From d1b0694e44082197fdefc8a65a47f8b0694ffbda Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Tue, 8 Oct 2024 21:45:17 +0200
Subject: [PATCH] Also set --admin-provisioner=admin
Without this the commands will hang for input to select a provisioner. This is needed now that we have enabled a second (the ACME) provisioner on init.
---
 .../etc/puppet/modules/cdn/files/ca/set-provisioner-pw | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw
diff --git a/global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw b/global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw
old mode 100755
new mode 100644
index 3392a6b..204cfdb
--- a/global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw
+++ b/global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw
@@ -13,7 +13,7 @@
 # password by hand, see below for the commented out command.
 # If we detect that the key-password is still valid for the provisioner change it.
-if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
+if step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
 echo "admin provisioner still using encryption key password, changing it"
 # Change the provisioner password
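Review bot: The `if step ca admin list … > /dev/null 2>&1; then` test on the new side treats every failure alike: an unreachable CA, a wrong provisioner name or a rejected password all skip the rotation silently, which would leave the admin provisioner key under the CA key password with nothing in the log. Since this commit exists because the command's behaviour changed once a second provisioner was enabled, I would keep stderr for diagnosis, e.g. `if err=$(step ca admin list … 2>&1 >/dev/null); then`, and log `$err` when the test fails; the `if` body continues outside this hunk. Separately, the file header shows `mode change 100755 => 100644`, which the commit message does not mention; unless the Puppet file resource sets the mode itself, the script would be deployed without its executable bit.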
@@ -24,10 +24,10 @@ if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/in
 #ENCRYPTED_KEY=$(echo $OLD_ENCRYPTED_KEY | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW --password-file /opt/step-ca/init/secrets/provisioner-password | step crypto jose format)
 ENCRYPTED_KEY=$(echo "$OLD_ENCRYPTED_KEY" | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format)
- step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password
+ step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password
 # Now verify that we can use the expected password for the admin provisioner
- if ! step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
+ if ! step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
 echo "tried updating provisioner password but it does not work!"
 exit 1
 fi
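Review bot: `step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY")` runs without checking that the decrypt/encrypt pipeline above produced anything; a pipeline's status is that of its last stage, so a failed `step crypto jwe decrypt` can leave `ENCRYPTED_KEY` empty or malformed and still reach the update. Whether `set -e` or `pipefail` is enabled is not visible here, as the top of the script is outside the hunk, so I would add an explicit guard before the update: `[ -n "$ENCRYPTED_KEY" ] || { echo "re-encrypting the provisioner key failed" >&2; exit 1; }`. The verification that follows does catch a password that was not changed, but its message goes to stdout; adding `>&2` to that `echo` would keep it with the other errors.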