insecureAddress config option not starting HTTP listener in v0.27.5 #2538

@bls

Description

The insecureAddress configuration option in ca.json does not appear to start an HTTP listener in step-ca version 0.27.5.

Configuration

{
  "address": ":9000",
  "insecureAddress": ":9080",
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/root_ca.crt",
  "key": "/home/step/certs/root_ca.key",
  "dnsNames": ["ca.example.com"],
  "db": {
    "type": "badgerv2",
    "dataSource": "/home/step/db"
  },
  "authority": {
    "provisioners": [{
      "type": "ACME",
      "name": "acme"
    }]
  }
}

Expected Behavior

step-ca should start an HTTP listener on port 9080 in addition to the HTTPS listener on port 9000, as documented.

Actual Behavior

Only the HTTPS listener on port 9000 is started. The startup logs show:

Serving HTTPS on :9000 ...

No mention of the insecure listener. Checking with netstat inside the container confirms only port 9000 is listening:

tcp        0      0 :::9000                 :::*                    LISTEN

Attempting to connect to port 9080 results in "Connection refused".

Environment

  • step-ca version: 0.27.5
  • Docker image: smallstep/step-ca:0.27.5
  • OS: Linux (Synology DSM / Docker)

Use Case

Running step-ca behind a TLS-terminating reverse proxy (Synology's built-in reverse proxy) which does not support connecting to HTTPS backends with custom CA certificates.

Related: #246
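
A diagnostic for the mismatch reported above, added here as an example (it is not part of the original issue or of step-ca's code): it reads the `address` and `insecureAddress` fields from a ca.json and reports which of them actually accepts TCP connections. The function names, the loopback probe for wildcard binds, and the embedded sample config are assumptions made for illustration.

```python
import json
import socket

# Constructed sample mirroring the listener fields of the ca.json in the report.
SAMPLE_CA_JSON = '{"address": ":9000", "insecureAddress": ":9080"}'

def split_addr(addr, default_host="127.0.0.1"):
    """Split a Go-style listen address (":9000", "0.0.0.0:9000", "[::1]:9000")."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    if host in ("", "0.0.0.0", "::"):
        host = default_host  # wildcard bind: probe it through loopback
    return host, int(port)

def configured_listeners(ca_json_text):
    """Return {config key: (host, port)} for each listener set in ca.json."""
    cfg = json.loads(ca_json_text)
    keys = ("address", "insecureAddress")
    return {k: split_addr(cfg[k]) for k in keys if cfg.get(k)}

def is_listening(host, port, timeout=1.0):
    """True if a TCP connect succeeds; refused or timed out counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(ca_json_text):
    """Map each configured listener key to whether its port accepts connections."""
    listeners = configured_listeners(ca_json_text)
    return {k: is_listening(h, p) for k, (h, p) in listeners.items()}

if __name__ == "__main__":
    import sys
    # Pass the path to ca.json as the first argument; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CA_JSON
    for key, up in check(text).items():
        print(f"{key}: {'LISTEN' if up else 'not listening'}")
```

Run it in the same network namespace as step-ca (for example inside the container), since wildcard binds are probed through 127.0.0.1.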
