Setup Traefik, ACME using Smallstep

Karanbir Singh
6 min read, Jan 18, 2023


Winter holidays are a great time to sit back and relax. As devs, though, we have our minds running all the time. Interestingly, I got a challenge related to mTLS during the Christmas 2022 break, and while looking into it on the internet I came across Smallstep. By their own definition, Smallstep is Automated Certificate Management for DevOps (devs).

Smallstep provides a good number of ways to obtain certificates. ACME is one of them, and probably the best one. I had previously hosted Traefik using ACME + Let's Encrypt to obtain certificates for the Host rules configured on Traefik's routers.

In this article I will be using Traefik + ACME + Smallstep (instead of Let's Encrypt) to make things HTTPS end to end.

Prerequisites:-

  • basic knowledge of DNS.
  • a real use case, such as microservices, mTLS, proxying, HTTPS, etc.
  • a reasonably capable machine.
  • working knowledge of certificates, keys, etc.
  • a Smallstep free account with an ACME provisioner set up.
  • admin access to install a few CLI tools, etc.

Setting up Smallstep: sign up on Smallstep and follow the steps below:-

1. Select ACME as the Authority type.

2. Set up the Authority details.

- Set the name of the CA that will show up in the CA chain.
- Set the desired subdomain.
- The DevOps authority type is free, one per account.

3. Set up the Registration Authority. Fill in the fields based on your setup.

The following three properties can be changed based on your own setup:
- Name: the name of the registration authority.
- Address: the local address (host:port) on which the RA server will listen.
- DNS names: all the DNS names under which the RA will be reachable (they go into the RA's own server certificate, so clients must use one of them).

4. Set up the ACME provisioner.

Set the ACME claims as per your setup.
- minimum duration: 5 minutes is handy for short-lived certificates while testing.

5. Create a configuration token and authorize when prompted.

6. Set up the step CLI and start the step-ca server locally in RA (Registration Authority) mode.

Setting up the CLI:-

  • on macOS the setup is straightforward using brew:
brew install step
  • on Windows, download the step and step-ca release archives from GitHub, extract the executables, place them wherever you like on the PC, and add that location to the PATH variable.

The command (hidden in the original screenshot) is similar to the one below:-

step-ca --token <a long token> --issuer-password-file <(echo some_password)
  • keep this token handy for later.
  • some_password is unique to you and your account; save it too. Note that <(echo some_password) puts the password on the command line, where it ends up in your shell history; a file containing only the password, created with mode 0600 and passed as --issuer-password-file /path/to/that/file, avoids that.

If you have a DNS server that satisfies your resolution needs, append it like below:-

step-ca --token <a long token> --issuer-password-file <(echo some_password) --resolver="127.0.0.1:53"

On the Windows command prompt the <(echo some_password) process substitution does not work. In that case run the command as below, and you will be prompted to enter the password:-

step-ca --token <a long token> --resolver="127.0.0.1:53"

If the command succeeds, you will see output like the following:-

badger 2023/01/17 09:32:53 INFO: All 1 tables opened in 4ms
badger 2023/01/17 09:32:53 INFO: Replaying file id: 0 at offset: 31150
badger 2023/01/17 09:32:53 INFO: Replay took: 56.241µs
2023/01/17 09:34:23 Starting Smallstep CA/0.23.0 (darwin/amd64)
2023/01/17 09:34:23 Documentation: https://u.step.sm/docs/ca
2023/01/17 09:34:23 Community Discord: https://u.step.sm/discord
2023/01/17 09:34:23 Current context: localhost
2023/01/17 09:34:23 Config file: loaded from token
2023/01/17 09:34:23 The primary server URL is https://localhost:3443
2023/01/17 09:34:23 Root certificates are available at https://localhost:3443/roots.pem
2023/01/17 09:34:23 Additional configured hostnames: localhost, <other hosts>
2023/01/17 09:34:23 X.509 Root Fingerprint: <your fingerprint>
2023/01/17 09:34:23 Serving HTTPS on :3443 ..

Setting up Traefik

- download a recent release from Traefik's GitHub releases page.
- pick the build that matches your machine and put the executable on PATH; the exact steps depend on your own setup.

traefik.yml, the main (static) configuration file:-

# traefik.yml file (static configuration)
accessLog:
  bufferingSize: 100
  filePath: log-access.log
api:
  dashboard: true
  debug: true
entryPoints:
  # plain HTTP, listening on port 80 (used for the ACME HTTP-01 challenge and for redirects)
  web:
    address: ":80"
    forwardedHeaders:
      insecure: true # trusts X-Forwarded-* headers from any client; fine on a laptop, not behind a real edge
  # TLS, listening on port 443
  websecure:
    address: ":443"
log:
  filePath: log-file.log
  level: DEBUG
providers:
  file:
    filename: provider.yml # the provider file is shared below
serversTransport:
  insecureSkipVerify: true # disables TLS verification of backends; acceptable only in a local lab
certificatesResolvers:
  local:
    acme:
      caServer: https://localhost:3443/acme/acme/directory # match the port the RA printed at startup; "acme" is the provisioner name
      storage: acme.json # created automatically by Traefik; it holds private keys, so keep it mode 0600
      httpChallenge:
        entryPoint: web

provider.yml, the (dynamic) provider configuration file:-

http:
  routers:
    # plain-HTTP router: redirects everything to HTTPS
    dashboard:
      rule: "Host(`localhost`)" # based on the DNS it could be anything
      service: "noop@internal"
      entryPoints:
        - "web"
      middlewares:
        - "secured-redirect"
    # HTTPS router serving the dashboard with the certificate obtained via ACME
    dashboard-secured:
      entryPoints:
        - "websecure"
      rule: "Host(`localhost`)" # based on the DNS it could be anything
      service: "api@internal" # served to anyone who can reach :443; add an auth middleware outside a lab
      tls:
        certResolver: "local"
        domains:
          - main: "localhost" # based on the DNS it could be anything
  middlewares:
    # the original referenced secured-redirect without defining it; Traefik refuses to serve a router
    # whose middleware does not exist, so the HTTP-to-HTTPS redirect needs this definition
    secured-redirect:
      redirectScheme:
        scheme: https
        permanent: true

(The log section that appeared at the end of this file in the original is static configuration; it belongs in traefik.yml, where it is already set, so it is dropped here.)
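The configuration above trades three safety checks for convenience: serversTransport.insecureSkipVerify: true stops Traefik from verifying the TLS certificates of the backends it proxies to, forwardedHeaders.insecure: true lets any client set X-Forwarded-* headers, and the dashboard router serves api@internal with no authentication. The pair of files below is an added example, not from the original post, showing the same setup with those settings corrected. It assumes root_ca.crt (fetched with step ca bootstrap) sits next to traefik.yml and that the dashboard password hash is generated with htpasswd -nB; the middleware name dashboard-auth is mine. Separately, Traefik's ACME client must trust the RA's own TLS certificate when it fetches the directory from https://localhost:3443: installing the root with step certificate install (covered later in the post) does that, and so does pointing the LEGO_CA_CERTIFICATES environment variable at root_ca.crt before starting Traefik.

```yaml
# traefik.yml (static configuration): the same setup with the permissive settings corrected.
# Assumes root_ca.crt from `step ca bootstrap` is next to this file.
accessLog:
  bufferingSize: 100
  filePath: log-access.log
api:
  dashboard: true            # debug: true dropped; it is only useful while developing
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:            # was `insecure: true`; only these sources may set X-Forwarded-*
        - "127.0.0.1/32"
  websecure:
    address: ":443"
log:
  filePath: log-file.log
  level: INFO                # DEBUG is noisy; turn it on only while troubleshooting
providers:
  file:
    filename: provider.yml
serversTransport:
  rootCAs:                   # was `insecureSkipVerify: true`; backends that speak TLS are now verified
    - ./root_ca.crt          # against the Smallstep root, so their certificates must come from it too
certificatesResolvers:
  local:
    acme:
      caServer: https://localhost:3443/acme/acme/directory
      storage: acme.json     # Traefik creates this mode 0600; it holds the private keys, keep it that way
      httpChallenge:
        entryPoint: web
---
# provider.yml (dynamic configuration)
http:
  routers:
    dashboard:
      rule: "Host(`localhost`)"
      entryPoints: ["web"]
      service: "noop@internal"
      middlewares: ["secured-redirect"]
    dashboard-secured:
      rule: "Host(`localhost`)"
      entryPoints: ["websecure"]
      service: "api@internal"
      middlewares: ["dashboard-auth"]   # the original served api@internal with no authentication
      tls:
        certResolver: "local"
  middlewares:
    secured-redirect:
      redirectScheme:
        scheme: https
        permanent: true
    dashboard-auth:
      basicAuth:
        users:
          - "admin:<bcrypt hash>"       # placeholder; generate with `htpasswd -nB admin`
```

With rootCAs set, a backend whose certificate was not issued by the Smallstep CA will fail with a TLS error in the Traefik log instead of being silently accepted, which is exactly the signal you want when the goal is end-to-end HTTPS.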

The command to boot Traefik is as below (I ran it from the folder where the Traefik executable was placed):-

./traefik --configfile=./traefik.yml

If the config and setup are all good, with no VPN/proxy issues, acme.json will be populated with certificates issued through the ACME registration authority running locally, which in turn is paired with the CA we configured on Smallstep.

Open https://localhost; the Traefik dashboard should be available.

Ultimately the website/services will be up on HTTPS with the least pain.
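Once Traefik has populated acme.json, it is worth checking that what it stored is actually a certificate chained to your Smallstep root and not something another ACME endpoint handed out. The Go program below is an added example, not from the original post, Traefik or Smallstep: it reads Traefik's acme.json layout, decodes the base64-encoded PEM chain of each stored certificate, and verifies it against a root certificate you supply. To run offline it constructs its own root, intermediate and leaf (constructed sample data; the CA names and the function names are mine). Point VerifyACMEStore at the real acme.json and the root_ca.crt from step ca bootstrap to check a live setup; a chain from any other CA, an expired leaf, or malformed JSON comes back as an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Minimal view of Traefik's acme.json: {"<resolver>": {"Certificates": [{"domain": {"main": ...}, "certificate": "<base64 PEM chain>"}]}}
type storedCert struct {
	Domain      struct{ Main string `json:"main"` } `json:"domain"`
	Certificate string                              `json:"certificate"`
}
type acmeStore map[string]struct {
	Certificates []storedCert `json:"Certificates"`
}

// CertReport summarises one verified certificate: who issued it and how long it has left.
type CertReport struct {
	Domain, Issuer string
	DaysLeft       int
}

// VerifyACMEStore decodes every certificate stored under every resolver and checks that its chain ends in
// trustedRoot for its own domain at time now. Any other CA, an expired leaf or malformed JSON is an error.
func VerifyACMEStore(acmeJSON []byte, trustedRoot *x509.Certificate, now time.Time) ([]CertReport, error) {
	var store acmeStore
	if err := json.Unmarshal(acmeJSON, &store); err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	var reports []CertReport
	for _, entry := range store { // one entry per certificatesResolvers name, e.g. "local"
		for _, sc := range entry.Certificates {
			raw, err := base64.StdEncoding.DecodeString(sc.Certificate)
			if err != nil {
				return nil, err
			}
			block, rest := pem.Decode(raw) // first PEM block is the end-entity cert, the rest are intermediates
			if block == nil {
				return nil, fmt.Errorf("%s: no PEM certificate in store entry", sc.Domain.Main)
			}
			leaf, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			inter := x509.NewCertPool()
			inter.AppendCertsFromPEM(rest)
			_, err = leaf.Verify(x509.VerifyOptions{DNSName: sc.Domain.Main, Roots: roots, Intermediates: inter, CurrentTime: now})
			if err != nil {
				return nil, fmt.Errorf("%s: %w", sc.Domain.Main, err)
			}
			reports = append(reports, CertReport{sc.Domain.Main, leaf.Issuer.CommonName, int(leaf.NotAfter.Sub(now).Hours() / 24)})
		}
	}
	return reports, nil
}

// newCert signs tmpl under parent with parentKey (self-signed when parent is nil). Sample-data helper only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildSampleStore constructs an acme.json holding a root -> intermediate -> leaf chain (the shape a
// Smallstep issuance has) and returns it with its root. Constructed sample data, not a real CA's output.
func BuildSampleStore(domain string, now time.Time) ([]byte, *x509.Certificate) {
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}
	}
	root, rootKey := newCert(ca(1, "Example Root CA"), nil, nil)
	inter, interKey := newCert(ca(2, "Example Intermediate CA"), root, rootKey)
	leaf, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	var chain []byte // leaf first, then the intermediate, as one PEM bundle (Traefik's layout)
	for _, c := range []*x509.Certificate{leaf, inter} {
		chain = append(chain, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	sc := storedCert{Certificate: base64.StdEncoding.EncodeToString(chain)}
	sc.Domain.Main = domain
	js, _ := json.Marshal(acmeStore{"local": {Certificates: []storedCert{sc}}})
	return js, root
}

func main() {
	js, root := BuildSampleStore("localhost", time.Now())
	fmt.Println(VerifyACMEStore(js, root, time.Now())) // prints the report and a nil error
}
```

The check deliberately passes the stored domain as DNSName, so a certificate issued for a name other than the router's Host rule is rejected as well; swapping in a different root (as the test does) reproduces the "certificate signed by unknown authority" failure you would see if caServer pointed at the wrong CA.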

Other important configuration-related commands are:-

Bootstrap the CA locally; this fetches the root certificate and the default client configuration:

step ca bootstrap --ca-url=https://localhost:3443 --fingerprint=random_string_replace_with_your_fingerprint

The output will be like:-

The root certificate has been saved in <location>\root_ca.crt.
The authority configuration has been saved in <location>\defaults.json.
The profile configuration has been saved in <location>\defaults.json.

Install the root CA certificate in the system's truststore (provide the password or approval wherever required):

step certificate install .\root_ca.crt

Update the JWK provisioner's claim durations using the command below. In RA mode the local ACME provisioner gets its certificates signed through this JWK provisioner on the hosted CA, so its minimum, default and maximum durations bound the lifetime of every certificate the RA hands out:

step ca provisioner update acme-ra-jwk-<unique> --x509-min-dur=0h10m0s --x509-default-dur=4380h1m0s --x509-max-dur=9490h1m0s --ca-url=https://<sub_domain>.<org>.ca.smallstep.com

For the above command to run successfully you will be prompted to log in.
- select the OIDC option.
- you will be redirected to the browser. If you are already logged in to your Smallstep account, just click Authorize.
- otherwise, fill in your credentials and authorize.

Copy the provisioner's unique ID and the CA URL from the Authorities page on Smallstep (shown in the original screenshot).

You can reach me over LinkedIn for any questions and queries.
