ertius.org

step ca is quite weird

I've been meaning to set up SSH host certificates for ages now, and I did, with a somewhat nasty Ansible role, but it involved copying the root CA cert to random machines, which was at best embarrassing. So, I decided to have a crack at setting up Smallstep CA. It is ... idiosyncratic, especially the errors it produces.

Some translations:

adminHandler.authorizeToken; unable to load admin with subject(s) [...] and provisioner '...'

This means you tried to authenticate using some username other than the default one, step. I have no idea what the answer I gave to the question What would you like to name the CA's first provisioner? was for or how I'd ever use it again (thank you!).

json: cannot unmarshal number into Go value of type ca.AdminClientError

This means that you didn't enable CA-over-the-network. You can try doing surgery on ca.json, or you can just start over, passing --remote-management to step ca init.

error retrieving policy: operation not supported in standalone mode

It is as yet unknown what these glyphs indicate with certainty.

Some further archaeology finds:

		// when an action is not supported in standalone mode and when
		// using a nosql.DB backend, actions are not supported
		if _, ok := admin.MustFromContext(r.Context()).(*nosql.DB); ok {
			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType,
				"operation not supported in standalone mode"))
			return
		}

I think this actually means "this feature isn't available in the open source release and the docs could be clearer".

In the end I managed to hack things up by creating a provisioner like this:

echo "${PASSWORD}" | step ca provisioner add "${PROVISIONER_NAME}" \
    --type JWK \
    --ssh \
    --create \
    --password-file <(echo "${PASSWORD}") \
    --ca-url "${CA_URL}"

and adding enableAdmin: true to ca.json inside the authority: {} block seemed to work. I did spend hours on this and surely forgot some other bit, alas. One advantage of doing ~everything via Ansible is at least whatever I did is now encoded in some horrific shell script rather than only in my shell history.
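The "surgery on ca.json" mentioned for the unmarshal error, and the enableAdmin: true edit inside the authority block just above, are the same change, and it is the kind of thing you want to be idempotent when it lives in an Ansible role. The script below is an added example, not from the original post or from Smallstep: it sets authority.enableAdmin (the key that step ca init --remote-management would have written) and leaves every other field in the file alone, writing through a temp file and rename so a crash cannot leave a truncated ca.json behind. The sample config, its paths and the provisioner name are constructed placeholders, not a real CA. You still need to restart step-ca after the edit for it to take effect.

```python
"""Idempotent edit of a step-ca ca.json to enable the admin API (remote management).

Added example, not code from the post or from Smallstep. It performs the manual
edit the post describes: authority.enableAdmin = true, nothing else touched.
"""
import json
import os
import tempfile
from typing import Tuple

# Constructed sample ca.json: placeholder paths and names, not a real CA.
SAMPLE_CA_JSON = """{
  "root": "/etc/step-ca/certs/root_ca.crt",
  "crt": "/etc/step-ca/certs/intermediate_ca.crt",
  "key": "/etc/step-ca/secrets/intermediate_ca_key",
  "address": ":8443",
  "dnsNames": ["ca.example.invalid"],
  "db": {"type": "badgerv2", "dataSource": "/etc/step-ca/db"},
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "bootstrap-provisioner-placeholder"}
    ]
  }
}"""


def parse_ca_json(text: str) -> dict:
    """Parse ca.json text; a syntax error here is better than a half-edited file."""
    return json.loads(text)


def remote_management_enabled(cfg: dict) -> bool:
    """True when authority.enableAdmin is set, i.e. the admin API will be served."""
    return bool(cfg.get("authority", {}).get("enableAdmin", False))


def enable_remote_management(cfg: dict) -> Tuple[dict, bool]:
    """Return (new_cfg, changed). Only authority.enableAdmin is touched; caller's dict is not mutated."""
    if remote_management_enabled(cfg):
        return cfg, False
    new_cfg = json.loads(json.dumps(cfg))  # cheap deep copy of plain JSON data
    new_cfg.setdefault("authority", {})["enableAdmin"] = True
    return new_cfg, True


def patch_ca_json(path: str) -> bool:
    """Enable the admin API in the ca.json at `path`; return True if the file changed.

    The new content goes to a temp file in the same directory and is renamed over the
    original, so a crash mid-write leaves either the old or the new file, never a torn one.
    The original file mode is preserved (secrets paths live in here; keep it private).
    """
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    new_cfg, changed = enable_remote_management(cfg)
    if not changed:
        return False
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(prefix="ca.json.", dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(new_cfg, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def demo_patch_file() -> Tuple[bool, bool]:
    """Write the constructed sample to a temp dir and patch it twice: (changed, changed_again)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.json")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CA_JSON)
        first = patch_ca_json(path)
        second = patch_ca_json(path)  # idempotent: nothing to do on the second pass
        return first, second


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("changed:", patch_ca_json(sys.argv[1]))
    else:
        print("dry run on constructed sample, (changed, changed_again) =", demo_patch_file())
```

Run it with the real path as the only argument (on a stock install that is usually $(step path)/config/ca.json, and the process must be able to write there); with no argument it exercises itself on the constructed sample. Because it reports whether anything changed, it slots into an Ansible task with changed_when driven by its output instead of rewriting the file on every run.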