Add option to set ca_ttl

tuxmea · tuxmea · commit 614c90d82aa2 · 2025-01-24T14:49:11.000+01:00
diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ The following environment variables are supported:
 | __OPENVOXSERVER_PORT__                      | The port of the openvoxserver<br><br>`8140`                                                                                                                    |
 | __AUTOSIGN__                               | Whether or not to enable autosigning on the openvoxserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.<br><br>Defaults to `true`. |
 | __CA_ENABLED__                             | Whether or not this openvoxserver instance has a running CA (Certificate Authority)<br><br>`true`                                                              |
+| __CA_TTL__                                 | CA expire date (in seconds or with suffix `s`, `m`, `h`, `d`, `y`)<br><br>`157680000`                                                                          |
 | __CA_HOSTNAME__                            | The DNS hostname for the openvoxserver running the CA. Does nothing unless `CA_ENABLED=false`<br><br>`puppet`                                                  |
 | __CA_PORT__                                | The listening port of the CA. Does nothing unless `CA_ENABLED=false`<br><br>`8140`                                                                            |
 | __CA_ALLOW_SUBJECT_ALT_NAMES__             | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.<br><br>`false`        |
diff --git a/openvoxserver/Containerfile b/openvoxserver/Containerfile
@@ -48,6 +48,7 @@ ENV OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
     OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
     OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
     CA_ENABLED=true \
+    CA_TTL=157680000 \
     CA_HOSTNAME=puppet \
     CA_PORT=8140 \
     CA_ALLOW_SUBJECT_ALT_NAMES=false \
diff --git a/openvoxserver/docker-entrypoint.d/90-ca.sh b/openvoxserver/docker-entrypoint.d/90-ca.sh
@@ -42,6 +42,7 @@ EOF
   fi
 else
   # we are the CA
+  puppet config set --section server ca_ttl "${CA_TTL}"
   hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
     set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"
 
