Compare commits

..

No commits in common. "9a73d8bdfedc65f94d5e96577923d85a5bf9df0f" and "8cd801bd642abe2b2cbf33debfad8766325a1015" have entirely different histories.

4 changed files with 8 additions and 33 deletions

View file

@ -1,17 +0,0 @@
#!/bin/bash
# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
# a basic ACME provisioner is enabled. This script runs commands to modify the
# default configuration.
# Enable forceCN if not set.
# This is needed because certbot does not include a
# Subject CN field in the CSR:
# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
#
# Ideally Mosquitto would learn to look at the SAN field instead:
# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
fi

View file

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# When initializing step-ca with the docker flag # When initializing step-ca with the docker flag STEPCA_INIT_PASSWORD_FILE the
# DOCKER_STEPCA_INIT_PASSWORD_FILE the password will be used both for key # password will be used both for key encryption as well as the admin "step"
# encryption as well as the admin "step" provisioner. If not using that flag a # provisioner. If not using that flag a separate password will be generated for
# separate password will be generated for each usage. This seems better as you # each usage. This seems better as you are not typing the encryption password
# are not typing the encryption password any other time, while the provisioner # any other time, while the provisioner password is used anytime you are
# password is used anytime you are managing things. # managing things.
# #
# This script is used on first setup of step-ca to modify the provisioner to # This script is used on first setup of step-ca to modify the provisioner to
# use its own password instead. Pending # use its own password instead. Pending

View file

@ -59,14 +59,6 @@ class cdn::ca(
content => file('cdn/ca/bootstrap-client'), content => file('cdn/ca/bootstrap-client'),
} }
file { '/opt/step-ca/init/scripts/configure-acme':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => file('cdn/ca/configure-acme'),
}
file { '/opt/step-ca/init/deb': file { '/opt/step-ca/init/deb':
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',

View file

@ -231,13 +231,13 @@ class cdn::cache(
concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}": concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem, target => $combined_pem,
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem", source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
order => '01', order => '01',
} }
concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}": concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
target => $combined_pem, target => $combined_pem,
source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem", source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
order => '02', order => '02',
} }