1
0
mirror of https://github.com/moepman/acertmgr.git synced 2025-01-01 05:31:51 +01:00
Commit Graph

223 Commits

Author SHA1 Message Date
Kishi85
88d4a52ab9 tools: use cryptography conversion instead of custom function
Use cryptography's int_to_bytes consistently instead of our own number
to byte conversion function
2019-04-16 19:12:15 +02:00
Kishi85
4df74d67d5 tools: add support for EC account keys
Allows usage of pre-generated EC account keys (P-256, P-384, P-521)
in addition to already supported RSA keys.
2019-04-16 19:12:05 +02:00
Kishi85
1f5ef9322b tools: remove six dependency
Always decode string if the functions is available, assume normal string
otherwise
2019-04-07 15:31:07 +02:00
Kishi85
b5bac4870a authority.v1: add deprecation warning
ACMEv1 will be deprecated by letsencrypt.org in 2021* therefore add a
deprecation warning on object creation

* https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
2019-04-07 15:31:07 +02:00
Kishi85
89be66dc87 acertmgr: implement deployment error handling
Remove the long-standing todo from cert_put and implement useful
error handling and defaults for certificate deployment. Also do
a separate try/expect for each deployed file on every single
certificate.
2019-04-07 15:31:07 +02:00
Kishi85
7c9e7f7d0c authority.v2: use POST-as-GET to remove unauthenticated GET requests
As unauthenticated GET requests are soon to be deprecated,
remove all unacceptable usages and replace with POST-as-GET.
See also https://tools.ietf.org/html/rfc8555#section-6.3
2019-04-07 15:31:07 +02:00
Kishi85
b86d8b6e0a setup: update dependencies and requirements 2019-04-07 15:31:07 +02:00
Kishi85
4510aaf393 acertmgr: properly format action output 2019-04-07 15:31:07 +02:00
Kishi85
79b625619a acertmgr: try using a fallback configuration for revoke
If no configuration matching the domains in the given certificate exist
use the globalconfig/default settings for an authority to revoke the
certificate (which might still fail if things do not match up, but the
authority will decide on that)

Configuration parsing for the authority settings is therefore split into
a seperate function which will be called for the 'fallback_authority'
element in runtimeconfig.
2019-04-07 15:31:07 +02:00
Kishi85
762037c42d standalone: cleanup start/stop challenge
stop_challenge should only stop the server if the thread is still alive
2019-04-07 15:31:07 +02:00
Kishi85
e12abbc3cb authority.v1/2: call stop_challenge even if start_challenge fails
start_challenge may raise an exception at any point. to not just destroy
the challenge but also try to stop it in order to clean up anything done
by start_challenge already properly
2019-04-07 15:31:07 +02:00
Kishi85
989d3b585a authority.v1/2: do not re-authorize already valid domains
Skipping re-authorization when not necessary speeds up cert renewal.
2019-04-07 15:31:07 +02:00
Kishi85
fd8c4ec443 authority.v2: cleanup error- and encoding-handling 2019-04-07 15:31:07 +02:00
Kishi85
df6e3a743e authority.v1: Add missing resource to revoke_crt
Add missing resource: revoke-cert to the request payload
2019-04-07 15:31:07 +02:00
Kishi85
79791c53bc tools: update the get_cert_domain function
Add all domains for SAN certificates and convert IDNA values to the
correct representation
2019-04-07 15:31:07 +02:00
Kishi85
b63a0bc424 tools: add log function, update log messages mentioning certificates
This simple implementation writes log messages to stdout/err and flushes
the buffers immediately after the message has been written.

