On 2023/02/05 09:37, Tiemen Werkman wrote:
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
> 
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in {LOCALSTATEDIR}/step-
> ca/secrets/secret.txt and starting step_ca with the flag:
> "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,

Of course - the flags in the rc.d file are default, by setting your own
you override this. See e.g. 'rcctl get step_ca flags'.

It doesn't seem correct to remove them from the rc file, I expect this
probably breaks things for people who already have it working with a CA
without passphrase.

> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
> 
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step
> ca init"

I agree with aisha about fixing the su command rather than changing to
doas.
