#!/bin/bash

# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
# a basic ACME provisioner is enabled. This script runs commands to modify the
# default configuration.

# Enable forceCN if not set.
# This is needed because certbot does not include a
# Subject CN field in the CSR:
# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
#
# Ideally Mosquitto would learn to look at the SAN field instead:
# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
    step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin  --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
fi