Installing Boulder in an isolated environment


#1

Hello,

There is an issue I’ve run into and it’s difficult to find a proper solution to it online-
How do I install Boulder if the build expects me to download packages over the internet, to which my machine has no access to?

I understand that it clones code to various locations including dependencies, but I wanted to ask if there is a more efficient method, that is far less prone to error.

Thanks in advance.


#2

OK so I’ll take the bait.
@enemystand… you say that it is “difficult to find a proper solution to it online” …

Networking “best practice” indicates security certificates for lots of applications and reasons. It’s a good idea and SA’s worldwide are constantly “locking down” scripts and processes to make their networking environment more sane and secure.

Let’s Encrypt’s mission is to play a significant role in “securing the web” not private networks.

There must be a bunch more information you can share with the community. I for one must be missing some major details here.

  1. Why would you need or desire to install a certificate on a server that has no public facing interface?
  2. Have you considered configuring a “self-signed” certificate?
    Is this a “private” part of a “public” resource?

Please provide more information regarding your configuration and ultimate goals so the experts here can help you accomplish it.

Please don’t misinterpret my questions, but there’s a lot more we need to know if you really want assistance.

Regards
Rip


#3

I think OP might mean that the included runtime environment for the Boulder project requires pulling Docker images off the internet.

Can’t disagree that the “production ops manual” is missing for the project (though understandable as there are probably relatively few parties looking for it).


#4

It makes perfect sense to me that someone would like to run Boulder as the basis of a private CA on a network that’s air-gapped from the public Internet. However, I don’t think that the Boulder developers have created documentation to facilitate this, even though it could be quite valuable.

@enemystand, I would suggest opening a ticket on

to track the process of creating documentation for this, and then maybe you can contribute your own experience back to that and hopefully also get advice from others.

As @Rip implies, this hasn’t been a high priority for Let’s Encrypt due to the heightened focus on running the public CA, but that doesn’t mean that it wouldn’t be a valuable service to the community. I assume that there are already several Boulder-based CAs running that we don’t know about. :slight_smile:

It would be terrific to have something like this out there eventually. :slight_smile: (not necessarily disclosing lots of operational choices that Let’s Encrypt itself has made, but giving prospective CA operators some useful options to work with)


#5

Thank you all.

From what I’ve seen it is more efficient to pull Docker images instead of simply copying the entirety of Github to the intranet in question (Or all the dependencies, if there were an easy way to list them all outside of the packages retrieved by ‘go get’). What I meant by difficult is retrieving all the dependencies from the various sources the projects builds itself, in order to run properly without fail.

The desire to install a CA certificate on a server that doesn’t serve the internet, does conflict with Let’s Encrypt’s mission statement, but it does not conflict with the use cases for which I’m looking to use the open-source technology the project is based on.

I do understand Let’s Encrypt’s mission and I highly support it, it’s just that I’m trying to see if the CA technology you provide fits my use cases in various ways. And stemming from that mission statement I also understand the current focus, and the lack for a production ops manual like @_az suggested.

Still, I don’t think it’s downright impossible to make the process of container-less deployment a lot more efficient. As of now I’m more focused on running the solution and experimenting with it in my intranet, so future questions I may have will be Boulder-operation-oriented.

Again, thank you for your time, and apologies if the question was … strange/misunderstood.


#6

Thanks @enemystand for your reply. It was I who misunderstood your original post on this thread. @_az and @schoen (and you) are the “experts” I referenced here and they pointed me at the boulder script. Your description was good enough that they could recognize your environment and ultimate goal. My response was impulsive and shows my lack of experience in this area of I.T… In a way, this “topic” could have been tailored for me because I’m the one who learned the most.
@enemystand, @_az , @schoen:+1:

Cheers
Rip


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.