step-ca on FreeBSD #572
Replies: 9 comments 6 replies
-
Hi Basil, I'm the maintainer of the FreeBSD port. I just sent you an answer to the mail you sent earlier. Thanks
-
Hi @mawi78, Thanks for your assistance in helping me get the Smallstep FreeBSD port working. Here's an extract from your email:
I've got some queries about the FreeBSD port of Smallstep, but I'll take this offline and communicate directly with you via email. @maraino Here's a log of a successful installation of
-
I'm not convinced that Smallstep functions as intended under FreeBSD due to this issue smallstep/truststore#1.
This is the same issue identified when using the Caddy internal CA, which is based on the Smallstep library. More info in this Caddy forum post: https://caddy.community/t/my-mtls-journey/12364/37
-
Apologies for bumping a 3 year old thread. Thanks for creating this write-up. I've noticed there is a particularly nasty bug in how the initial setup works that's had me pulling my hair out for the last hour or so trying to get step-ca to run via service/rc.d. In my experience if the machine is restarted before the service is started for the first time when your CA hasn't yet been created, FreeBSD locks up on the next boot waiting for user input requiring a restart and creates a broken set of configs (namely an empty /usr/local/etc/step/ca directory). At that point step-ca won't run and there's no output telling you what's wrong.
I know the guide does specifically tell the user to start step-ca as soon as the service is enabled but it may trip anyone up who happens to do a reboot before setting up their CA for the first time.
I'm not overly familiar on how to send patches to FreeBSD's ports but I'd be happy to try and add a couple of checks to the rc.d script file to mitigate this issue. Cheers.
-
Hi all,
I’m just preparing the new version of step-certificates and step-cli.
I will change the rc script accordingly, so that in the future it will just exit in case there is no configuration, and add a new configure command to it to generate the configuration.
This should mitigate the observed errors.
Thanks
Markus
On 26. Mar 2024, at 04:04, Andrew ***@***.***> wrote:
Apologies for bumping a 3 year old thread.
Thanks for creating this write-up. I've noticed there is a particularly nasty bug in how the initial setup works that's had me pulling my hair out for the last hour or so trying to get step-ca to run via service/rc.d. In my experience if the machine is restarted before the service is started for the first time when your CA hasn't yet been created, FreeBSD locks up on the next boot waiting for user input requiring a restart and creates a broken set of configs (namely an empty /usr/local/etc/step/ca directory). At that point step-ca won't run and there's no output telling you what's wrong.
I know the guide does specifically tell the user to start step-ca as soon as the service is enabled but it may trip anyone up who happens to do a reboot before setting up their CA for the first time.
I'm not overly familiar on how to send patches to FreeBSD's ports but I'd be happy to try and add a couple of checks to the rc.d script file to mitigate this issue.
Cheers.
-
Hi Jason,
Thanks for the bug report. I will fix this in the next release, which I'm just preparing.
Thanks
Markus
On 21. Jul 2024, at 22:42, Jason Mann ***@***.***> wrote:
Hi.
I've just installed the step-certificates and step-cli packages on FreeBSD-14.1-RELEASE.
I've added step_ca_enable="YES" to /etc/rc.conf and run service step-ca configure, but I'm not getting the expected results:
***@***.*** /usr/local/etc/step]# service step-ca configure
No configured Step CA found.
Creating new one....
open /usr/local/etc/step/ca/contexts.json failed: not a directory
Step CA Password file for auto-start not found
Creating it....
Please enter the Step CA Password:
The password I enter is stored into /usr/local/etc/step/password.txt, but there is also a zero byte 'ca' file in there, which seems to have been created instead of a 'ca' directory to save contexts.json into.
Attempting to start the service just results in:
***@***.*** /usr/local/etc/step]# service step-ca start
Starting step_ca.
step_ca is not running.
Looking at the /usr/local/etc/rc.d/step-ca script, line 93 has this line:
install -m 600 -o ${step_ca_user} -g ${step_ca_group} /dev/null ${step_ca_steppath}
I think this line is responsible for creating a /usr/local/etc/step/ca file instead of a directory. It's missing a -d argument. I added it and service step-ca configure then proceeded through the expected initialisation process.
-
Dear FreeBSD maintainers
For me, the step-ca config script created a directory /usr/local/etc/step/ca with permission rw------- most likely because of this line in the script:
https://codeberg.org/FreeBSD/freebsd-ports/src/commit/68886887a4fcea987250808419d54d9710b23c0f/security/step-certificates/files/step-ca.in#L93
However, with the permissions set to rw-------, the user step is not able to read any file in the /usr/local/etc/step/ca/* directory.
For the step-ca service to work, I had to add the permission for listing contents of the /usr/local/etc/step/ca directory (namely the x permission) like so:
chmod u+x /usr/local/etc/step/ca
Is this on purpose?
-
Hi Manuel,
This is not on purpose. I have to check when I have some free time again, and will most likely fix it with the next release I make available for FreeBSD.
I’m just super-busy with other topics currently.
Best regards
Markus
On 6. Jan 2025, at 14:45, Manuel Thalmann ***@***.***> wrote:
Dear FreeBSD maintainers
For me, the step-ca config script created a directory /usr/local/etc/step/ca with permission rw------- most likely because of this line in the script:
https://codeberg.org/FreeBSD/freebsd-ports/src/commit/68886887a4fcea987250808419d54d9710b23c0f/security/step-certificates/files/step-ca.in#L93
However, with the permissions set to rw-------, the user step is not able to read any file in the /usr/local/etc/step/ca/* directory.
For the step-ca service to work, I had to add the permission for listing contents of the /usr/local/etc/step/ca directory (namely the x permission) like so:
chmod u+x /usr/local/etc/step/ca
Is this on purpose?
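The two breakages reported above (Jason's zero-byte ca file produced by `install ... /dev/null` where a directory was expected, and Manuel's rw------- directory that the step user cannot search) are exactly what a start script can refuse to run on, which is also the "just exit in case there is no configuration" behaviour Markus describes. This is an added example, not the FreeBSD port's own step-ca.in; it assumes the default step-ca layout of ${STEPPATH}/config/ca.json.

```shell
#!/bin/sh
# Preflight check for a step-ca rc.d-style start script.
# Added example, not the FreeBSD port's own step-ca.in.
# Assumes the default step-ca layout: ${STEPPATH}/config/ca.json.

# step_ca_preflight STEPPATH
# Returns 0 when STEPPATH is usable; otherwise prints a reason to stderr and
# returns:
#   2  STEPPATH is a regular file (what 'install ... /dev/null PATH' produces)
#   3  STEPPATH is a directory without the owner search (x) bit (mode 600)
#   4  STEPPATH or its config/ca.json is missing: not configured yet, so exit
#      instead of prompting for a password during boot
step_ca_preflight() {
    steppath=$1
    if [ -f "$steppath" ]; then
        echo "$steppath is a regular file, expected a directory" >&2
        return 2
    fi
    if [ ! -d "$steppath" ]; then
        echo "$steppath does not exist; run 'service step-ca configure' first" >&2
        return 4
    fi
    # Inspect the mode string rather than 'test -x': root passes test -x on
    # any directory, but the unprivileged step user needs the bit itself.
    case $(ls -ld "$steppath") in
        d??[xs]*) ;;
        *)
            echo "$steppath lacks the owner search bit; fix with: chmod u+x $steppath" >&2
            return 3
            ;;
    esac
    if [ ! -f "$steppath/config/ca.json" ]; then
        echo "no config/ca.json under $steppath; run 'service step-ca configure' first" >&2
        return 4
    fi
    return 0
}

# step_ca_mkpath STEPPATH [USER GROUP]
# Creates STEPPATH as a private directory with the search bit set (0700),
# i.e. 'install -d' where the buggy script used 'install ... /dev/null'.
step_ca_mkpath() {
    if [ -n "$2" ]; then
        install -d -m 700 -o "$2" -g "$3" "$1"
    else
        install -d -m 700 "$1"
    fi
}
```

In an rc.d script the preflight would run from a start_precmd so that a failed check stops the service cleanly with a message instead of blocking boot on a password prompt.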
-
No problem!
On 6. Jan 2025, at 17:12, Manuel Thalmann ***@***.***> wrote:
No worries, I can absolutely relate to that
Take care & thank you so much for your rapid answer!
-
I had been trying to set up Caddy to issue internal certs, but then stalled when it appeared that the FreeBSD platform was not supported. My efforts are in this Caddy forum thread.
FreeBSD is absent from the Smallstep installation guide, reinforcing the notion that FreeBSD is not supported.
Interestingly, step-certificates and step-cli have been ported to FreeBSD, but there's no documentation on how to configure it correctly under FreeBSD. I've tried to use the smallstep guides as much as possible, but I'm now out of ideas. I'm hoping for some guidance here. So, this is what I've done so far...
I managed to install the packages in a jail.
Relevant parts of how I configure the CA in the jail. The jail IP is 10.1.1.3...
Here's where I come unstuck. Trying to start the step-ca service...