安装Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux

What is Step-CA?

[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. -https://github.com/smallstep/certificates

Installing Step-CA and Step-CLI

1. Log into the Linux device
2. Run the following commands in a terminal
   # update software repositories
   sudo apt update
   # install available software updates
   sudo apt upgrade -y
   # install prerequisites
   sudo apt install curl wget -y
   # clean up downloaded apt files
   sudo apt clean
   # lookup latest steps-ca release URL
   regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
   # download steps-ca server
   wget -O ./steps-ca.deb $downloadURL
   # install steps-ca server
   sudo dpkg -i ./steps-ca.deb
   # lookup latest steps-cli release URL
   regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && && downloadURL="${BASH_REMATCH[1]}"
   # download steps-cli client
   wget -O ./steps-cli.deb $downloadURL
   # install steps-cli client
   sudo dpkg -i ./steps-cli.deb
   # create the /etc/step-ca directory
   sudo mkdir /etc/step-ca
   # elevate to root user
   sudo su
   # set the step-ca path
   export STEPPATH=/etc/step-ca

Initialize A New Certificate Authority

1. Continue with the following commands in a terminal
   # initilize a CA
   step ca init
2. Select standalone > press Enter
3. Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] > Press Enter
4. Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] > Press Enter
5. Enter the port for Step-CA to listen on [ie :8443] > Press Enter
6. Enter a first provisioner e-mail address [ie i12bretro@i12bretro.local] > Press Enter
7. Enter a password for the CA or leave it blank to have a password generated > Press Enter

Installing Step-CA Service/Daemon

1. Continue with the following commands in a terminal
   # add ACME provisioner
   step ca provisioner add acme --type ACME
   # exit root shell
   exit
   # create password.txt, replace with the CA password
   echo '$YourCAPassword!!' | sudo tee -a /etc/step-ca/password.txt > /dev/null
   # create step-ca user
   sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca
   # set ownership of /etc/step-ca
   sudo chown step-ca:step-ca /etc/step-ca -R
   # limit permissions on the password.txt file
   sudo chmod 400 /etc/step-ca/password.txt
   # create step-ca log directory
   sudo mkdir /var/log/step-ca -p
   # set ownership of step-ca logs
   sudo chown step-ca:step-ca /var/log/step-ca -R
   # edit the ca configuration
   sudo nano /etc/step-ca/config/ca.json
2. By default, step-ca certificates are only valid for 24 hours. To adjust this, paste the following inside each of the provisioners sections of the ca.json configuration file and adjust the values as needed

   "claims": {
   "maxTLSCertDuration":"26280h",
   "defaultTLSCertDuration":"8760h"
   },

3. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
4. Continue with the following commands in a terminal
   # create service file
   sudo nano /etc/systemd/system/step-ca.service
5. Paste the following configuration into step-ca.service

   [Unit]
   Description=step-ca service
   After=network.target
   StartLimitIntervalSec=0

   [Service]
   Type=simple
   Restart=always
   RestartSec=1
   User=step-ca
   Group=step-ca
   Environment=STEPPATH=/etc/step-ca
   ExecStart=/bin/sh -c "/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt >> /var/log/step-ca/step-ca.log 2>&1"

   [Install]
   WantedBy=multi-user.target

6. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
7. Continue with the following commands to enable and start the service:
   # reload systemd services
   sudo systemctl daemon-reload
   # start step-ca service on boot and now
   sudo systemctl enable step-ca --now

Automating Certificate Requests

1. Log into the server needing to request a certificate
2. Continue following commands in a terminal window
   # copy the step-ca root certificate to trusted certs
   sudo cp /etc/step-ca/certs/root_ca.crt /usr/local/share/ca-certificates/
   # copy the step-ca intermediate certificate to trusted certs
   sudo cp /etc/step-ca/certs/intermediate_ca.crt /usr/local/share/ca-certificates/
   # update ca certs
   sudo update-ca-certificates
   # remove apt version of certbot if installed
   sudo apt remove certbot -y
   # install snapd
   sudo apt install snapd -y
   # install snap core and update
   sudo snap install core; sudo snap refresh core
   # install certbot snap
   sudo snap install --classic certbot
   # create certbot symbolic link
   sudo ln -s /snap/bin/certbot /usr/bin/certbot
   # request the certificate
   sudo REQUESTS_CA_BUNDLE=/etc/step-ca/certs/root_ca.crt certbot certonly --standalone -d <%host%> --server https://<%step-ca-host%>:<%step-ca-port%>/acme/acme/directory
3. When prompted, enter an email address and agree to the terms of service
4. Choose whether to share your email and receive emails from certbot
5. Certbot will output information regarding the location of the certificate files

Sources: https://smallstep.com/docs/step-ca/installation
https://certbot.eff.org/instructions?ws=other&os=debianbuster
https://smallstep.com/docs/tutorials/acme-challenge/