Open rubin55 opened 3 years ago
Hey @rubin55, you're right to be confused.

The `ca.json` file is in a transitional state. We have moved some things to the database that used to belong in the `ca.json` - namely provisioners. However, we left the existing provisioner mgmt command group intact so as not to confuse existing users. Instead, we created a new provisioner CRUD subcommand group that can be found at `step beta ca provisioner ...`. However, the CA needs to be enabled to allow configuration mgmt in the database, otherwise it will not generate the necessary tables and required default values on startup.

To enable remote provisioner mgmt, add `enableAdmin: true` to the `ca.json` inside the `authority: {}` attribute. You'll want to remove your DB (`$(step path)/db`) and start fresh. Once the DB is removed, start the CA. Now you should be able to run `step beta ca provisioner add ...` from a remote client. You will be prompted for an admin subject and provisioner (these are the required default values I referred to above). The default admin subject is `step` and the provisioner is just the default first provisioner. The password will be the same as the one you passed to start the CA (the password that decrypts the intermediate private key). Using the `step beta ca` command groups you can do CRUD operations on admins and provisioners. We placed these commands under the `beta` group because they are in beta - you may run into issues (if so please let us know) and documentation is generally non-existent except in the CLI commands themselves. So, for example, you can run `step beta ca provisioner add -h` to get usage and examples, one of which will be for ACME. While these command groups are in beta, they're already used by our hosted product infrastructure, so they should be reliable.

Another option is to stick with static configuration and no remote provisioner mgmt. If you just need to add one ACME provisioner and don't expect to need to make updates on the fly, then this is much easier. Start a local instance of `step-ca` and add an ACME provisioner using `step ca provisioner add` as you did in your example above. Crib the ACME provisioner from the `ca.json` (it's very simple) and add it to your Docker `ca.json` configmap.

Yet another option is to link your instance of `step-ca` that runs in a Docker container to our certificate manager product. We manage provisioners for you, thereby enabling the remote provisioner management without you needing to play around with the `ca.json`. To do this, create a team in our Certificate Manager product (at https://smallstep.com) and follow the directions to link an instance.
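The two configuration routes described in the reply above (enabling `enableAdmin` under `authority`, or adding a static ACME provisioner block), as an added example that is not code from the thread or from smallstep. It assumes a constructed minimal `ca.json` and uses the `{"type": "ACME", "name": ...}` provisioner shape that `step ca provisioner add --type ACME` writes.

```python
import json

# Constructed minimal ca.json fragment for illustration, not a real deployment's file.
SAMPLE_CA_JSON = """{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": ":9000",
  "dnsNames": ["ca.example.internal"],
  "db": {"type": "badgerv2", "dataSource": "/home/step/db"},
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "admin@example.internal", "key": {"kty": "EC"}}
    ]
  }
}"""


def load_config(text):
    """Parse ca.json text into a dict (plain json.loads, kept as a named helper)."""
    return json.loads(text)


def is_remote_admin_enabled(config):
    """True when authority.enableAdmin is set, i.e. the CA will create admin tables."""
    return bool(config.get("authority", {}).get("enableAdmin", False))


def enable_remote_admin(config):
    """Option 1: turn on database-backed admin/provisioner management.

    Sets authority.enableAdmin so that, on the next start against a fresh db
    directory, the CA creates the required tables and default admin.
    """
    config.setdefault("authority", {})["enableAdmin"] = True
    return config


def add_acme_provisioner(config, name="acme"):
    """Option 2: static ACME provisioner written directly into ca.json.

    Idempotent: an ACME provisioner with the same name is not added twice.
    """
    provs = config.setdefault("authority", {}).setdefault("provisioners", [])
    if any(p.get("type") == "ACME" and p.get("name") == name for p in provs):
        return config
    provs.append({"type": "ACME", "name": name})
    return config
```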
@dopey thanks for the thorough explanation! Will try as soon as I hit the office tomorrow. Thanks much + will keep you guys posted if I run into any particulars using the beta functionality.
Subject of the issue
After installing step-ca in a Docker container, as per instructions here, and initializing the (remote) step-cli client as per instructions documented (see previous link), I'm trying to follow the ACME setup tutorial, specifically here. I'm getting the following error (commands included):
I suspect `ca.json` exists within the Docker container running step-ca; it seems very counter-intuitive to me that I apparently can't run certain commands remotely, even though the `step` cli command is intended to remotely manage a step-ca instance, right? This is either not explained thoroughly in the documentation (i.e., you need to explain that certain `step` commands can only run where `step-ca` is physically running, not remotely, which I would also consider a usability bug/issue) or it's an actual bug. Any insights or fixes much appreciated!
Your environment
Steps to reproduce
See subject of the issue.
Expected behaviour
I would expect step-ca to be correctly configured, setting up the ACME provisioner, by the previously mentioned step-cli command.
Actual behaviour
```
error loading configuration: error opening /home/rubin/.step/config/ca.json: open /home/rubin/.step/config/ca.json: no such file or directory
```
Additional context
See subject of the issue.