
Follower mode installation

Leader required

If the Anapaya SCION CA is deployed in follower mode, the host does not actively rotate the CA certificates. Instead, it provisions the CA certificates and private keys that the leader generates to step-ca. When deploying the Anapaya SCION CA in follower mode, the leader must already be deployed and running.

Before you can deploy the Anapaya SCION CA in follower mode, make sure that you have followed the preparation instructions.

Configure step-ca

Prepare the necessary directories with the correct ownership and permissions:

sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/step
sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/step/certs
sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/step/config
sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/step/secrets

The configuration for step-ca should be mirrored from the leader. In particular, the following files should be copied from the leader host to the follower:

  • /etc/scion-ca/step/certs/intermediate_ca.crt
  • /etc/scion-ca/step/certs/root_ca.crt
  • /etc/scion-ca/step/config/ca.json
  • /etc/scion-ca/step/config/defaults.json

Different credentials

In case you use different database credentials than on the leader node, update /etc/scion-ca/step/config/ca.json accordingly.

Additionally, the credentials for the Google Cloud KMS key ring need to be installed under:

  • /etc/scion-ca/step/secrets/credentials.json
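
A follower is only as trustworthy as the copy it received, so it pays to verify the mirrored files before starting step-ca. The script below is an added example, not part of the Anapaya documentation or tooling; it assumes a Linux host with GNU coreutils and openssl, and a sha256 manifest produced on the leader as shown in the header comment.

```shell
#!/bin/sh
# Post-copy check for a follower host (added example, not part of the Anapaya
# documentation or tooling). Assumes a Linux host with GNU coreutils (stat -c,
# sha256sum) and openssl, and a sha256 manifest generated on the leader with:
#   (cd /etc/scion-ca/step && sha256sum certs/*.crt config/*.json) > leader.sha256

# The four files this page says must be copied from the leader.
MIRRORED_FILES="certs/intermediate_ca.crt certs/root_ca.crt config/ca.json config/defaults.json"

# 0 if the file exists, is non-empty and is owned by the CA user, else 1.
check_mirrored_file() {
  f="$1"; owner="$2"
  [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
  [ "$(stat -c %U "$f")" = "$owner" ] || { echo "not owned by $owner: $f"; return 1; }
}

# 0 if every file listed in the leader's manifest (absolute path) matches the
# copy under $dir, so a truncated or stale copy is caught before step-ca starts.
check_manifest() {
  dir="$1"; manifest="$2"
  (cd "$dir" && sha256sum -c --quiet "$manifest") >/dev/null 2>&1
}

# 0 if intermediate_ca.crt really chains to root_ca.crt; a follower serving an
# intermediate from some other root would issue certificates nobody trusts.
check_chain() {
  certs="$1"
  openssl verify -CAfile "$certs/root_ca.crt" "$certs/intermediate_ca.crt" >/dev/null 2>&1
}

# Runs all checks against a step directory; the return value is the number of
# failed checks, so 0 means the follower is consistent with the leader.
verify_follower_copy() {
  dir="$1"; owner="$2"; manifest="$3"; failures=0
  for rel in $MIRRORED_FILES; do
    check_mirrored_file "$dir/$rel" "$owner" || failures=$((failures + 1))
  done
  check_manifest "$dir" "$manifest" || { echo "manifest mismatch under $dir"; failures=$((failures + 1)); }
  check_chain "$dir/certs" || { echo "intermediate_ca.crt does not chain to root_ca.crt"; failures=$((failures + 1)); }
  return $failures
}

# Stand-alone use: verify_copy.sh /etc/scion-ca/step scion-ca /root/leader.sha256
if [ "$#" -eq 3 ]; then
  verify_follower_copy "$1" "$2" "$3"
fi
```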

Set up the systemd service for step-ca:

sudo tee /etc/systemd/system/step-ca.service > /dev/null << 'EOF'
[Unit]
Description=step-ca service
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
ConditionFileNotEmpty=/etc/scion-ca/step/config/ca.json
ConditionFileNotEmpty=/etc/scion-ca/step/secrets/credentials.json

[Service]
Type=simple
User=scion-ca
Group=scion-ca
Environment=STEPPATH=/etc/scion-ca/step
WorkingDirectory=/etc/scion-ca/step
ExecStart=/usr/bin/step-ca config/ca.json
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=30
StartLimitBurst=3

; Process capabilities & privileges
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

; Sandboxing
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
ReadWritePaths=/etc/scion-ca/step/config/ca.json

[Install]
WantedBy=multi-user.target
EOF

Load and enable the step-ca service:

sudo systemctl daemon-reload
sudo systemctl enable --now step-ca
sudo systemctl status step-ca

Configure step-ca-rotator

Prepare the necessary directories with the correct ownership and permissions:

sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/rotator

Copy the credentials located in $SCION_CA_STEP_CA_ROTATOR_CREDS for the Google Cloud KMS key ring to the step-ca-rotator configuration directory:

sudo cp $SCION_CA_STEP_CA_ROTATOR_CREDS /etc/scion-ca/rotator/credentials.json
sudo chown scion-ca:scion-ca /etc/scion-ca/rotator/credentials.json
sudo chmod 0400 /etc/scion-ca/rotator/credentials.json

Generate the step-ca-rotator configuration file:

step-ca-rotator sample config | sudo -u scion-ca tee /etc/scion-ca/rotator/config.toml > /dev/null
sudo chmod 0400 /etc/scion-ca/rotator/config.toml

Make sure to update the following fields in the configuration file:

  • database.dsn
  • instance.isd_as
  • instance.rotation_follower (set to true)
  • instance.key (do not include the version suffix)
  • instance.root_key (include the version suffix)

You can also change other fields to your liking. E.g., you might want to change the log.console.format to human for easier manual inspection of the logs, or change the log.console.level to debug for more verbose logging.
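
The version-suffix distinction between instance.key and instance.root_key is easy to get wrong, and a follower with rotation_follower left at false would try to rotate on its own. The check below is an added example, not part of step-ca-rotator; it assumes the dotted field names map to a TOML [instance] table with "name = value" lines, and that both key fields hold Cloud KMS resource names (a key name without, and a key-version name with, the /cryptoKeyVersions/N suffix).

```shell
#!/bin/sh
# Sanity check for the follower's step-ca-rotator config.toml (added example,
# not part of step-ca-rotator). It assumes the dotted field names on this page
# map to a TOML [instance] table with "name = value" lines, and that the two key
# fields hold Cloud KMS resource names of the form
#   projects/P/locations/L/keyRings/R/cryptoKeys/K[/cryptoKeyVersions/N]

# Prints the unquoted value of key $2 from TOML table [$1] in file $3.
toml_get() {
  awk -v sect="[$1]" -v key="$2" '
    /^[ \t]*\[/ { sub(/^[ \t]+/, ""); cur = $0; next }   # entering a new table
    cur == sect && $1 == key && $2 == "=" {             # "key = value" line
      v = $3; gsub(/"/, "", v); print v; exit
    }' "$3"
}

# Returns 0 when the three follower-specific fields agree with the instructions
# above, otherwise prints every violation and returns 1.
check_rotator_config() {
  cfg="$1"; rc=0
  follower=$(toml_get instance rotation_follower "$cfg")
  key=$(toml_get instance key "$cfg")
  root_key=$(toml_get instance root_key "$cfg")
  [ "$follower" = "true" ] || { echo "instance.rotation_follower must be true on a follower"; rc=1; }
  case "$key" in
    */cryptoKeys/*/cryptoKeyVersions/*)
      echo "instance.key must name the key, not a /cryptoKeyVersions/N version"; rc=1 ;;
    */cryptoKeys/*) ;;
    *) echo "instance.key is not a Cloud KMS key resource name"; rc=1 ;;
  esac
  case "$root_key" in
    */cryptoKeys/*/cryptoKeyVersions/*) ;;
    *) echo "instance.root_key must include the /cryptoKeyVersions/N suffix"; rc=1 ;;
  esac
  return $rc
}

# Stand-alone use: check_rotator.sh /etc/scion-ca/rotator/config.toml
if [ "$#" -eq 1 ]; then
  check_rotator_config "$1"
fi
```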

Create the systemd service for step-ca-rotator:

step-ca-rotator sample systemd-service | sudo tee /etc/systemd/system/step-ca-rotator.service > /dev/null

Load and enable the step-ca-rotator service:

sudo systemctl daemon-reload
sudo systemctl enable --now step-ca-rotator
sudo systemctl status step-ca-rotator

Configure step-ca-adapter

Prepare the necessary directories with the correct ownership and permissions:

sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/adapter
sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/adapter/tls/
sudo -u scion-ca mkdir -m 0700 /etc/scion-ca/adapter/tls/acme

Copy the shared secret and the provisioner password from the leader host to the follower host:

  • /etc/scion-ca/adapter/shared_secret
  • /etc/scion-ca/adapter/step-ca-adapter.pw

Generate the step-ca-adapter configuration file:

step-ca-adapter sample config | sudo -u scion-ca tee /etc/scion-ca/adapter/config.toml > /dev/null
sudo chmod 0400 /etc/scion-ca/adapter/config.toml

Make sure to update the following fields in the configuration file:

  • database.dsn
  • general.isd
  • public.api_addr (use a resolvable hostname)
  • public.acme.ca (if ACME is supported on step-ca, use https://localhost:8443/acme/acme/directory)

You can also change other fields to your liking. E.g., you might want to change the log.console.format to human for easier manual inspection of the logs, or change the log.console.level to debug for more verbose logging.

tip

To enable ACME support, follow the user guide.

Create the systemd service for step-ca-adapter:

step-ca-adapter sample systemd-service | sudo tee /etc/systemd/system/step-ca-adapter.service > /dev/null

Load and enable the step-ca-adapter service:

sudo systemctl daemon-reload
sudo systemctl enable --now step-ca-adapter
sudo systemctl status step-ca-adapter