No way to get dockerized step-ca up and running after issuing new CA authority

[BHuck74]

Dear all,

I’ve been trying for days to get step-ca working with docker without success…

The init process is working well and my stack is coming up.

Next, I followed this procedure like for like to get RSA keys :

Immediately after issuing the procedure I get the following recurring container log:

2024/09/17 10:11:02 /usr/local/go/src/net/http/server.go:3416: http: TLS handshake error from 127.0.0.1:36294: remote error: tls: bad certificate

After restarting the container, logs are looping on the following message:

badger 2024/09/17 10:14:35 INFO: All 1 tables opened in 1ms
badger 2024/09/17 10:14:35 INFO: Replaying file id: 0 at offset: 6663
badger 2024/09/17 10:14:35 INFO: Replay took: 352.254µs
error decrypting /home/step/secrets/intermediate_ca_key: x509: decryption password incorrect

I also tried to change /home/step/secrets/password with the password I provided for the root CA. No change.

I've also tried adding the "password": "XXX" in the ca.json file. Not better either.

I definitely must have missed something but at that stage, I’m stuck.

Here is my docker-compose (I didn’t modify the configuration to use mysql so far).

version: '3.7'
x-step-ca: &step-ca_environment
  DOCKER_STEPCA_INIT_NAME: 'Test-CA'
  DOCKER_STEPCA_INIT_DNS_NAMES: ‘XXX, XXX’
  DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: true
  DOCKER_STEPCA_INIT_SSH: true
  DOCKER_STEPCA_INIT_PROVISIONER_NAME: 'ca-admin'
  TZ: 'Europe/Paris'

x-step-db: &step-db_environment
  MYSQL_DATABASE: step-ca
  MYSQL_USER: step-ca-user
  MYSQL_PASSWORD: ‘XXX’
  MYSQL_ROOT_PASSWORD: ‘XXX’
  TZ: 'Europe/Paris'

services:
  step-ca-server:
    image: smallstep/step-ca:latest
    container_name: step-ca
    restart: unless-stopped
    user: root
    environment: *step-ca_environment
    volumes:
      - '/mnt/docker/step-ca:/home/step'
    networks:
      - step-ca-network
    ports:
      - '9000:9000'
    depends_on:
      - db

  db:
    image: mysql:9.0
    container_name: step-db
    restart: unless-stopped
    volumes:
      - '/mnt/docker/step-ca/mysql:/var/lib/mysql'
    environment: *step-db_environment
    mem_limit: 512M   # Limit the container to 512MB of memory
    cpus: "1.0"       # Limit the container to 1 CPU core
    networks:
      - step-ca-network

networks:
  step-ca-network:
    driver: bridge

Can someone provide me some insight?

Cheers

Edit :

When putting the intermediate CA password in /home/step/secrets/password as stated somewhere, then the error changes:

error decrypting /home/step/secrets/ssh_host_ca_key: x509: decryption password incorrect

[tashian]

When putting the intermediate CA password in /home/step/secrets/password as stated somewhere, then the error changes:
error decrypting /home/step/secrets/ssh_host_ca_key: x509: decryption password incorrect

That's great. You were able to decrypt the intermediate CA with the password file. But, now, the SSH CA is not decrypting.

By default, when you initialize a PKI and create an SSH CAs, it will use the same encryption password for both the X.509 intermediate CA key and the SSH CA keys.

In your case, you have a situation where the intermediate CA and SSH CA key passwords differ.

To fix it, you'll need another password file that contains the password for your SSH CA keys.
Create that file, and pass --ssh-host-password-file=file and --ssh-user-password-file=file flags when starting step-ca.

Alternatively, you could change your SSH CA key passwords so that they match the X.509 CA password.

[BHuck74]

Thank you very much for taking the time to respond to me so quickly.

Ok, make sense. I didn't know neither read that...

Yesterday I tried without passing DOCKER_STEPCA_INIT_SSH: trueand indeed the container started successfully.

I will give it a try as soon as possible.