1
0
mirror of https://github.com/moepman/acertmgr.git synced 2024-11-16 07:39:15 +01:00
Commit Graph

52 Commits

Author SHA1 Message Date
Kishi85
2d230e30d9 Clarify expected authority format (at least for v2) and add an example 2021-10-31 09:57:31 +01:00
Kishi85
460b0119ac configuration: Simplify too complex IDNA conversion 2021-09-13 09:00:59 +02:00
David Klaftenegger
e2f7b09b18 certs already contain idna domain names
The idna_convert call here does nothing: when reading a certificate, it
already contains idna domain names. Converting them to idna is
equivalent to the identity function, and can thus be removed.
2021-05-30 16:21:54 +02:00
Kishi85
b37d0cad94 acertmgr: Add a OCSP validation to certificate verification 2020-03-04 14:50:05 +01:00
Kishi85
6e52dd41b0 docs: Update README 2019-05-06 21:24:35 +02:00
Kishi85
6a07ab1188 tools/configuration: Add support for EC/Ed25519/Ed448 generation 2019-04-19 15:29:44 +02:00
Kishi85
4f0fe2c74a tools: Add support for Ed25519 and Ed448 account keys
Add support for Ed25519 and Ed448 account keys in addition
to already supported algorithms
2019-04-16 19:12:25 +02:00
Kishi85
4df74d67d5 tools: add support for EC account keys
Allows usage of pre-generated EC account keys (P-256, P-384, P-521)
in addition to already supported RSA keys.
2019-04-16 19:12:05 +02:00
Kishi85
1f5ef9322b tools: remove six dependency
Always decode string if the functions is available, assume normal string
otherwise
2019-04-07 15:31:07 +02:00
Kishi85
89be66dc87 acertmgr: implement deployment error handling
Remove the long-standing todo from cert_put and implement useful
error handling and defaults for certificate deployment. Also do
a separate try/expect for each deployed file on every single
certificate.
2019-04-07 15:31:07 +02:00
Kishi85
b86d8b6e0a setup: update dependencies and requirements 2019-04-07 15:31:07 +02:00
Kishi85
47e3312aad dns: Add additional TXT record verifications to reduce wait time
This may also be used to guarantee a correct TXT record lookup by setting
dns_verify_all_ns=true, a dns_verify_failtime < dns_verify_waittime and
a high enough value of dns_verify_failtime (like 300 seconds)
2019-04-04 13:39:34 +02:00
Kishi85
1aae651d98 modes: unify and optimize challenge handler workflow
- Remove wait times returned by create_challenge
- Remove wait loops from authorities
- Add the wait for valid DNS TXT records in the abstract
  DNSChallengeHandler start_challenge function.
- Move challenge verification to start_challenge in general
2019-04-04 13:39:34 +02:00
Kishi85
54cb334600 acertmgr: add support for the ocsp must-staple extension
Introduces a new config directive and requires at least cryptography 2.1
2019-04-04 13:39:05 +02:00
Kishi85
fa3fc196f3 configuration: unify how ca_file and ca_static are determined
ensure legacy compatibility (also include defaults case) and update README.md
2019-03-28 13:41:27 +01:00
Kishi85
45ccb6b0d6 docs: update readme with new command-line parameters 2019-03-28 11:13:54 +01:00
Kishi85
f01140e89b acertmgr: Add option to supersede previous cert on renewal
Add option to automatically revoke the previous certificate with reason
superseded after deployment and all actions have been successful.
2019-03-28 09:48:54 +01:00
Kishi85
44aeda6915 webdir: add config option for verification 2019-03-27 14:22:16 +01:00
Kishi85
ff3a57eaff standalone: remove dependency to webdir and add ipv6 support
- Serve the challenge authorizations from in-memory instead of files
- Try to establish a dual-stack IPv6 HTTPServer before falling back
2019-03-27 14:22:09 +01:00
Kishi85
8cfcdf9385 docs: update and refine readme 2019-03-27 13:29:41 +01:00
Kishi85
68d4d19f5f docs: Update documentation and README 2019-03-25 18:25:06 +01:00
2ed50e032d README: sync with docs 2019-03-22 10:23:21 +01:00
d5eba22ad8 docs: clarify (also: Python 3.4 has reached EoL) 2019-03-22 09:52:02 +01:00
92337436bc docs: cleanup whitespace and remove "---" from json examples 2019-03-21 22:25:08 +01:00
Kishi85
17dfaa08f0 configuration: Translate unicode names to IDNA (fixes #24) 2019-03-21 18:43:41 +01:00
Kishi85
316ecdba2e configuration: Force user to agree to the authorities Terms of Service
Authorities (e.g. Let's Encrypt) usually have Terms of Serivce (ToS)
that have to be agreed to. Up until this point we automatically
indicated agreement to those ToS and sent the necessary value.

