Installation of Lemur Certificate Manager on Ubuntu

This tutorial shows the installation of the Lemur certificate management software on Ubuntu 16.04 LTS.  Lemur is an open source project of NetFlix and used to generate the certificates for customers/clients. In this article, we will set up a Python-based virtual environment, install the required packages, configure the basic web service and access the dashboard of the certificate manager. It is assumed that you have a clean Ubuntu 16.04 LTS instance running, e.g. in the Cloud (like AWS) or a local virtualized environment. 

Dependencies

Some basic prerequisites which you'll need in order to run Lemur:

  • Linux operating system (Ubuntu 16.04 LTS is used in this tutorial).
  • Python 3.5 or greater.
  • PostgreSQL 9.4 or greater.
  • Nginx Web server.

Installing Build Dependencies

When you install Lemur on a bare Ubuntu OS, you will need to grab the following packages so that Lemur can correctly build its dependencies:

.. code-block:: bash

sudo apt-get update
sudo apt-get install nodejs nodejs-legacy python-pip python-dev python3-dev libpq-dev build-essential libssl-dev libffi-dev libsasl2-dev libldap2-dev nginx git supervisor npm postgresql

Install Build dependencies

The above command will install nodejs, pip, nginx , git, npm, and PostgreSQL database packages. 

Note: Installing the node package manager may create the nodejs bin at /usr/bin/nodejs path instead of /usr/bin/node. Run the following command to create a soft link at the desired path.

sudo ln -s /user/bin/nodejs /usr/bin/node

Now, install virtualenv package using following command.

sudo pip install -U virtualenv

Install virtualenv

Setting up the build environment

In this guide, Lemur will be installed in the /www directory, so you need to create that directory first:

sudo mkdir /www
cd /www

Create the www directory

Now, clone Lemur latest source inside the just created directory and give yourself write permission (lemur user is the created in this tutorial):

sudo useradd lemur
sudo passwd lemur
sudo mkdir /home/lemur
sudo chown lemur:lemur /home/lemur

Add a user for lemur

sudo git clone https://github.com/Netflix/lemur
sudo chown -R lemur lemur/

Clone lemur source code

Also, create the virtual environment, activate it and enter Lemur's directory:

su lemur
virtualenv -p python3 lemur

Create virtualenv


source /www/lemur/bin/activate
cd lemur

source lemur directory

Activating the environment adjusts PATH environment variable , so that things like pip now install into the virtualenv by default.

Installing Lemur from Source

After setting up the system, make sure that you are in the virtualenv to run "make release" command.

which python

Check python release

And run the following command to install npm dependencies as well as compile static assets.

 make release

Build the release code

Creating Lemur configuration

Before we run Lemur, we must create a valid configuration file for it. The Lemur command line interface comes with a simple command to get you up and running quickly. The following command will create a default configuration under "~/.lemur/lemur.conf.py" and this location can be specify by passing the config_path parameter to the create_config command.

 lemur create_config

Create lemur configuration

Update Lemur configuration

Once created, you will need to update the configuration file with information about your environment, such as which database to talk to, where keys are stored etc.

vi ~/.lemur/lemur.conf.py

The SQLALCHEMY_DATABASE_URI string of Postgresql can be broken up like this:
"postgresql://userame:[email protected]<database-fqdn>:<database-port>/<database-name>"

The below given screenshot shows that following required variables are filled in the configuration file:

LEMUR_SECURITY_TEAM_EMAIL
LEMUR_DEFAULT_COUNTRY
LEMUR_DEFAULT_STATE
LEMUR_DEFAULT_LOCATION
LEMUR_DEFAULT_ORGANIZATION
LEMUR_DEFAULT_ORGANIZATIONAL_UNIT

Update lemur config

Setup Postgres Database

For production, a dedicated database is recommended. For this guide, I will assume postgres has been installed and is on the same machine that Lemur is installed on.

First, set a password for the postgres user. For this guide, we will use lemur as an example but you should use the database password generated by Lemur:

sudo -u postgres -i

Add lemur user in postgres

psql
postgres=# CREATE USER lemur WITH PASSWORD 'lemur';

Create user

Once successful, type CTRL-D to exit the Postgres shell.

Next, we will create our new database:

sudo -u postgres createdb lemur

Create the database

Initializing Lemur Certificate Manager 

Lemur provides a helpful command that will initialize your database for you. It creates a default user (lemur) that is used by Lemur to help associate certificates that do not currently have an owner. This is most commonly the case when Lemur has discovered certificates from a third party source. This is also a default user that can be used to administer Lemur.

In addition to creating a new user, Lemur also creates a few default email notifications. These notifications are based on a few configuration options such as LEMUR_SECURITY_TEAM_EMAIL. They basically guarantee that every certificate within Lemur will send one expiration notification to the security team.

Make note of the password used as this will be used during first login to the Lemur UI.

cd /www/lemur/lemur 
lemur init

Initiate lemur

The following snapshot shows the output of the "lemur init" command.

Lemur init command

NGINX web server configuration for Lemur

By default, Lemur runs on port 8000. Even if you change this, under normal conditions you won't be able to bind to port 80. To get around this (and to avoid running Lemur as a privileged user, which you shouldn't), we need setup a simple web proxy. There are many different web servers you can use for this, we like and recommend Nginx.

Add following lines in the configuration file "/etc/nginx/sites-available/default".

location /api {
proxy_pass http://127.0.0.1:8000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
root /www/lemur/lemur/static/dist;
include mime.types;
index index.html;
}

Configure nginx as proxy for lemur

After making these changes, restart Nginx service to apply them:

sudo service nginx restart

Restart nginx

Starting the Web Service

Lemur provides a built-in web server (powered by gunicorn and eventlet) to get you off the ground quickly. To start the web server, you simply use "lemur start".

Start lemur web server

You can login with the default user created during Initializing Lemur or any other user you may have created.You should now be able to test the web service by visiting http://192.168.10.51:8000/. (192.168.10.51 is the ip address of the Lemur machine).

Login to lemur certificate manager

The Dashboard of the Lemur is shown above. It is used to create certificates using self signed or root Certificate Authorities. 

Conclusion

In this tutorial, the Lemur certificate manager is installed on the latest Ubuntu LTS version. The purpose of Lemur is to create and manage certificates. It also supports different roles of users. 

Share this page:

Suggested articles

0 Comment(s)

Add comment