LinkerD Create Certificates Command Error #858

Open
agardnerIT opened this issue Apr 29, 2023 · 3 comments

agardnerIT commented Apr 29, 2023

Describe the bug
On this page, I run the LinkerD Create Certificates command:

certDir=$(exe='step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure \
&& step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 87600h --no-password --insecure \
--ca ca.crt --ca-key ca.key'; \
  sudo docker run --mount "type=bind,src=$(pwd),dst=/home/step"  -i smallstep/step-cli /bin/bash -c "$exe";  \
echo $(pwd));

and get:

Unable to find image 'smallstep/step-cli:latest' locally
latest: Pulling from smallstep/step-cli
f56be85fc22e: Pulling fs layer
27fe088ea5a4: Pulling fs layer
ce4a63d0b3ed: Pulling fs layer
4f4fb700ef54: Pulling fs layer
4f4fb700ef54: Waiting
27fe088ea5a4: Verifying Checksum
27fe088ea5a4: Download complete
f56be85fc22e: Verifying Checksum
f56be85fc22e: Download complete
4f4fb700ef54: Verifying Checksum
4f4fb700ef54: Download complete
ce4a63d0b3ed: Verifying Checksum
ce4a63d0b3ed: Download complete
f56be85fc22e: Pull complete
27fe088ea5a4: Pull complete
ce4a63d0b3ed: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:635a07124877c258f4bc90b7b2ddbe06dddfab84bae89cfeb09de4bd82fd9017
Status: Downloaded newer image for smallstep/step-cli:latest
error reading information for ca.key: stat ca.key: permission denied

whoami

$ whoami
root

ls -al

After command has failed (no keys created):

$ pwd
/root
$ ls
filesystem # a folder that should be there as standard on my system

@wwonigkeit
Member

Also tested this and not working for me either. Managed to use the command below to get it working:

certDir=$(exe='cd /tmp/certs && step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure \
&& step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 87600h --no-password --insecure \
--ca ca.crt --ca-key ca.key'; \
  sudo docker run --mount "type=bind,source=/tmp,destination=/tmp/certs"  -i smallstep/step-cli /bin/bash -c "$exe";  \
echo $(pwd));

Output is shown below:

wilhelmwonig@MacBook~ % ls -la /tmp/
total 32
drwxrwxrwt  12 root              wheel  384 29 Apr 15:55 .
drwxr-xr-x   6 root              wheel  192 12 Apr 20:41 ..
-rw-------   1 wilhelmwonigkeit  wheel  599 29 Apr 15:55 ca.crt
-rw-------   1 wilhelmwonigkeit  wheel  227 29 Apr 15:55 ca.key
-rw-------   1 wilhelmwonigkeit  wheel  652 29 Apr 15:55 issuer.crt
-rw-------   1 wilhelmwonigkeit  wheel  227 29 Apr 15:55 issuer.key

@agardnerIT
Author

agardnerIT commented Apr 30, 2023

Some follow-up on the above. The command generates files into /tmp. But $certDir is still set to /root (in my case).

This causes the following step (Install Linkerd) on this page to fail because the command is looking for certs in $certDir (/root) rather than /tmp.

So the working command set would be:

certDir=/tmp

helm repo add linkerd https://helm.linkerd.io/stable;

helm install linkerd-crds linkerd/linkerd-crds -n linkerd --create-namespace 

helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=$certDir/ca.crt \
  --set-file identity.issuer.tls.crtPEM=$certDir/issuer.crt \
  --set-file identity.issuer.tls.keyPEM=$certDir/issuer.key \
  linkerd/linkerd-control-plane --wait
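
A pre-flight check for the failure described in the comment above, where $certDir does not point at the generated files. This is an added example, not part of the thread or the project's docs; the function name check_linkerd_certs is an assumption, and the file names are the ones used by the commands in this issue.

```shell
#!/bin/sh
# Added example: pre-flight check for the directory handed to
# `helm install ... --set-file`. check_linkerd_certs is a hypothetical name.
check_linkerd_certs() {
  dir=$1
  rc=0
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

  # The two `step certificate create` calls write these four files;
  # each must exist and be non-empty.
  for f in ca.crt ca.key issuer.crt issuer.key; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2
      rc=1
    fi
  done

  # --set-file passes file contents through as-is, so expect PEM.
  for f in ca.crt issuer.crt; do
    if [ -s "$dir/$f" ] && ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$f"; then
      echo "no PEM certificate header: $dir/$f" >&2
      rc=1
    fi
  done

  # --no-password leaves the keys unencrypted, so the file mode is their
  # only protection: reject any group/other permission bits.
  for f in ca.key issuer.key; do
    [ -e "$dir/$f" ] || continue
    mode=$(ls -ld "$dir/$f" | cut -c5-10)   # group+other part of e.g. -rw-------
    if [ "$mode" != "------" ]; then
      echo "key readable beyond its owner: $dir/$f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: check_linkerd_certs "$certDir" && helm install linkerd-control-plane ...
```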

@jensg-st
Member

jensg-st commented May 1, 2023

Thanks. We need to update the docs. There is an info box for that but it seems the solution is to use the /tmp dir by default for the generated certs.
