Feel free to submit Pull Requests and report any Issues that you may have found.
Lemur manages TLS certificate creation. While not able to issue certificates itself, Lemur acts as a broker between CAs and environments providing a central portal for developers to issue TLS certificates with 'sane' defaults.
CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.
docker create \
--name=lemur \
-v <path to config>:/config \
-v <path to data>:/data \
-e PGID=<gid> -e PUID=<uid> \
-p 80:80 \
halianelf/lemur
The parameters are split into two halves, separated by a colon, the left hand side representing the host and the right the
container side. For example with a port -p external:internal - what this shows is the port mapping from internal to external
of the container. So -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port
8080 and http://192.168.x.x:8080 would show you what's running INSIDE the container on port 80.
-p 80- The port(s)-v /config- Mapping the config files for Lemur and CFSSL-v /data- Mapping for the Postgres DB data-e PGIDUsed for GroupID - see below for explanation-e PUIDUsed for UserID - see below for explanation
Sometimes when using data volumes (-v flags) permissions issues can arise between the host OS and the container. We avoid
this issue by allowing you to specify the user PUID and group PGID. Ensure the data volume directory on the host is owned
by the same user you specify and it will "just work" ™.
In this instance PUID=1001 and PGID=1001. To find yours use id user as below:
$ id <dockeruser>
uid=1001(dockeruser) gid=1001(dockergroup) groups=1001(dockergroup)
After the initial start up, there will be some template files in /config/cfssl. If you edit these and remove the .tmpl and then
restart the container, it will generate the certificates with the information you put in. If you want to change the length of the
intermediate certificate, change it in the root_to_intermediate_ca.json file.
CFSSL can't actually use any of the parameters for the certificate signing that you can set in Lemur (at least currently) so whatever
is set as the default in cfssl_config.json is what it will use. The config that comes with this is a server certificate with a 3
year expiration. Feel free to edit this to fit your needs.
For Lemur, the config is in /config/lemur/lemur.conf.py. This file is mostly the default with some Digicert stuff added and the
CFSSL config stuff added. Generating the certs with the template files like explained in the first paragraph will add them to the
file as well. This file also can and should be editted to fit your needs. Read over the
Lemur Docs for more information on settings and what you can do with this.
The Lemur web interface is accessible on whatever port you mapped for the container. The default credentials are lemur and password.
This can be changed in the web interface after logging in. You will need to add CFSSL as an authority after you have your certs created.
For more information on this take a look at the "Create certificates using CFSSL" section on
here.
If you wish to build this yourself, you will need to pull CFSSL for the intermediate container.
- Shell access whilst the container is running:
docker exec -it lemur /bin/bash - To monitor the logs of the container in realtime:
docker logs -f lemur