    Mariano Cano
    @maraino
    We have an internal discussion and prioritization of those issues every Tuesday. You just missed it, but I can talk about it internally before that. Just add the issue.
    If you have a special use case for using IPs instead of DNS, make sure to add that to the issue; it might help with prioritization.
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    Mostly our DNS is a mess, since the different hostnames were set up by different people over many years and we've acquired so many smaller companies which each had their own systems. As a result we do a lot through IP address.
    I'm sure we're not the only organization that has problems like that.
    Issue submitted. Thank you very much.
    Mariano Cano
    @maraino
    Not the best solution, but something that can also help is to have a centralized server doing some kind of custom validation and providing a token for use with JWK provisioners.
    thanks
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    I'll look into that. Thank you.
    Mariano Cano
    @maraino
    @mquinnatlasroofingcom: by the way, do you know if the client that you're using supports IP validation? Which one are you using?
    the acme client
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    It's POSH-ACME. As far as I can see it doesn't really support IP addresses as such; it treats them as DNS names and passes them over as a string.
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    In playing around with the code yesterday I found that I could change order.go at line 386 from "Type: x509util.DNSType" to "Type: x509util.IPType" and it would send back a signed certificate with the correct SAN type. This was simply a proof of concept, since it now doesn't work for DNS names at all. I'm thinking of adding a pattern match so that if the name looks like an IP it's signed as an IP, and if it doesn't then it's signed as DNS. I'm pretty sure that will work, but I'm a little concerned that it will break something else or render something insecure. What do you think?
    Mariano Cano
    @maraino

    @mquinnatlasroofingcom that will only work if the CSR is "malformed" and has the IPs marked as domain names. I don't think we will accept that change at the moment, but when we add support for IP validation in ACME it is something that we might add, if this is what the clients do.
    Right now I guess you can build your own step-ca with a change there and try.

    I'm not sure if it will work, but it can be something like:

    // default to a DNS SAN; "net" is the Go standard library package
    typ := x509util.DNSType
    // if the DNS name parses as an IP address, mark it as an IP SAN instead
    if net.ParseIP(csr.DNSNames[i]) != nil {
        typ = x509util.IPType
    }
    ...
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    What I'm talking about here is a dirty hack and definitely not the way you'd want to do it in a released product. But as a purely internal solution I'm thinking it will probably work, unless you can think of a security flaw in what I'm proposing.
    Mariano Cano
    @maraino
    Not at the moment, as long as the challenge also works.
    But this is only gonna work on those clients that create a malformed CSR.
    Lukas M
    @lukasmrtvy
    Guys? Has anyone tried to extend Cockpit-WS for usage with Smallstep SSH?
    Max
    @dopey
    Hey @lukasmrtvy, I've never used Cockpit before. Looks like an orchestration tool?
    Looks like cockpit-ws normally uses cockpit-session + PAM to authenticate users, but there's a flag to use SSH:
    --local-ssh
    
    Normally cockpit-ws uses cockpit-session and PAM to authenticate the user and start a user session. With this option enabled, it will instead authenticate via SSH at 127.0.0.1 port 22.
    Smallstep SSH just uses SSH under the hood, so if you were able to get cockpit-ws working with --local-ssh then you could also use Smallstep SSO for SSH.
    Lukas M
    @lukasmrtvy
    @dopey more like a web UI for Linux. I don't think that Cockpit will print the login URL from stdout in the web UI in --local-ssh mode.
    Tom Stewart
    @twstewart42

    Hello smallstep, I'm having a problem generating a CA-chain bundle with my certificate:

    step certificate create fqdn.example.com new-cert.crt new-cert.key --ca intermediate_ca.crt --ca-key intermediate_ca.key --bundle

    OR

    step certificate bundle new-cert.crt intermediate_ca.crt new-cert-bundle.ca-chain.crt

