[Bug]: Acme 404 page not found #2052

@vivekreddy94

Description

Steps to Reproduce

The idea is to set up an intermediate CA using stepca on an OpenShift cluster. So I have got a certificate signed by our root Microsoft PKI server. Everything works fine, except the ACME provisioner. I can see it being listed via step ca provisioner list, but when I try to reach the ACME directory, I always receive 404 page not found.

Deployment file is below

apiVersion: apps/v1
kind: Deployment
metadata:
  name: step-ca
  namespace: stepca
spec:
  replicas: 1
  selector:
    matchLabels:
      app: step-ca
  template:
    metadata:
      labels:
        app: step-ca
    spec:
      serviceAccountName: step-ca
      containers:
        - name: step-ca
          image: smallstep/step-ca:latest
          ports:
            - containerPort: 443
          securityContext:
            runAsUser: 0 
          volumeMounts:
            - name: ca-json
              mountPath: /home/step/config/ca.json
              subPath: ca.json
              #readOnly: true
            - name: certs
              mountPath: /home/step/certs
              readOnly: true
            - name: secrets
              mountPath: /home/step/secrets
              readOnly: true
      volumes:
        - name: ca-json
          configMap:
            name: step-ca-config
            items:
              - key: ca.json
                path: ca.json
        - name: certs
          secret:
            secretName: step-ca-secrets
            items:
              - key: root_ca.crt
                path: root_ca.crt
              - key: intermediate_ca.crt  # Renamed in the Secret as needed
                path: intermediate_ca.crt
        - name: secrets
          secret:
            secretName: step-ca-secrets
            items:
              - key: intermediate_ca_key
                path: intermediate_ca_key
              - key: password
                path: password

Configmap for ca.json file

apiVersion: v1
kind: ConfigMap
metadata:
 name: step-ca-config
 namespace: stepca
data:
 ca.json: |
   {
     "root": "/home/step/certs/root_ca.crt",
     "federatedRoots": null,
     "crt": "/home/step/certs/intermediate_ca.crt",
     "key": "/home/step/secrets/intermediate_ca_key",
     "address": ":443",
     "insecureAddress": "",
     "dnsNames": [
       "stepca.mydomain.corp"
     ],
     "logger": {
       "format": "text"
     },
     "authority": {
       "provisioners": [
         {
           "type": "JWK",
           "name": "admin",
           "key": {
             "use": "sig",
             "kty": "EC",
             "kid": "<kid>",
             "crv": "P-256",
             "alg": "ES256",
             "x": "N7h0_LZ0mx6DDRLm1uHQEx15bNrX5sta1WAiBkcI8vs",
             "y": "ognNSi-E8GEc44eMWvFETEZy5ay8SC_UQzxvIqMngF8"
           },
           "encryptedKey": "<encrypted key>"
         },
         {
           "type": "ACME",
           "name": "acme",
           "claims": {
             "maxTLSCertDuration": "24h0m0s"
           }
         }
       ],
       "template": {},
       "backdate": "1m0s"
     },
     "tls": {
       "cipherSuites": [
         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
       ],
       "minVersion": 1.2,
       "maxVersion": 1.3,
       "renegotiation": false
     },
     "commonName": "Step Online CA"
   }

All my certs and keys are stored as secrets and mounted.

step-ca-56597c9cc5-kt8ls:/home/step# curl -k https://localhost:443/health
{"status":"ok"}
step-ca-56597c9cc5-kt8ls:/home/step# curl -k https://localhost:443/acme/acme/directory
404 page not found
step-ca-56597c9cc5-kt8ls:/home/step# curl --cacert /home/step/certs/root_ca.crt https://stepca.mydomain.corp/health
{"status":"ok"}
step-ca-56597c9cc5-kt8ls:/home/step# curl --cacert /home/step/certs/root_ca.crt https://stepca.mydomain.corp/acme/acme/directory
404 page not found
step-ca-56597c9cc5-kt8ls:/home/step# step ca provisioner list --ca-url https://stepca.mydomain.corp
[
{
"type": "JWK",
"name": "admin",
"key": {
"use": "sig",
"kty": "EC",
"kid": "kid",
"crv": "P-256",
"alg": "ES256",
"x": "N7h0_LZ0mx6DDRLm1uHQEx15bNrX5sta1WAiBkcI8vs",
"y": "ognNSi-E8GEc44eMWvFETEZy5ay8SC_UQzxvIqMngF8"
},
"encryptedKey": "encrypted key"
},
{
"type": "ACME",
"name": "acme",
"claims": {
"maxTLSCertDuration": "24h0m0s"
}
}
]

step-ca-56597c9cc5-kt8ls:/home/step# step ca certificate --provisioner acme example.com example.crt example.key --ca-url https://stepca.mydomain.corp
✔ Provisioner: acme (ACME)
b = 404 page not found

error initializing ACME client with server https://stepca.apps.ocp-poc.core.dev.infinity.airbus.corp/acme/acme/directory: 404 page not found

Note: I am able to create a certificate with the 'jwk' type with no issue.

Your Environment

  • OS -
    step-ca-56597c9cc5-kt8ls:/home/step# cat /etc/os-release
    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.20.3
    PRETTY_NAME="Alpine Linux v3.20"
    HOME_URL="https://alpinelinux.org/"
    BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

  • step-ca Version -
    step-ca-56597c9cc5-kt8ls:/home/step# step-ca version
    Smallstep CA/0.28.0 (linux/amd64)
    Release Date: 2024-10-30 00:21 UTC

Expected Behavior

Able to reach the ACME directory URL, i.e. https://domain.com/acme/<acme_provisioner>/directory

Actual Behavior

When I try to reach the directory URL, I receive 404 page not found.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
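
A check for the configuration shown in this report, added here as an example (not code from the issue or from the step-ca project): step-ca mounts its `/acme` routes only when `ca.json` contains a `db` block, and the posted ca.json has none, which matches a provisioner that is listed but whose directory returns 404. The function names, the trimmed sample and the `/home/step/db` path are assumptions.

```python
import json

# Constructed sample: the reported ca.json reduced to the fields this check
# reads (one JWK and one ACME provisioner, no "db" block).
SAMPLE_CA_JSON = """
{
  "address": ":443",
  "dnsNames": ["stepca.mydomain.corp"],
  "authority": {"provisioners": [
    {"type": "JWK", "name": "admin"},
    {"type": "ACME", "name": "acme"}
  ]}
}
"""

def check_acme_config(raw):
    """Return (directory_urls, findings) for a step-ca ca.json document."""
    cfg = json.loads(raw)
    provisioners = (cfg.get("authority") or {}).get("provisioners") or []
    acme = [p["name"] for p in provisioners if p.get("type", "").upper() == "ACME"]
    host = (cfg.get("dnsNames") or ["<ca-host>"])[0]
    port = (cfg.get("address") or "").rpartition(":")[2]
    authority = host if port in ("", "443") else f"{host}:{port}"
    # Directory path layout as used in the report: /acme/<provisioner>/directory
    urls = [f"https://{authority}/acme/{name}/directory" for name in acme]
    findings = []
    db = cfg.get("db")
    if acme and not db:
        findings.append("ACME provisioner configured but no db block: "
                        "ACME routes are not mounted, directory returns 404")
    elif acme and not (db.get("type") and db.get("dataSource")):
        findings.append("db block is missing type or dataSource")
    return urls, findings

def with_db(raw, data_source="/home/step/db"):
    """Same config plus a badgerv2 db block; the data path is an assumption."""
    cfg = json.loads(raw)
    cfg["db"] = {"type": "badgerv2", "dataSource": data_source}
    return json.dumps(cfg, indent=2)

if __name__ == "__main__":
    for label, doc in (("as reported", SAMPLE_CA_JSON),
                       ("with db block", with_db(SAMPLE_CA_JSON))):
        urls, findings = check_acme_config(doc)
        print(label, urls, findings or "ok")
```

The Deployment in the report mounts only the ConfigMap and the read-only Secret volumes, so a `db` path would also need a writable, persistent volume.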
