Date: Fri, 01 Oct 2021 04:51:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258827

Bug ID: 258827
Summary: security/step-certificates: step-ca fails to start in the init process included SSH certs
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: firstname.lastname@example.org
CC: email@example.com
CC: firstname.lastname@example.org
Flags: maintainer-feedback?(email@example.com)

After installing security/step-certificates 0.17.2, I noticed that the default step-ca rc script didn't include the "--ssh" flag to also have it generate SSH certificate authority files as well.

After editing /usr/local/etc/rc.d/step-ca and adding "--ssh" to the "/usr/local/bin/step ca init" line, and running service step-ca start I am able to get through the init process and it successfully generates the files under /usr/local/etc/step with a couple of issues.

> Generating root certificate... done!
> Generating intermediate certificate... done!
> Generating user and host SSH certificate signing keys... done!
> ✔ Root certificate: /usr/local/etc/step/ca/certs/root_ca.crt
> ✔ Root private key: /usr/local/etc/step/ca/secrets/root_ca_key
> ✔ Root fingerprint: 0e2c650bc2dec4e62d47bdf7dac269a2b046d97c98844fea62bc969bacc36057
> ✔ Intermediate certificate: /usr/local/etc/step/ca/certs/intermediate_ca.crt
> ✔ Intermediate private key: /usr/local/etc/step/ca/secrets/intermediate_ca_key
> ✔ SSH user public key: /usr/local/etc/step/ca/certs/ssh_user_ca_key.pub
> ✔ SSH user private key: /usr/local/etc/step/ca/secrets/ssh_user_ca_key
> ✔ SSH host public key: /usr/local/etc/step/ca/certs/ssh_host_ca_key.pub
> ✔ SSH host private key: /usr/local/etc/step/ca/secrets/ssh_host_ca_key
> ✔ Database folder: /usr/local/etc/step/ca/db
> ✔ Templates folder: /usr/local/etc/step/ca/templates
> ✔ Default configuration: /usr/local/etc/step/ca/config/defaults.json
> ✔ Certificate Authority configuration: /usr/local/etc/step/ca/config/ca.json
>
> Your PKI is ready to go. To generate certificates for individual services see
> 'step help ca'.
>
> FEEDBACK 😍 🍻
> The step utility is not instrumented for usage statistics. It does not phone
> home. But your feedback is extremely valuable. Any information you can provide
> regarding how you’re using `step` helps. Please send us a sentence or two,
> good or bad at firstname.lastname@example.org or join GitHub Discussions
> https://github.com/smallstep/certificates/discussions and our Discord
> https://u.step.sm/discord.
> Step CA Password file for auto-start not found
> Creating it....
> Please enter the Step CA Password:
>
> Starting step_ca.
> step_ca is not running.

Issue #1)
> Oct 1 00:38:28 ops step_ca: error opening /usr/local/etc/step/ca/config/ca.json: open /usr/local/etc/step/ca/config/ca.json: permission denied

This is caused by the permissions to /usr/local/etc/step being wrong
> drwx------ 3 root wheel 4B Oct 1 00:38 step

Fix: chmod go+rx /usr/local/etc/step

Issue #2)
> Oct 1 00:39:17 ops step_ca: error reading templates/ssh/include.tpl: stat /.step/templates/ssh/include.tpl: no such file or directory

Not sure why it is not using the template directory of /usr/local/etc/step/ca/templates

Fix: ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
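
Issue #1 in the report comes down to one ancestor directory of ca.json lacking the search bit for the account the daemon runs as. The sh functions below are an added example, not part of the port or of the original report; they judge traversal from `ls -ld` mode bits only, and the account and group names passed in are assumptions because the report does not name the service user.

```sh
#!/bin/sh
# Added example, not part of the port. Decides from mode bits alone which
# directory stops an account from reaching a file (ACLs/MAC are not consulted).

# has_search CHAR: true if an ls mode character grants search
# (x, or s/t which mean x plus a special bit; S/T mean the x bit is absent)
has_search() {
    case "$1" in x|s|t) return 0 ;; *) return 1 ;; esac
}

# can_traverse DIR USER "GROUP ...": true if USER may search DIR
can_traverse() {
    ct_info=$(ls -ld "$1" 2>/dev/null) || return 2   # missing or unreadable
    read -r ct_mode ct_links ct_owner ct_group ct_rest <<EOF
$ct_info
EOF
    [ "$2" = root ] && return 0                      # root bypasses mode bits
    if [ "$2" = "$ct_owner" ]; then
        ct_pos=4                                     # owner class
    else
        case " $3 " in
            *" $ct_group "*) ct_pos=7 ;;             # group class
            *) ct_pos=10 ;;                          # everyone else
        esac
    fi
    has_search "$(printf '%s' "$ct_mode" | cut -c"$ct_pos")"
}

# first_blocked FILE USER "GROUP ..." [TOP]
# Walks every directory from TOP (default /) down to FILE's parent and prints
# the first one USER cannot search (or that does not exist). Returns 1 then.
first_blocked() {
    fb_top=${4:-/}
    fb_cur=${fb_top%/}                 # "/" becomes "", rebuilt below
    fb_rest=${1#"$fb_top"}
    fb_rest=${fb_rest#/}
    while :; do
        can_traverse "${fb_cur:-/}" "$2" "$3" ||
            { printf '%s\n' "${fb_cur:-/}"; return 1; }
        case "$fb_rest" in */*) ;; *) return 0 ;; esac   # only the file name left
        fb_cur=$fb_cur/${fb_rest%%/*}
        fb_rest=${fb_rest#*/}
    done
}

# CLI use, e.g. (account/group "step" are assumed names):
#   sh check.sh /usr/local/etc/step/ca/config/ca.json step step
if [ "$#" -ge 2 ]; then first_blocked "$@"; fi
```

After applying `chmod go+rx` to the top-level directory, running `can_traverse` against `ca/secrets` for an unrelated account confirms that the private keys are still not reachable by other local users.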