
[Bug]: X5C provisioner is not enabled #2132

Open
hydratlas opened this issue Jan 9, 2025 · 6 comments
Labels
needs triage Waiting for discussion / prioritization by team

Comments

@hydratlas

Steps to Reproduce

# Install podman and create a dedicated system user for the CA
sudo apt-get install -y podman &&
if ! id "step-ca" &>/dev/null; then
  sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin "step-ca"
fi &&
STEPCA_CONTAINER_DATAPATH="/home/step" &&
PROVISIONER_PASSWORD_FILENAME="provisioner-password" &&
PASSWORD_FILENAME="password" &&
# Data directory (bind-mounted into the container) and a private secrets directory
sudo install -o "root" -g "step-ca" -m 775 -d "/opt/step-ca" &&
sudo install -o "step-ca" -g "step-ca" -m 700 -d "/opt/step-ca/secrets" &&
# Random passwords for the CA keys and for the default JWK provisioner
OUT_FILEPATH="/opt/step-ca/secrets/${PROVISIONER_PASSWORD_FILENAME}" &&
sudo -u "step-ca" openssl rand -base64 -out "${OUT_FILEPATH}" 32 &&
sudo chmod 600 "${OUT_FILEPATH}" &&
sudo chown "step-ca:step-ca" "${OUT_FILEPATH}" &&
OUT_FILEPATH="/opt/step-ca/secrets/${PASSWORD_FILENAME}" &&
sudo -u "step-ca" openssl rand -base64 -out "${OUT_FILEPATH}" 32 &&
sudo chmod 600 "${OUT_FILEPATH}" &&
sudo chown "step-ca:step-ca" "${OUT_FILEPATH}" &&
# Initialize the CA (ACME, SSH and remote management enabled) in a one-shot container
sudo podman run \
  --user "$(id -u step-ca):$(id -g step-ca)" \
  --interactive --tty \
  --userns=keep-id \
  --volume "/opt/step-ca:${STEPCA_CONTAINER_DATAPATH}:Z" \
  docker.io/smallstep/step-ca \
    step ca init \
    --deployment-type="standalone" \
    --name="Private $(hostname)" \
    --dns="$(hostname -A | tr ' ' '\n' | grep -F '.' | paste -sd ',' -),localhost" \
    --address=":8443" \
    --password-file="${STEPCA_CONTAINER_DATAPATH}/secrets/${PASSWORD_FILENAME}" \
    --provisioner="admin" \
    --provisioner-password-file="${STEPCA_CONTAINER_DATAPATH}/secrets/${PROVISIONER_PASSWORD_FILENAME}" \
    --acme \
    --ssh \
    --remote-management &&
# Add the X5C provisioner, trusting the CA's own root, while the CA is not yet running
sudo podman run \
  --user "$(id -u step-ca):$(id -g step-ca)" \
  --interactive --tty \
  --userns=keep-id \
  --volume "/opt/step-ca:${STEPCA_CONTAINER_DATAPATH}:Z" \
  docker.io/smallstep/step-ca \
    step ca provisioner add x5c-provisioner \
      --type=X5C \
      --x5c-roots "${STEPCA_CONTAINER_DATAPATH}/certs/root_ca.crt" &&
sudo podman run \
  --user "$(id -u step-ca):$(id -g step-ca)" \
  --interactive --tty \
  --userns=keep-id \
  --volume "/opt/step-ca:${STEPCA_CONTAINER_DATAPATH}:Z" \
  docker.io/smallstep/step-ca \
    step version &&
# Podman Quadlet unit so systemd runs the CA container as a service
sudo tee "/etc/containers/systemd/step-ca.container" << EOS > /dev/null &&
[Container]
Image=docker.io/smallstep/step-ca
ContainerName=step-ca
AutoUpdate=registry
LogDriver=journald

PublishPort=8443:8443
Volume=/opt/step-ca:${STEPCA_CONTAINER_DATAPATH}:Z
User=$(id -u step-ca)
Group=$(id -g step-ca)
UserNS=keep-id

[Service]
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOS
# Start the CA and list the provisioners it actually serves
sudo systemctl daemon-reload &&
sudo systemctl start step-ca.service &&
wget --no-check-certificate -O - https://localhost:8443/provisioners

Your Environment

  • OS - Ubuntu 24.04
  • step-ca Version - Smallstep CLI/0.28.2 (linux/amd64) Release Date: 2024-11-20 19:14 UTC

Expected Behavior

The information displayed at https://localhost:8443/provisioners includes the X5C provisioner.

Actual Behavior

The information displayed at https://localhost:8443/provisioners does not include the X5C provisioner.

Additional Context

{
  "provisioners": [
    {
      "type": "ACME",
      "name": "acme",
      "options": {"x509": {}, "ssh": {}}
    },
    {
      "type": "SSHPOP",
      "name": "sshpop",
      "claims": {
        "enableSSHCA": true,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": false,
        "disableSmallstepExtensions": false
      }
    },
    {
      "type": "JWK",
      "name": "admin",
      "key": {
        "use": "sig",
        "kty": "EC",
        "kid": "kw9de20b1cQCYgdX8-y6LbUyTD1CrISEVcSG06fDsVk",
        "crv": "P-256",
        "alg": "ES256",
        "x": "v5V2DvuKzCxZYtc9TOxRo8bXsCLCpiD2HtX_rTNsVTc",
        "y": "-uSWMw4PjC34uGOTmdynql4356CkzMBxXJXx9D2PmyY"
      },
      "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiN0ZPam9HNWdnbnRsZU9sUlhBUVhPQSJ9.BcB3UY2Im1-3SD4rLR-fWipi2rZuGStT8NkgFnuMLc-V2rLnLck7rQ.uMadBxpjeepySQ5_.zQvKbCFiXc1I8STCrwmp1QaI8yU9w7WchupH2pYOoqvQu9Tc-kjtpe0RS2WKf9y7rHuAVEb8zkh43cPtsE3WFrrU9dCmbJ-ivkyCa3kxe-dk1v8fZRzNadIDog6152bPyxULQnIeA0nsUcUurlJ-T4NgS9O49zJjOZTkYYcoxmOJhZ5dsqIFtExradMKMzOJTUm5GgQ-By0FZ9OEvcLmxQWe534Tiyqra67Vr1vZY7Ay0Pg-Udf4EVHhqACP-KtieIBim5HVtJ5BIOWxuc410FuQeuG7EYEnfEaeEswNUn_nkoqaq5iaeioQlGvr9fEI1AeBEQg_sM8gem77Jxo.vojOeMfR3x1xUcG4afoPCA",
      "claims": {
        "enableSSHCA": true,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": false,
        "disableSmallstepExtensions": false
      },
      "options": {"x509": {}, "ssh": {}}
    }
  ],
  "nextCursor": ""
}

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@hydratlas hydratlas added bug needs triage Waiting for discussion / prioritization by team labels Jan 9, 2025
@hslatman
Member

hslatman commented Jan 13, 2025

Hey @hydratlas,

Have you tried performing the operations manually before scripting them? I suspect the step ca provisioner add x5c-provisioner operation fails because the command is not authenticated. When you run it manually, you'll have to pick an admin provisioner (a JWK by default), use step as the admin username, and provide the JWK password. To use it in an unattended mode, such as using your script, see https://smallstep.com/docs/step-ca/provisioners/index.html#unattended-remote-provisioner-management on how to obtain a certificate to use as authentication.

@hslatman hslatman self-assigned this Jan 13, 2025
@hslatman hslatman removed the bug label Jan 13, 2025
@hydratlas
Author

The settings themselves seem to be working fine, because the ca.json file already has the following line. Is this not good enough?

"provisioners": [
  {
    "type": "X5C",
    "name": "x5c-provisioner",
    "roots": "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",
    "claims": {
      "enableSSHCA": true,
      "disableRenewal": false,
      "allowRenewalAfterExpiry": false,
      "disableSmallstepExtensions": false
    },
    "options": {
      "x509": {},
      "ssh": {}
    }
  }
],

@hslatman
Member

When are those the contents? Because it looks like the X5C provisioner isn't added using remote administration if it ends up in ca.json; it's supposed to exist in the database.

Have you tried running the steps locally, manually; not using your script? Because I still think you're missing the proper authentication for doing remote management.

@hslatman
Member

hslatman commented Jan 13, 2025

Oh, I think I know what's going on:

When you initialize the CA with Remote Management enabled, and then add the X5C provisioner (but without the CA running), it's likely added to the ca.json, whereas with Remote Management enabled all provisioners are only read from the database. So even though the provisioner is listed in ca.json, it will not be returned as an active provisioner.

If you want the X5C provisioner to be added, it has to be added either 1) after the CA is running, or 2) before enabling Remote Management. In the latter case the X5C provisioner will be migrated to the database automatically.
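
The mismatch described in this comment (a provisioner written to ca.json that the running CA never serves because remote management reads provisioners from the database only) can be checked mechanically before anyone spends time on authentication issues. The following is an added example, not code from the step-ca project or from anyone in this thread. It assumes the ca.json keys `authority.enableAdmin` (set by `--remote-management`) and `authority.provisioners`, and the `/provisioners` response shape shown in the issue; the two sample documents are constructed to mirror the report, with a placeholder JWK `kid`, and the function names are the example's own.

```python
"""Compare the provisioners configured in ca.json with those a running
step-ca actually serves, and explain the gap when remote management is on.

Added example (not step-ca code). Assumed ca.json layout:
authority.enableAdmin / authority.provisioners. The /provisioners shape
follows the issue's sample output.
"""
import json

# Constructed ca.json excerpt: remote management enabled, and an X5C
# provisioner that was added while the CA was not running.
CA_JSON = json.loads("""
{
  "authority": {
    "enableAdmin": true,
    "provisioners": [
      {"type": "JWK", "name": "admin", "key": {"kty": "EC", "kid": "placeholder-kid"}},
      {"type": "X5C", "name": "x5c-provisioner", "roots": "/home/step/certs/root_ca.crt"}
    ]
  }
}
""")

# Constructed /provisioners response: what the running CA reports.
LIVE_JSON = json.loads("""
{"provisioners": [
  {"type": "ACME", "name": "acme"},
  {"type": "SSHPOP", "name": "sshpop"},
  {"type": "JWK", "name": "admin"}
], "nextCursor": ""}
""")


def provisioner_ids(provisioners):
    """A provisioner is identified by its (type, name) pair."""
    return {(p.get("type"), p.get("name")) for p in provisioners}


def inactive_provisioners(ca_config, live_response):
    """Return the ca.json provisioners that the running CA does not serve.

    Refuses to compare a partial listing: /provisioners is paginated and a
    non-empty nextCursor means more pages must be fetched first.
    """
    if live_response.get("nextCursor"):
        raise ValueError("paginated /provisioners response: fetch all pages first")
    configured = ca_config.get("authority", {}).get("provisioners", [])
    served = provisioner_ids(live_response.get("provisioners", []))
    return [p for p in configured
            if (p.get("type"), p.get("name")) not in served]


def diagnose(ca_config, live_response):
    """Explain why configured provisioners are absent from the live listing."""
    missing = inactive_provisioners(ca_config, live_response)
    if not missing:
        return "ok: every provisioner in ca.json is served by the CA"
    names = ", ".join(f"{p.get('type')}/{p.get('name')}" for p in missing)
    admin_on = bool(ca_config.get("authority", {}).get("enableAdmin", False))
    if admin_on:
        # Remote management: only database-backed provisioners are active, so
        # entries added to ca.json while the CA was stopped are ignored.
        return (f"ignored: {names} present in ca.json, but authority.enableAdmin is "
                "true and provisioners are loaded from the database only; add them "
                "with 'step ca provisioner add' against the running CA, or add them "
                "before enabling remote management so they are migrated")
    return f"missing: {names} in ca.json but not served; check which config the CA loaded"


if __name__ == "__main__":
    print(diagnose(CA_JSON, LIVE_JSON))
```

To run it against a real deployment, load `ca.json` from the data directory and the JSON body of `https://<ca>:8443/provisioners` into the two arguments instead of the constructed samples; the `ignored:` outcome is exactly the situation in this issue, and the `missing:` outcome points at a different problem (wrong config file or a CA that has not reloaded).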

@hydratlas
Author

Thank you. The problem has been resolved by not using the “--remote-management” option with the “step ca init” command.

@hslatman
Member

hslatman commented Jan 13, 2025

Great 😄

Now, with step-ca running in a container it generally is useful to enable Remote Management, as the container in which step-ca runs is effectively remote. In this case you'll have to do that after adding the X5C provisioner. That is documented here: https://smallstep.com/docs/step-ca/provisioners/#on-an-existing-ca.
