From bcab8eddc096dee7aa6156157420b987f30e93b5 Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Tue, 3 Feb 2026 14:56:22 +0100 Subject: [PATCH 01/26] New LXC: step-ca Initial commit --- ct/headers/step-ca | 6 + ct/step-ca.sh | 46 +++++++ frontend/public/json/step-ca.json | 40 ++++++ install/step-ca-install.sh | 222 ++++++++++++++++++++++++++++++ 4 files changed, 314 insertions(+) create mode 100644 ct/headers/step-ca create mode 100644 ct/step-ca.sh create mode 100644 frontend/public/json/step-ca.json create mode 100644 install/step-ca-install.sh diff --git a/ct/headers/step-ca b/ct/headers/step-ca new file mode 100644 index 000000000..f6d7f7ca4 --- /dev/null +++ b/ct/headers/step-ca @@ -0,0 +1,6 @@ + __ + _____/ /____ ____ _________ _ + / ___/ __/ _ \/ __ \______/ ___/ __ `/ + (__ ) /_/ __/ /_/ /_____/ /__/ /_/ / +/____/\__/\___/ .___/ \___/\__,_/ + /_/ diff --git a/ct/step-ca.sh b/ct/step-ca.sh new file mode 100644 index 000000000..dd30eb009 --- /dev/null +++ b/ct/step-ca.sh 
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+APP="step-ca"
+var_tags="${var_tags:-certificate-authority;pki;acme-server}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -f /etc/apt/sources.list.d/smallstep.sources ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  msg_info "Updating step-ca and step-cli"
+  $STD apt update
+  $STD apt upgrade -y step-ca step-cli
+  msg_ok "Updated step-ca and step-cli"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}/provisioners${CL}"
diff --git a/frontend/public/json/step-ca.json b/frontend/public/json/step-ca.json
new file mode 100644
index 000000000..2cbf73e4b
--- /dev/null
+++ b/frontend/public/json/step-ca.json
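Review bot: `$STD apt upgrade -y step-ca step-cli` in update_script relies on `apt upgrade` accepting package names, which apt(8) does not document; depending on the apt version this either upgrades every package in the container or rejects the arguments. `$STD apt install --only-upgrade -y step-ca step-cli` states the intent exactly. After the upgrade it is worth confirming the CA came back, e.g. `systemctl is-active -q step-ca || msg_error "step-ca did not restart"`, because a CA that silently stays down breaks every dependent ACME renewal. The two consecutive `msg_ok` lines say the same thing; one can go.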
@@ -0,0 +1,40 @@
+{
+  "name": "step-ca",
+  "slug": "step-ca",
+  "categories": [
+    6
+  ],
+  "date_created": "2026-02-03",
+  "type": "ct",
+  "updateable": true,
+  "privileged": false,
+  "interface_port": 443,
+  "documentation": "https://smallstep.com/docs/step-ca/",
+  "website": "https://github.com/smallstep/certificates",
+  "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/step-ca.webp",
+  "config_path": "/etc/step-ca",
+  "description": "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.",
+  "install_methods": [
+    {
+      "type": "default",
+      "script": "ct/step-ca.sh",
+      "resources": {
+        "cpu": 1,
+        "ram": 512,
+        "hdd": 2,
+        "os": "debian",
+        "version": "13"
+      }
+    }
+  ],
+  "default_credentials": {
+    "username": "root",
+    "password": null
+  },
+  "notes": [
+    {
+      "text": "For required post installation actions, checkout: `https://github.com/community-scripts/ProxmoxVE/discussions/tbd-XXXXXXXXXXXX`",
+      "type": "info"
+    }
+  ]
+}
diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
new file mode 100644
index 000000000..e4223acc0
--- /dev/null
+++ b/install/step-ca-install.sh
@@ -0,0 +1,222 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Install smallstepp repositories"
+setup_deb822_repo \
+  "smallstep" \
+  "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
+  "https://packages.smallstep.com/stable/debian" \
+  "debs" \
+  "main"
+msg_ok "Installed smallstep repositories"
+
+msg_info "Installing step-ca and step-cli"
+$STD apt install -y step-ca step-cli
+msg_ok "Installed step-ca and step-cli"
+
+msg_info "Define smallstep environment variables"
+STEPHOME="/root/.step"
+$STD export STEPPATH=/etc/step-ca
+$STD export STEPHOME=$STEPHOME
+msg_ok "Defined smallstep environment variables"
+
+msg_info "Add smallstep environment variables to /etc/profile"
+$STD sed -i '1i export STEPPATH=/etc/step-ca' /etc/profile
+$STD sed -i '1i export STEPHOME=/root/.step' /etc/profile
+msg_ok "Added smallstep environment variables to /etc/profile"
+
+msg_info "Authorize step-ca binary with low port-binding capabilities"
+$STD setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+msg_ok "Authorized low port-binding capabilities"
+
+msg_info "Add a smallstepp CA service user - Will only be used by systemd to manage the CA"
+$STD useradd --user-group --system --home $(step path) --shell /bin/false step
+msg_ok "Created smallstepp CA service user"
+
+#
+# Quick & Dirty step-ca init options - to be improved via whiptail
+#
+DeploymentType="standalone"
+FQDN=$(hostname -f)
+DomainName=$(hostname -d)
+IP=$(hostname -I | awk '{print $1}')
+LISTENER=":443"
+PKIName="MyHomePKI"
+PKIProvisioner="pki@$DomainName"
+AcmeProvisioner="acme@$DomainName"
+X509MinDur="48h"
+X509MaxDur="87600h"
+X509DefaultDur="168h"
+
+msg_info "Initializing step-ca"
+EncryptionPwdDir="$(step path)/encryption"
+PwdFile="$EncryptionPwdDir/ca.pwd"
+ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
+
+$STD mkdir -p "$EncryptionPwdDir"
+
+$STD gpg --gen-random --armor 2 32 >"$PwdFile"
+$STD gpg --gen-random --armor 2 32 >"$ProvisionerPwdFile"
+
+$STD step ca init \
+  --deployment-type=$DeploymentType \
+  --ssh \
+  --name=$PKIName \
+  --dns="$FQDN" \
+  --dns="$IP" \
+  --address=$LISTENER \
+  --provisioner="$PKIProvisioner" \
+  --password-file="$PwdFile" \
+  --provisioner-password-file="$ProvisionerPwdFile"
+
+echo
+echo "Make a note of the root fingerprint!"
+echo "You'll need it in future steps to establish trust with your CA from other environments or hosts."
+echo
+
+$STD ln -s "$PwdFile" "$(step path)/password.txt"
+
+$STD chown -R step:step $(step path)
+$STD chmod -R 700 $(step path)
+
+msg_ok "Initialized step-ca"
+
+msg_info "Add ACME provisioner"
+$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
+msg_ok "Added ACME provisioner"
+
+msg_info "Update provisioner configurations"
+$STD step ca provisioner update "$PKIProvisioner" \
+  --x509-min-dur=$X509MinDur \
+  --x509-max-dur=$X509MaxDur \
+  --x509-default-dur=$X509DefaultDur \
+  --allow-renewal-after-expiry
+
+$STD step ca provisioner update "$AcmeProvisioner" \
+  --x509-min-dur=$X509MinDur \
+  --x509-max-dur=$X509MaxDur \
+  --x509-default-dur=$X509DefaultDur \
+  --allow-renewal-after-expiry
+msg_ok "Updated provisioner configurations"
+
+msg_info "Start step-ca as a Daemon"
+ServiceFileGitHUB="https://raw.githubusercontent.com/smallstep/certificates/refs/heads/master/systemd/step-ca.service"
+$STD curl -fsSL $ServiceFileGitHUB >/etc/systemd/system/step-ca.service
+
+$STD systemctl daemon-reload -q
+$STD systemctl enable -q --now step-ca
+msg_ok "Started step-ca as a Daemon"
+
+msg_info "Install root CA certificate into system's default trust store"
+$STD step certificate install --all $(step path)/certs/root_ca.crt
+$STD update-ca-certificates
+msg_ok "Installed root CA certificate into system's default trust store"
+
+msg_info "Install step-batcher to export step-ca badger database"
+StepBadgerGitHUB="https://github.com/lukasz-lobocki/step-badger/releases/latest/download"
+StepBadgerArchive="step-badger_Linux_x86_64.tar.gz"
+StepBadgerDir="$STEPHOME/step-badger"
+StepBadgerExe="$StepBadgerDir/step-badger"
+StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh"
+StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh"
+
+$STD mkdir -p $StepBadgerDir
+$STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive
+$STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir
+
+$STD chmod 700 $StepBadgerDir
+$STD chmod 400 $StepBadgerDir/*
+$STD chmod 755 $StepBadgerExe
+
+$STD cp $StepBadgerExe /usr/local/bin/
+
+$STD mkdir --parents "$STEPHOME/db-copy/"
+$STD mkdir --parents "$STEPHOME/certs/ca/"
+$STD mkdir --parents "$STEPHOME/certs/ssh/"
+$STD mkdir --parents "$STEPHOME/certs/x509/"
+
+$STD cat <<'EOF' >$StepBadgerX509Certs
+#!/usr/bin/env bash
+#
+# See: https://github.com/lukasz-lobocki/step-badger
+#
+
+cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+
+step-badger" x509Certs "$STEPHOME/db-copy" \
+  --dnsnames \
+  --emailaddresses \
+  --ipaddresses \
+  --uris \
+  --issuer \
+  --crl \
+  --provisioner \
+  --algorithm
+EOF
+$STD cat <<'EOF' >$StepBadgerSshCerts
+#!/usr/bin/env bash
+#
+# See: https://github.com/lukasz-lobocki/step-badger
+#
+
+cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+
+step-badger sshCerts "$STEPHOME/db-copy" \
+  --algorithm
+EOF
+$STD chmod 700 $StepBadgerX509Certs
+$STD chmod 700 $StepBadgerSshCerts
+msg_ok "Installed step-batcher to export step-ca badger database"
+
+msg_info "Install step-ca helper scripts"
+StepRequest="$STEPHOME/step-ca-request.sh"
+StepRevoke="$STEPHOME/step-ca-revoke.sh"
+$STD cat <<'EOF' >$StepRequest
+#!/usr/bin/env bash
+#
+StepCertDir="$STEPHOME/certs/x509"
+
+HOST="brw4cd5770e36b4"
+IP="192.168.178.136"
+DOMAIN="fritz.box"
+FQDN=$HOST.$DOMAIN
+VALID_TO="2034-01-31T00:00:00Z"
+PROVISIONER="pki@fritz.box"
+
+step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \
+  --provisioner=$PROVISIONER \
+  --not-after=$VALID_TO \
+  --san $FQDN \
+  --san $HOST \
+  --san $IP
+
+step certificate inspect $StepCertDir/$FQDN.crt
+EOF
+$STD cat <<'EOF' >$StepRevoke
+#!/usr/bin/env bash
+#
+# step ca revoke
+#
+step ca revoke
+EOF
+$STD chmod 700 $StepRequest
+$STD chmod 700 $StepRevoke
+msg_ok "Installed step-ca helper scripts"
+
+motd_ssh
+customize
+cleanup_lxc
From 06a1b98dc660f24e7dcdb9fdd913b905d7d373e8 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:25:32 +0100
Subject: [PATCH 02/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index e4223acc0..cf78012c7 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -156,7 +156,7 @@ $STD cat <<'EOF' >$StepBadgerX509Certs
 cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
 cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
 
-step-badger" x509Certs "$STEPHOME/db-copy" \
+step-badger x509Certs "$STEPHOME/db-copy" \
   --dnsnames \
   --emailaddresses \
   --ipaddresses \
From 7736d3673da6fc4c79b61c93297f7bf4cbbdecb7 Mon Sep 17 00:00:00 2001
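Review bot: The systemd unit is pulled from the mutable `refs/heads/master` branch with `curl -fsSL` and written straight into `/etc/systemd/system/step-ca.service` with no version pin and no integrity check, so the privileges and sandboxing the CA runs under are whatever that branch contained at install time; pin it to a release tag or embed the unit in the script, and fail if the download is empty. Both provisioners are configured with `--x509-max-dur=87600h` and `--allow-renewal-after-expiry`, which lets the holder of an already-expired leaf certificate renew it for up to ten years and is a deliberate relaxation of step-ca's defaults; it deserves a comment stating the trade-off or a shorter ceiling. The CA and provisioner password files are written by `gpg --gen-random` under the process umask before the trailing `chmod -R 700`, so `umask 077` before those two lines closes the window in which they are readable by other users. The step-badger archive is likewise fetched from `releases/latest/download` and executed as root without a checksum, and the request helper ships the author's hostname, address and `fritz.box` domain as defaults.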
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:26:38 +0100
Subject: [PATCH 03/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index cf78012c7..eefa5a9ca 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -114,8 +114,6 @@ msg_ok "Updated provisioner configurations"
 msg_info "Start step-ca as a Daemon"
 ServiceFileGitHUB="https://raw.githubusercontent.com/smallstep/certificates/refs/heads/master/systemd/step-ca.service"
 $STD curl -fsSL $ServiceFileGitHUB >/etc/systemd/system/step-ca.service
-
-$STD systemctl daemon-reload -q
 $STD systemctl enable -q --now step-ca
 msg_ok "Started step-ca as a Daemon"
 
From 9bdc1d810680866497a5c34c4e4259c6be6dce19 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:30:42 +0100
Subject: [PATCH 04/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index eefa5a9ca..b1402015e 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -13,7 +13,7 @@ setting_up_container
 network_check
 update_os
 
-msg_info "Install smallstepp repositories"
+msg_info "Install smallstep repositories"
 setup_deb822_repo \
   "smallstep" \
   "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
From 1697f5acf7da234e5c2ad48577b52e2e53e13da4 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:31:06 +0100
Subject: [PATCH 05/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index b1402015e..4a7070c1e 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -41,7 +41,7 @@ msg_info "Authorize step-ca binary with low port-binding capabilities"
 $STD setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
 msg_ok "Authorized low port-binding capabilities"
 
-msg_info "Add a smallstepp CA service user - Will only be used by systemd to manage the CA"
+msg_info "Add a smallstep CA service user - Will only be used by systemd to manage the CA"
 $STD useradd --user-group --system --home $(step path) --shell /bin/false step
 msg_ok "Created smallstepp CA service user"
 
From 0008b8d2845e69b193acfc041803287f59bfb455 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:31:21 +0100
Subject: [PATCH 06/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 4a7070c1e..0f3910d48 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -43,7 +43,7 @@ msg_ok "Authorized low port-binding capabilities"
 
 msg_info "Add a smallstep CA service user - Will only be used by systemd to manage the CA"
 $STD useradd --user-group --system --home $(step path) --shell /bin/false step
-msg_ok "Created smallstepp CA service user"
+msg_ok "Created smallstep CA service user"
 
 #
 # Quick & Dirty step-ca init options - to be improved via whiptail
From 1a1bb6e88747726729c11aeb400b1ebfaa02f4d9 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:54:31 +0100
Subject: [PATCH 07/26] Update URL in step-ca.json notes

Update with discussion Link
---
 frontend/public/json/step-ca.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frontend/public/json/step-ca.json b/frontend/public/json/step-ca.json
index 2cbf73e4b..cda8080ac 100644
--- a/frontend/public/json/step-ca.json
+++ b/frontend/public/json/step-ca.json
@@ -33,7 +33,7 @@
   },
   "notes": [
     {
-      "text": "For required post installation actions, checkout: `https://github.com/community-scripts/ProxmoxVE/discussions/tbd-XXXXXXXXXXXX`",
+      "text": "For required post installation actions, checkout: `https://github.com/community-scripts/ProxmoxVE/discussions/11504`",
       "type": "info"
     }
   ]
From f23c0d8fef5bdcb2f17b739d255ccb11745a06c5 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 15:56:37 +0100
Subject: [PATCH 08/26] Update install/step-ca-install.sh

Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
---
 install/step-ca-install.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 0f3910d48..058c34766 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -13,14 +13,12 @@ setting_up_container
 network_check
 update_os
 
-msg_info "Install smallstep repositories"
 setup_deb822_repo \
   "smallstep" \
   "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
   "https://packages.smallstep.com/stable/debian" \
   "debs" \
   "main"
-msg_ok "Installed smallstep repositories"
 
 msg_info "Installing step-ca and step-cli"
 $STD apt install -y step-ca step-cli
From c77f33983ebeb80a66959801e06df973c931affe Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 16:16:19 +0100
Subject: [PATCH 09/26] Remove redundant STD prefix from commands

---
 install/step-ca-install.sh | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 058c34766..a3a35f60e 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -86,8 +86,8 @@ echo
 
 $STD ln -s "$PwdFile" "$(step path)/password.txt"
 
-$STD chown -R step:step $(step path)
-$STD chmod -R 700 $(step path)
+chown -R step:step $(step path)
+chmod -R 700 $(step path)
 
 msg_ok "Initialized step-ca"
 
@@ -128,20 +128,20 @@ StepBadgerExe="$StepBadgerDir/step-badger"
 StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh"
 StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh"
 
-$STD mkdir -p $StepBadgerDir
+mkdir -p $StepBadgerDir
 $STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive
 $STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir
 
-$STD chmod 700 $StepBadgerDir
-$STD chmod 400 $StepBadgerDir/*
-$STD chmod 755 $StepBadgerExe
+chmod 700 $StepBadgerDir
+chmod 400 $StepBadgerDir/*
+chmod 755 $StepBadgerExe
 
-$STD cp $StepBadgerExe /usr/local/bin/
+cp $StepBadgerExe /usr/local/bin/
 
-$STD mkdir --parents "$STEPHOME/db-copy/"
-$STD mkdir --parents "$STEPHOME/certs/ca/"
-$STD mkdir --parents "$STEPHOME/certs/ssh/"
-$STD mkdir --parents "$STEPHOME/certs/x509/"
+mkdir --parents "$STEPHOME/db-copy/"
+mkdir --parents "$STEPHOME/certs/ca/"
+mkdir --parents "$STEPHOME/certs/ssh/"
+mkdir --parents "$STEPHOME/certs/x509/"
 
 $STD cat <<'EOF' >$StepBadgerX509Certs
 #!/usr/bin/env bash
@@ -174,8 +174,8 @@ cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
 step-badger sshCerts "$STEPHOME/db-copy" \
   --algorithm
 EOF
-$STD chmod 700 $StepBadgerX509Certs
-$STD chmod 700 $StepBadgerSshCerts
+chmod 700 $StepBadgerX509Certs
+chmod 700 $StepBadgerSshCerts
 msg_ok "Installed step-batcher to export step-ca badger database"
 
 msg_info "Install step-ca helper scripts"
@@ -209,8 +209,8 @@ $STD cat <<'EOF' >$StepRevoke
 #
 step ca revoke
 EOF
-$STD chmod 700 $StepRequest
-$STD chmod 700 $StepRevoke
+chmod 700 $StepRequest
+chmod 700 $StepRevoke
 msg_ok "Installed step-ca helper scripts"
 
 motd_ssh
From 788a76381556dfcab1c2e1388314314bff827350 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 17:07:37 +0100
Subject: [PATCH 10/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index a3a35f60e..2277410f4 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -43,9 +43,7 @@ msg_info "Add a smallstep CA service user - Will only be used by systemd to mana
 $STD useradd --user-group --system --home $(step path) --shell /bin/false step
 msg_ok "Created smallstep CA service user"
 
-#
-# Quick & Dirty step-ca init options - to be improved via whiptail
-#
+DeploymentType="standalone"
 DeploymentType="standalone"
 FQDN=$(hostname -f)
 DomainName=$(hostname -d)
From afd10e2516f3d8628177983e8ac7d327a499a893 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 17:18:46 +0100
Subject: [PATCH 11/26] Refactor password file creation and cleanup

---
 install/step-ca-install.sh | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 2277410f4..d0cd08237 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -61,8 +61,7 @@ EncryptionPwdDir="$(step path)/encryption"
 PwdFile="$EncryptionPwdDir/ca.pwd"
 ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
 
-$STD mkdir -p "$EncryptionPwdDir"
-
+mkdir -p "$EncryptionPwdDir"
 $STD gpg --gen-random --armor 2 32 >"$PwdFile"
 $STD gpg --gen-random --armor 2 32 >"$ProvisionerPwdFile"
 
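Review bot: The three comment lines are replaced by a second `DeploymentType="standalone"`, so the assignment now appears twice in a row; the intended change is presumably to drop the comment only and keep the existing `DeploymentType="standalone"` that follows as context. The duplicate is harmless at runtime but survives into the later `IP=${LOCAL_IP}` hunk, where both copies show up as context, so it should be removed here.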
@@ -77,16 +76,9 @@ $STD step ca init \
   --password-file="$PwdFile" \
   --provisioner-password-file="$ProvisionerPwdFile"
 
-echo
-echo "Make a note of the root fingerprint!"
-echo "You'll need it in future steps to establish trust with your CA from other environments or hosts."
-echo
-
-$STD ln -s "$PwdFile" "$(step path)/password.txt"
-
+ln -s "$PwdFile" "$(step path)/password.txt"
 chown -R step:step $(step path)
 chmod -R 700 $(step path)
-
 msg_ok "Initialized step-ca"
 
 msg_info "Add ACME provisioner"
From 96b786d6472a3e74c6c29b04099a236d8d50cce0 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Tue, 3 Feb 2026 18:37:51 +0100
Subject: [PATCH 12/26] Update install/step-ca-install.sh

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---
 install/step-ca-install.sh | 58 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index d0cd08237..b24644c27 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
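Review bot: Removing the `Make a note of the root fingerprint!` lines leaves the installer with no way to surface the root fingerprint at all, because `step ca init` runs under `$STD` and its output is discarded; clients need that value for `step ca bootstrap`, and an operator who cannot find it tends to fall back to trusting whatever the server presents. Printing it explicitly after init, `step certificate fingerprint "$(step path)/certs/root_ca.crt"`, restores the information without the chatter that was removed. The `step ca init` invocation this hunk sits in starts outside the hunk.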
@@ -100,8 +100,62 @@ $STD step ca provisioner update "$AcmeProvisioner" \
 msg_ok "Updated provisioner configurations"
 
 msg_info "Start step-ca as a Daemon"
-ServiceFileGitHUB="https://raw.githubusercontent.com/smallstep/certificates/refs/heads/master/systemd/step-ca.service"
-$STD curl -fsSL $ServiceFileGitHUB >/etc/systemd/system/step-ca.service
+msg_info "Start step-ca as a Daemon"
+cat <<'EOF' >/etc/systemd/system/step-ca.service
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitAction=reboot
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/etc/step-ca/db
+
+; Read only paths
+ReadOnlyPaths=/etc/step-ca
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now step-ca
 $STD systemctl enable -q --now step-ca
 msg_ok "Started step-ca as a Daemon"
 
From da4a3667647eb09abb8a82b8cfe88cdac5f79b5a Mon Sep 17 00:00:00 2001
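Review bot: `StartLimitAction=reboot` together with `StartLimitBurst=3` and `StartLimitIntervalSec=30` makes systemd reboot the whole container after three failed starts, so a bad `ca.json` edit or an unreadable `password.txt` turns into a reboot loop of the LXC instead of a failed unit; inside a container the default `StartLimitAction=none` is the safer choice and none of the hardening below depends on it. The hunk also leaves `msg_info "Start step-ca as a Daemon"` and `systemctl enable -q --now step-ca` each present twice, one copy with `$STD` and one without, which shows as two spinner lines and two enable calls. `ReadWritePaths=/etc/step-ca/db` under `ProtectSystem=strict` looks right for the badger database, assuming step-ca writes nothing else under `$STEPPATH` at runtime — worth confirming once the ACME and SSH provisioners are in use.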
From: Joerg Heinemann
Date: Wed, 4 Feb 2026 08:31:44 +0100
Subject: [PATCH 13/26] Replace IP assignment with LOCAL_IP variable

---
 install/step-ca-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index b24644c27..7bfeaedc6 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -47,7 +47,7 @@ DeploymentType="standalone"
 DeploymentType="standalone"
 FQDN=$(hostname -f)
 DomainName=$(hostname -d)
-IP=$(hostname -I | awk '{print $1}')
+IP=${LOCAL_IP}
 LISTENER=":443"
 PKIName="MyHomePKI"
 PKIProvisioner="pki@$DomainName"
From ce6bff97514e2e7f52d286f8f345e4bd849dd17e Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Wed, 4 Feb 2026 08:53:56 +0100
Subject: [PATCH 14/26] Refactor step-ca installation script

Updated installation script for step-ca to use new paths and methods for step-badger installation.
---
 install/step-ca-install.sh | 18 +++++++++--------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 7bfeaedc6..0d4f49df1 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -99,7 +99,6 @@ $STD step ca provisioner update "$AcmeProvisioner" \
   --allow-renewal-after-expiry
 msg_ok "Updated provisioner configurations"
 
-msg_info "Start step-ca as a Daemon"
 msg_info "Start step-ca as a Daemon"
 cat <<'EOF' >/etc/systemd/system/step-ca.service
 [Unit]
@@ -155,7 +154,6 @@ ReadOnlyPaths=/etc/step-ca
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl enable -q --now step-ca
 $STD systemctl enable -q --now step-ca
 msg_ok "Started step-ca as a Daemon"
 
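Review bot: `IP=${LOCAL_IP}` trusts that the framework has exported `LOCAL_IP`; if it is empty, the later `--dns="$IP"` hands `step ca init` an empty SAN and the CA certificate is issued without its address, and the value is never checked to be an address at all. A guard on the line before, `: "${LOCAL_IP:?LOCAL_IP is not set}"`, makes the dependency explicit and fails early. Where `LOCAL_IP` is defined is outside this hunk, so whether it can be empty in practice cannot be judged from here.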
@@ -167,18 +165,20 @@ msg_ok "Installed root CA certificate into system's default trust store"
 msg_info "Install step-batcher to export step-ca badger database"
 StepBadgerGitHUB="https://github.com/lukasz-lobocki/step-badger/releases/latest/download"
 StepBadgerArchive="step-badger_Linux_x86_64.tar.gz"
-StepBadgerDir="$STEPHOME/step-badger"
+StepBadgerDir="/opt/step-badger"
 StepBadgerExe="$StepBadgerDir/step-badger"
 StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh"
 StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh"
 
-mkdir -p $StepBadgerDir
-$STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive
-$STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir
+#mkdir -p $StepBadgerDir
+#$STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive
+#$STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir
 
-chmod 700 $StepBadgerDir
-chmod 400 $StepBadgerDir/*
-chmod 755 $StepBadgerExe
+#chmod 700 $StepBadgerDir
+#chmod 400 $StepBadgerDir/*
+#chmod 755 $StepBadgerExe
+
+fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
 
 cp $StepBadgerExe /usr/local/bin/
 
From 8ec380ebbf7a7d0511c4966ded3dc6b931f417e0 Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Wed, 4 Feb 2026 09:37:42 +0100
Subject: [PATCH 15/26] Refactor step-badger installation process

Removed manual installation steps for step-badger and replaced with fetch_and_deploy_gh_release function.
---
 install/step-ca-install.sh | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 0d4f49df1..99ed716ed 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -163,24 +163,11 @@ $STD update-ca-certificates
 msg_ok "Installed root CA certificate into system's default trust store"
 
 msg_info "Install step-batcher to export step-ca badger database"
-StepBadgerGitHUB="https://github.com/lukasz-lobocki/step-badger/releases/latest/download"
-StepBadgerArchive="step-badger_Linux_x86_64.tar.gz"
-StepBadgerDir="/opt/step-badger"
-StepBadgerExe="$StepBadgerDir/step-badger"
 StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh"
 StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh"
 
-#mkdir -p $StepBadgerDir
-#$STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive
-#$STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir
-
-#chmod 700 $StepBadgerDir
-#chmod 400 $StepBadgerDir/*
-#chmod 755 $StepBadgerExe
-
 fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
-
-cp $StepBadgerExe /usr/local/bin/
+ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger
 
 mkdir --parents "$STEPHOME/db-copy/"
 mkdir --parents "$STEPHOME/certs/ca/"
From 3fd2382eef806035331243e9ed8d46dd4d54471c Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Wed, 4 Feb 2026 12:03:05 +0100
Subject: [PATCH 16/26] Implement interactive PKI configuration prompts

Added interactive prompts for PKI configuration options.
---
 install/step-ca-install.sh | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 99ed716ed..1661850d7 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
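Review bot: `fetch_and_deploy_gh_release ... "latest"` installs whatever the newest release of a third-party repository happens to be at install time, with no version pin and no checksum verification visible in this hunk, and the resulting binary is run by root against a copy of the CA database; pinning a release tag and verifying the published checksum, if the project ships one, is the usual remedy. `ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger` also fails on a re-run because the link already exists; `ln -sf` is the idempotent form. Whether the helper itself verifies what it downloads depends on its implementation, which is not in this hunk.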
@@ -56,6 +56,28 @@ X509MinDur="48h"
 X509MaxDur="87600h"
 X509DefaultDur="168h"
 
+while true;
+do
+
+if whiptail_yesno=$(whiptail --title "step ca init options" --yesno "Continue with below?\n
+PKIName: $PKIName
+PKIProvisioner: $PKIProvisioner
+AcmeProvisioner: $AcmeProvisioner
+X509MinDur: $X509MinDur
+X509MaxDur: $X509MaxDur
+X509DefaultDur: $X509DefaultDur" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
+break
+fi
+
+PKIName=$(whiptail --title "step ca init options" --inputbox 'PKIName (e.g. MyHomePKI)' 10 50 "$PKIName" 3>&1 1>&2 2>&3)
+PKIProvisioner=$(whiptail --title "step ca init options" --inputbox 'PKIProvisioner (e.g. pki@$YourDomainName)' 10 50 "$PKIProvisioner" 3>&1 1>&2 2>&3)
+AcmeProvisioner=$(whiptail --title "step ca init options" --inputbox 'AcmeProvisioner (e.g. acme@YourDomainName)' 10 50 "$AcmeProvisioner" 3>&1 1>&2 2>&3)
+X509MinDur=$(whiptail --title "step ca init options" --inputbox 'X509MinDur (e.g. 48h)' 10 50 "$X509MinDur" 3>&1 1>&2 2>&3)
+X509MaxDur=$(whiptail --title "step ca init options" --inputbox 'X509MaxDur (e.g. 87600h)' 10 50 "$X509MaxDur" 3>&1 1>&2 2>&3)
+X509DefaultDur=$(whiptail --title "step ca init options" --inputbox 'X509DefaultDur (e.g. 168h)' 10 50 "$X509DefaultDur" 3>&1 1>&2 2>&3)
+
+done
+
 msg_info "Initializing step-ca"
 EncryptionPwdDir="$(step path)/encryption"
 PwdFile="$EncryptionPwdDir/ca.pwd"
From e186f0e4c24904125cfacd097ab6a37c51bb9eee Mon Sep 17 00:00:00 2001
From: Joerg Heinemann
Date: Wed, 4 Feb 2026 15:18:52 +0100
Subject: [PATCH 17/26] Update step-ca-install.sh for dynamic input handling

Updated helper script for CSR request
---
 install/step-ca-install.sh | 38 ++++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 10 deletions(-)

diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh
index 1661850d7..2ab7887a7 100644
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
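Review bot: Every `whiptail --inputbox` result is assigned without validation, so pressing Cancel or clearing a field leaves e.g. `PKIName` empty, and that empty value later reaches `step ca init` as an unquoted `--name=$PKIName`; with `catch_errors` active, the non-zero exit of a cancelled whiptail may also abort the installer mid-run, depending on how that helper traps errors. A check after each prompt such as `[[ -n "$PKIName" ]] || PKIName="MyHomePKI"`, or looping back on an empty answer, keeps the defaults intact. `whiptail_yesno` is assigned but never read; `if whiptail ... ; then` is sufficient. The duration fields are not checked against the `<number>h` form step-ca expects, so a typo only surfaces later when `step ca provisioner update` runs.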
@@ -238,22 +238,40 @@ $STD cat <<'EOF' >$StepRequest #!/usr/bin/env bash # StepCertDir="$STEPHOME/certs/x509" +PROVISIONER_PASSWORD=$(step path)/encryption//provisioner.pwd -HOST="brw4cd5770e36b4" -IP="192.168.178.136" -DOMAIN="fritz.box" -FQDN=$HOST.$DOMAIN -VALID_TO="2034-01-31T00:00:00Z" -PROVISIONER="pki@fritz.box" +while true; +do + +FQDN=$(whiptail --title "step ca certificate options" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3) +IP=$(dig +short $FQDN) +if [[ -z "$IP" ]]; then + echo "Resolution failed for $FQDN" + exit +fi +HOST=$(echo $FQDN | awk -F'.' '{print $1}') +IP=$(whiptail --title "step ca certificate options" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) +HOST=$(whiptail --title "step ca init options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) +VALID_TO=$(whiptail --title "step ca init options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) + +if whiptail_yesno=$(whiptail --title "step ca init options" --yesno "Continue with below?\n +HOST: $HOST +IP: $IP +FQDN: $FQDN +VALID_TO: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then +break +fi + +done step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \ - --provisioner=$PROVISIONER \ + --provisioner-password-file=$PROVISIONER_PASSWORD \ --not-after=$VALID_TO \ --san $FQDN \ --san $HOST \ - --san $IP - -step certificate inspect $StepCertDir/$FQDN.crt + --san $IP \ + && step certificate inspect $StepCertDir/$FQDN.crt \ + || echo "Failed to request certificate"; exit EOF $STD cat <<'EOF' >$StepRevoke #!/usr/bin/env bash From 64a3696786fb7947df48cdde8896f35d673bf200 Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Wed, 4 Feb 2026 18:38:57 +0100 Subject: [PATCH 18/26] Remove installation of step-ca revoke script Removed step-ca revoke script installation. --- install/step-ca-install.sh | 9 --------- 1 file changed, 9 deletions(-) 
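Review bot: The failure path of the generated helper ends in `|| echo "Failed to request certificate"; exit`, which exits with status 0 on a failed issuance because `exit` without an argument takes the status of the preceding `echo`, so neither an operator script nor a `set -e` wrapper can detect it. Replace the tail with `|| { echo "Failed to request certificate" >&2; exit 1; }`. `IP=$(dig +short $FQDN)` can return several lines (a CNAME target followed by its address, or multiple A records), and that multi-line value is later expanded unquoted as `--san $IP`; pick one address, e.g. `IP=$(dig +short "$FQDN" | tail -n1)`, and quote `$FQDN`, `$IP` and `$StepCertDir/$FQDN.crt` wherever they are expanded. The `VALID_TO` prompt passes the literal `"2034-01-31T00:00:00Z"` as its default instead of `"$VALID_TO"`, so on "Change" the previously entered validity is discarded while every other prompt keeps its value. Whether `dig` (dnsutils) is among the packages the installer adds is not visible in this hunk.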
diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 2ab7887a7..55d2102fa 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh @@ -233,7 +233,6 @@ msg_ok "Installed step-batcher to export step-ca badger database" msg_info "Install step-ca helper scripts" StepRequest="$STEPHOME/step-ca-request.sh" -StepRevoke="$STEPHOME/step-ca-revoke.sh" $STD cat <<'EOF' >$StepRequest #!/usr/bin/env bash # @@ -273,15 +272,7 @@ step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \ && step certificate inspect $StepCertDir/$FQDN.crt \ || echo "Failed to request certificate"; exit EOF -$STD cat <<'EOF' >$StepRevoke -#!/usr/bin/env bash -# -# step ca revoke -# -step ca revoke -EOF chmod 700 $StepRequest -chmod 700 $StepRevoke msg_ok "Installed step-ca helper scripts" motd_ssh From 55f6be3e2dc39ef5db6171f85730c51b3b39b5cb Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Fri, 6 Feb 2026 15:26:52 +0100 Subject: [PATCH 19/26] Change input prompts to certificate options section --- install/step-ca-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 55d2102fa..89bfbf697 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh 
@@ -250,10 +250,10 @@ if [[ -z "$IP" ]]; then fi HOST=$(echo $FQDN | awk -F'.' '{print $1}') IP=$(whiptail --title "step ca certificate options" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) -HOST=$(whiptail --title "step ca init options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) -VALID_TO=$(whiptail --title "step ca init options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) +HOST=$(whiptail --title "step ca certificate options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) +VALID_TO=$(whiptail --title "step ca certificate options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) -if whiptail_yesno=$(whiptail --title "step ca init options" --yesno "Continue with below?\n +if whiptail_yesno=$(whiptail --title "step ca certificate options" --yesno "Continue with below?\n HOST: $HOST IP: $IP FQDN: $FQDN From b68eb1ef5e17e99a611ffbe1521ef3762c5d8c67 Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Sun, 8 Feb 2026 10:24:59 +0100 Subject: [PATCH 20/26] Change whiptail title to include backtitle --- install/step-ca-install.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 89bfbf697..cad8fd8be 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh @@ -59,7 +59,7 @@ X509DefaultDur="168h" while true; do -if whiptail_yesno=$(whiptail --title "step ca init options" --yesno "Continue with below?\n +if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --yesno "Continue with below?\n PKIName: $PKIName PKIProvisioner: $PKIProvisioner AcmeProvisioner: $AcmeProvisioner 
@@ -69,12 +69,12 @@ X509DefaultDur: $X509DefaultDur" --no-button "Change" --yes-button "Continue" 15 break fi -PKIName=$(whiptail --title "step ca init options" --inputbox 'PKIName (e.g. MyHomePKI)' 10 50 "$PKIName" 3>&1 1>&2 2>&3) -PKIProvisioner=$(whiptail --title "step ca init options" --inputbox 'PKIProvisioner (e.g. pki@$YourDomainName)' 10 50 "$PKIProvisioner" 3>&1 1>&2 2>&3) -AcmeProvisioner=$(whiptail --title "step ca init options" --inputbox 'AcmeProvisioner (e.g. acme@YourDomainName)' 10 50 "$AcmeProvisioner" 3>&1 1>&2 2>&3) -X509MinDur=$(whiptail --title "step ca init options" --inputbox 'X509MinDur (e.g. 48h)' 10 50 "$X509MinDur" 3>&1 1>&2 2>&3) -X509MaxDur=$(whiptail --title "step ca init options" --inputbox 'X509MaxDur (e.g. 87600h)' 10 50 "$X509MaxDur" 3>&1 1>&2 2>&3) -X509DefaultDur=$(whiptail --title "step ca init options" --inputbox 'X509DefaultDur (e.g. 168h)' 10 50 "$X509DefaultDur" 3>&1 1>&2 2>&3) +PKIName=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'PKIName (e.g. MyHomePKI)' 10 50 "$PKIName" 3>&1 1>&2 2>&3) +PKIProvisioner=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'PKIProvisioner (e.g. pki@$YourDomainName)' 10 50 "$PKIProvisioner" 3>&1 1>&2 2>&3) +AcmeProvisioner=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'AcmeProvisioner (e.g. acme@YourDomainName)' 10 50 "$AcmeProvisioner" 3>&1 1>&2 2>&3) +X509MinDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509MinDur (e.g. 48h)' 10 50 "$X509MinDur" 3>&1 1>&2 2>&3) +X509MaxDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509MaxDur (e.g. 87600h)' 10 50 "$X509MaxDur" 3>&1 1>&2 2>&3) +X509DefaultDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509DefaultDur (e.g. 168h)' 10 50 "$X509DefaultDur" 3>&1 1>&2 2>&3) done 
@@ -249,11 +249,11 @@ if [[ -z "$IP" ]]; then exit fi HOST=$(echo $FQDN | awk -F'.' '{print $1}') -IP=$(whiptail --title "step ca certificate options" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) -HOST=$(whiptail --title "step ca certificate options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) -VALID_TO=$(whiptail --title "step ca certificate options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) +IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) +HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) +VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) -if whiptail_yesno=$(whiptail --title "step ca certificate options" --yesno "Continue with below?\n +if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --yesno "Continue with below?\n HOST: $HOST IP: $IP FQDN: $FQDN From 81af9f5c132b9f07140238b9218407893f4c865e Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Sun, 8 Feb 2026 10:32:42 +0100 Subject: [PATCH 21/26] Fix FQDN input prompt in step-ca-install.sh --- install/step-ca-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index cad8fd8be..993da25d4 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh 
@@ -43,7 +43,6 @@ msg_info "Add a smallstep CA service user - Will only be used by systemd to mana $STD useradd --user-group --system --home $(step path) --shell /bin/false step msg_ok "Created smallstep CA service user" -DeploymentType="standalone" DeploymentType="standalone" FQDN=$(hostname -f) DomainName=$(hostname -d) @@ -242,7 +241,7 @@ PROVISIONER_PASSWORD=$(step path)/encryption//provisioner.pwd while true; do -FQDN=$(whiptail --title "step ca certificate options" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3) +FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3) IP=$(dig +short $FQDN) if [[ -z "$IP" ]]; then echo "Resolution failed for $FQDN" From 954202e8a77f34f7de2762bf6106057f9e0e690f Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Wed, 11 Feb 2026 15:28:44 +0100 Subject: [PATCH 22/26] Enhance step-ca.sh to update step-badger Added logic to check for and update step-badger. --- ct/step-ca.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ct/step-ca.sh b/ct/step-ca.sh index dd30eb009..7c971b32b 100644 --- a/ct/step-ca.sh +++ b/ct/step-ca.sh @@ -27,11 +27,15 @@ function update_script() { msg_error "No ${APP} Installation Found!" exit fi - msg_info "Updating step-ca and step-cli" $STD apt update $STD apt upgrade -y step-ca step-cli msg_ok "Updated step-ca and step-cli" + + if check_for_gh_release "step-badger" "lukasz-lobocki/step-badger"; then + fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz" + msg_ok "Updated successfully!" + fi msg_ok "Updated successfully!" exit } From 667ba8a2f35e218eb2ac255e044e433b27b3a5a8 Mon Sep 17 00:00:00 2001 
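Review bot: `msg_ok "Updated successfully!"` is now emitted twice when step-badger is updated — once inside the new `if check_for_gh_release ...` block and again after it — so one run reports two completions; the inner call should name what it did, e.g. `msg_ok "Updated step-badger"`, and the final summary line stays as is. When `check_for_gh_release` reports no new release nothing is logged for step-badger at all, so an `else` branch with `msg_ok "step-badger is already up to date"` (if that matches the framework's messaging style) would make the output unambiguous. `update_script`'s opening line is outside the hunk.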
From: Joerg Heinemann Date: Wed, 11 Feb 2026 15:46:33 +0100 Subject: [PATCH 23/26] Fix path for PROVISIONER_PASSWORD variable --- install/step-ca-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 993da25d4..9297d1b69 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh @@ -236,7 +236,7 @@ $STD cat <<'EOF' >$StepRequest #!/usr/bin/env bash # StepCertDir="$STEPHOME/certs/x509" -PROVISIONER_PASSWORD=$(step path)/encryption//provisioner.pwd +PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd while true; do From 69d44dddfab4b406ab5cc505159e12ece5ffae4b Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Wed, 11 Feb 2026 16:40:33 +0100 Subject: [PATCH 24/26] Update user prompts for CSR details in script --- install/step-ca-install.sh | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 9297d1b69..0f8989659 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh 
@@ -241,33 +241,41 @@ PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd while true; do -FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3) +FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3) IP=$(dig +short $FQDN) if [[ -z "$IP" ]]; then echo "Resolution failed for $FQDN" exit fi HOST=$(echo $FQDN | awk -F'.' '{print $1}') -IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) -HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) -VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) +IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) +HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) +SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Subject Alternative Name(s) (SANs) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3) +VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'VALID_TO (e.g. 
2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) -if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca certificate options" --yesno "Continue with below?\n -HOST: $HOST -IP: $IP +if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n FQDN: $FQDN +Hostname: $HOST +IP Address: $IP +Subject Alternative Name(s) (SANs): $SAN VALID_TO: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then break fi done +SAN="$FQDN, $HOST, $IP, $SAN" + +IFS=', ' read -r -a array <<< "$SAN" +for element in "${array[@]}" +do + SAN_ARRAY+=(--san "$element") +done + step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \ --provisioner-password-file=$PROVISIONER_PASSWORD \ --not-after=$VALID_TO \ - --san $FQDN \ - --san $HOST \ - --san $IP \ + "${SAN_ARRAY[@]}" \ && step certificate inspect $StepCertDir/$FQDN.crt \ || echo "Failed to request certificate"; exit EOF From 9eac6659570b151a6940f7237dd4687e0ffd4fdc Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Wed, 11 Feb 2026 16:48:28 +0100 Subject: [PATCH 25/26] Update input prompts for CSR script --- install/step-ca-install.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh index 0f8989659..aa45b7dab 100644 --- a/install/step-ca-install.sh +++ b/install/step-ca-install.sh 
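Review bot: The SAN split `IFS=', ' read -r -a array <<< "$SAN"` produces empty elements whenever the entered list contains a double comma or a comma followed only by spaces (e.g. `a, , b`), and each empty element becomes `--san ""` in the `step ca certificate` call, which step will most likely reject as an invalid SAN; skip blanks when building the array, `[[ -n "$element" ]] && SAN_ARRAY+=(--san "$element")`. Because IFS includes the space, an entry containing a space is also split into two SANs — harmless for DNS names and IPs, but worth stating in the prompt text. The new titles say "Certificate Signing Request (CSR)", yet the script does not produce a CSR: `step ca certificate` requests and receives the signed certificate directly, so a title such as `Certificate request` describes what the helper does.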
@@ -248,17 +248,17 @@ if [[ -z "$IP" ]]; then exit fi HOST=$(echo $FQDN | awk -F'.' '{print $1}') -IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'IP (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) -HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'HOST (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) -SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Subject Alternative Name(s) (SANs) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3) -VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'VALID_TO (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) +IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'IP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3) +HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Hostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3) +SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Subject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3) +VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Validity (e.g. 
2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3) if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n FQDN: $FQDN Hostname: $HOST IP Address: $IP -Subject Alternative Name(s) (SANs): $SAN -VALID_TO: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then +Subject Alternative Name(s) (SAN): $SAN +Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then break fi From 5194bf18ca8a6274ef1b201b9ac4847fbafebf7a Mon Sep 17 00:00:00 2001 From: Joerg Heinemann Date: Wed, 11 Feb 2026 17:02:12 +0100 Subject: [PATCH 26/26] Add restart command for step-ca service Restart step-ca service after updating packages. --- ct/step-ca.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/ct/step-ca.sh b/ct/step-ca.sh index 7c971b32b..b5ebb2eeb 100644 --- a/ct/step-ca.sh +++ b/ct/step-ca.sh @@ -30,6 +30,7 @@ function update_script() { msg_info "Updating step-ca and step-cli" $STD apt update $STD apt upgrade -y step-ca step-cli + $STD systemctl restart step-ca msg_ok "Updated step-ca and step-cli" if check_for_gh_release "step-badger" "lukasz-lobocki/step-badger"; then
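Review bot: `$STD systemctl restart step-ca` now runs on every invocation of `update_script`, even when `apt upgrade` installed nothing, so each update run causes a short outage of the CA for ACME clients and `step ca` users; whether the Debian package already restarts the unit on a real upgrade is not visible here. Restart only when the installed version changed: record `before=$(dpkg-query -W -f='${Version}' step-ca)` ahead of the `apt upgrade` line and replace the unconditional restart with `if [[ "$before" != "$(dpkg-query -W -f='${Version}' step-ca)" ]]; then $STD systemctl restart step-ca; fi`. The restart's output is suppressed by `$STD`, so a unit that fails to come back is reported only through the framework's error trap, if any; a `systemctl is-active --quiet step-ca || msg_error "step-ca is not running after update"` after the restart makes the CA's health explicit. `update_script`'s opening line and closing `}` are outside this hunk.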