Skip to content

Commit

Permalink
Update pkispawn to support ACME
Browse files Browse the repository at this point in the history
pkispawn has been modified to support installing ACME in a
shared PKI server (e.g. with existing CA).

New pkispawn params have been added to specify the ACME
database, issuer, and realm. A sample configuration has been
provided in acme.cfg.

The pki_ds_setup, pki_security_domain_setup, and
pki_registry_enable params in the default.cfg have been moved
from [DEFAULT] into each subsystem's section so that ACME can
skip DS setup, security domain setup, and registry setup by
default.

The templates for ACME database, issuer, and realm configs
have been modified to no longer contain passwords. The
passwords need to be specified during installation.

Some code in acme.py has been moved into subsystem.py so that
it can be reused.

The basic ACME test and the test with PostgreSQL have been
modified to install ACME using pkispawn.
  • Loading branch information
edewata committed Sep 12, 2024
1 parent f876267 commit 9d529f7
Show file tree
Hide file tree
Showing 22 changed files with 541 additions and 173 deletions.
33 changes: 22 additions & 11 deletions .github/workflows/acme-basic-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -100,17 +100,28 @@ jobs:
- name: Install ACME in PKI container
run: |
docker exec pki pki-server acme-create
docker exec pki pki-server acme-database-mod \
--type ds \
-D url=ldap://ds.example.com:3389
docker exec pki pki-server acme-issuer-mod \
--type pki \
-D url=https://pki.example.com:8443
docker exec pki pki-server acme-realm-mod \
--type ds \
-D url=ldap://ds.example.com:3389
docker exec pki pki-server acme-deploy --wait
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/acme.cfg \
-s ACME \
-D acme_database_url=ldap://ds.example.com:3389 \
-D acme_issuer_url=https://pki.example.com:8443 \
-D acme_realm_url=ldap://ds.example.com:3389 \
-v
- name: Check ACME database config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/database.conf
- name: Check ACME issuer config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/issuer.conf
- name: Check ACME realm config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/realm.conf
- name: Check initial ACME accounts
run: |
Expand Down
39 changes: 26 additions & 13 deletions .github/workflows/acme-postgresql-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -149,19 +149,32 @@ jobs:
- name: Install ACME in PKI container
run: |
docker exec pki pki-server acme-create
docker exec pki pki-server acme-database-mod \
--type postgresql \
-Dpassword=mysecretpassword \
-Durl='jdbc:postgresql://postgresql.example.com:5432/acme?ssl=true&sslmode=require'
docker exec pki pki-server acme-issuer-mod \
--type pki \
-D url=https://pki.example.com:8443
docker exec pki pki-server acme-realm-mod \
--type postgresql \
-Dpassword=mysecretpassword \
-Durl='jdbc:postgresql://postgresql.example.com:5432/acme?ssl=true&sslmode=require'
docker exec pki pki-server acme-deploy --wait
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/acme.cfg \
-s ACME \
-D acme_database_type=postgresql \
-D acme_database_url="jdbc:postgresql://postgresql.example.com:5432/acme?ssl=true&sslmode=require" \
-D acme_database_password=mysecretpassword \
-D acme_issuer_url=https://pki.example.com:8443 \
-D acme_realm_type=postgresql \
-D acme_realm_url="jdbc:postgresql://postgresql.example.com:5432/acme?ssl=true&sslmode=require" \
-D acme_realm_password=mysecretpassword \
-v
- name: Check ACME database config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/database.conf
- name: Check ACME issuer config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/issuer.conf
- name: Check ACME realm config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/realm.conf
- name: Run PKI healthcheck in PKI container
run: docker exec pki pki-healthcheck --failures-only
Expand Down
9 changes: 6 additions & 3 deletions .github/workflows/acme-switchover-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -80,13 +80,16 @@ jobs:
docker exec pki pki-server acme-create
docker exec pki pki-server acme-database-mod \
--type ds \
-D url=ldap://ds.example.com:3389
-D url=ldap://ds.example.com:3389 \
-D bindPassword=Secret.123
docker exec pki pki-server acme-issuer-mod \
--type pki \
-D url=https://pki.example.com:8443
-D url=https://pki.example.com:8443 \
-D password=Secret.123
docker exec pki pki-server acme-realm-mod \
--type ds \
-D url=ldap://ds.example.com:3389
-D url=ldap://ds.example.com:3389 \
-D bindPassword=Secret.123
docker exec pki bash -c "echo baseURL=http://server1.example.com:8080/acme >> /var/lib/pki/pki-tomcat/conf/acme/engine.conf"
docker exec pki pki-server acme-deploy --wait
Expand Down
