{"id":39862069,"url":"https://github.com/dlangille/anvil","last_synced_at":"2026-01-18T14:01:21.622Z","repository":{"id":147740194,"uuid":"97053448","full_name":"dlangille/anvil","owner":"dlangille","description":"Tools for distributing ssl certificates","archived":false,"fork":false,"pushed_at":"2023-10-09T18:06:17.000Z","size":135,"stargazers_count":30,"open_issues_count":8,"forks_count":0,"subscribers_count":5,"default_branch":"master","last_synced_at":"2023-10-09T19:26:45.833Z","etag":null,"topics":["acme","anvil","cert","certificate","distributing-ssl-certificates","lets-encrypt","letsencrypt-cert","letsencrypt-cli","letsencrypt-sh","letsencrypt-utils","ssl-certificates"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dlangille.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-07-12T21:28:02.000Z","updated_at":"2023-10-09T19:26:48.184Z","dependencies_parsed_at":"2023-05-27T09:15:28.629Z","dependency_job_id":null,"html_url":"https://github.com/dlangille/anvil","commit_stats":null,"previous_names":[],"tags_count":20,"template":null,"template_full_name":null,"purl":"pkg:github/dlangille/anvil","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dlangille%2Fanvil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dlangille%2Fanvil/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dlangille%2Fanvil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dlangille%2Fanvil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/owners/dlangille","download_url":"https://codeload.github.com/dlangille/anvil/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dlangille%2Fanvil/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28537484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T13:04:05.990Z","status":"ssl_error","status_checked_at":"2026-01-18T13:01:44.092Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","anvil","cert","certificate","distributing-ssl-certificates","lets-encrypt","letsencrypt-cert","letsencrypt-cli","letsencrypt-sh","letsencrypt-utils","ssl-certificates"],"created_at":"2026-01-18T14:01:20.738Z","updated_at":"2026-01-18T14:01:21.610Z","avatar_url":"https://github.com/dlangille.png","language":"Shell","readme":"# anvil\n\nTools for distributing ssl certificates\n\nDesigned on FreeBSD, it uses fetch by default, but can also use wget or curl.\nSet FETCH_TOOL in the configuration file to either wget or curl. 
Any other\nvalue will invoke fetch.\n\nIt also uses sudo, with the goal of this running as non-root and only allowing the cp \u0026 mv via sudo.\n\nThese tools were designed with acme.sh \u0026 Let's Encrypt in mind, but they\nshould work with any certificates generated by any means.\n\nRelevant background:\n\n* The certificates are being generated via acme.sh in a centralized location.\n* certs are not generated where they are used.\n* Distribution of private keys is outside scope.\n* New certs are pulled by the servers/VMs/jails/etc which need them.\n\nThe steps to use this stuff:\n\n* create certs in /var/db/acme\n* run cert-shifter (see https://github.com/dlangille/anvil-certs/blob/master/collect-certs)\n* rsync from /var/db/certs-for-rsync to https://example.org/certs\n* run cert-puller to download and install new certs\n\nThe distribution of private keys is outside scope.\n\n\u003cp align=\"center\"\u003eOverview of anvil use\u003c/p\u003e\n\u003cimg src =\"https://github.com/dlangille/anvil/blob/master/images/anvil-overiew.png?raw=true\" title=\"Overview of anvil use\" alt=\"Overview of anvil use\"/\u003e\n\n\nBefore using: \n\n```\nmkdir /var/db/anvil \u0026\u0026 chown USER:GROUP /var/db/anvil\n```\n\nWhere USER \u0026 GROUP is the user which will be invoking this script. 
We\nsuggest anvil:anvil\n\nSaid user will also need sudo rights to cp and mv within CERT_DST.\n\nDefault configuration files are in /usr/local/etc/anvil/\n\nVariables which can be set in cert-shifter.conf:\n\n```\nCERT_SRC=\"/var/db/acme/certs\"\nCERT_DST_ROOT=\"/var/db/certs-for-rsync\"\nCERT_DST_CERTS=\"${CERT_DST_ROOT}/certs\"\nTMP=\"${CERT_DST_ROOT}/tmp\"\n```\n\nVariables which can be set in cert-puller.conf:\n\n```\nCERT_DST=\"/usr/local/etc/ssl\"\nCERT_SERVER=\"https://certs.example.org/certs\"\nMYCERTS=\"example.com\"\nSERVICES=\"apache24\"\nSERVICES_RELOAD=\"postgresql\"\nSERVICES_RESTART=\"postfix\"\nDOWNLOAD_DIR=\"/var/db/check-for-new-certs\"\nUSER_AGENT=\"--user-agent='anvil-cert-puller'\"\nFETCH=\"/usr/bin/fetch --mirror --quiet --user-agent=${USER_AGENT}'\"\nCURL=\"/usr/local/bin/curl --silent --user-agent '${USER_AGENT}' --remote-time\"\nWGET=\"/usr/local/bin/wget --quiet --user-agent='${USER_AGENT}'\"\nFETCH_OPTIONS=\"-4\"\nCURL_OPTIONS=\"-4\"\nWGET_OPTIONS=\"-4\"\n```\n\nAfter getting new certs, services need to be restarted/reloaded.\n\n\n* Services which can be restarted/reloaded by SERVICES: apache22, apache24, dovecot, mosquitto,\n  nginx, postfix, postgresql\n\n* Services which can be restarted by SERVICES_RESTART: unlimited, anything you\n  want.\n\n* Services which can be reloaded by SERVICES_RELOAD: unlimited, anything you\n  want.\n\nTo use wget, set FETCH_TOOL=\"wget\" in cert-puller.conf\nTo use curl, set FETCH_TOOL=\"curl\" in cert-puller.conf\nTo use fetch, set FETCH_TOOL to any other value, or remove it from the file.\n\nYep, lots to work on here.\n\n## Certificate fingerprints for Postfix\n\nIf you need certificate fingerprints, say for Postfix, see  also 
https://github.com/dlangille/fingerprint-shifter\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdlangille%2Fanvil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdlangille%2Fanvil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdlangille%2Fanvil/lists"}