forked from jan/cacert-devsetup
f9b0eb5195
This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost got an additional subjectAlternativeName secure.cacert.localhost and is used for both hostnames now. Environment variables containing _APP have been renamed to _WEBDB to keep consistency.
85 lines
3.5 KiB
Markdown
85 lines
3.5 KiB
Markdown
# CAcert local development setup
|
|
|
|
This repository contains a local development environment setup for the CAcert
|
|
software.
|
|
|
|
It runs multiple Docker containers using docker-compose the provide different
|
|
parts of the CAcert software. This includes CATS (CAcert automated testing
|
|
system), the test manager software and the WebDB software as well as supporting
|
|
server components (database, SMTP and IMAP).
|
|
|
|
## Prerequisites
|
|
|
|
* Linux system (tested on Debian Bullseye)
|
|
* [Docker](https://tracker.debian.org/pkg/docker.io)
|
|
* [docker-compose](https://pypi.org/project/docker-compose/)
|
|
* [openssl](https://tracker.debian.org/pkg/openssl)
|
|
* [myrepos](https://tracker.debian.org/pkg/myrepos)
|
|
|
|
```shell
|
|
sudo apt-get update
|
|
sudo apt-get install docker.io openssl myrepos
|
|
sudo adduser $USER docker
|
|
newgrp docker
|
|
python3 -m pip install --user -U docker-compose
|
|
# make sure that ~/.local/bin is in $PATH
|
|
```
|
|
|
|
## Usage
|
|
|
|
|
|
```shell
|
|
git clone https://git.dittberner.info/jan/cacert-devsetup.git
|
|
cd cacert-devsetup
|
|
mr checkout
|
|
```
|
|
|
|
Create a .env file that defines the following variables
|
|
|
|
Variable | Usage
|
|
--- | ---
|
|
`CATCHALL_MAILBOX_PASSWORD` | The password of the IMAP mailbox used by the test manager software
|
|
`CLIENT_CERT_EMAIL` | email address for client certificate generated by `setup_test_ca.sh`
|
|
`CLIENT_CERT_EMAIL` | email address that should be included in the test client certificate that is generated in `testca/certs/testclient.crt.pem` and included in `testca/certs/testclient.p12`
|
|
`CLIENT_CERT_PASSWORD` | PKCS#12 keystore password for client certificate generated by `setup_test_ca.sh`
|
|
`CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12`
|
|
`CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate
|
|
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
|
|
`MYSQL_CATS_PASSWORD` | Database password for cats
|
|
`MYSQL_CATS_USER` | Database user for cats
|
|
`MYSQL_MGR_PASSWORD` | Database password for the test manager
|
|
`MYSQL_MGR_USER` | Database user for the test manager
|
|
`MYSQL_ROOT_PASSWORD` | Database root password
|
|
`MYSQL_WEBDB_PASSWORD` | Database password for webdb
|
|
`MYSQL_WEBDB_USER` | Database user for webdb
|
|
|
|
|
|
```shell
|
|
echo "CATCHALL_MAILBOX_PASSWORD=$(openssl rand -base64 18)
|
|
CLIENT_CERT_EMAIL=user@example.org
|
|
CLIENT_CERT_PASSWORD=$(openssl rand -base64 18)
|
|
CLIENT_CERT_USERNAME="John Doe"
|
|
MYSQL_WEBDB_PASSWORD=$(openssl rand -base64 18)
|
|
MYSQL_WEBDB_USER=cacert_dev
|
|
MYSQL_CATS_PASSWORD=$(openssl rand -base64 18)
|
|
MYSQL_CATS_USER=cats
|
|
MYSQL_MGR_PASSWORD=$(openssl rand -base64 18)
|
|
MYSQL_MGR_USER=cacert_mgr
|
|
MYSQL_ROOT_PASSWORD=$(openssl rand -base64 18)" > .env
|
|
./setup_test_ca.sh
|
|
docker-compose up
|
|
```
|
|
|
|
After these steps you should be able to reach the CAcert application at
|
|
https://www.cacert.localhost:8443/. The test manager application is reachable
|
|
at https://mgr.cacert.localhost:9443/. CATS is reachable at
|
|
https://cats.cacert.localhost:7443/. The magic hostname resolution works on
|
|
systems using systemd's nss module for host resolution. If you do not have that
|
|
on your system you might need a set of entries in your `/etc/hosts` or its
|
|
equivalent for your operating system.
|
|
|
|
A client certificate is created by `setup_test_ca.sh` and is placed in
|
|
`testca/certs/clientcert.p12` which can be imported in a browser to support
|
|
client certificate authentication. You may also wish to add the CA certificates
|
|
in `testca/root/ca.crt.pem` and `testca/class3/ca.crt.pem` to your browser's
|
|
trusted CA certificate list.
|