forked from TrueCloudLab/certificates
commit
9572c62520
2 changed files with 257 additions and 0 deletions
4
scripts/README.md
Normal file
4
scripts/README.md
Normal file
|
@ -0,0 +1,4 @@
|
|||
# Scripts folder
|
||||
|
||||
Please note that `install-step-ra.sh` is referenced on the `files.smallstep.com` S3 website bucket as a redirect to `raw.githubusercontent.com`. If you move it, please update the S3 redirect.
|
||||
|
253
scripts/install-step-ra.sh
Normal file
253
scripts/install-step-ra.sh
Normal file
|
@ -0,0 +1,253 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
echo "This script will install and start a step-ca server running in Registration Authority (RA) mode."
|
||||
echo ""
|
||||
echo "You will need an upstream CA (URL and fingerprint)"
|
||||
echo "Don't have a CA? Sign up for a hosted CA at smallstep.com — or run your own."
|
||||
echo ""
|
||||
|
||||
# Fail if this script is not run as root.
|
||||
if ! [ $(id -u) = 0 ]; then
|
||||
echo "This script must be run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Architecture detection
|
||||
arch=$(uname -m)
|
||||
case $arch in
|
||||
x86_64) arch="amd64" ;;
|
||||
x86) arch="386" ;;
|
||||
i686) arch="386" ;;
|
||||
i386) arch="386" ;;
|
||||
aarch64) arch="arm64" ;;
|
||||
armv5*) arch="armv5" ;;
|
||||
armv6*) arch="armv6" ;;
|
||||
armv7*) arch="armv7" ;;
|
||||
esac
|
||||
|
||||
if [ "$arch" = "armv5" ]; then
|
||||
echo "This script doesn't work on armv5 machines"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! hash jq &> /dev/null; then
|
||||
echo "This script requires the jq commmand; please install it."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! hash curl &> /dev/null; then
|
||||
echo "This script requires the curl commmand; please install it."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! hash tar &> /dev/null; then
|
||||
echo "This script requires the tar commmand; please install it."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--ca-url)
|
||||
CA_URL="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--fingerprint)
|
||||
CA_FINGERPRINT="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--provisioner-name)
|
||||
CA_PROVISIONER_NAME="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--provisioner-password-file)
|
||||
CA_PROVISIONER_JWK_PASSWORD_FILE="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--dns-names)
|
||||
RA_DNS_NAMES="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--listen-address)
|
||||
RA_ADDRESS="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
# Install step
|
||||
if ! hash step &> /dev/null; then
|
||||
echo "Installing 'step' in /usr/bin..."
|
||||
STEP_VERSION=$(curl -s https://api.github.com/repos/smallstep/cli/releases/latest | jq -r '.tag_name')
|
||||
|
||||
curl -sLO https://github.com/smallstep/cli/releases/download/$STEP_VERSION/step_linux_${STEP_VERSION:1}_$arch.tar.gz
|
||||
tar xvzf step_linux_${STEP_VERSION:1}_$arch.tar.gz
|
||||
install -m 0755 -t /usr/bin step_${STEP_VERSION:1}/bin/step
|
||||
|
||||
rm step_linux_${STEP_VERSION:1}_$arch.tar.gz
|
||||
rm -rf step_${STEP_VERSION:1}
|
||||
fi
|
||||
|
||||
# Prompt for required parameters
|
||||
if [ -z "$CA_URL" ]; then
|
||||
CA_URL=""
|
||||
while [[ $CA_URL = "" ]]; do
|
||||
read -p "Issuing CA URL: " CA_URL < /dev/tty
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$CA_FINGERPRINT" ]; then
|
||||
CA_FINGERPRINT=""
|
||||
while [[ $CA_FINGERPRINT = "" ]]; do
|
||||
read -p "Issuing CA Fingerprint: " CA_FINGERPRINT < /dev/tty
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Bootstrapping with the CA..."
|
||||
export STEPPATH=$(mktemp -d)
|
||||
export STEP_CONSOLE=true
|
||||
|
||||
step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
|
||||
|
||||
if [ -z "$CA_PROVISIONER_NAME" ]; then
|
||||
declare -a provisioners
|
||||
readarray -t provisioners < <(step ca provisioner list | jq -r '.[] | select(.type == "JWK") | .name')
|
||||
provisioners+=("Create provisioner")
|
||||
printf '%s\n' "${provisioners[@]}"
|
||||
|
||||
printf "%b" "\nSelect a JWK provisioner:\n" >&2
|
||||
select provisioner in "${provisioners[@]}"; do
|
||||
if [ "$provisioner" == "Create provisioner" ]; then
|
||||
echo "Creating a JWK provisioner on the upstream CA..."
|
||||
echo ""
|
||||
read -p "Label your provisioner (e.g. example-ra): " CA_PROVISIONER_NAME < /dev/tty
|
||||
step beta ca provisioner add $CA_PROVISIONER_NAME --type JWK --create
|
||||
break
|
||||
elif [ -n "$provisioner" ]; then
|
||||
echo "Using existing provisioner $provisioner."