2 changes: 1 addition & 1 deletion base/acme/database/ds/database.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ class=org.dogtagpki.acme.database.DSDatabase
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
bindPassword=
baseDN=dc=acme,dc=pki,dc=example,dc=com
2 changes: 1 addition & 1 deletion base/acme/database/ldap/database.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ class=org.dogtagpki.acme.database.LDAPDatabase
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
bindPassword=
baseDN=dc=acme,dc=pki,dc=example,dc=com
2 changes: 1 addition & 1 deletion base/acme/database/openldap/database.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ class=org.dogtagpki.acme.database.OpenLDAPDatabase
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Manager,dc=example,dc=com
bindPassword=Secret.123
bindPassword=
baseDN=dc=acme,dc=pki,dc=example,dc=com
2 changes: 1 addition & 1 deletion base/acme/database/postgresql/database.conf
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
class=org.dogtagpki.acme.database.PostgreSQLDatabase
url=jdbc:postgresql://localhost.localdomain:5432/acme
user=acme
password=Secret.123
password=
2 changes: 1 addition & 1 deletion base/acme/issuer/pki/issuer.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@ class=org.dogtagpki.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
username=caadmin
password=Secret.123
password=
6 changes: 3 additions & 3 deletions base/acme/openshift/pki-acme-database.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ stringData:
# url: ldap://ds:389
# authType: BasicAuth
# bindDN: cn=Directory Manager
# bindPassword: Secret.123
# bindPassword: ...
# baseDN: dc=acme,dc=pki,dc=example,dc=com
#
# OpenLDAP Database
Expand All @@ -23,12 +23,12 @@ stringData:
# url: ldap://openldap:389
# authType: BasicAuth
# bindDN: cn=Manager,dc=example,dc=com
# bindPassword: Secret.123
# bindPassword: ...
# baseDN: dc=acme,dc=pki,dc=example,dc=com
#
# PostgreSQL Database
# -------------------
# class: org.dogtagpki.acme.database.PostgreSQLDatabase
# password: Secret.123
# password: ...
# url: jdbc:postgresql://postgresql:5432/acme
# user: acme
2 changes: 1 addition & 1 deletion base/acme/openshift/pki-acme-issuer.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,4 @@ stringData:
# url: https://pki-ca:8443
# profile: acmeServerCert
# username: caadmin
# password: Secret.123
# password: ...
4 changes: 2 additions & 2 deletions base/acme/openshift/pki-acme-realm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ stringData:
# url: ldap://ds:389
# authType: BasicAuth
# bindDN: cn=Directory Manager
# bindPassword: Secret.123
# bindPassword: ...
# usersDN: ou=people,dc=acme,dc=pki,dc=example,dc=com
# groupsDN: ou=groups,dc=acme,dc=pki,dc=example,dc=com
#
# PostgreSQL Realm
# ----------------
# class: org.dogtagpki.acme.realm.PostgreSQLRealm
# password: Secret.123
# password: ...
# url: jdbc:postgresql://postgresql:5432/acme
# user: acme
2 changes: 1 addition & 1 deletion base/acme/realm/ds/realm.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,6 @@ class=org.dogtagpki.acme.realm.DSRealm
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
bindPassword=
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
2 changes: 1 addition & 1 deletion base/acme/realm/in-memory/realm.conf
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
class=org.dogtagpki.acme.realm.InMemoryRealm
username=admin
password=Secret.123
password=
2 changes: 1 addition & 1 deletion base/acme/realm/postgresql/realm.conf
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
class=org.dogtagpki.acme.realm.PostgreSQLRealm
url=jdbc:postgresql://localhost.localdomain:5432/acme
user=acme
password=Secret.123
password=
82 changes: 78 additions & 4 deletions base/server/etc/default.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,11 @@ sensitive_parameters=
pki_server_database_password
pki_server_pkcs12_password
pki_token_password
acme_database_bind_password
acme_database_password
acme_issuer_password
acme_realm_bind_password
acme_realm_password

pki_instance_name=pki-tomcat
pki_http_port=8080
Expand Down Expand Up @@ -80,7 +85,6 @@ pki_ds_ldap_port=389
pki_ds_ldaps_port=636
pki_ds_password=
pki_ds_remove_data=True
pki_ds_setup=True
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=
Expand All @@ -94,13 +98,14 @@ pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_po
pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_status_request_timeout=
pki_security_domain_setup=True

pki_security_domain_hostname=%(pki_hostname)s
pki_security_domain_https_port=8443
pki_security_domain_uri=https://%(pki_security_domain_hostname)s:%(pki_security_domain_https_port)s
pki_security_domain_name=%(pki_dns_domainname)s Security Domain
pki_security_domain_password=
pki_security_domain_user=caadmin

