Hi there! Going on my step-ca discovery, it looks like a kind of one step forward, two steps back story… I’m now stuck in trying to apply a template to my JWK provisioner. I did it successfully the first time issuing the following command, from within the container:
The template was applied:
02f7d02123a1:/home/step# step ca provisioner list
[
{
"type": "JWK",
"name": "Admin JWK",
"key": {
"use": "sig",
"kty": "EC",
"kid": "uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg",
"crv": "P-256",
"alg": "ES256",
"x": "Vq38mf_YBbTrAuXRbmIc8tLcl3dBB2zy7F9npppr0kI",
"y": "hwFYB7iX_Dy4Dhz140QR7GbjJ2GWM8CimBpguJxJUAY"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiSzRJRVJiNzVnX3dKYUVYRmpxV3BMUSJ9.XmHVcJzhGQ2SeK3Zjhx1atRdmBay9erwBVUrsfXmJhaCDg2DVjgU6g.0JPSwq_6qb_Aj-9N.UpIzNp6Ac75hL1TPsj4HgiAN1R9wOSXGD6c796dWpe1cgr1peUD1uUG6ReGxlRTqJf744cqlGWc4JJ5AiS-sOLKyq6yadY3JsrmPN_BVqUsprJx85wZE3vs8HPMOvp_pRZyw1tDmVj45EpzLY8zrfh7IUTaYFRZBKTJIO4zrSQFtLjXc7Jy9DoQGcgg4Cv4ixrIUVqDx3ic0-lW9SJ8Ld511U-gVPFtnO7PRUACK25HiVhWEH-7EN1P-EUV2WAxTr0PMhU6iY_DGAYfvLyODcllzhZQPvBZEM6FlW4bDTzwaPcZHKrEJ_nmqVHrBTEDCqjyLxr0fL4Ruus0pkfc.Q5Nl9kjaVfIPmxBqOhWREg",
"claims": {
"defaultTLSCertDuration": "24h0m0s",
"enableSSHCA": false,
"disableRenewal": false,
"allowRenewalAfterExpiry": false,
"disableSmallstepExtensions": false
},
"options": {
"x509": {
"template": "{\n \"subject\": {\n \"commonName\": {{ toJson .Subject.CommonName }},\n \"country\": \"FR\",\n\t\t\"state\": \"XXX\",\n \"locality\": \ »XXX\ »,\n \"organization\": \"Home\",\n\t\t\"emailAddress\": [email protected]\n },\n{{- if .SANs }}\n \"sans\": {{ toJson .SANs }},\n{{- end }}\n{{- if typeIs \"*rsa.PublicKey\" .Insecure.CR.PublicKey }}\n \"keyUsage\": [\"keyEncipherment\", \"digitalSignature\"],\n{{- else }}\n \"keyUsage\": [\"digitalSignature\"],\n{{- end }}\n \"extKeyUsage\": [\"serverAuth\", \"clientAuth\"]\n}\n"
},
"ssh": {}
}
}
]
But now, each time I try to apply another template or reset the setting, I get the following error:
02f7d02123a1:/home/step# step ca provisioner update "Admin JWK" --x509-template ""
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: Admin JWK (JWK) [kid: uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg]
Please enter the password to decrypt the provisioner key:
error applying certificate template
Re-run with STEPDEBUG=1 for more info.
02f7d02123a1:/home/step# step ca provisioner update JWK --x509-template ""
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: Admin JWK (JWK) [kid: uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg]
Please enter the password to decrypt the provisioner key:
error applying certificate template
Re-run with STEPDEBUG=1 for more info.
02f7d02123a1:/home/step# step ca provisioner update JWK --x509-template ""
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: Admin JWK (JWK) [kid: uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg]
Please enter the password to decrypt the provisioner key:
error applying certificate template
Re-run with STEPDEBUG=1 for more info.
02f7d02123a1:/home/step# step ca provisioner update JWK --create --x509-template /home/step/templates/x509/leaf.tpl
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: Admin JWK (JWK) [kid: uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg]
Please enter the password to decrypt the provisioner key:
error applying certificate template
Re-run with STEPDEBUG=1 for more info.
Here is the log output:
What is weird is that I get the same kind of error when trying to list the admin accounts…
02f7d02123a1:/home/step# step ca admin list
No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., [email protected]): step
✔ Provisioner: Admin JWK (JWK) [kid: uDS4xYsPH1dJC5xzzPKlisxny5LliQoNvsPm0Jf5_Zg]
Please enter the password to decrypt the provisioner key:
error applying certificate template
Re-run with STEPDEBUG=1 for more info.
Is there something I didn’t understand? As a reminder, here is my docker-compose:
version: '3.7'
x-step-ca: &step-ca_environment
  DOCKER_STEPCA_INIT_NAME: 'Test-CA'
  DOCKER_STEPCA_INIT_DNS_NAMES: ‘xxx, xxx’
  DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: true
  DOCKER_STEPCA_INIT_SSH: true
  DOCKER_STEPCA_INIT_PROVISIONER_NAME: 'ca-test-admin'
  TZ: 'Europe/Paris'
x-step-db: &step-db_environment
  MYSQL_DATABASE: step-ca
  MYSQL_USER: step-ca-user
  MYSQL_PASSWORD: ‘xxx’
  MYSQL_ROOT_PASSWORD: ‘xxx’
  TZ: 'Europe/Paris'
services:
  step-ca-server:
    image: smallstep/step-ca:latest
    container_name: step-ca
    restart: unless-stopped
    user: root
    environment: *step-ca_environment
    volumes:
      - '/mnt/docker/step-ca:/home/step'
    networks:
      - step-ca-network
    ports:
      - '9000:9000'
    depends_on:
      - db
  db:
    image: mysql:9.0
    container_name: step-db
    hostname: step-db
    restart: unless-stopped
    volumes:
      - '/mnt/docker/step-ca/mysql:/var/lib/mysql'
    environment: *step-db_environment
    mem_limit: 512M # Limit the container to 512MB of memory
    cpus: "1.0" # Limit the container to 1 CPU core
    networks:
      - step-ca-network
networks:
  step-ca-network:
    driver: bridge
I would need any insight if possible…
Replies: 1 comment 2 replies
Well, I think I identified what is going wrong, and it looks like a kind of bug. The issue is that when you apply a template to a provisioner and the template contains an error, you get this behavior. I needed to delete the provisioner and recreate it in order to be able to execute commands again...
@BHuck74 when authenticating to the CA as an admin using the JWK provisioner, it will issue a certificate. When issuing that certificate, it will try to apply the template configured on the provisioner. If the template contains an error, it'll then result in the behavior you're seeing.
It is advisable to not diverge too much from the default template for the admin JWK provisioner when updating it. To be safe, it's good to try things with a separate provisioner first, so that you don't get locked out. In this case you could still go in, and delete the provisioner from the configuration, but that's not always possible. Then after you get the right result, apply it to the actual provisioner …
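A pre-flight check in the spirit of the advice above, as an added example that is not part of this thread or of step-ca: it replaces the Go template actions in an x509 template with placeholders and verifies that what remains is well-formed JSON, so mistakes like the typographic quotes around the locality value and the unquoted emailAddress value visible in the provisioner output above are caught before the template is applied to the admin JWK provisioner. `lint_step_template`, `strip_actions` and the two sample templates are constructed for this example; the check covers JSON syntax only and does not know which subject or extension keys step-ca accepts.

```python
import json
import re

# Go text/template actions, including the "{{-" / "-}}" whitespace-trim forms.
ACTION = re.compile(r"\{\{-?\s*(.*?)\s*-?\}\}", re.S)
CONTROL = re.compile(r"(if|else|end|range|with)\b")
CURLY_QUOTES = "\u2018\u2019\u201c\u201d\u00ab\u00bb"  # ‘ ’ “ ” « »


def strip_actions(text):
    """Replace template actions so the static JSON skeleton can be parsed.

    Control actions (if/else/end/range/with) emit nothing; every other action
    is assumed to emit one JSON value and becomes null. Both branches of an
    if/else are kept, which is acceptable for a pure syntax check.
    """
    return ACTION.sub(lambda m: "" if CONTROL.match(m.group(1)) else "null", text)


def lint_step_template(text):
    """Return a list of problems; an empty list means the skeleton parses as JSON.

    Hypothetical helper, not part of step-ca: JSON syntax only, no knowledge
    of which subject or extension keys step-ca accepts.
    """
    problems = []
    for line_no, line in enumerate(text.splitlines(), 1):
        bad = sorted({c for c in line if c in CURLY_QUOTES})
        if bad:
            problems.append(f"line {line_no}: typographic quote(s) {bad}; use plain \"")
    try:
        json.loads(strip_actions(text))
    except json.JSONDecodeError as e:
        problems.append(f"line {e.lineno} col {e.colno}: JSON syntax error: {e.msg}")
    return problems


# Constructed template mirroring the mistakes in the thread: typographic quotes
# around the locality value and an unquoted emailAddress value.
BAD_TEMPLATE = """{
  "subject": {
    "commonName": {{ toJson .Subject.CommonName }},
    "country": "FR",
    "locality": \u201cXXX\u201d,
    "organization": "Home",
    "emailAddress": admin@example.invalid
  },
{{- if .SANs }}
  "sans": {{ toJson .SANs }},
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}
"""

# The same template with both mistakes corrected.
GOOD_TEMPLATE = BAD_TEMPLATE.replace("\u201cXXX\u201d", '"XXX"').replace(
    "admin@example.invalid", '"admin@example.invalid"')

if __name__ == "__main__":
    for name, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(name, lint_step_template(tpl) or "OK")
```

Run it against a template file before `step ca provisioner update`; as the reply above suggests, a template that passes this check is still best tried on a separate, non-admin provisioner first.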