step-ca ACME Server/Trusted ACME Root Cert

Gunsmithy

Hi there,

First off, I've been using Certwarden for a few months now in my home-lab for certs for DoH/DoT and have been loving it!

I'm now hoping to potentially use it to issue certs to secure internal mTLS traffic. I already have step-ca set up for this purpose for users, but I now have container workloads I would like to get certs for the same way.

I found that you can add custom ACME servers to Certwarden, and step-ca supports ACME, but I'm running into a wall due to the fact that step-ca uses self-signed certs so Certwarden refuses to connect: https://smallstep.com/docs/tutorials/acme-protocol-acme-clients/#acme-challenge-type

This is likely a feature request, but is there a way we can add/mount trusted CA certs to the Certwarden container, better yet, being able to specify what root to trust when creating an ACME server?

Thanks for the great software!

gregtwallace

I think this isn’t really a Cert Warden specific issue that I can address, it’s more a generic container issue.

I’d recommend building your own container with your CA added. Something like:
https://stackoverflow.com/questions/42292444/how-do-i-add-a-ca-root-certificate-inside-a-docker-image

Alternatively, since the image in the container is Linux you could make a script to execute within the container to add your CA. This might actually be easier if you modify your startup service to run the script every time. This would ensure you get new CW versions and that the CA is added when you do.

Gunsmithy

Hey there!

I was looking at a few posts like this prior and just thought it could be more elegant if allowing to specify a cert to pass through presumably to the underlying acme.sh commands being run.

I have however got a working solution for future reference for anyone else!
I created a script called startup.sh on my Docker host looking like so. (Don't forget to chmod +x it)

#!/bin/bash
apk update
apk add ca-certificates
update-ca-certificates
/app/certwarden

I then added the following entrypoint and mounts (including the default) to my certwarden compose file:

entrypoint: "/tmp/startup.sh"
volumes:
  - "./certwarden:/app/data"
  - "./certwarden-startup/root_ca.crt:/usr/local/share/ca-certificates/root_ca.crt"
  - "./certwarden-startup/startup.sh:/tmp/startup.sh"

Then I was able to connect to my local step-ca server just fine! Should persist through updates and such too as long as your Dockerfile CMD does not change.
Still need to test the certs out but they seem to have been issued fine.

gregtwallace

Great! Glad you got it working 🙂

kiler129

@Gunsmithy Your solution inspired me to look into a docker-native way, without risking breakage if CW Dockerfile changes. It turns out it's actually very easy to do with compose:

    stepca-staging-acme:
        image: smallstep/step-ca:latest
        # ...

    certwarden-main:
        #image: ghcr.io/gregtwallace/certwarden:v0.26.0
        build:
            context: .
            dockerfile_inline: |
                FROM ghcr.io/gregtwallace/certwarden:v0.26.0
                RUN --mount=type=bind,source=./stepca-staging-acme,target=/home/step \
                  apk update && apk add --no-cache ca-certificates jq && \
                  cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/ && \
                  update-ca-certificates

This version robustly reads the proper CA bundle path from step-ca configuration during build. It can also be easily extended to support multiple instances of step-ca (as you should run staging & prod):

    certwarden-main:
        #image: ghcr.io/gregtwallace/certwarden:v0.26.0
        build:
            context: .
            dockerfile_inline: |
                FROM ghcr.io/gregtwallace/certwarden:v0.26.0
                RUN --mount=type=bind,source=./stepca-staging-acme,target=/home/step \
                  apk update && apk add --no-cache ca-certificates jq && \
                  cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/
                RUN --mount=type=bind,source=./stepca-prod-acme,target=/home/step \
                  cp "$(jq -r .root /home/step/config/ca.json)" /usr/local/share/ca-certificates/ && \
                  update-ca-certificates

If your step-ca runs in a different stack, step-ca shares endpoint with roots. In other words you can use curl -k https://acme-staging.example.tld/roots.pem to get the certificate, albeit with a bit of a chicken-egg problem with root CA trust 😉