ejbca-ce
Unable to restart container when Security parameters are set
When the security parameters "PASSWORD_ENCRYPTION_KEY" and "CA_KEYSTOREPASS" are set as environment variables, it's only possible to stop and remove the container. A restart makes the cryptotokens unreadable:

```
PKCS12 key store mac invalid - wrong password or corrupted file
```

In the startup script "after-init-app.sh" these variables are copied to the end of "/ejbca/conf/cesecore.properties". On a restart, these variables are copied again. This results in a cesecore.properties file like this:
```properties
allow.external-dynamic.configuration=true
# Optimization for fresh installations on EJBCA 6+
db.keepinternalcakeystores=false
# All security log events are written to all enabled/configured devices.
# The following AuditLogDevice implementations are available:
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.log4j.Log4jDevice
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
securityeventsaudit.implementation.1=null
# Nodeid used for integrity protected audit log. If not set the hostname of local host is used.
# Default: not set
password.encryption.key=encryptionkey
password.encryption.key=encryptionkey
password.encryption.key=encryptionkey
```
My compose file:
```yaml
version: '3.9'
services:
  ejbca-ce:
    image: keyfactor/ejbca-ce:latest
    hostname: localhost
    environment:
      - DATABASE_PASSWORD=databasepassword
      - DATABASE_USER=ejbca
      - 'DATABASE_JDBC_URL=jdbc:mysql://ejbca-db:3306/ejbca?characterEncoding=UTF-8'
      - TLS_SETUP_ENABLED=simple
      - PASSWORD_ENCRYPTION_KEY=encryptionkey
    ports:
      - 8443:8443
    restart: unless-stopped
```
After a `docker compose restart` the cryptotokens are not readable. After a `docker compose down` and `docker compose up -d` everything is back to normal.
I guess that was also the case in #293 but it was not a problem with the imported CA keystore.
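The failure mode described in the report, as an added example that is not part of the original issue and not EJBCA's own after-init-app.sh: a startup hook that blindly appends `key=value` to a properties file produces one more duplicate definition per container start, whereas an idempotent "set" replaces an existing definition and only appends when the key is absent. The function names, the temporary file and the seed content of the properties file are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not EJBCA code). Shows why appending a property on every
# container start duplicates the key, and an idempotent alternative that
# a startup script could use instead. All names below are assumptions.

# Naive approach: unconditionally append, as the report describes.
append_property() {
    # $1 = properties file, $2 = key, $3 = value
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Does $1 contain an active (uncommented) definition of key $2?
# Uses a fixed-string prefix match so dots in the key are not regex wildcards.
has_key() {
    [ -f "$1" ] && awk -v k="$2" '
        index($0, k "=") == 1 { found = 1 }
        END { exit !found }
    ' "$1"
}

# Idempotent approach: rewrite an existing definition in place (via a temp
# file, since "sed -i" is not POSIX), otherwise append it once.
set_property() {
    file=$1
    key=$2
    value=$3
    if has_key "$file" "$key"; then
        tmp=$(mktemp)
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=" v; next }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Number of active definitions of key $2 in file $1 (0 if the file is missing).
count_key() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk -v k="$2" 'index($0, k "=") == 1 { n++ } END { print n + 0 }' "$1"
}

# Value of the first active definition of key $2 in file $1.
get_property() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Simulate $2 container starts using approach $1 ("append" or "set") against
# a constructed cesecore.properties; print how many definitions of
# password.encryption.key the file ends up with.
simulate_starts() {
    f=$(mktemp)
    printf 'allow.external-dynamic.configuration=true\n' > "$f"
    i=0
    while [ "$i" -lt "$2" ]; do
        if [ "$1" = append ]; then
            append_property "$f" password.encryption.key encryptionkey
        else
            set_property "$f" password.encryption.key encryptionkey
        fi
        i=$((i + 1))
    done
    count_key "$f" password.encryption.key
    rm -f "$f"
}

# Stand-alone demo: three starts with each approach.
echo "append: $(simulate_starts append 3) definitions of password.encryption.key"
echo "set:    $(simulate_starts set 3) definition(s) of password.encryption.key"
```

The same idempotent pattern also covers the case the report mentions for a changed value: re-running `set_property` with a new value rewrites the single existing line rather than leaving the old one in place.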
This is a bug and I will let the dev team know. Thanks for reporting this.