Closed systemcrash closed 4 years ago
They are placed into the same folder beside the binary. Did you try to map that folder as a volume?
Yeah - it didn't work. A red ERROR message was immediately printed about the file `heplify-server` and the container did not start.
Mapped an empty local folder to `/root` and it did not like it.
Ok maybe it's better to expose two config options for cert and key path.
It seems like the error comes from Docker:

```
ERROR: for heplify-server Cannot start service heplify-server: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"./heplify-server\": stat ./heplify-server: no such file or directory": unknown
ERROR: for heplify-server Cannot start service heplify-server: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"./heplify-server\": stat ./heplify-server: no such file or directory": unknown
ERROR: Encountered errors while bringing up the project.
```
I like the idea of exposing a folder/volume - makes getting certs in easier. Instead of squashing a cert into an environment variable.
Will look into it over the next days, weeks, months depending on my time budget. PRs are always welcome :)
I guess this is partially to do with the container, and how it's constructed. `heplify-server` runs as root, so it lands in the `/root` folder, it seems. If `heplify-server` looks in e.g. `/root/certs/` - would this be an acceptable fix? Should be able to map this relatively easily.

So add to https://github.com/sipcapture/heplify-server/blob/master/docker/Dockerfile e.g.:

```dockerfile
RUN mkdir -p /root/certs
```

Then in theory just update:

```go
ca, err := cert.NewCertificateAuthority("heplify-server")
```

to, I think,

```go
ca, err := cert.NewCertificateAuthority("certs/heplify-server")
```

Or?
Yeah something like this could be a possible way. Many possibilities.
For your review #399 - fairly simplez.

Was able to test and verify that `heplify-server` starts up correctly, and accepts an external X509 (basically how your https://github.com/negbie/cert/blob/master/cert.go works). The only potential problem now is for `heplify-server` not in containers - it logs this:

```
ERR open certs/heplify-server-cert.pem: no such file or directory
```

With this error state, a connection is possible, but no TLS is established. Perhaps an `os.MkDir` is better placed in the library? Thoughts?
Fixed in #399
A restart of `heplify-server` seems to generate a new X509 local-cert.

Example:

Upgrading a `heplify-server` instance likely forces generation of a new CA. Is there a way I can feed in a "seed" or my own CA.pem so future upgrades/restarts don't generate a new cert? This is so remote endpoints configured to use TLS don't need updating.

I see `tls.go` uses https://github.com/negbie/cert - but I don't see how we get this into the docker image via a docker-compose.yml param. A volume mapping (more convenient) or environment variable would be useful here. Is it just a question of mapping a volume to a folder and putting in the necessary `heplify-server-{cert|key}.pem`? If so, to which folder? And is this folder location stable?

https://github.com/sipcapture/heplify-serve/blob/42ac9e7bc2aaa234825d458c74b15cf40dad5fd4/server/tls.go#L29
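The two behaviours discussed in this thread (a fresh certificate on every restart, and the `open certs/...: no such file or directory` error when the certs directory is missing outside a container) both come down to how a server decides between reusing an on-disk key pair and generating a new one. The following is an added example, not code from heplify-server or from the `negbie/cert` library: it looks for `<dir>/<name>-cert.pem` and `<dir>/<name>-key.pem`, reuses them when both exist (so the fingerprint remote endpoints pinned stays stable across restarts and upgrades), creates the directory and a self-signed pair when both are absent, and refuses to silently overwrite when only one of the two files is present. The directory layout, the `-cert.pem`/`-key.pem` suffixes and the self-signed ECDSA P-256 generation are assumptions for illustration, not the project's actual format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// loadOrCreateCert returns the TLS certificate stored at dir/<name>-cert.pem
// and dir/<name>-key.pem. If both files are missing it creates dir and a new
// self-signed pair; if exactly one is missing it returns an error rather than
// overwriting the survivor. The bool reports whether an existing pair was reused.
// (Assumed layout for this example; not heplify-server's own.)
func loadOrCreateCert(dir, name string) (tls.Certificate, bool, error) {
	certPath := filepath.Join(dir, name+"-cert.pem")
	keyPath := filepath.Join(dir, name+"-key.pem")

	_, certErr := os.Stat(certPath)
	_, keyErr := os.Stat(keyPath)
	switch {
	case certErr == nil && keyErr == nil:
		// Both present: reuse, so the fingerprint does not change on restart.
		c, err := tls.LoadX509KeyPair(certPath, keyPath)
		return c, err == nil, err
	case certErr == nil || keyErr == nil:
		return tls.Certificate{}, false, fmt.Errorf("only one of %s / %s exists; refusing to regenerate", certPath, keyPath)
	}

	// Neither file exists: make sure the directory is there before writing,
	// which is the missing step behind the "no such file or directory" log line.
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return tls.Certificate{}, false, err
	}
	certPEM, keyPEM, err := newSelfSignedPEM(name)
	if err != nil {
		return tls.Certificate{}, false, err
	}
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return tls.Certificate{}, false, err
	}
	// Private key: owner-only permissions.
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return tls.Certificate{}, false, err
	}
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	return c, false, err
}

// newSelfSignedPEM generates an ECDSA P-256 key and a self-signed certificate
// with the given common name, valid for ten years, and returns both as PEM.
func newSelfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// fingerprint returns the SHA-256 of the leaf certificate's DER encoding, the
// value a remote endpoint would pin and that must survive a restart.
func fingerprint(c tls.Certificate) string {
	sum := sha256.Sum256(c.Certificate[0])
	return hex.EncodeToString(sum[:])
}

func main() {
	dir := filepath.Join(os.TempDir(), "heplify-example-certs")
	for i := 0; i < 2; i++ { // two "restarts": first generates, second reuses
		c, reused, err := loadOrCreateCert(dir, "heplify-server")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("start %d: reused=%v fingerprint=%s\n", i+1, reused, fingerprint(c))
	}
}
```

Mapping a host folder onto `dir` (the `/root/certs` volume proposed above) and dropping in your own pair named the same way gives the same result as the reuse branch: the server never reaches the generation path, so upgrades do not change what peers have pinned.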