step ssh config --roots returns x509: certificate signed by unknown authority #1865

marcheyer · 2024-05-31T07:59:09Z

marcheyer
May 31, 2024

Hello,

i'm trying to setup ssh certificates with a kubernetes hosted CA for an ec2 jumphost.
I'm following https://smallstep.com/blog/diy-single-sign-on-for-ssh/ as a guideline.
What i have done so far:

I created the necessary files for the secrets used by the Helmchart of stepCA locally.
I rewrote the path definitions in the files to match the structure in the container
I deployed the files as k8s secrets
I deployed the Helmchart
This is working so far.
I deployed the https://gist.github.com/tashian/fde43668cbf6e3227fb13ef51db650b8 script to the ec2 instance which i want to connect to via ssh certificates.

Now the Problem:
The script runs
step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
which yields:
The root certificate has been saved in /home/ubuntu/.step/certs/root_ca.crt.
The authority configuration has been saved in /home/ubuntu/.step/config/defaults.json.

This looks good to me.

But the next step step ssh config --roots > $(step path)/certs/ssh_user_key.pub
yields
error getting ssh public keys: client GET https://ca.example.com/ssh/roots failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

Can you give me a hint what i'm doing wrong?

Best regards

Answered by tashian

Jun 3, 2024

Looks like you've gotten pretty far along!

First thing I would check is the certificate validity on that endpoint.
Does the output of step certificate inspect https://ca.example.com --bundle give you a certificate bundle that chains back up to your root CA whose fingerprint is $CA_FINGERPRINT?
If you're using step-ca directly, it will match.
If you're using step-ca through a reverse proxy, it may not.
Since it's Kubernetes, I'm suspecting there's a proxy involved here.
If that's the case, see Proxying step-ca traffic for details on how to address the issue.

View full answer

tashian · 2024-06-03T20:30:10Z

tashian
Jun 3, 2024
Collaborator

Looks like you've gotten pretty far along!

First thing I would check is the certificate validity on that endpoint.
Does the output of step certificate inspect https://ca.example.com --bundle give you a certificate bundle that chains back up to your root CA whose fingerprint is $CA_FINGERPRINT?
If you're using step-ca directly, it will match.
If you're using step-ca through a reverse proxy, it may not.
Since it's Kubernetes, I'm suspecting there's a proxy involved here.
If that's the case, see Proxying step-ca traffic for details on how to address the issue.

0 replies

marcheyer · 2024-06-17T07:56:32Z

marcheyer
Jun 17, 2024
Author

Thank you @tashian i will procced here in a while. Unfortunatly i got a higher prioritized task i have to deal with for now.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

step ssh config --roots returns x509: certificate signed by unknown authority #1865

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

step ssh config --roots returns x509: certificate signed by unknown authority #1865

Uh oh!

marcheyer May 31, 2024

Replies: 2 comments

Uh oh!

tashian Jun 3, 2024 Collaborator

Uh oh!

marcheyer Jun 17, 2024 Author

marcheyer
May 31, 2024

tashian
Jun 3, 2024
Collaborator

marcheyer
Jun 17, 2024
Author