GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → hakwerk → labca

hakwerk / labca

Licence: other
A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).

Programming Languages

go
31211 projects - #10 most used programming language
shell
77523 projects
javascript
184084 projects - #8 most used programming language
HTML
75241 projects
CSS
56736 projects
python
139335 projects - #7 most used programming language
Makefile
30231 projects

Labels

tlsacmepkicertificate-authorityca

Projects that are alternatives of or similar to labca

Boulder
An ACME-based certificate authority, written in Go.
Stars: ✭ 4,091 (+3146.83%)
Mutual labels:  tls, acme, pki, certificate-authority, ca
Certificates
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Stars: ✭ 3,693 (+2830.95%)
Mutual labels:  tls, acme, pki, certificate-authority, ca
Pki
The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
Stars: ✭ 97 (-23.02%)
Mutual labels:  acme, pki, certificate-authority
Pebble
A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority. Let's Encrypt is hiring! Work on Pebble with us.
Stars: ✭ 359 (+184.92%)
Mutual labels:  acme, pki, certificate-authority
diyca
Do-It-Yourself Certificate Authority
Stars: ✭ 18 (-85.71%)
Mutual labels:  tls, pki, certificate-authority
Greenlock
Automatic SSL renewal for NodeJS
Stars: ✭ 30 (-76.19%)
Mutual labels:  tls, acme
Acmez
Premier ACME client library for Go
Stars: ✭ 60 (-52.38%)
Mutual labels:  tls, acme
Acme client
Java ACME Client application
Stars: ✭ 77 (-38.89%)
Mutual labels:  tls, acme
Aspnetcorecertificates
Certificate Manager in .NET Core for creating and using X509 certificates
Stars: ✭ 135 (+7.14%)
Mutual labels:  tls, pki
Kadnode
P2P DNS with content key, crypto key and PKI support. DynDNS alternative.
Stars: ✭ 359 (+184.92%)
Mutual labels:  tls, pki
Dnsproviders
OBSOLETE: DNS providers adapted for use in Caddy to solve the ACME DNS challenge - for Caddy v1 only. See caddy-dns for v2.
Stars: ✭ 106 (-15.87%)
Mutual labels:  tls, acme
Acmetool
🔒 acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)
Stars: ✭ 1,882 (+1393.65%)
Mutual labels:  tls, acme
My internal ca
A set of basic scripts for managing an internal certificate authority.
Stars: ✭ 13 (-89.68%)
Mutual labels:  tls, certificate-authority
Lego
Let's Encrypt client and ACME library written in Go
Stars: ✭ 4,978 (+3850.79%)
Mutual labels:  tls, acme
Babassl
A Brisk and Better Assured Cryptographic Toolkit
Stars: ✭ 68 (-46.03%)
Mutual labels:  tls, pki
Certstrap
Tools to bootstrap CAs, certificate requests, and signed certificates.
Stars: ✭ 1,689 (+1240.48%)
Mutual labels:  tls, certificate-authority
Terraform Provider Acme Old
ACME (Let's Encrypt) Support for Terraform
Stars: ✭ 211 (+67.46%)
Mutual labels:  tls, acme
Manuale
A fully manual Let's Encrypt/ACME client
Stars: ✭ 201 (+59.52%)
Mutual labels:  tls, acme
win-ca
Get Windows System Root certificates
Stars: ✭ 78 (-38.1%)
Mutual labels:  tls, certificate-authority
tipi
Tipi - the All-in-one Web Server for Ruby Apps
Stars: ✭ 214 (+69.84%)
Mutual labels:  tls, acme
View All Similar Projects ➔

LabCA

Go Report Card

A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).

08-dashboard

NEW: standalone version for step-ca status-experimental

See README_standalone

Table of Contents

Background

More and more websites and applications are served over HTTPS, where all traffic between your browser and the web server is encrypted. With standard HTTP the (form) data is unencrypted and open to eavesdroppers and hackers listening to communications between the user and the website. Therefore the Chrome browser now even warns about unsafe plain HTTP sites to nudge users towards HTTPS.

To a lesser extent this also applies to internal applications and sites that are not exposed publicly. Just because the users may have a higher level of trust versus users of a public facing website doesn't mean sensitive content shouldn't be protected as much as possible. Lots of hacking and theft occur from within a company's own walls, virtual or real. Also, no user should get used to ignoring any browser warnings (e.g. about self-signed certificates), even for internal sites.

no user should get used to ignoring any browser warnings

For the public internet, Let's Encrypt™ has made a big impact by providing free HTTPS certificates in an easy and automated way. There are many clients available to interact with their so called ACME (Automated Certificate Management Environment). They also have a staging environment that allows you to get things right before issuing trusted certificates and reduce the chance of your running up against rate limits.

One technical requirement however is to have a publicly reachable location where your client application and their server can exchange information. For intranet / company internal applications or for testing clients within your organization this may not always be feasible.

Luckily they have made the core of their application, called "Boulder", available as open source. It is possible to install Boulder on your own server and use it internally to hand out certificates. As long as all client machines / laptops in your organization trust your root CA certificate, all certificates it signed are trusted automatically and users see a green lock icon in their browsers.

