    Marc-André Moreau
    @awakecoding
    I am wondering the same about CRLs, I think it may be required to have smallstep as the offline root CA in Active Directory Certificate Services if this blog post using openssl is to be believed: https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/
    the Windows world requires CRL distribution unfortunately
    desnij
    @desnij
    mariano, max, are you guys interested in small PRs such as typo fixes or single word changes? In this example, it may be obvious to most, but it is clearer to note this requires a port https://github.com/smallstep/cli/compare/master...desnij:master
    6 replies
    Marc-André Moreau
    @awakecoding
    how does one build smallstep on Windows? all I can find are Makefiles that call a lot of GNU command-line tools, which is obviously not going to work well out of the box
    desnij
    @desnij
    I am sure someone mentioned GOOS=windows recently but I can't find the post...

    Hi, step-ca compiles on Windows, but we've never tested it before on that platform; it would be quite helpful if you test it.
    You can build it with:

     make build GOOS=windows

    You only need the GOOS=windows if you're not using Windows for building it.

    from the 19th above ^ (Gitter isn't correctly quoting today :)
    Marc-André Moreau
    @awakecoding
    yes, that's my point... it says use GOOS=windows if you're not using Windows... but I'm using Windows. And it's all makefiles and stuff.
    I wonder if it's ever been built on Windows? and not cross-compiled
    I'm not familiar with building go projects at all
    desnij
    @desnij
    ah yeah ok, I just opened PowerShell to build cli, chdir to cli/cmd/step and go build, but I am missing gcc. Golang has some libraries that need to be built with gcc... I will install it and get back with my results...
    but obviously it will be much easier building it on Linux :} and the result will be the same
    desnij
    @desnij
    well yes, so choco install mingw golang should be all you need. Then cd to cmd/step and type go build... BUT it does seem to mess with the PSREADOPTIONS that I have; that is, the --help text highlighting is breaking my PowerShell terminal...
    and fwiw PowerShell's PSReadLine gets borked, but it works fine in the Cygwin bash shell
    desnij
    @desnij
    I have been doing some hacking and it appears step does mess up the Windows PowerShell console. I thought it was just the help menu and text, but it seems that any use of step (built on Linux or Windows) will mess up the PowerShell console... nb the Cygwin shell works fine
    desnij
    @desnij
    @awakecoding so it works fine on a cygwin term, but a just created a ticket for the powershell issue. And fwiw it doesnt work on CMD.exe at all.
    Marc-André Moreau
    @awakecoding
    so it can only be built using mingw right now? can you see if it's possible to build smallstep-certificates, which doesn't have a Windows build?
    64 replies
    Marc-André Moreau
    @awakecoding
    image.png
    35 replies
    Marc-André Moreau
    @awakecoding
    image.png
    it's fine in Windows Terminal but all borked in the old terminal (the only one available in Windows Server, unfortunately)
    3 replies
    Marc-André Moreau
    @awakecoding
    image.png
    the default code page definitely can't help here
    J. Hunter Hawke
    @J-Hunter-Hawke
    This is sort of an off-the-wall question, but is there a maximum password length for the JWK provisioner?
    1 reply
    desnij
    @desnij
    Sorry, this is not an answer, but in the RFC spec it is referred to as a pass phrase, so I assume it is expected to be longer than 30 chars; however, since it is not specified, we have to assume it will depend on the application implementing it. For smallstep I haven't looked at the code enough yet.
    Mariano Cano
    @maraino
    I've replied on a thread, but I don't think we are imposing any limit.
    If there is, let us know; it might be us or an underlying package that we're using. But I'm not aware of one.
    vscripcaru
    @vscripcaru
    hello, has anyone succeeded in deploying step CA in a namespace different from default on k8s?
    I've attempted it using the configurable params in the helm command (as stated on the GitHub), i.e. {{fullname}}.{{namespace}}.svc.cluster.local,127.0.0.1
    but the output still shows the default namespace
    desnij
    @desnij
    @vscripcaru I haven't deployed this yet, but I just looked and "step-issuer/templates/NOTES.txt" is hardcoded to default, but the rest seems fine... does kubectl show that it is in the default namespace?
    ckwalsh
    @ckwalsh
    I had a good experience installing the step CA as part of the autocert install steps. It installs it in the “step” namespace
    vscripcaru
    @vscripcaru
    hmmm, thanks. I couldn't find the notes (not even the templates dir) at the step-issuer location. But I didn't get to the step-issuer deployment. This is happening during the step-certificates install phase. And yes, kubectl shows the step-certificate resources in the default ns, and the output of the helm install states NAMESPACE: default
    Matt Black
    @mafrosis
    Hello folks, I thought it might be interesting to see if I could use step-ca issued mTLS certs on my Android phone. I hit an unexpected snag trying to step ca bootstrap in Termux, with 0.14.6 armv7 build.
    7 replies
    etudurd
    @etudurd
    Hello, I have a question: can one host use multiple step-ca servers? I am looking to have redundancy in case the first CA goes down. Thank you :) In my ansible playbook shell: step ca bootstrap --ca-url {{ CA_URL }} --fingerprint {{ CA_FINGERPRINT }} -f (I am only using one CA)
    2 replies
    Tomás Hidalgo
    @thidalgosalvador
    Hello. I am running a PoC with step-ca (on a local CentOS server) and Google Cloud KMS. I followed the instructions on https://smallstep.com/docs/step-ca/configuration#google-cloud-kms. When I run the command step-cloudkms-init it generates in the key ring of my KMS project a pair of keys (root and intermediate). It also generates two files (root_ca.crt and intermediate_ca.crt). But their "Subject" fields are Smallstep Root and Smallstep Intermediate, respectively. Is it possible to generate certificates with a different "Subject" using Google Cloud KMS? Thanks!
    6 replies
    Jok
    @jokreliable
    STEPDEBUG=1 step-cli --config machine.json ca certificate $machine_uuid{,.crt,.key}  --provisioner Amazon
    ✔ Provisioner: Amazon (AWS)
    Smallstep CLI/0.15.12 (linux/amd64)
    Release Date: 2021-03-10 23:49 UTC
    panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xa97047]
    Is anyone having this sort of issue with step?
    (there is a similar issue on GitHub for the Google provisioner that seems to be resolved, if I read it right)
    The instance where that is running is a Debian 10 buster AMI.
    Jok
    @jokreliable
    ah - looks like we might be too restrictive on some of the access control in there...
    mannp
    @mannp
    My long-running smallstep CA Docker image has failed recently with the error -> invalid character 'e' looking for beginning of value against my JWT endpoint. The endpoint seems the same, but the Docker container will not start. I wondered if anyone has had the same or a similar issue? Thanks
    2 replies
    Ralph Brynard
    @RalphBrynard
    image.png
    hello everyone, I am trying to set up a smallstep issuing CA in an ADCS environment. I have followed the steps per the link here: https://smallstep.com/docs/tutorials/intermediate-ca-new-ca, following the "Secure Way" method. However, once I've completed the configuration and navigate to https://<ca name>:<listening port>/health, the certificate shows an "Invalid Digital Signature" error:
    6 replies
    Kevin
    @devadvocado

