Internal ACME server set up but no joy with acme-tiny or curl

[sdgathman]

acme-tiny gets 404 on https://ca.internal:9000/acme/BMS/directory - so does curl.
provisioner is type: ACME and name: BMS
Fetching https://ca.internal:9000/roots.pem with curl gets the configured ca_root.crt

NOTE: it took a while to realize that step-ca seems to generate a server cert on the fly using dnsNames in config for subjectAltName in cert. So acme-tiny and curl were getting hostname mismatch.

[sdgathman]

Ah, the docs didn't mention $CERTPATH/db. Created that directory and the directory url succeeds. But now, step-ca is trying to fetch the challenge from the step-ca hostname http://ca.internal - instead of the hostname being registered! Now what am I missing?

Ah - step-ca caches NX_DOMAIN a really long time. Have to make sure step-ca server can see new domain before trying to register it. (Seems like a bug.) Workaround, restart step-ca after creating new domain.

[sdgathman]

Now it gets: authority.Sign: error reading /var/lib/step-ca/.step/templates/certs/x509/default.tpl: open /var/lib/step-ca/.step/templates/certs/x509/default.tpl: no such file or directory"

The step ca init didn't put anything in templates. What goes in templates??

[sdgathman]

The suggested ACME provisioner included default.tpl - but did not provide an example. I removed the "options" clause from ACME provisioner, and now certs get signed.

How do I get the intermediate CA pre/ap-pended to the signed cert, like Let's Encrypt does? I can add scripting on the client end (like I had before LE added that feature). But it's better if the ACME server provides the intermediate.

[hslatman]

The intermediates are already part of the response: https://github.com/smallstep/certificates/blob/master/acme/api/handler.go#L388-L394.

[sdgathman]

Yep. I had wiped it out by running through openssl x509 -text ...