2016-01-10 15:20:59 +01:00
ACERTMGR
========
This is an automated certificate manager using ACME/letsencrypt.
Running ACERTMGR
----------------
The main file acertmgr.py is intended to be run regularly (e.g. as daily cron job) as root.
2016-01-11 20:15:31 +01:00
Requirements
------------
2019-03-22 09:52:02 +01:00
* Python (2.7+ and 3.5+ should work)
2019-01-08 08:22:31 +01:00
* cryptography
2019-02-22 11:09:33 +01:00
2019-01-08 08:22:31 +01:00
Optional packages
-----------------
* PyYAML (when using config files in YAML format)
* dnspython (required for the dns.nsupdate mode)
2019-03-21 13:03:09 +01:00
* idna (for automatically translating to the IDNA representation of unicode domain names)
2016-01-11 20:15:31 +01:00
2016-02-13 00:54:28 +01:00
Initial Setup
-------------
2019-01-08 08:22:31 +01:00
You should decide which challenge mode you want to use with acertmgr:
2019-03-22 09:52:02 +01:00
* webdir: In this mode, responses to challenges are put into a directory, to be served by an existing webserver
2016-02-13 00:54:28 +01:00
* standalone: In this mode, challenges are completed by acertmgr directly.
2016-04-14 17:20:15 +02:00
This starts a webserver to solve the challenges, which can be used standalone or together with an existing webserver that forwards request to a specified local port
2019-01-08 08:22:31 +01:00
* webdir/standalone: Make sure that the `webdir` directory exists in both cases (Note: the standalone webserver does not yet serve the files in situation)
* dns.*: This mode puts the challenge into a TXT record for the domain (usually _acme-challenge.< domain > ) where it will be parsed from by the authority
* dns.* (Alias mode): Can be used similar to the above but allows redirection of _acme-challenge.< domain > to any other (updatable domain) defined in dns_updatedomain via CNAME (e.g. _acme-challenge.example.net IN CNAME bla.foo.bar with config dns_updatedomain="bla.foo.bar" in config)
* dns.nsupdate: Updates the TXT record using RFC2136 (with dnspython)
2019-03-22 09:52:02 +01:00
You can optionally provide the private key files to be used with the ACME protocol (if you do not they will be automatically created):
* The account private key is expected at `/etc/acertmgr/account.key` (used to register an account with the authorities server)
* The domain private key is expected at `/etc/acertmgr/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
2019-03-19 10:45:36 +01:00
* If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acertmgr/account.key` and `openssl genrsa 4096 > /etc/acertmgr/server.key` respectively
* Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acertmgr/*.key`
2016-02-13 00:54:28 +01:00
Finally, you need to setup the configuration files, as shown in the next section.
2016-04-14 17:20:15 +02:00
While testing, you can use the acme-staging authority instead, in order to avoid issuing too many certificates.
2016-02-13 00:54:28 +01:00
2019-03-20 10:34:59 +01:00
Authorities (e.g. our default Let's Encrypt) will require you to accept their Terms of Service. This can be done either in the optional global config file and/or via a commandline parameter (see acertmgr.py --help).
2016-01-10 15:20:59 +01:00
Configuration
-------------
2019-02-20 11:57:15 +01:00
Unless specified with a commandline parameter (see acertmgr.py --help) the optional global configuration is read from '/etc/acertmgr/acertmgr.conf'.
2019-03-19 10:45:36 +01:00
Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is always excluded if it is in the same directory).
2016-01-10 15:20:59 +01:00
2019-01-08 08:22:31 +01:00
All configuration files can use yaml (requires PyYAML) or json syntax.
2016-01-10 15:20:59 +01:00
2019-02-20 11:57:15 +01:00
* Example optional global configuration file (YAML syntax):
2019-02-22 11:09:33 +01:00
2016-01-10 15:27:08 +01:00
```yaml
---
2019-03-21 22:12:53 +01:00
2019-03-19 10:45:36 +01:00
# Optional: Authority API endpoint to use
# Legacy ACME v1 API with options:
#api: v1
#authority: "https://acme-v01.api.letsencrypt.org"
2019-01-08 08:22:31 +01:00
#authority: "https://acme-staging.api.letsencrypt.org"
2019-03-20 10:34:59 +01:00
#authority_tos_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
2019-03-21 22:12:53 +01:00
2019-03-19 10:45:36 +01:00
# Current (default) ACME v2 API with options:
#api: v2
#authority: "https://acme-v02.api.letsencrypt.org"
#authority: "https://acme-staging-v02.api.letsencrypt.org"
2019-03-20 10:34:59 +01:00
authority_tos_agreement: "true" # Indicates you agree to the ToS stated by the API provider
2019-03-19 10:45:36 +01:00
#authority_contact_email: "foo@b.ar" # For single addresses
#authority_contact_email: # For multiple addresses
