
Enable ACME for internal TLS

The Anapaya SCION CA provides the SCION CA API, which is used by the Anapaya appliance. To ensure secure communication between the Anapaya appliance and the Anapaya SCION CA, TLS must be enabled.

Given that you already have a trust anchor with the CP-PKI root certificate, you can use it to secure internal communication between the Anapaya appliance and the Anapaya SCION CA. To achieve this, step-ca can be configured to expose ACME to internal clients. This allows the step-ca-adapter to use ACME to automatically fetch and renew TLS certificates. This document walks you through enabling ACME support in step-ca and configuring the step-ca-adapter to use it.

Trusting root required

Clients of the SCION CA API, such as the Anapaya appliance, need to trust the root certificate of the CA that issues the TLS certificate. Refer to Installing the root certificate on the Anapaya appliance for more detailed instructions.

Enabling ACME in step-ca

To enable ACME support in step-ca, add an ACME provisioner:

sudo -u scion-ca STEPPATH=/etc/scion-ca/step step ca provisioner add acme \
--type acme \
--admin-subject step \
--admin-provisioner scion-ca-admin \
--admin-password-file /etc/scion-ca/secrets/scion-ca-admin.pw

(See the step-ca documentation for more information on ACME support)

Enabling ACME in step-ca-adapter

To enable ACME in step-ca-adapter, adjust the step-ca-adapter configuration file /etc/scion-ca/adapter/config.toml to point the ACME client to the step-ca instance:

[public.acme]
ca = "https://localhost:8443/acme/acme/directory"

Ensure that public.api_addr is set to a hostname that step-ca can resolve and reach, because step-ca validates the HTTP-01 challenge by connecting to the step-ca-adapter under that name; an address that does not resolve on the step-ca host leaves the challenge pending and no certificate is issued. You can create a proper DNS entry, or add a static entry to /etc/hosts.

Restart the service such that the new configuration is loaded:

sudo systemctl restart step-ca-adapter

After a short while the step-ca-adapter will have obtained a TLS certificate via ACME. Confirm this by checking the health of the service:

curl localhost:41500/api/v1/health

Installing the root certificate on the Anapaya appliance

The Anapaya appliance needs to trust the root certificate of the CA that issues the TLS certificate for the step-ca-adapter (the CP-PKI root when following this guide). Install the root certificate on the Anapaya appliance by running the following commands, with $ROOT_PEM pointing at the PEM-encoded root and {name} chosen by you:

sudo cp $ROOT_PEM /usr/local/share/ca-certificates/{name}.crt
File extension

Make sure to use the .crt file extension for the root certificate: update-ca-certificates only picks up files with that extension from /usr/local/share/ca-certificates, so a .pem file placed there is silently ignored.

sudo update-ca-certificates

Recreate the control-{ISD_AS} docker container after the root has been installed, so that it starts with the updated system trust store.

Find all control services, and remove them:

appliance-cli get debug/services -f body.services --raw | grep control- | xargs docker container rm -f

Wait for the control service recreation, which can take up to a minute. Speed up the process by manually triggering an appliance controller notification:

appliance-cli post debug/notifications
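The following script wraps the root-installation and control-service recreation steps above with the checks a practitioner would want before touching the appliance's trust store: that the file really is a PEM certificate, that it is self-signed and carries basicConstraints CA:TRUE (so it is a root, not an intermediate or a leaf), that it has not expired, and that the destination name ends in .crt. It is an added example, not code from the Anapaya documentation or tooling; the function names, the cp-pki-root name and the two-argument usage are this script's own assumptions, and the appliance-cli and docker invocations are the ones shown on the page.

```bash
#!/usr/bin/env bash
# Added example (not Anapaya's code): sanity-check a CP-PKI root certificate,
# install it as a system trust anchor on the appliance, then recreate the
# control services so they start with the updated trust store.
set -euo pipefail

# Debian/Ubuntu trust-store layout, as used on the page. update-ca-certificates
# only picks up files in this directory that end in .crt.
CA_DIR=/usr/local/share/ca-certificates

# Map a user-supplied name (with or without a .pem/.crt suffix) to the .crt
# path that update-ca-certificates expects.
root_dest_path() {
  local name="${1%.crt}"
  name="${name%.pem}"
  printf '%s/%s.crt\n' "$CA_DIR" "$name"
}

# Succeed only if the file is a PEM certificate that is self-signed, carries
# basicConstraints CA:TRUE and has not expired, i.e. something that can serve
# as a trust anchor. Errors go to stderr and the function returns 1.
check_root_pem() {
  local pem="$1" subject issuer text
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
    || { echo "$pem: not a PEM certificate" >&2; return 1; }
  subject=$(openssl x509 -in "$pem" -noout -subject) || return 1
  issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 1
  # A root is self-signed: issuer and subject must match (prefix stripped).
  [ "${subject#subject=}" = "${issuer#issuer=}" ] \
    || { echo "$pem: issuer differs from subject, not a self-signed root" >&2; return 1; }
  # Capture the text dump first so grep closing the pipe early cannot trip pipefail.
  text=$(openssl x509 -in "$pem" -noout -text)
  case "$text" in
    *"CA:TRUE"*) ;;
    *) echo "$pem: basicConstraints CA:TRUE missing, not a CA certificate" >&2; return 1 ;;
  esac
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
    || { echo "$pem: certificate has expired" >&2; return 1; }
}

# Install the root into the system trust store (requires sudo, as on the page).
install_root_cert() {
  local pem="$1" name="$2" dest
  check_root_pem "$pem"
  dest=$(root_dest_path "$name")
  sudo cp "$pem" "$dest"
  sudo update-ca-certificates
  echo "installed $dest"
}

# Remove all control-* containers so the appliance controller recreates them
# with the new trust store; the notification makes it do so right away.
# xargs -r (GNU) skips the docker call when no control container is running.
recreate_control_services() {
  appliance-cli get debug/services -f body.services --raw \
    | grep 'control-' | xargs -r docker container rm -f
  appliance-cli post debug/notifications
}

# Usage: ./install-root.sh /path/to/root.pem cp-pki-root
if [ "$#" -eq 2 ]; then
  install_root_cert "$1" "$2"
  recreate_control_services
fi
```

Run it on the appliance as `./install-root.sh "$ROOT_PEM" cp-pki-root`; if any check fails the script stops before copying anything, so a wrongly exported intermediate or an expired root never lands in the trust store.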