@@ -0,0 +1,99 @@
+ <!DOCTYPE html>
+ <html lang="en" xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <title>Containerized Self-Hosted ACME Server with Step-CA in Docker</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+ <meta charset="UTF-8">
+ <meta name="keywords" content="Home Lab,Home Lab Ideas,Install Guide,Self-Hosted,ACME,Certificate Authority,Certificates,Encryption,HTTPS,IT Security,Let's Encrypt,Let's Encrypt Alternative,Linux,PKI,Public Key Infrastructure,SSL Certificates,Self-Hosted Let's Encrypt,Self-Signed,Self-Signed HTTPS,Self-Signed PKI,Self-Signed SSL,Container,Containerization,Docker,Docker How To,Docker Made Easy,Docker Tutorial,Docker Installation Tutorial,Docker Simplified,How To,Tutorial,i12bretro">
+ <meta name="author" content="i12bretro">
+ <meta name="description" content="Containerized Self-Hosted ACME Server with Step-CA in Docker">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta name="revised" content="05/14/2023 06:51:16 AM" />
+ <link rel="icon" type="image/x-icon" href="includes/favicon.ico">
+ <script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
+ <script type="text/javascript" src="includes/js/steps.js"></script>
+ <link href="css/steps.css" rel="stylesheet" type="text/css" />
+ </head>
+ <body>
+ <div id="gridContainer">
+ <div class="topMargin"></div>
+ <div id="listName" class="topMargin">
+ <h1>Containerized Self-Hosted ACME Server with Step-CA in Docker</h1>
+ </div>
+ <div></div>
+ <div id="content">
+ <h2>What is Step-CA?</h2>
+
+<blockquote><em>[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. -<a href="https://github.com/smallstep/certificates" target="_blank">https://github.com/smallstep/certificates</a></em></blockquote>
+
+<h2>Installing Docker</h2>
+
+<ol>
+ <li>Log into the Linux based device</li>
+ <li>Run the following commands in the terminal
+ <div class="codeBlock"># install prerequisites<br />
+ sudo apt install apt-transport-https ca-certificates curl software-properties-common gnupg-agent -y<br />
+ # add docker gpg key<br />
+ curl -fsSL https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release)/gpg | sudo apt-key add -<br />
+ # add docker software repository<br />
+ sudo add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release) $(lsb_release -cs) stable"<br />
+ # install docker<br />
+ sudo apt install docker-ce docker-compose containerd.io -y<br />
+ # enable and start docker service<br />
+ sudo systemctl enable docker && sudo systemctl start docker<br />
+ # add the current user to the docker group<br />
+ sudo usermod -aG docker $USER<br />
+ # reauthenticate for the new group membership to take effect<br />
+ su - $USER</div>
+ </li>
+</ol>
+
+<h2>Running Step-CA Server</h2>
+
+<ol>
+ <li>Continue with the following commands in a terminal window
+ <div class="codeBlock"># create a working directory<br />
+ mkdir ~/docker/step-ca -p<br />
+ # start the step-ca container<br />
+ # change the INIT_NAME and DNS_NAMES variables as needed<br />
+ docker run -d --name=step-ca -v ~/docker/step-ca:/home/step -p 9000:9000 -e DOCKER_STEPCA_INIT_NAME="i12bretro Certificate Authority" -e DOCKER_STEPCA_INIT_DNS_NAMES="$(hostname -f)" smallstep/step-ca<br />
+ # enable the acme provisioner<br />
+ docker exec -it step-ca step ca provisioner add acme --type ACME<br />
+ # restart the step-ca container<br />
+ docker restart step-ca</div>
+ </li>
+</ol>
+
+<h2>Automating Certificate Requests</h2>
+
+<ol>
+ <li>Log into the server needing to request a certificate</li>
+ <li>Continue following commands in a terminal window
+ <div class="codeBlock"># if on a remote server from the docker host, copy the root-ca.crt file<br />
+ scp <%user%>@<%dockerhostDNSorIP%>:~/docker/step-ca/certs/root_ca.crt ~/root_ca.crt<br />
+ # remove apt version of certbot if installed<br />
+ sudo apt remove certbot -y<br />
+ # install snapd<br />
+ sudo apt install snapd -y<br />
+ # install snap core and update<br />
+ sudo snap install core; sudo snap refresh core<br />
+ # install certbot snap<br />
+ sudo snap install --classic certbot<br />
+ # create certbot symbolic link<br />
+ sudo ln -s /snap/bin/certbot /usr/bin/certbot<br />
+ # request the certificate<br />
+ sudo REQUESTS_CA_BUNDLE=~/root_ca.crt certbot certonly --standalone -d <%host-DNS-name%> --server https://<%step-ca-docker-host%>:9000/acme/acme/directory</div>
+ </li>
+ <li>When prompted, enter an email address and agree to the terms of service</li>
+ <li>Choose whether to share your email and receive emails from certbot</li>
+ <li>Certbot will output information regarding the location of the certificate files</li>
+</ol>
+
+<p>Documentation: <a href="https://hub.docker.com/r/smallstep/step-ca" target="_blank">https://hub.docker.com/r/smallstep/step-ca</a></p>
+
+<p>Sources: <a href="https://certbot.eff.org/instructions?ws=other&os=debianbuster" target="_blank">https://certbot.eff.org/instructions?ws=other&os=debianbuster</a><br />
+<a href="https://smallstep.com/docs/tutorials/acme-challenge/" target="_blank">https://smallstep.com/docs/tutorials/acme-challenge/</a></p> </div>
+ </div>
+ </body>
+ </html>
+
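Review bot: the certificate request at the end of the "Automating Certificate Requests" block only succeeds if the host name in `--server https://<%step-ca-docker-host%>:9000/acme/acme/directory` is one of the names the CA was initialised with in the `docker run` line (`-e DOCKER_STEPCA_INIT_DNS_NAMES="$(hostname -f)"`); the comment says to change DNS_NAMES "as needed" but never states that the `--server` name must match, and on a mismatch certbot fails TLS verification even though `REQUESTS_CA_BUNDLE=~/root_ca.crt` points at the right root. Suggest saying so next to the `docker run` command, and adding that `certbot certonly --standalone -d <%host-DNS-name%>` binds port 80 on the requesting host for the HTTP-01 challenge, so `<%host-DNS-name%>` must resolve from inside the step-ca container, the container must be able to reach that host on port 80, and nothing else may be listening on port 80 during the request. The comment `# if on a remote server from the docker host, copy the root-ca.crt file` calls the file `root-ca.crt` while the `scp` path uses `root_ca.crt`; the path is the correct one. Two further points for a page filed under IT Security: `curl ... | sudo apt-key add -` is deprecated by apt and makes the Docker signing key trusted for every configured repository, whereas Docker's current instructions store the key under `/etc/apt/keyrings` and reference it with `signed-by=` in the sources entry so it only signs the Docker repository; and `<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js">` loads third-party script with no `integrity` attribute, so either pin it with Subresource Integrity or serve it locally the way `includes/js/steps.js` is served. Finally, the bind mount `-v ~/docker/step-ca:/home/step` is where the container writes the CA's private keys and the generated CA password alongside `certs/root_ca.crt`, so the step that copies `root_ca.crt` out of it should warn readers to keep that directory readable only by the owner and to copy nothing but the root certificate to clients.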