|
||||
CA_PROVISIONER_NAME=$provisioner
|
||||
break
|
||||
else
|
||||
echo "Invalid selection!"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$RA_DNS_NAMES" ]; then
|
||||
RA_DNS_NAMES=""
|
||||
while [[ $RA_DNS_NAMES = "" ]]; do
|
||||
echo "What DNS names or IP addresses will your RA use?"
|
||||
read -p "(e.g. acme.example.com[,1.1.1.1,etc.]): " RA_DNS_NAMES < /dev/tty
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$RA_ADDRESS" ]; then
|
||||
RA_ADDRESS=""
|
||||
while [[ $RA_ADDRESS = "" ]] ; do
|
||||
echo "What address should your RA listen on?"
|
||||
read -p "(e.g. :443 or 10.2.1.201:4430): " RA_ADDRESS < /dev/tty
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$CA_PROVISIONER_JWK_PASSWORD_FILE" ]; then
|
||||
read -s -p "Enter the CA Provisioner Password: " CA_PROVISIONER_JWK_PASSWORD < /dev/tty
|
||||
printf "%b" "\n"
|
||||
fi
|
||||
|
||||
echo "Installing 'step-ca' in /usr/bin..."
|
||||
CA_VERSION=$(curl -s https://api.github.com/repos/smallstep/certificates/releases/latest | jq -r '.tag_name')
|
||||
|
||||
curl -sLO https://github.com/smallstep/certificates/releases/download/$CA_VERSION/step-ca_linux_${CA_VERSION:1}_$arch.tar.gz
|
||||
tar -xf step-ca_linux_${CA_VERSION:1}_$arch.tar.gz
|
||||
install -m 0755 -t /usr/bin step-ca_${CA_VERSION:1}/bin/step-ca
|
||||
setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
|
||||
rm step-ca_linux_${CA_VERSION:1}_$arch.tar.gz
|
||||
rm -rf step-ca_${CA_VERSION:1}
|
||||
|
||||
echo "Creating 'step' user..."
|
||||
export STEPPATH=/etc/step-ca
|
||||
|
||||
useradd --system --home $(step path) --shell /bin/false step
|
||||
|
||||
echo "Creating RA configuration..."
|
||||
mkdir -p $(step path)/db
|
||||
mkdir -p $(step path)/config
|
||||
|
||||
cat <<EOF > $(step path)/config/ca.json
|
||||
{
|
||||
"address": "$RA_ADDRESS",
|
||||
"dnsNames": ["$RA_DNS_NAMES"],
|
||||
"db": {
|
||||
"type": "badgerV2",
|
||||
"dataSource": "/etc/step-ca/db"
|
||||
},
|
||||
"logger": {"format": "text"},
|
||||
"authority": {
|
||||
"type": "stepcas",
|
||||
"certificateAuthority": "$CA_URL",
|
||||
"certificateAuthorityFingerprint": "$CA_FINGERPRINT",
|
||||
"certificateIssuer": {
|
||||
"type" : "jwk",
|
||||
"provisioner": "$CA_PROVISIONER_NAME"
|
||||
},
|
||||
"provisioners": [{
|
||||
"type": "ACME",
|
||||
"name": "acme"
|
||||
}]
|
||||
},
|
||||
"tls": {
|
||||
"cipherSuites": [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||
],
|
||||
"minVersion": 1.2,
|
||||
"maxVersion": 1.3,
|
||||
"renegotiation": false
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
if ! [ -z "$CA_PROVISIONER_JWK_PASSWORD" ]; then
|
||||
echo "Saving provisoiner password to $(step path)/password.txt..."
|
||||
echo $CA_PROVISIONER_JWK_PASSWORD > $(step path)/password.txt
|
||||
else
|
||||
echo "Copying provisioner password file to $(step path)/password.txt..."
|
||||
cp $CA_PROVISIONER_JWK_PASSWORD_FILE $(step path)/password.txt
|
||||
fi
|
||||
chmod 440 $(step path)/password.txt
|
||||
|
||||
# Add a service to systemd for the RA.
|
||||
echo "Creating systemd service step-ca.service..."
|
||||
curl -sL https://raw.githubusercontent.com/smallstep/certificates/master/systemd/step-ca.service \
|
||||
-o /etc/systemd/system/step-ca.service
|
||||
|
||||
echo "Creating RA mode override /etc/systemd/system/step-ca.service.d/local.conf..."
|
||||
mkdir /etc/systemd/system/step-ca.service.d
|
||||
cat <<EOF > /etc/systemd/system/step-ca.service.d/local.conf
|
||||
[Service]
|
||||
; The empty ExecStart= clears the inherited ExecStart= value
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/step-ca config/ca.json --issuer-password-file password.txt
|
||||
EOF
|
||||
|
||||
echo "Starting step-ca.service..."
|
||||
systemctl daemon-reload
|
||||
|
||||
chown -R step:step $(step path)
|
||||
|
||||
systemctl enable --now step-ca
|
||||
|
||||
echo "Adding STEPPATH export to /root/.bash_profile..."
|
||||
echo "export STEPPATH=$STEPPATH" >> /root/.bash_profile
|
||||
|
||||
echo "Finished. Check the journal with journalctl -fu step-ca.service"
|
||||
|
Loading…
Reference in a new issue