"step ca" in docker doesn't trust itself

[kiler129]

I'm pulling my hair for two days and nothing seems to be working correctly - I believe I'm missing something small.

The core of the issue is that after following the intermediate CA (medium way) tutorial step no longer trusts itself (?!):

host$ docker run -d -p 127.0.0.1:9000:9000 -v $(pwd)/ca/:/home/step --name test-ca smallstep/step-ca
host$ docker exec -it test-ca sh
guest$ step ca certificate localhost srv.crt srv.key
client GET https://localhost:9000/provisioners?limit=100 failed: Get "https://localhost:9000/provisioners?limit=100": x509: certificate signed by unknown authority

---

My CA config seems to contain all elements (i.e. intermediate CA and no root key):

ca/
├── certs
│   ├── intermediate_ca.crt
│   └── root_ca.crt
├── config
│   ├── ca.json
│   └── defaults.json
├── db
│   ├── 000000.vlog
│   ├── 000034.sst
│   ├── LOCK
│   └── MANIFEST
├── secrets
│   ├── intermediate_ca_key
│   └── password
└── templates

How come the step trusts just-generated CA after step ca init but it does not after replacing intermediate_ca.crt and root_ca.crt?

[maraino]

On your guest host, you need to have the actual root ca in $STEPPATH/certs/root_ca.crt, by default it would be ~/.step/certs/root_ca.crt.

If you replaced the root certificate you will need to bootstrap again your environment, to do this you need to first get the fingerprint of the new root_ca.crt, you can do this with step certificate fingerprint root_ca.crt

Then to re-bootstrap your guest host you just do:

step ca bootstrap --ca-url https://ca-url:9000 --fingerprint xyz...

At this moment step will download the root from https://ca-url:9000/1.0/root/xyz... and validate the fingerprint with the one you provided. This is how you trust the new generated CA.