mirror of https://github.com/moepman/acertmgr.git synced 2024-12-28 18:21:51 +01:00
Commit Graph

206 Commits

Author SHA1 Message Date
Kishi85
47e3312aad dns: Add additional TXT record verifications to reduce wait time
This may also be used to guarantee a correct TXT record lookup by setting
dns_verify_all_ns=true, a dns_verify_failtime < dns_verify_waittime and
a high enough value of dns_verify_failtime (like 300 seconds)
2019-04-04 13:39:34 +02:00
Kishi85
1aae651d98 modes: unify and optimize challenge handler workflow
- Remove wait times returned by create_challenge
- Remove wait loops from authorities
- Add the wait for valid DNS TXT records in the abstract
  DNSChallengeHandler start_challenge function.
- Move challenge verification to start_challenge in general
2019-04-04 13:39:34 +02:00
Kishi85
54cb334600 acertmgr: add support for the ocsp must-staple extension
Introduces a new config directive and requires at least cryptography 2.1
2019-04-04 13:39:05 +02:00
07696f5721 version: bump to 0.9.5 2019-04-01 12:31:44 +02:00
Kishi85
0a5356a302 configuration: fix broken idna handling 2019-03-31 23:17:02 +02:00
Kishi85
fe7a064604 acertmgr: log exceptions during processing, raise afterward
If anything goes wrong during cert_get/cert_put/running
actions/cert_revoke superseded do not fail completely and continue with
the remaining domains to process. Print all exceptions and after
processing raise a RuntimeError
2019-03-28 21:15:46 +01:00
Kishi85
7e4c350a4f configuration: remove redundant 'domains' parameter, just use domainlist 2019-03-28 14:52:18 +01:00
Kishi85
fa3fc196f3 configuration: unify how ca_file and ca_static are determined
ensure legacy compatibility (also include defaults case) and update README.md
2019-03-28 13:41:27 +01:00
Kishi85
99d9e41322 configuration: cleanup for legacy removal and improve readability 2019-03-28 12:38:53 +01:00
Kishi85
45ccb6b0d6 docs: update readme with new command-line parameters 2019-03-28 11:13:54 +01:00
Kishi85
ba9e206423 authority.v[12]: skip subsequent account registration 2019-03-28 09:48:54 +01:00
Kishi85
735c986f0d acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:48:54 +01:00
Kishi85
75f597ac36 configuration: put all authority related directives into sub-dict 2019-03-28 09:48:54 +01:00
Kishi85
f01140e89b acertmgr: Add option to supersede previous cert on renewal
Add option to automatically revoke the previous certificate with reason
superseded after deployment and all actions have been successful.
2019-03-28 09:48:54 +01:00
Kishi85
39aa7db24c acertmgr: deploy certificates after all are renewed
as certificate renewal might take some time (on DNS-01 especially) it is
a good idea to wait with deployment until all certificates are finished
renewing and copy them to their destinations then + run actions
2019-03-28 09:48:45 +01:00
Kishi85
737578159b acertmgr: Add support for account.key based certificate revocation 2019-03-28 00:53:54 +01:00
Kishi85
bd27db4ebd acertmgr: add force renew option to immediately renew a cert 2019-03-27 18:37:03 +01:00
Kishi85
dfaca3b58f configuration: put idna handling into function 2019-03-27 18:34:48 +01:00
Kishi85
52f5584dc0 configuration: add separate configuration for runtime options 2019-03-27 15:32:49 +01:00
Kishi85
7da3c266a7 authority.v2: optimize code paths (raw_result, nonce)
raw_result does not need an extra return, discarding the nonce at that
point would discard the newer nonce from the response and also the first
nonce is gotten implicitly with the first acme request anyway
2019-03-27 14:22:16 +01:00
Kishi85
44aeda6915 webdir: add config option for verification 2019-03-27 14:22:16 +01:00
Kishi85
ff3a57eaff standalone: remove dependency to webdir and add ipv6 support
- Serve the challenge authorizations from in-memory instead of files
- Try to establish a dual-stack IPv6 HTTPServer before falling back
2019-03-27 14:22:09 +01:00
Kishi85
8cfcdf9385 docs: update and refine readme 2019-03-27 13:29:41 +01:00
58beca0914 version: bump to 0.9.4 2019-03-25 20:56:54 +01:00
Kishi85
a4daec3fc1 acertmgr: fix initial certificate validity check 2019-03-25 20:56:44 +01:00
0defe1990d version: bump to 0.9.3 2019-03-25 18:38:54 +01:00
Kishi85
68d4d19f5f docs: Update documentation and README 2019-03-25 18:25:06 +01:00
Kishi85
5e63fd89c0 setup: Update packaging and runtime options 2019-03-25 15:09:24 +01:00
Kishi85
084d162361 acertmgr: Run actions in a shell environment to allow shell syntax 2019-03-25 15:09:24 +01:00
Kishi85
a71ab0f31a configuration: fix specific domain config not overriding global+defaults 2019-03-25 15:09:19 +01:00
Kishi85
ed96f2bbf2 acertmgr: store CSR and support static CSR usage
Store the generated CSR for later review/usage and allow the stored
CSR to be used for future requests. Configuration directives csr_file
(path) and csr_static (=true) have been added for this.

