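├── config
│   └── traefik.yml
├── .gitignore
├── https_site.py
├── docker-compose.yml
└── README.md

/config/traefik.yml:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
data
--------------------------------------------------------------------------------
/https_site.py:
--------------------------------------------------------------------------------
"""Minimal HTTPS static file server for testing a certificate issued by the local step-ca.

Serves the current working directory on 0.0.0.0:8443 using the certificate and key
created with `step ca certificate ...` (see README).

NOTE(review): SimpleHTTPRequestHandler serves the directory the script is started in.
The README creates site_home_local.key in the repository root, so starting this script
from there publishes the private key (and anything under data/) over HTTPS. Start it
from a directory that holds only public files, or point CERT_FILE/KEY_FILE/CA_FILE at a
location outside the served tree.
"""
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

BIND_ADDRESS = ("0.0.0.0", 8443)
CERT_FILE = "site_home_local.crt"
KEY_FILE = "site_home_local.key"
CA_FILE = "data/step-ca/certs/root_ca.crt"


def build_server_context(certfile: str = CERT_FILE, keyfile: str = KEY_FILE, cafile: str = CA_FILE) -> ssl.SSLContext:
    """Build the server-side TLS context.

    ssl.wrap_socket() (used previously) was deprecated in Python 3.7 and removed in
    3.12; an SSLContext created with PROTOCOL_TLS_SERVER applies the interpreter's
    secure defaults (no legacy protocol versions, current cipher list) instead of the
    permissive legacy ones.

    Args:
        certfile: PEM server certificate (chain) path.
        keyfile: PEM private key matching certfile.
        cafile: PEM trust root. Loaded so the context could later verify client
            certificates; verify_mode stays CERT_NONE, as in the original wrap_socket call.

    Returns:
        A configured ssl.SSLContext.

    Raises:
        FileNotFoundError, ssl.SSLError: if a file is missing or cannot be parsed.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile=certfile, keyfile=keyfile)
    context.load_verify_locations(cafile=cafile)
    return context


def main() -> None:
    """Serve the current directory over HTTPS until interrupted (Ctrl-C)."""
    context = build_server_context()
    # HTTPServer is a context manager; server_close() runs on exit and releases
    # the listening socket so the port is free for the next run.
    with HTTPServer(BIND_ADDRESS, SimpleHTTPRequestHandler) as httpd:
        httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            pass  # Ctrl-C is the normal way to stop a dev server; exit quietly.


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.9"
services:
  step-ca:
    image: smallstep/step-ca
    networks:
      traefik-net:
        aliases:
          - "ca.myhost.local"
    ports:
      - 9000:9000
    volumes:
      # Holds the CA private keys and the password file; keep this directory out of
      # version control (see .gitignore) and restrict it to uid 1000 as the README does.
      - ./data/step-ca:/home/step

  traefik:
    image: traefik:v2.4
    depends_on:
      - step-ca
    networks:
      traefik-net:
        aliases:
          - "traefik"
          - "traefik.myhost.local"
          - "whoami.myhost.local"
    command:
      # NOTE(review): api.insecure=true serves the API and dashboard on port 8080
      # without authentication, and the traefik0/traefik1 routers below publish that
      # port under Host(`traefik.myhost.local`) with no auth middleware. Acceptable
      # for a local lab only; add a basicauth middleware (or disable the API) before
      # this is reachable from any other network.
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-net"
      # /dynamic-conf.yml is ./config/traefik.yml, which is currently empty.
      - "--providers.file.filename=/dynamic-conf.yml"
      - "--providers.file.watch=true"
      - "--accesslog=false"
      - "--log=true"
      # DEBUG logs are verbose and include request details; lower to INFO outside development.
      - "--log.level=DEBUG"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesResolvers.myresolver.acme.tlsChallenge=true"
      # "admin" is not an e-mail address; the local step-ca tolerates it here, but a
      # public ACME server would reject it.
      - "--certificatesResolvers.myresolver.acme.email=admin"
      - "--certificatesResolvers.myresolver.acme.storage=/etc/acme/acme.json"
      - "--certificatesresolvers.myresolver.acme.caserver=https://ca.myhost.local:9000/acme/acme/directory"
      # Both tlsChallenge and httpChallenge are enabled for the same resolver; one
      # challenge type is sufficient — keep the one that matches your network setup.
      - "--certificatesResolvers.myresolver.acme.httpChallenge=true"
      - "--certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Access to the Docker socket is equivalent to root on the host; anything that
      # compromises this container inherits it. Consider a socket proxy that only
      # allows the read-only endpoints the docker provider needs.
      - /var/run/docker.sock:/var/run/docker.sock
      # acme.json holds the issued private keys; it is under data/ and therefore ignored by git.
      - ./data/traefik/acme:/etc/acme
      - ./data/step-ca/certs/root_ca.crt:/usr/local/share/ca-certificates/my_root_ca.crt
      - ./config/traefik.yml:/dynamic-conf.yml
    environment:
      # Makes lego (Traefik's ACME client) trust the step-ca root and verify the
      # CA's TLS name when talking to ca.myhost.local.
      LEGO_CA_CERTIFICATES: "/usr/local/share/ca-certificates/my_root_ca.crt"
      LEGO_CA_SERVER_NAME: "ca.myhost.local"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik0.entrypoints=web"
      - "traefik.http.routers.traefik0.rule=Host(`traefik.myhost.local`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

      - "traefik.http.middlewares.traefik-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik0.middlewares=traefik-redirect"

      - "traefik.http.routers.traefik1.entrypoints=websecure"
      - "traefik.http.routers.traefik1.rule=Host(`traefik.myhost.local`)"
      - "traefik.http.routers.traefik1.tls=true"
      - "traefik.http.routers.traefik1.tls.certresolver=myresolver"

  whoami:
    # A floating :latest tag is not reproducible; pin a specific version (or digest)
    # once you know which one you tested with.
    image: containous/whoami:latest
    hostname: "whoami1"
    networks:
      traefik-net:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami0.entrypoints=web"
      - "traefik.http.routers.whoami0.rule=Host(`whoami.myhost.local`)"

      - "traefik.http.middlewares.whoami-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.whoami0.middlewares=whoami-redirect"

      - "traefik.http.routers.whoami1.entrypoints=websecure"
      - "traefik.http.routers.whoami1.rule=Host(`whoami.myhost.local`)"
      - "traefik.http.routers.whoami1.tls=true"
      - "traefik.http.routers.whoami1.tls.certresolver=myresolver"

networks:
  traefik-net:
    external: true
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Setup step-ca

## Initialization from scratch

```sh
mkdir -p "$PWD/data/step-ca"
sudo chown -R 1000:1000 "$PWD/data/step-ca"
docker run --rm -it -v "$PWD/data/step-ca:/home/step" smallstep/step-ca step ca init
```

### Add your password

```sh
echo '<your-password>' | sudo tee "$PWD/data/step-ca/secrets/password"
sudo chown -R 1000:1000 "$PWD/data/step-ca/secrets/password"
```

## Start your step-ca instance

```sh
docker-compose up -d step-ca
```

Save your _Root fingerprint_ somewhere; you will need it afterwards.

```
Generating root certificate...
all done!

Generating intermediate certificate...
all done!

✔ Root certificate: /home/step/certs/root_ca.crt
✔ Root private key: /home/step/secrets/root_ca_key
✔ Root fingerprint: f032205...
✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/step/secrets/intermediate_ca_key
✔ Database folder: /home/step/db
✔ Default configuration: /home/step/config/defaults.json
✔ Certificate Authority configuration: /home/step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

FEEDBACK 😍 🍻
The step utility is not instrumented for usage statistics. It does not
phone home. But your feedback is extremely valuable.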
Any information you
can provide regarding how you’re using `step` helps. Please send us a
sentence or two, good or bad: feedback@smallstep.com or join
https://github.com/smallstep/certificates/discussions.
```

Then open https://localhost:9000/health to make sure the service is running.

## Enable the ACME provisioner

```sh
docker-compose exec step-ca step ca provisioner add acme --type ACME
docker-compose restart
```

## Add the CA to your development environment

```sh
step ca bootstrap --ca-url https://localhost:9000 --install --fingerprint <root-fingerprint>
step ca bootstrap --ca-url https://localhost:9000 --install --fingerprint f0322055102894cae067c9e23ed3139f670f39c54233a5012f2c723614868d58

```

This command configures your computer to use the CA you created, so it can request certificates, and adds the CA's root certificate to your computer's trust store.

Check that the CA has been added to your trust store.

```sh
curl https://localhost:9000/health
```

Create a sample certificate for localhost.

```sh
step ca certificate site.myhost.local site_home_local.crt site_home_local.key
```

### Run traefik first

```sh
docker-compose up -d traefik
sleep 10
docker-compose up -d whoami
```

## Initializing step-ca from your own CA certificate and key

```sh
docker-compose down
sudo rm -rf ./data
mkdir -p ./data/step-ca/secrets

cp "$(mkcert -CAROOT)/rootCA.pem" ./data/step-ca/
cp "$(mkcert -CAROOT)/rootCA-key.pem" ./data/step-ca/
echo '123456' | tee "$PWD/data/step-ca/secrets/password"

# don't chown on macOS
sudo chown -R 1000:1000 "$PWD/data/step-ca"

docker-compose run step-ca step ca init \
    --root "/home/step/rootCA.pem" \
    --key "/home/step/rootCA-key.pem" \
    --name "mkcert CA" \
    --provisioner "admin" \
    --dns "localhost,ca.internal,ca.myhost.local,acme.myhost.local" \
    --address ":9000" \
    --password-file=/home/step/secrets/password

docker-compose up -d step-ca
docker-compose exec step-ca step ca provisioner add acme --type ACME
docker-compose restart
docker-compose up -d traefik
docker-compose logs -f traefik
```

Reference: https://smallstep.com/docs/tutorials/intermediate-ca-new-ca

## References

- https://hub.docker.com/r/smallstep/step-ca
- https://smallstep.com/docs/step-ca/installation
--------------------------------------------------------------------------------