EFS Deployment Guide

EFS components can be deployed as Docker containers. The deployment scripts for the EFS components are available on GitLab: https://gitlab.fit.fraunhofer.de/efpf-pilots/efpf-security-components/efpf_efs_srfg_components

The run-efac-portal.sh script starts the necessary EFS Docker components.

Deploy the EFS components in the following order:

Keycloak:

    ./run-efac-portal.sh keycloak

API Security Gateway:

    ./run-efac-portal.sh apisix

API Security Gateway Importer:

    ./run-efac-portal.sh asg importer

How to create and renew a Let’s Encrypt certificate for EFS

The following document explains how to set up a Let’s Encrypt certificate with Certbot:

https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

First, add the repository and install Certbot:

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update

Then create the certificates with the following command. We assume you are using NGINX as a reverse proxy in your deployment. Make sure to stop any running NGINX containers during this process: with --standalone, Certbot starts its own temporary web server to answer the challenge and cannot bind the port while NGINX holds it.

    sudo certbot-auto certonly --standalone -d efpf-security-portal.salzburgresearch.at -d www.efpf-security-portal.salzburgresearch.at

The certificates should be available in the following directory:

    /etc/letsencrypt/live/efpf-security-portal.salzburgresearch.at

This folder will contain the following files:

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

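Use fullchain.pem and privkey.pem to configure the NGINX instance (replace example.com with the name of your certificate directory):

    # "ssl on;" is deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
    ssl on;
    # Server certificate followed by the intermediate chain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # Private key; keep it readable by root only
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;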

How to renew the certificate

  • If NGINX is running, stop it with the following command:

    docker-compose stop nginx
    
  • Dry run command:

    sudo certbot-auto renew --dry-run
    
  • Renew certificates command:

    sudo certbot-auto renew
    
  • The certificates will be available in the following directory:

    /etc/letsencrypt/live/efpf-security-portal.salzburgresearch.at
    

How to write a cron job for auto-renewal

  • Use the following crontab entry to auto-renew the certificates (it runs every day at 02:00):

    0 2 * * * sudo /usr/sbin/certbot-auto -q renew
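
The manual renewal steps and the cron entry above, combined into one wrapper as an added example (it is not part of the EFS repository): standalone renewal only works while NGINX is stopped, so the script stops the proxy, rehearses with --dry-run, renews, and always starts NGINX again. COMPOSE_DIR, the function name and the --run switch are assumptions of this example, and it is meant for root's crontab, so it does not call sudo.

```sh
#!/bin/sh
# Added example: unattended renewal of a certificate issued in standalone mode.
# Assumptions: the docker-compose project lives in COMPOSE_DIR (hypothetical
# path) and the reverse-proxy service is named "nginx", as in the stop command
# of the renewal steps. Run as root.

COMPOSE_DIR="${COMPOSE_DIR:-/opt/efs}"
COMPOSE="${COMPOSE:-docker-compose}"
CERTBOT="${CERTBOT:-/usr/sbin/certbot-auto}"

# The body runs in a subshell, so "cd" and "exit" do not affect the caller.
# Exit codes: 0 ok, 2 bad COMPOSE_DIR, 3 stop failed, 4 renew failed,
#             5 dry run failed, 6 NGINX did not come back up.
renew_efs_cert() (
    rc=0
    cd "$COMPOSE_DIR" || exit 2

    # Certbot's standalone server needs the port NGINX is holding.
    $COMPOSE stop nginx || exit 3

    # Rehearse first; only attempt the real renewal if the dry run passes.
    if $CERTBOT -q renew --dry-run; then
        $CERTBOT -q renew || rc=4
    else
        rc=5
    fi

    # Bring the proxy back even when renewal failed, so a CA or DNS problem
    # does not turn into an outage of the portal.
    $COMPOSE start nginx || rc=6
    exit "$rc"
)

# Only act when called explicitly, e.g. from cron with "--run".
if [ "${1:-}" = "--run" ]; then
    renew_efs_cert
fi
```

Saved under a path of your choice and called with --run, the script takes the place of the certbot-auto command in the crontab line. A non-zero exit code then shows which step failed, which the quiet (-q) renewal alone would not surface.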
    