HUB management
If you need to set up a shrine hub, the hub container must be added to the stack. The corresponding docker-compose file is docker-compose-hub.yml.
To make the stack use this file, two steps are needed:
- Rename docker-compose file
mv docker-compose.yml docker-compose.yml.bkp
mv docker-compose-hub.yml docker-compose.yml
- update secrets.txt and set
IS_HUB=true
Then follow the readme file for the installation instructions.
At the end you will have a shrine node and a hub (a shrine container and a hub container). To connect them you need to initialise the hub certificate authority and perform the certificate exchange: the node's CSR and HTTPS certificate go to the hub, the hub signs the request, and the signed certificate comes back to the node together with the hub CA certificates.
sudo cp shrine/cert/shrine/shrinelocal.csr shrine/cert/hub/
sudo cp shrine/cert/shrine/shrinelocal_HTTPS.cer shrine/cert/hub/
sudo docker-compose exec hub /bin/bash
execute from /opt/shrine
./initHubCa.sh
Answer all the prompts
execute from /opt/shrine
./sign-cert.sh
exit #leave hub container
sudo cp shrine/cert/hub/shrinelocal-signed.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-ca.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-https-ca.crt shrine/cert/shrine/
sudo docker-compose exec shrine /bin/bash
## Import the certificates
./import-cert.sh
Leave the shrine container (exit) and restart both services from the host:
sudo docker-compose restart shrine hub
You should now be able to query your own shrine instance.
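The host-side copy steps of the certificate exchange above, as an added shell example that is not part of the SHRINEDocker project: each copy refuses a missing or empty file and confirms the result, so a failed step is caught before import-cert.sh silently imports nothing. The docker-compose exec steps (initHubCa.sh, sign-cert.sh, import-cert.sh) are still run by hand between the two functions. SHRINE_ROOT, the function names and the openssl check are assumptions of this example; the assumption in verify_signed_cert is that shrine-hub-ca.crt is the issuer of shrinelocal-signed.crt.

```shell
#!/bin/sh
# Added example, not SHRINEDocker project code: the host-side copy steps of the
# shrine <-> hub certificate exchange, with checks that each file exists and is
# non-empty before and after the copy. Assumes the checkout layout
# shrine/cert/shrine and shrine/cert/hub under SHRINE_ROOT (an assumed
# variable; default "."). Run with sudo if the cert directories are
# root-owned, as the README's commands suggest.
set -eu

SHRINE_ROOT="${SHRINE_ROOT:-.}"

# copy_checked SRC DSTDIR: refuse a missing/empty source and confirm the copy
copy_checked() {
    src="$1"; dstdir="$2"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    [ -d "$dstdir" ] || { echo "not a directory: $dstdir" >&2; return 1; }
    cp "$src" "$dstdir/" || return 1
    [ -s "$dstdir/$(basename "$src")" ] || { echo "copy failed: $src -> $dstdir" >&2; return 1; }
}

# Step 1: hand the node's CSR and HTTPS certificate to the hub side
push_node_request_to_hub() {
    node_dir="$SHRINE_ROOT/shrine/cert/shrine"
    hub_dir="$SHRINE_ROOT/shrine/cert/hub"
    copy_checked "$node_dir/shrinelocal.csr" "$hub_dir" || return 1
    copy_checked "$node_dir/shrinelocal_HTTPS.cer" "$hub_dir" || return 1
}

# Step 2 (after initHubCa.sh and sign-cert.sh ran inside the hub container):
# bring the signed certificate and both hub CA certificates back to the node side
pull_signed_certs_to_node() {
    node_dir="$SHRINE_ROOT/shrine/cert/shrine"
    hub_dir="$SHRINE_ROOT/shrine/cert/hub"
    for f in shrinelocal-signed.crt shrine-hub-ca.crt shrine-hub-https-ca.crt; do
        copy_checked "$hub_dir/$f" "$node_dir" || return 1
    done
}

# Optional check before import-cert.sh: the signed certificate must chain to
# the hub CA that was just copied (assumes shrine-hub-ca.crt is its issuer;
# needs openssl on the host)
verify_signed_cert() {
    node_dir="$SHRINE_ROOT/shrine/cert/shrine"
    openssl verify -CAfile "$node_dir/shrine-hub-ca.crt" "$node_dir/shrinelocal-signed.crt"
}
```

Typical use is `push_node_request_to_hub` before entering the hub container and `pull_signed_certs_to_node` followed by `verify_signed_cert` after leaving it; a non-zero exit from any of them means the exchange is incomplete and import-cert.sh should not be run yet.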
To sign the certificate request of another node, which makes it a downstream node of this hub, enter the shrine container:
sudo docker-compose exec shrine /bin/bash
execute from /opt/shrine
./sign-cert.sh <host-name-to-sign> <node-name>
# <host-name-to-sign> corresponds to the file /opt/cert/<host-name-to-sign>.csr
# <node-name> must be a simple name made of [A-Z] characters only, without spaces (it identifies the node in the result output when a query fails)
The resulting signed certificate /opt/cert/<host-name-to-sign>-signed.crt, together with shrine-hub-ca.crt and shrine-hub-https-ca.crt, is also available outside the container at SHRINEDocker/shrine/cert/hub/. Send these three crt files back to the node administrator.
The node is then added as a downstream node in the file /opt/shrine/tomcat/lib/shrine.conf, where you can change its human-readable name.
If you need to re-sign a known host (e.g. after certificate expiration), the corresponding keytool aliases must be deleted before signing the certificate again, otherwise the import into the keystore fails on the existing alias.
- Enter into the shrine container
sudo docker-compose exec shrine /bin/bash
- Execute from /opt/shrine (one alias for the node certificate, one for its HTTPS certificate)
keytool -delete -v -alias <hostname> -keystore shrine.keystore
keytool -delete -v -alias <hostname>_HTTPS -keystore shrine.keystore
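The re-signing procedure above as an added shell example that is not SHRINEDocker project code: it first checks that the keystore can be opened (a wrong store password would otherwise make every alias look absent), then deletes only the aliases that actually exist, so a second run does not abort on "alias does not exist", and finally runs the project's sign-cert.sh exactly as the README does. SHRINE_HOME (default /opt/shrine, where shrine.keystore and sign-cert.sh live), SHRINE_KEYSTORE_PASS (optional; when unset, keytool prompts for the store password) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SHRINEDocker project code: idempotent re-signing of a
# known host. Assumed names: SHRINE_HOME (default /opt/shrine) and the
# optional SHRINE_KEYSTORE_PASS; everything else is the README's own commands.
set -eu

SHRINE_HOME="${SHRINE_HOME:-/opt/shrine}"

# kt ARGS...: run keytool against the shrine keystore, passing -storepass only
# if a password was provided (otherwise keytool prompts as usual)
kt() {
    if [ -n "${SHRINE_KEYSTORE_PASS:-}" ]; then
        keytool "$@" -keystore "$SHRINE_HOME/shrine.keystore" -storepass "$SHRINE_KEYSTORE_PASS"
    else
        keytool "$@" -keystore "$SHRINE_HOME/shrine.keystore"
    fi
}

# alias_exists ALIAS: keytool -list exits non-zero when the alias is absent
alias_exists() {
    kt -list -alias "$1" >/dev/null 2>&1
}

# drop_host_aliases HOST: delete <host> and <host>_HTTPS, but only those present
drop_host_aliases() {
    host="$1"
    # A wrong store password also makes every -list fail and would be mistaken
    # for "alias absent", so validate access to the keystore once up front.
    kt -list >/dev/null 2>&1 || { echo "cannot open $SHRINE_HOME/shrine.keystore" >&2; return 1; }
    for a in "$host" "${host}_HTTPS"; do
        if alias_exists "$a"; then
            kt -delete -v -alias "$a" || return 1
        else
            echo "alias $a not in keystore, nothing to delete" >&2
        fi
    done
}

# resign_known_host HOST NODE: alias cleanup, then the README's signing step,
# run from SHRINE_HOME because sign-cert.sh expects to be started there
resign_known_host() {
    host="$1"; node="$2"
    drop_host_aliases "$host" || return 1
    (cd "$SHRINE_HOME" && ./sign-cert.sh "$host" "$node")
}
```

Inside the shrine container this is `resign_known_host <hostname> <node-name>`; the deletion is the same `keytool -delete -v -alias ... -keystore shrine.keystore` as above, just guarded by a presence check.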