
[Bug]: Acme 404 page not found #2052

Open
vivekreddy94 opened this issue Oct 30, 2024 · 1 comment
Steps to Reproduce

The idea is to set up an intermediate CA using step-ca on an OpenShift cluster, so I have had the certificate signed by our root Microsoft PKI server. Everything works fine except the ACME provisioner. I can see it listed via step ca provisioner list, but when I try to reach the ACME directory I always receive 404 page not found.

Deployment file is below

apiVersion: apps/v1
kind: Deployment
metadata:
  name: step-ca
  namespace: stepca
spec:
  replicas: 1
  selector:
    matchLabels:
      app: step-ca
  template:
    metadata:
      labels:
        app: step-ca
    spec:
      serviceAccountName: step-ca
      containers:
        - name: step-ca
          image: smallstep/step-ca:latest
          ports:
            - containerPort: 443
          securityContext:
            runAsUser: 0 
          volumeMounts:
            - name: ca-json
              mountPath: /home/step/config/ca.json
              subPath: ca.json
              #readOnly: true
            - name: certs
              mountPath: /home/step/certs
              readOnly: true
            - name: secrets
              mountPath: /home/step/secrets
              readOnly: true
      volumes:
        - name: ca-json
          configMap:
            name: step-ca-config
            items:
              - key: ca.json
                path: ca.json
        - name: certs
          secret:
            secretName: step-ca-secrets
            items:
              - key: root_ca.crt
                path: root_ca.crt
              - key: intermediate_ca.crt  # Renamed in the Secret as needed
                path: intermediate_ca.crt
        - name: secrets
          secret:
            secretName: step-ca-secrets
            items:
              - key: intermediate_ca_key
                path: intermediate_ca_key
              - key: password
                path: password

Configmap for ca.json file

apiVersion: v1
kind: ConfigMap
metadata:
 name: step-ca-config
 namespace: stepca
data:
 ca.json: |
   {
     "root": "/home/step/certs/root_ca.crt",
     "federatedRoots": null,
     "crt": "/home/step/certs/intermediate_ca.crt",
     "key": "/home/step/secrets/intermediate_ca_key",
     "address": ":443",
     "insecureAddress": "",
     "dnsNames": [
       "stepca.mydomain.corp"
     ],
     "logger": {
       "format": "text"
     },
     "authority": {
       "provisioners": [
         {
           "type": "JWK",
           "name": "admin",
           "key": {
             "use": "sig",
             "kty": "EC",
             "kid": "<kid>",
             "crv": "P-256",
             "alg": "ES256",
             "x": "N7h0_LZ0mx6DDRLm1uHQEx15bNrX5sta1WAiBkcI8vs",
             "y": "ognNSi-E8GEc44eMWvFETEZy5ay8SC_UQzxvIqMngF8"
           },
           "encryptedKey": "<encrypted key>"
         },
         {
           "type": "ACME",
           "name": "acme",
           "claims": {
             "maxTLSCertDuration": "24h0m0s"
           }
         }
       ],
       "template": {},
       "backdate": "1m0s"
     },
     "tls": {
       "cipherSuites": [
         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
       ],
       "minVersion": 1.2,
       "maxVersion": 1.3,
       "renegotiation": false
     },
     "commonName": "Step Online CA"
   }

All my certs and keys are stored as secrets and mounted.

step-ca-56597c9cc5-kt8ls:/home/step# curl -k https://localhost:443/health
{"status":"ok"}
step-ca-56597c9cc5-kt8ls:/home/step# curl -k https://localhost:443/acme/acme/directory
404 page not found
step-ca-56597c9cc5-kt8ls:/home/step# curl --cacert /home/step/certs/root_ca.crt https://stepca.mydomain.corp/health
{"status":"ok"}
step-ca-56597c9cc5-kt8ls:/home/step# curl --cacert /home/step/certs/root_ca.crt https://stepca.mydomain.corp/acme/acme/directory
404 page not found
step-ca-56597c9cc5-kt8ls:/home/step# step ca provisioner list --ca-url https://stepca.mydomain.corp
[
  {
    "type": "JWK",
    "name": "admin",
    "key": {
      "use": "sig",
      "kty": "EC",
      "kid": "kid",
      "crv": "P-256",
      "alg": "ES256",
      "x": "N7h0_LZ0mx6DDRLm1uHQEx15bNrX5sta1WAiBkcI8vs",
      "y": "ognNSi-E8GEc44eMWvFETEZy5ay8SC_UQzxvIqMngF8"
    },
    "encryptedKey": "encrypted key"
  },
  {
    "type": "ACME",
    "name": "acme",
    "claims": {
      "maxTLSCertDuration": "24h0m0s"
    }
  }
]

step-ca-56597c9cc5-kt8ls:/home/step# step ca certificate --provisioner acme example.com example.crt example.key --ca-url https://stepca.mydomain.corp
✔ Provisioner: acme (ACME)
b = 404 page not found

error initializing ACME client with server https://stepca.apps.ocp-poc.core.dev.infinity.airbus.corp/acme/acme/directory: 404 page not found

Note: I am able to create a certificate with the 'jwk' provisioner type with no issue.

Your Environment

  • OS -
    step-ca-56597c9cc5-kt8ls:/home/step# cat /etc/os-release
    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.20.3
    PRETTY_NAME="Alpine Linux v3.20"
    HOME_URL="https://alpinelinux.org/"
    BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

  • step-ca Version -
    step-ca-56597c9cc5-kt8ls:/home/step# step-ca version
    Smallstep CA/0.28.0 (linux/amd64)
    Release Date: 2024-10-30 00:21 UTC

Expected Behavior

Able to reach the ACME directory URL, i.e. https://domain.com/acme/<acme_provisioner>/directory

Actual Behavior

When I try to reach the directory URL, I receive 404 page not found.

Additional Context

No response


@vivekreddy94 vivekreddy94 added bug needs triage Waiting for discussion / prioritization by team labels Oct 30, 2024
@vivekreddy94 vivekreddy94 changed the title [Bug]: [Bug]: Acme 404 page not found Oct 30, 2024
@hslatman hslatman self-assigned this Nov 5, 2024
vivekreddy94 (Author) commented:

Update: It worked after I added the db config to the ca.json file.

After much struggle I figured out that the step ca add command does not add the DB config to ca.json when I add an ACME provisioner.

How did I figure it out? I was trying to create a new instance with step ca init, where I passed --no-db along with an ACME provisioner, and it threw an error saying ACME needs a DB.
I then updated my CA config with a db block, and it started working.

What can be improved? Logging should be improved when adding an ACME provisioner to an existing config that doesn't have a DB configured, or a DB config should be added along with the provisioner.
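As an added example, not part of the issue or of step-ca itself, the pre-flight check the author wished the tooling had done: parse a ca.json, flag any ACME provisioner present while no "db" block is configured (the condition behind the 404 above), and produce a patched config. The embedded ca.json is a shortened copy of the one in the issue, and the badgerv2 db block and the "ACME needs persistence" rule are assumptions taken from step-ca's documented configuration, not something the issue states.

```python
import copy
import json

# Constructed, shortened version of the ca.json posted in the issue: an ACME
# provisioner is defined, but there is no "db" block anywhere in the file.
CA_JSON = """{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": ":443",
  "dnsNames": ["stepca.mydomain.corp"],
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "admin", "key": {"kty": "EC"}, "encryptedKey": "<redacted>"},
      {"type": "ACME", "name": "acme", "claims": {"maxTLSCertDuration": "24h0m0s"}}
    ]
  }
}"""

# Assumption: provisioner types that need a persistence layer (ACME keeps
# accounts, nonces, orders and challenges in the CA database).
DB_REQUIRED_TYPES = {"ACME"}


def load_config(text: str) -> dict:
    return json.loads(text)


def find_db_issues(cfg: dict) -> list[str]:
    """Return one finding per provisioner that needs a DB when none is configured."""
    db = cfg.get("db")
    has_db = isinstance(db, dict) and bool(db.get("type"))
    findings = []
    for prov in cfg.get("authority", {}).get("provisioners", []):
        if prov.get("type") in DB_REQUIRED_TYPES and not has_db:
            findings.append(
                f"provisioner {prov.get('name')!r} ({prov['type']}) needs a 'db' block; "
                "without it the /acme/{name}/directory routes are not served"
            )
    return findings


def with_badger_db(cfg: dict, data_source: str = "/home/step/db") -> dict:
    """Return a copy of cfg with an embedded badgerv2 database (assumed layout)."""
    patched = copy.deepcopy(cfg)
    patched.setdefault("db", {"type": "badgerv2", "dataSource": data_source})
    return patched


def acme_directory_urls(cfg: dict) -> list[str]:
    """Directory URLs clients would use once ACME is actually routed."""
    host = cfg["dnsNames"][0]
    provs = cfg.get("authority", {}).get("provisioners", [])
    return [f"https://{host}/acme/{p['name']}/directory" for p in provs if p.get("type") == "ACME"]
```

Run the check against the mounted ConfigMap before rolling the Deployment; an empty findings list means the ACME routes will be registered at startup.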
