1
0
mirror of https://github.com/moepman/acertmgr.git synced 2024-12-28 20:41:52 +01:00
Commit Graph

128 Commits

Author SHA1 Message Date
Kishi85
084d162361 acertmgr: Run actions in a shell environment to allow shell syntax 2019-03-25 15:09:24 +01:00
Kishi85
a71ab0f31a configuration: fix specific domain config not overriding global+defaults 2019-03-25 15:09:19 +01:00
Kishi85
ed96f2bbf2 acertmgr: store CSR and support static CSR usage
Store the generated CSR for later review/usage and allow the stored
CSR to be used for future request. Configuration directives csr_file
(path) and csr_static (=true) have been added for this.

This allows simplified deployment of DANE/TLSA due the former requiring
updates to DNS with every public key change, which will not be the case
with a static CSR. A new CSR can be triggered manually by deleting the
CSR file upon which the next certificate will require an update of any
TLSA records in DNS.

This may also be used to specify a custom CSR to use, as long as the
csr_file path and the domains in the CSR match the ones given in the
acertmgr configuration.
2019-03-25 10:13:02 +01:00
Kishi85
5171a93608 setup: Add a single space for PEP-8 2019-03-25 10:13:02 +01:00
Kishi85
7ee34912c1 acertmgr: rework how files are handled in general
- Remove unnecessary tempfiles and keep as much in memory as possible
- Unify the way PEM files are written and read
2019-03-25 10:12:59 +01:00
Kishi85
46efc1038c acertmgr: always check certificate destinations for update + actions 2019-03-24 18:18:53 +01:00
Kishi85
fd2134753a tools: cleanup function names and add crypto wrappers 2019-03-24 16:49:03 +01:00
Kishi85
710c42c805 standalone: do not attempt webdir challenge verification
webdir challenge verfication will always fail with standalone due to the
server not being started immediately at the point of challenge creation.
2019-03-23 11:01:32 +01:00
Kishi85
1e5b1defa7 configuration: fixes and print warnings on certain options (prepares #30)
- Print warnings when certain configuration options are used
- Print warnings when old file/directory paths are used
- Fix compatibility with old configurations expecting v1 API for now
2019-03-23 10:12:17 +01:00
Kishi85
cda4be09f4 acertmgr: don't fail when no issuer CA can be retrieved
Do not fail if there is no issuer CA download possible in any way. Just
let the user provide the (static) CA certifiate at ca_file or fail during
certificate deployment.
2019-03-23 08:31:27 +01:00
Kishi85
c0d23631b6 tools: add wrapper for urlopen and use it throughout acertmgr 2019-03-22 16:09:21 +01:00
Kishi85
985bc46f39 authority.v2: always cache next nonce if it is present 2019-03-22 15:54:48 +01:00
Kishi85
83f31bf91d acertmgr: cleanup code (PEP-8 + replace assertions) 2019-03-22 12:45:34 +01:00
Kishi85
d62afac9d6 authority.v2: Guess directory data if retrieval fails 2019-03-22 12:22:17 +01:00
Kishi85
53f61f19d1 setup: rework version determination for release bundles and update values 2019-03-22 12:15:59 +01:00
2ed50e032d README: sync with docs 2019-03-22 10:23:21 +01:00
f59285f8ff Provide sample for nsupdate_keyalgorithm 2019-03-22 10:21:32 +01:00
d5eba22ad8 docs: clarify (also: Python 3.4 has reached EoL) 2019-03-22 09:52:02 +01:00
92337436bc docs: cleanup whitespace and remove "---" from json examples 2019-03-21 22:25:08 +01:00
5b3993e9ef tools: optimize imports (remove unused import) 2019-03-21 22:03:58 +01:00
Kishi85
17dfaa08f0 configuration: Translate unicode names to IDNA (fixes #24) 2019-03-21 18:43:41 +01:00
Kishi85
c054ecebe9 acertmgr: change the way the issuer CA is fetched
This changes the way the issuer CA is retrieved if no static_ca file is
used. Previously we would always download the CA using the AIA Info but
API v2 provides normally the full chain PEM upon certificate retrieval
and does not need this step. For the APIv2 case we now use the CA
provided with the certificate which required some changes to the basic
handling of CA files. APIv1 has been adapted to this new handling.
APIv2 has a fallback option to the way APIv1 handles it in case no CA
has been provided.
2019-03-21 12:26:32 +01:00
Kishi85
316ecdba2e configuration: Force user to agree to the authorities Terms of Service
Authorities (e.g. Let's Encrypt) usually have Terms of Serivce (ToS)
that have to be agreed to. Up until this point we automatically
indicated agreement to those ToS and sent the necessary value.

