@Gunsmithy Your solution inspired me to look into a docker-native way, without risking breakage if CW Dockerfile
changes. It turns out it's actually very easy to do with compose:
```yaml
stepca-staging-acme:
  image: smallstep/step-ca:latest
  # ...
certwarden-main:
  #image: ghcr.io/gregtwallace/certwarden:v0.26.0
  build:
    context: .
    dockerfile_inline: |
      FROM ghcr.io/gregtwallace/certwarden:v0.26.0
      # bind-mount the step-ca data directory at build time, read the root CA path
      # from ca.json and install that certificate into the image's system trust store
      RUN --mount=type=bind,source=./stepca-staging-acme,target=/home/step \
          apk update && apk add --no-cache ca-certificates jq && \
          cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/ && \
          update-ca-certificates
```
This version robustly reads the proper CA bundle path from the step-ca configuration during build. It can also be easily extended to support multiple instances of step-ca (as you should run staging & prod):
```yaml
certwarden-main:
  #image: ghcr.io/gregtwallace/certwarden:v0.26.0
  build:
    context: .
    dockerfile_inline: |
      FROM ghcr.io/gregtwallace/certwarden:v0.26.0
      # staging CA: install tooling and copy its root certificate
      RUN --mount=type=bind,source=./stepca-staging-acme,target=/home/step \
          apk update && apk add --no-cache ca-certificates jq && \
          cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/
      # prod CA: copy its root certificate, then rebuild the trust store once for both
      RUN --mount=type=bind,source=./stepca-prod-acme,target=/home/step \
          cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/ && \
          update-ca-certificates
```
If your step-ca runs in a different stack, step-ca shares its roots via an endpoint. In other words you can use `curl -k https://acme-staging.example.tld/roots.pem` to get the certificate, albeit with a bit of a chicken-and-egg problem with root CA trust 😉
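One way to defuse that chicken-and-egg problem, as an added example that is not part of the comment above or of Cert Warden or step-ca: fetch `roots.pem` with verification disabled, but refuse to install it unless its SHA-256 fingerprint matches one obtained out-of-band (for instance from `step certificate fingerprint` on the CA host). The URL, fingerprint and destination path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Pins the root fetched over an
# untrusted TLS connection to a fingerprint you obtained out-of-band.
set -eu

# Lowercase hex SHA-256 fingerprint (no colons) of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalise a user-supplied fingerprint ("AB:CD:..." or "abcd...") the same way.
normalise_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only if the PEM file's fingerprint equals the expected one.
verify_root() {
    pem="$1"; expected="$2"
    [ "$(pem_fingerprint "$pem")" = "$(normalise_fp "$expected")" ]
}

# Download roots.pem without TLS verification (the unavoidable first step), then
# install it into the system trust store only if it matches the pinned fingerprint.
# Assumed defaults: the CA URL and the Alpine/Debian ca-certificates drop directory.
fetch_and_install_root() {
    url="${1:-https://acme-staging.example.tld/roots.pem}"   # assumption
    expected="$2"
    dest="${3:-/usr/local/share/ca-certificates/step-ca-root.crt}"
    tmp="$(mktemp)"
    curl -fsSk "$url" -o "$tmp"
    if verify_root "$tmp" "$expected"; then
        cp "$tmp" "$dest"
        rm -f "$tmp"
        update-ca-certificates
    else
        echo "fingerprint mismatch for $url: got $(pem_fingerprint "$tmp"), not installing" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Usage: `fetch_and_install_root https://acme-staging.example.tld/roots.pem "$EXPECTED_FP"`. `curl -k` is still used for the transfer, but the fingerprint check means a man-in-the-middle on that first connection can only cause the install to fail, not slip in their own root.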