[Bug 258827] security/step-certificates: step-ca fails to start in the init process included SSH certs

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 01 Oct 2021 04:51:06 UTC

            Bug ID: 258827
           Summary: security/step-certificates: step-ca fails to start in
                    the init process included SSH certs
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: vendion@gmail.com
                CC: mw@wipp.bayern
             Flags: maintainer-feedback?(mw@wipp.bayern)

After installing security/step-certificates 0.17.2, I noticed that the default
step-ca rc script didn't include the "--ssh" flag to also have it generate SSH
certificate authority files as well.

After editing /usr/local/etc/rc.d/step-ca and adding "--ssh" to the
"/usr/local/bin/step ca init" line, and running service step-ca start I am able
to get through the init process and it successfully generates the files under
/usr/local/etc/step with a couple of issues.

> Generating root certificate... done!
> Generating intermediate certificate... done!
> Generating user and host SSH certificate signing keys... done!
> ✔ Root certificate: /usr/local/etc/step/ca/certs/root_ca.crt
> ✔ Root private key: /usr/local/etc/step/ca/secrets/root_ca_key
> ✔ Root fingerprint:
> ✔ Intermediate certificate: /usr/local/etc/step/ca/certs/intermediate_ca.crt
> ✔ Intermediate private key: /usr/local/etc/step/ca/secrets/intermediate_ca_key
> ✔ SSH user public key: /usr/local/etc/step/ca/certs/ssh_user_ca_key.pub
> ✔ SSH user private key: /usr/local/etc/step/ca/secrets/ssh_user_ca_key
> ✔ SSH host public key: /usr/local/etc/step/ca/certs/ssh_host_ca_key.pub
> ✔ SSH host private key: /usr/local/etc/step/ca/secrets/ssh_host_ca_key
> ✔ Database folder: /usr/local/etc/step/ca/db
> ✔ Templates folder: /usr/local/etc/step/ca/templates
> ✔ Default configuration: /usr/local/etc/step/ca/config/defaults.json
> ✔ Certificate Authority configuration: /usr/local/etc/step/ca/config/ca.json
> Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
> The step utility is not instrumented for usage statistics. It does not phone
> home. But your feedback is extremely valuable. Any information you can provide
> regarding how you’re using `step` helps. Please send us a sentence or two,
> good or bad at feedback@smallstep.com or join GitHub Discussions
> https://github.com/smallstep/certificates/discussions and our Discord 
> https://u.step.sm/discord.
> Step CA Password file for auto-start not found
> Creating it....
> Please enter the Step CA Password:
> Starting step_ca.
> step_ca is not running.

Issue #1)

> Oct  1 00:38:28 ops step_ca[7822]: error opening /usr/local/etc/step/ca/config/ca.json: open /usr/local/etc/step/ca/config/ca.json: permission denied

This is caused by the permissions to /usr/local/etc/step being wrong

> drwx------  3 root  wheel     4B Oct  1 00:38 step

Fix: chmod go+rx /usr/local/etc/step

Issue #2)

> Oct  1 00:39:17 ops step_ca[7846]: error reading templates/ssh/include.tpl: stat /.step/templates/ssh/include.tpl: no such file or directory

Not sure why it is not using the template directory of

Fix: ?
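A small diagnostic for the two failures quoted above, added here as an example; it is not part of the bug report, the port, or the rc script. It assumes step-ca runs as an unprivileged daemon user, so the "other" permission bits on /usr/local/etc/step and ca.json are what matter, and that step resolves a relative template path against $STEPPATH, falling back to $HOME/.step when STEPPATH is unset (documented step behaviour). The function and variable names are the example's own. The "/.step/templates/ssh/include.tpl" path in the second error is what that fallback produces when the daemon starts with HOME=/ and no STEPPATH, which is an inference from the log line, not something the report confirms.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or the port. It checks the two
# conditions behind the errors quoted in the report, using only ls/cut/dirname.
# Assumptions: step-ca runs as an unprivileged user (so "other" bits matter), and
# relative template paths resolve against $STEPPATH, defaulting to $HOME/.step.

# Return 0 when every directory from $1 up to (but not including) $2
# (default "/") grants execute (search) permission to "other".
dir_chain_traversable() {
    p="$1"
    stop="${2:-/}"
    while [ "$p" != "$stop" ] && [ "$p" != "/" ] && [ "$p" != "." ] && [ -n "$p" ]; do
        mode=$(ls -ld "$p" | cut -c1-10)
        # Character 10 of the mode string is the "other" execute bit
        # (x, or t when the sticky bit is also set, as on /tmp).
        case "$mode" in
            ?????????[xt]) ;;
            *) echo "not searchable by other: $p ($mode)"; return 1 ;;
        esac
        p=$(dirname "$p")
    done
    return 0
}

# Return 0 when the file $1 grants read permission to "other" (character 8).
file_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *) echo "not readable by other: $1 ($mode)"; return 1 ;;
    esac
}

# Print the absolute path step would use for a relative template path such as
# templates/ssh/include.tpl: $STEPPATH if set, else $HOME/.step. With HOME=/ and
# STEPPATH unset this yields /.step/..., the path in the report's second error.
resolve_step_path() {
    base="${STEPPATH:-${HOME%/}/.step}"
    printf '%s/%s\n' "$base" "$1"
}

# Usage against the report's layout (paths from the report, daemon user assumed):
#   dir_chain_traversable /usr/local/etc/step/ca/config
#   file_world_readable   /usr/local/etc/step/ca/config/ca.json
#   STEPPATH=/usr/local/etc/step/ca resolve_step_path templates/ssh/include.tpl
```

Run it as root on the host; the first call reports the 0700 directory from Issue #1, and comparing the third call's output with the "stat /.step/..." path in Issue #2 shows whether STEPPATH reaches the daemon's environment.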
