4.5 KiB
LabCA Standalone Version 
As the ACME protocol is a standard (RFC8555) and not limited to boulder, there also are other implementations, e.g. step-ca from Smallstep™ that you can run and manage yourself.
Getting started with step-ca is much easier than starting with boulder. But Smallstep is not providing a self-managed web GUI to easily see what certificates have been issued by step-ca and what their expiry statuses are. In fact they are using a very specific database storage that does not allow you to query the data directly from a normal database client either.
As the structure of the ACME data is pretty standard anyway, this standalone version of the LabCA GUI was created to work with step-ca (and potentially other ACME implementations in the future). It only works with their MySQL backend, as the BadgerDB backend has several limitations.
The standalone GUI is distributed as a single binary so that it can be easily installed and started. There is also a docker image available.
Usage
Install package
Download the latest .deb file for your platform architecture from the latest release on GitHub.
Install the .deb file:
dpkg -i labca-gui_<version>_<arch>.deb
The first time you can use the -init flag to create the config file. The location of the config file (default data/config.json), the IP address to listen on (default 0.0.0.0) and the port number (default 3000) can be specified, e.g.:
labca-gui -config stepca.json -address 127.0.0.1 -port 8080 -init
For consecutive starts you only need to specify the config file if it is not data/config.json
labca-gui -config stepca.json
The first time you connect to the application, you can create an admin account and specify the MySQL connection details for your step-ca database.
Docker
When running a docker container you can map local filesystem files or directories as volumes to have the config data outside of the image, e.g.:
docker run -it --rm -v /home/username/acme/stepca_config.json:/usr/data/config.json ghcr.io/hakwerk/labca-standalone
or
docker run -it --rm -v /home/username/acme:/opt/acme ghcr.io/hakwerk/labca-standalone labca-gui -config /opt/acme/stepca.json
Docker Compose
Here is a sample docker-compose.yml file for using both StepCA and the LabCA gui:
services:
smallstep:
image: smallstep/step-ca
restart: unless-stopped
ports:
- 9000:9000
volumes:
- /mystorage/stepca:/home/step
environment:
DOCKER_STEPCA_INIT_NAME: StepCA
DOCKER_STEPCA_INIT_DNS_NAMES: mydomain
DOCKER_STEPCA_INIT_PROVISIONER_NAME: admin
depends_on:
- db
web:
image: ghcr.io/hakwerk/labca-standalone
ports:
- 3000:3000
volumes:
- /mystorage/labca/config/stepca_config.json:/usr/data/config.json
depends_on:
- db
db:
user: 3020:3020
image: mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: rootpassword
MYSQL_DATABASE: stepca
MYSQL_USER: stepca
MYSQL_PASSWORD: userpassword
MYSQL_TCP_PORT: 3306
volumes:
- /mystorage/labca/db:/var/lib/mysql
healthcheck:
test:
- CMD
- mysqladmin
- ping
- -h
- localhost
- -uroot
- -prootpassword
interval: 10s
timeout: 5s
retries: 5
networks: {}
systemd service
If you want to have the standalone version running all the time, even after a system reboot, you can create a service with the following steps (with thanks to budulinek):
$ sudo mkdir -p /etc/labca
$ sudo labca-gui -config /etc/labca/labca.json -port 3000 -init
$ sudo useradd --system --home /etc/labca --shell /bin/false labca
$ sudo chown -R labca:labca /etc/labca
$ sudo nano /etc/systemd/system/labca.service
Put the following into that service file:
[Unit]
Description=LabCA service
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
[Service]
Type=simple
User=labca
Group=labca
WorkingDirectory=/etc/labca
ExecStart=/usr/bin/labca-gui -config /etc/labca/labca.json
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=30
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
And finally
$ sudo systemctl daemon-reload
$ systemctl enable --now labca