    Vignesh Mohanasundaram


    I’m facing an issue with Step Certificate, hope to get some answers/suggestions from here.
    I have a Kubernetes environment and installed Step Certificates through the Helm chart.

    helm -n certs upgrade --install --create-namespace ca smallstep/step-certificates

    After that I’m trying to use cert-manager and ClusterIssuer,

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: smallstep-ca
    spec:
      acme:
        server: https://ca-step-certificates.certs.svc.cluster.local/acme/acme/directory
        preferredChain: "Step Online CA"
        privateKeySecretRef:
          name: smallstep-issuer-account-key
        solvers:
        - http01:
            ingress:
              class: nginx

    Now I’m getting the following error

    Failed to register ACME account: Get "https://ca-step-certificates.certs.svc.cluster.local/acme/acme/directory": x509: certificate signed by unknown authority

    How can I resolve this?

    Andrei Kondakov


    What are the .vlog files responsible for?
    Are there ways to clean up these files to reduce disk space consumption on the server?

    Thank you!

    Hi all, I am following your blog post and cannot get part of it to work, I wondered if anyone was able to help please? -> https://smallstep.com/blog/istio-with-private-ca/
    I am unable to get the base64 version of the root certificate: nothing is returned
    Nothing is also returned when trying to get the provisioner kid
    Pods are running as per the blog post..
    Matthew Frost
    Does anyone know how I would get a list separated from a claim like so ["Role","role2"] to work as custom principals in the templating language?
    Running step-ca on docker. Behind traefik. Is there some way to start it listening on an http port so I can reverse proxy it?
    Matthew Frost
    for some reason
    if I override the ssh template
    it does not work
    still does user,name
    and user.name@
    i set the options in provider for ssh template
    and nothing
    even if i do it wrong still defaults
    any ideas why?
    Matthew Frost
    using the oidc provider basically
    Hello all. I installed step-ca on RPi4 using the blog guide. https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/?utm_source=pocket_mylist
    But my ubuntu clients cannot bootstrap. I got the following error: qt.qpa.xcb: could not connect to display
    qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
    This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
    Hi, anyone else have a problem with connection refused using step ca?
    Hey @this-caroline @mattronix @matty__moose_twitter @vigneshraaj we've completely moved over to the discord channel. Apologies for our radio silence, but I don't think anyone has been checking this channel for the last few weeks. Please come join us over at our discord and we'll be happy to try and help out. https://discord.gg/ACAeVdQNW5
    Oleg Tsvinev
    @dopey thank you guys for a great job - first thing to say in a first post :) And now, my question - is it possible to change JWT token expiration time? I thought it'd be controlled by claims in provisioner, but all provisioners I configured only issue tokens with 1h life. Is it by design? Am I missing something?
    Hi, I've been using step-ca for a year now. I have just 1 issue. I have about 18 vlog files of 1.1G in my db/ directory. 16 of them were created a month ago. So I have about 16GB wasted space. Can I just delete those files or is there a command to clean it out?
    Florian Wagner
    Hey everyone. I'm running step commands from a cron script. Output gets mailed to me. Including ANSI color escapes. Any way to turn these off?
    Hey folks (especially @wagnerflo @Richie765), sorry for the slow response. We moved our community channel to Discord. Join here so we can help you out: Step Discord
    Lukas M
    Guys? Is there any ETA for release that will contain smallstep/step-issuer#15 ? Thanks
    Mariano Cano
    Hey @lukasmrtvy cluster issuer support was released on Friday.
    And we don't actively check gitter now. We have a new channel in Discord
    Lukas M
    @maraino Thanks :thumbsup:
    Hi All,
    I have an AKS cluster with private domains. I wanted to automate SSL termination and cert renewal for traefik and the respective redirections to application UIs, using smallstep and cert-manager. Kindly guide me in the right direction, if there is any blog to refer to. The help will be very much appreciated.
    Thanks in advance.
    Javier R
    Hi everyone. I am trying to set up an SSH lab environment but I am getting confused with the sshd_config keys. The documentation asks to include "TrustedUserCAKeys /keys/ssh_user_key.pub" but it says "CA", which can easily be identified with my certs/ssh_user_ca_key.pub, and I don't have any ssh_user_key.pub (I have tried different step ssh commands but I can't find which argument generates this user key file). I tried using TrustedUserCAKeys /keys/ssh_user_ca_key.pub but sshd does not work, showing "Unable to load host key: /keys/ssh_host_ecdsa_key".
    Many Thanks in Advance and Happy New Year :)
    Mariano Cano

    Hi All, we moved all discussions to discord, we can help you there, we are not monitoring this channel anymore

    🚚 Moving Alert: New Home on Discord Ave.

    Smallstep is moving to Discord to help us better support and serve the community. Here are some features and use cases I am excited about:

    • Voice channels for live debugging and office hours
    • Better search functionality to help us find past issues
    • Dedicated help channels
    • Contests and giveaways

    To join, please use this link.

    Unfortunately, this means Gitter will no longer be our main community platform and will be deprecated in the near future. Please join Discord to receive a faster response from the team/community. If you have any questions about the move or need help onboarding the new platform, please reach out to me at kevin@smallstep.com so I can be of assistance!

    Greg Waines

    can stepca sign CSRs with "CA: TRUE" ?

    I tried this and it seems to remove that line from the certificate and sign it

    Hi all, is the smallstep CA docker able to trust its own CA at all? My CA docker is unable to access an internal keycloak server on https using this docker's CA 🙂 TIA
    Tried LEGO_CA_CERTIFICATES with no joy
    Hey there, I was wondering if there is a way to run step-ca for ssh in some kind of high-availability-fashion? E.g. could I just run two CAs with the same secrets behind a load-balancer?
    Or would that cause problems with duplicate serials?
    Hi, for step ca renew, how do I pass in the CA decryption password using a password file instead of inside of ca.json?
    Adam Cécile
    Hi there, I'm wondering if what I'm looking for is actually doable: I'm using a smallstep CA private ACME server issuing certs trusted by all company computers and I'm willing to add SSL bumping with squid. For doing so, it requires squid to have its own intermediate CA to be able to sign SSL certificates on the fly. Can I generate an intermediate CA for squid using my internal ACME server? Thanks
    hemanth kumar
    Hi All,
    How to initiate the $ sudo step ca init --kms azurekms ""Using the Ansible "" Command
    @hemanth99358332_twitter: the community has moved to discord. you might try them over there.
    @hemanth99358332_twitter: https://discord.gg/X2RKGwEbV9
    has anyone got slack OIDC to work?
    it seems like it wants a redirect url and step uses localhost over http, which slack doesn't like