spbgovbr/sei-docker

SSL in sei-docker

abreujean opened this issue · 8 comments

Hello @marlinhares
How can I enable SSL in sei-docker using Let's Encrypt?


Hello @abreujean,

There are several ways. It is not really within the scope of this project, but I will show a few possible approaches:

  1. Use letsencrypt on your external proxy and, from the external proxy, forward via transparent proxy to your internal server or VM running sei-docker (in that case sei-docker can run with any cert, even the self-signed one; the user will only see the valid letsencrypt cert)

  2. Use an orchestrator such as kubernetes or rancher-cattle

  3. If you want to run sei-docker itself with a letsencrypt cert, that is also possible; you can proceed like this, for example:

  • change the APP_HOST variable in envlocal.env to the URL of your cert; in mine I used super.dev..., for example
export APP_HOST=super.dev.processoeletronico.gov.br
  • place your valid letsencrypt cert as a single pem file on your desktop, named cert0.pem (see the format in the reply below)
  • now let's create the certs volume and copy your valid letsencrypt cert so it sits on the load balancer
make clear && make apagar_volumes
make criar_volume_certs
docker run -it --rm -v local-certs-storage:/t -v ~/Desktop/:/acopiar busybox sh -c "cp /acopiar/cert0.pem /t/"
docker run -it --rm -v local-certs-storage:/t busybox cat /t/cert0.pem
  • now you can bring it up normally; if needed, change your /etc/hosts so the correct name points to your machine
make setup
make logs
sudo vim /etc/hosts
curl -v https://super.dev.processoeletronico.gov.br/

*   Trying 127.0.0.1:443...
* Connected to super.dev.processoeletronico.gov.br (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server finished (14):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=console.dev.processoeletronico.gov.br
*  start date: Mar 30 12:51:03 2023 GMT
*  expire date: Jun 28 12:51:02 2023 GMT
*  subjectAltName: host "super.dev.processoeletronico.gov.br" matched cert's "super.dev.processoeletronico.gov.br"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: super.dev.processoeletronico.gov.br
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: http://super.dev.processoeletronico.gov.br/sei/
<
* Connection #0 to host super.dev.processoeletronico.gov.br left intact

Here on my VM it worked nicely. Closed padlock.


Here is my valid cert cert0.pem. I changed only the private key. Yours should have the same pem format.

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCujhQwV0/ghdh2
KOEOxZkD0TeWuO2qVcuiR/CWo0tOTyKeSy9bNOdqruo2jY38FxzMW9Cvbsgcp3jJ
1....
....
WWW8WCaWWWoe4GEzDxzVffw=
-----END PRIVATE KEY-----

Actually it was supposed to be much simpler: just copy your valid cert to the default dir ~/sei/certs and run make setup
But there is a bug, so you have to follow the steps above. I will open an issue to fix the bug when I get the chance.

Let me know if you have any questions

In my situation the project is already running.
Do I need to delete all the volumes, or can I delete only the containers and the local-certs-storage volume, then create it again and bring the application up?

Another question:

you generated that file by joining the files

cert.pem
chain.pem
privkey.pem
fullchain.pem

right?

Good morning,

you don't need to delete the volumes.
Just access the volume and drop the cert0.pem there (assuming you are using the project's haproxy).

Then just restart haproxy. Or make clear and then make run so it brings everything up again using the old volumes.

For the cert0.pem file, just join letsencrypt's fullchain.pem and privkey.pem and it will run fine.
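The steps in marlinhares's first reply (drop a single cert0.pem into the local-certs-storage volume) and the answer just above (cert0.pem is fullchain.pem followed by privkey.pem) can be wrapped in a small script that also checks the bundle before it goes anywhere near the load balancer: certificate and key present, key matching the leaf, hostname matching APP_HOST, not expired. This is an added example, not code from sei-docker or from either participant. It assumes openssl 1.1.1 or newer on the host and the volume name local-certs-storage from the thread; since real Let's Encrypt files cannot be issued offline, it generates a self-signed certificate as a constructed stand-in for fullchain.pem and privkey.pem.

```sh
#!/bin/sh
# Added example, not part of sei-docker: assemble the single-file cert0.pem
# (fullchain.pem followed by privkey.pem, as described in the thread) and
# sanity-check it before it is copied into the local-certs-storage volume.
# Requires openssl >= 1.1.1 (for -addext in the demo input generator).
set -eu

# build_bundle FULLCHAIN PRIVKEY OUT
# HAProxy expects the leaf certificate, then intermediates, then the key.
build_bundle() {
  cat "$1" "$2" > "$3"
  chmod 600 "$3"   # the bundle carries the private key: owner-only
}

# check_bundle BUNDLE HOST
# Returns 0 when BUNDLE has >= 1 certificate, exactly one private key, the key
# matches the leaf certificate, and the leaf is valid for HOST and not expired.
check_bundle() {
  ncert=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  nkey=$(grep -c -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || true)
  [ "$ncert" -ge 1 ] || { echo "FAIL: no certificate block in $1" >&2; return 1; }
  [ "$nkey" -eq 1 ] || { echo "FAIL: expected 1 private key, found $nkey" >&2; return 1; }
  # openssl x509 reads the first CERTIFICATE block (the leaf); openssl pkey
  # skips the certificate blocks and reads the PRIVATE KEY block.
  leaf_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot parse leaf certificate" >&2; return 1; }
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot parse private key" >&2; return 1; }
  [ "$leaf_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match leaf certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $2" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: certificate has expired" >&2; return 1; }
  # Let's Encrypt certificates live 90 days; warn when renewal is due.
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null \
    || echo "WARN: certificate expires within 30 days" >&2
  return 0
}

# install_to_volume BUNDLE
# The copy from the thread, wrapped: place BUNDLE as cert0.pem in the
# local-certs-storage volume. Needs Docker; not run by the demo below.
install_to_volume() {
  src_dir=$(cd "$(dirname "$1")" && pwd)
  docker run --rm -v local-certs-storage:/t -v "$src_dir":/acopiar:ro busybox \
    sh -c "cp /acopiar/$(basename "$1") /t/cert0.pem && chmod 600 /t/cert0.pem"
}

# make_demo_inputs DIR HOST
# Constructed stand-in for Let's Encrypt output: a self-signed leaf standing in
# for fullchain.pem, and its key as privkey.pem. Not a real issuance.
make_demo_inputs() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" -days 90 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

demo() {
  host=super.dev.processoeletronico.gov.br   # the APP_HOST used in the thread
  work=$(mktemp -d)
  make_demo_inputs "$work" "$host"
  build_bundle "$work/fullchain.pem" "$work/privkey.pem" "$work/cert0.pem"
  if check_bundle "$work/cert0.pem" "$host"; then
    echo "OK: $work/cert0.pem is ready to copy into local-certs-storage"
  fi
  rm -rf "$work"
}

demo
```

With real Let's Encrypt material, point build_bundle at /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem and run check_bundle against the same APP_HOST before calling install_to_volume, then restart haproxy as the reply says. One thing worth checking after the swap, visible in the curl transcript above: the 301 from / points at http://super.dev.processoeletronico.gov.br/sei/, so a client that follows it leaves TLS; make sure the proxy or application redirects to https://, or that port 80 itself sends clients back to 443.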

@marlinhares I managed to solve it by following these instructions.
I copied the files cert.pem, chain.pem, privkey.pem and fullchain.pem into a single cert0.pem file and overwrote it in the certificate volume; after bringing the containers up again it worked.