
TLS Certificate Manager for git.lab

A comprehensive solution for generating, deploying, and managing TLS certificates for git.lab across your network infrastructure, including SSH-accessible hosts and Docker containers.

🎯 Overview

This tool provides:

  • Certificate Generation: Creates self-signed TLS certificates for the git.lab domain
  • Network Discovery: Automatically scans for SSH-accessible hosts and Docker containers
  • Automated Deployment: Deploys certificates to hosts and containers in parallel
  • Verification: Validates certificate installation and functionality
  • Coolify Integration: Works with existing Coolify proxy infrastructure

📋 Prerequisites

Required Tools

  • openssl - For certificate operations
  • ssh/scp - For remote host access
  • docker - For container operations
  • curl - For HTTPS testing
  • nslookup - For DNS resolution

Network Requirements

  • SSH key-based authentication to target hosts
  • Docker daemon access
  • DNS resolution for git.lab domain

Permissions

  • Sudo access for certificate installation
  • Docker socket access
  • Read/write access to certificate directories

🚀 Quick Start

1. Initial Setup

# Clone the repository, or recreate the layout and copy the scripts into scripts/
mkdir -p ~/tls-cert-manager/{certificates,scripts,inventory,logs}
cd ~/tls-cert-manager

# Make scripts executable (assumes the scripts are already in scripts/)
chmod +x scripts/*.sh

2. Generate Certificate

./scripts/generate_certificate.sh

3. Create Network Inventory

# This scans your network - may take a few minutes
./scripts/create_inventory.sh

4. Deploy Certificates

# Full deployment (recommended)
./scripts/cert_deployment_orchestrator.sh full-deploy

# Or deploy selectively
./scripts/cert_deployment_orchestrator.sh deploy-hosts
./scripts/cert_deployment_orchestrator.sh deploy-containers

5. Verify Installation

./scripts/cert_deployment_orchestrator.sh validate

📁 Directory Structure

tls-cert-manager/
├── certificates/           # Generated certificates
│   ├── git.lab.crt        # Public certificate
│   └── git.lab.key        # Private key (600 permissions)
├── scripts/               # Deployment scripts
│   ├── generate_certificate.sh
│   ├── create_inventory.sh
│   ├── deploy_to_hosts.sh
│   ├── deploy_to_containers.sh
│   └── cert_deployment_orchestrator.sh
├── inventory/             # Network inventory
│   └── network_inventory.yaml
├── logs/                  # Deployment logs
│   └── deployment.log
└── README.md             # This file

🔧 Script Details

Certificate Generation (generate_certificate.sh)

  • Creates a self-signed certificate with a 4096-bit RSA key, valid for 1 year
  • Includes SAN entries for git.lab, *.git.lab, and IP 192.168.50.210
  • Sets file permissions (644 for .crt, 600 for .key)
  • Optionally copies to the Coolify certificate directory if available
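As an added example (not the project's generate_certificate.sh), the same certificate minted with one openssl call driven by a small request config; domain, IP, lifetime and key size are the values listed above and can be overridden through environment variables. The one deliberate addition is basicConstraints = CA:FALSE: this certificate is about to be installed as a trust anchor on every host and container, and a self-signed certificate carrying CA:TRUE (which `openssl req -x509` with the distribution's default openssl.cnf typically emits) would let whoever holds git.lab.key issue certificates for any name those hosts then trust.

```shell
#!/usr/bin/env bash
# Added example, not the project's generate_certificate.sh: mint the self-signed
# git.lab certificate the README describes (4096-bit RSA key, 365 days, SANs
# git.lab, *.git.lab and 192.168.50.210, key 0600, cert 0644).
# Because this certificate is later installed as a trust anchor, the extension
# section pins basicConstraints to CA:FALSE: whoever holds git.lab.key can then
# only present git.lab, not sign further certificates that every host trusts.
set -eu

: "${CERT_DOMAIN:=git.lab}"
: "${CERT_IP:=192.168.50.210}"
: "${CERT_DAYS:=365}"
: "${CERT_BITS:=4096}"

# write_req_config FILE: OpenSSL request config with a leaf-only extension section.
write_req_config() {
  cat >"$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_leaf

[dn]
CN = $CERT_DOMAIN

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CERT_DOMAIN, DNS:*.$CERT_DOMAIN, IP:$CERT_IP
EOF
}

# gen_cert OUTDIR: writes OUTDIR/<domain>.key (0600) and OUTDIR/<domain>.crt (0644)
# and prints the certificate path.
gen_cert() {
  outdir="$1"
  key="$outdir/$CERT_DOMAIN.key"
  crt="$outdir/$CERT_DOMAIN.crt"
  mkdir -p "$outdir"
  cfg="$(mktemp)"
  write_req_config "$cfg"
  # umask 077 in a subshell: the key file is born private instead of being
  # world-readable until the chmod below runs.
  (
    umask 077
    openssl req -x509 -nodes -newkey "rsa:$CERT_BITS" -sha256 \
      -days "$CERT_DAYS" -config "$cfg" \
      -keyout "$key" -out "$crt" 2>/dev/null
  )
  rm -f "$cfg"
  chmod 600 "$key"
  chmod 644 "$crt"
  echo "$crt"
}

# cert_sans CRT: prints the subjectAltName entries of CRT, e.g.
# "DNS:git.lab, DNS:*.git.lab, IP Address:192.168.50.210".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# cert_is_ca CRT: exit 0 if CRT asserts CA:TRUE (what a trust anchor built from
# a server key must not do).
cert_is_ca() {
  openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

# Usage: sh gen_git_lab_cert.sh ./certificates
if [ "$#" -gt 0 ]; then
  crt="$(gen_cert "$1")"
  echo "wrote $crt"
  echo "SAN: $(cert_sans "$crt")"
  if cert_is_ca "$crt"; then echo "WARNING: $crt is a CA certificate"; fi
fi
```

Run `cert_is_ca` against whatever your generator produces: if it reports CA:TRUE, every host that trusts the file also trusts anything signed with git.lab.key.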

Network Discovery (create_inventory.sh)

  • Scans 192.168.50.x subnet for SSH-accessible hosts
  • Enumerates running Docker containers
  • Excludes Coolify-managed containers
  • Creates YAML inventory file

Host Deployment (deploy_to_hosts.sh)

  • Connects via SSH to each target host
  • Installs the certificate as a trust anchor in /usr/local/share/ca-certificates/ (update-ca-certificates only picks up files there that end in .crt)
  • Runs update-ca-certificates
  • Deploys the SSL certificate files to /etc/ssl/git.lab/
  • Gracefully reloads web services (nginx, apache2, httpd)

Container Deployment (deploy_to_containers.sh)

  • Iterates through running Docker containers
  • Skips Coolify-managed containers automatically
  • Installs the ca-certificates package if needed
  • Updates the certificate store within the container (update-ca-certificates on Debian, Ubuntu and Alpine images; RHEL-family images use /etc/pki/ca-trust/source/anchors/ and update-ca-trust instead)
  • Handles different Linux distributions (apt, yum, apk)
  • Changes made this way live in the container's writable layer and are lost when the container is recreated from its image; containers that get rebuilt need the certificate baked into the image or mounted in
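Added example for both the host and the container deployment steps above (not the project's deploy_to_hosts.sh or deploy_to_containers.sh): one install plan derived from the target's /etc/os-release, executed over ssh/scp on hosts and over docker cp/exec in containers, failing closed on distributions it does not know instead of guessing a path. It assumes BatchMode SSH keys and passwordless sudo on hosts, and that Coolify-managed containers carry a coolify.managed=true label; the label name is an assumption, check `docker inspect` in your environment.

```shell
#!/usr/bin/env bash
# Added example, not the project's deploy_to_hosts.sh or deploy_to_containers.sh:
# install git.lab.crt as a trust anchor on an SSH host or inside a running Docker
# container, picking the anchor directory and refresh command per distribution.
# Assumptions: targets expose /etc/os-release; hosts allow passwordless sudo for
# the deploying user; Coolify-managed containers carry the label
# "coolify.managed=true" (label name assumed, adjust to what docker inspect shows).
set -eu

# ca_store_for ID: map an /etc/os-release ID to "<anchor dir> <refresh command>".
# Debian/Ubuntu/Alpine only pick up files ending in .crt; RHEL-family stores
# take any PEM placed in the anchors directory.
ca_store_for() {
  case "$1" in
    debian|ubuntu|raspbian|linuxmint|pop|alpine)
      echo "/usr/local/share/ca-certificates update-ca-certificates" ;;
    rhel|centos|rocky|almalinux|fedora|ol|amzn)
      echo "/etc/pki/ca-trust/source/anchors update-ca-trust" ;;
    *) return 1 ;;
  esac
}

# os_id_from_release TEXT: the ID= value from /etc/os-release contents.
os_id_from_release() {
  printf '%s\n' "$1" | sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | head -n 1
}

# install_plan OS_RELEASE_TEXT CERT_FILE: the command line to run as root on the
# target, assuming CERT_FILE was uploaded to /tmp. Fails for unknown
# distributions rather than guessing a store path.
install_plan() {
  local id store dir cmd
  id="$(os_id_from_release "$1")"
  store="$(ca_store_for "$id")" || return 1
  dir="${store% *}"
  cmd="${store#* }"
  printf 'command -v %s >/dev/null && install -m 644 /tmp/%s %s/%s && %s && rm -f /tmp/%s' \
    "$cmd" "$2" "$dir" "$2" "$cmd" "$2"
}

# deploy_to_host HOST CRT: copy CRT to HOST and install it as a trust anchor.
deploy_to_host() {
  local host="$1" crt="$2" file plan
  file="$(basename "$crt")"
  plan="$(install_plan "$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$host" cat /etc/os-release)" "$file")"
  scp -q -o BatchMode=yes "$crt" "$host:/tmp/$file"
  ssh -o BatchMode=yes "$host" "sudo sh -c '$plan'"
  # Reload nginx only if its configuration still passes the syntax test.
  ssh -o BatchMode=yes "$host" \
    'if command -v nginx >/dev/null; then sudo nginx -t && sudo systemctl reload nginx; fi'
}

# deploy_to_container NAME CRT: same for a running container, skipping Coolify ones.
deploy_to_container() {
  local name="$1" crt="$2" file plan managed
  file="$(basename "$crt")"
  managed="$(docker inspect -f '{{ index .Config.Labels "coolify.managed" }}' "$name")"
  if [ "$managed" = "true" ]; then
    echo "skipping $name: Coolify-managed" >&2
    return 0
  fi
  plan="$(install_plan "$(docker exec "$name" cat /etc/os-release)" "$file")" || {
    echo "skipping $name: unsupported distribution" >&2
    return 0
  }
  docker cp "$crt" "$name:/tmp/$file"
  docker exec "$name" sh -c "$plan"
}

# Usage: deploy_to_host user@192.168.50.20 certificates/git.lab.crt
#        deploy_to_container my-app certificates/git.lab.crt
```

Only the .crt travels to targets; the private key stays where it was generated.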

Orchestrator (cert_deployment_orchestrator.sh)

  • Unified interface for all operations
  • Parallel deployment for efficiency
  • Comprehensive validation and verification
  • Colored output and logging
  • Error handling and retry logic

🔍 Validation Report

The current setup validation shows:

What's Working

  • Certificate Files: Properly generated with correct permissions
  • Certificate Validity: Valid for 365 days, proper SAN entries
  • Scripts: All executable and ready to use
  • Network: git.lab resolves correctly, HTTPS service responding
  • Docker: 96+ containers available for deployment

⚠️ Current Configuration

  • Active Certificate: Coolify is currently serving a *.lab wildcard certificate (valid until 2035); that wildcard also matches git.lab itself, so existing clients keep working until the proxy is switched
  • New Certificate: the git.lab-specific certificate is generated and ready, but it is not served until Coolify's proxy is pointed at it, and only then does deploying it to trust stores change anything for clients
  • Scope: the new certificate covers git.lab, *.git.lab, and IP 192.168.50.210 (the wildcard covers neither *.git.lab nor the IP)
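Added example, not the orchestrator's validate command: the checks that produce the answers in this report, written as shell functions so each can be run on its own. `cert_matches_served` compares the SHA-256 fingerprint of certificates/git.lab.crt with what the endpoint actually presents for SNI git.lab; on the setup described above it reports a mismatch until Coolify is switched away from the *.lab wildcard. `trusted_by_store` is the per-host check after deployment, and `rotation_due` is the check that decides when the rotation procedure below is due. Host, port and bundle paths are parameters; nothing here is taken from the original scripts.

```shell
#!/usr/bin/env bash
# Added example, not the orchestrator's validate command: the checks behind the
# validation report. Which certificate does the git.lab endpoint present, is it
# the file in certificates/, does a deployed trust store accept it, does it
# cover the hostname, and is rotation due. Network checks use openssl s_client;
# the offline checks work on any PEM file.
set -eu

# cert_fingerprint CRT: SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_cert HOST PORT SNI: PEM of the leaf certificate HOST:PORT presents
# when asked for server name SNI (the proxy may hold several certificates).
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509
}

# served_fingerprint HOST PORT SNI: SHA-256 fingerprint of that leaf.
served_fingerprint() {
  served_cert "$1" "$2" "$3" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_matches_served CRT HOST PORT SNI: exit 0 if the endpoint serves exactly CRT.
# Against the setup in the report this fails until Coolify is switched from the
# *.lab wildcard to the new git.lab certificate.
cert_matches_served() {
  [ "$(cert_fingerprint "$1")" = "$(served_fingerprint "$2" "$3" "$4")" ]
}

# covers_host CRT NAME: exit 0 if CRT's SAN (or CN) matches NAME, wildcards included.
covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# trusted_by_store CRT BUNDLE: exit 0 if CRT chains to an anchor in BUNDLE, e.g.
# /etc/ssl/certs/ca-certificates.crt on a deployed Debian/Ubuntu host. For a
# self-signed certificate, BUNDLE must contain the certificate itself.
trusted_by_store() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# rotation_due CRT DAYS: exit 0 if CRT expires within DAYS days (or already has).
rotation_due() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: sh validate_git_lab.sh certificates/git.lab.crt [HOST [PORT]]
if [ "$#" -ge 1 ]; then
  crt="$1"; host="${2:-git.lab}"; port="${3:-443}"
  echo "local fingerprint:  $(cert_fingerprint "$crt")"
  echo "served fingerprint: $(served_fingerprint "$host" "$port" git.lab)"
  if cert_matches_served "$crt" "$host" "$port" git.lab; then
    echo "endpoint serves $crt"
  else
    echo "endpoint serves a different certificate"
  fi
  if covers_host "$crt" git.lab; then echo "covers git.lab"; else echo "does NOT cover git.lab"; fi
  if rotation_due "$crt" 30; then echo "rotation due within 30 days"; else echo "no rotation needed yet"; fi
fi
```

Compare fingerprints rather than subjects: the wildcard and the new certificate can both carry a subject that looks like git.lab, and only the fingerprint tells you which file the proxy actually loaded.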

📖 Usage Examples

Basic Operations

# Check current status
./scripts/cert_deployment_orchestrator.sh status

# Validate setup
./scripts/cert_deployment_orchestrator.sh validate

# Generate new certificate
./scripts/cert_deployment_orchestrator.sh generate

Deployment Options

# Deploy to everything
./scripts/cert_deployment_orchestrator.sh full-deploy

# Deploy to hosts only
./scripts/cert_deployment_orchestrator.sh deploy-hosts

# Deploy to containers only
./scripts/cert_deployment_orchestrator.sh deploy-containers

# Skip specific targets
./scripts/cert_deployment_orchestrator.sh full-deploy --skip-containers

Troubleshooting

# Check logs
tail -f logs/deployment.log

# Test individual scripts
./scripts/deploy_to_hosts.sh
./scripts/deploy_to_containers.sh

# Manual certificate verification
openssl x509 -in certificates/git.lab.crt -text -noout

🛡️ Security Considerations

Certificate Security

  • Private keys have 600 permissions
  • Certificates use a 4096-bit RSA key (the key size of the signing/key-exchange key; the certificate itself is public and not encrypted)
  • Self-signed certificates for internal use only
  • Keep git.lab.key only where TLS for git.lab is terminated (the Coolify proxy); hosts and containers that merely need to trust git.lab require only the .crt, and every extra copy of the key is a place from which git.lab can be impersonated to all of them
  • Regular rotation recommended (currently valid for 1 year)

Network Security

  • SSH key-based authentication required
  • Temporary files cleaned up after deployment
  • Sudo access required only for certificate installation
  • Coolify-managed containers are automatically excluded

Access Control

  • Scripts validate prerequisites before execution
  • Error handling prevents partial deployments
  • Comprehensive logging for audit trails

🔄 Certificate Rotation

To rotate certificates:

  1. Generate new certificate:

    ./scripts/generate_certificate.sh
    
  2. Deploy to all targets:

    ./scripts/cert_deployment_orchestrator.sh full-deploy
    
  3. Verify deployment:

    ./scripts/cert_deployment_orchestrator.sh validate
    

🐛 Troubleshooting

Common Issues

SSH Connection Failures

  • Ensure SSH key authentication is configured
  • Check network connectivity to target hosts
  • Verify sudo access on target hosts

Docker Permission Issues

  • Add the deploying user to the docker group: sudo usermod -aG docker $USER (log out and back in for it to take effect); docker group membership is equivalent to root on that host, since the socket allows starting a privileged container with / mounted, so grant it only to the account that runs these scripts
  • Ensure Docker daemon is running
  • Check container accessibility

Certificate Validation Errors

  • Verify certificate files exist and have correct permissions
  • Check certificate expiration dates
  • Ensure OpenSSL is available

Coolify Integration Issues

  • Check if /data/coolify/proxy/certificates/ exists
  • Verify proper permissions on Coolify directories
  • Consider manual certificate placement if needed

Log Analysis

Check deployment logs for detailed error information:

tail -f logs/deployment.log
grep ERROR logs/deployment.log

🤝 Contributing

To extend or modify the certificate manager:

  1. Add new target types: Modify inventory creation and deployment scripts
  2. Customize certificate parameters: Edit generate_certificate.sh
  3. Add verification methods: Extend validation functions
  4. Implement new deployment strategies: Create additional deployment scripts

📝 License

This tool is provided as-is for internal infrastructure management. Ensure compliance with your organization's security policies before deployment.


Last Updated: September 29, 2025
Version: 1.0
Supported OS: Ubuntu Linux (tested on Ubuntu with Zsh)