Difference between revisions of "App Certificates"
From Univention Wiki
Wiesenthal (talk | contribs) |
Revision as of 08:22, 4 July 2018
UCS provides a certificate infrastructure for secure communication protocols (see [1]: http://docs.software-univention.de/manual-4.3.html#domain:ssl).
Apps may need access to the UCS certificate infrastructure or need to be aware of changes to the certificates. Starting with UCS 4.3-0 errata91 the Univention App Center provides a simple way to manage certificates inside an App.
This is simply a new action called update-certificates in the App Center which is called automatically during the installation and upgrade of Apps (but can also be executed manually) and gives Apps a simple way to gain access to certificates and to react upon changes to certificates.
When is update-certificates called?
update-certificates is automatically called during the installation and upgrade of an App, but it can also be called at any time on the command line with:
<pre>
# update all apps
-> univention-app update-certificates
# update app "my-app"
-> univention-app update-certificates my-app
</pre>
What is being done in update-certificates?
All Apps
- Every App can define an update_certificates script
- This script is executed on the UCS system (the Docker host) whenever the App Center's update-certificates action runs
Example:
<pre>
#!/bin/bash
# cat the UCS root CA to the App's root CA chain
cat /etc/univention/ssl/ucsCA/CAcert.pem >> /opt/my-app/ca-bundle.crt
service my-app-daemon restart
</pre>
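Since update-certificates runs on every installation and upgrade, the plain `cat >>` above appends the UCS root CA to the bundle again on each run. The following update_certificates script is an added example (not from the wiki or from Univention) that appends the CA only once and restarts the daemon only when the bundle actually changed; the paths `/opt/my-app/ca-bundle.crt` and the `my-app-daemon` service are the wiki's placeholders, and `write_constructed_ca` writes a constructed placeholder PEM for offline testing, not a real certificate.

```shell
#!/bin/bash
# update_certificates script for the hypothetical App "my-app" (paths are the wiki's placeholders).
# The App Center re-runs this on every install/upgrade, so the CA is appended exactly once and
# the daemon is restarted only when the trust bundle really changed.
UCS_CA=${UCS_CA:-/etc/univention/ssl/ucsCA/CAcert.pem}
BUNDLE=${BUNDLE:-/opt/my-app/ca-bundle.crt}

# Print one line per certificate in a PEM file: its base64 body with all whitespace removed.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ {b=""; p=1; next}
         /-----END CERTIFICATE-----/   {print b; p=0; next}
         p {gsub(/[ \t\r]/, ""); b=b $0}' "$1"
}

# Succeed (exit 0) if the certificate in $1 already appears as a block in bundle $2.
ca_in_bundle() {
    local body
    body=$(pem_bodies "$1")
    [ -n "$body" ] && [ -f "$2" ] && pem_bodies "$2" | grep -qxF -- "$body"
}

# Append CA file $1 to bundle $2 exactly once.
# Returns 0 = appended, 1 = already present, 2 = CA file missing or not PEM.
install_ucs_ca() {
    local ca="$1" bundle="$2"
    [ -s "$ca" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 2
    ca_in_bundle "$ca" "$bundle" && return 1
    mkdir -p "$(dirname "$bundle")" && cat "$ca" >> "$bundle"
}

# Write a constructed placeholder PEM (NOT a real certificate) to $1, for offline testing only.
write_constructed_ca() {
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlQ=\n-----END CERTIFICATE-----\n' > "$1"
}

if install_ucs_ca "$UCS_CA" "$BUNDLE"; then
    service my-app-daemon restart   # reload the App's trust store only when something changed
fi
```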
Docker/Container Apps
- The UCS root CA certificate is copied to /usr/local/share/ca-certificates/ucs.crt inside the container
- update-ca-certificates is executed inside the container (if existing)
- The UCS root CA certificate is copied to /etc/univention/ssl/ucsCA/CAcert.pem inside the container
- The docker host UCS certificate is copied to /etc/univention/ssl/docker-host-certificate/{cert.pem,private.key} and /etc/univention/ssl/$FQDN_DOCKER_HOST/{cert.pem,private.key}