sipcapture / heplify-server

HEP Capture Server for HOMER
https://sipcapture.org
GNU Affero General Public License v3.0

Provide X509 to containers #394

Closed systemcrash closed 4 years ago

systemcrash commented 4 years ago

A restart of heplify-server seems to generate a new X509 local-cert.

Example:

# openssl s_client -connect 127.0.0.1:9060
CONNECTED(00000003)
depth=1 O = heplify-server, CN = heplify-server
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=3c29337bcfda/CN=3c29337bcfda
   i:/O=heplify-server/CN=heplify-server
 1 s:/O=heplify-server/CN=heplify-server
   i:/O=heplify-server/CN=heplify-server
---
...CERT1...

# docker-compose stop heplify-server
Stopping heplify-server ... done
# docker-compose start heplify-server
Starting heplify-server ... done

# openssl s_client -connect 127.0.0.1:9060
CONNECTED(00000003)
depth=1 O = heplify-server, CN = heplify-server
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=3c29337bcfda/CN=3c29337bcfda
   i:/O=heplify-server/CN=heplify-server
 1 s:/O=heplify-server/CN=heplify-server
   i:/O=heplify-server/CN=heplify-server
---
...CERT2...

Upgrading a heplify-server instance likely forces generation of a new CA.

Is there a way I can feed in a "seed" or my own CA.pem so future upgrades/restarts don't generate a new cert? This is so remote endpoints configured to use TLS don't need updating.

I see tls.go uses https://github.com/negbie/cert - but I don't see how we get this into the docker image via a docker-compose.yml param.

A volume mapping (more convenient) or environment variable would be useful here. Is it just a question of mapping a volume to a folder and putting in the necessary heplify-server-{cert|key}.pem ? If so, to which folder? And is this folder location stable?

https://github.com/sipcapture/heplify-serve/blob/42ac9e7bc2aaa234825d458c74b15cf40dad5fd4/server/tls.go#L29

negbie commented 4 years ago

They are placed into the same folder beside the binary. Did you try to map that folder as volume.

systemcrash commented 4 years ago

Yeah - it didn't work. A red ERROR message was immediately printed about the file heplify-server and the container did not start.

Mapped an empty local folder to /root and it did not like it.

negbie commented 4 years ago

Ok, maybe it's better to expose two config options for cert and key path.

systemcrash commented 4 years ago

It seems like the error comes from Docker:

ERROR: for heplify-server  Cannot start service heplify-server: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"./heplify-server\": stat ./heplify-server: no such file or directory": unknown

ERROR: for heplify-server  Cannot start service heplify-server: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"./heplify-server\": stat ./heplify-server: no such file or directory": unknown
ERROR: Encountered errors while bringing up the project.

systemcrash commented 4 years ago

I like the idea of exposing a folder/volume - makes getting certs in easier. Instead of squashing a cert into an environment variable.

negbie commented 4 years ago

Will look into it over the next days, weeks, months depending on my time budget. PR's are always welcome :)

systemcrash commented 4 years ago

I guess this is partially to do with the container, and how it's constructed. heplify-server runs as root, so it lands in the /root folder, it seems. If heplify-server looks in e.g. /root/certs/ - would this be an acceptable fix? Should be able to map this relatively easily.

systemcrash commented 4 years ago

So add to https://github.com/sipcapture/heplify-server/blob/master/docker/Dockerfile e.g.:

RUN mkdir -p /root/certs

systemcrash commented 4 years ago

Then in theory just update:

    ca, err := cert.NewCertificateAuthority("heplify-server")

to, I think,

    ca, err := cert.NewCertificateAuthority("certs/heplify-server")

Or?

negbie commented 4 years ago

Yeah, something like this could be a possible way. Many possibilities.

systemcrash commented 4 years ago

For your review #399 - fairly simplez.

systemcrash commented 4 years ago

Was able to test and verify that heplify-server starts up correctly, and accepts an external X509 (basically how your https://github.com/negbie/cert/blob/master/cert.go works). The only potential problem now is for heplify-server not in containers - it logs this:

ERR  open certs/heplify-server-cert.pem: no such file or directory

With this error state, a connection is possible, but no TLS is established. Perhaps an os.MkDir is better placed in the library? Thoughts?
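The behaviour this thread is after is a CA that survives restarts and upgrades, plus a clear failure when the cert material is missing instead of an endpoint that still accepts connections without TLS. The following Go program is an added example written for this discussion; it is not heplify-server's code and does not use the negbie/cert library. It assumes a directory named `certs` (the volume-mapped folder proposed above) and the `<name>-cert.pem` / `<name>-key.pem` file naming from the thread. On first start it creates the directory and generates a self-signed CA; on every later start it reloads the same files, so the SHA-256 fingerprint it reports stays constant across restarts. If only one of the two files is present it returns an error rather than regenerating, which is the state a caller should treat as "do not bring up the TLS listener".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// LoadOrCreateCA returns the CA keypair stored under dir, creating dir and
// generating a self-signed CA only when neither file exists yet. The second
// return value is the SHA-256 fingerprint of the DER certificate so a caller
// (or an operator comparing log lines) can confirm restarts reuse the same CA.
func LoadOrCreateCA(dir, name string) (tls.Certificate, string, error) {
	certPath := filepath.Join(dir, name+"-cert.pem")
	keyPath := filepath.Join(dir, name+"-key.pem")

	// Create the directory ourselves so a missing "certs/" folder outside a
	// container does not turn into the "no such file or directory" case.
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return tls.Certificate{}, "", fmt.Errorf("create cert dir: %w", err)
	}

	_, certErr := os.Stat(certPath)
	_, keyErr := os.Stat(keyPath)
	switch {
	case certErr == nil && keyErr == nil:
		// Both present: reuse, never regenerate.
	case errors.Is(certErr, os.ErrNotExist) && errors.Is(keyErr, os.ErrNotExist):
		if err := generateCA(certPath, keyPath, name); err != nil {
			return tls.Certificate{}, "", err
		}
	default:
		// Half a pair: refuse instead of silently minting a new identity.
		return tls.Certificate{}, "", fmt.Errorf("inconsistent CA material in %s (cert: %v, key: %v)", dir, certErr, keyErr)
	}

	c, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return tls.Certificate{}, "", fmt.Errorf("load CA pair: %w", err)
	}
	sum := sha256.Sum256(c.Certificate[0])
	return c, hex.EncodeToString(sum[:]), nil
}

// generateCA writes a fresh self-signed P-256 CA certificate and key.
func generateCA(certPath, keyPath, name string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	if err := writePEM(certPath, "CERTIFICATE", der, 0o644); err != nil {
		return err
	}
	return writePEM(keyPath, "EC PRIVATE KEY", keyDER, 0o600) // key is never world-readable
}

// writePEM creates the file exclusively so an existing file is never overwritten.
func writePEM(path, typ string, der []byte, mode os.FileMode) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		return err
	}
	defer f.Close()
	return pem.Encode(f, &pem.Block{Type: typ, Bytes: der})
}

func main() {
	_, fp, err := LoadOrCreateCA("certs", "heplify-server") // "certs" is the assumed volume path
	if err != nil {
		fmt.Println("refusing to start TLS listener:", err)
		os.Exit(1)
	}
	fmt.Println("CA fingerprint (SHA-256):", fp)
}
```

Running the program twice against the same `certs` directory prints the same fingerprint, which is the property the remote endpoints in this thread depend on. Logging that fingerprint at startup also gives operators a cheap way to notice an unintended CA rotation after an upgrade.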

systemcrash commented 4 years ago

Fixed in #399