fixed openssl call

scripts/setup_wizard.sh

@@ -102,8 +102,15 @@ install_unit() {
     local filename=$(basename "$template_url")
     local dest_path=/etc/systemd/system/"$filename"
 
-    log_info "Installing $filename..."
+    if [ -e "$dest_path" ]; then
+        get_input "CONFIRM_OVERWRITE" "Overwrite $dest_path? (y/n)" "y" "false"
+        if [[ "${CONFIRM_OVERWRITE,,}" != "y" ]]; then
+            echo "Skipping overwrite of ${dest_path}."
+            return
+        fi
+    fi
 
+    log_info "Installing $filename..."
     curl -sL $template_url | envsubst > "$dest_path"
     log_success "$filename installed to $dest_path"
 }
@@ -115,31 +122,75 @@ install_unit() {
 echo "Starting Interactive Setup..."
 echo "-----------------------------"
 
-# 1. Collect Inputs
-# Example:
-get_input "HOST_NAME" "Enter Hostname" "$(hostname)" "false"
-get_input "CERT_DIR" "Enter directory for certificates" "$(step path)/certs" "false"
-get_input "CERT_LOCATION" "Enter specific path for cert" "${CERT_DIR}/${HOSTNAME}.crt" "false"
-get_input "KEY_LOCATION" "Enter specific path for private key" "${CERT_DIR}/${HOSTNAME}.key" "false"
+# Verify required external binaries
+if ! command -v step >/dev/null 2>&1; then
+    # Prompt the user to install the step CLI
+    get_input "INSTALL_STEP" "The 'step' CLI was not found. Install now? (y/n)" "y" "false"
 
-export CERT_LOCATION=$(readlink -f $CERT_LOCATION)
-export KEY_LOCATION=$(readlink -f $KEY_LOCATION)
+    if [[ "${INSTALL_STEP,,}" == "y" ]]; then
+        apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates
+        curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
+            echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
+            | tee /etc/apt/sources.list.d/smallstep.list
+        apt-get update && apt-get -y install step-cli step-ca
+    else
+        log_error "Cannot continue without 'step'. Aborting." >&2
+        exit 1
+    fi
+else
+    log_success "Step CA installed\n"
+fi
+
+get_input "CERT_DIR" "Enter directory for certificates" "/var/lib/tls" "false"
+get_input "CERT_FILENAME" "Name for cert file" "cert.pem" "false"
+get_input "KEY_FILENAME" "Name for private key" "key.pem" "false"
+get_input "SPIFFE" "SPIFFE identity" "node" "false"
+
+
+if [ ! -e "$CERT_DIR" ]; then
+    (umask 077; mkdir -p "${CERT_DIR}")
+    log_info "Created ${CERT_DIR}"
+fi
+
+# These need to get set so that they get filled into the service correctly.
+export CERT_LOCATION=$(readlink -f ${CERT_DIR}/$CERT_FILENAME)
+export KEY_LOCATION=$(readlink -f ${CERT_DIR}/$KEY_FILENAME)
 
-# 2. Confirm
 confirm_inputs "CERT_LOCATION" "KEY_LOCATION"
 
-# 3. Configure
-REPO_URL_BASE=https://gitea.john-stream.com/john/soteria/raw/branch/main/
-SERVICE_TEMPLATE_URL="${REPO_URL_BASE}systemd/cert-renewer.service"
-TIMER_TEMPLATE_URL="${REPO_URL_BASE}systemd/cert-renewer.timer"
+if [ ! -e "${CERT_DIR}/root_ca.crt" ]; then
+    step ca root "${CERT_DIR}/root_ca.crt"
+fi
 
-# 3. Execute
-# echo "Configuring $HOST_NAME..."
+if [ ! -f "$CERT_LOCATION" ] || [ ! -f "$KEY_LOCATION" ]; then
+    hostname=$(hostname -s)
+    ip_address=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1)
+    step ca certificate "$hostname" \
+        "${CERT_DIR}/cert.pem" "${CERT_DIR}/key.pem" \
+        --san "$hostname" \
+        --san "$hostname.john-stream.com" \
+        --san "$ip_address" \
+        --san "spiffe://john-stream.com/$SPIFFE" \
+        --provisioner admin
+fi
+
+echo "" >&2
+echo -e "${GREEN}=== Cert information ===${NC}" >&2
+openssl x509 -noout -subject -issuer -ext extendedKeyUsage,subjectAltName -enddate -in "$CERT_LOCATION"
+
+SERVICE_FILE="cert-renewer.service"
+TIMER_FILE="cert-renewer.timer"
+REPO_URL_BASE=https://gitea.john-stream.com/john/soteria/raw/branch/main/
+SERVICE_TEMPLATE_URL="${REPO_URL_BASE}systemd/${SERVICE_FILE}"
+TIMER_TEMPLATE_URL="${REPO_URL_BASE}systemd/${TIMER_FILE}"
+
+echo "" >&2
+echo -e "${GREEN}=== Installing rotation services ===${NC}" >&2
 install_unit ${SERVICE_TEMPLATE_URL}
 install_unit ${TIMER_TEMPLATE_URL}
 
+echo "" >&2
+echo -e "${GREEN}=== Reloading services ===${NC}" >&2
 systemctl daemon-reload
-systemctl enable --now "$(basename "${TIMER_TEMPLATE_URL}")"
-
-systemctl status "$(basename "${SERVICE_TEMPLATE_URL}")" --no-pager
-systemctl status "$(basename "${TIMER_TEMPLATE_URL}")" --no-pager
+systemctl enable --now "${TIMER_FILE}" "${SERVICE_FILE}"
+systemctl list-unit-files $SERVICE_FILE $TIMER_FILE

systemd/cert-renewer.service

@@ -3,22 +3,18 @@ Description=Certificate renewal
 After=network-online.target
 Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
 StartLimitIntervalSec=0
-; PartOf=cert-renewer.target
 
 [Service]
 Type=oneshot
 User=root
 
-; ExecCondition checks if the certificate is ready for renewal,
-; based on the exit status of the command.
-; (In systemd <242, you can use ExecStartPre= here.)
-ExecCondition=/usr/bin/step certificate needs-renewal ${CERT_LOCATION}
+; ExecCondition checks if the certificate is ready for renewal.
+; ExecCondition=/usr/bin/step certificate needs-renewal ${CERT_LOCATION}
 
-; ExecStart renews the certificate, if ExecStartPre was successful.
+; ExecStart renews the certificate, if ExecCondition was successful.
 ExecStart=/usr/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
 
-; ExecStartPost=/usr/bin/openssl x509 -noout -enddate -in ${CERT_LOCATION}
-; ExecStartPost=/usr/bin/docker exec caddy caddy reload --config /etc/caddy/Caddyfile
+ExecStartPost=/usr/bin/openssl x509 -noout -subject -issuer -enddate -in ${CERT_LOCATION}
 
 [Install]
 WantedBy=multi-user.target