step ssh config x509: certificate signed by unknown authority #984
I am following the step mentioned on https://smallstep.com/blog/diy-single-sign-on-for-ssh/

```
$ step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
The root certificate has been saved in /root/.step/certs/root_ca.crt.
Your configuration has been saved in /root/.step/config/defaults.json.
```

is working fine but step

```
$ step ssh config --roots
error getting ssh public keys: client GET https://ca.stagingsimpl.com/ssh/roots failed: Get "https://ca.stagingsimpl.com/ssh/roots": x509: certificate signed by unknown authority
```

My CA instance is behind an Application load balancer.
Replies: 1 comment 1 reply
Hi @praveenraghav01,

Are you using L4 or L7 load balancing on your application load balancer? A likely cause for the error you're seeing is that the load balancer is using a certificate not signed by your step-ca root CA. The `step` CLI verifies certificate chains using the root CA cert stored in `/root/.step/certs/root_ca.crt`, which it fails to do now. The `bootstrap` command works, because it intentionally connects using a non-TLS HTTP connection.

If you need load balancing, we generally advise to use L4 load balancing, so that TLS is terminated by `step-ca` and not by the load balancer. Some more information about that is available here: https://smallstep.com/docs/step-ca/certificate-authorit…

If L4 load balancing is not an option, you could look into providing the load balancer a certificate signed by your root CA, so that
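The trust failure described in the reply above can be reproduced offline with Go's `crypto/x509`. This is an added example, not code from the thread or from the `step` project. The hostname `ca.example.test`, both CA names and all certificates are constructed in memory: one root stands in for `root_ca.crt`, and a second, unrelated CA stands in for whatever issued the load balancer's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a self-signed CA when parent is nil, else a server cert for hostname cn.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tpl, key
	} else {
		tpl.DNSNames = []string{cn}
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// demo verifies two server certs against a pool holding only the constructed step-ca root.
func demo() (direct, viaLB error) {
	root, rootKey := issue("constructed step-ca root", nil, nil)
	other, otherKey := issue("constructed unrelated CA", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(root) // stands in for /root/.step/certs/root_ca.crt
	opts := x509.VerifyOptions{Roots: pool, DNSName: "ca.example.test"}
	caLeaf, _ := issue("ca.example.test", root, rootKey)   // TLS terminated by the CA itself (L4)
	lbLeaf, _ := issue("ca.example.test", other, otherKey) // TLS terminated by the load balancer (L7)
	_, direct = caLeaf.Verify(opts)
	_, viaLB = lbLeaf.Verify(opts)
	return
}

func main() { fmt.Println(demo()) }
```

The second result carries the same `x509: certificate signed by unknown authority` text as the error in the question, because the presented certificate does not chain to the only root in the pool.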