Also set --admin-provisioner=admin

Without this the commands will hang for input to select a provisioner.
This is needed now that we have enabled a second (the ACME) provisioner
on init.
This commit is contained in:
Patrik Lundin 2024-10-08 21:45:17 +02:00
parent 22a2029cf9
commit d1b0694e44
Signed by: patlu
GPG key ID: A0A812BA2249F294

View file

@ -13,7 +13,7 @@
# password by hand, see below for the commented out command. # password by hand, see below for the commented out command.
# If we detect that the key-password is still valid for the provisioner change it. # If we detect that the key-password is still valid for the provisioner change it.
if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then if step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
echo "admin provisioner still using encryption key password, changing it" echo "admin provisioner still using encryption key password, changing it"
# Change the provisioner password # Change the provisioner password
@ -24,10 +24,10 @@ if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/in
#ENCRYPTED_KEY=$(echo $OLD_ENCRYPTED_KEY | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW --password-file /opt/step-ca/init/secrets/provisioner-password | step crypto jose format) #ENCRYPTED_KEY=$(echo $OLD_ENCRYPTED_KEY | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW --password-file /opt/step-ca/init/secrets/provisioner-password | step crypto jose format)
ENCRYPTED_KEY=$(echo "$OLD_ENCRYPTED_KEY" | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format) ENCRYPTED_KEY=$(echo "$OLD_ENCRYPTED_KEY" | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format)
step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/key-password
# Now verify that we can use the expected password for the admin provisioner # Now verify that we can use the expected password for the admin provisioner
if ! step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then if ! step ca admin list --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
echo "tried updating provisioner password but it does not work!" echo "tried updating provisioner password but it does not work!"
exit 1 exit 1
fi fi