Docker wrapper of serles-acme ACME server for EJBCA.
To get started:
- Create an EJBCA client certificate:
mkdir -p ejbca/csr ebjca/cert(assuming./ejbcais mapped to/mnt/persistent/within the EJBCA container).chown -R 10001:10001 ejbca/csr.chown -R 10001:10001 ejbca/cert.docker compose exec -it ejbca ejbca.sh gencsr --destination /mnt/persistent/csr/ --keyalg RSA --keyspec 3072 --subjectdn "CN=ACME Server".- In the EJBCA RA WebUI create an end entity for the client certificate to issue against,
replacing
acmeserverandstrong-Pa55w0rd_herebelow with the end entity's details. docker compose exec -it ejbca ejbca.sh createcert --username acmeserver --password strong-Pa55w0rd_here -c /mnt/persistent/csr/certificateSigningRequest.csr -f /mnt/persistent/cert/acme.crt
- Authorise the client certificate to issue certificates:
openssl x509 -text -noout -in ejbca/cert/acme.crtcopy the certificate serial number.- In the EJBCA WebUI, go to System Functions > Roles and Access Rules.
- Click Add, and give the new role a name, e.g.
ACME, and click Add. - Click Members next to the new role, paste the serial number into the Match Value box, and click Add.
- Click Edit Access Rules and set Role Template to RA Administrators, select the appropriate Authorized CAs and End Entity Profiles, and click Save.
- Save the client certificate to
./serles-acme/client.pem:mkdir -p ./serles-acmecat ejbca/cert/acme.crt ejbca/csr/privkey.pem > serles-acme/client.pem
- Add the
serles-acmeservice as shown in docker-compose.yml, overriding any Environment Variables (see below). - Bring the
serles-acmeserver up:docker compose up -d serles-acme. - Check the logs to ensure everything is OK:
docker compose logs serles-acme -f. - After 30-60 seconds
docker compose psshould also report a Healthy status. - Stand up an HTTPS reverse proxy in front of
serles-acmewith a trusted certificate. - Issue certificates using
certbot --server https://reverse.proxy.tld/directory ....- After initial setup, the reverse proxy can use the same to maintain its own certificate.
- If the reverse proxy is using an internal certificate then the snapd and Docker versions of
certbotmay fail to validate it as these use bundled CA Trust Lists.
| Variable | Purpose | Default Value |
|---|---|---|
ALLOWED_IPS |
Subnets to allow requests from (comma-separated). | 0.0.0.0/0,::/0 (unrestricted) |
BLOCKED_IPS |
Any exclusions to to ALLOWED_IPS (comma-separated). |
0.0.0.0/32 (invalid IP) |
CA_NAME |
The name of the CA to use for signing issued certificates. | ManagementCA |
CERT_PROFILE |
The EJBCA Certificate Profile to use for issued certificates. | SERVER |
EJBCA_API_VERIFY |
Whether to do TLS verification when speaking to the EJBCA API. | false |
EJBCA_API |
The EJBCA Web Service endpoint URL (must include https:// and /ejbca/ejbcaws/ejbcaws?wsdl). |
https://ejbca:8443/ejbca/ejbcaws/ejbcaws?wsdl |
ENTITY_PROFILE |
The EJBCA End Entity Profile to use when issuing certificates. | EMPTY |
MYSQL_DATABASE |
When MySQL is enabled, the database to connect to. | serles |
MYSQL_HOST |
When MySQL is enabled, the hostname to connect to. | mysql |
MYSQL_PASSWORD |
When MySQL is enabled, the password to authenticate with. | changeme |
MYSQL_PORT |
When MySQL is enabled, the TCP port to connect to. | 3306 |
MYSQL_USERNAME |
When MySQL is enabled, the username to authenticate as. | serles |
USE_MYSQL |
Whether to use MySQL for Serles' database, otherwise a SQLite3 database file is used. | false |
VERIFY_PTR |
Whether to verify that a correct PTR record exists during validation.: | false |
It is recommended to verify the EJBCA certificate when Serles talks to the EJBCA API, to do this:
- Save the PEM-encoded CA Certificate (including any required chain certificates) for the EJBCA API
(
ManagementCAby default) to./serles-acme/ca.bundle. - Set the
EJBCA_API_VERIFYEnvironment Variable totrue. - Recreate the container with
docker compose up -d --force-recreate serles-acme.