Docker
All applications that make up the TMF platform are built as Docker containers.
Renew Docker certificates on a TMF server
- ssh into the server
- remove all content in the docker-cert folder (keep a copy of the old folder somewhere else until Portainer has been switched over: the script below generates a brand-new CA, so the old client certs stop working as soon as the daemon is restarted)
- execute the following .sh script:
#!/usr/bin/env bash
# Regenerates CA, server and client certificates for the Docker TLS endpoint.
# The CA key passphrase is random and never stored, so ca-key.pem cannot be
# used to sign anything later: every renewal produces a new CA and the new
# ca.pem has to be redistributed to every client (Portainer).
set -euo pipefail
cd docker-cert
CERT_DIR=$(pwd)
PASS=$(mkpasswd "insert some text")          # throwaway passphrase (mkpasswd comes from the whois package)
HOST=$(hostname -I | awk '{print $1; exit}') # first IP address of this server

# CA
openssl genrsa -aes256 -passout pass:"$PASS" -out ca-key.pem 4096
openssl req -new -x509 -days 1095 -key ca-key.pem -sha256 -out ca.pem \
  -subj "/C=BE/ST=Flanders/L=Gent/O=Partago cvba/CN=$HOST" \
  -passin pass:"$PASS"

# Server certificate (key stays unencrypted: dockerd cannot prompt for a passphrase)
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$HOST" "$HOST" > extfile.cnf
openssl x509 -req -days 1095 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf \
  -passin pass:"$PASS"

# Client certificate (used by Portainer and the docker CLI)
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days 1095 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf \
  -passin pass:"$PASS"

rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem   # private keys: owner-only, never world-readable
chmod -v 0444 ca.pem server-cert.pem cert.pem      # public material
- restart the Docker daemon so it loads the new server-cert.pem and server-key.pem
sudo systemctl daemon-reload
sudo service docker restart
- exit ssh and download the newly generated certs with scp
scp root@[server IP]:docker-cert/* .
- Upload the zipped certs to Bitwarden
- Renew the certs in https://portainer.themobilityfactory.coop/#!/endpoints with ca.pem, cert.pem and key.pem (Portainer needs only these three client-side files)
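Before restarting the daemon and before uploading anything to Portainer, it is worth checking that the freshly generated folder is consistent. The script below is an added example and not part of the TMF runbook or of Docker's own tooling; it assumes the file names the renewal script writes (ca.pem, server-cert.pem, server-key.pem, cert.pem, key.pem), GNU stat, and openssl on PATH. check_docker_certs verifies that both leaf certs chain to ca.pem, that each key matches its cert, that the server cert carries the host IP as a SAN, that nothing expires within 30 days, and that private keys are mode 0400. make_demo_dir builds a constructed throwaway CA/server/client set (2048-bit keys for speed, not real TMF material) so the check can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the TMF runbook: sanity-check a docker-cert
# directory before restarting dockerd and before uploading it to Portainer.
# Assumes the file names the renewal script writes, GNU stat, and openssl.
set -u

# check_docker_certs DIR HOST [MIN_DAYS]
# Prints one line per problem; returns 1 if anything is wrong, 0 otherwise.
check_docker_certs() {
  local dir="$1" host="$2" min_days="${3:-30}" rc=0 f pair cert key esc
  for f in ca.pem server-cert.pem server-key.pem cert.pem key.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # Both leaf certificates must chain to the CA in ca.pem.
  for f in server-cert.pem cert.pem; do
    openssl verify -CAfile "$dir/ca.pem" "$dir/$f" >/dev/null 2>&1 \
      || { echo "$f does not chain to ca.pem"; rc=1; }
  done

  # Each private key must belong to its certificate (compare public keys).
  for pair in server-cert.pem:server-key.pem cert.pem:key.pem; do
    cert=${pair%%:*}; key=${pair##*:}
    [ "$(openssl x509 -in "$dir/$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null)" ] \
      || { echo "$key does not match $cert"; rc=1; }
  done

  # The server certificate must list the host IP as a SAN, otherwise the
  # docker CLI and Portainer reject the endpoint with a hostname mismatch.
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  openssl x509 -in "$dir/server-cert.pem" -noout -text \
    | grep -Eq "IP Address:$esc(,|\$)" \
    || { echo "server-cert.pem has no SAN for IP $host"; rc=1; }

  # Nothing may expire within MIN_DAYS (default 30).
  for f in ca.pem server-cert.pem cert.pem; do
    openssl x509 -in "$dir/$f" -noout -checkend $((min_days * 86400)) >/dev/null \
      || { echo "$f expires within $min_days days"; rc=1; }
  done

  # Private keys must be owner-readable only (ca-key.pem only if present).
  for f in ca-key.pem server-key.pem key.pem; do
    [ ! -e "$dir/$f" ] || [ "$(stat -c %a "$dir/$f")" = "400" ] \
      || { echo "$f is not mode 0400"; rc=1; }
  done
  return "$rc"
}

# Constructed throwaway CA + server + client set mirroring the renewal
# script's layout (2048-bit keys for speed). Prints the directory path.
make_demo_dir() {
  local host="$1" dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=demo-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host" \
    > "$dir/ext-server.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/ext-server.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=client" \
    -keyout "$dir/key.pem" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/ext-client.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/ext-client.cnf" \
    -out "$dir/cert.pem" 2>/dev/null
  chmod 0400 "$dir"/ca-key.pem "$dir"/server-key.pem "$dir"/key.pem
  echo "$dir"
}

# Demo: build the throwaway set and check it (prints OK on a sane directory).
demo=$(make_demo_dir 10.0.0.5)
check_docker_certs "$demo" 10.0.0.5 && echo "OK: $demo"
rm -rf "$demo"
```

On a real server run it as `check_docker_certs ~/docker-cert "$(hostname -I | awk '{print $1; exit}')"` before the restart; afterwards the end-to-end check is the docker CLI itself, `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=[server IP]:2376 version`, which exercises the same CA, SAN and client-auth path that Portainer uses.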