Tool to automatically replace TLS certificates maintained by acmetool.

Helmut Pozimski 027f3a7b32 main: correct service calls 8 months ago
amulib 027f3a7b32 main: correct service calls 8 months ago
example ea8300a16d Refactor certificate path determination to allow support for tools other than acmetool 9 months ago
.gitignore 939e68f5f6 Add dist directory to .gitignore 9 months ago
COPYING 87d13a9d2d Initial commit, create directory structure 7 years ago
README.md ea8300a16d Refactor certificate path determination to allow support for tools other than acmetool 9 months ago
acme-updater 4c6bcc9273 implement and document the apache module 7 years ago
setup.py a8c7d1566b specify and document dependencies 7 years ago

README.md

About

acme-updater is a tool that takes care of automatically replacing Let's Encrypt SSL certificates maintained by acmetool. It replaces the certificates, takes care of restarting the services and optionally writes TLSA records. The following services are currently supported:

  • apache2
  • postfix
  • dovecot
  • ejabberd

Current development is focused on current Debian and Gentoo versions because that's what I use myself. It might be extended to support other distributions in the future.

Usage

acme-updater can be called with the following command line arguments:

  • --apache
  • --postfix
  • --dovecot
  • --ejabberd
  • --config / -C
  • --verbose / -V

The ones corresponding to service names enable the module for the service to take care of maintaining the certificates for it. The config argument expects a path to the configuration file as parameter. Verbose overrides any log level set in the configuration file and enables debug logging.

Dependencies

acme-updater is developed for python 3.x. It might work on older versions but this is not supported. Additionally, the following python modules are required:

  • pyOpenSSL
  • dnspython

COPYING

This software is published under the GNU GENERAL PUBLIC LICENSE, version 2.

CONFIGURATION

The configuration file is a json file which contains a json object with the keys "loglevel", "acme_dir", "dns_server" and "named_key_path". The first one defines the loglevel to use. The second one defines the acme state dir which can be used to obtain the current certificates, the third one the DNS server to talk to and the last one the path to the named session key which is needed to write TLSA records via nsupdate. The other keys in the object correspond to the names of the services and their modules. Each service configuration is another json object and the structure of these might differ by service. They are documented in the section for the modules.

An example configuration file with all parameters in provided in example/config.json.

Apache

This module accepts the following configuration parameters:

  • vhosts_dir: the directory the active vhosts can be found in
  • tlsa: whether to write tlsa records for the domains
  • exclude_vhosts: vhosts that should be excluded from management
  • tlsa_exclude: domains that should not receive a TLSA record

The module will parse all vhosts, determine if they use a Let's encrypt certificate and manage it if this is the case and the vhost isn't excluded.

Postfix

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record

Dovecot

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record

ejabberd

This module accepts the following configuration parameters:

  • certificate_path: path of the certificate file (public key and chain)
  • key_path: path of the private key file
  • tlsa: whether to write tlsa records for the domain
  • tlsa_ports: ports that should receive a TLSA record

INSTALLATION

Use the setup.py to perform the installation, this requires the setuptools module.