# - "foo@b.ar"
# - "c4f3@b.ar"
# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
#account_key: "/etc/acertmgr/account.key"
2016-01-10 17:29:26 +01:00
2019-01-08 08:22:31 +01:00
# Optional: global server_key location. Otherwise separate key per server
2019-03-19 10:45:36 +01:00
#server_key: "/etc/acertmgr/server.key"
2016-04-04 01:44:21 +02:00
2019-01-08 08:22:31 +01:00
# Optional: global challenge handling mode with parameters
#mode: webdir
#webdir: /var/www/acme-challenge/
#mode: standalone
#port: 13135
2016-01-10 15:27:08 +01:00
```
2016-01-10 15:20:59 +01:00
2019-01-08 08:22:31 +01:00
* Example domain configuration file (YAML syntax):
2016-01-10 15:20:59 +01:00
2016-01-10 15:27:08 +01:00
```yaml
---
2019-03-22 09:52:02 +01:00
# this will save the the key and certificate chain seperately
2016-01-10 15:27:08 +01:00
mail.example.com:
2016-02-21 11:18:32 +01:00
- path: /etc/postfix/ssl/mail.key
2016-04-14 17:20:15 +02:00
user: root
group: root
2016-02-21 11:18:32 +01:00
perm: '400'
format: key
action: '/etc/init.d/postfix reload'
2016-01-21 16:43:05 +01:00
- path: /etc/postfix/ssl/mail.crt
2016-04-14 17:20:15 +02:00
user: root
group: root
2016-01-10 15:27:08 +01:00
perm: '400'
2016-04-14 17:20:15 +02:00
format: crt,ca
2016-02-21 11:18:32 +01:00
action: '/etc/init.d/postfix reload'
2016-04-04 01:45:12 +02:00
2019-03-22 09:52:02 +01:00
# this will combine the key and certificate chain into a single file
2016-04-04 01:45:12 +02:00
jabber.example.com:
- path: /etc/ejabberd/server.pem
user: jabber
group: jabber
perm: '400'
format: key,crt,ca
2016-04-04 09:11:04 +02:00
action: '/etc/init.d/ejabberd restart'
2016-04-04 01:45:12 +02:00
2016-04-14 17:20:15 +02:00
# this will create a certificate with subject alternative names
2016-04-04 01:49:23 +02:00
www.example.com example.com:
2016-04-04 01:45:12 +02:00
- path: /var/www/ssl/cert.pem
user: apache
group: apache
perm: '400'
action: '/etc/init.d/apache2 reload'
format: crt,ca
- path: /var/www/ssl/key.pem
user: apache
group: apache
perm: '400'
action: '/etc/init.d/apache2 reload'
format: key
2019-01-08 08:22:31 +01:00
# this will create a certificate with subject alternative names
# using a different challenge handler for one domain
2019-03-19 10:45:36 +01:00
# wildcards are possible with api v2 and dns challenge modes only!
mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
2019-01-08 08:22:31 +01:00
- mode: dns.nsupdate
nsupdate_server: ns1.example.com
nsupdate_keyname: mail
nsupdate_keyvalue: Test1234512359==
2019-03-22 10:23:21 +01:00
nsupdate_keyalgorithm: HMAC-MD5.SIG-ALG.REG.INT
2019-01-08 08:22:31 +01:00
- domain: webmail.example.net
mode: dns.nsupdate
nsupdate_server: ns1.example.net
nsupdate_keyname: webmail.
nsupdate_keyfile: /etc/nsupdate.key
dns_updatedomain: webmail.example.net
- path: /etc/postfix/ssl/mail.key
user: root
group: root
perm: '400'
format: key
action: '/etc/init.d/postfix reload'
- path: /etc/postfix/ssl/mail.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/etc/init.d/postfix reload'
```
2019-02-22 11:09:33 +01:00
* Example optional global configuration file (JSON syntax):
2019-01-08 08:22:31 +01:00
```json
{
"mode": "standalone",
"port": "80",
2019-03-19 10:45:36 +01:00
"account_key": "/etc/acertmgr/acc.key",
"server_key": "/etc/acertmgr/serv.key",
2019-01-08 08:22:31 +01:00
"webdir": "/var/www/acme-challenge/",
"authority": "https://acme-v01.api.letsencrypt.org",
}
```
* Example domain configuration file (JSON syntax):
```json
{
"mail.example.com": [
{ "path": "/etc/postfix/ssl/mail.key",
"user": "root",
"group": "root",
"perm": "400",
"format": "key",
"action": "/etc/init.d/postfix reload" },
{ "path": "/etc/postfix/ssl/mail.crt",
"user": "root",
"group": "root",
"perm": "400",
"format": "crt,ca",
"action": "/etc/init.d/postfix reload" }
],
"jabber.example.com": [
{ "path": "/etc/ejabberd/server.pem",
"user": "jabber",
"group": "jabber",
"perm": "400",
"format": "key,crt,ca",
"action": "/etc/init.d/ejabberd restart" }
],
"www.example.com example.com": [
{ "path": "/var/www/ssl/cert.pem",
"user": "apache",
"group": "apache",
"perm": "400",
"action": "/etc/init.d/apache2 reload",
"format": "crt,ca" },
{ "path": "/var/www/ssl/key.pem",
"user": "apache",
"group": "apache",
"perm": "400",
"action": "/etc/init.d/apache2 reload",
"format": "key" }
]
}
2016-01-10 15:27:08 +01:00
```
2016-01-10 15:56:04 +01:00
Security
--------
Please keep the following in mind when using this software:
2016-04-14 17:20:15 +02:00
* DO read the source code, since it has to be run as root
2016-01-10 15:56:04 +01:00
* Make sure that your configuration files are NOT writable by other users - arbitrary commands can be executed after updating certificates
