Compare commits

...

3 commits

4 changed files with 33 additions and 8 deletions

View file

@ -0,0 +1,17 @@
#!/bin/bash
# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
# a basic ACME provisioner is enabled. This script runs commands to modify the
# default configuration.
# Enable forceCN if not set.
# This is needed because certbot does not include a
# Subject CN field in the CSR:
# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
#
# Ideally Mosquitto would learn to look at the SAN field instead:
# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
fi

View file

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# When initializing step-ca with the docker flag STEPCA_INIT_PASSWORD_FILE the # When initializing step-ca with the docker flag
# password will be used both for key encryption as well as the admin "step" # DOCKER_STEPCA_INIT_PASSWORD_FILE the password will be used both for key
# provisioner. If not using that flag a separate password will be generated for # encryption as well as the admin "step" provisioner. If not using that flag a
# each usage. This seems better as you are not typing the encryption password # separate password will be generated for each usage. This seems better as you
# any other time, while the provisioner password is used anytime you are # are not typing the encryption password any other time, while the provisioner
# managing things. # password is used anytime you are managing things.
# #
# This script is used on first setup of step-ca to modify the provisioner to # This script is used on first setup of step-ca to modify the provisioner to
# use its own password instead. Pending # use its own password instead. Pending

View file

@ -59,6 +59,14 @@ class cdn::ca(
content => file('cdn/ca/bootstrap-client'), content => file('cdn/ca/bootstrap-client'),
} }
file { '/opt/step-ca/init/scripts/configure-acme':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => file('cdn/ca/configure-acme'),
}
file { '/opt/step-ca/init/deb': file { '/opt/step-ca/init/deb':
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',

View file

@ -231,13 +231,13 @@ class cdn::cache(
concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}": concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem, target => $combined_pem,
source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem", source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
order => '01', order => '01',
} }
concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}": concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem, target => $combined_pem,
source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem", source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
order => '02', order => '02',
} }