Use ceremony tool for generating keys and certs; store keys on SoftHSM

Replace the openssl-based certificate / CRL generation with the ceremony tool
used by Let's Encrypt, storing the keys in SoftHSMv2, a software-simulated HSM
(Hardware Security Module).
Include migration of old setups where key files were also stored on
disk.
This commit is contained in:
Arjan H
2025-01-31 20:44:48 +01:00
parent 8852d49425
commit 6d72d32398
38 changed files with 2181 additions and 583 deletions


@@ -37,6 +37,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
cron \
curl \
python3 \
softhsm2 \
tzdata \
ucspi-tcp \
&& rm -rf /var/lib/apt/lists/*
@@ -59,6 +60,7 @@ COPY tmp/restore /opt/labca/
COPY tmp/utils.sh /opt/labca/
COPY tmp/src/labca /opt/staging/boulder_labca
COPY tmp/admin/apply-boulder /opt/labca/
COPY tmp/admin/apply /opt/labca/
COPY tmp/admin/static /opt/staging/static
COPY tmp/admin/data /opt/staging/data
@@ -68,7 +70,4 @@ COPY tmp/admin/apply-nginx /opt/labca/
COPY tmp/bin/boulder /opt/boulder/bin/
RUN cd /opt/boulder/bin/ \
&& ln -s boulder admin-revoker \
&& ln -s boulder mail-tester \
&& mkdir /opt/logs
RUN mkdir /opt/logs
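Review bot: The `@@ -68,7 +70,4 @@` hunk drops the `admin-revoker` and `mail-tester` symlinks from /opt/boulder/bin, but nothing in this commit shows what happens to labca scripts or documentation that still invoke those names; any remaining caller of `/opt/boulder/bin/admin-revoker` would now fail at runtime, so a grep across the repository before merging is worth it. If upstream boulder no longer provides those entry points this cleanup is right, but a one-line comment above `RUN mkdir /opt/logs` such as `# admin-revoker and mail-tester symlinks dropped: upstream boulder no longer ships them` would record why the set of shipped binaries changed (the build script's binary-count threshold is lowered in the same commit). The first hunk adds `softhsm2` to the apt install list; since the token files it handles are shared with the control image through a volume, the package version here and in the other Dockerfile should be kept in step, and a comment saying so next to the package name would help.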


@@ -1,4 +1,4 @@
FROM ubuntu:focal as builder
FROM ubuntu:focal AS builder
RUN export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \
@@ -31,6 +31,7 @@ FROM ubuntu:focal
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
softhsm2 \
tzdata \
unzip \
zip \
@@ -46,3 +47,6 @@ COPY tmp/admin/apply-boulder /opt/labca/
COPY tmp/admin/apply-nginx /opt/labca/
COPY tmp/admin/restart_control /opt/labca/
COPY tmp/admin/templates /opt/labca/templates/
COPY tmp/bin/ceremony /opt/boulder/bin/
COPY tmp/bin/nameid /opt/boulder/bin/
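Review bot: The new `COPY tmp/bin/ceremony` and `COPY tmp/bin/nameid` lines place the key-generation tooling into this image with no comment explaining where these binaries come from or why they sit next to the boulder binaries; a comment such as `# ceremony and nameid: Let's Encrypt tooling used to create the CA keys/certs in the SoftHSM token` above the two COPY lines would help the next maintainer, and it should also say which build step produces them in tmp/bin (I cannot see that from this commit). Because this image now also installs `softhsm2` and presumably writes the token files that the boulder image reads, the two Dockerfiles need compatible softhsm2 versions and the same tokendir setting; a comment on the apt line pointing at the other Dockerfile would make that coupling explicit. The `as` → `AS` change in the first hunk is purely cosmetic.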


@@ -22,7 +22,7 @@ services:
- boulder_data:/opt/boulder/labca
- certificates:/opt/boulder/labca/certs
- nginx_html:/opt/wwwstatic
- softhsm:/var/lib/softhsm/tokens:cached
- softhsm:/var/lib/softhsm/tokens
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -113,6 +113,7 @@ services:
- backup:/opt/backup
- boulder_data:/opt/boulder/labca
- certificates:/opt/boulder/labca/certs
- softhsm:/var/lib/softhsm/tokens
expose:
- 3000
depends_on:
@@ -154,6 +155,7 @@ services:
- logs:/opt/logs
- boulder_data:/opt/boulder/labca
- certificates:/opt/boulder/labca/certs
- softhsm:/var/lib/softhsm/tokens
- nginx_conf:/etc/nginx/conf.d
- nginx_ssl:/etc/nginx/ssl
- nginx_html:/var/www/html
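Review bot: The `softhsm` volume, which after this commit holds the CA private keys, is mounted read-write into three services (the boulder service in the first hunk and the two services at `@@ -113` and `@@ -154`), so any process in any of those containers can copy or alter the token files; the commit message says the ceremony tool generates the keys, so presumably only the container running ceremony needs write access. Consider documenting next to each mount which service needs write access and why, e.g. `# softhsm token store (CA keys); written by ceremony, read for signing by boulder`, and test whether a `:ro` mount works for the signing-only consumers (SoftHSM may need to write lock or generation files in the token directory, so verify before changing). Dropping `:cached` on the first mount is fine; it was a Docker Desktop consistency hint with no effect on Linux hosts.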


@@ -35,7 +35,7 @@ if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
fi
cnt=$(ls -1 tmp/bin | wc -l)
[ $cnt -gt 20 ] || die "Only found $cnt boulder binaries!" # ?? still correct??
[ $cnt -gt 16 ] || die "Only found $cnt boulder binaries!" # ?? still correct??
docker build -f Dockerfile-boulder -t $LABCA_BOULDER_TAG .
if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
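Review bot: Lowering the threshold to `16` keeps a magic number whose only rationale is the `?? still correct??` question mark carried over from the old line; the Dockerfile hunk in this same commit removes the `admin-revoker` and `mail-tester` symlinks, so the number presumably tracks what upstream boulder currently builds, and the comment should say that instead, e.g. `# lower bound on the binaries upstream boulder builds; admin-revoker and mail-tester were dropped upstream`. More importantly, a lower bound on the count does not catch a missing `ceremony` or `nameid` binary, which the control Dockerfile now COPYs and which this commit makes essential; an explicit `[ -x tmp/bin/ceremony ] && [ -x tmp/bin/nameid ] || die "ceremony/nameid binaries missing!"` before the count check would fail fast with a clear message. The variable should also be quoted, `[ "$cnt" -gt 16 ]`, so an empty result from `ls` produces a readable error rather than a test syntax error.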


@@ -1,5 +1,5 @@
diff --git a/docker-compose.yml b/docker-compose.yml
index c7939ece4..0a2854919 100644
index 71203004d..b17125e54 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
@@ -19,11 +19,11 @@ index c7939ece4..0a2854919 100644
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/nginx_data/static:/opt/wwwstatic
- - ./.gocache:/root/.cache/go-build:cached
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - nginx_html:/opt/wwwstatic
+ - softhsm:/var/lib/softhsm/tokens:cached
+ - softhsm:/var/lib/softhsm/tokens
networks:
bouldernet:
ipv4_address: 10.77.77.77
@@ -35,7 +35,7 @@ index c7939ece4..0a2854919 100644
entrypoint: labca/entrypoint.sh
working_dir: &boulder_working_dir /opt/boulder
logging:
@@ -87,34 +87,39 @@ services:
@@ -87,35 +87,40 @@ services:
bconsul:
image: hashicorp/consul:1.15.4
@@ -67,12 +67,14 @@ index c7939ece4..0a2854919 100644
- - /home/labca/backup:/opt/backup
- - .:/opt/boulder
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/
+ - ./docker-compose.yml:/opt/boulder/docker-compose.yml
+ - ldata:/opt/labca/data
+ - nginx_html:/opt/wwwstatic
+ - backup:/opt/backup
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - softhsm:/var/lib/softhsm/tokens
expose:
- 3000
depends_on:
@@ -85,7 +87,7 @@ index c7939ece4..0a2854919 100644
logging:
driver: "json-file"
options:
@@ -131,27 +136,27 @@ services:
@@ -132,28 +137,28 @@ services:
- 80:80
- 443:443
volumes:
@@ -113,6 +115,7 @@ index c7939ece4..0a2854919 100644
- - /home/labca/control_logs:/opt/logs
- - .:/opt/boulder
- - /home/labca/boulder_labca:/opt/boulder/labca
- - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/
- - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d
- - /home/labca/nginx_data/ssl:/etc/nginx/ssl
- - /home/labca/nginx_data/static:/var/www/html
@@ -122,13 +125,14 @@ index c7939ece4..0a2854919 100644
+ - logs:/opt/logs
+ - boulder_data:/opt/boulder/labca
+ - certificates:/opt/boulder/labca/certs
+ - softhsm:/var/lib/softhsm/tokens
+ - nginx_conf:/etc/nginx/conf.d
+ - nginx_ssl:/etc/nginx/ssl
+ - nginx_html:/var/www/html
expose:
- 3030
environment:
@@ -169,6 +174,15 @@ services:
@@ -171,6 +176,15 @@ services:
volumes:
dbdata: