OpenXPKI를 이용한 인증서 시스템 구축

이 문서는 OpenXPKI를 Docker Compose로 구축하고 테스트하는 절차를 설명한다.


Docker Compose를 실행하기 전에 아래의 설정 저장소(openxpki-config)를 미리 받아 둔다.

$ git clone --single-branch --branch community \
    https://github.com/openxpki/openxpki-config.git


아래의 Docker-compose 파일을 사용해 컨테이너를 실행한다.

docker compose up --detach


changeme 부분을 자신이 사용할 값으로 변경한다.

.env
# Database credentials read by docker-compose.yml (interpolated into the
# db service's environment). Replace every changeme with a real value and
# keep this file out of version control.
MYSQL_USER=changeme
MYSQL_PASSWORD=changeme
# Root password for the MariaDB container; distinct from MYSQL_PASSWORD.
MYSQL_ROOT_PASSWORD=changeme


changeme 부분을 .env의 MYSQL_USER와 MYSQL_PASSWORD에 사용한 값으로 변경한다.

default.yml
# Database login used by OpenXPKI; must match MYSQL_USER / MYSQL_PASSWORD in .env.
User: changeme
# Quote the value ('...') if the real password could be read as a number or
# boolean by the YAML parser (e.g. all digits, or a word like no/off).
Password: changeme



docker-compose.yml
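services:
  # MariaDB backing store for OpenXPKI. Credentials are interpolated from
  # .env; the schema is loaded once, on first start, from the bind-mounted
  # schema-mariadb.sql.
  db:
    restart: always
    container_name: OpenXPKI_Database
    # Major-version tag only; pin a full tag or digest for reproducible deploys.
    image: mariadb:10
    # NOTE(review): --default-authentication-plugin is a MySQL server option;
    # confirm the mariadb:10 image accepts it (check the db container logs).
    command: --default-authentication-plugin=mysql_native_password
    user: mysql:mysql
    volumes:
      - openxpkidb:/var/lib/mysql
      # Unix socket directory, shared with the server and client services.
      - openxpkidbsocket:/var/run/mysqld/
      - ./openxpki-config/contrib/sql/schema-mariadb.sql:/docker-entrypoint-initdb.d/schema-mariadb.sql
    # Only checks that the socket file exists, not that the server answers
    # queries or that the schema import has finished.
    healthcheck:
      test: ["CMD-SHELL", "[ -S /var/run/mysqld/mysqld.sock ]"]
      interval: 5s
      timeout: 3s
      retries: 5
    environment:
      MYSQL_DATABASE: openxpki
      # ${VAR} values come from .env; an unset variable expands to an empty string.
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}

  # OpenXPKI backend daemon. Reaches MariaDB through the shared socket volume
  # and exposes its own socket to the client service via openxpkisocket.
  server:
    restart: always
    container_name: OpenXPKI_Server
    # Untagged image resolves to :latest; pin a tag or digest for reproducibility.
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/openxpkictl start server --nd
    user: openxpki:openxpki
    group_add:
      - openxpkiclient
    tmpfs:
      - /tmp
    volumes:
      - ./openxpki-config:/etc/openxpki
      - openxpkilog:/var/log/openxpki
      - openxpkisocket:/run/openxpkid
      - openxpkidbsocket:/var/run/mysqld/
      - openxpkidownload:/var/www/download
      # Host clock/timezone files; this will not work on all OS.
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
    healthcheck:
      test: /usr/bin/openxpkictl status server
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      db:
        condition: service_healthy

  # OpenXPKI client daemon (session/UI backend). Connects to the server socket
  # and publishes its own socket for the web service.
  client:
    restart: always
    container_name: OpenXPKI_Client
    # Untagged image resolves to :latest; pin a tag or digest for reproducibility.
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/openxpkictl start client --nd
    user: openxpkiclient:openxpkiclient
    group_add:
      - www-data
    tmpfs:
      - /tmp
    volumes:
      - ./openxpki-config:/etc/openxpki
      - openxpkilogui:/var/log/openxpki-client
      - openxpkisocket:/run/openxpkid
      - openxpkiclientsocket:/run/openxpki-clientd
      - openxpkidbsocket:/var/run/mysqld/
    healthcheck:
      test: /usr/bin/openxpkictl status client
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      server:
        condition: service_healthy

  # Apache front end (WebUI). The &web-apache anchor is not aliased anywhere
  # in this file, so it currently has no effect.
  web: &web-apache
    container_name: OpenXPKI_WebUI
    # Untagged image resolves to :latest; pin a tag or digest for reproducibility.
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/start-webserver apache
    # Published on all host interfaces: plain HTTP on 80, TLS on 8443.
    # Prefix a host IP (e.g. "127.0.0.1:80:80/tcp") to limit exposure.
    ports:
      - "80:80/tcp"
      - "8443:443/tcp"
    volumes:
      - ./openxpki-config/contrib/apache2-openxpki-site.conf:/etc/apache2/sites-enabled/openxpki.conf
      # The whole tls/ directory is mounted here; the single-file mounts below
      # point inside it and are redundant when those files exist. If a host
      # file is missing, Docker creates an empty directory at that path instead.
      - ./openxpki-config/tls/:/etc/openxpki/tls/
      - ./openxpki-config/tls/democa.crt:/etc/openxpki/tls/democa.crt
      # NOTE(review): this hands the demo CA private key to the web server
      # process; confirm the Apache site config actually needs it.
      - ./openxpki-config/tls/democa.key:/etc/openxpki/tls/democa.key
      - openxpkiclientsocket:/run/openxpki-clientd
      - openxpkidownload:/var/www/download:ro
      - ./openxpki-config/tls/ca-chain.pem:/etc/openxpki/tls/ca-chain.pem
      - ./test-site:/var/www/test
    healthcheck:
      test: wget -q http://localhost/healthcheck/ping
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      client:
        condition: service_healthy

  # Optional helper container (the tester is not required). It idles on
  # tail -f so you can exec into it; ./client_data is mounted at /data.
  renewal-tester:
    container_name: OpenXPKI_Renewal_Tester
    image: ubuntu:22.04
    command: tail -f /dev/null
    volumes:
      - ./client_data:/data
    depends_on:
      web:
        condition: service_healthy

# Named volumes; empty values take the compose defaults (local driver).
volumes:
  openxpkidb:
  openxpkisocket:
  openxpkiclientsocket:
  openxpkidbsocket:
  openxpkilog:
  openxpkilogui:
  openxpkidownload: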



참조 문서

https://github.com/openxpki/openxpki-docker