    Hey folks, we're excited to announce a new community initiative: Smallstep Office Hours!

    The purpose of Office Hours is to create an additional channel for you all. What can we use this channel for? Well, that's up to you! If you need help debugging, we are here to help. If you have any questions on docs, don't be shy to ask. Or if you just want to meet the folks behind Smallstep and chat about cats, that sounds great!

    Office hours are open weekly on Wednesday, and hours may vary depending on the availability of our Developer Advocates. To RSVP, please check our Calendly link. Thanks and feel free to ping me if you have any additional questions.

    logopk
    @logopk
    Hi, seeing the new release on GitHub, is there a place (besides the, well, minimal release notes, which are not pulled into the final version) where you explain the new features? Would that be the blog? CHANGELOG.md is empty ;-).
    I read "acmedb" in the release notes of v0.15.12-rc1. That sounds interesting.
    Don't get me wrong, I love your work and the really great support, and I get that you push new things and bugfixes frequently. But I find it hard to understand new or improved functionality and adjust my existing processes and workarounds to the new version. (Until last week, when I set up a staging CA and diffed configs, I didn't notice TLS 1.3 was available...)
    Thank you, Peter
    4 replies
    erne
    @etasi
    Hi everyone, so I have a problem which probably some of you have run into already, but I don't seem to be finding a solution or even the exact problem. I have a dev box set up with Kubernetes (VirtualBox) and I want to use Autocert for TLS communication between pods in a namespace. At the moment I'm just trying with the examples in the Autocert README, but get the following error:

        curl: (51) SSL: no alternative certificate subject name matches target host name 'hello-mtls.default.svc.cluster.local'
        command terminated with exit code 51

    That comes when I execute the following command: kubectl exec $HELLO_MTLS_CLIENT -c hello-mtls-client -- curl -sS --cacert /var/run/autocert.step.sm/root.crt --cert /var/run/autocert.step.sm/site.crt --key /var/run/autocert.step.sm/site.key https://hello-mtls.default.svc.cluster.local
    The hello-mtls service is exposed and I can ping it from the client, and even nslookup works, so DNS seems to be ok. The certificates are also autogenerated and found under the /var/run/autocert.step.sm folders in both the hello-mtls and hello-mtls-client deployments
    erne
    @etasi
    Does anyone have any ideas as to what I should check/debug next? I am stuck here as everything seems ok when I check the deployments, nslookup, ping etc., but obviously something is off.
    erne
    @etasi

    I have a bit more info, which could perhaps lead to a solution. I inspected the certificates and there really seems to be no alternative certificate subject just like the above error says. Here is the output of the hello-mtls site.crt (I removed some lines):

    Certificate:
        Signature Algorithm: ECDSA-SHA256
            Issuer: O=Autocert,CN=Autocert Intermediate CA
            Validity
                Not Before: Apr 15 12:13:08 2021 UTC
                Not After : Apr 16 12:14:08 2021 UTC
            Subject: CN=hello-mtls.default.svc.cluster.local
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:
                X509v3 Step Provisioner:
                    Type: JWK
                    Name: autocert
                    CredentialID: zcXymF2ojmSpRCii0XP69RbBDuEdr3vjYBiG-tzzzIA

    Is it required that the DNS field have values? If so, why is autocert not filling it when generating the certificates? Can someone please give me at least some tips on where to look in order to solve this problem?