I learned a lot from your previous videos about creating and using one's own private ca based on openSSL. Very recently I decided to change to step-ca as soon as I can allocate the time to make the change. Imagine how lucky I feel to see you now also have a brand new tutorial on step-ca!!
Step-ca has been on my radar for a while and I eventually got round to it
So it was good to be able to finally put it to use
I'm amazed, your content is great, well explained and with a great purpose
Thanks for the feedback
The videos I'm doing tend to cover what I'm doing myself to improve IT
Thank you for your instructional videos. I find them to be very useful. and appreciate that you don't gloss over the details and more often than not, provide additional insight. For this implementation when using ACME, how do you include the IP address in the SAN when PVE generates the CSR, in addition to the FQDN, so connecting via IP provides a secure connection? With your recent Ansible videos, it would be interesting to see how much of this process could be automated for existing hosts and new hosts as they are provisioned.
I haven't tested this with a SAN or IP addressing but according to the documentation, step-ca supports this
smallstep.com/docs/step-cli/reference/ca/token/
For PVE for instance, you can include multiple entries in the domain field
You just have to separate them with a semi-colon e.g.
prox1.servers.com;192.168.12.12
Ansible's very flexible as you can just execute commands if there isn't a module to support this
So for PVE you have the pve config command available
pve.proxmox.com/pve-docs/pvenode.1.html
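As an added illustration of the semicolon-separated Domains field mentioned above (not code from the video or the blog), this small validator splits the field into DNS and IP SANs, rejects entries that cannot be a SAN, and emits the equivalent `--san` flags for a manual `step ca certificate` request. The hostname and address are the constructed sample values from the comment; whether an ACME server accepts IP identifiers (RFC 8738) is a server-side matter this check does not cover.

```python
import ipaddress
import re

# Hostname label rule (letters, digits, hyphen; no leading/trailing hyphen).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_pve_domains(field: str) -> dict:
    """Split a Proxmox VE ACME 'Domains' field ("a;b;c") into DNS and IP SANs.

    Returns {"dns": [...], "ip": [...]} with duplicates removed, or raises
    ValueError for entries that cannot be a SAN (empty, wildcard, bad label).
    """
    dns, ips = [], []
    for raw in field.split(";"):
        entry = raw.strip().rstrip(".")
        if not entry:
            raise ValueError("empty entry in domain list")
        # IPv6 may be written in brackets; strip them before parsing.
        candidate = entry[1:-1] if entry.startswith("[") and entry.endswith("]") else entry
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            addr = None
        if addr is not None:
            if str(addr) not in ips:
                ips.append(str(addr))
            continue
        if "*" in entry:
            raise ValueError(f"wildcard not allowed here: {entry}")
        labels = entry.split(".")
        if len(entry) > 253 or not all(_LABEL.match(label) for label in labels):
            raise ValueError(f"not a valid DNS name: {entry}")
        if entry.lower() not in dns:
            dns.append(entry.lower())
    return {"dns": dns, "ip": ips}


def step_san_flags(field: str) -> list:
    """Equivalent --san flags for `step ca certificate` (manual enrolment)."""
    sans = parse_pve_domains(field)
    return [f"--san={s}" for s in sans["dns"] + sans["ip"]]


if __name__ == "__main__":
    # Constructed sample taken from the comment thread.
    print(step_san_flags("prox1.servers.com;192.168.12.12"))
```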
For more usability for users that watch YouTube videos on their smartphones, could you please consider 3 things: enlarge the terminal, press enter 2 or 3 times in order not to start at the top, and after you paste text press arrow right in order to demarcate the text so it is better readable? That would be fantastic 🙂
Good suggestions
I did enlarge the font some time back based on comments, and my video editor seems to blur things when I get it to zoom but I'll revisit that option as well
In the meantime, there is a blog which has all the commands in it
www.techtutorials.tv/sections/it-security/automated-tls-certificates-step-ca/
Just need to figure out how to get markup language to give me a copy button
@TechTutorialsDavidMcKone Thank you for putting in a link to the blog post, it is nice to be able to copy in the commands while watching the video.
@rob280 Yes, I think all videos like these should have commands you can copy and paste
I'd like to have a copy command next to the lines, but it's a static website and it's proving difficult to find how to do that
Very clear instructions as always, unfortunately running into a problem here. Using the redirect rule for a client pc works like a charm but when trying to connect from an LXC container on the proxmox host it doesn't work, connecting to 8006 works but not through the redirect. Anyone have an idea what the issue is?
Bit of an old post, but try this
stackoverflow.com/questions/54091002/docker-how-to-redirect-a-ip-within-a-container-to-another-ip
That one is about the IP address but maybe it might work for a different port
Although you might want to check out Caddy instead
I've started deploying it as a reverse proxy for containers
It is on my video to do list, but you can check out these links if you're interested
caddyserver.com/docs/quick-starts/reverse-proxy
caddyserver.com/docs/caddyfile/directives/reverse_proxy
@TechTutorialsDavidMcKone Thanks for the answer. I'm not using a container but step-ca directly on an LXC. The physical interface for VMs/containers is a different one than the Proxmox management interface so no clue why it shouldn't work directly like it works with 8006, but will try with a reverse proxy in front of Proxmox proxying 443 to 8006.
Very interesting! Thanks for this video.
Yes, it's very useful
You can run it as a normal application, but I'm liking the container option
Retail switches for instance that don't support SSH will still need manual work
But I noticed Certbot supports a lot of systems so that could be used to automate other devices
Do you just create and install certs with expirations measured in decades for devices/environments that don't support ACME?
Typically you set the certificate expiry for 1 year
Lab environments might use 10 years, but the expectation is they'd be rebuilt several times over the course of a year and so it wouldn't matter
Caddy is awesome for this
Yeah, it's on my to do list
I've been using it as a reverse proxy and it's very good for that
Now I want to see if I can use it to provide certificates for other devices through ACME or even manually
@TechTutorialsDavidMcKone you definitely can. Adding tls internal to the Caddyfile sets up a root certificate that issues server certificates; all you have to do is trust the root certificate. They only last for a day, which I really hope the industry isn't going for.
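Putting the two suggestions in this thread together (Caddy as a reverse proxy on 443 in front of the PVE web UI on 8006, and where Caddy's own certificate comes from), here is an added Caddyfile example that is not from the video or the blog. The hostname, the step-ca ACME directory URL, the upstream address and the file paths are assumptions.

```caddyfile
{
    # Global options: obtain Caddy's certificates from the internal step-ca
    # ACME provisioner instead of a public CA (URL and path are assumptions;
    # "acme" is the assumed provisioner name).
    acme_ca https://ca.servers.com/acme/acme/directory
    acme_ca_root /etc/caddy/step-root_ca.crt
}

# The name users type in; Caddy listens on 443 and renews the leaf itself.
prox1.servers.com {
    # Alternative to the global options above: uncomment `tls internal` to let
    # Caddy mint its own root and short-lived leaf certificates, as described in
    # the comment above; clients then trust Caddy's root instead of step-ca's.
    # tls internal

    reverse_proxy https://192.168.12.12:8006 {
        transport http {
            # Keep verification of the PVE listener switched on: point Caddy at
            # the CA that signed PVE's 8006 certificate (PVE's own root CA, or
            # the step-ca root if PVE already enrols through ACME). Newer Caddy
            # releases offer tls_trust_pool for the same purpose.
            tls_trusted_ca_certs /etc/caddy/upstream-ca.pem
            # Name to verify against, since the upstream is addressed by IP.
            tls_server_name prox1.servers.com
        }
    }
}
```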
Nice coverage but too much of a hassle for using CLI
Docker has a desktop option
www.docker.com/products/docker-desktop/
And so does Podman
podman-desktop.io/
Portainer is an interesting alternative mind
www.portainer.io/
But for now at least it's only supporting Docker
The bootstrapping stuff I was doing was more for basic testing and updating the certificate store. It's not necessary for web browsers
Not much CLI work to do for Proxmox VE, but hopefully they'll add that into the GUI at some point
For devices without an ACME client, are you just manually creating one for years?
If so, how might that compromise the 1-day strategy?
@TechTutorialsDavidMcKone Wouldn't it be better using Caddy v2? They use Step-CA for local PKI
@ltonchis1245 Thanks for mentioning this, I'll take a look
+1