Docker certificate generation and GPG signing issues

- Change entrypoint to require manual cert generation (not auto-gen)
- Add --entrypoint '' flag to bypass validation when generating certs
- Fix GPG_TTY and stderr redirect for passphrase prompts in onboard
- Update DOCKER.md with clearer 3-step deployment process
- Simplify generate-mtls-certs.sh DNS SAN prompting
- Fix sed -i portability for Alpine/BusyBox
- Update erl_gpg dependency to use primary key fingerprints

Docker deployments now require explicit certificate generation step
before starting server, ensuring DNS SANs can be configured properly.

Author: etnt

bin/cryptic-onboard

@@ -578,7 +578,10 @@ EOF
     CSR_DATA=${CSR_DATA%x}
     # Use fingerprint with ! suffix to force exact key match
     # Sign the exact CSR data we're going to send
-    GPG_SIG=$(printf '%s' "$CSR_DATA" | gpg --armor --detach-sign --local-user "${GPG_FP}!" 2>/dev/null)
+    # Set GPG_TTY so pinentry knows which terminal to use for passphrase prompt
+    export GPG_TTY=$(tty)
+    # Redirect stderr to terminal (not /dev/null) so passphrase prompts appear
+    GPG_SIG=$(printf '%s' "$CSR_DATA" | gpg --armor --detach-sign --local-user "${GPG_FP}!" 2>/dev/tty)
     if [ $? -ne 0 ]; then
         echo ""
         error "Failed to sign CSR with GPG key.\n\nFingerprint: $GPG_FP\nUID: $GPG_EMAIL\n\nMake sure you have the private key and it's not expired."

docs/DOCKER.md

@@ -37,24 +37,26 @@ docker run -it --rm --name cryptic-client \
            --add-host=cryptic-server:host-gateway \
            ghcr.io/etnt/cryptic-tui:latest sh -c 'cryptic --onboard'
 
-# Start the Cryptic client with your username (e.g `franz`)
+# Start the Cryptic client with your username (e.g `bob`)
 # You'll be prompted for a Passphrase which is used to encrypt your local DB
 
 # Method 1: Using environment variables
 docker run -it --rm --name cryptic-client \
            -v ~/.cryptic:/home/cryptic/.cryptic \
            -v ~/.cryptic-gpg:/home/cryptic/.gnupg \
            --add-host=cryptic-server:host-gateway \
-           -e CRYPTIC_USERNAME=franz \
+           -e CRYPTIC_USERNAME=bob \
            -e CRYPTIC_ENABLE_DB=true \
            ghcr.io/etnt/cryptic-tui:latest
 
-# Method 2: Using command-line flags 
+# Method 2: Using command-line flags
+#           (but here also increase log output details)
 docker run -it --rm --name cryptic-client \
            -v ~/.cryptic:/home/cryptic/.cryptic \
            -v ~/.cryptic-gpg:/home/cryptic/.gnupg \
            --add-host=cryptic-server:host-gateway \
-           ghcr.io/etnt/cryptic-tui:latest sh -c 'cryptic -u franz --enable-db --tui'
+           -e CRYPTIC_DEBUG=true \
+           ghcr.io/etnt/cryptic-tui:latest sh -c 'cryptic -u bob --enable-db --tui'
 ```
 
 **Run the latest server image:**
@@ -64,27 +66,28 @@ docker run -it --rm --name cryptic-client \
 docker pull ghcr.io/etnt/cryptic:latest
 
 # Create a directory for storing all Cryptic server data
-mkdir ~/.cryptic_server
+mkdir -p ~/.cryptic_server
 cd ~/.cryptic_server
 
-# Setup the server certificates (one-time step)
-# Creates ca.crt, ca.key, server.crt, server.key in ./priv/ssl/
+# Step 1: Generate CA and server certificates (one-time setup)
+# This will prompt for optional DNS Subject Alternative Names (SANs)
 docker run -it --rm \
+  --entrypoint '' \
   -v $(pwd):/opt/cryptic/server_data \
   -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \
   ghcr.io/etnt/cryptic:latest \
-  sh -c 'DIR=${CRYPTIC_SERVER_DIR}/priv/ssl generate-mtls-certs.sh'
+  sh -c 'DIR="${CRYPTIC_SERVER_DIR}/priv/ssl" generate-mtls-certs.sh'
 
-# Bootstrap the first admin user BEFORE starting the server
-# Step 1: Generate a GPG key on your host (if you don't have one)
-#         No passphrase needed - it's only used for signing CSRs
+# Step 2: Bootstrap the first admin user
+# Generate a GPG key on your host (if you don't have one)
+# No passphrase needed - it's only used for signing CSRs
 gpg --quick-generate-key 'alice <alice@cryptic.local>' rsa4096
 
-# Step 2: Export your GPG public key to the bootstrap directory
+# Export your GPG public key to the bootstrap directory
 mkdir -p priv/ca/bootstrap
 gpg --armor --export alice@cryptic.local > priv/ca/bootstrap/alice.gpg
 
-# Run the server with single directory mount
+# Step 3: Run the server
 # All server data (priv/, logs/, data/) will be in ~/.cryptic_server/
 # Note: Mount to /opt/cryptic/server_data (not /opt/cryptic which contains the Erlang release)
 # For debug log output, add: -e CRYPTIC_DEBUG=true
@@ -96,13 +99,30 @@ docker run -d \
   -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \
   ghcr.io/etnt/cryptic:latest
 
-# Check server logs
+# Check server logs (you'll see certificate information on first start)
 docker logs -f cryptic-server
 
 # Stop the server and remove the container
 docker stop cryptic-server && docker rm cryptic-server
 ```
 
