insecureAddress for SCEP provider

[jbperrin88]

What would you like to be added

on ca.yaml line 88 , there is only HTTPS port configuration.

Can you add an option to set another port or just enable InsecureAddress configuration

Why this is needed

This is needed to handle InsecureAddress configuration for SCEP provider

[jbperrin88]

I workaround this issue .... by modifying the statefulSet after helm but this is not really beautiful....

If you enable insecure mode , you'll also need to add the right port map to Service.

By the way , i've got another issue.... linked to this one

I used existing secret with ca.json
Inside ca.json i need to set static provisioners SCEP even if i've already set in via remote management (my config use mariadb databases)

So if i understand it well (i've read a lot from sources)

When this stepca service start , it look at CRL and SCEP and insecureAddress to enable insecure listener...
Bu if the SCEP config is set inside the databases ... it to late to know it ...

Best regards

[hslatman]

@jbperrin88 regarding your last issue: are you using the latest version of step-ca? I remember having changed something in the order of checks recently for SCEP specifically, because I came across the same issue.

The code for that is this: https://github.com/smallstep/certificates/blob/master/authority/authority.go#L638-L648. The change was introduced with smallstep/certificates@4bb88ad.

We'll discuss the additional port in the chart in our upcoming open source triage meeting.

[travisghansen]

#206 is created to fix this.

I also experienced the listener not starting unless crl is enabled or scep is turned on. Perhaps the desired behavior but initially turning it on and not seeing the port bound was a bit confusing for a newcomer.