debug certif

This commit is contained in:
Francois Lesueur 2023-05-26 15:02:34 +02:00
parent 958a6225b1
commit 5b2f572453
5 changed files with 17 additions and 14 deletions


@ -33,6 +33,9 @@ export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/ cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/
done done
# copie certif de la CA locale pour traefik (nécessaire pour ACME/Smallstep)
cp /usr/local/share/ca-certificates/root_ca.crt /kaz/dockers/traefik/conf/
echo -e "\n #### secretGen\n" echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh /kaz/bin/secretGen.sh
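Review bot: The new copy under `# copie certif de la CA locale…` reads `/usr/local/share/ca-certificates/root_ca.crt` without checking it, while the installer in the third section of this commit now installs the local CA as `/usr/local/share/ca-certificates/root.crt`; on a host provisioned by that script the source path does not exist and `cp` fails (aborting the script if it runs under `set -e`, otherwise silently leaving traefik without the CA). If both scripts target the same hosts the filenames should agree (the second section still uses `root_ca.crt`, so which name is canonical is not visible here); in any case the copy should verify its source, e.g. `ca=/usr/local/share/ca-certificates/root_ca.crt` / `[ -r "$ca" ] || { echo "CA certificate $ca not found" >&2; exit 1; }` / `cp -- "$ca" /kaz/dockers/traefik/conf/`. The preceding `done` closes the loop, so these lines are top-level script code; whether `set -e` is in effect is not shown in the hunk.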


@ -55,13 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs # On place les certifs
if [ -f tls/root_ca.crt ]; then cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ /usr/sbin/update-ca-certificates --fresh
/usr/sbin/update-ca-certificates --fresh
fi mkdir -p /etc/letsencrypt/live/kaz.sns
if [ -d letsencrypt ]; then cp tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem
cp -ar letsencrypt /etc/ cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem
fi
# On sauve le proxy APT # On sauve le proxy APT
proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1) proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
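Review bot: The private key is installed with a bare `cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem`, so its mode is whatever the copy in `tls/` and the current umask give it; nothing in the hunk restricts it to the owner. Prefer `install -m 0600 tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem` (and `install -m 0644 tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem` for the chain) so the key is never readable by other local users. The commit also drops the `if [ -f tls/root_ca.crt ]` and `if [ -d letsencrypt ]` guards, so a missing `tls/` directory now makes the copies fail outright instead of being skipped; if that is intended, a one-line comment stating that the TLS material is mandatory would help the next reader. Whether the script runs under `set -e` is not visible here.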


@ -24,7 +24,7 @@ fi
# On place les certifs # On place les certifs
if [ -f tls/root_ca.crt ]; then if [ -f tls/root_ca.crt ]; then
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/root.crt
/usr/sbin/update-ca-certificates --fresh /usr/sbin/update-ca-certificates --fresh
fi fi
@ -33,7 +33,7 @@ echo -e '{
"policies": { "policies": {
"Certificates": { "Certificates": {
"ImportEnterpriseRoots": true, "ImportEnterpriseRoots": true,
"Install": ["/etc/ssl/certs/root_ca.pem"] "Install": ["/etc/ssl/certs/root.pem"]
} }
} }
}' > /usr/lib/firefox-esr/distribution/policies.json }' > /usr/lib/firefox-esr/distribution/policies.json
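Review bot: The Firefox policy now points at `/etc/ssl/certs/root.pem`, a path that exists only because `update-ca-certificates --fresh` in the earlier hunk derives `root.pem` from the `root.crt` name chosen on the `cp -ar` line; the two literals are coupled with nothing in the file saying so. Add a comment next to the `cp -ar` line such as `# installed as root.crt: update-ca-certificates exposes it as /etc/ssl/certs/root.pem, which the Firefox policy below references` so a future rename updates both places. The generic name `root.crt` also makes the certificate hard to attribute in the system store; a descriptive name such as `kaz-root-ca.crt` (with the policy path adjusted to match) would be clearer, though that is a style choice.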


@ -28,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2
dpkg -i step-ca_0.24.2_amd64.deb dpkg -i step-ca_0.24.2_amd64.deb
echo "password" > /root/ca-passwordfile echo "password" > /root/ca-passwordfile
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key" step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca.key"
echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
chmod +x /etc/rc.local chmod +x /etc/rc.local
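Review bot: The renamed `--key "${DIR}/tls/root_ca.key"` imports an existing root key into this CA, and the last section of the commit shows a file of that name being stripped of its passphrase (`step crypto change-pass … --no-password --insecure`) before it is copied around, so the `--password-file` on this line protects only the keys `step ca init` generates, not the imported root key. If that is the file used here (the sections do not name their scripts, so this is inferred), the script should ensure it is owner-only readable before use, e.g. `chmod 600 -- "${DIR}/tls/root_ca.key"` immediately before `step ca init`, and remove or re-encrypt it afterwards if the root key is not needed on this host. The `/root/ca-passwordfile` this line relies on is written one line earlier from a fixed literal; that line is unchanged by the commit, but anyone touching this block should know the CA key password comes from there.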


@ -153,11 +153,12 @@ EOF
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile"
mkdir -p /root/tls mkdir -p /root/tls
cp /root/.step/certs/root_ca.crt /root/tls/ cp /root/.step/certs/root_ca.crt /root/tls/root_ca.crt
cp /root/.step/secrets/root_ca_key /root/tls/ chmod 644 /root/tls/root_ca.crt
step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force cp /root/.step/secrets/root_ca_key /root/tls/root_ca.key
step crypto change-pass /root/tls/root_ca.key --no-password --insecure --password-file="/root/ca-passwordfile" --force
step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure --not-after 20000h
# Cache docker registry # Cache docker registry
echo "proxy: echo "proxy: