
NodePKI Docker Image

_   _           _      ____  _  _____
| \ | | ___   __| | ___|  _ \| |/ /_ _|
|  \| |/ _ \ / _` |/ _ \ |_) | ' / | |
| |\  | (_) | (_| |  __/  __/| . \ | |
|_| \_|\___/ \__,_|\___|_|   |_|\_\___|

By ADITO Software GmbH

This Docker container contains the following components:

Installation (productive usage)

See the production README.md for more information about the productive usage of nodepki.

Installation (development usage)

git clone https://github.com/aditosoftware/nodepki-docker.git
cd nodepki-docker

Build Docker image

sudo docker-compose build

These commands will download NodePKI and NodePKI-Client from GitHub and build the container image.

Configure docker container environment

Set

  • API_USERNAME and
  • API_PASSWORD

variables in docker-compose.yml. An initial user account for API access will be created with these login credentials.

Create configuration files

To create the persistent config files, run the following command:

sudo docker-compose run nodepki /bin/sh /opt/nodepki/setup.sh

Configure NodePKI and NodePKI-Client

Now configure NodePKI and NodePKI-Client by editing the config.yml files in data/[nodepki/nodepki-client]/config/ on the host.

Note: PKI settings such as the CRL URL, the OCSP server URL and the CA data cannot be changed during usage! Once you've set these attributes and started using your CA, they will be kept until you create a completely new PKI! Think well about your CA configuration!

Set domains and urls in data/nodepki/config/config.yml:

    server:
        ip: 0.0.0.0
        http:
            domain: ca.adito.local
            port: 8080
        ocsp:
            domain: ca.adito.local
            port: 2560

Configure OCSP and CRL URLs:

    ca:
        intermediate:
            ocsp:
                url: "http://ca.adito.local/ocsp"
            crl:
                url: "http://ca.adito.local/public/ca/intermediate/crl"

Both URLs correspond to the public URLs as they are defined in the HTTP reverse proxy (see the Nginx config below). Web browsers will use these URLs to check certificate validity.

Do not forget to change the CA passphrases! (default: yyyy)

Change the remaining settings according to your needs.

First start

Start NodePKI for the first time by executing

sudo docker-compose up

Your CA will be created on the first startup. You can stop the container again by pressing CTRL+C.

You should now backup your configuration files and PKI by copying the data/ directory on the host. This is where the important data lives.

Configure Nginx proxy

Use an external Nginx reverse proxy server to make URLs nice and to offer TLS encryption.

    ###
    ### NodePKI API server (unencrypted)
    ###

    server {
        listen 80;
        server_name ca.adito.local;

        location = / {
                rewrite ^ https://ca.adito.local/webclient/ permanent;
        }

        location /api {
                rewrite ^ https://$host$request_uri? permanent;
        }

        location /public {
                proxy_pass http://nodepki:8080/public;
        }

        location /ocsp {
                proxy_pass http://nodepki:2560;
        }

        location /webclient/ {
                rewrite ^ https://$host$request_uri? permanent;
        }
    }
    ###
    ### NodePKI API server (encrypted)
    ###

    server {
        listen 443 ssl;
        server_name ca.adito.local;

        ssl_certificate /etc/nginx/certs/ca.adito.local.crt;
        ssl_certificate_key /etc/nginx/certs/ca.adito.local.key;

        location = / {
                rewrite ^ https://ca.adito.local/webclient/ permanent;
        }

        location /api {
                proxy_pass http://nodepki:8080/api;
        }

        location /public {
                proxy_pass http://nodepki:8080/public;
        }

        location /webclient/ {
                proxy_pass http://nodepki:5000/;
        }
    }

  • api.cert.pem and api.key.pem are the certificate files from the host directory ./data/nodepki/mypki/apicert/
  • nodepki resolves to the NodePKI docker container, which exposes ports 8080, 5000 and 2560.

Fit the above Nginx configuration to your environment.
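The OCSP and CRL URLs from the "Configure OCSP and CRL URLs" step are written into every issued certificate and cannot be changed later, so they must match what the Nginx proxy above actually forwards to the CA. The following added example (not part of nodepki-docker) is a pre-flight check that parses an Nginx config, works out which server block and location would answer each URL, and reports URLs that the proxy would redirect or not handle at all; the sample config and URLs are constructed from the README's snippets.

```python
import re
from urllib.parse import urlparse

def parse_nginx(text):
    """Map each server block's listen port to its server_name and location -> directive."""
    servers, depth, cur, loc = {}, 0, None, None
    for s in map(str.strip, re.split(r"(?<=[;{}])", re.sub(r"#.*", "", text))):
        m = re.match(r"(listen|server_name|location|proxy_pass|rewrite)\b\s*=?\s*([^\s;{]*)", s)
        kind, arg = (m.group(1), m.group(2)) if m else (None, None)
        if depth == 0 and s.startswith("server"):
            cur = {"server_name": None, "locations": {}}
        elif depth == 1 and kind == "listen":
            servers[int(arg)] = cur
        elif depth == 1 and kind == "server_name":
            cur["server_name"] = arg
        elif depth == 1 and kind == "location":
            loc = arg
            cur["locations"][loc] = None
        elif depth == 2 and loc and kind in ("proxy_pass", "rewrite"):
            cur["locations"][loc] = kind             # what answers requests under this path
        depth += s.count("{") - s.count("}")
        if depth < 2:                                # left the location block
            loc = None
    return servers

def check_pki_urls(nginx_conf, urls):
    """Return findings for OCSP/CRL URLs that the proxy would not pass to the CA backend."""
    servers, problems = parse_nginx(nginx_conf), []
    for name, url in urls.items():
        u = urlparse(url)
        srv = servers.get(443 if u.scheme == "https" else 80)   # plain http -> port 80 block
        if srv is None or srv["server_name"] != u.hostname:
            problems.append(f"{name}: no nginx server block answers for {u.scheme}://{u.hostname}")
            continue
        hit = [p for p in srv["locations"] if u.path.startswith(p)]   # longest prefix wins
        if not hit or srv["locations"][max(hit, key=len)] != "proxy_pass":
            problems.append(f"{name}: {u.path} is redirected or unhandled, not proxied")
    return problems

# Constructed sample: the README's proxy, condensed, plus the URLs from its config.yml.
NGINX_CONF = """
server {
    listen 80;
    server_name ca.adito.local;
    location /public { proxy_pass http://nodepki:8080/public; }
    location /ocsp { proxy_pass http://nodepki:2560; }
}
server {
    listen 443 ssl;
    server_name ca.adito.local;
    location = / { rewrite ^ https://ca.adito.local/webclient/ permanent; }
}
"""
PKI_URLS = {"ocsp": "http://ca.adito.local/ocsp", "crl": "http://ca.adito.local/public/ca/intermediate/crl"}
```

Run `check_pki_urls(NGINX_CONF, PKI_URLS)` against your own nginx config and URLs before the first start; an https OCSP URL, for example, is flagged because the port 443 block only redirects `/`.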

Start Docker container

sudo docker-compose up

You can start the container in background mode by appending the -d flag.

Stop Docker container

sudo docker-compose stop

Using the integrated Web-based GUI client "NodePKI Webclient"

Visit https://ca.adito.local/webclient/ and log in with the account that was created via the docker-compose environment variables in the beginning.

Using the integrated CLI client

(in another shell instance)

sudo docker-compose exec nodepki /bin/sh
cd ../nodepki-client/
node client

Request a certificate

node client request --out out/

The created cert.pem and key.pem are located in the certs directory on the host and in the out directory in the container. For further information see NodePKI-Client README.

Using an external CLI client

You can use external NodePKI-Client instances to retrieve certificates by adding another API user account. The external client must be configured to send requests to the container host.

Setting up secure API access

Configure client to use TLS: data/nodepki-client/config/config.yml:

    server:
        hostname: ca.adito.local
        port_plain: 80
        port_tls: 443
        tls: true

Exposed ports and volumes

Ports:

  • 8080 (API + HTTP server for certificate and CRL retrieval)
  • 2560 (OCSP server)
  • 5000 (NodePKI Webclient - HTTP)

Volumes:

  • data: Contains persistent container data (mounted to /opt/nodepki/nodepki/data/ and /opt/nodepki/nodepki-client/data/)
  • certs: Can be used to transfer and store cert files. (mounted to /opt/nodepki/nodepki-client/out/)

Add new API user

sudo docker-compose run nodepki node /opt/nodepki/nodepki/nodepkictl.js useradd --username user1 --password password

CLI client Examples

Certificate for Nginx Webserver

Request root certificate for browser import:

node client getcacert --ca root --out out/root.cert.pem

Import this file into your webbrowser.

Request new webserver certificate:

node client request --type server --out out/ --fullchain

(Use domain name as commonName)

Certificates are in certs/[uuid]/ on your host machine. Copy them to your webserver:

sudo cp key.pem /etc/nginx/myssl/cert.key.pem
sudo cp cert.pem /etc/nginx/myssl/fullchain.pem

Reload webserver:

sudo systemctl restart nginx

OpenVPN certificates

For server

Get intermediate certificate + root certificate

node client getcacert --ca intermediate --chain --out out/intermediate.cert.pem

Create Server certificate and key

node client request --type server --fullchain --out out/

(Use the VPN domain name as common name.) [uuid]/cert.pem and [uuid]/key.pem are the server certificate and key.

For client

Get Root cert for client

node client getcacert --ca root --out out/root.cert.pem

Get Client certificate and key ...

node client request --type client --out out/

Import Root CA certificate on Linux and Windows

See this repo for more information on how to get things working :-) https://github.com/ThomasLeister/root-certificate-deployment

nodepki-docker's Issues

Unable to setup

This project looks to be pretty dead but here I go anyway:

I think I followed the instructions, but still the setup script doesn't have the data directory to work with. mkdir -p seems to help with this issue but I still get an empty config when trying to continue with the procedure.

> sudo docker-compose run nodepki /bin/sh /opt/nodepki/setup.sh
>>>>>> Setting up NodePKI-Client ...
mkdir: can't create directory 'data/config': No such file or directory
cp: can't create 'data/config/config.yml': No such file or directory
/opt/nodepki/setup.sh: line 10: can't create data/config/config.yml.tmp: nonexistent directory
/opt/nodepki/setup.sh: line 11: can't create data/config/config.yml.tmp: nonexistent directory
>>>>>> Setting up NodePKI-Webclient ...
mkdir: can't create directory 'data/config': No such file or directory
cp: can't create 'data/config/config.yml': No such file or directory
>>>>>> Setting up NodePKI ...
mkdir: can't create directory 'data/config': No such file or directory
cp: can't create 'data/config/config.yml': No such file or directory
[15:55:28] User created successfully.
>>>>>> Setup finished.

INFO exited: nodepki (exit status 1; not expected)

Hi there,

I tried to run nodepki-docker but the nodepki server seems to crash every time docker-compose up is entered.

Steps to reproduce

Clone the repo:

git clone git@github.com:aditosoftware/nodepki-docker.git

Edit docker-compose.yml:

version: '3.4'

services:
  nodepki:
    image: adito/nodepki-docker
    ports:
      - "8080:8080"
      - "2560:2560"
      - "5000:5000"
      - "5858:5858"
    volumes:
      - "/opt/data/nodepki/nodepki:/root/nodepki/data"
      - "/opt/data/nodepki/nodepki-client/:/root/nodepki-client/data"
      - "/opt/data/nodepki/nodepki-webclient/:/root/nodepki-webclient/data"
      - "/opt/data/nodepki/certs/:/root/nodepki-client/out"
    extra_hosts:
      - "ca.example.com:127.0.0.1"
      - "ocsp.example.com:127.0.0.1"
      - "ca-admin.example.com:127.0.0.1"
    environment:
      API_USERNAME: localadmin
      API_PASSWORD: top_secret
    labels:
      traefik.ca-admin.port: 5000
      traefik.ca-admin.frontend.rule: Host:ca-admin.example.com
      traefik.ca-admin.protocol: http
      traefik.ca.port: 8080
      traefik.ca.frontend.rule: Host:ca.example.com
      traefik.ca.protocol: http
      traefik.ocsp.port: 2560
      traefik.ocsp.frontend.rule: Host:ocsp.example.com
      traefik.ocsp.protocol: http

Let the basic config generate:

[root@node01]# docker-compose run nodepki /bin/sh /root/setup.sh
>>>>>> Setting up NodePKI-Client ...
>>>>>> Setting up NodePKI-Webclient ...
>>>>>> Setting up NodePKI ...
[14:21:15] User created successfully.
>>>>>> Setup finished.

Edited the configuration nodepki/config/config.yml:

###
### Server config: IP-Address and port to listen to.
###

server:
    ip: 0.0.0.0
    http:
        domain: ca.example.com
        port: 8080
    ocsp:
        domain: ocsp.example.com
        port: 2560



###
### CA config: Passphrase for CA Key
###

ca:
    root:
        passphrase: <secret>
        days: 3650
        country: CH
        state: Zurich
        locality: Zurich
        organization: Example GmbH
        commonname: Root CA
    intermediate:
        passphrase: <secret>
        days: 3650
        country: CH
        state: Zurich
        locality: Zurich
        organization: Example ORG
        commonname: Intermediate CA
        ocsp:
            passphrase: <secret>
            country: CH
            url: "http://ocsp.example.com"
        crl:
            url: "http://ca.example.com/public/ca/intermediate/crl"


###
### Settings for end user certificates
###
cert:
    lifetime_default: 1
    lifetime_max: 1095

nodepki-webclient config.yml:

server:
    baseurl: http://ca-admin.example.com
    ip: 0.0.0.0
    port: 5000

apiserver:
    hostname: ca.example.com
    port: 8080
    publicport: 8080
    tls: false

csr_defaults:
    country: CH
    state: Zurich
    locality: Zurich
    organization: Example ORG

nodepki-client config.yml:

###
### Hostnames and ports of the NodePKI server
###

server:
    hostname: ca.example.com
    port_plain: 8080
    port_tls: 443
    tls: false


###
### Username and password to authenticate with
###

user:
    username: localadmin
    password: top_secret


###
### CSR default values
###

csr_defaults:
    country: "CH"
    state: "Zurich"
    locality: "Zurich"
    organization: "Example ORG"


###
### Default certificate lifetime
###

cert_lifetime_default: 1095

Start of nodepki:

[root@node01]# docker-compose up
Recreating nodepki_nodepki_1 ... done
Attaching to nodepki_nodepki_1
nodepki_1  | 2018-04-28 14:23:16,479 CRIT Supervisor running as root (no user in config file)
nodepki_1  | 2018-04-28 14:23:16,482 INFO supervisord started with pid 7
nodepki_1  | 2018-04-28 14:23:17,484 INFO spawned: 'nodepki' with pid 10
nodepki_1  | 2018-04-28 14:23:17,485 INFO spawned: 'nodepki_webclient' with pid 11
nodepki_1  | 2018-04-28 14:23:17,936 INFO exited: nodepki (exit status 1; not expected)
nodepki_1  | 2018-04-28 14:23:18,938 INFO spawned: 'nodepki' with pid 32
nodepki_1  | 2018-04-28 14:23:18,939 INFO success: nodepki_webclient entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
nodepki_1  | 2018-04-28 14:23:19,350 INFO exited: nodepki (exit status 1; not expected)
nodepki_1  | 2018-04-28 14:23:21,354 INFO spawned: 'nodepki' with pid 48
nodepki_1  | 2018-04-28 14:23:21,761 INFO exited: nodepki (exit status 1; not expected)
nodepki_1  | 2018-04-28 14:23:24,764 INFO spawned: 'nodepki' with pid 64
nodepki_1  | 2018-04-28 14:23:25,169 INFO exited: nodepki (exit status 1; not expected)
nodepki_1  | 2018-04-28 14:23:26,171 INFO gave up: nodepki entered FATAL state, too many start retries too quickly

Do you guys have any guess what the issue could be? I guess it's something with the configuration but I don't have any clue what's wrong. The nodepki server unfortunately does not deliver a more specific error message.

No reverse proxy is currently used in front of the nodepki application.

Thanks!

Regards,
Philip

Having a hard time deploying this container

Hello,

I was able to deploy this on my local machine and it worked very well (thank you!), however, when I tried moving it to my NAS, things were not as smooth as I would've hoped them to be.

My setup is as follows:
Synology NAS with 2 containers:

  • nginx
  • nodepki

Nginx container is essentially a reverse proxy for my other services. So, when I go to https://myservice.mydomain.com, nginx will proxy_pass to an internal url. I thought that I would do the same thing with nodepki, but I cannot figure out proper environment variables for everything to just work. All my service subdomains have a Let's Encrypt cert installed, so I have the following connection flow: Internet ----> SSL ---> NGinx ---> HTTP ----> service

I am trying to have all the services on a single subdomain (say, certification.mydomain.com), instead of multiple. I have also used your nginx template from main readme file, where different services are at different locations.

I am pretty sure that the issue is with environment variables, but I am not sure.

Here's my nginx.conf:

server {
	listen 443 ssl;
	server_name certifications.mydomain.com;

	include /config/snippets/le_cert.conf;

	location = / {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		rewrite ^ https://certifications.mydomain.com/webclient/ permanent;
	}

	location /api {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://nodepki:8080/api;
	}

	location /public {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://nodepki:8080/public;
	}

	location /webclient/ {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://nodepki:5000/;
	}

	location /ocsp {
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://nodepki:2560;
	}

	access_log   logs/nodepki.access.log  main;
	error_log	logs/nodepki.error.log;
}

Here's my env variables:

INTERMEDIATE_CA_COMMON_NAME=Intermediate CA,
ROOT_CA_COMMON_NAME=CA,
CA_CERT_EXPIRE_IN_DAYS=3650,
OCSP_PASSPHRASE=my_ocsp_password,
INTERMEDIATE_PASSPHRASE=my_intermediate_password,
ROOT_PASSPHRASE=my_root_password,
CERT_MAX_LIFETIME_IN_DAYS=3650,
CERT_MIN_LIFETIME_IN_DAYS=1,
ORGANIZATION_NAME=My Org,
LOCALITY_NAME=Some City,
STATE_NAME=Some State,
COUNTRY_CODE=US,
CA_OSCP_SERVER_HTTP_URL=https://certifications.mydomain.com/ocsp,
CA_CRL_SERVER_HTTP_URL=https://certifications.mydomain.com/public/ca/intermediate/crl,
CA_WEBCLIENT_HTTP_URL=https://certifications.mydomain.com/webclient,
CA_OSCP_SERVER_PORT=2560,
CA_OSCP_SERVER_URL=certifications.mydomain.net/ocsp,
CA_WEBCLIENT_SERVER_PORT=8080,
CA_WEBCLIENT_BIND_IP_ADDRESS=0.0.0.0,
CA_WEBCLIENT_SERVER_URL=certifications.mydomain.net/webclient,
CA_API_SERVER_TLS_ENABLED=false,
CA_API_SERVER_TLS_PORT=443,
CA_API_SERVER_PLAIN_PORT=5000,
CA_API_SERVER_URL=certifications.mydomain.net/api,
CA_API_SERVER_BIND_IP_ADDRESS=0.0.0.0,
API_PASSWORD=my_api_password,
API_USERNAME=my_api_user

Containers are linked to each other, which is why I am able to use nodepki as a hostname in my nginx config.

Thanks for your help!
