At a loss for adding domains to an allowlist

[insipx]

I followed https://smallstep.com/docs/certificate-manager/kubernetes-tls/kubernetes-step-issuer/

My homelab was renewing certificates fine and i had tls via a wildcard domain at *.jupiter.lan and the traefik ingress ip 10.10.68.1

I recently followed https://smallstep.com/blog/access-your-homelab-anywhere/

I started getting these errors in step-issuer and on my ca after following it:

step-issuer

{"level":"error","ts":"2026-01-25T20:24:28Z","logger":"controllers.CertificateRequest","msg":"failed to sign certificate request","certificaterequest":{" │

Jan 25 15:46:19 volos sh[20747]: time="2026-01-25T15:46:19-05:00" level=warning duration=3.385747ms duration-ns=3385747 error="ip name \"10.10.68.1\" not allowed" fields.time="2026-01-25T15:46:19-05:00" method=POST name=ca ott=$ott path=/sign protocol=HTTP/2.0 referer= remote-address=10.10.69.50 request-id=bd642f64-2e40-4afe-8303-3207217f6980 size=118 status=403 user-agent=step-http-client/1.0 user-id=

but this seems to have completely broken step-issuer. it can no longer renew certificates and no matter what I try i cannot add my san to the allow list. I get:

my admins:

me@tinyca ~> sudo -u step --preserve-env step ca admin list
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
✔ Provisioner: mainsuperadmin@mail.com (JWK) [kid: --]
Please enter the password to decrypt the provisioner key:
SUBJECT                 PROVISIONER                             TYPE
step                    mainsuperadmin@mail.com (JWK)       SUPER_ADMIN
step-issuer-admin       step-issuer (JWK)                       ADMIN
insipx                  mainsuperadmin@mail.com (JWK)       ADMIN

It's unclear to me what the --provisioner flag does. is that the provisioner i want to allow the DNS for, or the admin provisioner to auth the command? in either case, it does not work:

me@tinyca ~> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer"
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
✔ Provisioner: step-issuer (JWK) [kid: ]
Please enter the password to decrypt the provisioner key:
error retrieving policy: error retrieving policy: adminHandler.authorizeToken; unable to load admin with subject(s) [step step] and provisioner 'step-issuer'


insipx@volos ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "mainsuperadmin@mail.com"
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
✔ Provisioner: mainsuperadmin@mail.com (JWK) [kid: ]
Please enter the password to decrypt the provisioner key:
error retrieving policy: error retrieving policy: operation not supported in standalone mode

Standalone mode is also confusing. AFAICT, there is no --offline flag for step ca policy commands.

i also tried with my admin that has the step-issuer as a provisioner:

me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner view --provisioner step-issuer
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step-issuer-admin
✔ Provisioner: step-issuer (JWK) [kid: ---]
Please enter the password to decrypt the provisioner key:
error retrieving authority policy: operation not supported in standalone mode

Then i thought maybe i misunderstood and need to add it to authority policies:

Authority Policies

**me@tinyca ~> sudo -u step --preserve-env step ca policy authority view
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step-issuer-admin
✔ Provisioner: step-issuer (JWK) [kid:]
Please enter the password to decrypt the provisioner key:
me@tinyca ~ [3]> sudo -u step --preserve-env step ca policy authority view
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step-issuer-admin
✔ Provisioner: step-issuer (JWK) [kid: ---]
Please enter the password to decrypt the provisioner key:
{
   "x509": {
      "allow": {
         "dns": [
            "step",
            "22385564",
            "14836775",
            "*.jupiter.lan",
            "insipx",
            "step-issuer-admin",
            "10.10.68.1"
         ],
         "emails": [
            "mainsuperadmin@mail.com"
         ]
      },
      "deny": {},
      "allowWildcardNames": true
   },
   "ssh": {
      "host": {
         "allow": {},
         "deny": {}
      },
      "user": {
         "allow": {},
         "deny": {}
      }
   }
}

[hslatman]

Can you try --admin-provisioner to point to the admin JWK?