This commit changes the behaviour to be in line with recommendations
from Let's Encrypt that the user themselves have to indicate their
agreement by no longer automatically doing so (except for cases of
legacy configuration files to provide compatibility).

The user can now indicate ToS agreement by either setting the associated
configuration variable (authority_tos_agreement) to the required value
and/or providing the required value via a command-line parameter
(--authority-tos-agreement=<value>/--tos-agreement=<value>/--tos=<value>)
2019-03-20 15:31:53 +01:00
Kishi85
784badf54b docs: Update examples and README for ACMEv2 API and other changes 2019-03-20 15:31:53 +01:00
567b1feb4b README: fix whitespace 2019-02-22 11:09:33 +01:00
Kishi85
67c83d8fce configuration: cleanup handling+defaults and add commandline options
This adds a few basic command line parameters to allow further
customization of the configuration locations. As well as defining new
default locations for the acertmgr config files and updating the parser
with missing values, so that the config dictionary provided to the
acertmgr process after parsing is complete and no cross reference to the
configuration module is necessary. The parser error handling is also
improved.
2019-02-20 12:03:40 +01:00
Kishi85
02036f5617 Update README 2019-01-22 16:03:08 +01:00
Ralf Ramsauer
35d9d39b26 Make key location dynamic
Besides the fact that this removes redundant code, hard coded location
of file is generally no good idea

Also adapt README.md and provide a default location for key files.

Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
2016-04-15 12:49:33 +02:00
f6f3180617 Improve and clean up the documentation 2016-04-14 18:52:40 +02:00
Ralf Ramsauer
b3db2029e0 Readme: Add hint for proper permission setting of keys
openssl genrsa > foo will allow group and world read. Add a hint that
these permissions should be adjusted.

Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
2016-04-12 11:55:06 +02:00
David Klaftenegger
2dbae6673a Make it a configuration option which ACME authority is used 2016-04-12 11:54:37 +02:00
a8205c47cb Improve documentation 2016-04-12 11:54:15 +02:00
David Klaftenegger
db0afbf0b7 Add example for multiple domain names per certificate
The first name will be the Common Name.
All names will be listed as subject alternate names.
2016-04-12 11:54:03 +02:00
David Klaftenegger
5ff9f60cdb Documentation: add more examples 2016-04-12 11:53:58 +02:00
David Klaftenegger
625ae67f47 Documentation changes
acme-tiny is no longer required
ca-file needs to be downloaded

minor fixes of inaccuracies
2016-04-12 11:53:53 +02:00
David Klaftenegger
661115a508 replace acme-tiny
using a pyopenssl implementation of the same functionality instead
2016-04-12 11:53:32 +02:00
23b70c798c New format: ca to be able to create cert-chains. 2016-04-12 11:52:23 +02:00
2500b044f1 Rename notify to action and execute them only once. 2016-04-12 11:52:12 +02:00
David Klaftenegger
d7ea460ce6 Initial setup documentation
Adds a section for the initial motions required to get a acertmgr running
2016-04-12 11:51:48 +02:00
554b96cea8 Improve README 2016-04-12 11:51:16 +02:00
David Klaftenegger
23f9af7c3f Document python search paths 2016-04-12 11:49:17 +02:00
0ab3919d73 Acutally invoke acme_tiny (using the staging API) 2016-04-12 11:48:38 +02:00
b1d25d1821 Fix markdown in README 2016-04-12 11:48:29 +02:00
1e745b94ea More checks (e.g. for acme_tiny) 2016-04-12 11:48:21 +02:00
c7efda7b61 Split cert_get into cert_get and cert_put 2016-04-12 11:46:50 +02:00
c494fc3ba7 Add a security section to README 2016-01-10 15:56:04 +01:00
933c2e8ed1 Minor code and documentation improvements 2016-01-10 15:48:16 +01:00