This allows simplified deployment of DANE/TLSA due to the former requiring
updates to DNS with every public key change, which will not be the case
with a static CSR. A new CSR can be triggered manually by deleting the
CSR file upon which the next certificate will require an update of any
TLSA records in DNS.

This may also be used to specify a custom CSR to use, as long as the
csr_file path and the domains in the CSR match the ones given in the
acertmgr configuration.
2019-03-25 10:13:02 +01:00
Kishi85
5171a93608 setup: Add a single space for PEP-8 2019-03-25 10:13:02 +01:00
Kishi85
7ee34912c1 acertmgr: rework how files are handled in general
- Remove unnecessary tempfiles and keep as much in memory as possible
- Unify the way PEM files are written and read
2019-03-25 10:12:59 +01:00
Kishi85
46efc1038c acertmgr: always check certificate destinations for update + actions 2019-03-24 18:18:53 +01:00
Kishi85
fd2134753a tools: cleanup function names and add crypto wrappers 2019-03-24 16:49:03 +01:00
Kishi85
710c42c805 standalone: do not attempt webdir challenge verification
webdir challenge verification will always fail with standalone due to the
server not being started immediately at the point of challenge creation.
2019-03-23 11:01:32 +01:00
Kishi85
1e5b1defa7 configuration: fixes and print warnings on certain options (prepares #30)
- Print warnings when certain configuration options are used
- Print warnings when old file/directory paths are used
- Fix compatibility with old configurations expecting v1 API for now
2019-03-23 10:12:17 +01:00
Kishi85
cda4be09f4 acertmgr: don't fail when no issuer CA can be retrieved
Do not fail if there is no issuer CA download possible in any way. Just
let the user provide the (static) CA certificate at ca_file or fail during
certificate deployment.
2019-03-23 08:31:27 +01:00
Kishi85
c0d23631b6 tools: add wrapper for urlopen and use it throughout acertmgr 2019-03-22 16:09:21 +01:00
Kishi85
985bc46f39 authority.v2: always cache next nonce if it is present 2019-03-22 15:54:48 +01:00
Kishi85
83f31bf91d acertmgr: cleanup code (PEP-8 + replace assertions) 2019-03-22 12:45:34 +01:00
Kishi85
d62afac9d6 authority.v2: Guess directory data if retrieval fails 2019-03-22 12:22:17 +01:00
Kishi85
53f61f19d1 setup: rework version determination for release bundles and update values 2019-03-22 12:15:59 +01:00
2ed50e032d README: sync with docs 2019-03-22 10:23:21 +01:00
f59285f8ff Provide sample for nsupdate_keyalgorithm 2019-03-22 10:21:32 +01:00
d5eba22ad8 docs: clarify (also: Python 3.4 has reached EoL) 2019-03-22 09:52:02 +01:00
92337436bc docs: cleanup whitespace and remove "---" from json examples 2019-03-21 22:25:08 +01:00
5b3993e9ef tools: optimize imports (remove unused import) 2019-03-21 22:03:58 +01:00
Kishi85
17dfaa08f0 configuration: Translate unicode names to IDNA (fixes #24) 2019-03-21 18:43:41 +01:00
Kishi85
c054ecebe9 acertmgr: change the way the issuer CA is fetched
This changes the way the issuer CA is retrieved if no static_ca file is
used. Previously we would always download the CA using the AIA Info but
API v2 normally provides the full chain PEM upon certificate retrieval
and does not need this step. For the APIv2 case we now use the CA
provided with the certificate which required some changes to the basic
handling of CA files. APIv1 has been adapted to this new handling.
APIv2 has a fallback option to the way APIv1 handles it in case no CA
has been provided.
2019-03-21 12:26:32 +01:00