Score:1

SmallStep step-ca and Traefik - could not connect to validation target


I'm trying to set up a Let's Encrypt-type service in a private network with the Smallstep step-ca and Traefik, and I'm stuck because step-ca fails to validate the certificate request from Traefik.

Here is what I have done so far.

I launched a step-ca service in a Docker container as explained in this documentation, on a server with IP "172.16.4.5". I've also followed this documentation to add the ACME entry point.

On another server, "172.16.4.4", I launched a docker-compose configuration with Traefik 2.4 and a "whoami" service (like the official example here).

All internal domain names are served by a private DNS server, and each server resolves domain names without problem.

The server and the step-ca container can reach the server 172.16.4.4 on ports 80 and 443. The server 172.16.4.4 and the Traefik container can reach 172.16.4.5. I installed in the Traefik container the root certificate generated by step-ca during its initialization.

I've set up Traefik to use the TLS challenge. Traefik initialises the challenge and, I don't know why, step-ca raises an error: {"type":"urn:ietf:params:acme:error:connection","detail":"The server could not connect to validation target"}

Below is the full error raised by step-ca:

INFO[0126]     duration=63.427116ms duration-ns=63427116 fields.time="2021-07-13T09:55:33Z" method=POST name=ca nonce=XX path=/acme/company.int/authz/XX protocol=HTTP/1.1 referer= remote-address=172.16.4.4 request-id=xx response="{\"identifier\":{\"type\":\"dns\",\"value\":\"whoami.company.int\"},\"status\":\"pending\",\"challenges\":[{\"type\":\"dns-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\"},{\"type\":\"http-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\"},{\"type\":\"tls-alpn-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\",\"error\":{\"type\":\"urn:ietf:params:acme:error:connection\",\"detail\":\"The server could not validation target\"}}],\"wildcard\":false,\"expires\":\"2021-07-14T09:54:24Z\"}" size=872 status=200 user-agent="containous-traefik/2.4.8 xenolf-acme/4.3.1 (release; linux; amd64)" user-id=

Here is the Traefik config.toml:

[api]
  insecure = true
  dashboard = true
  debug = true

[certificatesResolvers]
  [certificatesResolvers.myresolver]
    [certificatesResolvers.myresolver.acme]
      caServer = "https://acme.company.int:9000/acme/company.int/directory"
      email = "[email protected]"
      storage = "/etc/traefik/acme/acme.json"
      [certificatesResolvers.myresolver.acme.tlsChallenge]

[providers]
  [providers.docker]
    watch = true
    network = "traefik_webgateway"
    swarmmode = false
    exposedbydefault = false
  [providers.file]
    filename = "traefik.toml"
    directory = "/etc/traefik"

Here is the /home/step/config/ca.json for the step-ca service:

{
    "root": "/home/step/certs/root_ca.crt",
    "federatedRoots": [],
    "crt": "/home/step/certs/intermediate_ca.crt",
    "key": "/home/step/secrets/intermediate_ca_key",
    "address": ":9000",
    "insecureAddress": "",
    "dnsNames": [
        "acme.company.int"
    ],
    "authority": {
        "provisioners": [
            {
                "type": "JWK",
                // [...] (other fields of this provisioner elided in the original post)
                "encryptedKey": "xxx"
            },
            {
                "type": "ACME",
                "name": "company.int",
                "forceCN": true,
                "claims": {
                    "maxTLSCertDuration": "2160h0m0s",
                    "defaultTLSCertDuration": "2160h0m0s"
                }
            },
            {
                "type": "ACME",
                "name": "acme"
            }
        ],
        "template": {},
        "backdate": "1m0s"
    },
    "tls": {
        "cipherSuites": [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ],
        "minVersion": 1.2,
        "maxVersion": 1.3,
        "renegotiation": false
    }
}
Score:0

Just a parameter issue.

I used to start the step-ca service with the parameter --resolver with the IP of the DNS server. But you need to add the port of the DNS server, or step-ca will fail to look up the domain name.

So the answer to my problem is just to add :53 at the end of the IP, like this:

step-ca --resolver="10.14.2.2:53"
Halex
My understanding is that you run step-ca in a Docker container, so how are you starting step-ca with the custom parameter? Have you modified the original image? I would be grateful if you would elaborate on the explanation of the solution a little. I am having the same problem, and maybe someone else stumbles upon it later and it would certainly be helpful.
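The two things that decide whether step-ca can complete the TLS-ALPN-01 challenge described in the question are the ones the answer touches: the CA must be able to resolve the identifier through the resolver it was given (host and port), and it must then reach the identifier on TCP 443 with ALPN acme-tls/1 and get back a self-signed certificate carrying the acmeIdentifier extension. The script below is an added example written for this thread, not code from step-ca, Traefik or either poster: it rejects a --resolver value without a port (the fix in the answer), performs the A lookup against that resolver with a hand-built DNS packet, and probes the target the way a CA would. The hostname whoami.company.int, the resolver 10.14.2.2:53 and the address 172.16.4.4 are taken from the thread; the DNS reply used for the offline demonstration is constructed.

```python
"""Pre-flight check for an ACME TLS-ALPN-01 target, run from the CA's side.

Assumptions (this is example code, not step-ca's or Traefik's own): the
resolver is given as host:port as the answer requires, and the identifier
being validated listens on TCP 443 as it does in the thread.
"""
import socket
import ssl
import struct
import sys

ACME_TLS_ALPN = "acme-tls/1"
# DER encoding of OID 1.3.6.1.5.5.7.1.31 (id-pe-acmeIdentifier, RFC 8737);
# a valid challenge certificate carries this extension.
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")
TXID = 0x1234  # constructed transaction id, reused by the offline sample below


def parse_resolver(value):
    """Split a --resolver value into (host, port). The port is mandatory:
    a bare "10.14.2.2" is rejected, mirroring the fix in the answer."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"resolver {value!r} must be host:port, e.g. 10.14.2.2:53")
    return host, int(port)


def build_a_query(name, txid=TXID):
    """Build a minimal DNS A/IN query packet with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(response, txid=TXID):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS lookup failed, rcode={flags & 0x000F}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, resolver, timeout=3.0):
    """Ask the given host:port resolver for A records over UDP."""
    host, port = parse_resolver(resolver)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (host, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data)


def probe_tls_alpn(ip, hostname, port=443, timeout=5.0):
    """Connect the way a CA does for TLS-ALPN-01: SNI set to the identifier,
    ALPN acme-tls/1 offered; report the negotiated ALPN and whether the
    presented certificate carries the acmeIdentifier extension."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols([ACME_TLS_ALPN])
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            alpn = tls.selected_alpn_protocol()
            cert_der = tls.getpeercert(binary_form=True)
    return {"alpn": alpn, "has_acme_identifier": ACME_IDENTIFIER_OID_DER in cert_der}


def sample_response():
    """Constructed DNS reply (offline sample data): whoami.company.int A 172.16.4.4."""
    query = build_a_query("whoami.company.int")
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("172.16.4.4")
    return header + query[12:] + answer


if __name__ == "__main__":
    print("offline sample:", parse_a_answers(sample_response()))
    if len(sys.argv) == 3:  # usage: python3 check.py whoami.company.int 10.14.2.2:53
        name, resolver = sys.argv[1], sys.argv[2]
        for ip in resolve_a(name, resolver):
            print(ip, probe_tls_alpn(ip, name))
```

Run it on the CA host (or inside the step-ca container) with the identifier and the same resolver value passed to step-ca: a ValueError on the resolver string, a DNS rcode error, or a connection failure on 443 each points at a different cause of "could not connect to validation target", and a handshake that succeeds without acme-tls/1 or without the acmeIdentifier extension means the request reached something other than Traefik's challenge listener.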