Hamish Fleming


Create Your Own Certificate Authority for Traefik SSL using Step CA

Introduction

In this post, I will show you how to create your own Certificate Authority (CA) for Traefik TLS. This is a very useful tool to have, as it lets you issue certificates for your home lab or development environment without involving a public CA. The post also covers how to have your Traefik reverse proxy obtain its certificates automatically from a containerised Step-CA instance, using its ACME provisioner.

What is Traefik?

Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, …) and configures itself automatically and dynamically. Point Traefik at your orchestrator, and it will automatically detect and manage your services.

What is Step-CA?

Step-CA is a zero trust certificate authority (CA) built on the smallstep platform. It is designed to be a simple, secure, and scalable CA that you can use to issue TLS certificates to your infrastructure. It also has an ACME provisioner which allows you to automatically generate certificates for your Traefik reverse proxy.

What is a Certificate Authority?

A Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate is a small data file that binds a public key to an entity's details (for a server, its DNS names). The most common use for digital certificates is to enable Transport Layer Security (TLS). A client accepts a certificate because it trusts the CA that signed it, which is why the CA's root certificate has to be present in every client's trust store.

Why use a Certificate Authority?

The main reason to use a Certificate Authority is to enable TLS. TLS is a cryptographic protocol that provides confidentiality, integrity and server authentication over a network. It is used to secure HTTP, FTP, SMTP, POP3, IMAP and other application protocols that run over TCP/IP.

Why use your own Certificate Authority?

Using your own Certificate Authority means that you don't have to pay for, or apply for, certificates. More importantly, a public CA will only issue certificates for names it can validate on the public Internet, so it cannot help you with hostnames such as site.myhost.local or services that are only reachable inside your network; your own CA can issue those freely. The trade-off is that only machines where you have installed your root certificate will trust them, so a private CA is for environments where you control every client (a home lab, an internal network, a development setup), not for a public website.

Step 1: Create a Docker Compose file

Create your docker-compose.yml

version: "3.9"
services:
  step-ca:
    image: smallstep/step-ca
    environment:
      # The DOCKER_STEPCA_INIT_* variables are only used if the volume holds no
      # config/ca.json yet, i.e. if you skip the manual "step ca init" below.
      DOCKER_STEPCA_INIT_NAME: Smallstep
      # Every name clients will use to reach the CA must be listed here; add
      # localhost if you want the https://localhost:9000 checks below to pass.
      DOCKER_STEPCA_INIT_DNS_NAMES: dev.local,local
      DOCKER_STEPCA_INIT_PROVISIONER_NAME: admin
      # Placeholder only. This password encrypts the CA's private keys: use a
      # long random one, and prefer the password file over the compose file.
      DOCKER_STEPCA_INIT_PASSWORD: pass123
    ports:
      - 9000:9000
    volumes:
      # /home/step is $STEPPATH inside the image: keys, certs, config and db.
      - ./data/step-ca:/home/step

Initialization of your step-ca instance

Create your data directory. The image runs as uid 1000 (the step user), so the mounted directory must be owned by that uid:

mkdir -p "$PWD/data/step-ca" && sudo chown -R 1000:1000 "$PWD/data/step-ca"

Initialize your step-ca instance. This is interactive: it asks for the CA name, the DNS names clients will use to reach the CA (include localhost for the checks below), the listen address (:9000), the name of the first provisioner and a password. The password encrypts the root and intermediate private keys, so do not lose it. Because this writes config/ca.json into the volume, the container will not re-initialise from the DOCKER_STEPCA_INIT_* variables afterwards.

docker run --rm -it -v "$PWD/data/step-ca:/home/step" smallstep/step-ca step ca init

Add your password. It must be the same password you entered during step ca init, because the container's entrypoint passes this file to step-ca to decrypt the intermediate key at startup. Quote it so the shell does not interpret it (the command still ends up in your shell history, so clear that afterwards if you care), and keep the file readable by the step user only:

echo '<your password here>' | sudo tee "$PWD/data/step-ca/secrets/password" > /dev/null
sudo chown 1000:1000 "$PWD/data/step-ca/secrets/password"
sudo chmod 600 "$PWD/data/step-ca/secrets/password"

Start your step-ca Instance:

docker-compose up -d step-ca


While step ca init runs it prints the summary below. Save the root fingerprint somewhere: it is the value you will pin when bootstrapping clients later.

Generating root certificate...
all done!

Generating intermediate certificate...
all done!

✔ Root certificate: /home/step/certs/root_ca.crt
✔ Root private key: /home/step/secrets/root_ca_key
✔ Root fingerprint: f032205...
✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/step/secrets/intermediate_ca_key
✔ Database folder: /home/step/db
✔ Default configuration: /home/step/config/defaults.json
✔ Certificate Authority configuration: /home/step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.


Then open https://localhost:9000/health to make sure the service is running; it returns {"status":"ok"}. Your browser will warn about an untrusted certificate until the root is installed in your trust store in the steps below.

Enable ACME provisioner

docker-compose exec step-ca step ca provisioner add acme --type ACME
docker-compose restart step-ca

The provisioner is named acme, so its ACME directory is https://localhost:9000/acme/acme/directory (the path is /acme/<provisioner-name>/directory); that is the URL an ACME client such as Traefik points at. The CA is restarted so that it picks up the new provisioner.

Add CA to your development environment

step ca bootstrap --ca-url https://localhost:9000 --install --fingerprint <fingerprint-acquired>

EG:

step ca bootstrap --ca-url https://localhost:9000 --install --fingerprint f0322055102894cae067c9e23ed3139f670f39c54233a5012f2c723614868d58

This configures the step CLI on your computer to use the new CA: it downloads the root certificate and checks it against the fingerprint you pass, so the fingerprint is the trust anchor and must not be skipped. With --install it also adds the root certificate to your computer's trust store.

Check that the CA is now trusted. This curl must succeed without -k and print {"status":"ok"}; a certificate error here means the root was not installed, or the CA's server certificate does not list localhost among its DNS names.

curl https://localhost:9000/health

Create a sample certificate. This uses the admin JWK provisioner created at init, so it prompts for the provisioner password; the certificate is valid for 24 hours by default (see the --not-after flag).

step ca certificate site.myhost.local site_home_local.crt site_home_local.key
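The bring-up steps above (data directory, init, password file, start, ACME provisioner, bootstrap) collected into one script, as an added example that is not part of the original post. It replaces the interactive prompts with step ca init flags and the fixed pass123 with a random password, and it assumes the post's paths and names (./data/step-ca, port 9000, provisioner admin, ACME provisioner acme, compose service step-ca) plus the current step CLI flags such as --deployment-type. The functions are kept separate so the parts that need no Docker can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the original post): the CA bring-up as one
# non-interactive script, with a random CA password instead of "pass123",
# a 0600 password file, a wait for /health and the root fingerprint captured
# for `step ca bootstrap`. Assumed: ./data/step-ca as the data dir, port 9000,
# JWK provisioner "admin", ACME provisioner "acme", compose service "step-ca".
# Run with: STEPCA_SETUP_RUN=1 sh setup-ca.sh
set -eu

DATA_DIR="${DATA_DIR:-$PWD/data/step-ca}"
CA_URL="${CA_URL:-https://localhost:9000}"

# 32 alphanumeric characters from the kernel CSPRNG (about 190 bits of entropy).
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Write the file the image entrypoint passes as --password-file. It decrypts
# the intermediate key, so it is owner-only, has no trailing newline and
# belongs to uid 1000 (the "step" user inside the container).
write_password_file() {
  dir="$1"; pw="$2"
  mkdir -p "$dir/secrets"
  (umask 077 && printf '%s' "$pw" > "$dir/secrets/password")
  chown -R 1000:1000 "$dir"
}

# Extract the 64-hex root fingerprint from the `step ca init` banner
# ("✔ Root fingerprint: ..."); it is the value `step ca bootstrap` pins.
fingerprint_from_init_output() {
  sed -n 's/.*Root fingerprint: *\([0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Poll /health until the CA answers. -k is acceptable only here: the host
# does not trust the new root yet and we are waiting for liveness, not
# authenticating anything.
wait_for_health() {
  url="$1"; tries="${2:-30}"; i=0
  while [ "$i" -lt "$tries" ]; do
    curl -fsk "$url/health" >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 1
  done
  echo "CA at $url did not become healthy" >&2
  return 1
}

main() {
  mkdir -p "$DATA_DIR" && chown -R 1000:1000 "$DATA_DIR"
  write_password_file "$DATA_DIR" "$(gen_password)"
  # Same init as the post, driven by flags so it needs no TTY. The DNS names
  # are every name a client will use: localhost for host tooling, step-ca for
  # containers on the compose network.
  init_out="$(docker run --rm -v "$DATA_DIR:/home/step" smallstep/step-ca \
    step ca init --deployment-type standalone --name Smallstep \
    --dns localhost --dns step-ca --dns dev.local --address :9000 \
    --provisioner admin --password-file /home/step/secrets/password)"
  printf '%s\n' "$init_out"
  fp="$(printf '%s\n' "$init_out" | fingerprint_from_init_output)"
  [ -n "$fp" ] || { echo "no root fingerprint in init output" >&2; exit 1; }

  docker-compose up -d step-ca
  wait_for_health "$CA_URL"
  docker-compose exec -T step-ca step ca provisioner add acme --type ACME
  docker-compose restart step-ca
  wait_for_health "$CA_URL"

  # Pin the root by fingerprint and install it in the host trust store.
  step ca bootstrap --ca-url "$CA_URL" --fingerprint "$fp" --install
  echo "root fingerprint: $fp"
}

if [ "${STEPCA_SETUP_RUN:-0}" = "1" ]; then main; fi
```

After it finishes, the plain curl https://localhost:9000/health check from the post should pass without -k, and the password that protects the CA keys is only in ./data/step-ca/secrets/password, not in the compose file or your shell history.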

Run Traefik first

Start Traefik before the service it fronts, give it a few seconds to register with the CA over ACME, then start the whoami test service:

docker-compose up -d traefik && \
sleep 10 && \
docker-compose up -d whoami
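The compose file at the top of the post defines only step-ca; the traefik and whoami services started here are not shown. The following script, an added example and not the author's own configuration, writes a complete docker-compose.yml with all three services, wiring Traefik's ACME certificate resolver to the step-ca provisioner enabled above. The service names, the resolver name stepca, the test host whoami.dev.local, the traefik:v2.10 image and the contact email are assumptions; the Traefik flags and the LEGO_CA_CERTIFICATES variable (read by lego, Traefik's ACME client) are real.

```shell
#!/bin/sh
# Added example, not the post's own compose file: the traefik and whoami
# services that `docker-compose up -d traefik` / `... whoami` refer to, wired
# to the step-ca ACME provisioner. Assumed names: compose services step-ca,
# traefik and whoami; resolver "stepca"; test host whoami.dev.local; image
# traefik:v2.10. Run with: WRITE_COMPOSE_RUN=1 sh write-compose.sh
set -eu

# Render the compose file. Arguments: output path, ACME provisioner name.
write_compose() {
  out="$1"; prov="${2:-acme}"
  cat > "$out" <<EOF
version: "3.9"
services:
  step-ca:
    image: smallstep/step-ca
    environment:
      DOCKER_STEPCA_INIT_NAME: Smallstep
      # Every name a client uses to reach the CA must be here: localhost for
      # host tooling, step-ca for Traefik inside the compose network.
      DOCKER_STEPCA_INIT_DNS_NAMES: localhost,step-ca,dev.local
      DOCKER_STEPCA_INIT_PROVISIONER_NAME: admin
      # DOCKER_STEPCA_INIT_PASSWORD deliberately not set: either initialise
      # manually as in the post, or let the entrypoint generate one (it is
      # printed in the container log on first start).
    ports:
      - 9000:9000
    volumes:
      - ./data/step-ca:/home/step

  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # step-ca ACME directory: https://<ca>/acme/<provisioner>/directory
      - --certificatesresolvers.stepca.acme.caserver=https://step-ca:9000/acme/${prov}/directory
      - --certificatesresolvers.stepca.acme.email=admin@dev.local
      - --certificatesresolvers.stepca.acme.storage=/acme/acme.json
      - --certificatesresolvers.stepca.acme.tlschallenge=true
    environment:
      # lego must trust the private root or it refuses to talk to the CA.
      LEGO_CA_CERTIFICATES: /step/certs/root_ca.crt
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/step-ca/certs:/step/certs:ro
      - ./data/traefik:/acme
    networks:
      default:
        aliases:
          # The CA validates TLS-ALPN-01 by connecting to the requested name
          # on 443; the alias makes it resolve to Traefik on this network.
          - whoami.dev.local
    depends_on:
      - step-ca

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(\`whoami.dev.local\`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=stepca"
EOF
}

# Sanity check on the rendered file: the resolver must point at the named
# provisioner and the root must be handed to lego, otherwise ACME fails with
# TLS errors in Traefik's log. Arguments: file, provisioner name.
check_compose() {
  grep -q "caserver=https://step-ca:9000/acme/$2/directory" "$1" &&
  grep -q 'LEGO_CA_CERTIFICATES: /step/certs/root_ca.crt' "$1"
}

if [ "${WRITE_COMPOSE_RUN:-0}" = "1" ]; then
  write_compose docker-compose.yml acme && check_compose docker-compose.yml acme
fi
```

With this file in place, the sequence from the post (step-ca first, then traefik, then whoami) applies unchanged; depends_on only orders start-up, it does not wait for the CA to be healthy, hence the sleep. To test from the host, point whoami.dev.local at 127.0.0.1 in /etc/hosts and run curl https://whoami.dev.local; once your root is bootstrapped it succeeds without -k. step-ca issues 24-hour certificates by default, so watch Traefik's log for a successful renewal before relying on the setup.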