#for supporting server cert SAN injection
pki_san_inject=False
pki_san_for_server_cert=
Expand Down Expand Up @@ -247,8 +252,6 @@ CATALINA_HOME=/usr/share/tomcat
pki_tomcat_bin_path=%(CATALINA_HOME)s/bin
pki_tomcat_lib_path=%(CATALINA_HOME)s/lib

pki_registry_enable=True

###############################################################################
## CA Configuration: ##
## ##
Expand Down Expand Up @@ -329,9 +332,11 @@ pki_admin_uid=caadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s

pki_ds_setup=True
pki_ds_base_dn=o=%(pki_instance_name)s-CA
pki_ds_database=%(pki_instance_name)s-CA
pki_ds_hostname=%(pki_hostname)s

pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
pki_share_db=False
pki_master_crl_enable=True
Expand Down Expand Up @@ -360,6 +365,9 @@ pki_request_id_generator=random
# Cert request ID length in bits
pki_request_id_length=128

pki_security_domain_setup=True
pki_registry_enable=True

###############################################################################
## KRA Configuration: ##
## ##
Expand Down Expand Up @@ -441,9 +449,11 @@ pki_admin_uid=kraadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s

pki_ds_setup=True
pki_ds_base_dn=o=%(pki_instance_name)s-KRA
pki_ds_database=%(pki_instance_name)s-KRA
pki_ds_hostname=%(pki_hostname)s

pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
Expand All @@ -460,6 +470,9 @@ pki_request_id_generator=random
# Key request ID length in bits
pki_request_id_length=128

pki_security_domain_setup=True
pki_registry_enable=True

###############################################################################
## OCSP Configuration: ##
## ##
Expand Down Expand Up @@ -528,13 +541,17 @@ pki_admin_uid=ocspadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s

pki_ds_setup=True
pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
pki_ds_database=%(pki_instance_name)s-OCSP
pki_ds_hostname=%(pki_hostname)s

pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s

pki_security_domain_setup=True
pki_registry_enable=True

###############################################################################
## TKS Configuration: ##
Expand All @@ -552,13 +569,19 @@ pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instanc
pki_admin_uid=tksadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s

pki_ds_setup=True
pki_ds_base_dn=o=%(pki_instance_name)s-TKS
pki_ds_database=%(pki_instance_name)s-TKS
pki_ds_hostname=%(pki_hostname)s

pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s

pki_security_domain_setup=True
pki_registry_enable=True

###############################################################################
## TPS Configuration: ##
## ##
Expand All @@ -574,9 +597,12 @@ pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instanc
pki_admin_uid=tpsadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s

pki_ds_setup=True
pki_ds_base_dn=o=%(pki_instance_name)s-TPS
pki_ds_database=%(pki_instance_name)s-TPS
pki_ds_hostname=%(pki_hostname)s

pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
pki_authdb_hostname=%(pki_hostname)s
pki_authdb_port=389
Expand All @@ -589,3 +615,51 @@ pki_import_shared_secret=False
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml

pki_security_domain_setup=True
pki_registry_enable=True

[ACME]
pki_ds_setup=False
pki_security_domain_setup=False
pki_registry_enable=False

# Database params:
# - acme_database_type
# - acme_database_url
# - acme_database_auth_type
# - acme_database_bind_dn
# - acme_database_bind_password
# - acme_database_bind_nickname
# - acme_database_user
# - acme_database_password
# - acme_database_base_dn
#
# See /usr/share/pki/acme/database/<type>/database.conf

# Issuer params:
# - acme_issuer_type
# - acme_issuer_url
# - acme_issuer_nickname
# - acme_issuer_extensions
# - acme_issuer_username
# - acme_issuer_password
# - acme_issuer_password_file
# - acme_issuer_profile
#
# See /usr/share/pki/acme/issuer/<type>/issuer.conf

# Realm params:
# - acme_realm_type
# - acme_realm_url
# - acme_realm_auth_type
# - acme_realm_bind_dn
# - acme_realm_bind_password
# - acme_realm_nickname
# - acme_realm_user
# - acme_realm_username
# - acme_realm_password
# - acme_realm_users_dn
# - acme_realm_groups_dn
#
# See /usr/share/pki/acme/realm/<type>/realm.conf
Loading

0 comments on commit 9d529f7

Please sign in to comment.