
[Bug]: Install of root certificate fails on Ubuntu Jammy

Open dawnstrider opened this issue 7 months ago • 3 comments

Steps to Reproduce

  • Install and configure step-ca on system A
  • Install step-cli on system B
  • run step ca bootstrap --ca-url xxxxxxx --fingerprint xxxxxxxx --install

Your Environment

System A

  • OS - Rocky Linux release 9.6 (Blue Onyx)
  • step-ca Version - Smallstep CA/0.28.3 (linux/amd64) Release Date: 2025-03-18T15:56:22Z

System B

  • OS - Ubuntu 22.04 'Jammy'
  • 'step' Version - Smallstep CLI/0.28.6 (linux/amd64) Release Date: 2025-03-18T02:24:56Z

Expected Behavior

Root certificate is installed into the system.

Actual Behavior

An error occurs:

The root certificate has been saved in /root/.step/certs/root_ca.crt.
The authority configuration has been saved in /root/.step/config/defaults.json.
Installing the root certificate in the system truststore...
failed to execute sudo: exit status 1

Additional Context

Command was executed as non-root user AND with "sudo", both behave the same way. I attempted to get more output by setting export STEPDEBUG=1 but no extra output is generated.

I can see a successful sudo attempt in the auth.log:

Jun 26 14:44:53 cmdb sudo: pam_unix(sudo:session): session opened for user root(uid=0) by ubuntu(uid=1000)
Jun 26 14:44:53 cmdb sudo: root : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/tee /etc/pki/ca-trust/source/anchors/root_CA_7985472376057871168.pem

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Jun 26 '25 12:06 dawnstrider

Hi @dawnstrider, our CLI uses the code of our truststore package to interact with the Linux trust store. Do you have one of the commands available listed here: https://github.com/smallstep/truststore/blob/master/truststore_linux.go#L29-L47?

Jun 26 '25 14:06 hslatman

Hi @hslatman. The tool update-ca-certificates is available on system B, where the --install is supposed to happen. See the following output for validation:

xxxx@hostB:~$ sudo step ca bootstrap --ca-url https://pki.domain.org --fingerprint aabbccddeeffgghh --install
The root certificate has been saved in /root/.step/certs/root_ca.crt.
The authority configuration has been saved in /root/.step/config/defaults.json.
Installing the root certificate in the system truststore...
failed to execute sudo: exit status 1
xxxx@hostB:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Jun 30 '25 10:06 dawnstrider

Does the selection logic for one of the two cases work: https://github.com/smallstep/truststore/blob/master/truststore_linux.go#L34-L39, i.e. does one of those directories exist? If not, is there a different directory on your system?

Jun 30 '25 10:06 hslatman
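
One way to answer the question above on system B, as an added example (not code from this issue or from smallstep/truststore): it reports the first trust-anchor directory that exists and whether the matching refresh command is on PATH. The directory list, the directory-to-command pairing and the first-match order are assumptions based on common distro conventions; only /etc/pki/ca-trust/source/anchors and update-ca-certificates appear in the thread.

```shell
#!/bin/sh
# Added diagnostic sketch; not taken from smallstep/truststore.
# Assumption: each anchor directory is paired with its distro's usual
# refresh command, and the first existing directory is the one selected.
CANDIDATES='/etc/pki/ca-trust/source/anchors:update-ca-trust
/usr/local/share/ca-certificates:update-ca-certificates'

# have_cmd NAME: succeeds if NAME resolves on the current PATH.
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# pick_truststore [ROOT]
# Prints "<dir> <command> <status>" for the first candidate directory that
# exists under ROOT (default: the real filesystem). <status> is "ok" when
# the refresh command is available, "missing-command" when the directory
# exists but its command does not. Prints "none" and returns 1 when no
# candidate directory exists at all.
pick_truststore() {
    root=${1:-}
    for entry in $CANDIDATES; do
        dir=${entry%%:*}
        cmd=${entry##*:}
        if [ -d "$root$dir" ]; then
            if have_cmd "$cmd"; then
                echo "$dir $cmd ok"
            else
                echo "$dir $cmd missing-command"
            fi
            return 0
        fi
    done
    echo none
    return 1
}

# Usage on a live host (source this file, then run):
#   pick_truststore
```

A "missing-command" result means a certificate file can be written into the reported directory while the command that rebuilds the trust store cannot be run.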