Containerized Self-Hosted ACME Server with Step-CA in Docker

#ACME #StepCA #LetsEncrypt #SSL

Full steps can be found at https://i12bretro.github.io/tutorials/0749.html

What is Step-CA?

[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. - https://github.com/smallstep/certificates

Installing Docker

   01. Log into the Linux based device    02. Run the following commands in the terminal          # install prerequisites          sudo apt install apt-transport-https ca-certificates curl software-properties-common gnupg-agent -y          # add docker gpg key          curl -fsSL https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release)/gpg | sudo apt-key add -          # add docker software repository          sudo add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release) $(lsb_release -cs) stable"          # install docker          sudo apt install docker-ce docker-compose containerd.io -y          # enable and start docker service          sudo systemctl enable docker && sudo systemctl start docker          # add the current user to the docker group          sudo usermod -aG docker $USER          # reauthenticate for the new group membership to take effect          su - $USER

Running Step-CA Server

   01. Continue with the following commands in a terminal window          # create a working directory          mkdir ~/docker/step-ca -p          # start the step-ca container          # change the INIT_NAME and DNS_NAMES variables as needed          docker run -d --name=step-ca -v ~/docker/step-ca:/home/step -p 9000:9000 -e DOCKER_STEPCA_INIT_NAME="i12bretro Certificate Authority" -e DOCKER_STEPCA_INIT_DNS_NAMES="$(hostname -f)" smallstep/step-ca          # enable the acme provisioner          docker exec -it step-ca step ca provisioner add acme --type ACME          # restart the step-ca container          docker restart step-ca

Automating Certificate Requests

   01. Log into the server needing to request a certificate    02. Continue following commands in a terminal window          # if on a remote server from the docker host, copy the root-ca.crt file          scp ≪%user%≫@≪%dockerhostDNSorIP%≫:/docker/step-ca/certs/root_ca.crt ~/root_ca.crt          # remove apt version of certbot if installed          sudo apt remove certbot -y          # install snapd          sudo apt install snapd -y          # install snap core and update          sudo snap install core; sudo snap refresh core          # install certbot snap          sudo snap install --classic certbot          # create certbot symbolic link          sudo ln -s /snap/bin/certbot /usr/bin/certbot          # request the certificate          sudo REQUESTS_CA_BUNDLE=/root_ca.crt certbot certonly --standalone -d ≪%host-DNS-name%≫ --server https://≪%step-ca-docker-host%≫:9000/acme/acme/directory    03. When prompted, enter an email address and agree to the terms of service    04. Choose whether to share your email and receive emails from certbot    05. Certbot will output information regarding the location of the certificate files   Documentation:  https://hub.docker.com/r/smallstep/step-ca   Sources:  https://certbot.eff.org/instructions?ws=other&os=debianbuster  https://smallstep.com/docs/tutorials/acme-challenge/  

Connect with me and others

★ Discord: https://discord.com/invite/EzenvmSHW8 ★ Reddit: https://reddit.com/r/i12bretro ★ Twitter: https://twitter.com/i12bretro ... https://www.youtube.com/watch?v=Gksq9Tx92j0