forked from jan/cacert-devsetup
Start adding signer containers
This is work in progress to add the signer components
This commit is contained in:
parent
f9b0eb5195
commit
e8ad6b9ba7
8 changed files with 189 additions and 3 deletions
|
@ -37,8 +37,8 @@ services:
|
|||
DEPLOYMENT_NAME: "CAcert.org Website (local development)"
|
||||
MYSQL_WEBDB_HOSTNAME: db
|
||||
MYSQL_WEBDB_DATABASE: cacert
|
||||
CSR_DIRECTORY: /csr
|
||||
CRT_DIRECTORY: /crt
|
||||
CSR_DIRECTORY: /certs/csr
|
||||
CRT_DIRECTORY: /certs/crt
|
||||
DEFAULT_HOSTNAME: www.cacert.localhost
|
||||
SECURE_HOSTNAME: secure.cacert.localhost
|
||||
TVERIFY_HOSTNAME: tverify.cacert.localhost
|
||||
|
@ -56,6 +56,7 @@ services:
|
|||
- smtp
|
||||
volumes:
|
||||
- ./cacert-software:/www
|
||||
- certstaging:/certs
|
||||
mgr:
|
||||
build:
|
||||
context: .
|
||||
|
@ -85,7 +86,36 @@ services:
|
|||
- db
|
||||
volumes:
|
||||
- ./cacert-cats:/var/www/cats
|
||||
signer_client:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: signer_client.Dockerfile
|
||||
env_file:
|
||||
- ./.env
|
||||
environment:
|
||||
MYSQL_WEBDB_HOSTNAME: db
|
||||
MYSQL_WEBDB_DATABASE: cacert
|
||||
CSR_DIRECTORY: /srv/certs/csr
|
||||
CRT_DIRECTORY: /srv/certs/crt
|
||||
volumes:
|
||||
- certstaging:/srv/certs
|
||||
- signersockets:/srv/sockets
|
||||
depends_on:
|
||||
- db
|
||||
signer:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: signer.Dockerfile
|
||||
environment:
|
||||
SIGNER_WORKDIR: /srv/ca/work
|
||||
SIGNER_CA_CONFIG: /srv/caconfig
|
||||
volumes:
|
||||
- signersockets:/srv/sockets
|
||||
- signerdata:/srv/ca
|
||||
|
||||
volumes:
|
||||
db: { }
|
||||
maildir: { }
|
||||
maildir: { }
|
||||
certstaging: { }
|
||||
signersockets: { }
|
||||
signerdata: { }
|
14
docker/run-signer
Executable file
14
docker/run-signer
Executable file
|
@ -0,0 +1,14 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
rm -f /srv/sockets/signer
|
||||
socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
|
||||
sleep 1
|
||||
|
||||
export SERIAL_PORT=/dev/ttyUSB0
|
||||
|
||||
cd /srv/CommModule/
|
||||
|
||||
touch server.pl-active
|
||||
exec perl -w server.pl
|
13
docker/run-signer_client
Executable file
13
docker/run-signer_client
Executable file
|
@ -0,0 +1,13 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
socat -d -d UNIX:/srv/sockets/signer PTY,link=/dev/ttyS0 2>&1 &
|
||||
sleep 1
|
||||
|
||||
export SERIAL_PORT=/dev/ttyS0
|
||||
|
||||
cd /srv/CommModule/
|
||||
|
||||
touch client.pl-active
|
||||
exec perl -w client.pl
|
39
docker/signer-config/class3-client.cnf
Normal file
39
docker/signer-config/class3-client.cnf
Normal file
|
@ -0,0 +1,39 @@
|
|||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
[ CA_default ]
|
||||
dir = /srv/ca/class3 # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
crlnumber = $dir/crlnumber # bug-1438
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
certificate = $dir/ca.crt.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
default_days = 200 # how long to certify for
|
||||
default_crl_days = 30 # how long before next CRL
|
||||
default_md = sha512 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
policy = policy_anything
|
||||
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = optional
|
||||
emailAddress = optional
|
||||
|
||||
[ usr_cert ]
|
||||
basicConstraints = critical, CA:FALSE
|
||||
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
|
||||
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
|
||||
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
|
||||
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
||||
crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
|
||||
subjectAltName = email:copy
|
39
docker/signer-config/openssl-client.cnf
Normal file
39
docker/signer-config/openssl-client.cnf
Normal file
|
@ -0,0 +1,39 @@
|
|||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
[ CA_default ]
|
||||
dir = /srv/ca/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
crlnumber = $dir/crlnumber # bug-1438
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir/newcerts # default place for new certs.
|
||||
certificate = $dir/ca.crt.pem # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/ca.key.pem # The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
default_days = 200 # how long to certify for
|
||||
default_crl_days = 30 # how long before next CRL
|
||||
default_md = sha512 # which md to use.
|
||||
preserve = no # keep passed DN ordering
|
||||
policy = policy_anything
|
||||
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = optional
|
||||
emailAddress = optional
|
||||
|
||||
[ usr_cert ]
|
||||
basicConstraints = critical, CA:FALSE
|
||||
nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
|
||||
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
|
||||
extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
|
||||
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
||||
crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
|
||||
subjectAltName = email:copy
|
24
signer.Dockerfile
Normal file
24
signer.Dockerfile
Normal file
|
@ -0,0 +1,24 @@
|
|||
FROM debian:jessie
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive \
|
||||
apt-get install -y --no-install-recommends \
|
||||
gnupg \
|
||||
libdevice-serialport-perl \
|
||||
libdigest-sha-perl \
|
||||
libfile-counterfile-perl \
|
||||
openssl \
|
||||
perl \
|
||||
socat \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
VOLUME /srv/ca
|
||||
|
||||
COPY cacert-software/CommModule/server.pl \
|
||||
cacert-software/CommModule/logclean.sh \
|
||||
/srv/CommModule/
|
||||
COPY docker/run-signer usr/local/bin/
|
||||
COPY docker/signer-config/* /srv/caconfig/
|
||||
|
||||
CMD ["/usr/local/bin/run-signer"]
|
26
signer_client.Dockerfile
Normal file
26
signer_client.Dockerfile
Normal file
|
@ -0,0 +1,26 @@
|
|||
FROM debian:jessie
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive \
|
||||
apt-get install -y --no-install-recommends \
|
||||
gnupg \
|
||||
libdbd-mysql-perl \
|
||||
libdbi-perl \
|
||||
libdevice-serialport-perl \
|
||||
libfile-counterfile-perl \
|
||||
openssl \
|
||||
perl \
|
||||
socat \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
VOLUME /srv/certs
|
||||
|
||||
COPY cacert-software/CommModule/client.pl \
|
||||
cacert-software/CommModule/logclean.sh \
|
||||
/srv/CommModule/
|
||||
COPY docker/run-signer_client usr/local/bin/
|
||||
|
||||
WORKDIR /srv/CommModule
|
||||
|
||||
CMD ["run-signer_client"]
|
|
@ -52,6 +52,7 @@ COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
|
|||
COPY docker/feed.rss /usr/local/etc/application/feed.rss
|
||||
|
||||
VOLUME /www
|
||||
VOLUME /certs
|
||||
|
||||
RUN a2ensite www.cacert.localhost ; \
|
||||
a2dissite 000-default ; \
|
||||
|
|
Loading…
Reference in a new issue