From 82f82d438c50c7a7107f92a3d63b3717d7e219c9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 27 Jan 2021 17:29:29 -0800
Subject: [PATCH 1/7] Add systemd files
---
 systemd/cert-renewer@.service | 31 +++++++++++++++++++++
 systemd/cert-renewer@.timer | 18 ++++++++++++
 systemd/step-ca.service | 52 +++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 systemd/cert-renewer@.service
 create mode 100644 systemd/cert-renewer@.timer
 create mode 100644 systemd/step-ca.service
diff --git a/systemd/cert-renewer@.service b/systemd/cert-renewer@.service
new file mode 100644
index 00000000..29e5ec8a
--- /dev/null
+++ b/systemd/cert-renewer@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Certificate renewer for %I
+After=network-online.target
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+User=root
+
+Environment=STEPPATH=/etc/step-ca \ CERT_LOCATION=/etc/step/certs/%i.crt \ KEY_LOCATION=/etc/step/certs/%i.key
+
+; ExecStartPre checks if the certificate is ready for renewal,
+; based on the exit status of the command.
+; (In systemd 243 and above, you can use ExecCondition= here.)
+ExecStartPre=/usr/bin/bash -c \ 'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \ jq -e "(((.validity.start | fromdate) + \ ((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \ - now) <= 0" > /dev/null'
+
+; ExecStart renews the certificate, if ExecStartPre was successful.
+ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
+
+; Try to reload or restart the systemd service that relies on this cert-renewer
+ExecStartPost=/usr/bin/bash -c 'systemctl --quiet is-enabled %i && systemctl try-reload-or-restart %i'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/cert-renewer@.timer b/systemd/cert-renewer@.timer
new file mode 100644
index 00000000..806f3407
--- /dev/null
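Review bot: The renewer runs as `User=root` with none of the sandboxing that step-ca.service gets, yet `step ca renew --force` only has to read `$STEPPATH` and write `$CERT_LOCATION` and `$KEY_LOCATION`. A comment above `User=root` should record why root is required here (presumably so the renewed key ends up readable by whatever account `%i` runs as — confirm), and `ProtectSystem=strict` with `ReadWritePaths=/etc/step/certs` would bound what this root process can write; /run stays writable under strict, so the `systemctl try-reload-or-restart %i` in ExecStartPost should be unaffected, but verify. Note also that whenever the certificate is not yet due, `jq -e` makes ExecStartPre exit non-zero and the oneshot unit is left in a failed state on every five-minute run; the in-file comment already points at `ExecCondition=` for systemd 243 and later, which is the right replacement where available and would be worth saying explicitly in the README.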
+++ b/systemd/cert-renewer@.timer
@@ -0,0 +1,18 @@
+[Unit]
+Description=Certificate renewal timer for %I
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+
+[Timer]
+Persistent=true
+
+; Run the timer unit every 5 minutes.
+OnCalendar=*:1/5
+
+; Always run the timer on time.
+AccuracySec=1us
+
+; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
new file mode 100644
index 00000000..4b9975e7
--- /dev/null
+++ b/systemd/step-ca.service
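Review bot: `AccuracySec=1us` and `RandomizedDelaySec=5m` pull in opposite directions: the first forces a wakeup exactly on each `*:1/5` boundary and the second then adds up to five minutes of random delay, so the "Always run the timer on time" comment no longer describes the effective behaviour. Either drop `AccuracySec=` (the default one-minute coalescing is harmless once a 5m jitter is applied anyway) or reword the comment to `; Wake precisely on the boundary; the actual start is then jittered by RandomizedDelaySec.` `Persistent=true` also has little effect on a five-minute cadence, since a missed run is followed by the next scheduled one almost immediately; a one-line comment on why it is kept would help the next reader. The jitter comment should read "thundering herd".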
@@ -0,0 +1,52 @@
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill --signal HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=30
+StartLimitBurst=3
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+ProtectSystem=full
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+RestrictRealtime=true
+; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+ReadWriteDirectories=/etc/step-ca/db
+
+[Install]
+WantedBy=multi-user.target
From 2af73881d7c1c1d4484c267a60d2d01fe1458389 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 28 Jan 2021 07:48:21 -0800
Subject: [PATCH 2/7] Add ProtectHome=true
---
 systemd/step-ca.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 4b9975e7..1941a634 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
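Review bot: `StartLimitInterval=30` and `StartLimitBurst=3` in [Service] duplicate the `StartLimitIntervalSec=30` / `StartLimitBurst=3` already set in [Unit]; `StartLimitInterval=` under [Service] is the legacy spelling that systemd keeps only for compatibility, so the two [Service] lines should be removed to leave one source of truth for the rate limit. `ReadWriteDirectories=` is likewise the old name for `ReadWritePaths=`. Since the only writable state is `/etc/step-ca/db` (plus a private /tmp), `ProtectSystem=strict` would make everything outside /dev, /proc and /sys read-only to the CA process instead of only /usr, /boot and /etc, which fits a service that holds the root and intermediate keys — worth trying, provided nothing on the pcscd path needs write access elsewhere. A comment above `AmbientCapabilities=` saying that CAP_NET_BIND_SERVICE exists only so the unprivileged `step` user can bind a privileged port would also stop a later reader from widening the set.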
@@ -31,6 +31,7 @@ NoNewPrivileges=yes
 ; Sandboxing
 ProtectSystem=full
+ProtectHome=true
 RestrictNamespaces=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 PrivateTmp=true
From 9fd0964e1ca1041cb2cffe5e201e969eede0d626 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 28 Jan 2021 09:45:20 -0800
Subject: [PATCH 3/7] Add SystemCallFilter=@system-service
---
 systemd/step-ca.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 1941a634..db745c1a 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -30,6 +30,7 @@ SecureBits=keep-caps
 NoNewPrivileges=yes
 ; Sandboxing
+; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
@@ -44,8 +45,8 @@ LockPersonality=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 RestrictRealtime=true
-; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
 PrivateDevices=true
+SystemCallFilter=@system-service
 MemoryDenyWriteExecute=true
 ReadWriteDirectories=/etc/step-ca/db
From 73fc350b843aecf5550ec80dadc4deee02cd6364 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 1 Feb 2021 11:56:24 -0800
Subject: [PATCH 4/7] Add note about PKCS#11
---
 systemd/step-ca.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index db745c1a..352151f5 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -30,7 +30,8 @@ SecureBits=keep-caps
 NoNewPrivileges=yes
 ; Sandboxing
-; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
+; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
+; too restrictive for PKCS#11 HSMs.
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
From 05daf22a1e31dbbf0772f2ef3c0352aeeb4c59d3 Mon Sep 17 00:00:00 2001
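Review bot: In the second hunk of patch 3, a syscall outside `@system-service` terminates step-ca with SIGSYS by default, and with `Restart=on-failure` plus `StartLimitBurst=3` that surfaces as three crash-restart cycles followed by a stopped CA, with only the signal in the journal to explain it. Consider `SystemCallErrorNumber=EPERM` directly after `SystemCallFilter=@system-service` so a blocked call returns an error the process can report, or at least a comment such as `; A SIGSYS exit means the filter needs extending; see systemd-analyze syscall-filter @system-service`. The earlier hunk's comment records testing with YubiKey PIV via pcscd, but whether that path stays within @system-service is not shown here, and now that the filter rather than `PrivateDevices=` is the binding constraint the claim is worth re-verifying before the comment is relied on.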
From: Carl Tashian
Date: Mon, 1 Feb 2021 13:07:52 -0800
Subject: [PATCH 5/7] Add SystemCallArchitectures=native
---
 systemd/step-ca.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 352151f5..11fdffae 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -48,6 +48,7 @@ RemoveIPC=true
 RestrictRealtime=true
 PrivateDevices=true
 SystemCallFilter=@system-service
+SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 ReadWriteDirectories=/etc/step-ca/db
From 52a0edd29ddcb0e9e039058aaa9f4f808485f41f Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 1 Feb 2021 13:11:14 -0800
Subject: [PATCH 6/7] Add readme
---
 systemd/README.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 systemd/README.md
diff --git a/systemd/README.md b/systemd/README.md
new file mode 100644
index 00000000..4a43024c
--- /dev/null
+++ b/systemd/README.md
@@ -0,0 +1,5 @@
+### Systemd unit files for `step-ca`
+
+For documetation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).
+
+For documentation on `cert-renewer@.*`, see [Automating Certificate Renewal](https://smallstep.com/docs/step-ca/certificate-authority-server-production#automate-x509-certificate-lifecycle-management)
From aaabdca61a68a10ee3554d24fde6458cb939eaea Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 1 Feb 2021 13:47:55 -0800
Subject: [PATCH 7/7] Typofix
---
 systemd/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/README.md b/systemd/README.md
index 4a43024c..97aa18dd 100644
--- a/systemd/README.md
+++ b/systemd/README.md
@@ -1,5 +1,5 @@
 ### Systemd unit files for `step-ca`
-For documetation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).
+For documentation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).
 For documentation on `cert-renewer@.*`, see [Automating Certificate Renewal](https://smallstep.com/docs/step-ca/certificate-authority-server-production#automate-x509-certificate-lifecycle-management)