Also if you are developing your own client application or integrating one into your own application, a local test ACME can be very handy. There is a lot of information on the internet about setting up your own PKI (Public Key Infrastructure) but those are usually not automated.

Getting Boulder up and running has quite a learning curve though and that is where LabCA comes in. It is a self-contained installation with a nice web GUI built on top of Boulder so you can quickly start using it. All regular management tasks can be done from the web interface. It is best installed in a Virtual Machine and uses Debian Linux as a base.

Install

LabCA is best run on its own server / virtual machine to prevent any issues caused by conflicting applications. On a freshly installed Linux machine (currently tested with Debian 11/bullseye, Debian 10/buster, Ubuntu 22.04 and Ubuntu 20.04) run this command as root user (or as a regular user that already is in the sudo group):

curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash

Alternatively, clone this git repository and run the install script locally. Or a combination: run the above curl command, but abort (ctrl-c) the script after the [✓] Clone https://github.com/hakwerk/labca/ to /home/labca/labca line (it will be waiting for the FQDN input) so that this repository is cloned in its final location, and then inspect, tweak and/or run the script /home/labca/labca/install.

The first-time install will take a while, depending on the power of your server and your internet speed. On my machine it takes about 12 minutes. It will install the latest versions of some packages, download the relevant programs and configure everything. If all goes well it should look like this:

Setup

After the base install you must go through the setup in your browser. To give an idea of the setup process, see these screenshots:

Once the setup is completed, please make a backup of your Root and Issuer certificates! They can be exported from the "Certificates" tab of the Manage page. On the "Backup" tab you can also create a backup of the relevant data on the server. The backup files should be synchronized to an external location, but that is out of scope of this document.

Update

When updates are available, this will be indicated on the Dashboard page (System Overview section). They can be installed from the Manage page where you can also manually check for available updates (but this is done regularly automatically).

Updates can also be done from the Linux shell, on the server run this command as root to update the installation:

~labca/labca/install

Usage

Once LabCA has been setup you should go through the admin pages and e.g. configure the email details for outgoing notifications. Now your instance is ready to provide HTTPS certificates for your internal applications.

Admin

The admin section is only accessible to the user account created at the start of the setup. The dashboard gives an overview of the current status of your LabCA instance. Via the menu you can navigate to the details of your ACME objects such as the certificates, to several system logfiles and to the various management tasks such as backup/restore, email settings and changing your password.

These screenshots give a preview of the admin section:

ACME Client

To request and automatically renew certificates for your applications, you need one of the many standard ACME clients that are out there. Just make sure to configure the server hostname to be your LabCA instance.

Some of the commonly used clients are:

Make sure to configure the client to use the server URL "https://YOUR_LABCA_FQDN/directory".

Public Pages

The end users in your organization / lab can visit the public pages of you LabCA instance to get some basic information, and to download the root certificate that needs to be installed on each device that should trust the certificates generated by the LabCA instance. To give you and idea of what that looks like:

Troubleshooting

After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. First, make sure that all five containers are running:

root@testpki:/home/labca/boulder# docker-compose ps -a
NAME                COMMAND                  SERVICE             STATUS              PORTS
boulder-bmysql-1    "docker-entrypoint.s…"   bmysql              running             3306/tcp
boulder-boulder-1   "labca/entrypoint.sh"    boulder             running             4001-4003/tcp
boulder-control-1   "./control.sh"           control             running             3030/tcp
boulder-labca-1     "./setup.sh"             labca               running             3000/tcp
boulder-nginx-1     "/docker-entrypoint.…"   nginx               running             0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, :::80->80/tcp, :::443->443/tcp

Some log files to check in case of issues are:

  • /home/labca/nginx_data/ssl/acme_tiny.log
  • cd /home/labca/boulder; docker-compose exec control cat /logs/commander.log (if it exists)
  • cd /home/labca/boulder; docker-compose logs control
  • cd /home/labca/boulder; docker-compose logs boulder
  • cd /home/labca/boulder; docker-compose logs labca
  • possibly cd /home/labca/boulder; docker-compose logs nginx

Common error messages

If you get "No valid IP addresses found for " in /home/labca/nginx_data/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "Could not resolve host: " in one of those docker-compose logs.

When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "SERVFAIL looking up CAA for internal" or "CAA record for ca01.foo.internal prevents issuance", you can try to add something like this to your DNS domain:

foo.internal. CAA 0 issue "foo.internal"

The value in the issue field should be the domain of your LabCA instance, not the hostname. This value can be found in the issuerDomain property in the /home/labca/boulder_labca/config/va.json file. See also the Let's Encrypt™ page on CAA.

NOTE

Although LabCA tries to be as robust as possible, use it at your own risk. If you depend on it, make sure that you know what you are doing!

Contributing

Feel free to dive in! Open an issue or submit PRs.

License

"Commons Clause" License Condition v1.0

The Software is provided to you by the Licensor under the License, as defined below, subject to the following condition.

Without limiting other conditions in the License, the grant of rights under the License will not include, and the License does not grant to you, the right to Sell the Software.

For purposes of the foregoing, "Sell" means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/ support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software. Any license notice or attribution required by the License must also include this Commons Cause License Condition notice.

Software: LabCA

License: Mozilla Public License 2.0

Licensor: hakwerk

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].