    Both result in a single cert with no CA-chain bundle.
    J. Hunter Hawke
    @J-Hunter-Hawke
    As a followup on the above question, I get errors from the CA when I try to use an intermediate certificate that has the previous root bundled into it. Is it possible to configure a Smallstep CA to do so? For example: I would like a remote intermediate CA to be able to create certificates with the full certificate chain.
    Mariano Cano
    @maraino
    @J-Hunter-Hawke do you mean to support 2 or more intermediates, like root -> intermediate -> intermediate-step-ca -> leaf?
    J. Hunter Hawke
    @J-Hunter-Hawke
    @maraino yes
    Mariano Cano
    @maraino
    @J-Hunter-Hawke I don't think this is supported right now; step-ca has the basis for supporting it, and it might work properly with the CloudCAS integration that was recently merged. But step and step-ca using local certificates/keys won't work properly. It should be possible to get certificates using curl --cacert root_and_intermediate.crt once the CA starts, but not with step at the moment.
    We have this issue open, and accepted in our internal roadmap: smallstep/certificates#87
    I would suggest adding a :+1:
    J. Hunter Hawke
    @J-Hunter-Hawke
    @maraino Thanks!
    Adrian L Lange
    @p3lim
    Why do you have no changelogs? As a user I have no idea what is different between the versions without having to go through the commit log and associated PR discussions.
    Adrian L Lange
    @p3lim
    Also, is RFC 8555's revoke-cert implemented in step-ca? Proxmox attempts to use it but gets a 404 (I'm on v1.15.5).
    Mariano Cano
    @maraino
    I haven't worked on the ACME implementation, but I think ACME's revoke-cert is not implemented.
    mquinnatlasroofingcom
    @mquinnatlasroofingcom
    @maraino We were talking the other day about IP address support; I was going to do a goofy hack with a malformed CSR. On further reflection and research it seemed like it was just as easy to do it right as to do it properly. So I modified the client to send properly formatted orders and CSRs, and I've got a version of step-ca that will take an ACME order with "ip" type SANs and return a properly signed and verified certificate.
    It was really simple and didn't involve changing much. There might be an I to dot or a T to cross, but it pretty much implements RFC 8738. Do you want it?
    Mariano Cano
    @maraino
    @mquinnatlasroofingcom I'd like to see first how other clients are supporting this case. I don't think we will merge the change in step, because we want to support the actual extension and there are already ways to fake it with some client-side templates. But depending on how other clients support this case I might integrate the step-ca change, which should be quite simple.
    Ryan Holt
    @carpenike
    Hey all! I'm trying to get step-certificates working inside of my k8s cluster. I deployed it via a Helm chart and am trying to use my cluster's ingress to provide access to the PKI endpoints. I'm hitting a snag though, as I have a Let's Encrypt wildcard cert providing SSL for the entire ingress service and am getting an x509 error when trying to run the step commands from my client. Bootstrap works as expected, but here's the error I get:
    step ca certificate foo.holthome.net foo.crt foo.key
    client GET https://pki.holthome.net/provisioners?limit=100 failed: Get "https://pki.holthome.net/provisioners?limit=100": x509: certificate signed by unknown authority
    I suspect it's because the ingress is signed by a separate root than the pki service.
    Romain Griffiths
    @wid
    Hello everyone, is there a way to list all issued certificates on the CA?
    @carpenike I had the same problem; step-certificates directly implements SSL, so I ended up using a LoadBalancer Service with an external IP.
    ssl-passthrough might work also.
    Ryan Holt
    @carpenike
    @wid -- appreciate it. I was going down the ssl-passthrough path and it doesn't appear to be working. Will need to put in a PR to make the Helm chart's service definition a bit more robust.
    Mariano Cano
    @maraino

    Hello everyone, is there a way to list all issued certificates on the CA?

    @wid There's a way, by creating a program that reads the DB. I know @dopey has some code that does that, but I cannot find it, and he is on holidays. Perhaps he shared it here with somebody, but I'm not sure.

    Romain Griffiths
    @wid
    @carpenike I could not make it run either; it looks like the ingress chart does not support it, nor does it give extra parameters to the binary.
    @maraino thank you, but I can't find the repo here https://github.com/dopey?tab=repositories
    It would be nice to be able to list them from the CLI.
    Mariano Cano
    @maraino
    @carpenike step-ca requires its own certificate; some features depend on it. If you're using a load balancer you must pass through TLS.
    Max
    @dopey
    @wid here is an example DB reader I put together a while back: https://github.com/smallstep/analyze-step-ca-db/blob/master/badger-example.go
    Our goal is to have something available through the API, but I can't make any promises as to when that will be delivered.
    If you're using badgerdb (the default) then you'll need to stop the CA while you run that script. Only one process can read/write badger at a time.
    Max
    @dopey
    If you're using MySQL then you'll need to make some changes to that script, but it shouldn't be too bad. Let me know if you need a helping hand.
    sbingram
    @sbingram
    So when you first initialize the step client on your computer, it sets up the .step directory, including the certs and configuration. I can't seem to find out how to get the SSH information copied as well. Specifically the include line in the ssh config and the config for step ssh, along with the known_hosts file with the step CA inside. I see template files and have adjusted them on the step server, but to no avail. Nothing ever seems to be imported. I also see that you might have to include in the ca.json file that you want to import them, but have tried a few places without any change. I've checked the docs, but can't seem to find anything other than for certs. Did I miss some documentation somewhere, or is this just not possible yet?