Created
June 10, 2015 14:09
-
-
Save schulzh/b3fe5b626e595a2f0792 to your computer and use it in GitHub Desktop.
local boulder docker configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ------------------------------- boulder-config.json: ------------------------------------- | |
| { | |
| "syslog": { | |
| "network": "udp", | |
| "server": "localhost:514", | |
| "tag": "boulder" | |
| }, | |
| "wfe": { | |
| "baseURL": "http://172.17.42.1:4000", | |
| "listenAddress": "0.0.0.0:4000" | |
| }, | |
| "ca": { | |
| "serialPrefix": 255, | |
| "profile": "ee", | |
| "dbDriver": "sqlite3", | |
| "dbName": ":memory:", | |
| "testMode": false, | |
| "issuerCert": "/boulder/cfssl/ca.pem", | |
| "issuerKey": "/boulder/cfssl/ca-key.pem", | |
| "_comment": "This should only be present in testMode. In prod use an HSM.", | |
| "Key": { | |
| "File": "test/test-ca.key" | |
| }, | |
| "expiry": "2160h", | |
| "lifespanOCSP": "96h", | |
| "maxNames": 1000, | |
| "cfssl": { | |
| "signing": { | |
| "profiles": { | |
| "ee": { | |
| "usages": [ | |
| "digital signature", | |
| "key encipherment", | |
| "server auth", | |
| "client auth" | |
| ], | |
| "backdate": "1h", | |
| "is_ca": false, | |
| "issuer_urls": [ | |
| "http://172.17.42.1/cert" | |
| ], | |
| "ocsp_url": "http://172.17.42.1/ocsp", | |
| "crl_url": "http://172.17.42.1/crl", | |
| "policies": [ | |
| "1.3.6.1.4.1.44947.1.1.1", | |
| "2.23.140.1.2.1" | |
| ], | |
| "expiry": "8760h", | |
| "CSRWhitelist": { | |
| "PublicKeyAlgorithm": true, | |
| "PublicKey": true, | |
| "SignatureAlgorithm": true | |
| }, | |
| "UseSerialSeq": true | |
| } | |
| }, | |
| "default": { | |
| "usages": [ | |
| "digital signature" | |
| ], | |
| "expiry": "8760h" | |
| } | |
| } | |
| } | |
| }, | |
| "sa": { | |
| "dbDriver": "sqlite3", | |
| "dbName": ":memory:" | |
| }, | |
| "sql": { | |
| "SQLDebug": false, | |
| "CreateTables": true | |
| }, | |
| "revoker": { | |
| "dbDriver": "sqlite3", | |
| "dbName": ":memory:" | |
| }, | |
| "ocspResponder": { | |
| "dbDriver": "sqlite3", | |
| "dbName": ":memory:", | |
| "path": "/", | |
| "listenAddress": "localhost:4001" | |
| }, | |
| "ocspUpdater": { | |
| "dbDriver": "sqlite3", | |
| "dbName": ":memory:", | |
| "minTimeToExpiry": "72h" | |
| }, | |
| "mail": { | |
| "server": "mail.example.com", | |
| "port": "25", | |
| "username": "cert-master@example.com", | |
| "password": "password" | |
| }, | |
| "common": { | |
| "baseURL": "http://172.17.42.1:4000", | |
| "issuerCert": "/boulder/cfssl/ca.pem", | |
| "maxKeySize": 4096 | |
| }, | |
| "subscriberAgreementURL": "http://172.17.42.1:4000/terms" | |
| } | |
| ------------------------------- ca.cnf: ------------------------------------- | |
| # | |
| # SSLeay example configuration file. | |
| # This is mostly being used for generation of certificate requests. | |
| # | |
| # create RSA certs - CA | |
| RANDFILE = ./.rnd | |
| #################################################################### | |
| [ req ] | |
| distinguished_name = req_distinguished_name | |
| default_md = sha256 | |
| x509_extensions = v3_ca | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_value = US | |
| organizationName = Organization Name (eg, company) | |
| organizationName_value = Test CA | |
| commonName = Common Name (eg, YOUR name) | |
| commonName_value = Test CA | |
| [ v3_ca ] | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer:always | |
| basicConstraints = CA:true,pathlen:1 | |
| keyUsage = cRLSign, keyCertSign | |
| authorityInfoAccess = OCSP;URI:http://ocsp.example.com:8080/ | |
| ------------------------------- docker startscript: ------------------------------------- | |
| #!/bin/bash | |
| CFSSL_TAG=latest | |
| BOULDER_TAG=latest | |
| ABSPATH=$(cd "$(dirname "$0")"; pwd) | |
| CA_CNF=${ABSPATH}/ca.cnf | |
| CFSSL_DIR=${ABSPATH}/cfssl | |
