Re: [update] security/step-ca

2023-07-26 Thread A Tammy


On 7/26/23 17:37, Bryce Chidester wrote:
> Apologies for the mangling! I'd seen other patches on the list sent
> inline and plaintext without issue and assumed that was preferred.
> Diff attached,
> SHA256(step-ca-0.24.2.diff) =
> d971844216873258bcf3a83163c724063d3f1a2a43f2ac91f43f0fafaaabaea6
committed thanks!
> -Bryce
>
> On Sat, 22 Jul 2023 at 06:45, Daniel Jakots wrote:
>> On Fri, 21 Jul 2023 10:08:47 -0700, Bryce Chidester wrote:
>>
>>> Just a simple version bump to step-ca 0.24.2 (modgo-gen-modules,
>>> makesum, update-plist). Tested working, and now running in production
>>> on amd64/kvm.
>> The patch is mangled (same thing for step-cli) and won't apply. Can you
>> please send them again? If you're not sure how to ensure they don't get
>> mangled, it's probably easier to just attach them.
>>
>> Cheers,
>> Daniel
>>



Re: [update] security/step-ca

2023-07-22 Thread Daniel Jakots
On Fri, 21 Jul 2023 10:08:47 -0700, Bryce Chidester wrote:

> Just a simple version bump to step-ca 0.24.2 (modgo-gen-modules,
> makesum, update-plist). Tested working, and now running in production
> on amd64/kvm.

The patch is mangled (same thing for step-cli) and won't apply. Can you
please send them again? If you're not sure how to ensure they don't get
mangled, it's probably easier to just attach them.

Cheers,
Daniel



Re: [update] security/step-ca

2023-02-05 Thread A Tammy


On 2/5/23 16:14, Tiemen Werkman wrote:
> On Sun, 2023-02-05 at 18:41 +, Stuart Henderson wrote:
>> On 2023/02/05 09:37, Tiemen Werkman wrote:
>>> I changed the rc.d/step_ca script and removed the default
>>> daemonflags
>>> because it caused a problem starting the step_ca daemon.
>>>
>>> When initializing step-ca both the root and intermediate certificate
> >>> private keys are secured with a password by default. The step_ca
>>> daemon
>>> requires access to the private key in order to sign certificates and
>>> therefore requires the password securing it.
>>> Documentation suggests storing the password in {LOCALSTATEDIR}/step-
>>> ca/secrets/secret.txt and starting step_ca with the flag:
>>> "--password-file secrets/secret.txt".
>>> Adding this daemon flag appears to overwrite
>>> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
>> Of course - the flags in the rc.d file are default, by setting your
>> own
>> you override this. See e.g. 'rcctl get step_ca flags'.
>>
>> It doesn't seem correct to remove them from the rc file, I expect this
>> probably breaks things for people who already have it working with a
>> CA
>> without passphrase.
>>
>>> Also version 0.22.0 of the pkg/README suggested initializing Step ca
>>> using the following command:
>>> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca
>>> init"
>>>
>>> However this does not work, I think it's because the _step-ca user
>>> does
>>> not have a home directory??
>>> Anyway this command does work:
>>> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca
>>> step
>>> ca init"
>> I agree with aisha about fixing the su command rather than changing to
>> doas.
>>
> Apologies for the confusion, I've reread my email and I wasn't clear.
>
> I ran into trouble when originally installing and starting up step_ca.
> The default initialization forces a password on the private keys. It
> seems prudent to leave it, but then --password-file flag must also be
> set. This is where I became confused: when setting the --password-file
> flag, the config/ca.json flag must also be set even though it is already
> set in /etc/rc.d/step_ca (also config/ca.json must precede any other
> flag if any other flag is set). If no password is set and therefore the
> --password-file flag is not required then the additional config/ca.json
> flag is not required.
> I thought that the flags in rc.conf.local are appended to the flags
> already present in /etc/rc.d/step_ca.
>
> I've done as A. Tammy suggested and set the environment variable
> $STEPPATH in /etc/login.conf.d/step_ca and this resolves the issue.
> Step_ca can now be started with additional flag(s) set in rc.conf.local
> without prepending config/ca.json or without any flags at all (presuming
> none are needed). And the original /etc/rc.d/step_ca daemon flag is
> restored as it was.
>
> I've also changed the initialization command as A. Tammy suggested.
> I left a line in the README about binding to unprivileged ports.
>
> Tiemen Werkman
ty committed with a few small tweaks. Inlined them fyi for future updates.
> Index: modules.inc
> ===
> RCS file: /cvs/ports/security/step-ca/modules.inc,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 modules.inc
> --- modules.inc   27 Aug 2022 21:17:16 -  1.1.1.1
> +++ modules.inc   5 Feb 2023 21:05:52 -
> @@ -1,19 +1,132 @@
> +MODGO_VERSION =  v0.23.1
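Review bot: the `+MODGO_VERSION = v0.23.1` line duplicates the Makefile's `MODGO_VERSION = v${V}` (see the Makefile hunk of this same patch), so the next bump would have to be made in two places and the two copies can silently disagree; drop it from modules.inc and let Makefile own the version.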
This doesn't need to be there in modules.inc
> Index: pkg/PLIST
> ===
> RCS file: /cvs/ports/security/step-ca/pkg/PLIST,v
> retrieving revision 1.2
> diff -u -p -r1.2 PLIST
> --- pkg/PLIST 19 Sep 2022 20:35:54 -  1.2
> +++ pkg/PLIST 5 Feb 2023 21:05:52 -
> @@ -15,15 +15,7 @@
>  @bin bin/step-yubikey-init
>  share/doc/pkg-readmes/${PKGSTEM}
>  share/doc/step-ca/
> +share/doc/step-ca/CHANGELOG.md
>  share/doc/step-ca/CONTRIBUTING.md
> -share/doc/step-ca/GETTING_STARTED.md
>  share/doc/step-ca/README.md
> -share/doc/step-ca/acme.md
> -share/doc/step-ca/cas.md
> -share/doc/step-ca/database.md
> -share/doc/step-ca/defaults.md
> -share/doc/step-ca/docker.md
> -share/doc/step-ca/kms.md
> -share/doc/step-ca/provisioners.md
> -share/doc/step-ca/questions.md
> -share/doc/step-ca/revocation.md
> +share/doc/step-ca/SECURITY.md
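Review bot: this PLIST hunk covers only the share/doc entries that follow from the Makefile switching from docs/*.md to ${WRKSRC}/*.md; the login.conf.d file added before commit (per the note below) needs its own PLIST entry, which is why update-plist had to be re-run. For a change like this, regenerate the PLIST with update-plist rather than editing it by hand, so the listed files match what post-install actually copies.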

PLIST needed updating after adding the login file.

Aisha
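
The login-class fix that Aisha suggests and Tiemen confirms above, written out as an added example; it is not the port's committed file, and the class name, the /var/step-ca path (the usual expansion of ${LOCALSTATEDIR}) and the assumption that the _step-ca account is placed in this login class are mine:

```text
# /etc/login.conf.d/step_ca  (added example; class name and path are assumptions)
# Exports STEPPATH for the daemon so step-ca locates config/ca.json and
# secrets/ under it, instead of depending on the daemon_flags default.
step_ca:\
	:setenv=STEPPATH=/var/step-ca:\
	:tc=daemon:

# /etc/rc.conf.local  (added example)
# With STEPPATH exported, only the password flag is needed; the relative
# secrets/secret.txt resolves against daemon_execdir (${LOCALSTATEDIR}/step-ca).
step_ca_flags=--password-file secrets/secret.txt
```

Confirm the effective flags with `rcctl get step_ca flags`, as Stuart notes; with the class in place they should carry only the password-file flag.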



Re: [update] security/step-ca

2023-02-05 Thread Stuart Henderson
On 2023/02/05 09:37, Tiemen Werkman wrote:
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
> 
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in {LOCALSTATEDIR}/step-
> ca/secrets/secret.txt and starting step_ca with the flag:
> "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,

Of course - the flags in the rc.d file are default, by setting your own
you override this. See e.g. 'rcctl get step_ca flags'.

It doesn't seem correct to remove them from the rc file, I expect this
probably breaks things for people who already have it working with a CA
without passphrase.

> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
> 
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step
> ca init"

I agree with aisha about fixing the su command rather than changing to
doas.



Re: [update] security/step-ca

2023-02-05 Thread A Tammy
Thanks, comments inlined.

On 2/5/23 04:37, Tiemen Werkman wrote:
> This patch updates step-ca from version 0.22.0 to 0.23.1.
>
> Tested, built and working on amd64(linux kvm) and aarch64(pine64
> rock64).
>
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
>
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in {LOCALSTATEDIR}/step-
> ca/secrets/secret.txt and starting step_ca with the flag:
> "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
> unable to find the configuration file. I removed the
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" statement and instead
> added the following to rc.conf.local: step_ca_flags=config/ca.json --
> password-file secrets/secret.txt and this does work.
>
> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
This fails as the shell for _step-ca account is set as /sbin/nologin and
can be fixed by executing with shell defined su -s /bin/sh _step-ca -c "..."
Let's not use doas in README unless really necessary.
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step
> ca init"
> Also the docs folder has been deprecated, /usr/local/share/doc/step-
> ca/README.md offers several alternatives for step-ca documentation.
> I have changed the pkg/README to reflect both changes.
In addition to this I think you should create a login.conf.d file which
sets STEPPATH in its environment.
As an example look at the recent sogo commit which adds an environment
variable to the launch for sogo -
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/sogo/pkg/sogod.login?rev=1.2=text/x-cvsweb-markup
>
> Tiemen Werkman
>
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/security/step-ca/Makefile,v
> retrieving revision 1.4
> diff -u -p -r1.4 Makefile
> --- Makefile  19 Sep 2022 20:35:54 -  1.4
> +++ Makefile  5 Feb 2023 03:42:58 -
> @@ -3,7 +3,7 @@ BROKEN-armv7 = github.com/go-piv/piv-go@
>  
>  COMMENT =private certificate authority and ACME server
>  
> -V =  0.22.0
> +V =  0.23.1
>  MODGO_MODNAME =  github.com/smallstep/certificates
>  MODGO_VERSION =  v${V}
>  DISTNAME =   step-ca-${V}
> @@ -34,7 +34,7 @@ do-build:
>  
>  post-install:
>   ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/step-ca
> - ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/step-ca
> + ${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/step-ca
>  
>  .include "modules.inc"
>  .include 
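Review bot: `${INSTALL_DATA} ${WRKSRC}/*.md` installs every top-level markdown file upstream happens to ship rather than a chosen set; the PLIST in this patch lists four (CHANGELOG, CONTRIBUTING, README, SECURITY), and any further .md file upstream adds in a later release will land in share/doc/step-ca without a PLIST entry until update-plist is re-run. Either name the files explicitly in post-install or make regenerating the PLIST part of every bump.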
> Index: distinfo
> ===
> RCS file: /cvs/ports/security/step-ca/distinfo,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 distinfo
> --- distinfo  27 Aug 2022 21:17:15 -  1.1.1.1
> +++ distinfo  5 Feb 2023 03:42:58 -
> @@ -1,80 +1,266 @@

>  # rcctl enable step_ca
> -# rcctl set step_ca flags --config config/ca.json
> +# rcctl set step_ca flags config/ca.json
> +
> +Firewall
> +
> +
> +Step CA cannot bind to priviledged ports. Configure Step CA to listen on port
> +4343 and add the following rule to /etc/pf.conf.
> +
> +  pass in proto tcp to port https rdr-to 127.0.0.1 port 4343
>  
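Review bot: the `+# rcctl set step_ca flags config/ca.json` line, together with the step_ca.rc hunk that drops daemon_flags, turns the config path from a packaged default into something every admin must set, which is the regression Stuart points out. The pf rule `pass in proto tcp to port https rdr-to 127.0.0.1 port 4343` is also unscoped: it has no `on` interface or `from` source, so it redirects all inbound port 443 traffic on every interface, and on a host that already serves https it would capture that traffic too; scope it to the CA's interface and client networks, or leave the section out in favour of the one-line note about unprivileged ports. "priviledged" in the added text should read "privileged".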
I don't know if this is needed, anyone who is running their own private
CA probably also has something else listening on https already or at
least knows to use a reverse proxy.
>  Add the CA cert to system store
>  ===
>  
> -The default certificate for Step CA is stored in 
> ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt
> +The root certificate for step-ca is stored in 
> ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt
>  which should be added to the system by appending it to 
> ${SYSCONFDIR}/ssl/cert.pem
>  
>  # cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> 
> ${SYSCONFDIR}/ssl/cert.pem
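Review bot: `cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> ${SYSCONFDIR}/ssl/cert.pem` is not idempotent (running it twice appends a second copy) and it makes every TLS client on the host trust this private CA, not only the clients that enrol with it; the README should say both, and suggest checking with `grep -c` or `openssl x509 -in root_ca.crt -noout -subject` against cert.pem before appending.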
> Index: pkg/step_ca.rc
> ===
> RCS file: /cvs/ports/security/step-ca/pkg/step_ca.rc,v
> retrieving revision 1.2
> diff -u -p -r1.2 step_ca.rc
> --- pkg/step_ca.rc19 Sep 2022 20:35:54 -  1.2
> +++ pkg/step_ca.rc5 Feb 2023 03:42:58 -
> @@ -1,7 +1,6 @@
>  #!/bin/ksh
>  
>  daemon="${LOCALBASE}/bin/step-ca"
> -daemon_flags="config/ca.json"
>  daemon_user="_step-ca"
>  daemon_logger=daemon.info
>  daemon_execdir="${LOCALSTATEDIR}/step-ca"
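Review bot: removing `daemon_flags="config/ca.json"` changes behaviour for every existing install that relied on the packaged default, which is Stuart's objection; flags set through rcctl replace this default rather than extend it (see `rcctl get step_ca flags`), so the fix that keeps old setups working is to leave the default in place and export STEPPATH through the _step-ca login class, as Aisha suggests, so that extra flags such as --password-file can be given without restating the config path. Note that daemon_execdir is what makes the relative config/ca.json and secrets/secret.txt paths resolve; STEPPATH removes the config lookup's dependency on that working directory.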
>