├── .gitignore
├── Dockerfile
├── LICENSE
├── README.md
├── docker-compose.yml
├── production
│   ├── .env.tmpl
│   ├── Dockerfile
│   ├── README.md
│   ├── docker-compose.yml
│   ├── docker_entrypoint.sh
│   └── supervisord.conf
├── setup.sh
└── supervisord.conf

/.gitignore:
--------------------------------------------------------------------------------
###
### Dirs for dynamic app data
###

certs/
data/
.env
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM node:7-alpine

RUN apk add --no-cache \
    openssl \
    curl \
    supervisor

## Add supervisor config
COPY supervisord.conf /etc/supervisor/supervisord.conf

### Add setup script to create persistent content
RUN mkdir -p /opt/nodepki
COPY setup.sh /opt/nodepki/

WORKDIR /opt/nodepki
RUN curl -L https://github.com/aditosoftware/nodepki/archive/master.tar.gz | tar xz && mv nodepki-master nodepki \
    && curl -L https://github.com/aditosoftware/nodepki-client/archive/master.tar.gz | tar xz && mv nodepki-client-master nodepki-client \
    && curl -L https://github.com/aditosoftware/nodepki-webclient/archive/master.tar.gz | tar xz && mv nodepki-webclient-master nodepki-webclient \
    && cd /opt/nodepki/nodepki-client \
    && npm install \
    && cd /opt/nodepki/nodepki-webclient \
    && npm install \
    && cd /opt/nodepki/nodepki \
    && npm install

RUN adduser -D -g '' nodepki
RUN chown -R nodepki:nodepki /opt/nodepki
USER nodepki

EXPOSE 8080 5000 2560

### Run everything via supervisor
CMD /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Thomas Leister

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NodePKI Docker Image

```
 _   _           _      ____  _  _____
| \ | | ___   __| | ___|  _ \| |/ /_ _|
|  \| |/ _ \ / _` |/ _ \ |_) | ' / | |
| |\  | (_) | (_| |  __/  __/| . \ | |
|_| \_|\___/ \__,_|\___|_|   |_|\_\___|

By ADITO Software GmbH
```

This Docker container contains the following components:
* [NodePKI API Server](https://github.com/aditosoftware/nodepki/)
* [NodePKI Webclient](https://github.com/aditosoftware/nodepki-webclient/)
* [NodePKI reference CLI client](https://github.com/aditosoftware/nodepki-client/)

## Installation (productive usage)
See [production README.md](production/README.md) for more information about the productive usage of nodepki.

## Installation (development usage)

* Install docker-engine: https://docs.docker.com/engine/installation/linux/ubuntu/
* Download and install docker-compose: https://docs.docker.com/compose/install/
* Download this Git repo:

```
git clone https://github.com/aditosoftware/nodepki-docker.git
cd nodepki-docker
```


## Build Docker image
```bash
sudo docker-compose build
```

This command downloads NodePKI, NodePKI-Client and NodePKI-Webclient from GitHub (see the `Dockerfile`) and builds the container image.


## Configure docker container environment

Set

* `API_USERNAME` and
* `API_PASSWORD`

variables in `docker-compose.yml`. An initial user account for API access will be created with these login credentials.


## Create configuration files

To create the persistent config files, run the following command:
```bash
sudo docker-compose run nodepki /bin/sh /opt/nodepki/setup.sh
```

## Configure NodePKI and NodePKI-Client

Now configure NodePKI and NodePKI-Client by editing the `config.yml` files in `data/[nodepki/nodepki-client]/config/` on the host.

**Note: PKI settings such as CRL URL, OCSP server URL and CA data cannot be changed during usage! Once you've set these attributes and started using your CA, they will be kept until you create a completely new PKI! Think well about your CA configuration!**

Set domains and URLs in `data/nodepki/config/config.yml`:
```
server:
    ip: 0.0.0.0
    http:
        domain: ca.adito.local
        port: 8080
    ocsp:
        domain: ca.adito.local
        port: 2560
```

Configure OCSP and CRL URLs:
```
ca:
    intermediate:
        ocsp:
            url: "http://ca.adito.local/ocsp"
        crl:
            url: "http://ca.adito.local/public/ca/intermediate/crl"
```
Both URLs correspond to the public URLs as they are defined in the HTTP reverse proxy (see the Nginx config below). Web browsers will use these URLs to check certificate validity.


**Do not forget to change the CA passphrases! (default: `yyyy`)**

Change the remaining settings according to your needs.


## First start

Start NodePKI for the first time by executing
```bash
sudo docker-compose up
```

Your CA will be created on the first startup. You can stop the container again by pressing `CTRL+C`.

You should now back up your configuration files and PKI by copying the `data/` directory on the host. This is where the important data lives.


## Configure Nginx proxy

Use an external Nginx reverse proxy server to make URLs nice and to offer TLS encryption.
```
###
### NodePKI API server (unencrypted)
###

server {
    listen 80;
    server_name ca.adito.local;

    location = / {
        rewrite ^ https://ca.adito.local/webclient/ permanent;
    }

    location /api {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location /public {
        proxy_pass http://nodepki:8080/public;
    }

    location /ocsp {
        proxy_pass http://nodepki:2560;
    }

    location /webclient/ {
        rewrite ^ https://$host$request_uri? permanent;
    }
}
```
```
###
### NodePKI API server (encrypted)
###

server {
    listen 443 ssl;
    server_name ca.adito.local;

    ssl_certificate /etc/nginx/certs/ca.adito.local.crt;
    ssl_certificate_key /etc/nginx/certs/ca.adito.local.key;

    location = / {
        rewrite ^ https://ca.adito.local/webclient/ permanent;
    }

    location /api {
        proxy_pass http://nodepki:8080/api;
    }

    location /public {
        proxy_pass http://nodepki:8080/public;
    }

    location /webclient/ {
        proxy_pass http://nodepki:5000/;
    }
}
```

* `api.cert.pem` and `api.key.pem` are the certificate files from the host directory `./data/nodepki/mypki/apicert/`
* `nodepki` resolves to the NodePKI docker container, which exposes ports `8080`, `5000` and `2560`.

Adapt the above Nginx configuration to your environment.


## Start Docker container
```bash
sudo docker-compose up
```
You can start the container in background mode by attaching the `-d` flag.


### Stop Docker container
```bash
sudo docker-compose stop
```

## Using the integrated Web-based GUI client "NodePKI Webclient"

Visit https://ca.adito.local/webclient/ and log in with the account which was created via the docker-compose environment variables in the beginning.



## Using the integrated CLI client

(in another shell instance)
```bash
sudo docker-compose exec nodepki /bin/sh
cd /opt/nodepki/nodepki-client/
node client
```
Request a certificate
```bash
node client request --out out/
```
The created `cert.pem` and `key.pem` are located in the `certs` directory on the host and in the `out` directory in the container. For further information see [NodePKI-Client README](https://github.com/ThomasLeister/nodepki-client/blob/master/README.md).


## Using an external CLI client

You can use external [NodePKI-Client](https://github.com/ThomasLeister/nodepki-client/) instances to retrieve certificates by adding another API user account. The external client must be configured to send requests to the container host.


### Setting up secure API access

**Configure client** to use TLS: `data/nodepki-client/config/config.yml`:
```
server:
    hostname: ca.adito.local
    port_plain: 80
    port_tls: 443
    tls: true
```

## Exposed ports and volumes

Ports:
* `8080` (API + HTTP server for certificate and CRL retrieval)
* `2560` (OCSP server)
* `5000` (NodePKI Webclient - HTTP)

Volumes:
* `data`: Contains persistent container data (mounted to `/opt/nodepki/nodepki/data/` and `/opt/nodepki/nodepki-client/data/`)
* `certs`: Can be used to transfer and store cert files. (mounted to `/opt/nodepki/nodepki-client/out/`)


## Add new API user
```bash
sudo docker-compose run nodepki node /opt/nodepki/nodepki/nodepkictl.js useradd --username user1 --password password
```

## CLI client Examples

### Certificate for Nginx Webserver

Request root certificate for browser import:
```bash
node client getcacert --ca root --out out/root.cert.pem
```
Import this file into your web browser.

Request new webserver certificate:
```bash
node client request --type server --out out/ --fullchain
```
(Use domain name as commonName)

Certificates are in `certs/[uuid]/` on your host machine. Copy them to your webserver:
```bash
sudo cp key.pem /etc/nginx/myssl/cert.key.pem
sudo cp cert.pem /etc/nginx/myssl/fullchain.pem
```
Reload webserver:
```bash
sudo systemctl restart nginx
```

### OpenVPN certificates

#### For server

Get intermediate certificate + root certificate
```bash
node client getcacert --ca intermediate --chain --out out/intermediate.cert.pem
```
Create Server certificate and key
```bash
node client request --type server --fullchain --out out/
```
(Use VPN domain name as common name)
`[uuid]/cert.pem` and `[uuid]/key.pem` are server cert and key.


#### For client

Get Root cert for client
```bash
node client getcacert --ca root --out out/root.cert.pem
```
Get Client certificate and key ...
```bash
node client request --type client --out out/
```

## Import Root CA certificate on Linux and Windows

See this repo for more information on how to get things working :-) https://github.com/ThomasLeister/root-certificate-deployment
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'
services:
  nodepki:
    build: .
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:2560:2560"
      - "127.0.0.1:5000:5000"
    # Container-side paths match the install location from the Dockerfile
    # (WORKDIR /opt/nodepki) and the volume list in README.md; setup.sh writes
    # its config files below these directories, so they must be the mount points.
    volumes:
      - "./data/nodepki/:/opt/nodepki/nodepki/data"
      - "./data/nodepki-client/:/opt/nodepki/nodepki-client/data"
      - "./data/nodepki-webclient/:/opt/nodepki/nodepki-webclient/data"
      - "./certs/:/opt/nodepki/nodepki-client/out"
    extra_hosts:
      - "ca.adito.local:127.0.0.1"
    environment:
      API_USERNAME: thomas
      API_PASSWORD: test
--------------------------------------------------------------------------------
/production/.env.tmpl:
--------------------------------------------------------------------------------
API_USERNAME=
API_PASSWORD=
CA_API_SERVER_BIND_IP_ADDRESS=0.0.0.0
CA_API_SERVER_URL=ca.example.com
CA_API_SERVER_PLAIN_PORT=80
CA_API_SERVER_TLS_PORT=443
CA_API_SERVER_TLS_ENABLED=false
CA_WEBCLIENT_SERVER_URL=admin-ca.example.com
CA_WEBCLIENT_BIND_IP_ADDRESS=0.0.0.0
CA_WEBCLIENT_SERVER_PORT=5000
CA_OSCP_SERVER_URL=oscp.example.com
CA_OSCP_SERVER_PORT=2560
CA_WEBCLIENT_HTTP_URL=http://admin-ca.example.com
CA_CRL_SERVER_HTTP_URL=http://ca.example.com/public/ca/intermediate/crl
CA_OSCP_SERVER_HTTP_URL=http://oscp.example.com
COUNTRY_CODE=
STATE_NAME=
LOCALITY_NAME=
ORGANIZATION_NAME=
CERT_MIN_LIFETIME_IN_DAYS=1
CERT_MAX_LIFETIME_IN_DAYS=365
ROOT_PASSPHRASE=
INTERMEDIATE_PASSPHRASE=
OCSP_PASSPHRASE=
CA_CERT_EXPIRE_IN_DAYS=3650
ROOT_CA_COMMON_NAME=Root CA Example.com
INTERMEDIATE_CA_COMMON_NAME=Intermediate CA Example.com
--------------------------------------------------------------------------------
/production/Dockerfile:
--------------------------------------------------------------------------------
FROM node:9.11.1-alpine

RUN apk add --no-cache \
    openssl \
    curl \
    supervisor

WORKDIR /opt
RUN curl -L https://github.com/aditosoftware/nodepki/archive/master.tar.gz | tar xz && mv nodepki-master nodepki \
    && curl -L https://github.com/aditosoftware/nodepki-client/archive/master.tar.gz | tar xz && mv nodepki-client-master nodepki-client \
    && curl -L https://github.com/aditosoftware/nodepki-webclient/archive/master.tar.gz | tar xz && mv nodepki-webclient-master nodepki-webclient \
    && cd /opt/nodepki-client \
    && npm install \
    && cd /opt/nodepki-webclient \
    && npm install \
    && cd /opt/nodepki \
    && npm install

## Add supervisor config
COPY supervisord.conf /etc/supervisor/supervisord.conf

### Add setup script to create persistent content
COPY docker_entrypoint.sh /opt
RUN chmod +x /opt/docker_entrypoint.sh

# With the two lines below commented out, the services run as root inside the
# container (the development Dockerfile switches to the unprivileged "nodepki" user).
#RUN adduser -D -g '' nodepki
#RUN chown -R nodepki:nodepki /opt/nodepki*

EXPOSE 8080 5000 2560

ENTRYPOINT ["/opt/docker_entrypoint.sh"]
--------------------------------------------------------------------------------
/production/README.md:
--------------------------------------------------------------------------------
# NodePKI Docker Image - productive usage

```
 _   _           _      ____  _  _____
| \ | | ___   __| | ___|  _ \| |/ /_ _|
|  \| |/ _ \ / _` |/ _ \ |_) | ' / | |
| |\  | (_) | (_| |  __/  __/| . \ | |
|_| \_|\___/ \__,_|\___|_|   |_|\_\___|

By ADITO Software GmbH
```

This Docker container contains the following components:
* [NodePKI API Server](https://github.com/aditosoftware/nodepki/)
* [NodePKI Webclient](https://github.com/aditosoftware/nodepki-webclient/)
* [NodePKI reference CLI client](https://github.com/aditosoftware/nodepki-client/)
* [Traefik loadbalancer](https://traefik.io/)

## Installation

### Setup limitations
- The example setup from the `docker-compose.yml` file also uses a Traefik load balancing service. Remove this service (`traefik`) and publish the ports `8080:8080`, `2560:2560` and `5000:5000` if you would like to access `nodepki` directly.
- Traefik only serves `http` to ease the setup process. Switch to `https` for productive usage!
- The `docker-compose.yml` file works with variable substitution. It is therefore required to start this setup by using Docker Compose. If the `docker-compose.yml` file is used for Docker Swarm stacks, replace the variables (e.g. `${CA_API_SERVER_URL}`) with real values.
- Set `CA_API_SERVER_PLAIN_PORT` to `80` and `CA_API_SERVER_TLS_ENABLED` to `false` if you are running nodepki behind a reverse proxy which handles the SSL/TLS termination.

### Prerequisites

Required files and directories (change the base path `/opt/data` according to your setup):
```bash
cd production/
cp .env.tmpl .env

sudo mkdir -p /opt/data/nodepki
sudo mkdir -p /opt/data/nodepki-client
sudo mkdir -p /opt/data/nodepki-webclient
sudo mkdir -p /opt/data/nodepki-certs
```

Now you need to set/change the app variables inside `.env`.

Required hosts file entries for local development setups:
```bash
127.0.0.1 admin-ca.example.com ca.example.com ocsp.example.com
```
**Notice**: Adjust your `/etc/hosts` entries according to your values inside `.env`.

### Start up
```bash
docker-compose up
```

### Clean up
```bash
docker-compose down
rm -rf /opt/data/nodepki*/*
```
--------------------------------------------------------------------------------
/production/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.4'

services:
  nodepki:
    image: adito/nodepki-docker:production
    restart: unless-stopped
    env_file:
      - .env
    environment:
      TZ: Europe/Berlin
    healthcheck:
      test: ["CMD-SHELL", "curl --fail http://localhost:$${CA_WEBCLIENT_SERVER_PORT} || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    volumes:
      - /opt/data/nodepki:/opt/nodepki/data
      - /opt/data/nodepki-client:/opt/nodepki-client/data
      - /opt/data/nodepki-webclient:/opt/nodepki-webclient/data
      - /opt/data/nodepki-certs:/opt/nodepki-client/out
    extra_hosts:
      - ${CA_API_SERVER_URL}:127.0.0.1
    networks:
      - traefik_transit
    labels:
      traefik.ca-admin.port: ${CA_WEBCLIENT_SERVER_PORT}
      traefik.ca-admin.frontend.rule: Host:${CA_WEBCLIENT_SERVER_URL}
      traefik.ca-admin.protocol: http
      traefik.ca.port: ${CA_API_SERVER_PLAIN_PORT}
      traefik.ca.frontend.rule: Host:${CA_API_SERVER_URL}
      traefik.ca.protocol: http
      traefik.ocsp.port: ${CA_OSCP_SERVER_PORT}
      traefik.ocsp.frontend.rule: Host:${CA_OSCP_SERVER_URL}
      traefik.ocsp.protocol: http

  traefik:
    image: traefik:1.6-alpine
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
    ports:
      - 80:80
      - 443:443
      # 8080 is the Traefik web dashboard enabled by --web; it has no authentication,
      # so do not leave it reachable from untrusted networks.
      - 8080:8080
    command: --docker --docker.domain=example.com --docker.watch --web --loglevel=WARN
    volumes:
      # Traefik reads the nodepki labels through the Docker socket. Whoever controls
      # this socket controls the Docker daemon, so the Traefik container must be trusted.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik_transit

networks:
  traefik_transit:
--------------------------------------------------------------------------------
/production/docker_entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Each block renders the default config exactly once: it is skipped when config.yml already
# exists in the persistent volume. The sed substitutions use '/' as delimiter (the URL values
# use '#'), so the substituted variable values must not contain that delimiter or '&'.

if [ ! -f /opt/nodepki-client/data/config/config.yml ]; then

    echo ">>>>>> Setting up NodePKI-Client ..."

    cd /opt/nodepki-client/data

    mkdir config/
    cp ../config.default.yml config/config.yml

    sed -e "s/API_USERNAME/$API_USERNAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/API_PASSWORD/$API_PASSWORD/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_URL/$CA_API_SERVER_URL/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_PLAIN_PORT/$CA_API_SERVER_PLAIN_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_TLS_PORT/$CA_API_SERVER_TLS_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_TLS_ENABLED/$CA_API_SERVER_TLS_ENABLED/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/COUNTRY_CODE/$COUNTRY_CODE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/STATE_NAME/$STATE_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/LOCALITY_NAME/$LOCALITY_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/ORGANIZATION_NAME/$ORGANIZATION_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CERT_MAX_LIFETIME_IN_DAYS/$CERT_MAX_LIFETIME_IN_DAYS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml

    cd /opt/nodepki-client/

fi

if [ ! -f /opt/nodepki-webclient/data/config/config.yml ]; then

    echo ">>>>>> Setting up NodePKI-Webclient ..."
    cd /opt/nodepki-webclient/data
    mkdir config/
    cp ../config.default.yml config/config.yml

    sed -e "s#CA_WEBCLIENT_HTTP_URL#$CA_WEBCLIENT_HTTP_URL#" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_URL/$CA_API_SERVER_URL/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_WEBCLIENT_BIND_IP_ADDRESS/$CA_WEBCLIENT_BIND_IP_ADDRESS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_WEBCLIENT_SERVER_PORT/$CA_WEBCLIENT_SERVER_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_PLAIN_PORT/$CA_API_SERVER_PLAIN_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_TLS_PORT/$CA_API_SERVER_TLS_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_TLS_ENABLED/$CA_API_SERVER_TLS_ENABLED/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/COUNTRY_CODE/$COUNTRY_CODE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/STATE_NAME/$STATE_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/LOCALITY_NAME/$LOCALITY_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/ORGANIZATION_NAME/$ORGANIZATION_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml

    cd /opt/nodepki-webclient/

fi

if [ ! -f /opt/nodepki/data/config/config.yml ]; then

    echo ">>>>>> Setting up NodePKI ..."

    cd /opt/nodepki/data
    mkdir config/
    cp ../config.default.yml config/config.yml

    sed -e "s/CA_API_SERVER_BIND_IP_ADDRESS/$CA_API_SERVER_BIND_IP_ADDRESS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_URL/$CA_API_SERVER_URL/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_OSCP_SERVER_URL/$CA_OSCP_SERVER_URL/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_API_SERVER_PLAIN_PORT/$CA_API_SERVER_PLAIN_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_OSCP_SERVER_PORT/$CA_OSCP_SERVER_PORT/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/ROOT_PASSPHRASE/$ROOT_PASSPHRASE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/INTERMEDIATE_PASSPHRASE/$INTERMEDIATE_PASSPHRASE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/OCSP_PASSPHRASE/$OCSP_PASSPHRASE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CA_CERT_EXPIRE_IN_DAYS/$CA_CERT_EXPIRE_IN_DAYS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/COUNTRY_CODE/$COUNTRY_CODE/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/STATE_NAME/$STATE_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/LOCALITY_NAME/$LOCALITY_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/ORGANIZATION_NAME/$ORGANIZATION_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/ROOT_CA_COMMON_NAME/$ROOT_CA_COMMON_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/INTERMEDIATE_CA_COMMON_NAME/$INTERMEDIATE_CA_COMMON_NAME/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s#CA_OSCP_SERVER_HTTP_URL#$CA_OSCP_SERVER_HTTP_URL#" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s#CA_CRL_SERVER_HTTP_URL#$CA_CRL_SERVER_HTTP_URL#" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CERT_MIN_LIFETIME_IN_DAYS/$CERT_MIN_LIFETIME_IN_DAYS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml
    sed -e "s/CERT_MAX_LIFETIME_IN_DAYS/$CERT_MAX_LIFETIME_IN_DAYS/" config/config.yml > config/config.yml.tmp && mv config/config.yml.tmp config/config.yml

    cd /opt/nodepki/

    # Quoted so that a username or password containing whitespace is passed as one argument.
    node nodepkictl useradd --username "$API_USERNAME" --password "$API_PASSWORD"

    echo ">>>>>> Setup finished."

fi

echo ">>>>>> Finished setting up NodePKI ..."
# Start the application
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
--------------------------------------------------------------------------------
/production/supervisord.conf:
--------------------------------------------------------------------------------
[supervisord]
nodaemon=true

[program:nodepki]
directory=/opt/nodepki
command=node server.js

[program:nodepki_webclient]
directory=/opt/nodepki-webclient/
command=node app.js
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh

### Set up NodePKI-Client
echo ">>>>>> Setting up NodePKI-Client ..."

cd /opt/nodepki/nodepki-client
mkdir data/config
cp config.default.yml data/config/config.yml

sed -e "s/api_username/$API_USERNAME/" data/config/config.yml > data/config/config.yml.tmp && mv data/config/config.yml.tmp data/config/config.yml
sed -e "s/api_password/$API_PASSWORD/" data/config/config.yml > data/config/config.yml.tmp && mv data/config/config.yml.tmp data/config/config.yml


echo ">>>>>> Setting up NodePKI-Webclient ..."
cd /opt/nodepki/nodepki-webclient
mkdir data/config
cp config.default.yml data/config/config.yml


### Set up NodePKI
echo ">>>>>> Setting up NodePKI ..."

cd /opt/nodepki/nodepki
mkdir data/config
cp config.default.yml data/config/config.yml
# Quoted so that a username or password containing whitespace is passed as one argument.
node nodepkictl useradd --username "$API_USERNAME" --password "$API_PASSWORD"


echo ">>>>>> Setup finished."
--------------------------------------------------------------------------------
/supervisord.conf:
--------------------------------------------------------------------------------
[supervisord]
nodaemon=true
user = nodepki

[program:nodepki]
directory=/opt/nodepki/nodepki/
command=node server.js

[program:nodepki_webclient]
directory=/opt/nodepki/nodepki-webclient/
command=node app.js
--------------------------------------------------------------------------------
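Both `docker_entrypoint.sh` and `setup.sh` render the config templates with `sed -e "s/PLACEHOLDER/$VALUE/"`. That works for the default values, but a passphrase containing `/` terminates the sed expression, a `&` is replaced by the matched placeholder, and a backslash is interpreted rather than copied. The helper below is an added example, not code from the nodepki-docker repository: it escapes the replacement for sed, substitutes every occurrence in one pass with a `#` delimiter, rewrites the file through a temp file and `mv` as the entrypoint does, and reports placeholders that survived rendering (the symptom of an unset variable). The template it renders is constructed to resemble the placeholders in the entrypoint; it is not NodePKI's real `config.default.yml`.

```shell
#!/bin/sh
# Added example (not part of nodepki-docker): sed-safe rendering of config placeholders.
# The template below is constructed; placeholder names follow docker_entrypoint.sh.

# sed_escape_replacement VALUE: escape what is special on the replacement side of
# s#...#...#: backslash, '&' (would expand to the match) and the '#' delimiter.
# Newlines are not supported, which is fine for passphrases, names and URLs.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&#]/\\&/g'
}

# render_placeholder FILE PLACEHOLDER VALUE: replace every occurrence of PLACEHOLDER
# (an upper-case name without regex metacharacters) with VALUE, rewriting FILE via
# a temp file and "mv" exactly as the entrypoint does.
render_placeholder() {
    file=$1
    placeholder=$2
    value=$(sed_escape_replacement "$3")
    sed -e "s#$placeholder#$value#g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# assert_rendered FILE PLACEHOLDER...: list placeholders that survived rendering
# (typically because the variable was unset) and return 1 if any did.
assert_rendered() {
    file=$1
    shift
    rc=0
    for p in "$@"; do
        if grep -q "$p" "$file"; then
            echo "unrendered placeholder in $file: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# write_sample_template FILE: constructed template in the shape of the entrypoint's inputs.
write_sample_template() {
    cat > "$1" <<'EOF'
ca:
    root:
        passphrase: ROOT_PASSPHRASE
    intermediate:
        passphrase: INTERMEDIATE_PASSPHRASE
        crl:
            url: CA_CRL_SERVER_HTTP_URL
EOF
}

# render_sample FILE: render the template with constructed values that would break the
# plain "s/NAME/$VALUE/" form ('/', '&', '#' and a backslash), then verify the result.
render_sample() {
    write_sample_template "$1"
    render_placeholder "$1" ROOT_PASSPHRASE 'r00t/pass&word'
    render_placeholder "$1" INTERMEDIATE_PASSPHRASE 'int#er\med'
    render_placeholder "$1" CA_CRL_SERVER_HTTP_URL 'http://ca.example.com/public/ca/intermediate/crl'
    assert_rendered "$1" ROOT_PASSPHRASE INTERMEDIATE_PASSPHRASE CA_CRL_SERVER_HTTP_URL
}

# Demonstration: render into a temporary file and show the result.
out=$(mktemp)
render_sample "$out" && cat "$out"
rm -f "$out"
```

In an entrypoint, each `sed -e "s/NAME/$NAME/" ...` line would become `render_placeholder config/config.yml NAME "$NAME"`, followed by one `assert_rendered` call listing all placeholders so that a missing `.env` entry stops the container before the CA is generated with a blank value.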