[Bug]: Docker step ca init "open /home/step/secrets/intermediate_ca_key: permission denied"
Steps to Reproduce
Testing the Docker image, I've created this simple docker-compose.yml
version: "3.5"
volumes:
  step:
services:
  step-ca:
    image: smallstep/step-ca
    container_name: step-ca
    restart: always
    volumes:
      - "step:/home/step"
      - "./password:/home/step/secrets/password"
    environment:
      DOCKER_STEPCA_INIT_NAME: "ca.local"
      DOCKER_STEPCA_INIT_DNS_NAMES: "localhost,ca.local,step-ca"
    ports:
      - "443:9000"
Your Environment
- OS - Docker on Raspberry Pi OS 64 bits
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
# uname -a
Linux talloca 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
- step-ca Version - Docker image: smallstep/step-ca:latest (DIGEST: sha256:48c19bdd6cf8c179b04805b897ee4c591df479f919cece6cb13285053cfb8c12)
Expected Behavior
I expect the CA to start properly.
Actual Behavior
The CA doesn't start. It fails during init with a permission error.
$ docker-compose up
Creating volume "step-ca_step" with default driver
Pulling step-ca (smallstep/step-ca:)...
latest: Pulling from smallstep/step-ca
b3c136eddcbf: Pull complete
3ec4389e237d: Pull complete
a1e5a30d2645: Pull complete
4f4fb700ef54: Pull complete
a9471723f12d: Pull complete
8612715930f6: Pull complete
07c9f79436f9: Pull complete
45a6246097cd: Pull complete
c10367b913fb: Pull complete
Digest: sha256:48c19bdd6cf8c179b04805b897ee4c591df479f919cece6cb13285053cfb8c12
Status: Downloaded newer image for smallstep/step-ca:latest
Creating step-ca ... done
Attaching to step-ca
step-ca |
step-ca | Generating root certificate... done!
step-ca | Generating intermediate certificate... done!
step-ca | open /home/step/secrets/intermediate_ca_key: permission denied
# ls -al /var/lib/docker/volumes/step-ca_step/_data/
total 28
drwxr-sr-x 6 tallo tallo 4096 Jul 15 08:01 .
drwx-----x 3 root root 4096 Jul 15 08:01 ..
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 certs
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 config
-rw-r--r-- 1 tallo tallo 41 Jul 15 08:34 password
drwxr-sr-x 2 root tallo 4096 Jul 15 08:01 secrets
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 templates
# ls -al /var/lib/docker/volumes/step-ca_step/_data/secrets/
total 8
drwxr-sr-x 2 root tallo 4096 Jul 15 08:46 .
drwxr-sr-x 6 tallo tallo 4096 Jul 15 08:46 ..
-rwxr-xr-x 1 root tallo 0 Jul 15 08:46 password
Hi @spyesx, I was able to reproduce this as well.
I think this is docker/compose#3270 in the wild.
Because of the volume mount, you may need to add a layer to the Dockerfile for step-ca to get this working.
What I still don't understand is why docker run -d -v step:/home/step ... works, but this doesn't work.
@tashian Is there anything that we can do here? Should we close this?
Yes, I think we can close this for now and revisit if/when the Compose bug is fixed.
I know this issue has been long since closed, but I've been trying to figure this bug out myself for some time and just found a solution. Hopefully this may help someone else in the future.
Because you are exposing home/step/secrets/password to a password folder in your project directory, you may need to make sure that the password folder is given the correct permissions on your server.
I was using Linux myself, and I had run a sudo chmod on the folder I was exposing. After doing that, I was no longer seeing the permission denied message from step-ca, and the container is now running as expected.
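As an added example, not taken from this issue or from the step-ca project: a POSIX shell pre-flight check to run on the host before docker-compose up, which flags bind-mount sources (such as the ./password file in the compose file above) that the container user could not read, the condition the previous comment fixed with chmod. It assumes the container user is a different account from the host-side owner unless CONTAINER_USER names the matching host account; check_bind_source is a hypothetical helper name.

```shell
#!/bin/sh
# Hypothetical pre-flight check, not part of step-ca or docker-compose:
# verify that each host path about to be bind-mounted into the container
# is readable (and, for directories, searchable) by the container user.
# CONTAINER_USER may name the host account whose uid the container runs as;
# when unset, the path must be readable by "other", i.e. world-readable.
check_bind_source() {
  rc=0
  for p in "$@"; do
    if [ ! -e "$p" ]; then
      printf 'missing: %s\n' "$p"
      rc=1
      continue
    fi
    # Parse ls -ld rather than stat(1), whose flags differ between GNU and BSD.
    line=$(ls -ld "$p")
    mode=${line%% *}
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    kind=$(printf '%s' "$mode" | cut -c1)
    if [ -n "${CONTAINER_USER:-}" ] && [ "$owner" = "$CONTAINER_USER" ]; then
      r=$(printf '%s' "$mode" | cut -c2)    # user read bit
      x=$(printf '%s' "$mode" | cut -c4)    # user execute bit (x or s)
    else
      r=$(printf '%s' "$mode" | cut -c8)    # other read bit
      x=$(printf '%s' "$mode" | cut -c10)   # other execute bit (x or t)
    fi
    if [ "$r" != r ]; then
      printf 'not readable by container user: %s (%s %s)\n' "$p" "$mode" "$owner"
      rc=1
    elif [ "$kind" = d ] && [ "$x" != x ] && [ "$x" != s ] && [ "$x" != t ]; then
      printf 'not searchable by container user: %s (%s %s)\n' "$p" "$mode" "$owner"
      rc=1
    fi
  done
  return $rc
}

# Run as: sh check_bind.sh ./password   (exits non-zero when any path fails)
[ "$#" -eq 0 ] || check_bind_source "$@"
```

Widening the password file to world-readable satisfies the check but exposes the CA key password to every local user; giving the file to the container's uid with mode 0400 passes the check with CONTAINER_USER set and avoids that exposure.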