
Support executable provisioner password files in RA install script

Open yarcod opened this issue 2 years ago • 4 comments

Name of feature:

Fixing install source of step-ca in setup script

Pain or issue this feature alleviates:

Following the guide on: https://smallstep.com/docs/registration-authorities/acme-for-certificate-manager/index.html?fingerprint=41363fbbc3b4c23a38b1ad6120da34a7876e0480bebd8aa72c12d7a7dbe75d29&caUrl=https://home.edholm.ca.smallstep.com&#1-create-your-ra leads me to download a setup script. Most of the script works as intended, but after the extraction of step-ca, the install looks for the step-ca in the wrong directory. This PR adjusts the source dir to where step-ca actually ends up.

yarcod avatar Feb 13 '24 20:02 yarcod

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Feb 13 '24 20:02 CLAassistant

Apologies, I intended to push this next part as a separate PR.

The idea behind the last part is that if a runnable executable is provided as the password file, it will be run in order to get the passphrase from some other tool. My use case for it is to retrieve an item from 1password (op), but it could likewise be used to generate and store a new password in a safe place.

If this last feature is acceptable, the documentation on the previously mentioned website would need updating. Both with the fact that there is such an option, and that it can be provided as an executable.

yarcod avatar Feb 13 '24 20:02 yarcod

Hi @yarcod, thanks for pointing out the issue with the RA installer, and for your contribution. I created #1719 to address that with a newer URL. Could you please update this PR to only cover the password executable? Thanks.

tashian avatar Feb 13 '24 22:02 tashian

@tashian I reverted the initial commit and kept the second one, as well as edited the PR title to reflect the actual changes.

I realised that the --provisioner-password-file is used in other places as well. For consistency, should this flag be updated for, e.g., step as well?

yarcod avatar Feb 14 '24 21:02 yarcod

Hi @yarcod,

We took a look at this PR during our open source review. Unfortunately, having an executable for fetching the password is not a feature that we're able to support at the moment. It's a bit confusing to have a "password file" that is actually an executable; maybe if it were a separate flag we could make it work. But my suggestion would be to make a copy of this script for yourself and add what you need for supporting the password manager you use. It's not a script that changes very often. Hope this helps.

tashian avatar Feb 21 '24 20:02 tashian