step-ca on FreeBSD

[basilhendroff]

I had been trying to set up Caddy to issue internal certs, but then stalled when it appeared that the FreeBSD platform was not supported. My efforts are in this Caddy forum thread.

FreeBSD is absent from the Smallstep installation guide, reinforcing the notion that FreeBSD is not supported.

Interestingly, step-certificates and step-cli have been ported to FreeBSD, but there's no documentation on how to configure it correctly under FreeBSD. I've tried to use the smallstep guides as much as possible, but I'm now out of ideas. I'm hoping for some guidance here. So, this is what I've done so far...

I managed to install the packages in a jail.

root@smallstep:~ # pkg install step-certificates
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        pcsc-lite: 1.9.0_1,2
        step-certificates: 0.15.8
        step-cli: 0.15.13

Number of packages to be installed: 3

The process will require 77 MiB more space.

Proceed with this action? [y/N]: y
[smallstep] [1/3] Installing step-cli-0.15.13...
[smallstep] [1/3] Extracting step-cli-0.15.13: 100%
[smallstep] [2/3] Installing pcsc-lite-1.9.0_1,2...
[smallstep] [2/3] Extracting pcsc-lite-1.9.0_1,2: 100%
[smallstep] [3/3] Installing step-certificates-0.15.8...
===> Creating groups.
Using existing group 'step'.
===> Creating users
Using existing user 'step'.
[smallstep] [3/3] Extracting step-certificates-0.15.8: 100%
=====
Message from step-cli-0.15.13:

--
================================================================================
Step Client requires additional configuration:

Ensure to set the STEPPATH environment variable. This makes using the
commands much simpler.
================================================================================
=====
Message from pcsc-lite-1.9.0_1,2:

--
PC/SC-Lite has been installed.

You need to install a driver for your smartcard reader e.g.,
- devel/libccid
- security/ifd-slb_rf60

For cardreaders connected to the serial port: After installing the driver,
please update the pcscd configuration file:
/usr/local/etc/reader.conf

For USB cardreaders add the following lines to /etc/devd.conf to enable
hotplugging:

attach 100 {
        device-name "ugen[0-9]+";
        action "/usr/local/sbin/pcscd -H";
};

detach 100 {
        device-name "ugen[0-9]+";
        action "/usr/local/sbin/pcscd -H";
};
--
===>   NOTICE:

The pcsc-lite port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
=====
Message from step-certificates-0.15.8:

--
================================================================================
Step Certificates requires additional configuration:

The simple way is via the service start script step_ca.
When there is no configuration it will be created. User input is required!!!

The hard way would be via the step command.

Ensure to set the STEPPATH environment variable. This makes using the
commands much simpler.
================================================================================
root@smallstep:~ #

Relevant parts of how I configure the CA in the jail. The jail IP is 10.1.1.3...

root@smallstep:~ # step ca init
✔ What would you like to name your new PKI? (e.g. Smallstep): Smallstep
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): 10.1.1.3
✔ What address will your new CA listen at? (e.g. :443): :443

Here's where I come unstuck. Trying to start the step-ca service...

root@smallstep:~ # sysrc step_ca_enable=yes
step_ca_enable: yes -> yes
root@smallstep:~ # service step-ca start
Starting step_ca.
step_ca is not running.
root@smallstep:~ #

[mawi78]

Hi Basil,

I'm the maintainer of the FreeBSD port. I just sent you an answer to your mail you sent earlier.

Thanks
Markus

[maraino]

@mawi78 @basilhendroff Can you post here the steps necessary to configure step-ca properly on FreeBSD, we can ask @tashian to add it to our docs.

[basilhendroff]

Hi @maraino,

I did indicate to @mawi78 in an email that I'd add something here and I'll do that in my next post. I did want to point out though that there are a couple of Smallstep-FreeBSD issues that I'd love to see some progress on.

1. At present, I'm trying to skirt around an issue with Caddy and get it to interact with a Smallstep CA rather than its internal CA. The instructions I've found here https://smallstep.com/docs/tutorials/acme-protocol-acme-clients#caddy-v2 and it's this that initiated my contact with @mawi78. I'm currently working with the Caddy folk to iron out some of the details. You can follow that here https://caddy.community/t/my-mtls-journey/12364/41.
2. It appears I'm not able to use the Caddy internal CA (powered by Smallstep?) because of a trust issue. See this Caddy forum post https://caddy.community/t/my-mtls-journey/12364/38. In that post, I've been asked to comment, but, being an end-user rather than a developer, I'm not sure what words to use to use to make a difference here. All I can think of is 'Hi! Don't forget FreeBSD! We matter as well.'
3. As Caddy, Smallstep and the FreeBSD port evolve and mature, that this gets reflected in the Smallstep documentation. I believe this is the substance of your post.

