I'm trying to set up a Let's Encrypt-style service in a private network with the Smallstep step-ca and traefik.
And I'm stuck because step-ca fails to validate the certificate request from traefik.
Here is what I have done so far.
I launched a step-ca service in a docker container as explained in this documentation, on a server with IP "172.16.4.5". I've also followed this documentation to add the acme entry point.
On another server, "172.16.4.4", I launched a docker-compose configuration with Traefik 2.4 and a "whoami" service (like the official example here).
All internal domain names are served by a private DNS server, and each server resolves domain names without problem.
The server and the step-ca container can reach the server 172.16.4.4 on ports 80 and 443. The server 172.16.4.4 and the traefik container can reach 172.16.4.5. I installed the root certificate generated during step-ca initialization in the traefik container.
I've set up traefik to use the TLS challenge. Traefik initialises the challenge and, I don't know why, step-ca raises an error:
{"type":"urn:ietf:params:acme:error:connection","detail":"The server could not connect to validation target"}}
Below is the full log line raised by step-ca:
INFO[0126]     duration=63.427116ms duration-ns=63427116 fields.time="2021-07-13T09:55:33Z" method=POST name=ca nonce=XX path=/acme/company.int/authz/XX protocol=HTTP/1.1 referer= remote-address=172.16.4.4 request-id=xx response="{\"identifier\":{\"type\":\"dns\",\"value\":\"whoami.company.int\"},\"status\":\"pending\",\"challenges\":[{\"type\":\"dns-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\"},{\"type\":\"http-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\"},{\"type\":\"tls-alpn-01\",\"status\":\"pending\",\"token\":\"XX\",\"url\":\"https://acme.company.int:9000/acme/company.int/challenge/XX/XX\",\"error\":{\"type\":\"urn:ietf:params:acme:error:connection\",\"detail\":\"The server could not validation target\"}}],\"wildcard\":false,\"expires\":\"2021-07-14T09:54:24Z\"}" size=872 status=200 user-agent="containous-traefik/2.4.8 xenolf-acme/4.3.1 (release; linux; amd64)" user-id=
Here is the Traefik config.toml:
[api]
  insecure = true
  dashboard = true
  debug = true
[certificatesResolvers]
  [certificatesResolvers.myresolver]
    [certificatesResolvers.myresolver.acme]
      caServer = "https://acme.company.int:9000/acme/company.int/directory"
      email = "dude@mailthings.dn"
      storage = "/etc/traefik/acme/acme.json"
      [certificatesResolvers.myresolver.acme.tlsChallenge]
[providers]
  [providers.docker]
    watch = true
    network = "traefik_webgateway"
    swarmmode = false
    exposedbydefault = false
  [providers.file]
    filename = "traefik.toml"
    directory = "/etc/traefik"
Here is the /home/step/config/ca.json for the step-ca service:
{
    "root": "/home/step/certs/root_ca.crt",
    "federatedRoots": [],
    "crt": "/home/step/certs/intermediate_ca.crt",
    "key": "/home/step/secrets/intermediate_ca_key",
    "address": ":9000",
    "insecureAddress": "",
    "dnsNames": [
        "acme.company.int"
    ],
    "authority": {
        "provisioners": [
            {
                "type": "JWK",
                // [...]
                "encryptedKey": "xxx"
            },
            {
                "type": "ACME",
                "name": "company.int",
                "forceCN": true,
                "claims": {
                    "maxTLSCertDuration": "2160h0m0s",
                    "defaultTLSCertDuration": "2160h0m0s"
                }
            },
            {
                "type": "ACME",
                "name": "acme"
            }
        ],
        "template": {},
        "backdate": "1m0s"
    },
    "tls": {
        "cipherSuites": [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ],
        "minVersion": 1.2,
        "maxVersion": 1.3,
        "renegotiation": false
    }
}
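The CA reports "could not connect to validation target", so the useful next step is to reproduce, from the step-ca host, exactly what the tls-alpn-01 validator does (RFC 8737): resolve the identifier, open TCP 443, offer ALPN "acme-tls/1" with SNI set to the identifier, and look for the critical acmeIdentifier extension in the self-signed challenge certificate. The script below is an added diagnostic example and is not part of step-ca or traefik; the hostname whoami.company.int and port 443 are assumptions taken from the question, and the DER scan is a deliberately dependency-free shortcut rather than a full X.509 parser.

```python
"""Probe a tls-alpn-01 validation target the way an ACME CA would.

Added example (not step-ca or traefik code). Run it inside the step-ca
container: `python3 probe_tls_alpn.py whoami.company.int`.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional

ACME_TLS_ALPN = "acme-tls/1"
# DER for OID 1.3.6.1.5.5.7.1.31 (id-pe-acmeIdentifier): tag 06, length 08, 8 content bytes
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")


def key_authorization_digest(token: str, jwk_thumbprint_b64url: str) -> bytes:
    """SHA-256 of the key authorization "token.thumbprint" (RFC 8555 section 8.1).
    RFC 8737 section 3 requires exactly this digest in the acmeIdentifier extension."""
    return hashlib.sha256(f"{token}.{jwk_thumbprint_b64url}".encode("ascii")).digest()


def build_acme_identifier_extension(digest: bytes) -> bytes:
    """Constructed sample: DER Extension { extnID, critical TRUE, extnValue }
    as it would appear inside a challenge certificate (used for self-tests)."""
    body = ACME_IDENTIFIER_OID_DER + b"\x01\x01\xff" + b"\x04\x22\x04\x20" + digest
    return b"\x30" + bytes([len(body)]) + body


def find_acme_identifier(cert_der: bytes) -> Optional[bytes]:
    """Crude DER scan: find the acmeIdentifier OID and return the 32-byte digest
    from the OCTET STRING that follows. Returns None if the extension is absent
    or not shaped as RFC 8737 prescribes (critical, OCTET STRING of 32 bytes)."""
    idx = cert_der.find(ACME_IDENTIFIER_OID_DER)
    if idx < 0:
        return None
    pos = idx + len(ACME_IDENTIFIER_OID_DER)
    if cert_der[pos:pos + 3] == b"\x01\x01\xff":   # critical BOOLEAN TRUE
        pos += 3
    if cert_der[pos:pos + 4] != b"\x04\x22\x04\x20":  # extnValue wrapping OCTET STRING(32)
        return None
    return cert_der[pos + 4:pos + 36]


def probe_tls_alpn(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like the CA validator: SNI = identifier, ALPN = acme-tls/1, no chain
    verification (the challenge certificate is self-signed by design)."""
    result = {"host": host, "resolved": None, "alpn": None,
              "acme_identifier": None, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_alpn_protocols([ACME_TLS_ALPN])
        with socket.create_connection((result["resolved"], port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["alpn"] = tls.selected_alpn_protocol()
                result["acme_identifier"] = find_acme_identifier(
                    tls.getpeercert(binary_form=True))
    except (OSError, ssl.SSLError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def verdict(result: dict) -> str:
    """Map the probe outcome onto the failure the CA would report."""
    if result["error"]:
        return "network/DNS: the CA cannot reach the target at all (connection error)"
    if result["alpn"] != ACME_TLS_ALPN:
        return "reachable, but acme-tls/1 was not negotiated (challenge not routed to the ACME client)"
    if result["acme_identifier"] is None:
        return "acme-tls/1 negotiated, but no acmeIdentifier extension in the certificate"
    return "looks valid: acme-tls/1 negotiated and acmeIdentifier present"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "whoami.company.int"  # assumed from the question
    outcome = probe_tls_alpn(target)
    print(outcome)
    print(verdict(outcome))
```

Run it from inside the step-ca container (the validator's own network vantage point, not the traefik host) while traefik has a challenge pending. A connection error means DNS or routing between the CA and 172.16.4.4:443 is the problem, which is what the ACME "connection" error type indicates; a successful handshake without the acme-tls/1 ALPN or the extension points instead at traefik not serving the challenge certificate for that SNI.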