On 2/5/23 16:14, Tiemen Werkman wrote:
> On Sun, 2023-02-05 at 18:41 +0000, Stuart Henderson wrote:
>> On 2023/02/05 09:37, Tiemen Werkman wrote:
>>> I changed the rc.d/step_ca script and removed the default
>>> daemonflags
>>> because it caused a problem starting the step_ca daemon.
>>>
>>> When initializing step-ca both the root and intermediate certificate
> >>> private keys are secured with a password by default. The step_ca
>>> daemon
>>> requires access to the private key in order to sign certificates and
>>> therefore requires the password securing it.
> >>> Documentation suggests storing the password in
> >>> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with
> >>> the flag: "--password-file secrets/secret.txt".
>>> Adding this daemon flag appears to overwrite
>>> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
>> Of course - the flags in the rc.d file are default, by setting your
>> own
>> you override this. See e.g. 'rcctl get step_ca flags'.
>>
>> It doesn't seem correct to remove them from the rc file, I expect this
>> probably breaks things for people who already have it working with a
>> CA
>> without passphrase.
>>
>>> Also version 0.22.0 of the pkg/README suggested initializing Step ca
>>> using the following command:
> >>> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>>>
>>> However this does not work, I think it's because the _step-ca user
>>> does
>>> not have a home directory??
>>> Anyway this command does work:
> >>> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>> I agree with aisha about fixing the su command rather than changing to
>> doas.
>>
> Apologies for the confusion, I've reread my email and I wasn't clear.
>
> I ran into trouble when originally installing and starting up step_ca.
> The default initialization forces a password on the private keys. It
> seems prudent to leave it, but then --password-file flag must also be
> set. This is where I became confused: when setting the --password-file
> flag, the config/ca.json flag must also be set even though it is already
> set in /etc/rc.d/step_ca (also config/ca.json must precede any other
> flag if any other flag is set). If no password is set and therefore the
> --password-file flag is not required then the additional config/ca.json
> flag is not required.
> I thought that the flags in rc.conf.local are appended to the flags
> already present in /etc/rc.d/step_ca.
>
> I've done as A. Tammy suggested and set the environment variable
> $STEPPATH in /etc/login.conf.d/step_ca and this resolves the issue.
> Step_ca can now be started with additional flag(s) set in rc.conf.local
> without prepending config/ca.json or without any flags at all (presuming
> none are needed). And the original /etc/rc.d/step_ca daemon flag is
> restored as it was.
>
> I've also changed the initialization command as A. Tammy suggested.
> I left a line in the README about binding to unprivileged ports.
>
> Tiemen Werkman
ty, committed with a few small tweaks. Inlined them FYI for future updates.
> Index: modules.inc
> ===================================================================
> RCS file: /cvs/ports/security/step-ca/modules.inc,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 modules.inc
> --- modules.inc 27 Aug 2022 21:17:16 -0000 1.1.1.1
> +++ modules.inc 5 Feb 2023 21:05:52 -0000
> @@ -1,19 +1,132 @@
> +MODGO_VERSION = v0.23.1
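Review bot: MODGO_VERSION belongs in the port Makefile, and modules.inc carries only the generated module list, so the `+MODGO_VERSION = v0.23.1` line should be dropped from this hunk. The header `@@ -1,19 +1,132 @@` also announces 132 new lines while only this one is quoted, so the regenerated module and modfile entries cannot be checked from what is shown; please quote the full hunk or regenerate modules.inc with the ports infrastructure target so it contains nothing but those lists.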
This doesn't need to be there in modules.inc
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/step-ca/pkg/PLIST,v
> retrieving revision 1.2
> diff -u -p -r1.2 PLIST
> --- pkg/PLIST 19 Sep 2022 20:35:54 -0000 1.2
> +++ pkg/PLIST 5 Feb 2023 21:05:52 -0000
> @@ -15,15 +15,7 @@
> @bin bin/step-yubikey-init
> share/doc/pkg-readmes/${PKGSTEM}
> share/doc/step-ca/
> +share/doc/step-ca/CHANGELOG.md
> share/doc/step-ca/CONTRIBUTING.md
> -share/doc/step-ca/GETTING_STARTED.md
> share/doc/step-ca/README.md
> -share/doc/step-ca/acme.md
> -share/doc/step-ca/cas.md
> -share/doc/step-ca/database.md
> -share/doc/step-ca/defaults.md
> -share/doc/step-ca/docker.md
> -share/doc/step-ca/kms.md
> -share/doc/step-ca/provisioners.md
> -share/doc/step-ca/questions.md
> -share/doc/step-ca/revocation.md
> +share/doc/step-ca/SECURITY.md
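Review bot: this hunk does not register the /etc/login.conf.d/step_ca file the reply says the port now relies on, yet it is the only PLIST change quoted. A file destined for ${SYSCONFDIR} needs its own PLIST entry (installed under share/examples and copied into place with @sample, as ports do for login classes) or it is neither installed by pkg_add nor tracked on deinstall. The removals of GETTING_STARTED.md, acme.md and the other docs, plus the added CHANGELOG.md and SECURITY.md, are consistent with a changed upstream docs layout and need no further comment.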
PLIST needed updating after adding the login file.
Aisha
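The configuration the thread settles on, as an added example that is not part of the thread, the port, or step-ca's own code: a shell script that stages the login class exporting STEPPATH, the passphrase file, and the rc.conf.local flag under a prefix so they can be reviewed before being copied to a live system. The class name step_ca, the /var/step-ca STEPPATH and the secrets/secret.txt location follow the thread; the helper names, the demo passphrase, the use of an absolute --password-file path and the assumption that the _step-ca user is in login class step_ca are mine.

```shell
#!/bin/sh
# Added example (not the port's files or step-ca's own code): stage the
# configuration the thread arrives at under a prefix so it can be reviewed
# before being copied to the live system.  The login class name "step_ca",
# the /var/step-ca STEPPATH and the secrets/secret.txt location follow the
# thread; everything else (helper names, the demo passphrase) is assumed.
set -eu

# write_step_ca_conf PREFIX PASSPHRASE
# PREFIX is "" for the live system or a scratch directory for a dry run.
write_step_ca_conf() {
    root=$1
    passphrase=$2
    steppath="$root/var/step-ca"

    # 1. Login class exporting STEPPATH.  With STEPPATH in the daemon's
    #    environment, step-ca finds config/ca.json on its own, so the rc.d
    #    default flag is no longer load-bearing and rc.conf.local flags no
    #    longer have to repeat it.  Assumes the daemon user (_step-ca) is in
    #    login class step_ca; one class per file, named after the class.
    mkdir -p "$root/etc/login.conf.d"
    cat > "$root/etc/login.conf.d/step_ca" <<'EOF'
step_ca:\
	:setenv=STEPPATH=/var/step-ca:\
	:tc=daemon:
EOF

    # 2. Key passphrase file, created mode 0600 via umask so it is never
    #    world-readable, not even briefly.  The passphrase itself must not go
    #    on the command line: daemon flags are visible to every user in ps(1).
    mkdir -p "$steppath/secrets"
    ( umask 077; printf '%s\n' "$passphrase" > "$steppath/secrets/secret.txt" )

    # 3. Only the extra flag goes in rc.conf.local; it replaces (does not
    #    append to) the rc.d default, which is fine once STEPPATH is set.
    #    An absolute path avoids depending on the daemon's working directory.
    printf 'step_ca_flags=--password-file /var/step-ca/secrets/secret.txt\n' \
        >> "$root/etc/rc.conf.local"

    # Ownership can only be fixed on the live system (needs root).
    if [ -z "$root" ]; then
        chown -R _step-ca:_step-ca /var/step-ca/secrets
    fi
}

# check_step_ca_conf PREFIX: returns 0 if the secret is exactly 0600, the
# class exports STEPPATH and the flag is present; 1 otherwise.  These are
# the checks worth running before "rcctl start step_ca".
check_step_ca_conf() {
    root=$1
    secret="$root/var/step-ca/secrets/secret.txt"
    [ -n "$(find "$secret" -perm 600 2>/dev/null)" ] || return 1
    grep -q 'setenv=STEPPATH=/var/step-ca' "$root/etc/login.conf.d/step_ca" || return 1
    grep -q '^step_ca_flags=' "$root/etc/rc.conf.local" || return 1
    return 0
}

# Dry run: sh stage_step_ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    stage=$(mktemp -d)
    write_step_ca_conf "$stage" 'demo-passphrase-not-for-use'
    check_step_ca_conf "$stage" && echo "staged under $stage"
fi
```

Run it with --demo to get a scratch tree, inspect the three files, then copy them into / as root and confirm with `rcctl get step_ca flags` that only the --password-file flag is set; the check function refuses a passphrase file whose mode is anything but 0600, which is the mistake most likely to turn the CA's signing key into a local-user secret.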