failed to connect: x509: certificate signed by unknown authority

[M96268004]

Hi there,

I following the post "https://smallstep.com/blog/diy-single-sign-on-for-ssh/" to configure a SSO SSH environment and all went well, but it is not that convenient when configuring a new host or client when the root CA's fingerprint is not around or forget to copy it, so I try to use
step certificate fingerprint https://myca.domain.com
to retrieve my CA's fingerprint, but it returns failed to connect: x509: certificate signed by unknown authority
which is not the case when I run
step certificate fingerprint https://smallstep.com

So, would like to know if I misconfigure something, or are there any other configurations I need to do before I can retrieve my CA's fingerprint using the command? Or if there is a procedure that I can follow?

Thanks,
B/R

[maraino]

Hi @M96268004,

smallstep.com uses a certificate chain that is signed by a public CA, and your OS knows about them, to use get the fingerprint of a X509 certificate not signed by a public CA you can do one of these things:

• Pass the root certificate with the flag --roots root-ca.crt
• Use the --insecure flag to avoid the certificate validation

[maraino]

Another option is to install your private root certificate in you system using step certificate install root_ca.crt

[M96268004]

Hi @maraino
Thanks for the reply, it really helps.
Also would like to know if there is a way that I can get the CA's Root fingerprint via another machine that has not yet download the root_ca.cer file using step-cli or I have to distribute the CA's root fingerprint for other users to bootstrap with CA?

Thanks,
B/R

[maraino]

There is, but it's "insecure", we recommend distributing the fingerprint. But you can do this with this:

step certificate fingerprint <(curl -k -s  https://ca.example.com/1.0/roots | jq -r '.crts[0]' | sed -r '/^\s*$/d')

Note that we're using curl instead of step ca roots because the later requires the root certificate in your step path.

[mmalone]

The tricky part here is that the fingerprint needs to come from a trusted and authenticated source. There are three common ways this is accomplished:

1. Use SSH
2. Use "Web PKI" TLS
3. Bake the fingerprint into base images

These are broad buckets. Under "use SSH" it could be something as simple as you SSHing into a new VM and manually bootstrapping. Or it could be something more complex like Ansible or Puppet using SSH under the hood.

For Web PKI, you could serve your fingerprint from a static website that you control and retrieve it using HTTPS. This could be something as simple as an S3 bucket containing a static file. If you serve the right file format, you can use step to boostrap this way by passing the --team-url to step ca boostrap and pointing it at a URL serving a file that looks like this:

{"url":"https://ca.example.org","fingerprint":"d9d0978692f1c7cc791f5c343ce98771900721405e834cd27b9502cc719f5097"}

Finally, you could bake the fingerprint (or the root cert itself) into AMIs or container images. This is relatively easy to accomplish in a containerized infrastructure. It's harder for VMs. This is how Web PKI works: the root certificates are distributed with your operating system.

Keep in mind that root certificate distribution is security sensitive. An attacker with the ability to reconfigure your infrastructure to trust a CA that they control is pretty catastrophic. Your best bet is to use a simple mechanism that you understand well.

[M96268004]

@maraino @mmalone
Thanks for the answers and tips, I actually going to the route to hard-coded the fingerprint into the host images and deliver the root-ca's fingerprint via another channel to the end-user, so if the root-ca changed, I can using Ansible to bootstrap with a new fingerprint on all servers and provide a new fingerprint to the end-user.
Thank you guys, you're awesome.