Following tutorial but in the end getting the 'regular' error message that the authenticity of host can't be established.

[VinvarLaLece]

Dear all,

I am trying to achieve having a Proxmox container running as my CA which acts as an ACME for my internal domains and as a SSH certificate handler. The use case will be that I will SSH to this container and to other containers from my laptop.

I am trying to set up SSH with STEP CA following tutorial and forum-post. The steps below results in the 'regular' error message that the authenticity of host can't be established. Could someone help me where I make the mistake?

---

I have set up two containers on Proxmox with the helper script from Proxmox Helper Scripts.
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/debian.sh)"
As long as I am testing, I allow SSH login by the root user.

One container will be running the desired CA and the other will act as my laptop. From what I understand, the Vagrant VM from the tutorial equals as my laptop.
For readability I call the container with CA step-host and the one acting as my laptop step-client for the rest of this post.
For testing I do not like to 'clog' my laptop or change configuration while I am not completely sure. Therefore, I make use of the second container instead.

I run the commands as follows (splitted by which device I run it on).

step-host
1 nano install_step.sh (see bottom of this post for the script.)
2 chmod +x install_step.sh
3 ./install_step.sh
4 cat /etc/step/certs/root_ca.crt (Use the output in command 5)
CONTINUE ON STEP-CLIENT
7 cat /etc/ssh/ssh_host_ecdsa_key.pub (Use the output in command 8)
CONTINUE ON STEP-CLIENT
11 cat /etc/step/password-provisioner (Use the output during command 12)

step-client
5 nano /usr/local/share/ca-certificates/root_ca.crt (Paste the output of command 4)
6 update-ca-certificates
CONTINUE ON STEP-HOST
8 echo "@cert-authority * _(PASTE the output of command 7)_" >> ~/.ssh/known_hosts
9 eval $(ssh-agent)
10 apt-get update && apt-get install -y --no-install-recommends curl gpg ca-certificates && curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' | tee /etc/apt/sources.list.d/smallstep.list && apt-get update && apt-get -y install step-cli
CONTINUE ON STEP-HOST
12 step ssh certificate root testuser_ecdsa --ca-url https://certificates.[redacted] --root /usr/local/share/ca-certificates/root_ca.crt
13 ssh-add -l
14 ssh root@certificates
15 ssh root@certificates.[redacted]

This has set up the step-host to listen for incoming SSH certificate validations. Also, it pointed step-client to validate SSH certificates at the step-host and with this I should be able to connect to step-host via SSH. However, running either command 14 or 15 results in

root@step-client:~# ssh root@certificates.[redacted]
The authenticity of host 'certificates.[redacted] (1[redacted])' can't be established.
ECDSA key fingerprint is SHA256:N[redacted].
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

I have no idea why the certificate does not get used (or even if this is what is going wrong). Would anyone have an idea how to solve it and make use of the SSH certificates?

---

install_step.sh

#!/usr/bin/bash

function generate_password () {
    set +o pipefail
    < /dev/urandom tr -dc A-Za-z0-9 | head -c16
    echo
    set -o pipefail
}

# Install dependencies & Step CA.
apt-get update && apt-get install -y --no-install-recommends curl gpg ca-certificates
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
    echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
    | tee /etc/apt/sources.list.d/smallstep.list
apt-get update && apt-get -y install step-cli step-ca

# Create group & user.
useradd --user-group --system --home /etc/step --shell /bin/false step

# Set up directories & files needed.
mkdir /etc/step
generate_password > /etc/step/password
generate_password > /etc/step/password-provisioner

# Instantiate Step CA
step ca init --acme --ssh --address=:443 --deployment-type=standalone --dns=1[redacted] --dns=certificates.[redacted] --name=example.com --password-file=/etc/step/password --provisioner-password-file=/etc/step/password-provisioner --provisioner=main

# Give Step CA permissions to bind to ports under 1024.
setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)

# Move Step CA from root user('s folder) to folder which can be ran be the user step.
mv $(step path)/* /etc/step
sed -i 's/root\/.step/etc\/step/g' /etc/step/config/ca.json
chown -R step:step /etc/step
rm -r /root/.step/

# Create a Systemd service to run Step CA (with user step)
cat <<EOF > /etc/systemd/system/step-ca.service
[Unit]
Description=step-ca service
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
ConditionFileNotEmpty=/etc/step/config/ca.json
ConditionFileNotEmpty=/etc/step/password
ConditionFileNotEmpty=/etc/step/password-provisioner

[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=/etc/step
WorkingDirectory=/etc/step
ExecStart=/usr/bin/step-ca config/ca.json --password-file password
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=30
StartLimitBurst=3

; Process capabilities & privileges
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

; Sandboxing
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
ReadWriteDirectories=/etc/step/db

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now step-ca
systemctl status step-ca

# Add root_ca to trust store of machine
cp /etc/step/certs/root_ca.crt /usr/local/share/ca-certificates/root_ca.crt
update-ca-certificates

# Update SSH (server) & start it.
echo -e "#The root SSH user public key used to verify SSH user certificates.\nTrustedUserCAKeys /etc/step/certs/ssh_user_key.pub\n# Path to the private key and certificate\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub" >> /etc/ssh/sshd_config
systemctl restart ssh
eval $(ssh-agent)

# Create new SSH host certificate to this device's ssh agent.
step ssh certificate certificates.[redacted] /etc/ssh/ssh_host_ecdsa_key.pub --host --sign --ca-url https://certificates.[redacted] --root /usr/local/share/ca-certificates/root_ca.crt --provisioner="main" --password-file=/etc/step/password-provisioner
ssh-add -l