
# HUB management

vianneyJouhet edited this page Nov 14, 2018 · 27 revisions

## During installation

If you need to set up a shrine hub, the corresponding container must be added to the stack. The docker-compose file that includes it is called docker-compose-hub.yml.

To make the stack use this file instead of the default one, two steps are needed:

1. Rename the docker-compose files:

   ```
   mv docker-compose.yml docker-compose.yml.bkp
   mv docker-compose-hub.yml docker-compose.yml
   ```

2. Update secrets.txt and set IS_HUB=true.

Then follow the README file for the installation instructions.

## Post installation settings

At the end you will obtain a shrine node and a hub (a shrine container and a hub container). To connect them you need to initialise the hub certificate authority and perform the certificate exchange.

### Copy the shrine node certificate to the hub

```
sudo cp shrine/cert/shrine/shrinelocal.csr shrine/cert/hub/
sudo cp shrine/cert/shrine/shrinelocal_HTTPS.cer shrine/cert/hub/
```

### Enter the hub container

```
sudo docker-compose exec hub /bin/bash
```

### Create a new certificate authority

Execute from /opt/shrine:

```
./initHubCa.sh
```

Answer all the questions asked.

### Sign the shrine node certificate

Execute from /opt/shrine:

```
./sign-cert.sh
exit # leave the hub container
```

### Copy the signed certificate and the hub's certificates to the shrine node

```
sudo cp shrine/cert/hub/shrinelocal-signed.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-ca.crt shrine/cert/shrine/
sudo cp shrine/cert/hub/shrine-hub-https-ca.crt shrine/cert/shrine/
```

### Enter the shrine container

```
sudo docker-compose exec shrine /bin/bash
```

### Import the certificates

```
./import-cert.sh
```

### Restart the shrine and hub containers

```
sudo docker-compose restart shrine hub
```

You should now be able to query your own shrine instance.

## Signing a CSR

Copy the CSR and the _HTTPS.crt file into SHRINEDocker/shrine/cert/hub/.

### Enter the shrine container

```
sudo docker-compose exec shrine /bin/bash
```

### Sign the CSR

Execute from /opt/shrine:

```
./sign-cert.sh <host-name-to-sign> <node-name>
# <host-name-to-sign> corresponds to the file /opt/cert/<host-to-sign>.csr
# <node-name> must be a simple name made of characters [A-Z] only, without spaces (it identifies the node in the result output if it fails)
```

The resulting signed certificate is available at /opt/cert/<host-to-sign>-signed.csr, together with shrine-hub-ca.crt and shrine-hub-https-ca.crt; outside the container they are available in SHRINEDocker/shrine/cert/hub/.

Send these three crt files back to the node administrator.

The node has been added as a downstream node in the /opt/shrine/tomcat/lib/shrine.conf file. You can change its human-readable name there.

## Re-sign a certificate for a known host

If you need to re-sign a known host (for example after certificate expiration), you must delete the corresponding keytool aliases before signing the certificate again.

1. Enter the shrine container:

   ```
   sudo docker-compose exec shrine /bin/bash
   ```

2. Execute from /opt/shrine:

   ```
   keytool -delete -v -alias <hostname> -keystore shrine.keystore
   keytool -delete -v -alias <hostname>_HTTPS -keystore shrine.keystore
   ```
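As an added example (not part of the SHRINEDocker project), here is a small POSIX shell pre-flight check that fits the "Signing a csr" and "Re-sign certificate" steps above: before the three crt files go back to the node administrator, it confirms that the signed certificate actually chains to the hub CA, is not within 30 days of expiry (the point at which re-signing is due), and carries the expected host name. It assumes openssl is available; the throwaway hub CA and node certificate it builds for the demonstration are constructed here, not SHRINE's.

```shell
#!/bin/sh
# Added example, not SHRINEDocker's own code. Requires openssl.
set -eu

# check_signed_cert CA_CRT SIGNED_CRT EXPECTED_CN
# Returns 0 only if SIGNED_CRT chains to CA_CRT, is valid for at least
# 30 more days (so re-signing is not already due) and its CN is EXPECTED_CN.
check_signed_cert() {
  ca=$1; crt=$2; want_cn=$3
  # 1. chain check: the node certificate must verify against the hub CA
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  # 2. expiry check: -checkend fails if the cert expires within N seconds
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 || return 1
  # 3. identity check: the subject CN must be the host name that was signed
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ]
}

# make_demo_pki DIR: constructed throwaway hub CA, node CSR and signed node
# certificate, plus an unrelated CA to demonstrate the negative case.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-hub-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example" \
    -keyout "$d/node.key" -out "$d/node.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/node-signed.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other-ca" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
}

# Stand-alone run (`sh check-signed-cert.sh demo`): build the demo PKI in a
# temporary directory and report the positive and negative cases.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  check_signed_cert "$tmp/ca.crt" "$tmp/node-signed.crt" node1.example \
    && echo "OK: node-signed.crt chains to the hub CA"
  check_signed_cert "$tmp/other.crt" "$tmp/node-signed.crt" node1.example \
    || echo "REJECT: node-signed.crt was not signed by this CA"
  rm -rf "$tmp"
fi
```

On a real hub the three arguments would be shrine-hub-ca.crt, the <host-to-sign>-signed file produced by sign-cert.sh, and the host name that was signed.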