Thanks, comments inlined.

On 2/5/23 04:37, Tiemen Werkman wrote:
> This patch updates step-ca from version 0.22.0 to 0.23.1.
>
> Tested, built and working on amd64(linux kvm) and aarch64(pine64
> rock64).
>
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
>
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in
> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with the flag:
> "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
> unable to find the configuration file. I removed the
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" statement and instead
> added the following to rc.conf.local:
> step_ca_flags=config/ca.json --password-file secrets/secret.txt
> and this does work.
>
> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
This fails because the shell for the _step-ca account is set to /sbin/nologin;
it can be fixed by specifying a shell explicitly: su -s /bin/sh _step-ca -c "..."
Let's not use doas in the README unless really necessary.
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
> Also the docs folder has been deprecated;
> /usr/local/share/doc/step-ca/README.md offers several alternatives for step-ca documentation.
> I have changed the pkg/README to reflect both changes.
In addition to this, I think you should create a login.conf.d file which
sets STEPPATH in its environment.
As an example, look at the recent sogo commit which adds an environment
variable to the launch of sogo:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/sogo/pkg/sogod.login?rev=1.2&content-type=text/x-cvsweb-markup
>
> Tiemen Werkman
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/step-ca/Makefile,v
> retrieving revision 1.4
> diff -u -p -r1.4 Makefile
> --- Makefile  19 Sep 2022 20:35:54 -0000      1.4
> +++ Makefile  5 Feb 2023 03:42:58 -0000
> @@ -3,7 +3,7 @@ BROKEN-armv7 = github.com/go-piv/piv-go@
>  
>  COMMENT =    private certificate authority and ACME server
>  
> -V =          0.22.0
> +V =          0.23.1
>  MODGO_MODNAME =      github.com/smallstep/certificates
>  MODGO_VERSION =      v${V}
>  DISTNAME =   step-ca-${V}
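Review bot: the `BROKEN-armv7 = github.com/go-piv/piv-go@` marker visible in the hunk header is carried over unchanged by the bump to 0.23.1, while the cover letter only reports builds on amd64 and aarch64; it is worth re-checking whether the armv7 breakage still applies to the piv-go dependency pulled in by 0.23.1 before committing, and keeping the marker only if it does.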
> @@ -34,7 +34,7 @@ do-build:
>  
>  post-install:
>       ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/step-ca
> -     ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/step-ca
> +     ${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/step-ca
>  
>  .include "modules.inc"
>  .include <bsd.port.mk>
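Review bot: `${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/step-ca` now installs every top-level markdown file in the distribution, not only documentation; since the pkg/README directs users to share/doc/step-ca/README.md, consider naming README.md (and any other file actually wanted) explicitly so that a future release adding an unrelated .md at the top level does not silently end up in the package.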
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/step-ca/distinfo,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 distinfo
> --- distinfo  27 Aug 2022 21:17:15 -0000      1.1.1.1
> +++ distinfo  5 Feb 2023 03:42:58 -0000
> @@ -1,80 +1,266 @@
<snip>
>  # rcctl enable step_ca
> -# rcctl set step_ca flags --config config/ca.json
> +# rcctl set step_ca flags config/ca.json
> +
> +Firewall
> +========
> +
> +Step CA cannot bind to priviledged ports. Configure Step CA to listen on port
> +4343 and add the following rule to /etc/pf.conf.
> +
> +  pass in proto tcp to port https rdr-to 127.0.0.1 port 4343
>  
I don't know if this is needed, anyone who is running their own private
CA probably also has something else listening on https already or at
least knows to use a reverse proxy.
>  Add the CA cert to system store
>  ===============================
>  
> -The default certificate for Step CA is stored in 
> ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt
> +The root certificate for step-ca is stored in 
> ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt
>  which should be added to the system by appending it to 
> ${SYSCONFDIR}/ssl/cert.pem
>  
>  # cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> 
> ${SYSCONFDIR}/ssl/cert.pem
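Review bot: `+# rcctl set step_ca flags config/ca.json` in the README leaves out the `--password-file secrets/secret.txt` flag that the cover letter says the daemon needs to read the password-protected intermediate key, so a user following the README as written ends up with a daemon that has no way to obtain that password; show the complete string, e.g. `# rcctl set step_ca flags "config/ca.json --password-file secrets/secret.txt"`, and mention where the password file goes. Also, `priviledged` in the new Firewall section should read `privileged`.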
> Index: pkg/step_ca.rc
> ===================================================================
> RCS file: /cvs/ports/security/step-ca/pkg/step_ca.rc,v
> retrieving revision 1.2
> diff -u -p -r1.2 step_ca.rc
> --- pkg/step_ca.rc    19 Sep 2022 20:35:54 -0000      1.2
> +++ pkg/step_ca.rc    5 Feb 2023 03:42:58 -0000
> @@ -1,7 +1,6 @@
>  #!/bin/ksh
>  
>  daemon="${LOCALBASE}/bin/step-ca"
> -daemon_flags="config/ca.json"
>  daemon_user="_step-ca"
>  daemon_logger=daemon.info
>  daemon_execdir="${LOCALSTATEDIR}/step-ca"
>
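Review bot: dropping `daemon_flags="config/ca.json"` removes the only default that points the daemon at its configuration, so a freshly enabled step_ca is started without a config argument until the administrator sets step_ca_flags; the problem described in the cover letter is that the rc.conf.local value replaces the default rather than appending to it, which is normal rc.d behaviour, so the better fix is to keep the default here and have the README tell users to set the complete flag string (config path plus `--password-file ...`) instead of deleting the default.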