SmallStep and Traefik Integration Architecture

Karanbir Singh
Jan 18, 2023

Smallstep is an awesome tool for sure. This blog post notes down my understanding of it and shares that back with the community.

Smallstep, one-liner definition

It is automated certificate management for DevOps.

It helps issue and renew certificates for your tools and workloads, using well-known protocols such as ACME and OIDC.

Components used for exploration:

  1. A Smallstep CA account, leveraging their cloud-based CA.
  2. A local step-ca server running in RA (Registration Authority) mode, on port :3443 on my local machine.
  3. Traefik, which has an ACME client built in, running locally on :80 and :443 as a proxy server.
  4. A DNS server such as CoreDNS (for Windows) or dnsmasq (for Mac), required for hostname resolution, or hosts file entries (which won't support wildcards).

What happens?

Each step below corresponds to the number in the diagram.

  1. Traefik has a route configured with some host, e.g. example.com, that routes to a downstream service or anything else.
    It is configured to call the ACME server on :3443, which is part of the local machine or local network (in case multiple machines are involved).
  2. Traefik internally raises a request for the certificate to the RA running on :3443.
  3. The RA (running on :3443) hits the DNS to validate the DNS details (without a DNS or HTTP challenge it won't work).
  4. The RA passes the request on to the cloud-based CA (certificate authority), to which step-ca authenticates internally.
  5. If all is OK, the CA validates the request and returns the signed certs (certs signed by the intermediate/root CAs).
  6. The signed certificates are relayed back to Traefik (the original cert requester), and Traefik stores them locally.

After this, if a user (you, in your case) on the local machine tries to access example.com, it will be served over HTTPS, and all of this is achieved almost
automatically for you by Traefik + Smallstep.
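The following is an added example of what the Traefik side of this flow looks like in configuration; it is not taken from the original post or from the Smallstep or Traefik projects. It assumes the local step-ca RA exposes an ACME provisioner named `acme` on :3443, that the downstream service listens on 127.0.0.1:8080, and that the hostnames, e-mail and file paths are placeholders you would replace. Both Traefik files are shown in one YAML listing, separated by document markers.

```yaml
# file: traefik.yml (static configuration, assumed layout)
entryPoints:
  web:
    address: ":80"        # step 3: the RA reaches this port for the HTTP-01 challenge
  websecure:
    address: ":443"       # where the issued certificate is served

providers:
  file:
    directory: /etc/traefik/dynamic   # assumed path for the router/service file below

certificatesResolvers:
  smallstep:              # name referenced by the router's tls.certResolver
    acme:
      # step 2: Traefik's built-in ACME client talks to the local RA, not to Let's Encrypt.
      # The ACME directory URL form for step-ca is https://<host>/acme/<provisioner>/directory;
      # "acme" is the assumed provisioner name.
      caServer: https://localhost:3443/acme/acme/directory
      email: admin@example.com            # placeholder
      storage: /etc/traefik/acme.json     # step 6: issued certs are stored here; Traefik expects mode 0600
      httpChallenge:
        entryPoint: web                   # DNS for example.com must resolve to this Traefik host

---
# file: /etc/traefik/dynamic/example.yml (dynamic configuration, assumed layout)
http:
  routers:
    example:
      rule: "Host(`example.com`)"         # step 1: the route that triggers certificate issuance
      entryPoints:
        - websecure
      service: example-svc
      tls:
        certResolver: smallstep
  services:
    example-svc:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:8080    # assumed downstream
```

Two practical points follow from the architecture above. First, Traefik's ACME client has to trust the chain that the RA presents on :3443, which is a private root rather than a public one; Traefik's client reads extra trust roots from the `LEGO_CA_CERTIFICATES` environment variable, so point it at the step-ca root certificate file before starting Traefik. Second, this example uses the HTTP-01 challenge, which means the RA must be able to resolve example.com to the Traefik host (the DNS component from the list above) and reach it on port 80; a wildcard certificate would instead require the DNS-01 challenge, which is why a plain hosts file entry is not enough for wildcards.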

For details on the setup, refer to the other post.
