
HUB management

Vianney Jouhet edited this page Apr 2, 2019 · 27 revisions

During installation

If you need to set up a shrine hub, the hub container must be added to the stack. The docker-compose file that includes it is called docker-compose-hub.yml.

For this reason you must use the -f option of docker-compose for every interaction with the stack:

# examples of docker-compose commands for a hub deployment
sudo docker-compose -f docker-compose-hub.yml up
sudo docker-compose -f docker-compose-hub.yml exec shrine /bin/bash

Secondly, update secrets.txt: set IS_HUB=true and adjust SHRINE_HUB_PORT=6443 or SHRINE_PORT=6443 depending on your port mapping in docker-compose-hub.yml.

Then follow the installation instructions in the README, adding the -f option to every docker-compose command, up to the point where the Manage certificates section starts.

Post installation settings

At the end you will obtain a shrine node and a hub (a shrine container and a hub container). In order to connect them you need to initialise the hub certificate authority and perform the certificate exchange locally for your own shrine node.

Copy the shrine node's CSR and HTTPS certificate to the hub

sudo cp shrine/cert/shrine/shrinelocal.csr shrine/cert/hub/
sudo cp shrine/cert/shrine/shrinelocal_HTTPS.cer shrine/cert/hub/

Enter into the hub container

sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash

Create a new certification authority (CA) certificate

execute from /opt/shrine

./initHubCa.sh

Answer all the questions asked.

Sign the shrine node certificate

execute from /opt/shrine

./sign-cert.sh shrinelocal
exit # leave the hub container

Copy the signed certificate and the hub's CA certificates to the shrine node

sudo cp shrine/cert/hub/shrinelocal-signed.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-ca.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-https-ca.crt shrine/cert/shrine/

Enter into the shrine container

sudo docker-compose -f docker-compose-hub.yml exec shrine /bin/bash

Import the certificates

./import-cert.sh

Restart the shrine and hub containers

sudo docker-compose -f docker-compose-hub.yml restart shrine hub

You should be able to query your own shrine instance.

Signing a CSR

Copy the node's CSR and _HTTPS.crt into SHRINEDocker/shrine/cert/hub/

Enter into the hub container

sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash

Sign the CSR

execute from /opt/shrine

./sign-cert.sh <host-name-to-sign> <node-name>
# <host-name-to-sign> corresponds to the file /opt/cert/<host-to-sign>.csr
# <node-name> must be a simple name using the characters [A-Z] only, without spaces (it identifies the node in the result output if it fails)

The resulting signed certificate is written to /opt/cert/<host-to-sign>-signed.crt alongside shrine-hub-ca.crt and shrine-hub-https-ca.crt; outside the container these files are available at SHRINEDocker/shrine/cert/hub/.

Send these three crt files back to the node administrator.

The node has been added as a downstream node in the /opt/shrine/tomcat/lib/shrine.conf file. You can change its human-readable name there.

Re-signing a certificate for a known host

If you need to re-sign a known host (e.g. after certificate expiration), you must first delete the corresponding keytool aliases before signing the certificate.

  1. Enter into the hub container
sudo docker-compose -f docker-compose-hub.yml exec hub /bin/bash
  2. Execute from /opt/shrine
keytool -delete -v -alias <hostname> -keystore shrine.keystore
keytool -delete -v -alias <hostname>_HTTPS -keystore shrine.keystore
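A pre-flight check for the signing procedure above and for the re-sign case, as an added example that is not part of SHRINEDocker: it enforces the <node-name> rule, checks that the CSR and HTTPS certificate are in the cert directory, reports a keytool alias that would have to be deleted first, and verifies that the three files to hand back exist. The cert directory argument, the keystore path and the KEYTOOL_STOREPASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of SHRINEDocker: pre-flight checks around ./sign-cert.sh.
# Assumed: cert_dir holds <host>.csr (/opt/cert inside the hub container), keystore
# is the hub's shrine.keystore, and KEYTOOL_STOREPASS holds its password when the
# keytool alias check is wanted (skipped otherwise, so this also runs without Java).

# <node-name> rule from the wiki: characters [A-Z] only, no spaces.
valid_node_name() {
  case "$1" in
    ''|*[!A-Z]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 when <host> can be signed: node name valid, CSR and HTTPS cert present
# (the wiki names the HTTPS cert .cer in one place and .crt in another, so either
# is accepted) and no stale keytool alias left over from a previous signing.
preflight_sign() {
  cert_dir=$1 host=$2 node=$3 keystore=${4:-shrine.keystore} rc=0
  valid_node_name "$node" || { echo "node-name '$node' must match [A-Z]+"; rc=1; }
  [ -f "$cert_dir/$host.csr" ] || { echo "missing $cert_dir/$host.csr"; rc=1; }
  [ -f "$cert_dir/${host}_HTTPS.cer" ] || [ -f "$cert_dir/${host}_HTTPS.crt" ] ||
    { echo "missing $cert_dir/${host}_HTTPS.cer (or .crt)"; rc=1; }
  # Re-sign case: an alias already in the keystore must be deleted before signing.
  if [ -n "$KEYTOOL_STOREPASS" ] && [ -f "$keystore" ] && command -v keytool >/dev/null 2>&1; then
    for alias in "$host" "${host}_HTTPS"; do
      if keytool -list -alias "$alias" -keystore "$keystore" \
           -storepass "$KEYTOOL_STOREPASS" >/dev/null 2>&1; then
        echo "alias $alias exists in $keystore: run keytool -delete -alias $alias first"
        rc=1
      fi
    done
  fi
  return $rc
}

# Return 0 when the three files to send back to the node administrator exist.
signed_outputs_present() {
  cert_dir=$1 host=$2
  for f in "$host-signed.crt" shrine-hub-ca.crt shrine-hub-https-ca.crt; do
    [ -f "$cert_dir/$f" ] || { echo "missing $cert_dir/$f"; return 1; }
  done
  return 0
}

# Usage on the hub, from /opt/shrine:
#   preflight_sign /opt/cert shrinelocal SHRINELOCAL shrine.keystore && ./sign-cert.sh shrinelocal SHRINELOCAL
#   signed_outputs_present /opt/cert shrinelocal
```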