I have a running step-ca server on a Fedora VM (v0.28.3) compiled from source to support a YubiKey. I want to update to the latest v0.30.2, but while it appears to be compiling properly, I can't connect when I try curl https://mycertserver/acme/acme/directory on another machine. systemctl shows step-ca as active and running, and my root and intermediate certs and the ca.json files appear unchanged. What is the proper way to update step-ca when compiling from source? Not sure what I'm missing since a previous answer said to just follow the regular installation instructions, which I did and everything would just work.

Also, devs, are there any plans to just include HSM support in the precompiled binaries or even maybe have a repo for dnf/apt?
Hi @agarlow23,

Do you get any logs at all when you hit the endpoint? Every ACME request will result in several log lines, so if you're not getting anything at all, then it sounds like a network, firewall, or other OS-related issue that's preventing the request from reaching step-ca.

As for the HSM build of step-ca, some of our OS maintainers do build step-ca with HSM support into their packages. Another option: Though we don't push HSM builds to our GitHub, we do push HSM builds to Docker Hub. If you look at the

Hope this helps

Carl
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca
I also ran restorecon and chmod a+x just to let anyone reading in the future know exactly what I did.
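
A post-upgrade check built around the three steps in the comment above (setcap, restorecon, chmod), as an added example that is not from the thread or the step-ca project. It assumes the rebuilt binary replaced the old file and that the CA listens on a port below 1024; `has_bind_cap` and `check_binary` are hypothetical helper names.

```shell
#!/bin/sh
# Post-upgrade check for a rebuilt step-ca binary (added example).
# File capabilities live in the file's security.capability xattr, so a
# freshly installed binary has none until setcap is run on it again.

# has_bind_cap GETCAP_LINE
# Succeeds when the line grants cap_net_bind_service with both the
# effective (e) and permitted (p) flags. Accepts both getcap layouts:
#   /path cap_net_bind_service=eip      (newer libcap)
#   /path = cap_net_bind_service+eip    (older libcap)
has_bind_cap() {
    for word in $1; do
        case "$word" in
            *cap_net_bind_service*[=+]*)
                flags="${word##*[=+]}"      # text after the last '=' or '+'
                case "$flags" in *e*) ;; *) return 1 ;; esac
                case "$flags" in *p*) ;; *) return 1 ;; esac
                return 0 ;;
        esac
    done
    return 1
}

# check_binary PATH
# Reports which of the three post-install steps still needs doing.
check_binary() {
    rc=0
    [ -x "$1" ] || { echo "FAIL: $1 missing or not executable (chmod a+x)"; rc=1; }
    if command -v getcap >/dev/null 2>&1; then
        has_bind_cap "$(getcap "$1" 2>/dev/null)" ||
            { echo "FAIL: cap_net_bind_service not set; re-run setcap on $1"; rc=1; }
    else
        echo "WARN: getcap not found, capability not checked"
    fi
    if command -v restorecon >/dev/null 2>&1; then
        # -n changes nothing, -v prints what would be relabelled
        out=$(restorecon -nv "$1" 2>/dev/null) || true
        [ -z "$out" ] || { echo "FAIL: SELinux label differs from policy: $out"; rc=1; }
    fi
    return $rc
}

# Run the check only when a path is given, e.g.:
#   sh check-step-ca.sh /usr/local/bin/step-ca
if [ "$#" -gt 0 ]; then check_binary "$1"; fi
```
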