sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Also set --admin-provisioner=admin

Browse source 
Without this the commands will hang for input to select a provisioner.
This is needed now that we have enabled a second (the ACME) provisioner
on init.
This commit is contained in:
Patrik Lundin 2024-10-08 21:45:17 +02:00
parent 22a2029cf9
commit d1b0694e44
Signed by: patlu
GPG key ID: A0A812BA2249F294
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw Executable file → Normal file
View file

@ -13,7 +13,7 @@
# password by hand, see below for the commented out command.
# If we detect that the key-password is still valid for the provisioner change it.
if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
if step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
echo "admin provisioner still using encryption key password, changing it"
# Change the provisioner password
@ -24,10 +24,10 @@ if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/in
#ENCRYPTED_KEY=$(echo $OLD_ENCRYPTED_KEY | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW --password-file /opt/step-ca/init/secrets/provisioner-password | step crypto jose format)
ENCRYPTED_KEY=$(echo "$OLD_ENCRYPTED_KEY" | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format)
step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password
step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password
# Now verify that we can use the expected password for the admin provisioner
if ! step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
if ! step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
echo "tried updating provisioner password but it does not work!"
exit 1
fi