How to use Ingress to expose Step CA to outside of the K8S cluster?

[Magicloud]

I have Step CA and etc setup in K8S cluster to issue certs for Ingresses. All worked well, the test HTTPS endpoint shows the cert signed by Step CA. And obviously it is not trusted by browser.

Then I followed the doc to run step cli on client to get and install the CA. But failed.

I ran step ca bootstrap --ca-url step-ca.magicloud.lan --fingerprint f689f91afac159293233fd4d9760d3979799aa0ed57dec73d6bce1fdb7d8973c. And got error downloading root certificate: failed decoding CA error response: invalid character 'I' looking for beginning of value on client. And 2025/10/22 08:12:38 /usr/local/go/src/net/http/server.go:3638: http: TLS handshake error from 10.42.0.91:48588: remote error: tls: bad certificate on Step CA server.

The ingress for Step CA is configured in Helm values:

ingress:
  enabled: true
  annotations:
    external-dns.alpha.kubernetes.io/hostname: step-ca.magicloud.lan.
    cert-manager.io/issuer: step-issuer
    cert-manager.io/issuer-kind: StepClusterIssuer
    cert-manager.io/issuer-group: certmanager.step.sm
  hosts:
    - host: step-ca.magicloud.lan
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: step-ca-tls
      hosts:
        - step-ca.magicloud.lan

Anything I missed or did wrong?