
How to install a https commercial certificate in a Docker container

Current Team Password Manager version: 12.160.277

Team Password Manager Docker images expose ports 80 and 443, so Team Password Manager can be accessed over both http and https. The https endpoint uses a self-signed SSL certificate, which browsers will not trust and which is therefore not suitable for a production installation. If you intend to use this Docker image in production you need to configure a valid certificate. This document explains how to do it.

In this tutorial we're going to use:

  • A Docker container running Team Password Manager, named teampasswordmanager. This is the name given in the --name parameter of docker run, or the "services" name in a docker-compose.yml file.
  • The (sub)domain to access Team Password Manager is tpm.mycompany.com, so the URL to access it is https://tpm.mycompany.com.

The tutorial is divided into the following parts:

  • Default container configuration
  • Installing an existing certificate
  • Creating a new certificate

Default container configuration

By default, Team Password Manager Docker containers have a self-signed certificate installed in the /var/www/html/ssl/ folder. This certificate consists of two files: a key file named tpm-ssl-key.key and a certificate file named tpm-ssl-cert.crt.

To install a valid commercial certificate we need to replace these two files with the ones of the commercial certificate. Let's get to it.

Installing an existing certificate

If you have an SSL certificate you'll have at least the following two files:

  • A private key file, let's name it private_key.key
  • A certificate file, let's name it certificate.crt

We're going to copy these files into the container running Team Password Manager and then reload Apache to put them to work.

1. Copy the certificate files to the container

Open a terminal screen and go to the folder where you have the certificate files. Then execute these instructions to copy them to the container:

docker cp private_key.key teampasswordmanager:/var/www/html/ssl
docker cp certificate.crt teampasswordmanager:/var/www/html/ssl

2. Replace the self signed certificate files with the ones of your certificate

To do this, log in to the container:

docker exec -it teampasswordmanager bash

The default working folder of the container is /var/www/html/, so go to the ssl folder /var/www/html/ssl/:

cd ssl

If you list the contents of the ssl folder you should see something like this:

root@a47ba79c9c70:/var/www/html/ssl# ls
certificate.crt private_key.key tpm-ssl-cert.crt  tpm-ssl-key.key

So now replace the default certificate files with yours:

mv private_key.key tpm-ssl-key.key
mv certificate.crt tpm-ssl-cert.crt

Make sure the certificate files are owned by root and have 600 permissions (readable and writable by root only):

chown root:root tpm*
chmod 600 tpm*

So you should now have something like this:

root@a47ba79c9c70:/var/www/html/ssl# ls -la
-rw------- 1 root root 2049 Nov 10 19:53 tpm-ssl-cert.crt
-rw------- 1 root root 1704 Nov 10 19:53 tpm-ssl-key.key

3. Reload Apache

Execute this to reload Apache:

service apache2 reload

If everything goes well you should now be able to open the Team Password Manager installation at https://tpm.mycompany.com.

You can exit the container by typing exit on the command line, which returns you to the host.

Creating a new certificate

If you don't have an SSL certificate for your tpm.mycompany.com subdomain, this section shows how to create the private key and certificate request and purchase the certificate.

1. Create the Private Key and the Certificate Signing Request (CSR) files

Start by logging in to the container:

docker exec -it teampasswordmanager bash

Then update the system:

apt-get update && apt-get upgrade

Then go to the ssl folder (/var/www/html/ssl/) and delete the current certificate files (or rename them if you want to keep them):

cd /var/www/html/ssl
rm *

Execute openssl to create the private key and the CSR (use exactly the file names shown here):

openssl req -newkey rsa:2048 -nodes -keyout tpm-ssl-key.key -out tpm-ssl-csr.csr

When you execute this you'll be asked for some information that will be incorporated into your certificate request. It's especially important that you correctly enter the "Common Name", which is the host name you want to use to access your installation of Team Password Manager. In this case we've used tpm.mycompany.com because we'll use https://tpm.mycompany.com to access our Team Password Manager installation:

Generating a RSA private key
.....................+++++
......+++++
writing new private key to 'tpm-ssl-key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Barcelona
Locality Name (eg, city) []:My city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My company
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:tpm.mycompany.com
Email Address []:info@mycompany.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Running openssl produces two files: tpm-ssl-key.key and tpm-ssl-csr.csr.

tpm-ssl-key.key is the private key; protect it and do not disclose it to anyone. tpm-ssl-csr.csr is the CSR file; you'll need to copy and paste its contents into the online enrollment form when requesting the certificate.

You should now purchase the certificate from a Certificate Authority (CA). We've used Namecheap (PositiveSSL certificate) but you can use any CA that you like. The CA will ask you to copy the contents of the CSR file (everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) and paste it into the indicated form. You can see the contents of the CSR file with this command: cat tpm-ssl-csr.csr. You'll also need to validate your domain; the CA will offer various methods for doing so.

The CA will provide you with at least the certificate file: tpm_mycompany_com.crt. Once you have it continue with the following step.

2. Copy the certificate file to the container

We'll now copy the certificate file you got from the CA (tpm_mycompany_com.crt) to the container, renaming it to tpm-ssl-cert.crt.

First, if you are still inside the container, leave it with the exit command.

Then go to the folder where you have the tpm_mycompany_com.crt file and enter this command to copy it to the container:

docker cp tpm_mycompany_com.crt teampasswordmanager:/var/www/html/ssl/tpm-ssl-cert.crt

Log back in to the container:

docker exec -it teampasswordmanager bash

Go to the ssl folder and make sure the certificate files are owned by root and have 600 permissions:

cd /var/www/html/ssl
chown root:root tpm*
chmod 600 tpm*

So you should now have something like this:

root@a47ba79c9c70:/var/www/html/ssl# ls -la
-rw------- 1 root root 2049 Nov 10 20:07 tpm-ssl-cert.crt
-rw------- 1 root root 1704 Nov 10 19:32 tpm-ssl-key.key
-rw------- 1 root root 1234 Nov 10 19:32 tpm-ssl-csr.csr

3. Reload Apache

Execute this to reload Apache:

service apache2 reload

If everything goes well you should now be able to open the Team Password Manager installation at https://tpm.mycompany.com using your new certificate.

You can exit the container by typing exit on the command line, which returns you to the host.

4. Keep the private key file

As a closing note, you should copy the private key file out of the container and keep it in a safe place. You can also keep the CSR file. To do so, execute these commands to copy the files from the container to the host:

docker cp teampasswordmanager:/var/www/html/ssl/tpm-ssl-key.key .
docker cp teampasswordmanager:/var/www/html/ssl/tpm-ssl-csr.csr .

You can also delete the CSR file from the container as it's not needed there.
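Before reloading Apache, in either of the two procedures above, it is worth checking the installed pair rather than finding out from a browser error. The following script is an added example, not part of Team Password Manager or its Docker image; it assumes the file names and folder used in this document (/var/www/html/ssl, tpm-ssl-key.key, tpm-ssl-cert.crt) and an openssl binary inside the container. It checks ownership and permissions, that the private key really belongs to the certificate, that the certificate covers the host name and is not about to expire, and warns if the pair is still self-signed like the default one.

```shell
#!/bin/sh
# tpm-ssl-check.sh: added example, not part of Team Password Manager.
# Checks the certificate pair in the container's ssl folder before Apache is
# reloaded. Usage (inside the container):
#   sh tpm-ssl-check.sh /var/www/html/ssl tpm.mycompany.com
# The optional third argument is the expected file owner (default root).

tpm_ssl_check() {
  dir=$1; host=$2; owner=${3:-root}; fail=0
  key="$dir/tpm-ssl-key.key"; cert="$dir/tpm-ssl-cert.crt"
  for f in "$key" "$cert"; do
    if [ ! -f "$f" ]; then echo "FAIL: $f is missing"; return 1; fi
    # POSIX ls -ld: field 1 is the mode string, field 3 the owner
    set -- $(ls -ld "$f")
    case "$1" in
      -rw-------*) ;;
      *) echo "FAIL: $f has mode $1, want 600 (chmod 600)"; fail=1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "FAIL: $f is owned by $3, want $owner"; fail=1; }
  done
  # The public key inside the certificate must be the one derived from the
  # private key, otherwise Apache rejects the pair when it reloads.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: $key does not match $cert"; fail=1
  fi
  # The certificate must cover the name users type (Common Name or subjectAltName).
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q " does match"; then
    echo "FAIL: $cert is not valid for $host"; fail=1
  fi
  # Flag expiry 30 days (2592000 s) ahead; checkend exits 1 when the cert will expire.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: $cert is expired or expires within 30 days"; fail=1
  fi
  # Issuer equal to subject means a self-signed certificate, like the default one.
  subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || subj=s
  iss=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || iss=i
  [ "${subj#subject=}" != "${iss#issuer=}" ] || echo "WARN: $cert is self-signed"
  [ "$fail" -eq 0 ] && echo "OK: certificate pair in $dir looks good for https://$host"
  return "$fail"
}

if [ $# -eq 2 ] || [ $# -eq 3 ]; then
  tpm_ssl_check "$@"
fi
```

The script exits non-zero on any FAIL line, so it can be run right before service apache2 reload and the reload skipped if it fails.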


Document changelog

Nov 18, 2020: Document created