diff --git a/files/snster-kaz/hoster-a/kaz1/provision.sh b/files/snster-kaz/hoster-a/kaz1/provision.sh index b7f5800..1220759 100644 --- a/files/snster-kaz/hoster-a/kaz1/provision.sh +++ b/files/snster-kaz/hoster-a/kaz1/provision.sh @@ -55,10 +55,13 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc # On place les certifs +# On place les certifs +if [ -f tls/root_ca.crt ]; then + cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ + /usr/sbin/update-ca-certificates --fresh +fi if [ -d letsencrypt ]; then cp -ar letsencrypt /etc/ - cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt - /usr/sbin/update-ca-certificates --fresh fi # On sauve le proxy APT diff --git a/files/snster-kaz/hoster-b/kaz2/provision.sh b/files/snster-kaz/hoster-b/kaz2/provision.sh index 38f79a9..68e6b20 100644 --- a/files/snster-kaz/hoster-b/kaz2/provision.sh +++ b/files/snster-kaz/hoster-b/kaz2/provision.sh @@ -55,10 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc # On place les certifs +if [ -f tls/root_ca.crt ]; then + cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ + /usr/sbin/update-ca-certificates --fresh +fi if [ -d letsencrypt ]; then cp -ar letsencrypt /etc/ - cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt - /usr/sbin/update-ca-certificates --fresh fi # On sauve le proxy APT diff --git a/files/snster-kaz/isp-a/home/provision.sh b/files/snster-kaz/isp-a/home/provision.sh index 52b6a64..9db8a76 100644 --- a/files/snster-kaz/isp-a/home/provision.sh +++ b/files/snster-kaz/isp-a/home/provision.sh @@ -23,9 +23,8 @@ if [ -f /clawsmail/addclawsuser.sh ]; then fi # On place les certifs -if [ -d letsencrypt ]; then - cp -ar letsencrypt /etc/ - cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt +if [ -f tls/root_ca.crt ]; then + cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ /usr/sbin/update-ca-certificates --fresh fi @@ -34,7 +33,7 @@ echo -e '{ "policies": { "Certificates": { "ImportEnterpriseRoots": true, - "Install": ["/etc/ssl/certs/root.pem"] + "Install": ["/etc/ssl/certs/root_ca.pem"] } } }' > /usr/lib/firefox-esr/distribution/policies.json diff --git a/files/snster-kaz/mica/infra/provision.sh b/files/snster-kaz/mica/infra/provision.sh index f514752..efd4725 100644 --- a/files/snster-kaz/mica/infra/provision.sh +++ b/files/snster-kaz/mica/infra/provision.sh @@ -14,6 +14,11 @@ apt-get update DEBIAN_FRONTEND=noninteractive apt-get install -y unbound cp dns.conf /etc/unbound/unbound.conf.d/ +# On place les certifs +if [ -f tls/root_ca.crt ]; then + cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ + /usr/sbin/update-ca-certificates --fresh +fi # Install smallstep CA / ACME server cd /tmp @@ -23,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2 dpkg -i step-ca_0.24.2_amd64.deb echo "password" > /root/ca-passwordfile -step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="letsencrypt/local/rootCA.pem" --key "letsencrypt/local/rootCA-key.pem" +step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key" echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local chmod +x /etc/rc.local diff --git a/files/vm-provision.sh b/files/vm-provision.sh index 15755eb..6fde8e4 100755 --- a/files/vm-provision.sh +++ b/files/vm-provision.sh @@ -143,48 +143,25 @@ SystemMaxFileSize=2M EOF fi - # CA et certifs avec mkcert + # CA et certifs avec smallstep - echo -e "\n #### mkcert\n" - DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools + echo -e "\n #### smallstep\n" + cd /tmp + wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb" + dpkg -i step-cli_0.24.4_amd64.deb + echo "password" > /root/ca-passwordfile + step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" - mkdir -p /root/mkcert - cd /root/mkcert - if [ ! -f mkcert ]; then - wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert - chmod +x mkcert - mkdir -p /etc/letsencrypt/local/ - export CAROOT=/etc/letsencrypt/local/ - /root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ - cd "${CAROOT}" - cat > "${CAROOT}/kaz.sns.cnf" <