
Smallstep ACME CA x Proxmox x Docker Compose / Portainer Stack

# docker-compose.yml - PORTAINER!!!
# NOTE: We're passing a cleartext password via an environment variable. If you're not
#       comfortable with this, there's a manual setup process available on the Docker
#       Hub page for smallstep/step-ca (https://hub.docker.com/r/smallstep/step-ca).
#
#       If you're using your own DNS server(s) to resolve internal hostnames, enter
#       them in the DNS1 and DNS2 fields in the associated .env file. If not, leave
#       them null in the .env file and delete the whole `dns:` section of the
#       step-ca service below.
#
#       By default, the step-ca container will listen on port 9000 on the host. Change
#       the number to the left of the colon in the `ports:` entry to change the
#       external port.
#

version: '3.8'

services:
  step-ca:
    image: 'smallstep/step-ca:latest'
    container_name: 'step-ca'
    hostname: 'step-ca'
    networks:
      - 'step-ca'
    ports:
      - 9000:9000
    dns:
      - '${DNS1}'
      - '${DNS2}'
    dns_search:
      - '${DOMAIN}'
    environment:
      # Name of Cert Authority (i.e., PrivateCorp CA). Visible on all issued certs.
      - "DOCKER_STEPCA_INIT_NAME=${CA_NAME}"
      # Comma-separated list of hostnames/IP addresses the CA will accept requests on
      - "DOCKER_STEPCA_INIT_DNS_NAMES=${CA_DNS_NAMES}"
      # Name for the initial provisioner. Default is 'admin' if left null.
      - "DOCKER_STEPCA_INIT_PROVISIONER_NAME=${STEP_PROVISIONER_NAME}"
      # Specify a password for encrypted CA Keys & Default CA Provisioner
      - "DOCKER_STEPCA_INIT_PASSWORD=${CA_ENCRYPTION_PASS}"
      # Set this to any non-null value to enable SSH cert support
      - "DOCKER_STEPCA_INIT_SSH=${INIT_SSH}"
    volumes:
      - '/opt/smallstep:/home/step'
    env_file:
      - stack.env


# Not used: the service above bind-mounts /opt/smallstep into /home/step instead.
# Keep this only if you switch the service's volume to 'step:/home/step'.
volumes:
  step:
    name: step
    driver: local

networks:
  step-ca:
    name: 'step-ca'

The compose file expects these variables in the stack's env file (stack.env in Portainer). Note that the compose file also references DNS2; either define it here as well or drop the second dns entry:

CA_NAME="My Priv CA"
CA_DNS_NAMES=ca.domain.internal
STEP_PROVISIONER_NAME=admin
CA_ENCRYPTION_PASS=SuperSecretP@ssword
INIT_SSH=y
DOMAIN=domain.internal
DNS1=ip.of.internal.dns
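The variable list above omits DNS2 even though the compose file references it, and an undefined interpolation variable silently becomes an empty string. As an added check that is not part of the original post, the POSIX shell function below lists every ${VAR} a compose file references that the env file does not define. The sample compose and env files it writes are constructed here to mirror the post's stack; the function name is mine.

```shell
#!/bin/sh
# Added example (not from the original post): list compose interpolation
# variables that the env file leaves undefined. Sample inputs are constructed.
set -eu

# Print every ${VAR} referenced in a compose file that has no "VAR=" line in
# the env file (Portainer reads stack.env; plain docker compose reads .env).
# A line "VAR=" with an empty value counts as defined.
missing_compose_vars() {
    compose_file=$1
    env_file=$2
    grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$compose_file" \
        | sed 's/^\${//; s/}$//' \
        | sort -u \
        | while read -r var; do
            grep -q "^${var}=" "$env_file" || printf '%s\n' "$var"
          done
}

# Constructed sample files mirroring the post's stack; DNS2 is deliberately
# absent from the env file, as in the post's variable list.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/docker-compose.yml" <<'EOF'
services:
  step-ca:
    image: 'smallstep/step-ca:latest'
    dns:
      - '${DNS1}'
      - '${DNS2}'
    dns_search:
      - '${DOMAIN}'
    environment:
      - "DOCKER_STEPCA_INIT_NAME=${CA_NAME}"
      - "DOCKER_STEPCA_INIT_PASSWORD=${CA_ENCRYPTION_PASS}"
EOF
cat > "$DEMO_DIR/stack.env" <<'EOF'
CA_NAME="My Priv CA"
CA_ENCRYPTION_PASS=example-placeholder-password
DOMAIN=domain.internal
DNS1=ip.of.internal.dns
EOF

# Usage: prints "DNS2" for the sample files above.
missing_compose_vars "$DEMO_DIR/docker-compose.yml" "$DEMO_DIR/stack.env"
```

Run it against the real files before deploying the stack; an empty result means every variable the compose file interpolates has a definition.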

After spinning up the container we need to add an ACME provisioner. Open a shell inside the container and add it; the provisioner name ("acme" here) becomes part of the ACME directory URL, https://<ca-host>:9000/acme/<provisioner-name>/directory, which is why the URL used below ends in /acme/acme/directory.

docker exec -it step-ca bash

step ca provisioner add acme --type ACME

Section about Root Certificate – in progress

root@pve:/etc/ssl/certs# pvenode acme account register default [email protected]
Directory endpoints: 
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 2
Enter custom URL: https://ca.domain.internal:9000/acme/acme/directory

Attempting to fetch Terms of Service from 'https://ca.domain.internal:9000/acme/acme/directory'..
No Terms of Service found, proceeding.
Do you want to use external account binding? [y|N]: n

Attempting to register account with 'https://ca.domain.internal:9000/acme/acme/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://ca.domain.internal:9000/acme/acme/account/zWfBTX5dh8RMXToPRpFGswe1oXjE4Flc'
Task OK
root@pve:/etc/ssl/certs#

After registering with the custom ACME server, set the domain the certificate should cover and ask the CA to issue it:

root@pve:/etc/ssl/certs# pvenode config set --acme domains=proxmox.domain.internal
root@pve:/etc/ssl/certs# pvenode acme cert order
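The Proxmox side as one script, added here as an example and not the post's own code (the root-certificate section above is still marked in progress). It assumes the step-ca root certificate, which the container writes to /home/step/certs/root_ca.crt (so /opt/smallstep/certs/root_ca.crt on the Docker host with the bind mount above), has already been copied to the Proxmox node; it uses the hostnames and provisioner name from the post, and pvenode's --directory option in place of the interactive menu shown above. The function names and the contact placeholder are mine. Nothing in it bypasses TLS verification: if the root is not trusted, registration fails, which is the correct outcome.

```shell
#!/bin/sh
# Added example, not from the original post: the Proxmox-side steps as one
# script. Assumes the step-ca root certificate has been copied to this node.
set -eu

CA_HOST=ca.domain.internal           # CA hostname from the post
CA_PORT=9000
PROVISIONER=acme                     # name given to 'step ca provisioner add'
PVE_DOMAIN=proxmox.domain.internal   # Proxmox hostname from the post

# The ACME directory URL embeds the provisioner name: /acme/<name>/directory.
acme_directory_url() {
    printf 'https://%s:%s/acme/%s/directory\n' "$1" "$2" "$3"
}

# Refuse to trust anything that is not a CA certificate (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# Put the root into the Debian trust store that pvenode and curl use.
install_root_ca() {
    is_ca_cert "$1" || { echo "refusing: $1 is not a CA certificate" >&2; return 1; }
    install -m 0644 "$1" /usr/local/share/ca-certificates/step-ca-root.crt
    update-ca-certificates
}

# Fetch the directory with the system trust store (no -k). This fails if the root
# is not trusted or if the hostname is missing from the CA's own certificate
# (DOCKER_STEPCA_INIT_DNS_NAMES in the compose file).
check_acme_directory() {
    curl -fsS "$1" | grep -q '"newOrder"'
}

# Full run: trust the root, register, set the domain, order. Proxmox validates with
# an HTTP-01 challenge, so the CA container must resolve and reach $PVE_DOMAIN on
# port 80; that is what the dns: settings in the compose file are for.
proxmox_acme_setup() {
    root_ca=$1
    contact=$2
    dir_url=$(acme_directory_url "$CA_HOST" "$CA_PORT" "$PROVISIONER")
    install_root_ca "$root_ca"
    check_acme_directory "$dir_url"
    pvenode acme account register default "$contact" --directory "$dir_url"
    pvenode config set --acme "domains=$PVE_DOMAIN"
    pvenode acme cert order
}

# Usage (on the Proxmox node, as root; the contact address is a placeholder):
#   proxmox_acme_setup /root/root_ca.crt admin@example.invalid
```

Source the file and call proxmox_acme_setup with the copied root certificate and your contact address; is_ca_cert and check_acme_directory can also be run on their own to confirm the trust setup before touching the ACME account.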
