configuration: unify how ca_file and ca_static are determined
ensure legacy compatibility (also include defaults case) and update README.md
This commit is contained in:
parent
99d9e41322
commit
fa3fc196f3
@ -62,7 +62,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
|
|||||||
| --force-renew | **c** | (or --renew-now) Immediately renew all certificates containing the given domain(s) | |
|
| --force-renew | **c** | (or --renew-now) Immediately renew all certificates containing the given domain(s) | |
|
||||||
| --revoke | **c** | Revoke the certificate at the given path | |
|
| --revoke | **c** | Revoke the certificate at the given path | |
|
||||||
| --revoke-reason | **c** | Provide a reason code for the revocation (see https://tools.ietf.org/html/rfc5280#section-5.3.1 for valid values) | |
|
| --revoke-reason | **c** | Provide a reason code for the revocation (see https://tools.ietf.org/html/rfc5280#section-5.3.1 for valid values) | |
|
||||||
| domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request, will be MD5 hashed as cert_id | |
|
| domain (san-domain...): | **d** | (domainconfig section start) Domains to use in the cert request. This value will be MD5-hashed as cert_id. | |
|
||||||
| api | d,**g** | Determines the API version used | v2 |
|
| api | d,**g** | Determines the API version used | v2 |
|
||||||
| authority | d,**g** | URL to the certificate authorities API | https://acme-v02.api.letsencrypt.org |
|
| authority | d,**g** | URL to the certificate authorities API | https://acme-v02.api.letsencrypt.org |
|
||||||
| authority_tos_agreement | d,**g**,c | Indicates agreement to the ToS of the certificate authority (--authority-tos-agreement on command line) | |
|
| authority_tos_agreement | d,**g**,c | Indicates agreement to the ToS of the certificate authority (--authority-tos-agreement on command line) | |
|
||||||
@ -73,6 +73,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
|
|||||||
| key_length | d,**g** | Key-length for newly generated private keys | 4096 |
|
| key_length | d,**g** | Key-length for newly generated private keys | 4096 |
|
||||||
| csr_static | **d**,g | Whether to re-use a static CSR or generate a new dynamic CSR | false |
|
| csr_static | **d**,g | Whether to re-use a static CSR or generate a new dynamic CSR | false |
|
||||||
| csr_file | **d**,g | Path to store (and load) the certificate CSR file | {cert_dir}/{cert_id}.csr |
|
| csr_file | **d**,g | Path to store (and load) the certificate CSR file | {cert_dir}/{cert_id}.csr |
|
||||||
|
| ca_static | **d**,g | Whether to re-use a static CA or download a CA file | false |
|
||||||
| ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
|
| ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
|
||||||
| cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
|
| cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
|
||||||
| cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
|
| cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
|
||||||
@ -84,7 +85,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
|
|||||||
| port | **d**,g | [standalone] Serve the challenge using a HTTP server on this port | 80 |
|
| port | **d**,g | [standalone] Serve the challenge using a HTTP server on this port | 80 |
|
||||||
| dns_ttl | **d**,g | [dns.*] Write TXT records with this TTL (also determines the update wait time at twice this value | 60 |
|
| dns_ttl | **d**,g | [dns.*] Write TXT records with this TTL (also determines the update wait time at twice this value | 60 |
|
||||||
| dns_updatedomain | **d**,g | [dns.*] Write the TXT records to this domain (you have to create the necessary CNAME on the real challenge domain manually) | |
|
| dns_updatedomain | **d**,g | [dns.*] Write the TXT records to this domain (you have to create the necessary CNAME on the real challenge domain manually) | |
|
||||||
| nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | <determine from zone SOA> |
|
| nsupdate_server | **d**,g | [dns.nsupdate] DNS Server to delegate the update to | {determine from zone SOA} |
|
||||||
| nsupdate_keyfile | **d**,g | [dns.nsupdate] Bind-formatted TSIG key file to use for updates (may be used instead of nsupdate_key*) | |
|
| nsupdate_keyfile | **d**,g | [dns.nsupdate] Bind-formatted TSIG key file to use for updates (may be used instead of nsupdate_key*) | |
|
||||||
| nsupdate_keyname | **d**,g | [dns.nsupdate] TSIG key name to use for updates | |
|
| nsupdate_keyname | **d**,g | [dns.nsupdate] TSIG key name to use for updates | |
|
||||||
| nsupdate_keyvalue | **d**,g | [dns.nsupdate] TSIG key value to use for updates | |
|
| nsupdate_keyvalue | **d**,g | [dns.nsupdate] TSIG key value to use for updates | |
|
||||||
|
@ -59,7 +59,8 @@ def cert_get(settings):
|
|||||||
if tools.is_cert_valid(crt, settings['ttl_days']):
|
if tools.is_cert_valid(crt, settings['ttl_days']):
|
||||||
print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))
|
print("Certificate '{}' renewed and valid until {}".format(crt, crt.not_valid_after))
|
||||||
tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
|
tools.write_pem_file(crt, settings['cert_file'], stat.S_IREAD)
|
||||||
if "static_ca" in settings and not settings['static_ca'] and ca is not None:
|
if (not str(settings.get('ca_static')).lower() == 'true' or not os.path.exists(settings['ca_file'])) \
|
||||||
|
and ca is not None:
|
||||||
tools.write_pem_file(ca, settings['ca_file'])
|
tools.write_pem_file(ca, settings['ca_file'])
|
||||||
|
|
||||||
|
|
||||||
|
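Review bot: When `ca_static` is true but `ca_file` does not exist, the new condition at the top of the hunk silently writes the server-supplied CA to the path the operator pinned as static, so a deleted or mistyped `ca_file` quietly replaces a pinned CA with whatever the ACME endpoint returned. I'd log that fallback before the write, e.g. `print("WARNING: static CA file '{}' not found, storing downloaded CA".format(settings['ca_file']))`, so the substitution is visible in the run output. The negated comparison also reads more directly as `str(settings.get('ca_static')).lower() != 'true'`, and any spelling other than exactly `true` (such as `yes` or `1`) is treated as dynamic, which is worth documenting. The check relies on `os` being imported in this file, which the hunk does not show; cert_get's body begins before the hunk.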
@ -154,18 +154,14 @@ def parse_config_entry(entry, globalconfig, runtimeconfig):
|
|||||||
update_config_value(config, 'key_length', localconfig, globalconfig, DEFAULT_KEY_LENGTH)
|
update_config_value(config, 'key_length', localconfig, globalconfig, DEFAULT_KEY_LENGTH)
|
||||||
config['key_length'] = int(config['key_length'])
|
config['key_length'] = int(config['key_length'])
|
||||||
|
|
||||||
# SSL CA location
|
# SSL CA location / use static
|
||||||
ca_files = [x for x in entry if 'ca_file' in x]
|
update_config_value(config, 'ca_file', localconfig, globalconfig,
|
||||||
if len(ca_files) > 0:
|
globalconfig.get('server_ca', config['defaults'].get('server_ca',
|
||||||
config['static_ca'] = True
|
os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))))
|
||||||
config['ca_file'] = ca_files[0]
|
update_config_value(config, 'ca_static', localconfig, globalconfig, "false")
|
||||||
elif 'server_ca' in globalconfig:
|
if 'server_ca' in globalconfig or 'server_ca' in config['defaults']:
|
||||||
|
config['ca_static'] = "true"
|
||||||
print("WARNING: Legacy configuration directive 'server_ca' used. Support will be removed in 1.0")
|
print("WARNING: Legacy configuration directive 'server_ca' used. Support will be removed in 1.0")
|
||||||
config['static_ca'] = True
|
|
||||||
config['ca_file'] = globalconfig['server_ca']
|
|
||||||
else:
|
|
||||||
config['static_ca'] = False
|
|
||||||
config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))
|
|
||||||
|
|
||||||
# Domain action configuration
|
# Domain action configuration
|
||||||
config['actions'] = list()
|
config['actions'] = list()
|
||||||
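Review bot: The legacy branch unconditionally sets `config['ca_static'] = "true"` whenever `server_ca` appears in the global config or defaults, so an explicit `ca_static = false` set by the operator in the same configuration is overridden with no message beyond the generic deprecation warning. If `localconfig` and `globalconfig` are plain dicts as the `update_config_value` calls suggest, guarding the override with `if 'ca_static' not in localconfig and 'ca_static' not in globalconfig:` keeps the new directive authoritative while still defaulting legacy setups to a static CA. The stored value is the raw configured string rather than a normalised boolean as done for `key_length` via `int()`, so readers have to compare case-insensitively against `'true'`; a comment such as `# ca_static is kept as a string; readers compare str(value).lower() == 'true'` would make that contract explicit. The old `config['static_ca']` key is no longer set, so any other reader of that key outside this hunk would need updating. parse_config_entry starts before and continues after this hunk.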
|