Compare commits
No commits in common. "9a73d8bdfedc65f94d5e96577923d85a5bf9df0f" and "8cd801bd642abe2b2cbf33debfad8766325a1015" have entirely different histories.
9a73d8bdfe
...
8cd801bd64
|
@ -1,17 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
|
||||
# a basic ACME provisioner is enabled. This script runs commands to modify the
|
||||
# default configuration.
|
||||
|
||||
# Enable forceCN if not set.
|
||||
# This is needed because certbot does not include a
|
||||
# Subject CN field in the CSR:
|
||||
# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
|
||||
# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
|
||||
#
|
||||
# Ideally Mosquitto would learn to look at the SAN field instead:
|
||||
# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
|
||||
if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
|
||||
step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
|
||||
fi
|
|
@ -1,11 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
# When initializing step-ca with the docker flag
|
||||
# DOCKER_STEPCA_INIT_PASSWORD_FILE the password will be used both for key
|
||||
# encryption as well as the admin "step" provisioner. If not using that flag a
|
||||
# separate password will be generated for each usage. This seems better as you
|
||||
# are not typing the encryption password any other time, while the provisioner
|
||||
# password is used anytime you are managing things.
|
||||
# When initializing step-ca with the docker flag STEPCA_INIT_PASSWORD_FILE the
|
||||
# password will be used both for key encryption as well as the admin "step"
|
||||
# provisioner. If not using that flag a separate password will be generated for
|
||||
# each usage. This seems better as you are not typing the encryption password
|
||||
# any other time, while the provisioner password is used anytime you are
|
||||
# managing things.
|
||||
#
|
||||
# This script is used on first setup of step-ca to modify the provisioner to
|
||||
# use its own password instead. Pending
|
||||
|
|
|
@ -59,14 +59,6 @@ class cdn::ca(
|
|||
content => file('cdn/ca/bootstrap-client'),
|
||||
}
|
||||
|
||||
file { '/opt/step-ca/init/scripts/configure-acme':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => file('cdn/ca/configure-acme'),
|
||||
}
|
||||
|
||||
file { '/opt/step-ca/init/deb':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
|
|
|
@ -231,13 +231,13 @@ class cdn::cache(
|
|||
|
||||
concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
|
||||
target => $combined_pem,
|
||||
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
|
||||
source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
|
||||
order => '01',
|
||||
}
|
||||
|
||||
concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
|
||||
target => $combined_pem,
|
||||
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
|
||||
source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
|
||||
order => '02',
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue