Skip to main content

🐳 Docker / Podman

OpenUEM can be run using Docker/Podman containers that are hosted on Docker Hub

You can use docker compose or podman compose to install and run all OpenUEM components on a single machine following these steps:

danger

For deployments carried out before December 22, 2025, breaking changes are introduced. Please go to the Legacy section in this document to know how you can migrate from the older docker compose file.

1. Get the compose file​

Clone the openuem-docker repository:

git clone https://github.com/open-uem/openuem-docker

2. Create .env file with environment variables​

Use the file named .env-example file to create a .env file

note

The file must be named .env without extension and with a dot before the env word as required by Docker to read the environment variables

In the .env file, edit the environment variables that docker compose will use to build and get the containers up and running. The .env-example you just copied already sets up a working demo instance of OpenUEM on the openuem.example domain. If you want to simply try out OpenUEM you can just use it as-is. If you want to setup a production system or use your own domain and information, you can customize the .env you just created.

danger

It's strongly recommended to change the JWT key with a random 32 characters long string

Here are the possible environment variables that can appear in the .env file.

warning

The variables prefixed with DATABASE are used to create a Postgres connection URI string. Note that the connection URI needs to be encoded with percent-encoding if it includes symbols with special meaning in any of its parts as mentioned in Postgres docs. If you use special characters in your username or password, you may find the following page of interest to encode the value set to the variable. For example if your password is te=st you should use the following value te%3Dst to replace the = sign.

NameDescriptionRequiredExample value
DATABASE_DB_NAMEName of the postgres database used (will be created automatically on first start)yesopenuem
DATABASE_PORTPublic port exposed by the database serviceyes5432
DATABASE_USERUsername used to connect to the database (will be created automatically on first start)yesopenuem
DATABASE_PASSWORDPassword used to connect to the database (will be set automatically on first start)yessupersecret-dbpassword
OPENUEM_DATABASE_URLThe database url in format postgres://user:password@openuem-db-1:port/openuemyespostgres://openuem:supersecret-dbpassword@openuem-db:5432/openuem
OPENUEM_ORGNAMEYour organization's nameyesOpenUEM
OPENUEM_ORGPROVINCEYour organization's provincenoValladolid
OPENUEM_ORGLOCALITYYour organization's localitynoValladolid
OPENUEM_ORGADDRESSYour organization's addressnoMy org's address
OPENUEM_COUNTRYYour organization's countryyesES
OPENUEM_DOMAINYour DNS domain. All other services should resolve to either this domain or a subdomain.yesopenuem.example
TZThe timezone used by OpenUEM containersnoEurope/Madrid
REVERSE_PROXY_HOSTIf you want to use a reverse proxy, set the domain name that you want to use to visit the console, use an empty value otherwiseyesconsole.openuem.example or use an empty value otherwise
REVERSE_PROXY_CONSOLE_PORTIf you want to use a reverse proxy, set the port that will be used to serve the console web ui, use an empty value otherwiseyes443 or use an empty value otherwise
REVERSE_PROXY_AUTH_PORTIf you want to use a reverse proxy, set the port that will be used to answer for auth, use an empty value otherwiseyes4443 or use an empty value otherwise
NATS_HOSTThe domain name used by the NATS serveryesnats.openuem.example
NATS_PORTThe port used by the NATS serveryes4433
OCSP_URLThe URL for the OCSP responder serviceyeshttp://ocsp.openuem.example:8000
OCSP_HOSTThe host domain for the OCSP responder serviceyesocsp.openuem.example
OCSP_PORTThe port used by the OCSP responderyes8000
CONSOLE_HOSTThe name of the server where the console is hostedyesconsole.openuem.example
CONSOLE_PORTThe port used by the consoleyes1323
CONSOLE_AUTH_PORTThe port used by the auth serveryes1324
CONSOLE_JWT_KEYThe key used to encrypt JWT tokens for user registrationyesaverylongsecret
OPENUEM_NATS_SERVERSList of all NATS servers that will be used by many OpenUEM components. Normally this will be $NATS_HOST:$NATS_PORTyesnats.openuem.example:4433
RE_ENABLE_CERTIFICATES_AUTHIf you want to re-enable the use of certificates to log innotrue or false
RE_ENABLE_PASSWD_AUTHIf you want to re-enable the use of username and passwords to log innotrue or false
RESET_OPENUEM_USERIf you want to reset the openuem user to get a new passwordnotrue or false

It is possible to only use one domain for all services, but CONSOLE_HOST, OPENUEM_NATS_SERVERS and NATS_HOST should be resolved by your DNS service. If you are just locally deploying a demo instance and don't have access to a DNS, you can override your devices hosts configuration and allow local domain resolution.

  • On Linux: this configuration can be found under /etc/hosts. Add the line {YOUR_LOCAL_IP} {NATS_HOST} {OCSP_HOST} {CONSOLE_HOST}
  • On Windows: the configuration can be found under C:\Windows\System32\drivers\etc\hosts. Add the line {YOUR_LOCAL_IP} {NATS_HOST} {OCSP_HOST} {CONSOLE_HOST}
  • On macOS: the configuration can be found under /private/etc/hosts

You have to replace {YOUR_LOCAL_IP} and {OPENUEM_DOMAIN} with their respective values set in the .env file. It is important that you use your local ip address (e.g. 192.168.1.43) instead of localhost or 127.0.0.1. Docker will copy these overrides into the containers on start. If you use localhost, each container will only try to connect to itself, making proper domain resolution impossible.

warning

The method of editing the hosts file should only be used for a local demo instance

3. Use a reverse proxy (Optional)​

You can run OpenUEM behind a reverse proxy. Caddy can be used and is supported for this deployment with docker compose. If you decide to use Caddy as a reverse proxy, set the variables prefixed REVERSE_PROXY in the .env file (see the table above). Remember that the hosts / domains you set have to be resolvable by a DNS.