[insipx]

admin-provisioenr

me@tinyca ~> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-provisioner "step"
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
error creating admin client: invalid value 'step' for flag '--admin-provisioner'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-provisioner "mainsuperadmin@mail.com"
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step█
error creating admin client: invalid value 'mainsuperadmin@mail.com' for flag '--admin-provisioner'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-provisioner mainsuperadmin@mail.com
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
error creating admin client: invalid value 'mainsuperadmin@mail.com' for flag '--admin-provisioner'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-provisioner step-issuer-admin
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
error creating admin client: invalid value 'step-issuer-admin' for flag '--admin-provisioner'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-provisioner step
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
error creating admin client: invalid value 'step' for flag '--admin-provisioner'

Variations:

me@tinyca ~> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-subject step
No admin credentials found. You must login to execute admin commands.
✔ Provisioner: step-issuer (JWK) [kid: --]
Please enter the password to decrypt the provisioner key:
Please enter the password to decrypt the provisioner key:
error retrieving policy: error retrieving policy: adminHandler.authorizeToken; unable to load admin with subject(s) [step step] and provisioner 'step-issuer'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-subject step-issuer-admin
No admin credentials found. You must login to execute admin commands.
✔ Provisioner: step-issuer (JWK) [kid: --]
Please enter the password to decrypt the provisioner key:
error retrieving policy: error retrieving policy: operation not supported in standalone mode
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-issuer step
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step
error creating admin client: invalid value 'step' for flag '--admin-provisioner'
me@tinyca ~ [1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --provisioner "step-issuer" --admin-issuer step-issuer-admin
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com): step-issuer-admin
error creating admin client: invalid value 'step-issuer-admin' for flag '--admin-provisioner'
me@tinyca ~ [1]>

[hslatman]

And with --admin-provisioner "mainsuperadmin@mail.com" --admin-subject "step"?

[insipx]

that gave me:

[1]> sudo -u step --preserve-env step ca policy provisioner x509 allow dns "*.jupiter.lan" --admin-provisioner "mainsuperadmin@mail.com" --admin-subject "step" --provisioner step-issuer
No admin credentials found. You must login to execute admin commands.
error creating admin client: invalid value 'mainsuperadmin@mail.com' for flag '--admin-provisioner'

[insipx]

For any future visitors, I figured it out:

The open-source Step Certificate authority can only be configured at an authority level (according to these docs)

A self-hosted step-ca instance can be configured with a policy on the authority level only. In a free hosted smallstep Certificate Manager authority, policies can be configured on the authority, on each provisioner, and on every ACME account.

So, that may be why none of the provisioner commands worked, the self-hosted one can only do rules for authority commands

Ultimately, this is what fixed it, and all at the authority level:

1.) Add wildcard domain to authority
2.) Allow wildcard domains. Even if domain is on allowlist with wildcard, if this is not enabled it will not work
3.) add ip to allowlist as well (I was unaware IPs had their own allowlist)

The really confusing part for me is that i wanted this allow list scoped to just the step-issuer provisioner rather than the authority level. And since provisioner seems like a valid option for the step-cli tool, I assumed it possible. I usually first refer the the cli command --help as a doc reference rather than going out to the internet. Further I was not not sure the implications of having something scoped to authority level have for the acme issuer for instance, since that depends on challenges rather than issuer rules.

IMO Step should have better error messages than

error retrieving authority policy: operation not supported in standalone mode

or the previous authority admin/permission errors, since its difficult to find what the right "troubleshooting" path really is. I was convinced there was some secret/undocumented "offline" mode I could use the issue provisioner rules, when in reality provisioner rules were simply disabled completely (or maybe there is a mode, but only in the "proprietary" hosted version)

Glad to have fixed this though! Now i got mTLS on my k3s cluster working. thanks for the suggestions @hslatman