[mawi78]

Hi @maraino ,

as far as I'm concerned and using it it's just a matter of the following steps:

1. pkg install step-certificates
2. sysrc step_ca_enable=yes
3. service step-ca start

The step ca init part is taken care of by the start-up script I created for the package to make it easy to quickly get up and running. You can have a look at what it does at /usr/local/etc/rc.d/step-ca and also customize most of the settings used via rc.conf variables .
The step ca directory is kept in /usr/local/etc/step/ca by default

[basilhendroff]

Hi @mawi78,

Thanks for your assistance in helping me get the Smallstep FreeBSD port working. Here's an extract from your email:

Did you try with just installing it and starting the service with "service step-ca start” ?
That’s how I installed it on my certificates-jail.
Maybe some other hints:

• I’m using a jail with vnet
• the service listens on port 8443, maybe port 443 is already in use by your host if not using vnet?

I've got some queries about the FreeBSD port of Smallstep, but I'll take this offline and communicate directly with you via email.

@maraino Here's a log of a successful installation of step-ca and step-cli in a FreeBSD jail that other FreeBSD users can follow.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.05.18 14:18:20 =~=~=~=~=~=~=~=~=~=~=~=
root@smallstep:~ # freebsd-version
12.2-RELEASE-p6
root@smallstep:~ # pkg install step-certificates

The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[smallstep] Extracting pkg-1.16.3: 100%
Updating FreeBSD repository catalogue...
[smallstep] Fetching meta.conf:   0%
[smallstep] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[smallstep] Fetching packagesite.txz: 100%    6 MiB   3.3MB/s    00:02    
Processing entries: 100%
FreeBSD repository update completed. 30504 packages processed.
All repositories are up to date.
Updating database digests format:   0%
Updating database digests format:   0%
Updating database digests format: 100%
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	pcsc-lite: 1.9.0_1,2
	step-certificates: 0.15.8
	step-cli: 0.15.13

Number of packages to be installed: 3

The process will require 77 MiB more space.
23 MiB to be downloaded.

Proceed with this action? [y/N]: y
[smallstep] [1/3] Fetching step-certificates-0.15.8.txz: 100%   17 MiB   4.4MB/s    00:04    
[smallstep] [2/3] Fetching step-cli-0.15.13.txz: 100%    6 MiB   3.0MB/s    00:02    
[smallstep] [3/3] Fetching pcsc-lite-1.9.0_1,2.txz: 100%   97 KiB  98.9kB/s    00:01    
Checking integrity... done (0 conflicting)
[smallstep] [1/3] Installing step-cli-0.15.13...
[smallstep] [1/3] Extracting step-cli-0.15.13: 100%
[smallstep] [2/3] Installing pcsc-lite-1.9.0_1,2...
[smallstep] [2/3] Extracting pcsc-lite-1.9.0_1,2: 100%
[smallstep] [3/3] Installing step-certificates-0.15.8...
===> Creating groups.
Creating group 'step' with gid '266'.
===> Creating users
Creating user 'step' with uid '266'.
[smallstep] [3/3] Extracting step-certificates-0.15.8: 100%
=====
Message from step-cli-0.15.13:

--
================================================================================
Step Client requires additional configuration:

Ensure to set the STEPPATH environment variable. This makes using the
commands much simpler.
================================================================================
=====
Message from pcsc-lite-1.9.0_1,2:

--
PC/SC-Lite has been installed.

You need to install a driver for your smartcard reader e.g.,
- devel/libccid
- security/ifd-slb_rf60

For cardreaders connected to the serial port: After installing the driver,
please update the pcscd configuration file:
/usr/local/etc/reader.conf

For USB cardreaders add the following lines to /etc/devd.conf to enable
hotplugging:

attach 100 {
        device-name "ugen[0-9]+";
        action "/usr/local/sbin/pcscd -H";
};

detach 100 {
        device-name "ugen[0-9]+";
        action "/usr/local/sbin/pcscd -H";
};
--
===>   NOTICE:

The pcsc-lite port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
=====
Message from step-certificates-0.15.8:

--
================================================================================
Step Certificates requires additional configuration:

The simple way is via the service start script step_ca. 
When there is no configuration it will be created. User input is required!!!

The hard way would be via the step command.

