Re: [update] security/step-ca
On 7/26/23 17:37, Bryce Chidester wrote:
> Apologies for the mangling! I'd seen other patches on the list sent
> inline and plaintext without issue and assumed that was preferred.
> Diff attached,
> SHA256(step-ca-0.24.2.diff) =
> d971844216873258bcf3a83163c724063d3f1a2a43f2ac91f43f0fafaaabaea6

Committed, thanks!

> -Bryce
>
> On Sat, 22 Jul 2023 at 06:45, Daniel Jakots wrote:
>> On Fri, 21 Jul 2023 10:08:47 -0700, Bryce Chidester wrote:
>>
>>> Just a simple version bump to step-ca 0.24.2 (modgo-gen-modules,
>>> makesum, update-plist). Tested working, and now running in production
>>> on amd64/kvm.
>> The patch is mangled (same thing for step-cli) and won't apply. Can you
>> please send them again? If you're not sure how to ensure they don't get
>> mangled, it's probably easier to just attach them.
>>
>> Cheers,
>> Daniel
>>
Re: [update] security/step-ca
On Fri, 21 Jul 2023 10:08:47 -0700, Bryce Chidester wrote:
> Just a simple version bump to step-ca 0.24.2 (modgo-gen-modules,
> makesum, update-plist). Tested working, and now running in production
> on amd64/kvm.

The patch is mangled (same thing for step-cli) and won't apply. Can you
please send them again? If you're not sure how to ensure they don't get
mangled, it's probably easier to just attach them.

Cheers,
Daniel
Re: [update] security/step-ca
On 2/5/23 16:14, Tiemen Werkman wrote:
> On Sun, 2023-02-05 at 18:41 +, Stuart Henderson wrote:
>> On 2023/02/05 09:37, Tiemen Werkman wrote:
>>> I changed the rc.d/step_ca script and removed the default
>>> daemonflags because it caused a problem starting the step_ca daemon.
>>>
>>> When initializing step-ca both the root and intermediate certificate
>>> private keys are secured with a password by default. The step_ca
>>> daemon requires access to the private key in order to sign
>>> certificates and therefore requires the password securing it.
>>> Documentation suggests storing the password in
>>> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with
>>> the flag: "--password-file secrets/secret.txt".
>>> Adding this daemon flag appears to overwrite
>>> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
>> Of course - the flags in the rc.d file are default, by setting your
>> own you override this. See e.g. 'rcctl get step_ca flags'.
>>
>> It doesn't seem correct to remove them from the rc file, I expect this
>> probably breaks things for people who already have it working with a
>> CA without passphrase.
>>
>>> Also version 0.22.0 of the pkg/README suggested initializing Step ca
>>> using the following command:
>>> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>>>
>>> However this does not work, I think it's because the _step-ca user
>>> does not have a home directory??
>>> Anyway this command does work:
>>> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>> I agree with aisha about fixing the su command rather than changing to
>> doas.
>>
> Apologies for the confusion, I've reread my email and I wasn't clear.
>
> I ran into trouble when originally installing and starting up step_ca.
> The default initialization forces a password on the private keys. It
> seems prudent to leave it, but then --password-file flag must also be
> set.
This is where I became confused: when setting the --password-file > flag, the config/ca.json flag must also be set even though it is already > set in /etc/rc.d/step_ca (also config/ca.json must precede any other > flag if any other flag is set). If no password is set and therefore the > --password-file flag is not required then the additional config/ca.json > flag is not required. > I thought that the flags in rc.conf.local are appended to the flags > already present in /etc/rc.d/step_ca. > > I've done as A. Tammy suggested and set the environment variable > $STEPPATH in /etc/login.conf.d/step_ca and this resolves the issue. > Step_ca can now be started with additional flag(s) set in rc.conf.local > without prepending config/ca.json or without any flags at all (presuming > none are needed). And the original /etc/rc.d/step_ca daemon flag is > restored as it was. > > I've also changed the initialization command as A. Tammy suggested. > I left a line in the README about binding to unprivileged ports. > > Tiemen Werkman ty committed with a few small tweaks. Inlined them fyi for future updates. > Index: modules.inc > === > RCS file: /cvs/ports/security/step-ca/modules.inc,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 modules.inc > --- modules.inc 27 Aug 2022 21:17:16 - 1.1.1.1 > +++ modules.inc 5 Feb 2023 21:05:52 - > @@ -1,19 +1,132 @@ > +MODGO_VERSION = v0.23.1 This doesn't need to be there in modules.inc > Index: pkg/PLIST > === > RCS file: /cvs/ports/security/step-ca/pkg/PLIST,v > retrieving revision 1.2 > diff -u -p -r1.2 PLIST > --- pkg/PLIST 19 Sep 2022 20:35:54 - 1.2 > +++ pkg/PLIST 5 Feb 2023 21:05:52 - 
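Review bot: the `+MODGO_VERSION = v0.23.1` line in the modules.inc hunk duplicates what the Makefile already derives as `MODGO_VERSION = v${V}`; a second literal copy has to be bumped by hand every update and will drift, so it should be dropped from modules.inc, as the committer's remark after the hunk says.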
> @@ -15,15 +15,7 @@ > @bin bin/step-yubikey-init > share/doc/pkg-readmes/${PKGSTEM} > share/doc/step-ca/ > +share/doc/step-ca/CHANGELOG.md > share/doc/step-ca/CONTRIBUTING.md > -share/doc/step-ca/GETTING_STARTED.md > share/doc/step-ca/README.md > -share/doc/step-ca/acme.md > -share/doc/step-ca/cas.md > -share/doc/step-ca/database.md > -share/doc/step-ca/defaults.md > -share/doc/step-ca/docker.md > -share/doc/step-ca/kms.md > -share/doc/step-ca/provisioners.md > -share/doc/step-ca/questions.md > -share/doc/step-ca/revocation.md > +share/doc/step-ca/SECURITY.md PLIST needed updating after adding the login file. Aisha
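Review bot: the PLIST hunk only tracks the switch from `docs/*.md` to the top-level `*.md` files (CHANGELOG.md and SECURITY.md added, the per-topic docs removed); the login.conf.d file that sets STEPPATH for the daemon is not listed in it, so the PLIST needs that entry as well, which is the update the committer mentions after the hunk.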
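The login.conf.d approach suggested by A. Tammy and adopted by Tiemen above, written out as an added example rather than a file from the port or the thread; it assumes ${LOCALSTATEDIR} expands to /var and that the class is named after the rc.d script so rc.subr starts the daemon under it.

```conf
# /etc/login.conf.d/step_ca (assumed path: one file per login class, named
# after the rc.d script so the step_ca daemon is started under this class)
# Added example, not the port's own file; LOCALSTATEDIR assumed to be /var.
step_ca:\
	:setenv=STEPPATH=/var/step-ca:\
	:tc=daemon:
```

With STEPPATH in the class environment, the default `daemon_flags="config/ca.json"` can stay in the rc script and an rc.conf.local override such as `step_ca_flags=--password-file secrets/secret.txt` no longer has to restate the config path, which is the behaviour Tiemen reports above.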
Re: [update] security/step-ca
On 2023/02/05 09:37, Tiemen Werkman wrote:
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
>
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in
> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with
> the flag: "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,

Of course - the flags in the rc.d file are default, by setting your own
you override this. See e.g. 'rcctl get step_ca flags'.

It doesn't seem correct to remove them from the rc file, I expect this
probably breaks things for people who already have it working with a CA
without passphrase.

> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
>
> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step
> ca init"

I agree with aisha about fixing the su command rather than changing to
doas.
Re: [update] security/step-ca
Thanks, comments inlined.

On 2/5/23 04:37, Tiemen Werkman wrote:
> This patch updates step-ca from version 0.22.0 to 0.23.1.
>
> Tested, built and working on amd64(linux kvm) and aarch64(pine64
> rock64).
>
> I changed the rc.d/step_ca script and removed the default daemonflags
> because it caused a problem starting the step_ca daemon.
>
> When initializing step-ca both the root and intermediate certificate
> private keys are secured with a password by default. The step_ca daemon
> requires access to the private key in order to sign certificates and
> therefore requires the password securing it.
> Documentation suggests storing the password in
> {LOCALSTATEDIR}/step-ca/secrets/secret.txt and starting step_ca with
> the flag: "--password-file secrets/secret.txt".
> Adding this daemon flag appears to overwrite
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" and step_ca fails,
> unable to find the configuration file. I removed the
> /etc/rc.d/step_ca:daemon_flags="config/ca.json" statement and instead
> added the following to rc.conf.local:
> step_ca_flags=config/ca.json --password-file secrets/secret.txt
> and this does work.
>
> Also version 0.22.0 of the pkg/README suggested initializing Step ca
> using the following command:
> # su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"

This fails as the shell for _step-ca account is set as /sbin/nologin and
can be fixed by executing with shell defined:
su -s /bin/sh _step-ca -c "..."
Let's not use doas in README unless really necessary.

> However this does not work, I think it's because the _step-ca user does
> not have a home directory??
> Anyway this command does work:
> doas -u _step-ca /bin/sh -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step
> ca init"
> Also the docs folder has been deprecated,
> /usr/local/share/doc/step-ca/README.md offers several alternatives for
> step-ca documentation.
> I have changed the pkg/README to reflect both changes.
In addition to this I think you should create a login.conf.d file which sets STEPPATH in its environment. As an example look at the recent sogo commit which adds an environment variable to the launch for sogo - https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/sogo/pkg/sogod.login?rev=1.2&content-type=text/x-cvsweb-markup > > Tiemen Werkman > > > Index: Makefile > === > RCS file: /cvs/ports/security/step-ca/Makefile,v > retrieving revision 1.4 > diff -u -p -r1.4 Makefile > --- Makefile 19 Sep 2022 20:35:54 - 1.4 > +++ Makefile 5 Feb 2023 03:42:58 - > @@ -3,7 +3,7 @@ BROKEN-armv7 = github.com/go-piv/piv-go@ > > COMMENT =private certificate authority and ACME server > > -V = 0.22.0 > +V = 0.23.1 > MODGO_MODNAME = github.com/smallstep/certificates > MODGO_VERSION = v${V} > DISTNAME = step-ca-${V} > @@ -34,7 +34,7 @@ do-build: > > post-install: > ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/step-ca > - ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/step-ca > + ${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/step-ca > > .include "modules.inc" > .include > Index: distinfo > === > RCS file: /cvs/ports/security/step-ca/distinfo,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 distinfo > --- distinfo 27 Aug 2022 21:17:15 - 1.1.1.1 > +++ distinfo 5 Feb 2023 03:42:58 - 
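Review bot: in the post-install hunk, `${INSTALL_DATA} ${WRKSRC}/*.md ${PREFIX}/share/doc/step-ca` installs whatever markdown files upstream happens to ship at the top level, so the installed file set and PLIST will change silently on future bumps; either name the files explicitly or make update-plist a fixed step of every bump. The version bump itself needs no other literal: `V = 0.23.1` is picked up through `MODGO_VERSION = v${V}`.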
> @@ -1,80 +1,266 @@ > # rcctl enable step_ca > -# rcctl set step_ca flags --config config/ca.json > +# rcctl set step_ca flags config/ca.json > + > +Firewall > + > + > +Step CA cannot bind to priviledged ports. Configure Step CA to listen on port > +4343 and add the following rule to /etc/pf.conf. > + > + pass in proto tcp to port https rdr-to 127.0.0.1 port 4343 > I don't know if this is needed, anyone who is running their own private CA probably also has something else listening on https already or at least knows to use a reverse proxy. > Add the CA cert to system store > === > > -The default certificate for Step CA is stored in > ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt > +The root certificate for step-ca is stored in > ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt > which should be added to the system by appending it to > ${SYSCONFDIR}/ssl/cert.pem > > # cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> > ${SYSCONFDIR}/ssl/cert.pem > Index: pkg/step_ca.rc > === > RCS file: /cvs/ports/security/step-ca/pkg/step_ca.rc,v > retrieving revision 1.2 > diff -u -p -r1.2 step_ca.rc > --- pkg/step_ca.rc19 Sep 2022 20:35:54 - 1.2 > +++ pkg/step_ca.rc5 Feb 2023 03:42:58 - > @@ -1,7 +1,6 @@ > #!/bin/ksh > > daemon="${LOCALBASE}/bin/step-ca" > -daemon_flags="config/ca.json" > daemon_user="_step-ca" > daemon_logger=daemon.info > daemon_execdir="${LOCALSTATEDIR}/step-ca" >
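Review bot: in the README hunk, the pf rule `pass in proto tcp to port https rdr-to 127.0.0.1 port 4343` matches every inbound connection to port 443 on every interface and hands it to the CA, which collides with any existing https service on the host (the concern raised inline after the hunk); if the section is kept, scope the rule to the CA's address or interface, and fix the spelling in the sentence `Step CA cannot bind to priviledged ports` ("privileged").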
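Review bot: the step_ca.rc hunk removes `daemon_flags="config/ca.json"`, which changes the default for installs that already rely on it, as Stuart notes above; since `rcctl set step_ca flags` replaces the default rather than appending to it, the better fix is to keep the default and hand STEPPATH to the daemon through a login.conf.d class (the approach the thread settles on), so that users who add `--password-file` do not also have to restate the config path.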