Better entrypoint and new Readme

README.md

@@ -1 +1,60 @@
-# local-ca
+# Local ACME Certificate authority
+
+This repo builds a container that can be used in a docker-compose environment to create a disposable CA and issue/update certificates using certbot.
+
+It is heavily informed by the smallstep authors via https://github.com/smallstep/certificates/blob/master/docker/entrypoint.sh
+
+## Accessing the root cert
+
+The easiest way to obtain the cert for use validating other certs within the environment is to download the pem from the smallstep ca at the well known url: `https://step-ca:9000/roots.pem`.
+
+The next easiest way to obtain the cert is through mounting a docker volume which contains the certificate.  See the docker-compose example below or follow the OpenCHAMI quickstart.
+
+
+## Docker Compose Usage
+
+This container can be used with docker compose following this example:
+
+```
+  step-ca:
+    container_name: step-ca
+    hostname: step-ca
+    image: ghcr.io/openchami/local-ca:v0.1.0
+    ports: 
+      - "9000:9000"
+    networks:
+      - openchami-certs
+    volumes:
+      - ./configs/step-ca/:/home/step
+      # Keeping the database in a volume improves performance.  I don't understand why.
+      - step-ca-db:/home/step/db
+      # Keeping the root CA in a volume allows us to back it up and restore it.
+      - step-root-ca:/root-ca/
+    environment:
+      # To initialize your CA, modify these environment variables
+      - STEPPATH=/home/step
+      - DOCKER_STEPCA_INIT_NAME=OpenCHAMI
+      - DOCKER_STEPCA_INIT_DNS_NAMES=localhost,step-ca
+      - DOCKER_STEPCA_INIT_ACME=true
+    healthcheck:
+      test: ["CMD", "step", "ca", "health", "--ca-url", "https://step-ca:9000", "--root", "/root-ca/root_ca.crt"]
+      interval: 10s
+      timeout: 10s
+      retries: 5
+  certbot-issue-cert:
+    container_name: certbot
+    hostname: certbot
+    image: certbot/certbot:v2.10.0
+    depends_on:
+      step-ca:
+        condition: service_healthy
+    environment:
+      - REQUESTS_CA_BUNDLE=/root-ca/root_ca.crt # This is the root CA certificate that we use to verify the local CA.
+    command: [ "certonly", "--webroot", "--server", "https://step-ca:9000/acme/acme/directory", "--webroot-path", "/var/www/html", "--agree-tos", "--email", "[email protected]", "-d", "openchami.bikeshack.dev", "-n" ]
+    networks:
+      - openchami-certs
+    volumes:
+      - local-certs:/etc/letsencrypt
+      - certbot-challenges:/var/www/html/
+      - step-root-ca:/root-ca:ro
+```

local-ca/entrypoint.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 set -eo pipefail
 
+# Adapted from the smallstep example entrypoint at: https://github.com/smallstep/certificates/blob/master/docker/entrypoint.sh
+
 # Paraphrased from:
 # https://github.com/influxdata/influxdata-docker/blob/0d341f18067c4652dfa8df7dcb24d69bf707363d/influxdb/2.0/entrypoint.sh
 # (a repo with no LICENSE.md)
@@ -76,7 +78,19 @@ function step_ca_init () {
     echo "🤫 This will only be displayed once."
     shred -u $STEPPATH/provisioner_password
     mv $STEPPATH/password $PWDPATH
+
+    # Copy the CA certificates to a volume that can be shared for future interaction with the CA
+    # First we put the root ca cert and intermediate cert in the easiest place to find it in the volume
     cp /home/step/certs/root_ca.crt /root-ca/root_ca.crt
+    cp /home/step/certs/intermediate_ca.crt /root-ca/intermediate_ca.crt
+    # Then we set up the files in the right place for the step client to find them
+    mkdir -p /root-ca/step/certs
+    cp /home/step/certs/root_ca.crt /root-ca/step/certs/root_ca.crt
+    cp /home/step/certs/intermediate_ca.crt /root-ca/step/certs/intermediate_ca.crt
+    # Finally, we copy the step config files to the volume without exposing any secrets
+    mkdir -p /root-ca/step/config
+    cp /home/step/config/ca.json /root-ca/step/config/ca.json
+    cp /home/step/config/defaults.json /root-ca/step/config/defaults.json
     echo "🔒 Your CA is ready to go!"
 }