Tool to automatically replace TLS certificates maintained by acmetool.

Helmut Pozimski e43cb383ab Update license headers to use SPDX format 1 year ago
amulib e43cb383ab Update license headers to use SPDX format 1 year ago
example 919deaa5ad add configuration parameter to configure the address of the DNS server (closes #1) 7 years ago
.gitignore 4c6bcc9273 implement and document the apache module 7 years ago
COPYING 87d13a9d2d Initial commit, create directory structure 7 years ago
README.md 919deaa5ad add configuration parameter to configure the address of the DNS server (closes #1) 7 years ago
acme-updater 4c6bcc9273 implement and document the apache module 7 years ago
setup.py a8c7d1566b specify and document dependencies 7 years ago

README.md

About

acme-updater is a tool that automatically deploys the Let's Encrypt SSL certificates maintained by acmetool. It replaces each service's certificate files, takes care of restarting the affected services and optionally writes TLSA records. The following services are currently supported:

  • apache2
  • postfix
  • dovecot
  • ejabberd

Current development is focused on Debian 8 jessie with sysvinit because that's what I use myself. It might be extended to support other distributions or init systems in the future.

Usage

acme-updater can be called with the following command line arguments:

  • --apache
  • --postfix
  • --dovecot
  • --ejabberd
  • --config / -C
  • --verbose / -V

The arguments named after a service enable that service's module, which then takes care of maintaining the certificates for it. --config expects the path to the configuration file as its parameter. --verbose overrides any log level set in the configuration file and enables debug logging.

Dependencies

acme-updater is developed for Python 3.x. It might work on older versions, but this is not supported. Additionally, the following Python modules are required:

  • pyOpenSSL
  • dnspython

COPYING

This software is published under the GNU GENERAL PUBLIC LICENSE, version 2.

CONFIGURATION

The configuration file is a JSON file containing a single JSON object with the following top-level keys:

  • loglevel: the log level to use
  • acme_dir: the acmetool state directory, from which the current certificates are obtained
  • dns_server: the DNS server to talk to when writing TLSA records
  • named_key_path: the path to the named session key, which is needed to write TLSA records via nsupdate

The remaining keys in the object are the names of the services and their modules. Each service configuration is another JSON object whose structure may differ by service; these are documented in the section for the respective module.

An example configuration file with all parameters is provided in example/config.json.

Apache

This module accepts the following configuration parameters:

  • vhosts_dir: the directory the active vhosts can be found in
  • tlsa: whether to write tlsa records for the domains
  • exclude_vhosts: vhosts that should be excluded from management
  • tlsa_exclude: domains that should not receive a TLSA record

The module parses all vhosts, determines whether each one uses a Let's Encrypt certificate, and manages the certificate if that is the case and the vhost isn't excluded.
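The vhost selection described above, as an added example that is not acme-updater's own code. It assumes (hypothetically, for the check only) that acmetool publishes the current certificate files under <acme_dir>/live/<name>/, and treats a vhost as Let's Encrypt managed when its SSLCertificateFile points into that directory. The vhost contents are constructed inline instead of being read from vhosts_dir; exclude_vhosts is matched against the vhost file name.

```python
"""Decide which Apache vhosts an acme-updater-style Apache module would manage.

Added example, not acme-updater's own code. Assumed acmetool layout:
<acme_dir>/live/<name>/{fullchain,privkey}; vhost files constructed inline.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One <VirtualHost ...> ... </VirtualHost> block (non-greedy, spans lines).
BLOCK_RE = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)
# The three directives the decision needs, one per line.
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M | re.I
)


@dataclass
class VHost:
    file: str
    server_name: Optional[str]
    cert_file: str
    key_file: Optional[str]


def parse_vhosts(filename: str, text: str) -> List[VHost]:
    """Return one VHost per <VirtualHost> block that declares a certificate."""
    found = []
    for block in BLOCK_RE.finditer(text):
        directives = {k.lower(): v for k, v in DIRECTIVE_RE.findall(block.group(1))}
        if "sslcertificatefile" not in directives:
            continue  # plain-HTTP block: nothing to manage
        found.append(VHost(
            file=filename,
            server_name=directives.get("servername"),
            cert_file=directives["sslcertificatefile"],
            key_file=directives.get("sslcertificatekeyfile"),
        ))
    return found


def is_acme_managed(vhost: VHost, acme_dir: str) -> bool:
    """True when the certificate path lies inside <acme_dir>/live/ (assumed acmetool layout)."""
    live_dir = os.path.join(os.path.abspath(acme_dir), "live") + os.sep
    return os.path.abspath(vhost.cert_file).startswith(live_dir)


def select_managed(vhost_files: Dict[str, str], acme_dir: str,
                   exclude_vhosts=()) -> List[VHost]:
    """Apply the exclude_vhosts list, then keep only acmetool-backed vhosts."""
    managed = []
    for filename, text in vhost_files.items():
        if os.path.basename(filename) in exclude_vhosts:
            continue  # excluded by configuration, never touched
        managed.extend(v for v in parse_vhosts(filename, text) if is_acme_managed(v, acme_dir))
    return managed


# Constructed sample vhost files (file name -> contents).
SAMPLE_VHOSTS = {
    "example.com.conf": """
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /var/lib/acme/live/example.com/fullchain
    SSLCertificateKeyFile /var/lib/acme/live/example.com/privkey
</VirtualHost>
""",
    "legacy.conf": """
<VirtualHost *:443>
    ServerName legacy.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/legacy.pem
    SSLCertificateKeyFile /etc/ssl/private/legacy.key
</VirtualHost>
""",
    "staging.conf": """
<VirtualHost *:443>
    ServerName staging.example.com
    SSLCertificateFile /var/lib/acme/live/staging.example.com/fullchain
    SSLCertificateKeyFile /var/lib/acme/live/staging.example.com/privkey
</VirtualHost>
""",
}


def managed_names(exclude_vhosts=()) -> List[str]:
    """ServerNames the module would manage for the sample files."""
    return [v.server_name for v in select_managed(SAMPLE_VHOSTS, "/var/lib/acme", exclude_vhosts)]


if __name__ == "__main__":
    for name in managed_names(exclude_vhosts=("staging.conf",)):
        print("managed:", name)
```

With staging.conf excluded only example.com is managed; legacy.example.org is skipped because its certificate does not live in the acmetool state directory, so the module never touches certificates it did not issue.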

Postfix

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record

Dovecot

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record

ejabberd

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record
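The tlsa and tlsa_ports options of the Postfix, Dovecot and ejabberd modules above all describe the same step: derive one TLSA record per configured port from the service's current certificate. The following is an added example, not acme-updater's own code (which uses pyOpenSSL and dnspython); it extracts subjectPublicKeyInfo from a DER certificate with a minimal stdlib DER walker and emits "3 1 1" records (DANE-EE, SPKI, SHA-256) in presentation format. The certificate it works on is constructed inline and unsigned; it only has the X.509 structure the walk needs. Domain, ports and key bytes are constructed sample values.

```python
"""Build DANE TLSA records for a service's certificate (added example, not
acme-updater's code). Stdlib only; the sample certificate is constructed."""
import hashlib
from typing import List, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse the DER TLV at buf[pos:]; return (tag, value_start, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tag, tbs_pos, _ = _read_tlv(cert_der, 0)           # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = _read_tlv(cert_der, tbs_pos)          # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)              # subjectPublicKeyInfo
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return cert_der[pos:end]


def spki_sha256_hex(spki_der: bytes) -> str:
    """Matching type 1: SHA-256 over the full SPKI TLV, hex-encoded."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_record(domain: str, port: int, spki_der: bytes, proto: str = "tcp") -> str:
    """Presentation-format TLSA RR: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)."""
    return f"_{port}._{proto}.{domain}. IN TLSA 3 1 1 {spki_sha256_hex(spki_der)}"


def records_for_service(domain: str, tlsa_ports: List[int], cert_der: bytes) -> List[str]:
    """One record per configured port, all pinning the certificate's current public key."""
    spki = extract_spki(cert_der)
    return [tlsa_record(domain, port, spki) for port in tlsa_ports]


# --- constructed sample certificate (not a real or signed certificate) -------
def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


# Ed25519 SPKI (OID 1.3.101.112) carrying a dummy 32-byte key.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70"))
                   + _der(0x03, b"\x00" + bytes(range(32))))


def _sample_certificate(spki: bytes) -> bytes:
    """Structurally valid X.509 v3 DER: CN=example.com, dummy dates, zero signature."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, b"\x01")
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"example.com"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, version + serial + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))


SAMPLE_CERT = _sample_certificate(SAMPLE_SPKI)

if __name__ == "__main__":
    for rr in records_for_service("mail.example.com", [25, 465, 587], SAMPLE_CERT):
        print(rr)
```

A "3 1 1" record pins the public key rather than the whole certificate, so it stays valid across renewals that keep the key but must be rewritten whenever the key changes; that is why a deployment tool has to regenerate and publish the records after each certificate replacement rather than once at setup time.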

INSTALLATION

Use setup.py to perform the installation; this requires the setuptools module.