Usage<\/h2>\n\n\n\n
So what I\u2019ve done is create a very simple This is me using Smallstep on Debian creating a You\u2019ll see that we are grabbing Smallstep using This is going to create a certificate for me without a password requirement, if you want a password, I\u2019ve created a bash script that enters it into the prompt that becomes accessible once Smallstep asks for your password:<\/p>\n\n\n\n That will get you going in Travis CI if you want a password, and are using this foundation for more than testing purposes.<\/p>\n\n\n\n Now when we are talking the normal user experience when using ACME (not Smallstep per se), it\u2019s something like:<\/p>\n\n\n\n If a client wishes to fetch a resource from the server (which would otherwise be done with a GET), then it MUST send a POST request with a JWS body as described above, where the payload of the JWS is a zero-length octet string. In other words, the \u201cpayload\u201d field of the JWS object MUST be present and set to the empty string (\u201c\u201d), or you\u2019ll get a Well don\u2019t worry, we\u2019re gonna pass The value of the Replay-Nonce header field MUST be an octet string encoded according to the Fig. 1. Overview of the interoperable implementation architecture.<\/em><\/p>\n\n\n\n I can\u2019t get into every aspect of ACME, but do some research about the Interoperable Implementation Arch. It\u2019s quite interesting.<\/p>\n\n\n\n The ACME client creates a key pair (sometimes referred to as a key value pair), for the domains and provides the ACME server with the public key (contained in an The actual ACME protocol is designed to work asynchronously and breaks the sketched flow into several (smaller) steps. Each of these steps is linked to the flow using unique identifiers (provided in URLs) that are issued by the ACME server step-by-step during the flow. The protocol requires the client to authenticate each message (based on the JSON Web Signature (JWS) standard.<\/p>\n\n\n\n Once the rate limit is exceeded, the server MUST respond with an error with the type You\u2019ll then see the following if your build worked correctly:<\/p>\n\n\n\n You\u2019ll notice You\u2019ll see I have this command as well in our This is to make sure You just got a rundown on The ACME Protocol, and how you can use As always, if you have any questions about this tutorial, please email me at montana@travis-ci.org<\/a> and I will assist you.<\/p>\n\n\n\n Happy building! Down below you will find relevant links to this tutorial:<\/p>\n\n\n\n Here are some relevant links before you go!<\/p>\n\n\n\n You may know something called the ACME protocol for automated certificate management has seen vast adoption in the Web PKI since its inception in 2016. While initially conceived for usage on the public web, the protocol is also well-suited for usage on internal networks, e.g. infranets, infrachats at Colleges, etc. Let\u2019s lerarn more about Smallstep. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_breakdance_hide_in_design_set":false,"_breakdance_tags":"","footnotes":""},"categories":[16],"tags":[7,19,20,5],"class_list":["post-238248","post","type-post","status-publish","format-standard","hentry","category-news","tag-community","tag-feature","tag-infrastructure","tag-news"],"_links":{"self":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/comments?post=238248"}],"version-history":[{"count":6,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238248\/revisions"}],"predecessor-version":[{"id":242783,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238248\/revisions\/242783"}],"wp:attachment":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/media?parent=238248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/categories?post=238248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/tags?post=238248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}.travis.yml<\/code> showing off some of Smallstep\u2019s features, and you can start thinking about how this could be useful for your project that\u2019s running Travis. So let\u2019s get into the .travis.yml<\/code> file I created:<\/p>\n\n\n\ndist: jammy\nlanguage: go\ngroup: edge\nsudo: true\n\nscript: \n - wget https:\/\/dl.step.sm\/gh-release\/cli\/docs-cli-install\/v0.20.0\/step-cli_0.20.0_amd64.deb\n - sudo dpkg -i step-cli_0.20.0_amd64.deb\n - step -v \n - step certificate create --profile root-ca \"Montana Mendy Travis CI keys\" ca.crt ca.key --insecure --no-password\n - step certificate inspect https:\/\/smallstep.com<\/code><\/pre>\n\n\n\nlocalhost.key<\/code>:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/08\/183217280-a7d7e3e3-bf01-4b36-8a94-d8ce2d41e5a6-1024x155-1.png\")
<\/figure>\n\n\n\nwget<\/code>, we then use dpkg<\/code> to unzip it, I then check step -v<\/code> to see Smallstep is infact in our VM. I then run the following:<\/p>\n\n\n\nstep certificate create --profile root-ca \"Montana Mendy Travis CI keys\" ca.crt ca.key --insecure --no-password<\/code><\/pre>\n\n\n\n#!\/bin\/bash\npass=\"toocool\"\necho $pass | step certificate create --profile root-ca \"Montana Mendy Travis CI keys\" ca.crt ca.key<\/code><\/pre>\n\n\n\nACME User Experience<\/h2>\n\n\n\n
\n
JWS<\/h2>\n\n\n\n
null<\/code>.<\/p>\n\n\n\nOh no I got stuck at an interactive prompt!<\/h2>\n\n\n\n
pass<\/code> with $pass<\/code> and telling it to run that along with the step<\/code> command as you remmeber above, but please remember you\u2019ll want to run the following to make sure it has proper permissions:<\/p>\n\n\n\nchmod u+x step.sh \n.\/step.sh<\/code><\/pre>\n\n\n\nbase64url<\/code> encoding. When setting up some of the policies please remember the clients MUST ignore invalid Replay-Nonce<\/code> values, this is an example of what they look like:<\/p>\n\n\n\nbase64url = ALPHA \/ DIGIT \/ \"-\" \/ \"_\"\nReplay-Nonce = 1*base64url<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/08\/183215829-e4085090-8f5a-4c6e-ab30-5b7846e3a31c-1024x314-2.png\")
<\/figure>\n\n\n\nHow can I sum up The ACME Protocol?<\/h2>\n\n\n\n
X.509<\/code> certificate signing request (CSR)). The ACME server then issues a certificate containing the public key and all domains previously requested by the client.<\/p>\n\n\n\nRatelimit<\/h2>\n\n\n\n
urn:ietf:params:acme:error:rateLimited<\/code>. Additionally, the server SHOULD<\/em> send a Retry-After header field and tell the end-user when they should try again.<\/p>\n\n\n\nThe Build<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/08\/183211757-499552fb-b0f4-4e96-984a-c95dca09a832-1024x550-2.png\")
<\/figure>\n\n\n\ncurl<\/code> will pull all the things you need from Google, then we run gcloud components update kubectl<\/code>, and we make sure we Docker listed as a service. Your build should look similar to this:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/07\/181833484-d5193c31-1298-4983-b83f-50ac924e2e65-1-1024x205-1.png\")
<\/figure>\n\n\n\n.travis.yml<\/code>:<\/p>\n\n\n\nstep certificate inspect https:\/\/smallstep.com<\/code><\/pre>\n\n\n\ncertificate insepct<\/code> is working, and as you can see Smallstep is doing a wonderful job.<\/p>\n\n\n\nConclusion<\/h2>\n\n\n\n
smallstep<\/code> to use The ACME Protocol and leverage some of it in your Travis CI project.<\/p>\n\n\n\n\n