Also update log messages with the certificate CN to a better readable format
Introduce functions for get_cert_cn and get_cert_valid_until to
encapsulate all cryptographic functions consistently in tools.
2019-04-07 15:31:06 +02:00
Kishi85
2046215e37 tools: encapsulate key parameter determination in tools function
This is will isolate more cryptographic functions in the tools module
and allow for easier replacement of any cryptographic function should
the need ever arise
2019-04-07 15:31:02 +02:00
Kishi85
47e3312aad dns: Add additional TXT record verifications to reduce wait time
This may also be used to guarantee a correct TXT record lookup by setting
dns_verify_all_ns=true, a dns_verify_failtime < dns_verify_waittime and
a high enough value of dns_verify_failtime (like 300 seconds)
2019-04-04 13:39:34 +02:00
Kishi85
1aae651d98 modes: unify and optimize challenge handler workflow
- Remove wait times returned by create_challenge
- Remove wait loops from authorities
- Add the wait for valid DNS TXT records in the abstract
  DNSChallengeHandler start_challenge function.
- Move challenge verification to start_challenge in general
2019-04-04 13:39:34 +02:00
Kishi85
54cb334600 acertmgr: add support for the ocsp must-staple extension
Introduces a new config directive and requires at least cryptography 2.1
2019-04-04 13:39:05 +02:00
07696f5721 version: bump to 0.9.5 2019-04-01 12:31:44 +02:00
Kishi85
0a5356a302 configuration: fix broken idna handling 2019-03-31 23:17:02 +02:00
Kishi85
fe7a064604 acertmgr: log exceptions during processing, raise afterward
If anything goes wrong during cert_get/cert_put/running
actions/cert_revoke superseded do not fail completely and continue with
the remaining domains to process. Print all exceptions and after
processing raise a RuntimeError
2019-03-28 21:15:46 +01:00
Kishi85
7e4c350a4f configuration: remove redundant 'domains' parameter, just use domainlist 2019-03-28 14:52:18 +01:00
Kishi85
fa3fc196f3 configuration: unify how ca_file and ca_static are determined
ensure legacy compatibility (also include defaults case) and update README.md
2019-03-28 13:41:27 +01:00
Kishi85
99d9e41322 configuration: cleanup for legacy removal and improve readability 2019-03-28 12:38:53 +01:00
Kishi85
45ccb6b0d6 docs: update readme with new command-line parameters 2019-03-28 11:13:54 +01:00
Kishi85
ba9e206423 authority.v[12]: skip subsequent account registration 2019-03-28 09:48:54 +01:00
Kishi85
735c986f0d acertmgr: Move factories to their packages and reuse objects with same config 2019-03-28 09:48:54 +01:00
Kishi85
75f597ac36 configuration: put all authority related directives into sub-dict 2019-03-28 09:48:54 +01:00
Kishi85
f01140e89b acertmgr: Add option to supersede previous cert on renewal
Add option to automatically revoke the previous certificate with reason
superseded after deployment and all actions have been successful.
2019-03-28 09:48:54 +01:00
Kishi85
39aa7db24c acertmgr: deploy certificates after all are renewed
as certificate renewal might take some time (on DNS-01 especially) it is
a good idea to wait with deployment until all certificates are finished
renewing and copy them to their destinations then + run actions
2019-03-28 09:48:45 +01:00
Kishi85
737578159b acertmgr: Add support for account.key based certificate revocation 2019-03-28 00:53:54 +01:00
Kishi85
bd27db4ebd acertmgr: add force renew option to immediately renew a cert 2019-03-27 18:37:03 +01:00
Kishi85
dfaca3b58f configuration: put idna handling into function 2019-03-27 18:34:48 +01:00
Kishi85
52f5584dc0 configuration: add seperate configuration for runtime options 2019-03-27 15:32:49 +01:00
Kishi85
7da3c266a7 authority.v2: optimize code paths (raw_result, nonce)
raw_result does not need an extra return, dicarding the nonce at that
point would discard the newer nonce from the response and also the first
nonce is gotten implicitly with the first request acme anyway
2019-03-27 14:22:16 +01:00
Kishi85
44aeda6915 webdir: add config option for verification 2019-03-27 14:22:16 +01:00
Kishi85
ff3a57eaff standalone: remove dependency to webdir and add ipv6 support
- Serve the challenge authorizations from in-memory instead of files
- Try to establish a dual-stack IPv6 HTTPServer before falling back
2019-03-27 14:22:09 +01:00
Kishi85
8cfcdf9385 docs: update and refine readme 2019-03-27 13:29:41 +01:00
58beca0914 version: bump to 0.9.4 2019-03-25 20:56:54 +01:00
Kishi85
a4daec3fc1 acertmgr: fix initial certificate validity check 2019-03-25 20:56:44 +01:00
0defe1990d version: bump to 0.9.3 2019-03-25 18:38:54 +01:00
Kishi85
68d4d19f5f docs: Update documentation and README 2019-03-25 18:25:06 +01:00
Kishi85
5e63fd89c0 setup: Update packaging and runtime options 2019-03-25 15:09:24 +01:00
Kishi85
084d162361 acertmgr: Run actions in a shell environment to allow shell syntax 2019-03-25 15:09:24 +01:00
Kishi85
a71ab0f31a configuration: fix specific domain config not overriding global+defaults 2019-03-25 15:09:19 +01:00
Kishi85
ed96f2bbf2 acertmgr: store CSR and support static CSR usage
Store the generated CSR for later review/usage and allow the stored
CSR to be used for future request. Configuration directives csr_file
(path) and csr_static (=true) have been added for this.

This allows simplified deployment of DANE/TLSA due the former requiring
updates to DNS with every public key change, which will not be the case
with a static CSR. A new CSR can be triggered manually by deleting the
CSR file upon which the next certificate will require an update of any
TLSA records in DNS.

This may also be used to specify a custom CSR to use, as long as the
csr_file path and the domains in the CSR match the ones given in the
acertmgr configuration.
2019-03-25 10:13:02 +01:00
Kishi85
5171a93608 setup: Add a single space for PEP-8 2019-03-25 10:13:02 +01:00
Kishi85
7ee34912c1 acertmgr: rework how files are handled in general
- Remove unnecessary tempfiles and keep as much in memory as possible
- Unify the way PEM files are written and read
2019-03-25 10:12:59 +01:00