+### Manual Certificate Generation (Optional)
+
+The Quick Deployment section above includes certificate generation as Step 1.
+If you need to regenerate certificates or add additional DNS SANs later:
+
+```bash
+cd ~/.cryptic_server
+
+# Run certificate generation interactively (will prompt for DNS SANs)
+docker run -it --rm \
+  --entrypoint '' \
+  -v $(pwd):/opt/cryptic/server_data \
+  -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \
+  ghcr.io/etnt/cryptic:latest \
+  sh -c 'DIR="${CRYPTIC_SERVER_DIR}/priv/ssl" generate-mtls-certs.sh'
+```
+
 ## The Client
 
 The Cryptic TUI (Terminal User Interface) client can run in Docker to

rebar.lock

@@ -3,7 +3,7 @@
  {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.16.0">>},0},
  {<<"erl_gpg">>,
   {git,"https://github.com/etnt/erl_gpg.git",
-       {ref,"adea5da8a7f78964d84b50c8a921a44ffa7af3e1"}},
+       {ref,"ce79a49bb40557698ea6d596c2b69f1328fcd8f4"}},
   0},
  {<<"esqlite">>,
   {git,"https://github.com/mmzeeman/esqlite.git",

scripts/docker-entrypoint.sh

@@ -25,10 +25,19 @@ echo "  ${CRYPTIC_SERVER_DIR}/priv/ca/bootstrap/*.gpg - Bootstrap GPG keys"
 echo "  ${CRYPTIC_SERVER_DIR}/data/                   - Database files"
 echo "  ${CRYPTIC_SERVER_DIR}/logs/                   - Log files"
 
-# Check if CA certificates exist, generate if missing
+# Check if CA certificates exist
 if [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.crt" ] || [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.key" ]; then
-    echo "INFO: CA certificates not found, generating..."
-    DIR="${CRYPTIC_SERVER_DIR}/priv/ssl" /usr/local/bin/generate-mtls-certs.sh
+    echo "ERROR: CA certificates not found!"
+    echo "Please generate certificates before starting the server:"
+    echo ""
+    echo "  docker run -it --rm \\"
+    echo "    --entrypoint '' \\"
+    echo "    -v \$(pwd):/opt/cryptic/server_data \\"
+    echo "    -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \\"
+    echo "    <image-name> \\"
+    echo "    sh -c 'DIR=\"\${CRYPTIC_SERVER_DIR}/priv/ssl\" generate-mtls-certs.sh'"
+    echo ""
+    exit 1
 else
     echo "INFO: CA certificates found"
 fi
@@ -45,10 +54,10 @@ if [ "${CRYPTIC_DEBUG}" = "true" ]; then
     ls -ld "${CRYPTIC_SERVER_DIR}/data/ca"
     echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data/ca contents:"
     ls -la "${CRYPTIC_SERVER_DIR}/data/ca/" || echo "Directory empty or not readable"
-    
+
     echo "DEBUG: ${CRYPTIC_SERVER_DIR}/priv contents:"
     ls -laR "${CRYPTIC_SERVER_DIR}/priv" 2>/dev/null || echo "Directory not readable"
-    
+
     echo "DEBUG: Environment variables:"
     echo "  CRYPTIC_SERVER_DIR=${CRYPTIC_SERVER_DIR}"
     echo "  CRYPTIC_CA_DB_FILE=${CRYPTIC_CA_DB_FILE}"

scripts/generate-mtls-certs.sh

@@ -22,8 +22,8 @@ if [ ! -f "${DIR}/serial" ]; then
 fi
 
 DNS_SANS=""
-echo "Enter DNS Subject Alternative Name (SAN) (unless localhost only) - press Enter to skip:"
-printf "DNS names (comma-separated): " ; read DNS_SANS
+printf "Enter DNS Subject Alternative Name (SAN) - press Enter to skip\nDNS names (comma-separated): "
+read DNS_SANS
 
 # Build SAN string for OpenSSL config file format (DNS.3 = hostname, DNS.4 = hostname, ...)
 SAN_LINES=""
@@ -38,7 +38,7 @@ if [ -n "$DNS_SANS" ]; then
         if [ -n "$name" ]; then
             if [ -n "$SAN_LINES" ]; then
                 SAN_LINES="${SAN_LINES}
-DNS.$INDEX = $name"
+                DNS.$INDEX = $name"
             else
                 SAN_LINES="DNS.$INDEX = $name"
             fi
@@ -79,11 +79,13 @@ echo "Using OpenSSL config: $OPENSSL_CNF"
 
 # Create temporary config file with SAN extension
 TEMP_CONFIG="/tmp/openssl_san_server.cnf"
+rm -f "$TEMP_CONFIG"
 cp "$OPENSSL_CNF" "$TEMP_CONFIG"
 
 # Update the dir path in the config to match our $DIR
 # This replaces "dir = priv/ssl" (or similar) with the actual DIR path
-sed -i "s|^dir[[:space:]]*=.*|dir = $DIR|" "$TEMP_CONFIG"
+# Use temporary file for POSIX compatibility (Alpine/BusyBox doesn't support sed -i the same way)
+sed "s|^dir[[:space:]]*=.*|dir = $DIR|" "$TEMP_CONFIG" > "$TEMP_CONFIG.tmp" && mv "$TEMP_CONFIG.tmp" "$TEMP_CONFIG"
 
 # Add SAN to the [ alt_names_server ] section after DNS.2 line
 if [ -n "$SAN_LINES" ]; then
@@ -113,7 +115,8 @@ openssl ca -config ${CONFIG_FILE} -extensions v3_server -batch -notext \
 
 
 # Clean up temporary files
-rm ${DIR}/server.csr
+rm -f ${DIR}/server.csr
+rm -f "$TEMP_CONFIG"
 
 # Set appropriate permissions
 chmod 600 ${DIR}/*.key ${DIR}/*.pem