From b6a78dd3a366c2d0f8327b6060587e1dd965e1fb Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 00:14:23 +0100 Subject: [PATCH 01/36] Initial skeleton for step-ca script --- ct/step-ca.sh | 85 ++++++++++++++++++++++++++++++++ install/alpine-stepca-install.sh | 45 +++++++++++++++++ json/step-ca.json | 34 +++++++++++++ 3 files changed, 164 insertions(+) create mode 100644 ct/step-ca.sh create mode 100644 install/alpine-stepca-install.sh create mode 100644 json/step-ca.json diff --git a/ct/step-ca.sh b/ct/step-ca.sh new file mode 100644 index 00000000..b116b4f0 --- /dev/null +++ b/ct/step-ca.sh 
@@ -0,0 +1,85 @@ +#!/usr/bin/env bash +source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func) +# Copyright (c) 2021-2025 community-scripts ORG +# Author: FWiegerinck +# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/smallstep/certificates + +# App Default Values +APP="Step-CA" +TAGS="alpine;step-ca" +var_cpu="1" +var_ram="512" +var_disk="1024" +var_os="alpine" +var_version="3.20" +var_unprivileged="0" + +# App Output & Base Settings +header_info "$APP" +base_settings + +# Core +variables +color +catch_errors + +function update_script() { + header_info + check_container_storage + check_container_resources + + # Check if installation is present | -f for file, -d for folder + if [[ ! -f [INSTALLATION_CHECK_PATH] ]]; then + msg_error "No ${APP} Installation Found!" + exit + fi + + # Crawling the new version and checking whether an update is required + RELEASE=$(curl -fsSL [RELEASE_URL] | [PARSE_RELEASE_COMMAND]) + if [[ "${RELEASE}" != "$(cat /opt/${APP}_version.txt)" ]] || [[ ! -f /opt/${APP}_version.txt ]]; then + msg_info "Updating $APP" + + # Stopping Services + msg_info "Stopping $APP" + systemctl stop [SERVICE_NAME] + msg_ok "Stopped $APP" + + # Creating Backup + msg_info "Creating Backup" + tar -czf "/opt/${APP}_backup_$(date +%F).tar.gz" [IMPORTANT_PATHS] + msg_ok "Backup Created" + + # Execute Update + msg_info "Updating $APP to v${RELEASE}" + [UPDATE_COMMANDS] + msg_ok "Updated $APP to v${RELEASE}" + + # Starting Services + msg_info "Starting $APP" + systemctl start [SERVICE_NAME] + sleep 2 + msg_ok "Started $APP" + + # Cleaning up + msg_info "Cleaning Up" + rm -rf [TEMP_FILES] + msg_ok "Cleanup Completed" + + # Last Action + echo "${RELEASE}" >/opt/${APP}_version.txt + msg_ok "Update Successful" + else + msg_ok "No update required. 
${APP} is already at v${RELEASE}" + fi + exit +} + +start +build_container +description + +msg_ok "Completed Successfully!\n" +echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" +echo -e "${INFO}${YW} Access it using the following URL:${CL}" +echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:[PORT]${CL}" diff --git a/install/alpine-stepca-install.sh b/install/alpine-stepca-install.sh new file mode 100644 index 00000000..48844ad4 --- /dev/null +++ b/install/alpine-stepca-install.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash + +# Copyright (c) 2021-2025 community-scripts ORG +# Author: FWiegerinck +# License: MIT +# Source: https://github.com/smallstep/certificates + +# Import Functions und Setup +source /dev/stdin <<< "$FUNCTIONS_FILE_PATH" +color +verb_ip6 +catch_errors +setting_up_container +network_check +update_os + +# Installing Dependencies with the 3 core dependencies (curl;sudo;mc) +#msg_info "Installing Dependencies" +#msg_ok "Installed Dependencies" + +msg_info "Installing Alpine Step-CA" +$STD apk add step-cli step-certificates +msg_ok "Installed Alpine Step-CA" + +# Initialize CA +CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" +config_dir="/etc/step-ca" +log_dir="/var/log/step-ca" +error_log="${log_dir}/${RC_SVCNAME}.log" +profile_file="${config_dir}/.profile" +ca_file="${config_dir}/config/ca.json" +passwd_file="${config_dir}/password.txt" + +cat <${passwd_file} +${CA_PASS} +EOF + +# Start application +msg_info "Starting Alpine Step-CA" +$STD rc-service step-ca start +$STD rc-update add step-ca default +msg_ok "Started Alpine Step-CA" + +motd_ssh +customize diff --git a/json/step-ca.json b/json/step-ca.json new file mode 100644 index 00000000..ed55de2e --- /dev/null +++ b/json/step-ca.json 
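Review bot: `rc-service step-ca start` at the end of the install hunk runs before anything has created a CA configuration under `/etc/step-ca`, so on a fresh container the service has nothing to serve and the start will fail or come up empty; the initialisation step has to come first. The password is also written under the shell's default umask, which in practice leaves `password.txt` readable by every user in the container — wrap the write as `( umask 077; printf '%s\n' "$CA_PASS" > "$passwd_file" )`. The `cat <${passwd_file}` line looks like an extraction-garbled `cat <<EOF >${passwd_file}`; as printed it would read the file instead of writing it, so confirm against the real source.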
@@ -0,0 +1,34 @@ +{ + "name": "Step CA", + "slug": "step-ca", + "categories": [ + 11 + ], + "date_created": "2025-01-10", + "type": "ct", + "updateable": false, + "privileged": false, + "interface_port": 443, + "documentation": "https://smallstep.com/docs/step-ca/configuration/", + "website": "https://smallstep.com/docs/step-ca/", + "logo": "https://avatars.githubusercontent.com/u/23183426?v=4", + "description": "Step CA is an open source Certificate Authority provided by Smallstep. This script creates a step-ca instance as your local online Certificate Authority with ACME support. It provides secure, automated X.509 and SSH certificate management. ", + "install_methods": [ + { + "type": "alpine", + "script": "/ct/alpine-step-ca.sh", + "resources": { + "cpu": 1, + "ram": 512, + "hdd": 1, + "os": null, + "version": null + } + } + ], + "default_credentials": { + "username": null, + "password": null + }, + "notes": [] + } \ No newline at end of file From a8f4997b685561e45ee806498ffb3442e311e77f Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 00:19:36 +0100 Subject: [PATCH 02/36] Fix name of file and update flow --- ct/alpine-step-ca.sh | 56 +++++++++++++++++++++++++++++ ct/step-ca.sh | 85 -------------------------------------------- 2 files changed, 56 insertions(+), 85 deletions(-) create mode 100644 ct/alpine-step-ca.sh delete mode 100644 ct/step-ca.sh diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh new file mode 100644 index 00000000..93a627ef --- /dev/null +++ b/ct/alpine-step-ca.sh 
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash +source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func) +# Copyright (c) 2021-2025 community-scripts ORG +# Author: FWiegerinck +# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/smallstep/certificates + +# App Default Values +APP="Step-CA" +TAGS="alpine;step-ca" +var_cpu="1" +var_ram="512" +var_disk="1024" +var_os="alpine" +var_version="3.20" +var_unprivileged="0" + +# App Output & Base Settings +header_info "$APP" +base_settings + +# Core +variables +color +catch_errors + +function update_script() { + if ! apk -e info newt >/dev/null 2>&1; then + apk add -q newt + fi + while true; do + CHOICE=$( + whiptail --backtitle "Proxmox VE Helper Scripts" --title "SUPPORT" --menu "Select option" 11 58 1 \ + "1" "Check for Step CA Updates" 3>&2 2>&1 1>&3 + ) + exit_status=$? + if [ $exit_status == 1 ]; then + clear + exit-script + fi + header_info + case $CHOICE in + 1) + apk update && apk upgrade + exit + ;; + esac + done +} + +start +build_container +description + +msg_ok "Completed Successfully!\n" +echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" diff --git a/ct/step-ca.sh b/ct/step-ca.sh deleted file mode 100644 index b116b4f0..00000000 --- a/ct/step-ca.sh +++ /dev/null 
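Review bot: `var_unprivileged="0"` builds the CA as a privileged LXC (build.func's `if [ "$CT_TYPE" == "0" ]` branch in a later hunk is the privileged path, as I read the framework), while `json/step-ca.json` from the previous commit advertises `"privileged": false`; a service that only binds a TCP port and writes under `/etc/step-ca` has no need for a privileged container, so the two should agree on `var_unprivileged="1"` unless a concrete reason is documented. Separately, `source <(curl -s …)` without `-f`/`--fail` will hand an HTTP error body to `source` on the Proxmox host if the fetch fails; `curl -fsSL` at least stops that.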
@@ -1,85 +0,0 @@ -#!/usr/bin/env bash -source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func) -# Copyright (c) 2021-2025 community-scripts ORG -# Author: FWiegerinck -# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE -# Source: https://github.com/smallstep/certificates - -# App Default Values -APP="Step-CA" -TAGS="alpine;step-ca" -var_cpu="1" -var_ram="512" -var_disk="1024" -var_os="alpine" -var_version="3.20" -var_unprivileged="0" - -# App Output & Base Settings -header_info "$APP" -base_settings - -# Core -variables -color -catch_errors - -function update_script() { - header_info - check_container_storage - check_container_resources - - # Check if installation is present | -f for file, -d for folder - if [[ ! -f [INSTALLATION_CHECK_PATH] ]]; then - msg_error "No ${APP} Installation Found!" - exit - fi - - # Crawling the new version and checking whether an update is required - RELEASE=$(curl -fsSL [RELEASE_URL] | [PARSE_RELEASE_COMMAND]) - if [[ "${RELEASE}" != "$(cat /opt/${APP}_version.txt)" ]] || [[ ! -f /opt/${APP}_version.txt ]]; then - msg_info "Updating $APP" - - # Stopping Services - msg_info "Stopping $APP" - systemctl stop [SERVICE_NAME] - msg_ok "Stopped $APP" - - # Creating Backup - msg_info "Creating Backup" - tar -czf "/opt/${APP}_backup_$(date +%F).tar.gz" [IMPORTANT_PATHS] - msg_ok "Backup Created" - - # Execute Update - msg_info "Updating $APP to v${RELEASE}" - [UPDATE_COMMANDS] - msg_ok "Updated $APP to v${RELEASE}" - - # Starting Services - msg_info "Starting $APP" - systemctl start [SERVICE_NAME] - sleep 2 - msg_ok "Started $APP" - - # Cleaning up - msg_info "Cleaning Up" - rm -rf [TEMP_FILES] - msg_ok "Cleanup Completed" - - # Last Action - echo "${RELEASE}" >/opt/${APP}_version.txt - msg_ok "Update Successful" - else - msg_ok "No update required. 
${APP} is already at v${RELEASE}" - fi - exit -} - -start -build_container -description - -msg_ok "Completed Successfully!\n" -echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" -echo -e "${INFO}${YW} Access it using the following URL:${CL}" -echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:[PORT]${CL}" From 5a8a1c208e37eb50845fc41d5cb30acba628309f Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 00:31:36 +0100 Subject: [PATCH 03/36] Fix filename --- install/{alpine-stepca-install.sh => alpine-step-ca-install.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename install/{alpine-stepca-install.sh => alpine-step-ca-install.sh} (100%) diff --git a/install/alpine-stepca-install.sh b/install/alpine-step-ca-install.sh similarity index 100% rename from install/alpine-stepca-install.sh rename to install/alpine-step-ca-install.sh From 58616c97fd098c7a1c67e61b992271612876b6d0 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 00:47:03 +0100 Subject: [PATCH 04/36] Set default password --- json/step-ca.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/json/step-ca.json b/json/step-ca.json index ed55de2e..1e0de122 100644 --- a/json/step-ca.json +++ b/json/step-ca.json @@ -28,7 +28,7 @@ ], "default_credentials": { "username": null, - "password": null + "password": "alpine" }, "notes": [] } \ No newline at end of file From dde9dccbd72f3b6d397d62474783491f3bbd5a08 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 00:47:11 +0100 Subject: [PATCH 05/36] Fix dependency path --- ct/alpine-step-ca.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index 93a627ef..262369d7 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh 
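Review bot: Publishing `"password": "alpine"` as the default credential of a certificate-authority host deserves a caveat: nothing in the install script in this series sets or rotates that password, so it is presumably the Alpine template's root password and stays valid until the operator changes it. Either have the install flow set a generated password and show it once, or add a `notes` entry telling users to change it before trusting the CA. `"updateable": false` also still disagrees with the `update_script` menu the ct script offers.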
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/head/step-ca/misc/build.func)
 # Copyright (c) 2021-2025 community-scripts ORG
 # Author: FWiegerinck
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
From 67be6ae51266d080fda7792eab1ca84073077f69 Mon Sep 17 00:00:00 2001
From: fwiegerinck
Date: Sat, 11 Jan 2025 00:50:38 +0100
Subject: [PATCH 06/36] Fix build paths
---
 ct/alpine-step-ca.sh | 2 +-
 misc/build.func | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh
index 262369d7..7c059b1e 100644
--- a/ct/alpine-step-ca.sh
+++ b/ct/alpine-step-ca.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/head/step-ca/misc/build.func)
+source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/build.func)
 # Copyright (c) 2021-2025 community-scripts ORG
 # Author: FWiegerinck
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
diff --git a/misc/build.func b/misc/build.func
index 26937e76..256735b5 100644
--- a/misc/build.func
+++ b/misc/build.func
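Review bot: The `source` line now pulls `build.func` from a personal fork branch (`fwiegerinck/ProxmoxVE/refs/heads/step-ca`) and executes it as root on the Proxmox host; that is fine for local testing but must be reverted to the community-scripts URL before merge, and a branch ref is mutable, so whoever controls that branch controls every host that runs the script. The `refs/head/` typo in the preceding hunk shows the second weakness: `curl -s` without `-f` returns the 404 body, which `source` then tries to execute. Use `curl -fsSL`, and if a fork must be used during development, pin a full commit SHA rather than a branch name.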
@@ -799,9 +799,11 @@ build_container() { TEMP_DIR=$(mktemp -d) pushd $TEMP_DIR >/dev/null if [ "$var_os" == "alpine" ]; then - export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)" +# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)" + export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/alpine-install.func)" else - export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)" +# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)" + export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/install.func)" fi export CACHER="$APT_CACHER" export CACHER_IP="$APT_CACHER_IP" @@ -831,7 +833,8 @@ build_container() { $PW " # This executes create_lxc.sh and creates the container and .conf file - bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit +# bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit + bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/ct/create_lxc.sh)" || exit LXC_CONFIG=/etc/pve/lxc/${CTID}.conf if [ "$CT_TYPE" == "0" ]; then 
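Review bot: Hard-wiring `alpine-install.func`, `install.func` and `create_lxc.sh` to a personal fork branch inside the shared `build.func` means every script built from this tree fetches and runs that fork's code — `create_lxc.sh` via `bash -c "$(wget …)"` as root on the host. The old URLs are only commented out rather than replaced, which reads as a development detour; it must not reach main, and even for testing a commit-SHA URL is safer than a branch. The enclosing `build_container` function starts before and ends after these hunks.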
@@ -893,7 +896,8 @@ http://dl-cdn.alpinelinux.org/alpine/latest-stable/community EOF' pct exec "$CTID" -- ash -c "apk add bash >/dev/null" fi - lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit +# lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit + lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/install/$var_install.sh)" || exit } From 7fa9aadcda5e2f115f9e7fdf6581e743085bea4a Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 01:00:40 +0100 Subject: [PATCH 07/36] Fix variables and names --- ct/alpine-step-ca.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index 7c059b1e..ee5f517f 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -6,8 +6,8 @@ source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/he # Source: https://github.com/smallstep/certificates # App Default Values -APP="Step-CA" -TAGS="alpine;step-ca" +APP="Alpine-Step-CA" +var_tags="alpine;step-ca" var_cpu="1" var_ram="512" var_disk="1024" From 0ca441e7e1aeecccfb92e34c1ada8ce2a94f4fc6 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 01:10:13 +0100 Subject: [PATCH 08/36] Added dependencies --- install/alpine-step-ca-install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 48844ad4..eff1e9ba 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
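Review bot: `lxc-attach … bash -c "$(wget -qLO - …)" || exit` cannot notice a failed download: when `wget -q` fails the substitution is empty, `bash -c ""` exits 0, and the container is reported as built with nothing installed. Fetch to a file and check the status before attaching, e.g. `wget -qLO "$TEMP_DIR/install.sh" "$URL" || exit 1` followed by `lxc-attach -n "$CTID" -- bash < "$TEMP_DIR/install.sh"` (`TEMP_DIR` is created earlier in `build_container`). This hunk also switches the install-script URL to the personal fork branch, with the same must-revert caveat as the other build.func hunks; the enclosing function begins before the hunk.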
@@ -14,8 +14,10 @@ setting_up_container network_check update_os -# Installing Dependencies with the 3 core dependencies (curl;sudo;mc) +# Installing Dependencies #msg_info "Installing Dependencies" +$STD apk add newt +$STD apk add openssl #msg_ok "Installed Dependencies" msg_info "Installing Alpine Step-CA" From b31d88b8f93a3f9bfdd33e963600fcfe7776ccce Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 01:16:27 +0100 Subject: [PATCH 09/36] Add more comments --- install/alpine-step-ca-install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index eff1e9ba..63313f93 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -25,7 +25,6 @@ $STD apk add step-cli step-certificates msg_ok "Installed Alpine Step-CA" # Initialize CA -CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" config_dir="/etc/step-ca" log_dir="/var/log/step-ca" error_log="${log_dir}/${RC_SVCNAME}.log" @@ -33,9 +32,12 @@ profile_file="${config_dir}/.profile" ca_file="${config_dir}/config/ca.json" passwd_file="${config_dir}/password.txt" -cat <${passwd_file} +msg_info "Generate CA secret" +CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" +$STD cat <${passwd_file} ${CA_PASS} EOF +msg_ok "Generated CA secret in ${passwd_file} - ${CA_PASS}" # Start application msg_info "Starting Alpine Step-CA" From 4ea7e25eebfb113828f0acae630aba4651d51f2d Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 01:18:32 +0100 Subject: [PATCH 10/36] Remove wrong ENV-var --- install/alpine-step-ca-install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 63313f93..9045ce8c 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
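Review bot: `msg_ok "Generated CA secret in ${passwd_file} - ${CA_PASS}"` prints the password that protects the CA's private keys to the console, and in this framework that output may also land in the install log, where it outlives the session. Report only the location, `msg_ok "Generated CA secret stored in ${passwd_file}"`, and let the operator read the file. The file is created under the default umask, so tighten it at creation: `( umask 077; printf '%s\n' "$CA_PASS" > "$passwd_file" )`. The `$STD cat <${passwd_file}` line is presumably an extraction-garbled `cat <<EOF >${passwd_file}`; as printed it would read the file rather than write it.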
@@ -27,7 +27,6 @@ msg_ok "Installed Alpine Step-CA" # Initialize CA config_dir="/etc/step-ca" log_dir="/var/log/step-ca" -error_log="${log_dir}/${RC_SVCNAME}.log" profile_file="${config_dir}/.profile" ca_file="${config_dir}/config/ca.json" passwd_file="${config_dir}/password.txt" From 55447b00fb7a9571e1d139d4f24e177fc2db8d0a Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 23:19:50 +0100 Subject: [PATCH 11/36] Request additional attributes --- ct/alpine-step-ca.sh | 47 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index ee5f517f..3f5b3835 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -15,6 +15,10 @@ var_os="alpine" var_version="3.20" var_unprivileged="0" +# CA default values +DEFAULT_CA_NAME="HomeLab" + + # App Output & Base Settings header_info "$APP" base_settings 
@@ -48,7 +52,50 @@ function update_script() { done } +function caDetails() { + whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 + + if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_NAME" ]; then + CA_NAME="$DEFAULT_CA_NAME" + fi + else + exit + fi + + CA_DNS=() + DEFAULT_CA_DNS_ENTRY="${HN}.local" + if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_DNS_ENTRY" ]; then + CA_DNS+=("$DEFAULT_CA_DNS_ENTRY") + else + CA_DNS+=("$CA_DNS_ENTRY") + fi + else + exit + fi + + while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do + + if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$CA_DNS_ENTRY" ]; then + CA_DNS+=("$CA_DNS_ENTRY") + fi + fi + done + + echo -e "${CONTAINERID}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}" + echo -e "CA DNS entries:" + for DNS_ENTRY in ${CA_DNS[*]}; do + echo -e "- $DNS_ENTRY" + done + + export CA_NAME + export CA_DNS +} + start +caDetails build_container description From 6703755766c28ffa24bd6c04bcdd42b8f20a1667 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 11 Jan 2025 23:19:59 +0100 Subject: [PATCH 12/36] Initialize CA --- install/alpine-step-ca-install.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 9045ce8c..2a17c98c 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -20,6 +20,10 @@ $STD apk add newt $STD apk add openssl #msg_ok "Installed Dependencies" +msg_info "Preparing environment" +$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile +msg_ok "Environment prepared" + msg_info "Installing Alpine Step-CA" $STD apk add step-cli step-certificates msg_ok "Installed Alpine Step-CA" @@ -38,6 +42,16 @@ ${CA_PASS} EOF msg_ok "Generated CA secret in ${passwd_file} - ${CA_PASS}" + +msg_info "Initialize CA" +DNS_FLAT="" +for DNS_ENTRY in ${CA_DNS[*]}; do + DNS_FLAT="$DNS_FLAT --dns=\"$DNS_ENTRY\"" +done +$STD step ca init --name="$CA_NAME" $DNS_FLAT --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme +$STD step ca provisioner update acme --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h +msg_ok "Finished initialization of CA" + # Start application msg_info "Starting Alpine Step-CA" $STD rc-service step-ca start From a64d440cfe5c4e4af164dfd54d33d264d7d4ee6c Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Mon, 13 Jan 2025 01:05:51 +0100 Subject: [PATCH 13/36] debug environment details --- install/alpine-step-ca-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 2a17c98c..a4b8b631 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -44,6 +44,7 @@ msg_ok "Generated CA secret in ${passwd_file} - ${CA_PASS}" msg_info "Initialize CA" +env DNS_FLAT="" for DNS_ENTRY in ${CA_DNS[*]}; do DNS_FLAT="$DNS_FLAT --dns=\"$DNS_ENTRY\"" From 9759a005d29b3d900d23dcfc7d2a947e8c4bc9f0 Mon Sep 17 00:00:00 2001 
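Review bot: `DNS_FLAT="$DNS_FLAT --dns=\"$DNS_ENTRY\""` embeds literal double quotes in the value, and the unquoted `$DNS_FLAT` expansion only word-splits — it does not strip them — so the CA certificate would receive SANs such as `"ca.local"` with the quote characters included. Build an array instead: `dns_args+=(--dns="$DNS_ENTRY")` and pass `"${dns_args[@]}"`. `echo … > ~/.profile` also clobbers root's existing profile; `>>` is the safer append. Finally, `step ca init --deployment-type=standalone` leaves the root CA key on this online host (under `$STEPPATH/secrets`, as I understand init's layout) protected only by `password.txt`; a documented follow-up that moves `root_ca_key` offline once the intermediate exists would be worth adding.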
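Review bot: The bare `env` inserted before `DNS_FLAT` dumps every exported variable of the install shell to the console and install log; whatever build.func exports for the container build rides along, and any secret among those values is logged in clear. Remove it before merge, or at minimum gate it behind a verbose flag and print only the CA settings: `env | grep '^CA_'`.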
From: fwiegerinck Date: Tue, 14 Jan 2025 00:14:55 +0100 Subject: [PATCH 14/36] Use flat environment variables exported --- ct/alpine-step-ca.sh | 27 ++++++++++++++------------- install/alpine-step-ca-install.sh | 17 +++++++---------- 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index 3f5b3835..ed76d4c8 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -52,9 +52,9 @@ function update_script() { done } -function caDetails() { +function ca_settings() { + whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 - if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_NAME" ]; then CA_NAME="$DEFAULT_CA_NAME" 
@@ -63,35 +63,36 @@ function caDetails() { exit fi - CA_DNS=() + CA_DNS_ENTRIES=() DEFAULT_CA_DNS_ENTRY="${HN}.local" if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_DNS_ENTRY" ]; then - CA_DNS+=("$DEFAULT_CA_DNS_ENTRY") + CA_DNS_ENTRIES+=("--dns=\"$DEFAULT_CA_DNS_ENTRY\"") else - CA_DNS+=("$CA_DNS_ENTRY") + CA_DNS_ENTRIES+=("--dns=\"$CA_DNS_ENTRY\"") fi else exit fi while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do - if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -n "$CA_DNS_ENTRY" ]; then - CA_DNS+=("$CA_DNS_ENTRY") + CA_DNS_ENTRIES+=(" --dns=\"$CA_DNS_ENTRY\"") fi fi done - echo -e "${CONTAINERID}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}" - echo -e "CA DNS entries:" - for DNS_ENTRY in ${CA_DNS[*]}; do - echo -e "- $DNS_ENTRY" - done + if [ "$VERBOSE" = "yes" ]; then + echo -e "${DEFAULT}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}" + echo -e "${DEFAULT}${BOLD}${DGN}DNS entries of CA:${CL}" + for DNS_ENTRY in ${CA_DNS_ENTRIES[*]}; do + echo -e "- $DNS_ENTRY" + done + fi export CA_NAME - export CA_DNS + export CA_DNS=${CA_DNS_ENTRIES[@]}; } start diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index a4b8b631..d3bc5307 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
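Review bot: Entries are now built as `--dns=\"$CA_DNS_ENTRY\"`, and because the install side expands `$CA_DNS` unquoted, the escaped quotes survive word splitting and become literal `"` characters inside the SAN value. Drop the inner quotes, `CA_DNS_ENTRIES+=("--dns=$CA_DNS_ENTRY")`, and validate each whiptail answer — reject empty strings and anything containing whitespace or quotes — since the space-joined export is the only delimiter the container side has. `export CA_DNS=${CA_DNS_ENTRIES[@]}` should work as written (bash treats `export name=value` as an assignment and joins the array with a space), but `"${CA_DNS_ENTRIES[*]}"` states that intent explicitly.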
@@ -22,6 +22,11 @@ $STD apk add openssl msg_info "Preparing environment" $STD echo "export STEPPATH=/etc/step-ca" > ~/.profile +$STD export STEPPATH=/etc/step-ca + +if [ "$VERBOSE" = "yes" ]; then + env #Display environment details +fi msg_ok "Environment prepared" msg_info "Installing Alpine Step-CA" @@ -30,9 +35,6 @@ msg_ok "Installed Alpine Step-CA" # Initialize CA config_dir="/etc/step-ca" -log_dir="/var/log/step-ca" -profile_file="${config_dir}/.profile" -ca_file="${config_dir}/config/ca.json" passwd_file="${config_dir}/password.txt" msg_info "Generate CA secret" @@ -40,16 +42,11 @@ CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" $STD cat <${passwd_file} ${CA_PASS} EOF -msg_ok "Generated CA secret in ${passwd_file} - ${CA_PASS}" +msg_ok "Generated CA secret stored in ${passwd_file}" msg_info "Initialize CA" -env -DNS_FLAT="" -for DNS_ENTRY in ${CA_DNS[*]}; do - DNS_FLAT="$DNS_FLAT --dns=\"$DNS_ENTRY\"" -done -$STD step ca init --name="$CA_NAME" $DNS_FLAT --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme +$STD step ca init --name="$CA_NAME" $CA_DNS --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme $STD step ca provisioner update acme --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h msg_ok "Finished initialization of CA" From 915971b5bfb6ed6dcbfdfde5422a3edf9a3cba9f Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Tue, 14 Jan 2025 00:18:24 +0100 Subject: [PATCH 15/36] Fix callout to ca-settings --- ct/alpine-step-ca.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index ed76d4c8..b87ddbd6 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh 
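Review bot: The `env` dump is now gated on `VERBOSE=yes`, but it still prints every exported variable of the install shell to the console and log, far more than the CA settings a debugging user needs; `env | grep '^CA_'` shows the relevant ones without whatever else build.func exported. `$STD export STEPPATH=/etc/step-ca` routes a shell builtin through `$STD`; if `$STD` ever expands to anything other than a function running in the current shell, the export is lost for the `step` calls that follow — write `export STEPPATH=/etc/step-ca` plainly. The hunk also leaves `password.txt` created under the default umask; `( umask 077; … )` around the write is still needed.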
@@ -92,11 +92,11 @@ function ca_settings() { fi export CA_NAME - export CA_DNS=${CA_DNS_ENTRIES[@]}; + export CA_DNS=${CA_DNS_ENTRIES[*}; } start -caDetails +ca_settings build_container description From 7cb5ebf00ef3481e2c839952fedb52249d50f15a Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Tue, 14 Jan 2025 00:23:06 +0100 Subject: [PATCH 16/36] fix syntax --- ct/alpine-step-ca.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index b87ddbd6..bc1589a1 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -92,7 +92,7 @@ function ca_settings() { fi export CA_NAME - export CA_DNS=${CA_DNS_ENTRIES[*}; + export CA_DNS=${CA_DNS_ENTRIES[*]}; } start From a81592d9c0601cb3ba3b0349973dd75f1599b334 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Tue, 14 Jan 2025 08:44:10 +0100 Subject: [PATCH 17/36] Remove quotes from the parameters --- ct/alpine-step-ca.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index bc1589a1..e5f3aad7 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -67,9 +67,9 @@ function ca_settings() { DEFAULT_CA_DNS_ENTRY="${HN}.local" if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=("--dns=\"$DEFAULT_CA_DNS_ENTRY\"") + CA_DNS_ENTRIES+=("--dns=$DEFAULT_CA_DNS_ENTRY") else - CA_DNS_ENTRIES+=("--dns=\"$CA_DNS_ENTRY\"") + CA_DNS_ENTRIES+=("--dns=$CA_DNS_ENTRY") fi else exit 
@@ -78,7 +78,7 @@ function ca_settings() { while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -n "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=(" --dns=\"$CA_DNS_ENTRY\"") + CA_DNS_ENTRIES+=(" --dns=$CA_DNS_ENTRY") fi fi done From 07d1d22917dd51a1d4a8ce57cf0d92cc1c97ab3f Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Wed, 15 Jan 2025 00:08:15 +0100 Subject: [PATCH 18/36] Make ACM optional and allow X509 policies --- ct/alpine-step-ca.sh | 90 +++++++++++++++++++++++++++---- install/alpine-step-ca-install.sh | 25 +++++++-- 2 files changed, 101 insertions(+), 14 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index e5f3aad7..c17affb5 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -16,7 +16,8 @@ var_version="3.20" var_unprivileged="0" # CA default values -DEFAULT_CA_NAME="HomeLab" +DEFAULT_CA_NAME="HomeLab CA" + # App Output & Base Settings @@ -54,7 +55,10 @@ function update_script() { function ca_settings() { + # Step 0: Announce whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 + + # Basic - Step 1: Name of CA if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_NAME" ]; then CA_NAME="$DEFAULT_CA_NAME" 
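Review bot: With the quotes gone, `CA_DNS_ENTRIES+=(" --dns=$CA_DNS_ENTRY")` is correct only while the operator never types a space into the whiptail box; an answer like `ca local` becomes two words after the unquoted expansion on the install side, and `step ca init` would see the second as a stray positional argument. Validate before appending, e.g. `[[ "$CA_DNS_ENTRY" =~ ^[A-Za-z0-9.-]+$ ]] || { msg_error "Invalid DNS name: $CA_DNS_ENTRY"; exit; }`. The leading space in the literal is harmless but unnecessary once entries are joined with `${arr[*]}`.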
@@ -63,36 +67,97 @@ function ca_settings() { exit fi + # Basic - Step 2: DNS entries of CA CA_DNS_ENTRIES=() DEFAULT_CA_DNS_ENTRY="${HN}.local" - if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then - if [ -z "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=("--dns=$DEFAULT_CA_DNS_ENTRY") - else - CA_DNS_ENTRIES+=("--dns=$CA_DNS_ENTRY") + + if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_PRIMARY_DNS" ]; then + CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY fi + CA_DNS_ENTRIES+=("--dns=$CA_PRIMARY_DNS") else exit fi while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do - if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then - if [ -n "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=(" --dns=$CA_DNS_ENTRY") + if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$dns_entry" ]; then + CA_DNS_ENTRIES+=(" --dns=$dns_entry") fi fi done + # Basic - Step 3: X509 policy allow by DNS name + x509_policy_dns=() + while true; do + if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. 
Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$dns_entry" ]; then + x509_policy_dns+=("$(dns_entry)") + else + break + fi + else + exit + fi + done + + # Basic - Step 4: X509 policy allow by IP address/range + x509_policy_ips=() + while true; do + if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$ip_entry" ]; then + x509_policy_ips+=("$(ip_entry)") + else + break + fi + else + exit + fi + done + + # ACME - Step 1: Should ACME be enabled? + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then + CA_ACME="yes" + + # ACME - Step 2: Name of ACME provider + default_ca_acme_name="acme" + if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_ACME_NAME" ]; then + CA_ACME_NAME="$default_ca_acme_name" + fi + else + exit + fi + + else + CA_ACME="no" + fi + if [ "$VERBOSE" = "yes" ]; then echo -e "${DEFAULT}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}" echo -e "${DEFAULT}${BOLD}${DGN}DNS entries of CA:${CL}" for DNS_ENTRY in ${CA_DNS_ENTRIES[*]}; do - echo -e "- $DNS_ENTRY" + echo -e " - $DNS_ENTRY" done + echo -e "${DEFAULT}${BOLD}${DGN}X509 Policy - allow:{CL}" + echo -e " - DNS entries: ${x509_policy_dns[*]}" + echo -e " - IP addresses: ${x509_policy_ips[*]}" + + echo -e "${DEFAULT}${BOLD}${DGN}Enable ACME: ${BGN}$CA_ACME${CL}" + if [ "${CA_ACME}" = "yes" ]; then + echo -e " - Name of provider: ${CA_ACME_NAME}" + echo -e " - Allowed domains: " + fi fi export CA_NAME - export 
CA_DNS=${CA_DNS_ENTRIES[*]}; + export CA_PRIMARY_DNS + export CA_DNS=${CA_DNS_ENTRIES[*]} + export CA_X509_POLICY_DNS=${x509_policy_dns[*]} + export CA_X509_POLICY_IPS=${x509_policy_ips[*]} + export CA_ACME + export CA_ACME_NAME } start @@ -102,3 +167,6 @@ description msg_ok "Completed Successfully!\n" echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" +if [ "${CA_ACME}" = "yes" ]; then + echo -e " ACME should be reachable at URL: https://${CA_PRIMARY_DNS}/acme/{$CA_ACME_NAME}/directory" +fi diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index d3bc5307..a37aa056 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -27,6 +27,10 @@ $STD export STEPPATH=/etc/step-ca if [ "$VERBOSE" = "yes" ]; then env #Display environment details fi + +x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n')) +x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n')) + msg_ok "Environment prepared" msg_info "Installing Alpine Step-CA" 
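Review bot: `x509_policy_dns+=("$(dns_entry)")` and the matching `x509_policy_ips+=("$(ip_entry)")` line run the operator's input as a command — `$(…)` is command substitution — and store its output, so the policy lists end up empty or, worse, execute whatever was typed; `"$dns_entry"` and `"$ip_entry"` are intended. Because these lists are exported space-joined and re-split inside the container, each answer should also be validated here (a DNS name or wildcard, an IP or CIDR, no whitespace) before it is appended. The `echo -e "… X509 Policy - allow:{CL}"` line is missing the `$` in `${CL}`, so the colour-reset code is printed literally.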
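Review bot: `https://${CA_PRIMARY_DNS}/acme/{$CA_ACME_NAME}/directory` has the brace on the wrong side of `$`, so the printed ACME URL contains a literal `{acme}` path segment and fails when copied; `/acme/${CA_ACME_NAME}/directory` is intended. The ACME name comes straight from a whiptail box and is also used unquoted in `step ca provisioner add` on the install side, so restricting it to `[A-Za-z0-9_-]+` when it is read keeps both the URL and the command line well-formed.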
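Review bot: `x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n'))` relies on unquoted expansion, so every word is also subject to pathname expansion — and the ct-side prompt explicitly invites wildcard entries such as `*.local`, which the shell will try to match against files in the current directory before `step ca policy` ever sees them. Use `read -r -a x509_policy_dns <<< "${CA_X509_POLICY_DNS}"` (and the same for the IP list), which splits on whitespace without globbing.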
@@ -45,9 +49,24 @@ EOF msg_ok "Generated CA secret stored in ${passwd_file}" -msg_info "Initialize CA" -$STD step ca init --name="$CA_NAME" $CA_DNS --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme -$STD step ca provisioner update acme --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h +msg_info "Initialize base CA" +$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type=standalone --address ":443" --provisioner=admin + +for dns_entry in "${x509_policy_dns[@]}"; do + $STD step ca policy authority x509 allow dns "${dns_entry}" +done +for ip_entry in "${x509_policy_ips[@]}"; do + $STD step ca policy authority x509 allow ip ${ip_entry} +done + +if [ "${CA_ACME}" = "yes" ]; then + msg_info "Initialize ACME for CA" + $STD step ca provisioner add ${CA_ACME_NAME} --type ACME + $STD step ca provisioner update ${CA_ACME_NAME} --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h +fi +if [ "${CA_SSH}" = "yes" ]; then + msg_info "Inititialize CA for SSH" +fi msg_ok "Finished initialization of CA" # Start application From 17b775609c004aca12db09357fb5493c2f8d68f3 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Wed, 15 Jan 2025 00:16:57 +0100 Subject: [PATCH 19/36] Small fixes --- ct/alpine-step-ca.sh | 4 ++-- install/alpine-step-ca-install.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index c17affb5..e631f01d 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -93,7 +93,7 @@ function ca_settings() { while true; do if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -n "$dns_entry" ]; then - x509_policy_dns+=("$(dns_entry)") + x509_policy_dns+=("$dns_entry") else break fi 
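Review bot: The new `if [ "${CA_SSH}" = "yes" ]` branch tests a variable that the ct script never sets or exports (its export list in this series covers `CA_NAME`, `CA_PRIMARY_DNS`, `CA_DNS`, `CA_X509_POLICY_DNS`, `CA_X509_POLICY_IPS`, `CA_ACME` and `CA_ACME_NAME`), so the branch is unreachable and, if it ever ran, would print a `msg_info` with no matching `msg_ok`. Either wire `CA_SSH` through the ct script's dialog and export list or drop the branch until SSH support exists. In the same hunk the IP loop should quote its argument like the dns loop does: `$STD step ca policy authority x509 allow ip "${ip_entry}"`.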
@@ -107,7 +107,7 @@ function ca_settings() { while true; do if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -n "$ip_entry" ]; then - x509_policy_ips+=("$(ip_entry)") + x509_policy_ips+=("$ip_entry") else break fi diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index a37aa056..1ecd697b 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -50,7 +50,7 @@ msg_ok "Generated CA secret stored in ${passwd_file}" msg_info "Initialize base CA" -$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type=standalone --address ":443" --provisioner=admin +$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type standalone --address ":443" --provisioner admin for dns_entry in "${x509_policy_dns[@]}"; do $STD step ca policy authority x509 allow dns "${dns_entry}" From c1f48e92c9431b027d78f282c8f1a5b8105b46b1 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Wed, 15 Jan 2025 21:08:23 +0100 Subject: [PATCH 20/36] Remove obsolete line --- ct/alpine-step-ca.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index e631f01d..2e429dbb 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -147,7 +147,6 @@ function ca_settings() { echo -e "${DEFAULT}${BOLD}${DGN}Enable ACME: ${BGN}$CA_ACME${CL}" if [ "${CA_ACME}" = "yes" ]; then echo -e " - Name of provider: ${CA_ACME_NAME}" - echo -e " - Allowed domains: " fi fi From 4494fbb0b97f4e61c74289fe13e5a1cde45293ca Mon Sep 17 00:00:00 2001 
From: fwiegerinck Date: Wed, 15 Jan 2025 23:26:57 +0100 Subject: [PATCH 21/36] - Update motd - Disable policy update due to issues - Small updates --- install/alpine-step-ca-install.sh | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 1ecd697b..b1dce8b3 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
@@ -41,31 +41,27 @@ msg_ok "Installed Alpine Step-CA" config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" -msg_info "Generate CA secret" +msg_info "Generate CA secrets" CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" $STD cat <${passwd_file} ${CA_PASS} EOF -msg_ok "Generated CA secret stored in ${passwd_file}" +msg_ok "Generated CA secrets" msg_info "Initialize base CA" -$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type standalone --address ":443" --provisioner admin +$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner admin -for dns_entry in "${x509_policy_dns[@]}"; do - $STD step ca policy authority x509 allow dns "${dns_entry}" -done -for ip_entry in "${x509_policy_ips[@]}"; do - $STD step ca policy authority x509 allow ip ${ip_entry} -done +#for dns_entry in "${x509_policy_dns[@]}"; do +# $STD step ca policy authority x509 allow dns "${dns_entry}" +#done +#for ip_entry in "${x509_policy_ips[@]}"; do +# $STD step ca policy authority x509 allow ip ${ip_entry} +#done if [ "${CA_ACME}" = "yes" ]; then msg_info "Initialize ACME for CA" - $STD step ca provisioner add ${CA_ACME_NAME} --type ACME - $STD step ca provisioner update ${CA_ACME_NAME} --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h -fi -if [ "${CA_SSH}" = "yes" ]; then - msg_info "Inititialize CA for SSH" + $STD step ca provisioner add ${CA_ACME_NAME} --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h fi msg_ok "Finished initialization of CA" @@ -76,4 +72,9 @@ $STD rc-update add step-ca default msg_ok "Started Alpine Step-CA" motd_ssh + +# add fingerprint to motd +ca_root_fingerprint=${step certificate fingerprint root_${STEPPATH}/certs/ca.crt} +echo -e "${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> /etc/motd + customize 
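Review bot: The x509 policy loops are commented out rather than removed, and the commit subject only says "due to issues", so the next reader cannot tell what failed or under which condition the block may return. A single line in place of the six commented ones, such as `# TODO(fwiegerinck): x509 policy allow-list disabled — <reason>`, records the intent without leaving dead code. In the ACME branch the provisioner name is still unquoted (`provisioner add ${CA_ACME_NAME} --type ACME ...`); it comes from a free-text whiptail input and should be passed as `"${CA_ACME_NAME}"`.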
From 3ddc5bf2a7169d1d20159f91e7a77f6f19113160 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Fri, 17 Jan 2025 21:47:30 +0100 Subject: [PATCH 22/36] Fix inclusion of command output --- install/alpine-step-ca-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index b1dce8b3..111a52b2 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -74,7 +74,7 @@ msg_ok "Started Alpine Step-CA" motd_ssh # add fingerprint to motd -ca_root_fingerprint=${step certificate fingerprint root_${STEPPATH}/certs/ca.crt} +ca_root_fingerprint=$(step certificate fingerprint root_${STEPPATH}/certs/ca.crt) echo -e "${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> /etc/motd customize From 0e1f064287b2b02535c7869f5bdd54cb1937d3b0 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Fri, 17 Jan 2025 22:04:52 +0100 Subject: [PATCH 23/36] Fix name of file --- install/alpine-step-ca-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 111a52b2..fa5ea9f8 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -74,7 +74,7 @@ msg_ok "Started Alpine Step-CA" motd_ssh # add fingerprint to motd -ca_root_fingerprint=$(step certificate fingerprint root_${STEPPATH}/certs/ca.crt) +ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) echo -e "${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> /etc/motd customize From 8769ebc969c0c0f5bcce6f6c89e676af972da4cc Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sat, 18 Jan 2025 00:40:28 +0100 Subject: [PATCH 24/36] Setup remote management for policies --- install/alpine-step-ca-install.sh | 62 +++++++++++++++++++++++-------- 1 file changed, 47 insertions(+), 15 deletions(-) 
diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index fa5ea9f8..0140e14b 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -28,8 +28,8 @@ if [ "$VERBOSE" = "yes" ]; then env #Display environment details fi -x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n')) -x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n')) +#x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n')) +#x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n')) msg_ok "Environment prepared" 
@@ -40,41 +40,73 @@ msg_ok "Installed Alpine Step-CA" # Initialize CA config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" +ca_admin_provisioner="Admin JWK" +ca_admin_subject="admin@localhost" +ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" msg_info "Generate CA secrets" + CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" $STD cat <${passwd_file} ${CA_PASS} EOF + +CA_ADMIN_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" +$STD cat <${ca_admin_provisioner_passwd_file} +${CA_ADMIN_PASS} +EOF + +chmod 600 ${passwd_file} +chmod 600 ${ca_admin_provisioner_passwd_file} + msg_ok "Generated CA secrets" msg_info "Initialize base CA" -$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner admin -#for dns_entry in "${x509_policy_dns[@]}"; do -# $STD step ca policy authority x509 allow dns "${dns_entry}" -#done -#for ip_entry in "${x509_policy_ips[@]}"; do -# $STD step ca policy authority x509 allow ip ${ip_entry} -#done +# Do initialize and immediately start it for further configuration +$STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management +$STD rc-service step-ca start + +# Verify whether CA policy is requested +if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then + + # Ensure admin subject is added to the allow list + $STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} + + if [ -n "${CA_X509_POLICY_DNS}" ]; then + $STD step ca policy authority x509 allow dns ${CA_X509_POLICY_DNS} --admin-provisioner 
"${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} + fi + if [ -n "${CA_X509_POLICY_IPS}" ]; then + $STD step ca policy authority x509 allow ip ${CA_X509_POLICY_IPS} --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} + fi + + #for dns_entry in "${x509_policy_dns[@]}"; do + # $STD step ca policy authority x509 allow dns "${dns_entry}" + #done + #for ip_entry in "${x509_policy_ips[@]}"; do + # $STD step ca policy authority x509 allow ip ${ip_entry} + #done +fi if [ "${CA_ACME}" = "yes" ]; then msg_info "Initialize ACME for CA" - $STD step ca provisioner add ${CA_ACME_NAME} --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h + $STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} fi msg_ok "Finished initialization of CA" # Start application msg_info "Starting Alpine Step-CA" -$STD rc-service step-ca start +$STD rc-service step-ca restart $STD rc-update add step-ca default msg_ok "Started Alpine Step-CA" motd_ssh - -# add fingerprint to motd -ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) -echo -e "${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> /etc/motd +# Extend motd with step-ca fingerprint of root CA +MOTD_FILE="/etc/motd" +if [ -f "$MOTD_FILE" ]; then + ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) + echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE" +fi customize From 265ae98a27ea9521e1aa4516ead9ef63b06bdb80 Mon Sep 17 00:00:00 2001 
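Review bot: `rc-service step-ca start` is followed directly by `step ca policy ...` and `step ca provisioner add ...` calls that need the remote-management endpoint on `:443`, but nothing waits for the listener, so on a slow container the first admin call can fail before the service is up. A bounded readiness loop before the policy block — polling the port and aborting with `msg_error` and a non-zero exit after a timeout — would make this step deterministic. Separately, `${passwd_file}` and `${ca_admin_provisioner_passwd_file}` are written with the umask-default mode and only then `chmod 600`; running the two heredocs under `umask 077`, or creating each file first with `install -m 600 /dev/null "${passwd_file}"`, closes the window in which the CA password is readable by other local users.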
From: fwiegerinck Date: Sun, 19 Jan 2025 22:34:07 +0100 Subject: [PATCH 25/36] Improve order of actions --- install/alpine-step-ca-install.sh | 82 +++++++++++++++++-------------- 1 file changed, 46 insertions(+), 36 deletions(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 0140e14b..dfafa3ca 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
@@ -14,54 +14,67 @@ setting_up_container network_check update_os -# Installing Dependencies -#msg_info "Installing Dependencies" -$STD apk add newt -$STD apk add openssl -#msg_ok "Installed Dependencies" +motd_ssh +customize -msg_info "Preparing environment" -$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile -$STD export STEPPATH=/etc/step-ca +# Finished base install.... now install and setup Step-CA -if [ "$VERBOSE" = "yes" ]; then - env #Display environment details -fi - -#x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n')) -#x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n')) - -msg_ok "Environment prepared" - -msg_info "Installing Alpine Step-CA" -$STD apk add step-cli step-certificates -msg_ok "Installed Alpine Step-CA" - -# Initialize CA +# Step 0: Set internal values config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" ca_admin_provisioner="Admin JWK" ca_admin_subject="admin@localhost" ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" + +# Step 1: Installing Dependencies +msg_info "Installing dependencies" +$STD apk add newt +$STD apk add openssl +msg_ok "Installed dependencies" + + +# Step 2: Prepare environment +msg_info "Preparing environment" +$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile +$STD export STEPPATH=/etc/step-ca +msg_ok "Environment prepared" + +# Step 3: Do actual install of step-ca +msg_info "Installing Alpine Step-CA" +$STD apk add step-cli step-certificates +msg_ok "Installed Alpine Step-CA" + +# Step 4: Setup step-ca + +# Step 4a: Prepare secrets msg_info "Generate CA secrets" -CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" -$STD cat <${passwd_file} -${CA_PASS} -EOF +function generatePasswordFile(){ # argument: path of file -CA_ADMIN_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" -$STD cat <${ca_admin_provisioner_passwd_file} -${CA_ADMIN_PASS} -EOF + $STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > 
"$1" + chmod 600 "$1" -chmod 600 ${passwd_file} -chmod 600 ${ca_admin_provisioner_passwd_file} +} +generatePasswordFile "${passwd_file}" +generatePasswordFile "${ca_admin_provisioner_passwd_file}" + +#CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" +#$STD cat <${passwd_file} +#${CA_PASS} +#EOF + +#CA_ADMIN_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" +#$STD cat <${ca_admin_provisioner_passwd_file} +#${CA_ADMIN_PASS} +#EOF + +#chmod 600 ${passwd_file} +#chmod 600 ${ca_admin_provisioner_passwd_file} msg_ok "Generated CA secrets" - +# Step 4b: Configure base CA msg_info "Initialize base CA" # Do initialize and immediately start it for further configuration @@ -101,12 +114,9 @@ $STD rc-service step-ca restart $STD rc-update add step-ca default msg_ok "Started Alpine Step-CA" -motd_ssh # Extend motd with step-ca fingerprint of root CA MOTD_FILE="/etc/motd" if [ -f "$MOTD_FILE" ]; then ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE" fi - -customize From 98dcab2d8da6b6ad3aea9a66b11da9de84f29a47 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Sun, 19 Jan 2025 23:39:47 +0100 Subject: [PATCH 26/36] - Fixed defaults - Wait for service to be completed - Cleanup old code - Added documentation --- install/alpine-step-ca-install.sh | 49 ++++++++++++++++--------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index dfafa3ca..cf89e827 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -23,7 +23,7 @@ customize config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" ca_admin_provisioner="Admin JWK" -ca_admin_subject="admin@localhost" +ca_admin_subject="admin-localhost" ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" 
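Review bot: `generatePasswordFile` writes the secret with `echo ... > "$1"` and applies `chmod 600 "$1"` afterwards, so between the two statements the file carries the umask-default mode. Setting the mode before the secret lands avoids that: `( umask 077; openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13 > "$1" )`, or `install -m 600 /dev/null "$1"` ahead of the write. The `function generatePasswordFile(){` form with a camelCase name is also out of step with the `lower_snake_case` helpers used around it (`msg_info`, `motd_ssh`, `network_check`); `generate_password_file() {` would match, and a one-line header comment stating that the argument is the target path and that the file ends up mode 600 would replace the trailing `# argument: path of file`.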
@@ -60,18 +60,6 @@ function generatePasswordFile(){ # argument: path of file generatePasswordFile "${passwd_file}" generatePasswordFile "${ca_admin_provisioner_passwd_file}" -#CA_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" -#$STD cat <${passwd_file} -#${CA_PASS} -#EOF - -#CA_ADMIN_PASS="$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" -#$STD cat <${ca_admin_provisioner_passwd_file} -#${CA_ADMIN_PASS} -#EOF - -#chmod 600 ${passwd_file} -#chmod 600 ${ca_admin_provisioner_passwd_file} msg_ok "Generated CA secrets" # Step 4b: Configure base CA @@ -81,8 +69,23 @@ msg_info "Initialize base CA" $STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management $STD rc-service step-ca start -# Verify whether CA policy is requested +# Wait till service has started and port is available +timeout_counter=0 +while ! nc -z localhost 443; do + sleep 0.5 + + ((timeout_counter++)) + if [[ $timeout_counter -gt 30 ]]; then + msg_error "Failed to start Step-CA" + exit + fi +done + +msg_ok "Initialized base CA" + +# Step 4c: Configure CA policy if necessary if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then + msg_info "Configure CA policy" # Ensure admin subject is added to the allow list $STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} 
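Review bot: In the new readiness loop `((timeout_counter++))` evaluates to 0 on the first iteration (post-increment yields the old value), which gives the arithmetic command a non-zero exit status; if `catch_errors` enables `set -e` — as its name suggests, though this page does not show its definition — the installer aborts on that line, which appears to be what PATCH 27–29 then work around. `timeout_counter=$((timeout_counter + 1))` is the idiomatic form and never fails regardless of the value. The timeout path also ends in a bare `exit`, which returns the status of the preceding `msg_error` call rather than signalling failure; `exit 1` makes the aborted install visible to the caller.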
@@ -94,27 +97,27 @@ if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then $STD step ca policy authority x509 allow ip ${CA_X509_POLICY_IPS} --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} fi - #for dns_entry in "${x509_policy_dns[@]}"; do - # $STD step ca policy authority x509 allow dns "${dns_entry}" - #done - #for ip_entry in "${x509_policy_ips[@]}"; do - # $STD step ca policy authority x509 allow ip ${ip_entry} - #done + msg_ok "Configured CA policy" fi +# Step 4d: Configure ACME if desired if [ "${CA_ACME}" = "yes" ]; then msg_info "Initialize ACME for CA" $STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file} + msg_ok "Initialized ACME for CA" fi -msg_ok "Finished initialization of CA" -# Start application + +# Step 4e: Restart service and enable auto-start msg_info "Starting Alpine Step-CA" $STD rc-service step-ca restart $STD rc-update add step-ca default msg_ok "Started Alpine Step-CA" -# Extend motd with step-ca fingerprint of root CA +# Step 4f: Report back completion as it works from here! +msg_ok "Completed setup of CA" + +# Step 4g: Extend motd with step-ca fingerprint of root CA MOTD_FILE="/etc/motd" if [ -f "$MOTD_FILE" ]; then ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt) From 9fa583de06547eac110317bdc2cfddf0fbd1c5fc Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Mon, 20 Jan 2025 00:03:23 +0100 Subject: [PATCH 27/36] Attempt to fix validation --- install/alpine-step-ca-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index cf89e827..93cb3a5f 100644 --- a/install/alpine-step-ca-install.sh 
+++ b/install/alpine-step-ca-install.sh @@ -75,7 +75,7 @@ while ! nc -z localhost 443; do sleep 0.5 ((timeout_counter++)) - if [[ $timeout_counter -gt 30 ]]; then + if (( timeout_counter > 30 )); then msg_error "Failed to start Step-CA" exit fi From 8681fa79ee3667152a443beda962b344bc3c177a Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Mon, 20 Jan 2025 00:09:00 +0100 Subject: [PATCH 28/36] Use other command to increase value --- install/alpine-step-ca-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 93cb3a5f..5401e39e 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -74,7 +74,7 @@ timeout_counter=0 while ! nc -z localhost 443; do sleep 0.5 - ((timeout_counter++)) + ((timeout_counter=counter+1)) if (( timeout_counter > 30 )); then msg_error "Failed to start Step-CA" exit From 01107a6336e01c9976cfd6ff0e4111f087bdf99b Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Mon, 20 Jan 2025 00:12:59 +0100 Subject: [PATCH 29/36] Fix name of variable --- install/alpine-step-ca-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index 5401e39e..a0a14166 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -73,8 +73,8 @@ $STD rc-service step-ca start timeout_counter=0 while ! nc -z localhost 443; do sleep 0.5 - - ((timeout_counter=counter+1)) + + ((timeout_counter=timeout_counter+1)) if (( timeout_counter > 30 )); then msg_error "Failed to start Step-CA" exit From 55e3ee691a5f128627946570620c027ce861cb70 Mon Sep 17 00:00:00 2001 From: Frank Wiegerinck Date: Tue, 21 Jan 2025 21:26:20 +0100 Subject: [PATCH 30/36] Revert build.func --- misc/build.func | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/misc/build.func b/misc/build.func index 256735b5..26937e76 100644 
--- a/misc/build.func +++ b/misc/build.func @@ -799,11 +799,9 @@ build_container() { TEMP_DIR=$(mktemp -d) pushd $TEMP_DIR >/dev/null if [ "$var_os" == "alpine" ]; then -# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)" - export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/alpine-install.func)" + export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)" else -# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)" - export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/install.func)" + export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)" fi export CACHER="$APT_CACHER" export CACHER_IP="$APT_CACHER_IP" @@ -833,8 +831,7 @@ build_container() { $PW " # This executes create_lxc.sh and creates the container and .conf file -# bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit - bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/ct/create_lxc.sh)" || exit + bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit LXC_CONFIG=/etc/pve/lxc/${CTID}.conf if [ "$CT_TYPE" == "0" ]; then 
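Review bot: The restored `export FUNCTIONS_FILE_PATH="$(curl -s ...)"` lines fetch code that is later executed but call `curl` without `-f`, so an HTTP error page or a truncated response from raw.githubusercontent.com would be stored and run as shell instead of failing the build. `curl -fsSL` at least turns HTTP errors into a non-zero status, and pinning the URL to a commit rather than `main` would make the fetched code reproducible. This hunk reverts to the upstream lines, so the point concerns the project convention rather than this PR alone; the `wget -qLO -` fetch in the second hunk has the same property.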
@@ -896,8 +893,7 @@ http://dl-cdn.alpinelinux.org/alpine/latest-stable/community EOF' pct exec "$CTID" -- ash -c "apk add bash >/dev/null" fi -# lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit - lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/install/$var_install.sh)" || exit + lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit } From a6a212b63e7b65fe573b234fd617dc286072a185 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Tue, 21 Jan 2025 21:28:04 +0100 Subject: [PATCH 31/36] Adjust source for PR --- ct/alpine-step-ca.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index 2e429dbb..b5e95b30 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/build.func) +source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func) # Copyright (c) 2021-2025 community-scripts ORG # Author: FWiegerinck # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE From ad390cedef8bd4c66c4d999cf3ce02f542617c41 Mon Sep 17 00:00:00 2001 From: fwiegerinck Date: Tue, 21 Jan 2025 23:12:34 +0100 Subject: [PATCH 32/36] - Remove comments - replace motd with .profile --- ct/alpine-step-ca.sh | 15 -------------- install/alpine-step-ca-install.sh | 34 ++++--------------------------- 2 files changed, 4 insertions(+), 45 deletions(-) diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index b5e95b30..5de62fb6 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh 
@@ -5,7 +5,6 @@ source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/m # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE # Source: https://github.com/smallstep/certificates -# App Default Values APP="Alpine-Step-CA" var_tags="alpine;step-ca" var_cpu="1" @@ -15,16 +14,10 @@ var_os="alpine" var_version="3.20" var_unprivileged="0" -# CA default values DEFAULT_CA_NAME="HomeLab CA" - - -# App Output & Base Settings header_info "$APP" base_settings - -# Core variables color catch_errors @@ -55,10 +48,8 @@ function update_script() { function ca_settings() { - # Step 0: Announce whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 - # Basic - Step 1: Name of CA if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_NAME" ]; then CA_NAME="$DEFAULT_CA_NAME" @@ -67,10 +58,8 @@ function ca_settings() { exit fi - # Basic - Step 2: DNS entries of CA CA_DNS_ENTRIES=() DEFAULT_CA_DNS_ENTRY="${HN}.local" - if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_PRIMARY_DNS" ]; then CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY @@ -88,7 +77,6 @@ function ca_settings() { fi done - # Basic - Step 3: X509 policy allow by DNS name x509_policy_dns=() while true; do if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then 
@@ -102,7 +90,6 @@ function ca_settings() { fi done - # Basic - Step 4: X509 policy allow by IP address/range x509_policy_ips=() while true; do if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then @@ -116,11 +103,9 @@ function ca_settings() { fi done - # ACME - Step 1: Should ACME be enabled? if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then CA_ACME="yes" - # ACME - Step 2: Name of ACME provider default_ca_acme_name="acme" if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_ACME_NAME" ]; then diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index a0a14166..aeb5fbb5 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh 
@@ -17,44 +17,31 @@ update_os motd_ssh customize -# Finished base install.... now install and setup Step-CA - -# Step 0: Set internal values config_dir="/etc/step-ca" passwd_file="${config_dir}/password.txt" ca_admin_provisioner="Admin JWK" ca_admin_subject="admin-localhost" ca_admin_provisioner_passwd_file="${config_dir}/admin-jwk-password.txt" - -# Step 1: Installing Dependencies msg_info "Installing dependencies" $STD apk add newt $STD apk add openssl msg_ok "Installed dependencies" - -# Step 2: Prepare environment msg_info "Preparing environment" -$STD echo "export STEPPATH=/etc/step-ca" > ~/.profile +$STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile $STD export STEPPATH=/etc/step-ca msg_ok "Environment prepared" -# Step 3: Do actual install of step-ca msg_info "Installing Alpine Step-CA" $STD apk add step-cli step-certificates msg_ok "Installed Alpine Step-CA" -# Step 4: Setup step-ca - -# Step 4a: Prepare secrets msg_info "Generate CA secrets" -function generatePasswordFile(){ # argument: path of file - +function generatePasswordFile(){ $STD echo "$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)" > "$1" chmod 600 "$1" - } generatePasswordFile "${passwd_file}" @@ -62,14 +49,11 @@ generatePasswordFile "${ca_admin_provisioner_passwd_file}" msg_ok "Generated CA secrets" -# Step 4b: Configure base CA msg_info "Initialize base CA" -# Do initialize and immediately start it for further configuration $STD step ca init --name "${CA_NAME}" --dns localhost $CA_DNS --password-file ${passwd_file} --deployment-type standalone --address ":443" --provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --provisioner-password-file ${ca_admin_provisioner_passwd_file} --remote-management $STD rc-service step-ca start -# Wait till service has started and port is available timeout_counter=0 while ! nc -z localhost 443; do sleep 0.5 
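Review bot: `$STD echo "export STEPPATH=/etc/step-ca" >> ~/.profile` and `$STD echo "$(openssl ...)" > "$1"` attach a redirect to a command that runs through `$STD`; if `$STD` is a wrapper that itself redirects the wrapped command's stdout (this page does not show its definition), the `export` line never reaches `.profile` and the password file is created empty, which `step ca init` would then accept as an empty password only if it tolerates that at all. Plain `printf '%s\n' "export STEPPATH=/etc/step-ca" >> ~/.profile` and `openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13 > "$1"` without the wrapper make the redirect unambiguous. Changing `>` to `>>` also means every re-run of the installer appends another `export STEPPATH` line; a `grep -qF 'export STEPPATH=' ~/.profile ||` guard before the append keeps the file idempotent.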
@@ -83,11 +67,9 @@ done
 msg_ok "Initialized base CA"
-# Step 4c: Configure CA policy if necessary
 if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
 msg_info "Configure CA policy"
- # Ensure admin subject is added to the allow list
 $STD step ca policy authority x509 allow dns "${ca_admin_subject}" --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
 if [ -n "${CA_X509_POLICY_DNS}" ]; then
@@ -100,26 +82,18 @@ if [ -n "${CA_X509_POLICY_DNS}" ] || [ -n "${CA_X509_POLICY_IPS}" ]; then
 msg_ok "Configured CA policy"
 fi
-# Step 4d: Configure ACME if desired
 if [ "${CA_ACME}" = "yes" ]; then
 msg_info "Initialize ACME for CA"
 $STD step ca provisioner add "${CA_ACME_NAME}" --type ACME --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h --admin-provisioner "${ca_admin_provisioner}" --admin-subject "${ca_admin_subject}" --password-file ${ca_admin_provisioner_passwd_file}
 msg_ok "Initialized ACME for CA"
 fi
-
-# Step 4e: Restart service and enable auto-start
 msg_info "Starting Alpine Step-CA"
 $STD rc-service step-ca restart
 $STD rc-update add step-ca default
 msg_ok "Started Alpine Step-CA"
-# Step 4f: Report back completion as it works from here!
 msg_ok "Completed setup of CA"
-# Step 4g: Extend motd with step-ca fingerprint of root CA
-MOTD_FILE="/etc/motd"
-if [ -f "$MOTD_FILE" ]; then
- ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
- echo -e "\n${TAB}${DEFAULT}${YW} Fingerprint CA Root Certificate: ${GN}${ca_root_fingerprint}${CL}" >> "$MOTD_FILE"
-fi
+ca_root_fingerprint=$(step certificate fingerprint ${STEPPATH}/certs/root_ca.crt)
+$STD echo "echo \"Fingerprint CA Root Certificate: ${ca_root_fingerprint}\" " >> ~/.profile
\ No newline at end of file
From 2897e3ba6aa26f14f2f421fcf1570e4c57739467 Mon Sep 17 00:00:00 2001
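Review bot: The root-CA fingerprint is computed once at install time and written into `~/.profile` as a literal, so if the CA is ever re-initialised the login banner keeps showing the old value — and this is exactly the value an operator compares against when bootstrapping clients to this CA, so a stale one is worse than none. Evaluate it at login instead, e.g. `echo 'echo "Fingerprint CA Root Certificate: $(step certificate fingerprint "${STEPPATH}/certs/root_ca.crt")"' >> ~/.profile`, which also quotes the `${STEPPATH}` path the new line leaves unquoted. The write again goes through `$STD echo`, whose definition is outside this patch and may discard the output, and the file now ends without a trailing newline, so anything later appended to this script is glued onto this line.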
From: fwiegerinck
Date: Tue, 21 Jan 2025 23:15:05 +0100
Subject: [PATCH 33/36] update build env
---
 ct/alpine-step-ca.sh | 3 ++-
 misc/build.func | 13 +++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh
index 5de62fb6..4c451bf2 100644
--- a/ct/alpine-step-ca.sh
+++ b/ct/alpine-step-ca.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/build.func)
+#source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2025 community-scripts ORG
 # Author: FWiegerinck
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
diff --git a/misc/build.func b/misc/build.func
index 26937e76..72ea76fd 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -1,3 +1,4 @@
+
 # Copyright (c) 2021-2025 tteck
 # Author: tteck (tteckster)
 # Co-Author: MickLesk
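Review bot: The new `source <(curl -s …/refs/heads/step-ca/misc/build.func)` line fails open: `curl -s` without `-f` hands a 404 body or an empty stream to `source`, which returns 0, so a bad fetch only surfaces later as an unrelated "command not found" instead of stopping the script before it touches the host. At minimum use `curl -fsSL`; and because the target is a moving branch on a personal fork rather than a pinned commit, the code executed on the Proxmox host can change between two runs of an unchanged script. The `curl -s` fetches of `FUNCTIONS_FILE_PATH` in the build.func hunk below have the same shape, and the revert at the end of this page restores the upstream URLs with the same missing failure check.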
@@ -799,9 +800,11 @@ build_container() {
 TEMP_DIR=$(mktemp -d)
 pushd $TEMP_DIR >/dev/null
 if [ "$var_os" == "alpine" ]; then
- export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)"
+# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)"
+ export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/alpine-install.func)"
 else
- export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)"
+# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)"
+ export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/install.func)"
 fi
 export CACHER="$APT_CACHER"
 export CACHER_IP="$APT_CACHER_IP"
@@ -831,7 +834,8 @@ build_container() {
 $PW
 "
 # This executes create_lxc.sh and creates the container and .conf file
- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit
+# bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit
+ bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/ct/create_lxc.sh)" || exit
 LXC_CONFIG=/etc/pve/lxc/${CTID}.conf
 if [ "$CT_TYPE" == "0" ]; then
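Review bot: `bash -c "$(wget -qLO - …/ct/create_lxc.sh)" || exit` cannot detect a failed download: when wget fails the command substitution is empty, `bash -c ""` exits 0, and `|| exit` never fires, so container creation is silently skipped and the `LXC_CONFIG` steps that follow run against a container that was never created. Capture the fetch status on its own, `create_lxc=$(wget -qLO - …/ct/create_lxc.sh) || exit` followed by `bash -c "$create_lxc" || exit`. The `lxc-attach … bash -c "$(wget -qLO - …/install/$var_install.sh)" || exit` line in the next hunk has the same gap, and both lines come back with the same shape in the revert later on this page; `build_container` itself starts and ends outside these hunks.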
@@ -893,7 +897,8 @@ http://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
 pct exec "$CTID" -- ash -c "apk add bash >/dev/null"
 fi
- lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit
+# lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit
+ lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/install/$var_install.sh)" || exit
 }
From 192319d6d40cdf180dfa9f3b8cd070e91b5476f8 Mon Sep 17 00:00:00 2001
From: fwiegerinck
Date: Tue, 21 Jan 2025 23:51:10 +0100
Subject: [PATCH 34/36] Ensure not privileged is the default
---
 ct/alpine-step-ca.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh
index 4c451bf2..2684c671 100644
--- a/ct/alpine-step-ca.sh
+++ b/ct/alpine-step-ca.sh
@@ -13,7 +13,7 @@ var_ram="512"
 var_disk="1024"
 var_os="alpine"
 var_version="3.20"
-var_unprivileged="0"
+var_unprivileged="1"
 DEFAULT_CA_NAME="HomeLab CA"
From f7db35dc6b5f558a760ed24d24429549ba947492 Mon Sep 17 00:00:00 2001
From: fwiegerinck
Date: Tue, 21 Jan 2025 23:51:19 +0100
Subject: [PATCH 35/36] Remove default password
---
 json/step-ca.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/json/step-ca.json b/json/step-ca.json
index 1e0de122..ed55de2e 100644
--- a/json/step-ca.json
+++ b/json/step-ca.json
@@ -28,7 +28,7 @@
 ],
 "default_credentials": {
 "username": null,
- "password": "alpine"
+ "password": null
 },
 "notes": []
 }
\ No newline at end of file
From cc6af57ed29aad5d175e66a1b81d3855a7aa15e0 Mon Sep 17 00:00:00 2001
From: fwiegerinck
Date: Tue, 21 Jan 2025 23:57:13 +0100
Subject: [PATCH 36/36] Revert build origin
---
 ct/alpine-step-ca.sh | 3 +--
 misc/build.func | 13 ++++---------
 2 files changed, 5 insertions(+), 11 deletions(-)
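Review bot: Defaulting `var_unprivileged` to "1" is the right choice for a CA container, but nothing visible on this page checks that step-ca still comes up under it: the installer initialises the CA with `--address ":443"` and then waits on `nc -z localhost 443` (install hunk near the top of this page), and if the Alpine service runs step-ca as a dedicated non-root user it needs `CAP_NET_BIND_SERVICE` or a port above 1024 to bind there inside an unprivileged container. Worth one test run with the new default, and a comment next to this line such as `# unprivileged: step-ca must be able to bind :443 as the service user` so the dependency between this flag and the installer's port choice is not lost.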
diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh
index 2684c671..fd349194 100644
--- a/ct/alpine-step-ca.sh
+++ b/ct/alpine-step-ca.sh
@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
-source <(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/build.func)
-#source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2025 community-scripts ORG
 # Author: FWiegerinck
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
diff --git a/misc/build.func b/misc/build.func
index 72ea76fd..26937e76 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -1,4 +1,3 @@
-
 # Copyright (c) 2021-2025 tteck
 # Author: tteck (tteckster)
 # Co-Author: MickLesk
@@ -800,11 +799,9 @@ build_container() {
 TEMP_DIR=$(mktemp -d)
 pushd $TEMP_DIR >/dev/null
 if [ "$var_os" == "alpine" ]; then
-# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)"
- export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/alpine-install.func)"
+ export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/alpine-install.func)"
 else
-# export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)"
- export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/misc/install.func)"
+ export FUNCTIONS_FILE_PATH="$(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/install.func)"
 fi
 export CACHER="$APT_CACHER"
 export CACHER_IP="$APT_CACHER_IP"
@@ -834,8 +831,7 @@ build_container() {
 $PW
 "
 # This executes create_lxc.sh and creates the container and .conf file
-# bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit
- bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/ct/create_lxc.sh)" || exit
+ bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/create_lxc.sh)" || exit
 LXC_CONFIG=/etc/pve/lxc/${CTID}.conf
 if [ "$CT_TYPE" == "0" ]; then
@@ -897,8 +893,7 @@ http://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
 pct exec "$CTID" -- ash -c "apk add bash >/dev/null"
 fi
-# lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit
- lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/fwiegerinck/ProxmoxVE/refs/heads/step-ca/install/$var_install.sh)" || exit
+ lxc-attach -n "$CTID" -- bash -c "$(wget -qLO - https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/$var_install.sh)" || exit
 }