Containerized Self-Hosted ACME Server with Step-CA in Docker 🌱

What is Step-CA?

"[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH." (source: https://github.com/smallstep/certificates)

Installing Docker

  1. Log into the Linux based device
  2. Run the following commands in the terminal
    # install prerequisites
    sudo apt install apt-transport-https ca-certificates curl software-properties-common gnupg-agent -y
    # add docker gpg key
    curl -fsSL https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release)/gpg | sudo apt-key add -
    # add docker software repository
    sudo add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$(awk -F'=' '/^ID=/{ print $NF }' /etc/os-release) $(lsb_release -cs) stable"
    # install docker
    sudo apt install docker-ce docker-compose containerd.io -y
    # enable and start docker service
    sudo systemctl enable docker && sudo systemctl start docker
    # add the current user to the docker group
    sudo usermod -aG docker $USER
    # reauthenticate for the new group membership to take effect
    su - $USER

Running Step-CA Server

  1. Continue with the following commands in a terminal window
    # create a working directory
    mkdir ~/docker/step-ca -p
    # start the step-ca container
    # change the INIT_NAME and DNS_NAMES variables as needed
    docker run -d --name=step-ca -v ~/docker/step-ca:/home/step -p 9000:9000 -e DOCKER_STEPCA_INIT_NAME="i12bretro Certificate Authority" -e DOCKER_STEPCA_INIT_DNS_NAMES="$(hostname -f)" smallstep/step-ca
    # enable the acme provisioner
    docker exec -it step-ca step ca provisioner add acme --type ACME
    # restart the step-ca container
    docker restart step-ca

Automating Certificate Requests

  1. Log into the server needing to request a certificate
  2. Continue with the following commands in a terminal window
    # if on a remote server from the docker host, copy the root_ca.crt file
    scp <%user%>@<%dockerhostDNSorIP%>:~/docker/step-ca/certs/root_ca.crt ~/root_ca.crt
    # remove apt version of certbot if installed
    sudo apt remove certbot -y
    # install snapd
    sudo apt install snapd -y
    # install snap core and update
    sudo snap install core; sudo snap refresh core
    # install certbot snap
    sudo snap install --classic certbot
    # create certbot symbolic link
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    # request the certificate
    sudo REQUESTS_CA_BUNDLE=~/root_ca.crt certbot certonly --standalone -d <%host-DNS-name%> --server https://<%step-ca-docker-host%>:9000/acme/acme/directory
  3. When prompted, enter an email address and agree to the terms of service
  4. Choose whether to share your email and receive emails from certbot
  5. Certbot will output information regarding the location of the certificate files
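The root_ca.crt copied with scp above becomes the trust anchor for every certificate certbot obtains, so it is worth confirming that the file arrived intact and that the issued certificate really chains to it. The script below is an added example for this tutorial, not code from the tutorial or from smallstep. It assumes openssl is installed on the requesting server, that EXPECTED_FINGERPRINT holds the value printed on the Docker host by `docker exec step-ca step certificate fingerprint certs/root_ca.crt` (obtained out of band, not over the same scp channel), and that CERT_PATH points at the fullchain.pem certbot wrote; both variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify a copied
# step-ca root certificate and the certificate certbot issued from it.
# Assumes openssl is on PATH. EXPECTED_FINGERPRINT and CERT_PATH are
# names chosen for this example.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate as 64 lowercase hex
# characters, the same form `step certificate fingerprint` prints.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' \
        | tr 'A-F' 'a-f'
}

# Succeed only when the certificate's fingerprint equals the expected one.
# The expected value may be given in openssl's colon-separated uppercase
# form or in step's bare lowercase form; both are normalised first.
verify_ca_fingerprint() {
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check that the root is self-signed (issuer == subject, as a step-ca root
# is) and that the leaf chains to it. The fullchain.pem certbot writes
# also carries the step-ca intermediate, so the same file is passed as
# -untrusted to let openssl build the chain leaf -> intermediate -> root.
verify_chain() {
    root=$1
    leaf=$2
    root_subject=$(openssl x509 -in "$root" -noout -subject)
    root_issuer=$(openssl x509 -in "$root" -noout -issuer)
    [ "${root_subject#subject=}" = "${root_issuer#issuer=}" ] || return 1
    openssl verify -CAfile "$root" -untrusted "$leaf" "$leaf" >/dev/null 2>&1
}

# Usage on the requesting server, after the scp and certbot steps:
#   EXPECTED_FINGERPRINT=<value from the CA host> \
#   CERT_PATH=/etc/letsencrypt/live/<host-DNS-name>/fullchain.pem \
#   sh verify-ca.sh
# Nothing runs unless EXPECTED_FINGERPRINT is set, so the functions above
# can also be sourced from other scripts.
if [ -n "${EXPECTED_FINGERPRINT:-}" ]; then
    if verify_ca_fingerprint "$HOME/root_ca.crt" "$EXPECTED_FINGERPRINT"; then
        echo "root_ca.crt fingerprint OK"
    else
        echo "root_ca.crt does NOT match the expected fingerprint; do not trust it" >&2
        exit 1
    fi
    if [ -n "${CERT_PATH:-}" ] && [ -f "$CERT_PATH" ]; then
        if verify_chain "$HOME/root_ca.crt" "$CERT_PATH"; then
            echo "$CERT_PATH chains to root_ca.crt"
        else
            echo "$CERT_PATH does NOT chain to root_ca.crt" >&2
            exit 1
        fi
    fi
fi
```

Comparing the fingerprint rather than the file contents means the value can be read aloud, pasted from a ticket, or pinned in configuration management; a mismatch is the signal to stop and re-fetch the root rather than point certbot at it.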

Documentation: https://hub.docker.com/r/smallstep/step-ca

Sources: https://certbot.eff.org/instructions?ws=other&os=debianbuster
https://smallstep.com/docs/tutorials/acme-challenge/