| BOULDER_CONFIG=${ABSPATH}/boulder-config.json | |
| confCheck() { | |
| # Load overrides from /etc/sysconfig/boulder if it exists | |
| if [ -r "/etc/sysconfig/boulder" ] ; then | |
| echo "[?] Loading overrides from /etc/sysconfig/boulder" | |
| source /etc/sysconfig/boulder | |
| else | |
| echo "[?] /etc/sysconfig/boulder does not exist; skipping" | |
| fi | |
| if [ -r "${ABSPATH}/boulder.config" ] ; then | |
| echo "[?] Loading overrides from ${ABSPATH}/boulder.config" | |
| source ${ABSPATH}/boulder.config | |
| else | |
| echo "[?] ${ABSPATH}/boulder.config does not exist; skipping" | |
| fi | |
| if ! [ -r ${BOULDER_CONFIG} ] ; then | |
| echo "[!] Could not find Boulder config at ${BOULDER_CONFIG}; does it exist?" | |
| exit 1 | |
| fi | |
| if ! [ -d ${CFSSL_DIR} ] ; then | |
| echo "[!] Could not open CFSSL directory at ${CFSSL_DIR}; shall I create it and some keys? [Y/n]" | |
| read x | |
| if [ "${x}" == "y" ] || [ "${x}" == "Y" ] ; then | |
| mkdir -p ${CFSSL_DIR} || exit 2 | |
| openssl req -newkey rsa:4096 -sha512 -days 9999 -x509 -nodes \ | |
| -config ${CA_CNF} \ | |
| -keyout ${CFSSL_DIR}/ca-key.pem \ | |
| -out ${CFSSL_DIR}/ca.pem | |
| else | |
| exit 2 | |
| fi | |
| fi | |
| } | |
| running() { | |
| if docker ps | grep ${1} 2>&1 >/dev/null; then | |
| return 0 | |
| fi | |
| return 1 | |
| } | |
| start() { | |
| local bConfDir=$(dirname ${BOULDER_CONFIG}) | |
| local bConfFile=$(basename ${BOULDER_CONFIG}) | |
| if ! running cfssl; then | |
| # Start CFSSL | |
| docker rm cfssl 2>&1 >/dev/null | |
| docker run --name cfssl -d \ | |
| --dns 172.17.42.1 \ | |
| -p 22299:22299 \ | |
| -v ${CFSSL_DIR}:/etc/cfssl:ro \ | |
| quay.io/jcjones/cfssl:${CFSSL_TAG} \ | |
| serve -port=22299 | |
| else | |
| echo "[-] CFSSL already running..." | |
| fi | |
| if ! running boulder; then | |
| # Start Boulder | |
| docker rm boulder 2>&1 >/dev/null | |
| docker run --name boulder -d \ | |
| --dns 172.17.42.1 \ | |
| --link cfssl:cfssl \ | |
| -v ${bConfDir}:/boulder:ro \ | |
| -p 4000:4000 \ | |
| quay.io/letsencrypt/boulder:${BOULDER_TAG} \ | |
| boulder --config /boulder/${bConfFile} | |
| else | |
| echo "[-] Boulder already running..." | |
| fi | |
| } | |
| status() { | |
| if running quay.io/letsencrypt/boulder; then | |
| echo "[-] Boulder is running" | |
| else | |
| echo "[-] Boulder is not running" | |
| fi | |
| if running quay.io/jcjones/cfssl; then | |
| echo "[-] CFSSL is running" | |
| else | |
| echo "[-] CFSSL is not running" | |
| fi | |
| } | |
| stop() { | |
| echo "[-] Stopping..." | |
| docker stop boulder | |
| docker stop cfssl | |
| } | |
| testOneshot() { | |
| echo "[-] Creating one-shot config and not publishing the TCP port..." | |
| echo "[-] Control c to exit" | |
| local bConfDir=$(dirname ${BOULDER_CONFIG}) | |
| local bConfFile=$(basename ${BOULDER_CONFIG}) | |
| docker run --rm=true \ | |
| --link cfssl:cfssl -v \ | |
| ${bConfDir}:/boulder:ro \ | |
| quay.io/letsencrypt/boulder:${BOULDER_TAG} \ | |
| boulder --config /boulder/${bConfFile} | |
| } | |
| update() { | |
| echo "[-] Updating..." | |
| docker pull quay.io/letsencrypt/boulder:${BOULDER_TAG} | |
| docker pull quay.io/jcjones/cfssl:${CFSSL_TAG} | |
| } | |
| case "$1" in | |
| start) | |
| confCheck | |
| start | |
| ;; | |
| stop) | |
| stop | |
| ;; | |
| restart) | |
| confCheck | |
| stop | |
| start | |
| ;; | |
| status) | |
| status | |
| ;; | |
| update) | |
| confCheck | |
| update | |
| ;; | |
| test) | |
| confCheck | |
| testOneshot | |
| ;; | |
| *) | |
| echo $"Usage: $0 {start|stop|restart|status|update|test}" | |
| exit 1 | |
| ;; | |
| esac | |
| ------------------------------- letsencrypt: ------------------------------------- | |
| letsencrypt -d test.de --server http://172.17.42.1:4000/acme/new-reg --no-verify-ssl -vvvvv --text auth |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment