
configuration: unify how ca_file and ca_static are determined

ensure legacy compatibility (also include defaults case) and update README.md
This commit is contained in:
Kishi85 2019-03-28 12:33:59 +01:00
parent 99d9e41322
commit fa3fc196f3
3 changed files with 12 additions and 14 deletions


@ -62,7 +62,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
| --force-renew | **c** | (or --renew-now) Immediately renew all certificates containing the given domain(s) | | | --force-renew | **c** | (or --renew-now) Immediately renew all certificates containing the given domain(s) | |
| --revoke | **c** | Revoke the certificate at the given path | | | --revoke | **c** | Revoke the certificate at the given path | |
| --revoke-reason | **c** | Provide a reason code for the revocation (see https://tools.ietf.org/html/rfc5280#section-5.3.1 for valid values) | | | --revoke-reason | **c** | Provide a reason code for the revocation (see https://tools.ietf.org/html/rfc5280#section-5.3.1 for valid values) | |
| domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request, will be MD5 hashed as cert_id | | | domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request. This value will be MD5-hashed as cert_id. | |
| api | d,**g** | Determines the API version used | v2 | | api | d,**g** | Determines the API version used | v2 |
| authority | d,**g** | URL to the certificate authorities API | https://acme-v02.api.letsencrypt.org | | authority | d,**g** | URL to the certificate authorities API | https://acme-v02.api.letsencrypt.org |
| authority_tos_agreement | d,**g**,c | Indicates agreement to the ToS of the certificate authority (--authority-tos-agreement on command line) | | | authority_tos_agreement | d,**g**,c | Indicates agreement to the ToS of the certificate authority (--authority-tos-agreement on command line) | |
@ -73,6 +73,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
| key_length | d,**g** | Key-length for newly generated private keys | 4096 | | key_length | d,**g** | Key-length for newly generated private keys | 4096 |
| csr_static | **d**,g | Whether to re-use a static CSR or generate a new dynamic CSR | false | | csr_static | **d**,g | Whether to re-use a static CSR or generate a new dynamic CSR | false |
| csr_file | **d**,g | Path to store (and load) the certificate CSR file | {cert_dir}/{cert_id}.csr | | csr_file | **d**,g | Path to store (and load) the certificate CSR file | {cert_dir}/{cert_id}.csr |
| ca_static | **d**,g | Whether to re-use a static CA or download a CA file | false |
| ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca | | ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
| cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt | | cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
| cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false | | cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
@ -84,7 +85,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
| port | **d**,g | [standalone] Serve the challenge using a HTTP server on this port | 80 | | port | **d**,g | [standalone] Serve the challenge using a HTTP server on this port | 80 |
| dns_ttl | **d**,g | [dns.*] Write TXT records with this TTL (also determines the update wait time at twice this value | 60 | | dns_ttl | **d**,g | [dns.*] Write TXT records with this TTL (also determines the update wait time at twice this value | 60 |
| dns_updatedomain | **d**,g | [dns.*] Write the TXT records to this domain (you have to create the necessary CNAME on the real challenge domain manually) | | | dns_updatedomain | **d**,g | [dns.*] Write the TXT records to this domain (you have to create the necessary CNAME on the real challenge domain manually) | |
| nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | <determine from zone SOA> | | nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | {determine from zone SOA} |
| nsupdate_keyfile | **d**,g | [dns.nsupdate] Bind-formatted TSIG key file to use for updates (may be used instead of nsupdate_key*) | | | nsupdate_keyfile | **d**,g | [dns.nsupdate] Bind-formatted TSIG key file to use for updates (may be used instead of nsupdate_key*) | |
| nsupdate_keyname | **d**,g | [dns.nsupdate] TSIG key name to use for updates | | | nsupdate_keyname | **d**,g | [dns.nsupdate] TSIG key name to use for updates | |
| nsupdate_keyvalue | **d**,g | [dns.nsupdate] TSIG key value to use for updates | | | nsupdate_keyvalue | **d**,g | [dns.nsupdate] TSIG key value to use for updates | |


@ -59,7 +59,8 @@ def cert_get(settings):
if tools.is_cert_valid(crt, settings['ttl_days']): if tools.is_cert_valid(crt, settings['ttl_days']):
print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after)) print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))
tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD) tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
if "static_ca" in settings and not settings['static_ca'] and ca is not None: if (not str(settings.get('ca_static')).lower() == 'true' or not os.path.exists(settings['ca_file'])) \
and ca is not None:
tools.write_pem_file(ca, settings['ca_file']) tools.write_pem_file(ca, settings['ca_file'])
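Review bot: The new condition still writes the downloaded CA to `settings['ca_file']` when `ca_static` is true, as long as that file does not exist yet, so a static CA path that is missing (typo, unmounted volume, first run) is silently populated from the ACME response and then reused as the trusted CA on every later run. If that bootstrap is intended it should be stated in a comment and announced with a print like the other file writes; otherwise the `os.path.exists` clause should be dropped so a static configuration is never written to. The expression `not str(settings.get('ca_static')).lower() == 'true'` also depends on `not` binding looser than `==`; `str(settings.get('ca_static')).lower() != 'true'` reads the same and is unambiguous. cert_get continues outside the hunk.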


@ -154,18 +154,14 @@ def parse_config_entry(entry, globalconfig, runtimeconfig):
update_config_value(config, 'key_length', localconfig, globalconfig, DEFAULT_KEY_LENGTH) update_config_value(config, 'key_length', localconfig, globalconfig, DEFAULT_KEY_LENGTH)
config['key_length'] = int(config['key_length']) config['key_length'] = int(config['key_length'])
# SSL CA location # SSL CA location / use static
ca_files = [x for x in entry if 'ca_file' in x] update_config_value(config, 'ca_file', localconfig, globalconfig,
if len(ca_files) > 0: globalconfig.get('server_ca', config['defaults'].get('server_ca',
config['static_ca'] = True os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))))
config['ca_file'] = ca_files[0] update_config_value(config, 'ca_static', localconfig, globalconfig, "false")
elif 'server_ca' in globalconfig: if 'server_ca' in globalconfig or 'server_ca' in config['defaults']:
config['ca_static'] = "true"
print("WARNING: Legacy configuration directive 'server_ca' used. Support will be removed in 1.0") print("WARNING: Legacy configuration directive 'server_ca' used. Support will be removed in 1.0")
config['static_ca'] = True
config['ca_file'] = globalconfig['server_ca']
else:
config['static_ca'] = False
config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))
# Domain action configuration # Domain action configuration
config['actions'] = list() config['actions'] = list()
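Review bot: The rewritten block drops the old rule that a per-domain `ca_file` entry implied a static CA: `ca_static` now defaults to `"false"` unless set explicitly, so an existing config that names its own `ca_file` without `ca_static` is treated as download mode and the file it points to can be overwritten with the CA returned by the ACME server (assuming update_config_value only falls back to its last argument when neither local nor global config sets the key). If that is the intended new contract, the README row for `ca_file` should say so and a warning like the `server_ca` one should be printed for this case; otherwise add `if 'ca_file' in localconfig: config['ca_static'] = "true"` before the legacy check. The legacy branch also overrides an explicitly configured `ca_static = false` whenever `server_ca` is present, which the warning text does not mention. parse_config_entry continues outside the hunk.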