smallstep au lieu de mkcert dans la vm

2023-05-26 11:36:05 +02:00
parent 4117afd993
commit 41e7591163
6 changed files with 41 additions and 55 deletions
--- a/files/snster-kaz/hoster-a/kaz1/provision.sh
+++ b/files/snster-kaz/hoster-a/kaz1/provision.sh
@ -55,10 +55,13 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc


 # On place les certifs
+# On place les certifs
+if  [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi
 if  [ -d letsencrypt ]; then
  cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
-  /usr/sbin/update-ca-certificates --fresh
 fi

 # On sauve le proxy APT
--- a/files/snster-kaz/hoster-b/kaz2/provision.sh
+++ b/files/snster-kaz/hoster-b/kaz2/provision.sh
@ -55,10 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc


 # On place les certifs
+if  [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi
 if  [ -d letsencrypt ]; then
  cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
-  /usr/sbin/update-ca-certificates --fresh
 fi

 # On sauve le proxy APT
--- a/files/snster-kaz/isp-a/home/provision.sh
+++ b/files/snster-kaz/isp-a/home/provision.sh
@ -23,9 +23,8 @@ if [ -f /clawsmail/addclawsuser.sh ]; then
 fi

 # On place les certifs
-if  [ -d letsencrypt ]; then
-  cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
+if  [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
  /usr/sbin/update-ca-certificates --fresh
 fi

@ -34,7 +33,7 @@ echo -e '{
 "policies": {
   "Certificates": {
      "ImportEnterpriseRoots": true,
-      "Install": ["/etc/ssl/certs/root.pem"]
+      "Install": ["/etc/ssl/certs/root_ca.pem"]
   }
 }
 }' > /usr/lib/firefox-esr/distribution/policies.json
--- a/files/snster-kaz/mica/infra/provision.sh
+++ b/files/snster-kaz/mica/infra/provision.sh
@ -14,6 +14,11 @@ apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
 cp dns.conf /etc/unbound/unbound.conf.d/

+# On place les certifs
+if  [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi

 # Install smallstep CA / ACME server
 cd /tmp
@ -23,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2
 dpkg -i step-ca_0.24.2_amd64.deb

 echo "password" > /root/ca-passwordfile
-step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="letsencrypt/local/rootCA.pem" --key "letsencrypt/local/rootCA-key.pem"
+step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"
 echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
 chmod +x /etc/rc.local