Ensure to set the STEPPATH environment variable. This makes using the
commands much simpler.
================================================================================

root@smallstep:~ # sysrc step_ca_enable=yes

step_ca_enable:  -> yes
root@smallstep:~ # service step-ca start

No configured Step CA found.
Creating new one....
✔What would you like to name your new PKI? (e.g. Smallstep): Smallstep
✔What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): 10.1.1.3
✔What address will your new CA listen at? (e.g. :443): :8443
✔What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): myname@mymail.com
✔What do you want your password to be? [leave empty and we'll generate one]: secret

Generating root certificate... 
all done!

Generating intermediate certificate... 
all done!

✔Root certificate: /usr/local/etc/step/ca/certs/root_ca.crt
✔Root private key: /usr/local/etc/step/ca/secrets/root_ca_key
✔Root fingerprint: [REDACTED]
✔Intermediate certificate: /usr/local/etc/step/ca/certs/intermediate_ca.crt
✔Intermediate private key: /usr/local/etc/step/ca/secrets/intermediate_ca_key
✔Database folder: /usr/local/etc/step/ca/db
✔Default configuration: /usr/local/etc/step/ca/config/defaults.json
✔Certificate Authority configuration: /usr/local/etc/step/ca/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

FEEDBACK 😍 🍻
      The step utility is not instrumented for usage statistics. It does not
      phone home. But your feedback is extremely valuable. Any information you
      can provide regarding how you’re using `step` helps. Please send us a
      sentence or two, good or bad: feedback@smallstep.com or join
      https://github.com/smallstep/certificates/discussions.
Step CA Password file for auto-start not found
Creating it....
Please enter the Step CA Password:

Starting step_ca.
step_ca is running as pid 95912.
root@smallstep:~ # 

[basilhendroff]

I'm not convinced that Smallstep functions as intended under FreeBSD due to this issue smallstep/truststore#1.
Testing under the FreeBSD port seems to confirm the issue:

root@smallstep:~ # step certificate install /usr/local/etc/step/ca/certs/root_ca.crt
failed to install /usr/local/etc/step/ca/certs/root_ca.crt: trust not supported

This is the same issue identified when using the Caddy internal CA, which is based on the Smallstep library. More info in this Caddy forum post https://caddy.community/t/my-mtls-journey/12364/37

[maraino]

I believe that's the only command that will not work. But if you can provide the appropriate commands to install a root certificate in FreeBSD we can add support for it. The only thing that truststore does is run the appropriate command to do it. See for example the code for Linux https://github.com/smallstep/truststore/blob/master/truststore_linux.go

[basilhendroff]

smallstep/truststore#1 (comment)

[ahallrq]

Apologies for bumping a 3 year old thread.

Thanks for creating this write-up. I've noticed there is a particularly nasty bug in how the initial setup works that's had me pulling my hair out for the last hour or so trying to get step-ca to to run via service/rc.d. In my experience if the machine is restarted before the service is started for the first time when your CA hasn't yet been created, FreeBSD locks up on the next boot waiting for user input requiring a restart and creates a broken set of configs (namely an empty /usr/local/etc/step/ca directory). At that point step-ca won't run and there's no output telling you what's wrong.

I know the guide does specifically tell the user to start step-ca as soon as the service is enabled but it may trip anyone up who happens to do a reboot before setting up their CA for the first time.

I'm not overly familiar on how to send patches to FreeBSD's ports but I'd be happy to try and add a couple of checks to the rc.d script file to mitigate this issue.

Cheers.

[mawi78]

Hi all, I’m just preparing the new version of step-certificates and step-cli. I will change the rc -script accordingly, so that in the future it will just exit in case there is no configuration and add a new configure command to it to generate the configuration. This should mitigate the observed errors. Thanks Markus

…

On 26. Mar 2024, at 04:04, Andrew ***@***.***> wrote: Apologies for bumping a 3 year old thread. Thanks for creating this write-up. I've noticed there is a particularly nasty bug in how the initial setup works that's had me pulling my hair out for the last hour or so trying to get step-ca to to run via service/rc.d. In my experience if the machine is restarted before the service is started for the first time when your CA hasn't yet been created, FreeBSD locks up on the next boot waiting for user input requiring a restart and creates a broken set of configs (namely an empty /usr/local/etc/step/ca directory). At that point step-ca won't run and there's no output telling you what's wrong. I know the guide does specifically tell the user to start step-ca as soon as the service is enabled but it may trip anyone up who happens to do a reboot before setting up their CA for the first time. I'm not overly familiar on how to send patches to FreeBSD's ports but I'd be happy to try and add a couple of checks to the rc.d script file to mitigate this issue. Cheers. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>