Use Step CA as an ACME server? #55
Comments
When I started this project in 2018, Step CA ACME did not exist yet. It's only become available about a year ago or so. Thanks for the comparison, I haven't come around myself to trying it out. Sounds like you should stick to Step CA 😄
Boulder sucks but LabCA is great... Most of my ACME clients are connected to LabCA, only when Boulder fails to do the job, I redirect the client to Step CA. So at the moment I have both LabCA and Step CA running.
Having LabCA with Step CA would be great. I looked at your code but replacing Boulder with Step CA is beyond my skills (I know nothing about Go, very little about Docker).
I did a bit of research on Step CA. You may find it useful in case you are considering Step CA. The good news:
The bad news:
If you plan to add new features to LabCA, it makes little sense to stick with Boulder. For example, if you want to renew / replace Root and Issuer CA certificates with Boulder, you need to do that manually with openssl (= danger of misconfiguration). With Step CA, (re)placing the root is easy with one command (step ca init). On the other side, the missing SQL backend is a dealbreaker at the moment.... So my humble suggestion would be: wait with new LabCA features. Switch to Step CA once they merge their SQL backend into open source?
Actually, it turns out the current MySQL database is already quite usable! I have made a standalone version of the LabCA GUI that can work with the step-ca database to show the ACME information. The .deb is on the latest release page. More info here. I haven't bothered with BadgerDB, the limitation of only one process accessing it at the same time is just horrible. I quickly tried integrating the revocation of certificates, but automating that is however not so easy. On the command line you either manually need to select the provisioner and provide the password, or provide a token for which you also need to select the provisioner and provide the password? Looking at the API documentation I haven't solved that issue. But I guess if you have this GUI you can easily look up the serial of the certificate that you want to revoke and then do it with the step cli.
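The comment above ends with "look up the serial, then revoke with the step cli". The following is an added example (editor's code, not LabCA's or step-ca's) showing the two pieces a practitioner needs for that: pulling the serial out of a leaf certificate in the decimal form the `step ca revoke` positional argument takes (GUIs and `openssl x509 -text` usually show it as colon-separated hex, so both renderings are produced), and building the argv for the two non-interactive revocation paths. The flag names (`--cert`/`--key`, `--provisioner`, `--provisioner-password-file`, `--ca-url`, `--root`) are taken from the step CLI as I know it and are an assumption here; check them against `step ca revoke --help` for your version. The certificate is generated in memory as constructed sample input; the hostnames and file paths are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SerialFromPEM parses a PEM-encoded certificate and returns its serial number.
// serial.String() gives the decimal form that `step ca revoke <serial>` expects
// (assumption about the CLI, see the lead-in).
func SerialFromPEM(certPEM []byte) (*big.Int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	return cert.SerialNumber, nil
}

// HexSerial renders a serial as colon-separated uppercase hex, the way most
// GUIs and `openssl x509 -text -noout` display it. Useful when matching a
// serial shown in a web UI against the decimal value the CLI wants.
func HexSerial(serial *big.Int) string {
	b := serial.Bytes()
	if len(b) == 0 {
		b = []byte{0}
	}
	parts := make([]string, len(b))
	for i, c := range b {
		parts[i] = fmt.Sprintf("%02X", c)
	}
	return strings.Join(parts, ":")
}

// RevokeWithOwnKeyArgs builds argv for revoking a certificate using its own
// key: no provisioner selection and no provisioner password are needed, which
// sidesteps the interactive prompts the comment above describes. Flags are an
// assumption about the step CLI.
func RevokeWithOwnKeyArgs(certPath, keyPath, caURL, rootPath string) []string {
	return []string{"step", "ca", "revoke",
		"--cert", certPath, "--key", keyPath,
		"--ca-url", caURL, "--root", rootPath}
}

// RevokeBySerialArgs builds argv for revoking by serial when only the serial
// is known (e.g. from the GUI). The provisioner password is read from a file
// so the command can run unattended. Flags are an assumption about the step CLI.
func RevokeBySerialArgs(serial *big.Int, provisioner, passwordFile, caURL, rootPath string) []string {
	return []string{"step", "ca", "revoke", serial.String(),
		"--provisioner", provisioner,
		"--provisioner-password-file", passwordFile,
		"--ca-url", caURL, "--root", rootPath}
}

// newTestCertPEM generates a throwaway self-signed certificate with a random
// 127-bit serial. Constructed sample input standing in for a step-ca leaf.
func newTestCertPEM() ([]byte, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "test.lab.example"}, // placeholder
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), serial, nil
}

func main() {
	certPEM, _, err := newTestCertPEM()
	if err != nil {
		panic(err)
	}
	serial, err := SerialFromPEM(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("decimal (for step ca revoke):", serial.String())
	fmt.Println("hex (as shown by GUIs):      ", HexSerial(serial))
	fmt.Println(strings.Join(RevokeWithOwnKeyArgs("leaf.crt", "leaf.key", "https://ca.lab.example:9000", "root_ca.crt"), " "))
	fmt.Println(strings.Join(RevokeBySerialArgs(serial, "acme", "/etc/step/provisioner.pass", "https://ca.lab.example:9000", "root_ca.crt"), " "))
}
```

The own-key path is the one to prefer for automation, since the revoking party only needs the leaf and its key and no provisioner secret has to be stored on the host doing the revocation.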
Thanks a lot! I tried to run the standalone version and got an error:
Some hard-coded path in the binary?
Hmm, there was a small bug in determining if the embedded templates should be used or the templates from a directory. Should be fixed now in the latest release (v22.09.1).
Hi, just want to say that it works! Thanks a lot! I have some minor issues with web server paths: certificate details
and account details
same with authz, orders and challenges details. The webpage loads but without CSS styles and stuff.
Run as systemd service, works for me (please double check):
For posterity and an update, step-ca is a FOSS-washing commercial project where useful features are locked away behind a paywall deliberately.
OK, I know you have invested a lot into Boulder. But still, I would like to start the discussion...
A couple of hours ago I did my very first installation of Step CA as an ACME server. It was actually much easier than expected (follow this guide).
So now I have both Boulder (LabCA) and Step CA, each within its own LXC. And a bunch of ACME clients to test them. Some quick comparison of Step CA over Boulder: