removed any 'instance.*.pem' reference

.DEBIAN/postinst

@@ -3,14 +3,6 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 
-if [ ! -f $CONFIG_DIR/instance.private.pem ]; then
-  echo "> Create dls-instance keypair ..."
-  openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
-  openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
-else
-  echo "> Create dls-instance keypair skipped! (exists)"
-fi
-
 while true; do
   [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
   [ $default_answer == "Y" ] && V="Y/n" || V="y/N"

.PKGBUILD/PKGBUILD

@@ -30,8 +30,6 @@ pkgver() {
 check() {
     cd "$srcdir/$pkgname/test"
     mkdir "$srcdir/$pkgname/app/cert"
-    openssl genrsa -out "$srcdir/$pkgname/app/cert/instance.private.pem" 2048
-    openssl rsa -in "$srcdir/$pkgname/app/cert/instance.private.pem" -outform PEM -pubout -out "$srcdir/$pkgname/app/cert/instance.public.pem"
     python "$srcdir/$pkgname/test/main.py"
     rm -rf "$srcdir/$pkgname/app/cert"
 }

.PKGBUILD/fastapi-dls.install

@@ -7,8 +7,4 @@ post_install() {
     echo
     echo 'A valid HTTPS certificate needs to be installed to /var/lib/fastapi-dls/cert/webserver.{crt,key}'
     echo 'A self-signed certificate can be generated with: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/lib/fastapi-dls/cert/webserver.key -out /var/lib/fastapi-dls/cert/webserver.crt'
-    echo
-    echo 'The signing keys for your instance need to be generated as well. Generate them with these commands:'
-    echo 'openssl genrsa -out /var/lib/fastapi-dls/instance.private.pem 2048'
-    echo 'openssl rsa -in /var/lib/fastapi-dls/instance.private.pem -outform PEM -pubout -out /var/lib/fastapi-dls/instance.public.pem'
 }

.UNRAID/FastAPI-DLS.xml

@@ -18,9 +18,6 @@ Make sure you create these certificates before starting the container for the fi
 WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
-# create instance private and public key for singing JWT's
-openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
-openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 ```


.gitlab-ci.yml

@@ -151,8 +151,6 @@ test:
     - pip install -r $REQUIREMENTS
     - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
-    - openssl genrsa -out app/cert/instance.private.pem 2048
-    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
     - cd test
   script:
     - python -m pytest main.py --junitxml=report.xml
@@ -265,8 +263,6 @@ test_coverage:
     - pip install -r requirements.txt
     - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
-    - openssl genrsa -out app/cert/instance.private.pem 2048
-    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
     - cd test
   script:
     - coverage run -m pytest main.py --junitxml=report.xml --suppress-no-test-exit-code

README.md

@@ -66,9 +66,6 @@ The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 WORKING_DIR=/opt/docker/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
-# create instance private and public key for singing JWT's
-openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
-openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 ```
@@ -153,9 +150,6 @@ chown -R www-data:www-data $WORKING_DIR
 WORKING_DIR=/opt/fastapi-dls/app/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
-# create instance private and public key for singing JWT's
-openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
-openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 chown -R www-data:www-data $WORKING_DIR
@@ -255,9 +249,6 @@ CERT_DIR=${BASE_DIR}/app/cert
 SERVICE_USER=dls
 mkdir ${CERT_DIR}
 cd ${CERT_DIR}
-# create instance private and public key for singing JWT's
-openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 
-openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
 chown -R ${SERVICE_USER} ${CERT_DIR}
@@ -617,7 +608,7 @@ Please download a new client-token. The guest have to register within an hour af
 
 ### `jose.exceptions.JWTError: Signature verification failed.`
 
-- Did you recreate `instance.public.pem` / `instance.private.pem`?
+- Did you recreate any certificate or keypair?
 
 Then you have to download a **new** client-token on each of your guests.
 

app/util.py

@@ -23,17 +23,24 @@ class CASetup:
     #
     ###
 
+    ROOT_PRIVATE_KEY_FILENAME = 'root_private_key.pem'
+    ROOT_CERTIFICATE_FILENAME = 'root_certificate.pem'
+    CA_PRIVATE_KEY_FILENAME = 'ca_private_key.pem'
+    CA_CERTIFICATE_FILENAME = 'ca_certificate.pem'
+    SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem'
+    SI_CERTIFICATE_FILENAME = 'si_certificate.pem'
+
     def __init__(self, service_instance_ref: str):
         self.service_instance_ref = service_instance_ref
-        self.root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem')
-        self.root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem')
-        self.ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem')
-        self.ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem')
-        self.si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem')
-        self.si_public_key_filename = join(dirname(__file__), 'cert/my_demo_si_public_key.pem')
-        self.si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem')
+        self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME)
+        self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
+        self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
+        self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)
+        self.si_private_key_filename = join(dirname(__file__), 'cert', CASetup.SI_PRIVATE_KEY_FILENAME)
+        self.si_certificate_filename = join(dirname(__file__), 'cert', CASetup.SI_CERTIFICATE_FILENAME)
 
         if not (isfile(self.root_private_key_filename)
+                and isfile(self.root_certificate_filename)
                 and isfile(self.ca_private_key_filename)
                 and isfile(self.ca_certificate_filename)
                 and isfile(self.si_private_key_filename)
@@ -156,8 +163,8 @@ class CASetup:
         with open(self.si_private_key_filename, 'wb') as f:
             f.write(my_si_private_key_as_pem)
 
-        with open(self.si_public_key_filename, 'wb') as f:
-            f.write(my_si_public_key_as_pem)
+        # with open(self.si_public_key_filename, 'wb') as f:
+        #    f.write(my_si_public_key_as_pem)
 
         # create si-certificate subject
         my_si_subject = x509.Name([
@@ -192,9 +199,6 @@ class CASetup:
             ]), critical=False)
             .sign(my_ca_private_key, hashes.SHA256()))
 
-        my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e
-        my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}'  # hex value without "0x" prefix
-
         with open(self.si_certificate_filename, 'wb') as f:
             f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
 

examples/docker-compose-http-and-https.yml

@@ -15,7 +15,7 @@ services:
       <<: *dls-variables
     volumes:
       - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - /opt/docker/fastapi-dls/cert:/app/cert
       - db:/app/database
     entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
     healthcheck: