step ssh config x509: certificate signed by unknown authority #984
-
|
I am following the step mentioned on https://smallstep.com/blog/diy-single-sign-on-for-ssh/ $ step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
The root certificate has been saved in /root/.step/certs/root_ca.crt.
Your configuration has been saved in /root/.step/config/defaults.json.is working fine but step $ step ssh config --roots
error getting ssh public keys: client GET https://ca.stagingsimpl.com/ssh/roots failed: Get "https://ca.stagingsimpl.com/ssh/roots": x509: certificate signed by unknown authoritymy CA instance is behind an Application load balancer |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Hi @praveenraghav01, Are you using L4 or L7 load balancing on your application load balancer? A likely cause for the error you're seeing is that the load balancer is using a certificate not signed by your step-ca root CA. The If you need load balancing, we generally advise to use L4 load balancing, so that TLS is terminated by If L4 load balancing is not an option, you could look into providing the load balancer a certificate signed by your root CA, so that |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the help using L4 load balancing helps |
Beta Was this translation helpful? Give feedback.
Hi @praveenraghav01,
Are you using L4 or L7 load balancing on your application load balancer? A likely cause for the error you're seeing is that the load balancer is using a certificate not signed by your step-ca root CA. The
stepCLI verifies certificate chains using the root CA cert stored in/root/.step/certs/root_ca.crt, which it fails to do now. Thebootstrapcommand works, because it intentionally connects using a non-TLS HTTP connection.If you need load balancing, we generally advise to use L4 load balancing, so that TLS is terminated by
step-caand not by the load balancer. Some more information about that is available here: https://smallstep.com/docs/step-ca/certificate-authorit…