Smallstep Step-CA


I’ve been trying to get Smallstep Step-CA to run as a Custom App. I’ve followed the settings from the Run a private online TLS certificate authority in a Docker container article, with some variations. I’m using ElectricEel-24.10.2.

I’ve tried with and without environment variables to initialize a basic CA. I’m using host storage and have a clean dataset selected. I’ve deleted and re-created the dataset that gets mapped to “/home/step”. I’ve also tried with and without enabling the SSH CA.

No matter what I do, the container does not start up. When I click the “Install” button, I get the progress bar for a few moments. By the time I’m returned to the Installed > Apps list, the container is marked as “Stopped.”

If I click to start it, it moves to “Deploying” but then almost immediately returns to “Stopped.”

I can see that it pulls down the container image in the list of available images. I don’t seem to get anything about this custom container in the app lifecycle log.

Any ideas on what to do or somehow I can troubleshoot this?

Or, if you have a Step-CA container working, can you pass along what you did?

I am able to get the Smallstep Step-CA container to run in OrbStack on macOS.

I found a bit about accessing logs and troubleshooting Docker, and have some update info.

When I try to run the Docker command from the CLI on TrueNAS Scale 24.10.2, I get the following in the logs:

$ sudo docker logs bc430227e0e1          
open /home/step/contexts.json failed: permission denied
/entrypoint.sh: line 56: /password: Permission denied

I then added some flags to give more detailed output when running the entrypoint.sh script.

$ sudo docker run --entrypoint /bin/bash -v /mnt/tank/apps/step-ca/step:/home/step \
    -p 9000:9000 \
    -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
    -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,truenas.home,truenas.home.arpa,stepca.home,stepca.home.arpa" \
    smallstep/step-ca -x /entrypoint.sh

+ set -eo pipefail
++ step path
open /home/step/contexts.json failed: permission denied
+ export STEPPATH=
+ STEPPATH=
+ REQUIRED_INIT_VARS=('DOCKER_STEPCA_INIT_NAME' 'DOCKER_STEPCA_INIT_DNS_NAMES')
+ declare -ra REQUIRED_INIT_VARS
+ '[' -f /usr/sbin/pcscd ']'
+ '[' '!' -f /config/ca.json ']'
+ init_if_possible
+ local missing_vars=0
+ for var in "${REQUIRED_INIT_VARS[@]}"
+ '[' -z Smallstep ']'
+ for var in "${REQUIRED_INIT_VARS[@]}"
+ '[' -z localhost,nas.home,nas.home.arpa,stepca.home,stepca.home.arpa ']'
+ '[' 0 = 1 ']'
+ step_ca_init
+ DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin
+ DOCKER_STEPCA_INIT_ADMIN_SUBJECT=step
+ DOCKER_STEPCA_INIT_ADDRESS=:9000
+ setup_args=('--name' 'Smallstep' '--dns' 'localhost,nas.home,nas.home.arpa,stepca.home,stepca.home.arpa' '--provisioner' 'admin' '--password-file' '/password' '--provisioner-password-file' '/provisioner_password' '--address' ':9000')
+ local -a setup_args
+ '[' -n '' ']'
+ '[' -n '' ']'
+ generate_password
/entrypoint.sh: line 56: /password: Permission denied

From this, it looks like the STEPPATH variable is not being set at all. It works in OrbStack on macOS, but the step path command is not returning anything when starting the container on EE. I’m getting this:

open /home/step/contexts.json failed: permission denied

I don’t know why the step path command is failing here. (See this line in the entrypoint script.) Maybe it has something to do with the storage volume I’m passing through? But other apps have not had the same sort of problem with “apps” datasets in the same hierarchy.

The /home/step directory is mapped from apps storage in EE. The apps user should have access to it via the ACL. I’ve tried changing from the “modify” setting to the “full control” setting, making the change recursively for that path in the Dataset editor. No change.

I had also deleted and re-created the apps storage path (everything under /mnt/tank/apps related to “step-ca”) and recreated “step-ca” there. No change.

I had also tried to run the container with root permissions. No change.

I think I will next try moving away from host storage and try iX storage, just to see what happens.

Using iX storage also didn’t work.

I finally found a way to get Step-CA to run and keep running.

  1. Create a TrueNAS user for “step” with UID 1000.
  2. Create a TrueNAS group for “step” with GID 1000.
  3. Set the Dataset(s) for the container to be owned by 1000:1000.
  4. Start the container.

It looks like there is a dependency on UID 1000.

There was nothing in the Docker container for Step-CA that I could find that led me to this requirement, but I found it when I ran docker exec commands to find out the user information in the container.

After finding it, I think the dependency may be on the smallstep/cli container. There is a portion of that container definition that hardcodes the UID and GID of 1000. The smallstep/step-ca container includes/embeds this with a FROM statement. From what I’ve read, this means that the smallstep/cli container is layered into the smallstep/step-ca container.

I don’t know if there is a better way to handle this UID/GID requirement within the Custom App in TrueNAS. I tried a few things with Dataset ACLs and container settings in the Custom App setup unsuccessfully before creating the user and group, and changing the ownership of the Datasets.
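As an added example (not from this thread or from Smallstep), a preflight check that can be run on the TrueNAS host before starting the Custom App: it verifies that the dataset bind-mounted to /home/step is owned by the UID/GID the image expects and is owner-writable, which is the condition the “open /home/step/contexts.json failed: permission denied” error above points at. The function name, the STEP_UID/STEP_GID defaults and the use of GNU `stat`/`find` (available on TrueNAS SCALE) are assumptions made for this example.

```shell
#!/bin/sh
# Preflight check for the dataset mapped to /home/step (the STEPPATH).
# The smallstep/cli layer that smallstep/step-ca builds on runs as UID/GID 1000,
# so the host directory (and everything already inside it) must be owned by
# 1000:1000 and be rwx for its owner; otherwise `step path` cannot read or create
# contexts.json and the entrypoint aborts. Assumes GNU coreutils stat and GNU find.

STEP_UID="${STEP_UID:-1000}"   # assumed default, matches the thread's finding
STEP_GID="${STEP_GID:-1000}"

# check_steppath DIR [UID] [GID]
# Prints "ok" and returns 0 when DIR is usable by UID:GID; otherwise prints the
# reason and returns 1. The optional UID/GID override the STEP_* defaults.
check_steppath() {
    dir="$1"; want_uid="${2:-$STEP_UID}"; want_gid="${3:-$STEP_GID}"

    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"; return 1
    fi

    have_uid="$(stat -c '%u' "$dir")"
    have_gid="$(stat -c '%g' "$dir")"
    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo "owner mismatch: $dir is $have_uid:$have_gid, expected $want_uid:$want_gid"
        return 1
    fi

    # The owner needs r (list), w (create contexts.json) and x (traverse).
    case "$(stat -c '%A' "$dir")" in
        drwx*) ;;
        *) echo "mode mismatch: $dir is not rwx for its owner"; return 1 ;;
    esac

    # A dataset recreated or written to as another user can leave files behind
    # that the step user cannot open; report the first one found.
    stray="$(find "$dir" -mindepth 1 ! -uid "$want_uid" 2>/dev/null | head -n 1)"
    if [ -n "$stray" ]; then
        echo "stray file not owned by $want_uid: $stray"; return 1
    fi

    echo "ok"
}

# Example invocation against the host path used in the thread:
#   check_steppath /mnt/tank/apps/step-ca/step
```

Run it as root on the host; a non-"ok" line names the first thing to fix before re-deploying the app.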