acertmgr/README.md

ACERTMGR
========

This is an automated certificate manager using ACME/letsencrypt.

Running ACERTMGR
----------------

The main file acertmgr.py is intended to be run regularly (e.g. as daily cron job) as root.

Requirements
------------

  * Python (2.7+ and 3.4+ should work)
  * python-dateutil
  * PyYAML
  * pyopenssl

Initial Setup
-------------

First, you need to provide two key files for acme-tiny:
  * The account key is expected at `/etc/acme/account.key`
  * The domain key is expected at `/etc/acme/server.key` (note: only one domain key is required for all domains used in the same instance of acertmgr)
If you are missing these keys, you can create them using `openssl genrsa 4096 > /etc/acme/account.key` and `openssl genrsa 4096 > /etc/acme/server.key` respectively.
Otherwise refer to the acme-timy documentation for how to reuse your existing keys.

Second, you should decide which challenge mode you want to use with acertmgr
  * webdir: In this mode, challenges are put into a directory, and served by an existing webserver. Make sure the target directory exists!
  * standalone: In this mode, challenges are completed by acertmgr directly.
    This starts a webserver to solve the challenges, which can be used standalone or together with an existing webserver that forwards request to a specified local port.

Finally, you need to setup the configuration files, as shown in the next section.

Configuration
-------------

The main configuration is read from `/etc/acme/acme.conf`, domains for which certificates should be obtained/renewed should be configured in `/etc/acme/domains.d/{fqdn}.conf`.

All configuration files use yaml syntax.

  * Example global configuration file:
```yaml
---

mode: webdir
#mode: standalone
#port: 13135
webdir: /var/www/acme-challenge/
cafile: /etc/acme/letencrypt_ca.crt

defaults:
  format: crt
```

  * Example domain configuration file:

```yaml
---

mail.example.com:
- path: /etc/postfix/ssl/mail.key
  user: postfix
  group: postfix
  perm: '400'
  format: key
  action: '/etc/init.d/postfix reload'
- path: /etc/postfix/ssl/mail.crt
  user: postfix
  group: postfix
  perm: '400'
  format: crt
  action: '/etc/init.d/postfix reload'
- path: /etc/dovecot/ssl/mail.crt
  user: dovecot
  group: dovecot
  perm: '400'
  action: '/etc/init.d/dovecot reload'
```

Security
--------

Please keep the following in mind when using this software:

  * DO read the source code, since it is intended to be run as root
  * Make sure that your configuration files are NOT writable by other users - arbitrary commands can be executed after updating certificates
Add README 2016-01-10 15:20:59 +01:00			`ACERTMGR`
			`========`

			`This is an automated certificate manager using ACME/letsencrypt.`

			`Running ACERTMGR`
			`----------------`

			`The main file acertmgr.py is intended to be run regularly (e.g. as daily cron job) as root.`

More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00			`Requirements`
			`------------`

Fix markdown in README 2016-01-11 20:22:36 +01:00			`* Python (2.7+ and 3.4+ should work)`
Improve README 2016-01-21 16:43:05 +01:00			`* python-dateutil`
Fix markdown in README 2016-01-11 20:22:36 +01:00			`* PyYAML`
replace acme-tiny using a pyopenssl implementation of the same functionality instead 2016-04-04 01:12:50 +02:00			`* pyopenssl`
More checks (e.g. for acme_tiny) 2016-01-11 20:15:31 +01:00
Initial setup documentation Adds a section for the initial motions required to get a acertmgr running 2016-02-13 00:54:28 +01:00			`Initial Setup`
			`-------------`

			`First, you need to provide two key files for acme-tiny:`
			* The account key is expected at `/etc/acme/account.key`
			* The domain key is expected at `/etc/acme/server.key` (note: only one domain key is required for all domains used in the same instance of acertmgr)
			If you are missing these keys, you can create them using `openssl genrsa 4096 > /etc/acme/account.key` and `openssl genrsa 4096 > /etc/acme/server.key` respectively.
			`Otherwise refer to the acme-timy documentation for how to reuse your existing keys.`

			`Second, you should decide which challenge mode you want to use with acertmgr`
			`* webdir: In this mode, challenges are put into a directory, and served by an existing webserver. Make sure the target directory exists!`
			`* standalone: In this mode, challenges are completed by acertmgr directly.`
			`This starts a webserver to solve the challenges, which can be used standalone or together with an existing webserver that forwards request to a specified local port.`

			`Finally, you need to setup the configuration files, as shown in the next section.`

Add README 2016-01-10 15:20:59 +01:00			`Configuration`
			`-------------`

			The main configuration is read from `/etc/acme/acme.conf`, domains for which certificates should be obtained/renewed should be configured in `/etc/acme/domains.d/{fqdn}.conf`.

			`All configuration files use yaml syntax.`

			`* Example global configuration file:`
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			```yaml
			`---`
Add README 2016-01-10 15:20:59 +01:00
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			`mode: webdir`
Minor code and documentation improvements 2016-01-10 15:48:16 +01:00			`#mode: standalone`
Initial setup documentation Adds a section for the initial motions required to get a acertmgr running 2016-02-13 00:54:28 +01:00			`#port: 13135`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00			`webdir: /var/www/acme-challenge/`
New format: ca to be able to create cert-chains. 2016-02-21 15:27:46 +01:00			`cafile: /etc/acme/letencrypt_ca.crt`
Split cert_get into cert_get and cert_put 2016-01-10 17:29:26 +01:00
			`defaults:`
Improve README 2016-01-21 16:43:05 +01:00			`format: crt`
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			```
Add README 2016-01-10 15:20:59 +01:00
			`* Example domain configuration file:`

Fix README mardown syntax 2016-01-10 15:27:08 +01:00			```yaml
			`---`

			`mail.example.com:`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`- path: /etc/postfix/ssl/mail.key`
			`user: postfix`
			`group: postfix`
			`perm: '400'`
			`format: key`
			`action: '/etc/init.d/postfix reload'`
Improve README 2016-01-21 16:43:05 +01:00			`- path: /etc/postfix/ssl/mail.crt`
			`user: postfix`
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			`group: postfix`
			`perm: '400'`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`format: crt`
			`action: '/etc/init.d/postfix reload'`
Improve README 2016-01-21 16:43:05 +01:00			`- path: /etc/dovecot/ssl/mail.crt`
			`user: dovecot`
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			`group: dovecot`
			`perm: '400'`
Rename notify to action and execute them only once. 2016-02-21 11:18:32 +01:00			`action: '/etc/init.d/dovecot reload'`
Fix README mardown syntax 2016-01-10 15:27:08 +01:00			```
Add a security section to README 2016-01-10 15:56:04 +01:00
			`Security`
			`--------`

			`Please keep the following in mind when using this software:`

			`* DO read the source code, since it is intended to be run as root`
			`* Make sure that your configuration files are NOT writable by other users - arbitrary commands can be executed after updating certificates`