4. Launch docker compose command​

Where the compose.yaml file and the .env files are located, launch OpenUEM with the following commands:

Without Caddy support:

# Docker Compose:
docker compose up -d --build

With Caddy support:

# Docker Compose:
docker compose -f compose-caddy.yml up -d --build

On first start all the certificates are generated in the certificates folder:

Certificates folder

warning

The generation of certificates can take some time, don't stop the containers or go to the next step until you check that certificates have been indeed created. This should be automatically done when the ... compose up ... command finishes. If you find two files under the agents folder and one .pfx file inside the users folder, you're good to go.

If you find any error trying to launch the services, run the docker compose down or podman compose down commands shown below, remove the volumes and the certificates folder and start again

If you don't use Caddy:

docker compose down
sudo rm -rf certificates
docker volume rm openuem_jetstream openuem_pgdata

And if you use the Caddy option:

docker compose -f compose-caddy.yml down
sudo rm -rf certificates
docker volume rm openuem_jetstream openuem_pgdata openuem_caddy_config openuem_caddy_data

Open an issue with all the possible information if you can't start OpenUEM with Docker

5. Stopping OpenUEM​

If we want to stop OpenUEM we should run the following commands:

Without Caddy support:

docker compose down

With Caddy support:

docker compose -f compose-caddy.yml down

6. Trust in digital certificates created​

Before we can visit OpenUEM's console, we must import two digital certificates to our browser, the Certificate Authority certificate (ca.cer) and the user's certificate to log in. You have a guide explaining how to import certificates here

Next to the compose.yaml file you’ll find a certificates folder containing all the certificates that OpenUEM has created and that are required to run.

7. Visit OpenUEM's Console​

Now open https://CONSOLE_HOST:CONSOLE_PORT (replace the values that you've set in your .env file) and you should see OpenUEM's console

note

If you've set a reverse proxy the url should be https://REVERSE_PROXY_HOST:REVERSE_PROXY_CONSOLE_PORT

Console LogIn

Finally, log in user your admin certificate and read how to install and add your first agent.

note

If you see any certificates error, please ensure that you've imported the right certificates in the right certificate stores of your browser

8. Update​

To update the Docker containers, use docker compose without the Caddy option:

docker compose up --force-recreate -d --build --pull

And if you use the Caddy option:

docker compose up --force-recreate -d  --pull

9. Legacy docker compose​

Notes for deployments carried out before December 22, 2025

The previous version of this repository contained environment variables that have been replaced or renamed. Additionally, a build folder containing scripts for generating the database and NATS configuration has been removed. If you wish to update your Docker deployment, please use the following information.

danger

Do not delete the volume used by the Postgres container to ensure the database remains intact when updating containers. Do not use the -v option with Docker Compose to prevent the deletion of the Postgres volume.

  1. Remove the old containers. Run the following commands from the folder where your old deployment was created.
docker compose down --profile openuem down
docker compose down --profile init down
  1. Clone the new repository
git clone https://github.com/open-uem/openuem-docker`

  1. Rename the new openuem-docker repository folder to openuem. This is needed to ease the reuse of the previous Docker volumes that contain the database and the NATS streams.

  2. Use the file named .env-example file to create a .env file. Set the new variable values using the following table to help you migrate your old .env definitions:

Old variable nameNew variable name
POSTGRES_PORTDATABASE_PORT
DATABASE_URLDATABASE_USER
DATABASE_URLDATABASE_PASSWORD
DATABASE_URLDATABASE_DB_NAME
ORGNAMEOPENUEM_ORGNAME
ORGPROVINCEOPENUEM_ORGPROVINCE
ORGLOCALITYOPENUEM_ORGLOCALITY
ORGADDRESSOPENUEM_ORGADDRESS
COUNTRYOPENUEM_ORGCOUNTRY
DOMAINOPENUEM_DOMAIN
AUTH_PORTCONSOLE_AUTH_PORT
JWT_KEYCONSOLE_JWT_KEY
SERVER_NAMECONSOLE_HOST
SERVER_NAMEOCSP_HOST
SERVER_NAMENATS_HOST
NATS_SERVERSOPENUEM_NATS_SERVER

The old NATS_SERVERS variable has been replaced with two variables NATS_HOST and NATS_PORT.

The old OCSP variable has been replaced with two variables OCSP_HOST and OCSP_PORT.

The old SERVER_NAME was used to assign the console hostname, the ocsp responder URL, and the NATS_SERVERS variable. You must specify the CONSOLE_HOST, OCSP_HOST, NATS_HOST accordingly.

  1. Create a certificates folder and copy the contents of the old certificates folder where your old deployment was created.

  2. Run docker compose up -d from the new folder. The new images will be pulled and the new services will be started.

10. Troubleshooting and FAQ​

10.1. Why I get 401 | Please provide valid credentials when I try to log into OpenUEM console?​

OpenUEM requires a user's certificate to log in. That certificate must be imported in the user's browser before trying to log-in. You can import the certificates following these steps

10.2. Why I see messages like read certificates/console.cer: is a directory in docker logs?​

That means that certificates were not generated in the initial phase, most probably there's a connection issue with the database container or wrong credentials have been used. Database credentials must match between the DATABASE_URL variable set in the .env file and the file build/postgres/init.sh file.