On 2023/02/05 09:37, Tiemen Werkman wrote:
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
>
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in
> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with the flag:
> "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
Of course - the flags in the rc.d file are default, by setting your own you
override this. See e.g. 'rcctl get step_ca flags'.

It doesn't seem correct to remove them from the rc file, I expect this
probably breaks things for people who already have it working with a CA
without passphrase.

> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"

I agree with aisha about fixing the su command rather than changing to doas.
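The following is an added illustration, not code from this thread, the OpenBSD step-ca port or step-ca itself. It emulates the point the reply makes about rc.d flag handling: a `step_ca_flags` value in /etc/rc.conf.local (what `rcctl set step_ca flags ...` writes) replaces the rc.d script's default daemon_flags instead of being appended to it, so an override consisting only of `--password-file secrets/secret.txt` drops the `config/ca.json` argument that the script would otherwise pass. The default value `config/ca.json` and the relative `secrets/secret.txt` path are taken from the quoted message; the assumption that step-ca accepts `--password-file <file> <config>` on one command line is mine and should be checked against `step-ca --help`. The rc.conf.local files are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the thread, the OpenBSD port or step-ca.
# Emulates how a ${name}_flags setting from rc.conf.local (written by
# `rcctl set step_ca flags ...`) replaces the rc.d script's default
# daemon_flags outright, so a password-file-only override loses the config.
# Assumptions: the rc.d default is "config/ca.json" as quoted in the thread,
# and step-ca accepts "--password-file <file> <config>" (check step-ca --help).

RC_SCRIPT_DEFAULT="config/ca.json"

# rc_conf_flags NAME FILE
# Reads ${NAME}_flags from an rc.conf.local-style file: last assignment wins,
# surrounding double quotes are removed. Simplified stand-in for rc.subr(8)
# sourcing the file; it only understands plain name="value" lines.
rc_conf_flags() {
    sed -n "s/^$1_flags=\(.*\)\$/\1/p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# effective_flags NAME FILE
# What the daemon is started with: the override when one is set, else the
# rc.d script's default. Note there is no merging of the two.
effective_flags() {
    _ov=$(rc_conf_flags "$1" "$2")
    if [ -n "$_ov" ]; then
        printf '%s\n' "$_ov"
    else
        printf '%s\n' "$RC_SCRIPT_DEFAULT"
    fi
}

# has_config FLAGS
# Succeeds only if the ca.json config argument survived the override.
has_config() {
    case " $1 " in
        *" $RC_SCRIPT_DEFAULT "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with three constructed rc.conf.local files:
#   none   - no step_ca_flags line, the rc.d default applies
#   broken - the override from the thread, which drops config/ca.json
#   fixed  - an override that carries the config argument along
demo() {
    _dir=$(mktemp -d) || return 1
    : > "$_dir/none"
    echo 'step_ca_flags="--password-file secrets/secret.txt"' > "$_dir/broken"
    echo 'step_ca_flags="--password-file secrets/secret.txt config/ca.json"' > "$_dir/fixed"
    for f in none broken fixed; do
        _flags=$(effective_flags step_ca "$_dir/$f")
        if has_config "$_flags"; then _state=ok; else _state="config dropped"; fi
        printf '%-7s -> step-ca %s  [%s]\n' "$f" "$_flags" "$_state"
    done
    rm -rf "$_dir"
}

demo
```

On a real system the equivalent of the "fixed" case is `rcctl set step_ca flags "--password-file secrets/secret.txt config/ca.json"`, and `rcctl get step_ca flags` shows what will actually be passed; the point of the emulation is that whatever you set there is the whole argument list, so the default has to be repeated in it.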