From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 258827] security/step-certificates: step-ca fails to start in the init process included SSH certs
Date: Fri, 01 Oct 2021 04:51:06 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258827

Bug ID: 258827
Summary: security/step-certificates: step-ca fails to start in the init process included SSH certs
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: vendion@gmail.com
CC: mw@wipp.bayern
Flags: maintainer-feedback?(mw@wipp.bayern)

After installing security/step-certificates 0.17.2, I noticed that the default step-ca rc script didn't include the "--ssh" flag to have it also generate SSH certificate authority files.

After editing /usr/local/etc/rc.d/step-ca and adding "--ssh" to the "/usr/local/bin/step ca init" line, and running service step-ca start, I am able to get through the init process, and it successfully generates the files under /usr/local/etc/step, with a couple of issues.

> Generating root certificate... done!
> Generating intermediate certificate... done!
> Generating user and host SSH certificate signing keys... done!
>
> ✔ Root certificate: /usr/local/etc/step/ca/certs/root_ca.crt
> ✔ Root private key: /usr/local/etc/step/ca/secrets/root_ca_key
> ✔ Root fingerprint: 0e2c650bc2dec4e62d47bdf7dac269a2b046d97c98844fea62bc969bacc36057
> ✔ Intermediate certificate: /usr/local/etc/step/ca/certs/intermediate_ca.crt
> ✔ Intermediate private key: /usr/local/etc/step/ca/secrets/intermediate_ca_key
> ✔ SSH user public key: /usr/local/etc/step/ca/certs/ssh_user_ca_key.pub
> ✔ SSH user private key: /usr/local/etc/step/ca/secrets/ssh_user_ca_key
> ✔ SSH host public key: /usr/local/etc/step/ca/certs/ssh_host_ca_key.pub
> ✔ SSH host private key: /usr/local/etc/step/ca/secrets/ssh_host_ca_key
> ✔ Database folder: /usr/local/etc/step/ca/db
> ✔ Templates folder: /usr/local/etc/step/ca/templates
> ✔ Default configuration: /usr/local/etc/step/ca/config/defaults.json
> ✔ Certificate Authority configuration: /usr/local/etc/step/ca/config/ca.json
>
> Your PKI is ready to go. To generate certificates for individual services see
> 'step help ca'.
>
> FEEDBACK 😍 🍻
> The step utility is not instrumented for usage statistics. It does not phone
> home. But your feedback is extremely valuable. Any information you can provide
> regarding how you're using `step` helps. Please send us a sentence or two,
> good or bad at feedback@smallstep.com or join GitHub Discussions
> https://github.com/smallstep/certificates/discussions and our Discord
> https://u.step.sm/discord.
> Step CA Password file for auto-start not found
> Creating it....
> Please enter the Step CA Password:
>
> Starting step_ca.
> step_ca is not running.
Issue #1)

> Oct 1 00:38:28 ops step_ca[7822]: error opening /usr/local/etc/step/ca/config/ca.json: open /usr/local/etc/step/ca/config/ca.json: permission denied

This is caused by the permissions on /usr/local/etc/step being wrong:

> drwx------ 3 root wheel 4B Oct 1 00:38 step

Fix: chmod go+rx /usr/local/etc/step

Issue #2)

> Oct 1 00:39:17 ops step_ca[7846]: error reading templates/ssh/include.tpl: stat /.step/templates/ssh/include.tpl: no such file or directory

Not sure why it is not using the template directory of /usr/local/etc/step/ca/templates.

Fix: ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
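The two failures in the report are a permissions problem on the path to ca.json and a relative template path being resolved somewhere other than the CA directory. The following preflight script is an added example; it is not part of the bug report, of the security/step-certificates port, or of smallstep's own tooling. It assumes step's documented lookup rule (STEPPATH if set, otherwise $HOME/.step, see `step path`), which is consistent with the "/.step/templates/ssh/include.tpl" path in the second error when HOME is empty in the rc environment. The directory names and the step_ca account are taken from the report; how the port's rc script passes environment to the daemon is not known from the report and is not modelled.

```shell
#!/bin/sh
# Added example; not from the bug report above nor from the
# security/step-certificates port. Preflight checks matching the two
# failures in the report:
#   1. every directory above ca.json must be traversable by the step_ca
#      user (the report shows /usr/local/etc/step as drwx------ root:wheel);
#   2. relative paths in ca.json such as templates/ssh/include.tpl are
#      resolved against STEPPATH, which falls back to $HOME/.step; with
#      HOME empty that yields /.step/templates/ssh/include.tpl, the path
#      in the second error.
# Assumption: the STEPPATH/HOME fallback is step's documented behaviour
# (see `step path`); the rc script's environment handling is not modelled.

# Succeed when the "other" digit of an octal mode string has the execute
# (directory traverse) bit: 755 -> yes, 700 -> no, 1777 -> yes.
other_can_traverse() {
    mode="$1"
    other="${mode#"${mode%?}"}"          # last character of the string
    case "$other" in
        1|3|5|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Octal permission bits of a path. GNU stat(1) is tried first because
# GNU "stat -f" would print filesystem info on stdout; on FreeBSD the
# -c form fails without output and the BSD "%Lp" format is used instead.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Walk from a path up to (not including) the top directory, default /,
# print the first ancestor an unprivileged user cannot traverse and
# return 1; return 0 when every component is traversable.
first_untraversable() {
    p="$1"
    top="${2:-/}"
    while [ "$p" != "$top" ] && [ -n "$p" ]; do
        m=$(mode_of "$p") || { printf '%s: cannot stat\n' "$p"; return 1; }
        if ! other_can_traverse "$m"; then
            printf '%s (mode %s)\n' "$p" "$m"
            return 1
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Where step will look for a relative file: $STEPPATH if set, otherwise
# $HOME/.step. Arguments: relative path, STEPPATH value, HOME value.
step_resolve() {
    rel="$1"; steppath="$2"; home="$3"
    base="${steppath:-$home/.step}"
    printf '%s/%s\n' "$base" "$rel"
}

# Run both checks against a real installation: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    ca_dir="${STEP_CA_DIR:-/usr/local/etc/step/ca}"
    if bad=$(first_untraversable "$ca_dir/config"); then
        echo "ok: $ca_dir/config is reachable by non-root users"
    else
        echo "issue 1: not traversable: $bad; chmod go+rx it"
    fi
    echo "issue 2: in this environment step resolves templates/ssh/include.tpl to" \
         "$(step_resolve templates/ssh/include.tpl "${STEPPATH:-}" "${HOME:-}")"
fi
```

Running it as `sh preflight.sh check` from the same environment the rc script uses (not an interactive root shell, where HOME and possibly STEPPATH are already set) is what makes the second line informative: it prints where step will actually look for the template, and a result of /.step/... reproduces the report's stat error. STEPPATH is the variable step itself honours; whether the port's rc script exports one for the daemon is not something the report establishes.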