This commit changes the behaviour to be in line with recommendations
from Let's Encrypt that the user themselves have to indicate their
agreement by no longer automatically doing so (except for cases of
legacy configuration files to provide compatibility).

The user can now indicate ToS agreement by either setting the associated
configuration variable (authority_tos_agreement) to the required value
and/or providing the required value via a command-line parameter
(--authority-tos-agreement=<value>/--tos-agreement=<value>/--tos=<value>)
2019-03-20 15:31:53 +01:00
Kishi85
784badf54b docs: Update examples and README for ACMEv2 API and other changes 2019-03-20 15:31:53 +01:00
Kishi85
f2567da7fa configuration: Change default API to v2 with Let's Encrypt Endpoint 2019-03-20 15:31:53 +01:00
Kishi85
530256ecec authority.v2: Add ACMEv2 API implementation 2019-03-20 15:31:48 +01:00
Kishi85
d272f9ada3 configuration: fix global config file detection 2019-03-19 12:08:53 +01:00
Kishi85
a93b047275 configuration: use legacy workdir with legacy configuration only 2019-03-19 12:08:53 +01:00
Kishi85
6440ef204a dns.nsupdate: Fix TTL screen output and move TTL to generic dns module 2019-03-19 12:08:53 +01:00
Kishi85
1b95f512ed dns.nsupdate: Simplify key_file key_name lookup 2019-03-18 13:20:45 +01:00
Kishi85
57e955d1f0 configuration: Change default TTL to Let's Encrypt recommendation 2019-03-18 13:13:22 +01:00
Kishi85
53fcc0b2a6 dns.nsupdate: add additional validation for nameserver ip lookup 2019-03-11 19:52:33 +01:00
Kishi85
3f59bb4061 configuration: unify config value parsing 2019-03-07 13:51:08 +01:00
Kishi85
ad70e1abd4 PEP-8 cleanup 2019-02-27 11:36:00 +01:00
Kishi85
b99014c7c3 setup: Add config examples, deploy readme and arch PKGBUILD 2019-02-25 20:31:05 +01:00
Kishi85
dc2144b0d3 setup: add excludes to gitignore 2019-02-25 18:50:52 +01:00
Kishi85
8e0639f62c authority.v1: remove hardcoded agreement data 2019-02-24 19:48:24 +01:00
Kishi85
3562a6a5a3 setup: change long_description content type to markdown 2019-02-23 17:36:27 +01:00
567b1feb4b README: fix whitespace 2019-02-22 11:09:33 +01:00
f853001aea abstract: use NotImplementedError instead of NotImplemented 2019-02-22 10:32:36 +01:00
d6f8f29e82 configuration: use yaml.safe_load instead of load 2019-02-22 10:31:28 +01:00
Kishi85
67c83d8fce configuration: cleanup handling+defaults and add commandline options
This adds a few basic command line parameters to allow further
customization of the configuration locations. As well as defining new
default locations for the acertmgr config files and updating the parser
with missing values, so that the config dictionary provided to the
acertmgr process after parsing is complete and no cross reference to the
configuration module is necessary. The parser error handling is also
improved.
2019-02-20 12:03:40 +01:00
Kishi85
33678aac8e add setup.py to support setuptools (easy_install/pip/etc.) 2019-02-20 11:50:36 +01:00
Kishi85
5d8b0134ea fix broken references from move and add legacy run script 2019-02-20 11:49:30 +01:00
Kishi85
f1f2d5c7cd move everything to package 'acertmgr' 2019-02-20 11:43:44 +01:00
Kishi85
8808dadbaf Optimize imports 2019-02-18 20:45:28 +01:00
Kishi85
da3dc4261f acertmgr: Fix wrong variable (works due to global var at this point) 2019-02-18 20:43:13 +01:00
Kishi85
2dbc7302eb dns.nsupdate: Verify added DNS record 2019-02-15 14:19:15 +01:00
Kishi85
dedb08b759 dns.nsupdate: correctly delete a specific TXT value from DNS 2019-02-15 13:44:12 +01:00
Kishi85
5418a25c1e dns.nsupdate: Change status output order for better debugging 2019-02-15 13:05:19 +01:00