cli
Localaddr for ca client
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
I would like to request some options to specify a local address / bind to a specific iface when renewing certs.
Why is this needed?
When running the service with a CIDR-based ACL (firewall), it would be helpful if we could force the client to use only certain IPs.
The current workaround is static routes with `src` / `vrf`s.
Hi @jpathy, although the clients can be forced to use a specific interface to dial out, can you tell us why adding static routes (`ip route add`, `route add`, ...) is not a valid solution for your use case?
Another current solution for this would be using a proxy, defining the environment variables `HTTP_PROXY` and `HTTPS_PROXY`.
> why adding static routes (`ip route add`, `route add`, ...) is not a valid solution for your use case?
I am doing this, but the CA may get a different IP and I would have to update all the client (host agent) route tables/rules, whereas clients are assigned certs restricted to IPs and use DNS to resolve the CA.
I can use the `/renew` endpoint if it's out of scope.
For `step ca` commands it might be easy, as most of them use the same client, but we would probably do it using an environment variable. Would that work for you? Something similar to:
```
STEP_CLIENT_ADDR=10.30.21.192 step ca certificate [email protected] foo.crt foo.key
```
Yes, an env var would work; it can be set up easily in a systemd service.
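The proposal in this thread is to let an environment variable pin the source address the client dials from. The following is an added example, not code from this thread or from the step/step-ca code base: it shows how a Go HTTP client does this with `net.Dialer.LocalAddr`, reads the address from an environment variable, and surfaces the failure mode a practitioner should expect when the requested address is not configured on the host. The variable name `STEP_CLIENT_ADDR` is taken from the proposal above and is hypothetical; the echo server stands in for the CA and simply reports the source address it observed, which is what a CIDR-based firewall rule would match on; the address `192.0.2.1` (TEST-NET-1) is a constructed example of an IP the host does not own.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// clientAddrEnv is the variable name from the proposal in the thread above.
// It is hypothetical: nothing in step reads it as of this discussion.
const clientAddrEnv = "STEP_CLIENT_ADDR"

// newBoundClient returns an *http.Client whose TCP connections are dialed
// from localIP. An empty localIP keeps the default behaviour (the kernel
// picks the source address from the routing table). A malformed address is
// rejected here rather than at the first request.
func newBoundClient(localIP string) (*http.Client, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	if localIP != "" {
		ip := net.ParseIP(localIP)
		if ip == nil {
			return nil, fmt.Errorf("invalid local address %q", localIP)
		}
		// Port 0 lets the kernel choose an ephemeral source port; only the IP is pinned.
		dialer.LocalAddr = &net.TCPAddr{IP: ip, Port: 0}
	}
	transport := &http.Transport{
		DialContext:         dialer.DialContext,
		TLSHandshakeTimeout: 5 * time.Second,
	}
	return &http.Client{Transport: transport, Timeout: 10 * time.Second}, nil
}

// newClientFromEnv mirrors the proposed UX: take the bind address from the
// environment (as a systemd unit would set it) and fall back to the kernel's
// default when the variable is unset.
func newClientFromEnv() (*http.Client, error) {
	return newBoundClient(os.Getenv(clientAddrEnv))
}

// echoServer stands in for the CA. It answers every request with the remote
// address of the connection, i.e. the source "ip:port" it observed.
func echoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.RemoteAddr)
	}))
}

// fetchSeenRemoteAddr performs GET url with client and returns the body,
// which for echoServer is the source address the server side saw.
func fetchSeenRemoteAddr(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// sourceIP strips the port from an "ip:port" string; on malformed input it
// returns the input unchanged so the caller can still inspect it.
func sourceIP(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func main() {
	srv := echoServer()
	defer srv.Close()

	// Bound to loopback: the server must report 127.0.0.1 as the source.
	client, err := newBoundClient("127.0.0.1")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	seen, err := fetchSeenRemoteAddr(client, srv.URL)
	fmt.Println("bound to 127.0.0.1, server saw:", sourceIP(seen), err)

	// Bound to an address this host does not own (192.0.2.1, TEST-NET-1):
	// client construction succeeds, but the dial fails at request time with
	// a bind error such as "cannot assign requested address".
	client, _ = newBoundClient("192.0.2.1")
	_, err = fetchSeenRemoteAddr(client, srv.URL)
	fmt.Println("bound to 192.0.2.1:", err)

	// Driven by the proposed environment variable instead of a flag.
	os.Setenv(clientAddrEnv, "127.0.0.1")
	client, _ = newClientFromEnv()
	seen, _ = fetchSeenRemoteAddr(client, srv.URL)
	fmt.Println(clientAddrEnv+"=127.0.0.1, server saw:", sourceIP(seen))
}
```

Pinning the source address does not change the route: the kernel still selects the egress interface from the routing table, so the bound address must be one that is valid on that path, otherwise the packets leave with a source the far side (and its firewall) will not accept. That is also why the bind fails immediately for an address no local interface carries, which is the check worth surfacing to the operator rather than a silent fallback to the default source.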