Tool to automatically replace TLS certificates maintained by acmetool.
Helmut Pozimski
919deaa5ad
add configuration parameter to configure the address of the DNS server (closes #1)
|
7 years ago | |
|---|---|---|
| amulib | 7 years ago | |
| example | 7 years ago | |
| .gitignore | 7 years ago | |
| COPYING | 7 years ago | |
| README.md | 7 years ago | |
| acme-updater | 7 years ago | |
| setup.py | 7 years ago |
README.md
About
acme-updater is a tool that takes care of automatically replacing Let's Encrypt SSL certificates maintained by acmetool. It replaces the certificates, takes care of restarting the services and optionally writes TLSA records. The following services are currently supported:
- apache2
- postfix
- dovecot
- ejabberd
Current development is focused on Debian 8 jessie with sysvinit because that's what I use mysel. It might be extended to support other distributions or init systems in the future.
Usage
acme-updater can be called with the following command line arguments:
- --apache
- --postfix
- --dovecot
- --ejabberd
- --config / -C
- --verbose / -V
The ones corresponding to service names enable the module for the service to take care of maintaining the certificates for it. The config argument expects a path to the configuration file as parameter. Verbose overrides any log level set in the configuration file and enables debug logging.
Dependencies
acme-updater is developed for python 3.x. It might work on older versions but this is not supported. Additionally, the following python modules are required:
- pyOpenSSL
- dnspython
COPYING
This software is published under the GNU GENERAL PUBLIC LICENSE, version 2.
CONFIGURATION
The configuration file is a json file which contains a json object with the keys "loglevel", "acme_dir", "dns_server" and "named_key_path". The first one defines the loglevel to use. The second one defines the acme state dir which can be used to obtain the current certificates, the third one the DNS server to talk to and the last one the path to the named session key which is needed to write TLSA records via nsupdate. The other keys in the object correspond to the names of the services and their modules. Each service configuration is another json object and the structure of these might differ by service. They are documented in the section for the modules.
An example configuration file with all parameters in provided in example/config.json.
Apache
This module accepts the following configuration parameters:
- vhosts_dir: the directory the active vhosts can be found in
- tlsa: whether to write tlsa records for the domains
- exclude_vhosts: vhosts that should be excluded from management
- tlsa_exclude: domains that should not receive a TLSA record
The module will parse all vhosts, determine if they use a Let's encrypt certificate and manage it if this is the case and the vhost isn't excluded.
Postfix
This module accepts the following configuration parameters:
- certificate_path: path of the certificate file (public key and chain)
- key_path: path of the private key file
- tlsa: whether to write tlsa records for the domain
- tlsa_ports: ports that should receive a TLSA record
Dovecot
This module accepts the following configuration parameters:
- certificate_path: path of the certificate file (public key and chain)
- key_path: path of the private key file
- tlsa: whether to write tlsa records for the domain
- tlsa_ports: ports that should receive a TLSA record
ejabberd
This module accepts the following configuration parameters:
- certificate_path: path of the certificate file (public key and chain)
- key_path: path of the private key file
- tlsa: whether to write tlsa records for the domain
- tlsa_ports: ports that should receive a TLSA record
INSTALLATION
Use the setup.py to perform the installation, this requires the setuptools module.