{"id":27185074,"url":"https://github.com/threefoldtech/acme2cert-exp","last_synced_at":"2025-04-09T17:10:28.823Z","repository":{"id":68973207,"uuid":"304053128","full_name":"threefoldtech/acme2cert-exp","owner":"threefoldtech","description":"ACME to ZeroSSL.com REST API, based on acme2certifier.","archived":false,"fork":false,"pushed_at":"2023-10-12T08:56:30.000Z","size":384,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2023-10-13T02:49:38.392Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/threefoldtech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-10-14T15:12:34.000Z","updated_at":"2022-11-10T16:25:54.000Z","dependencies_parsed_at":"2023-06-08T19:45:27.879Z","dependency_job_id":null,"html_url":"https://github.com/threefoldtech/acme2cert-exp","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threefoldtech%2Facme2cert-exp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threefoldtech%2Facme2cert-exp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threefoldtech%2Facme2cert-exp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/threefoldtech%2Facme2cert-exp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/threefoldtech","download_url":"https://codeload.github.com/threefoldtech/acme2cert-exp/tar.gz/r
efs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248074976,"owners_count":21043490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-09T17:10:26.937Z","updated_at":"2025-04-09T17:10:28.815Z","avatar_url":"https://github.com/threefoldtech.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tf-acmeserver\n- [tf-acmeserver](#tf-acmeserver)\n  - [Setup](#setup)\n    - [Configuration](#configuration)\n  - [Installation](#installation)\n  - [Running the development server](#running-the-development-server)\n  - [Configuring the server](#configuring-the-server)\n  - [Deployment](#deployment)\n    - [Django settings](#django-settings)\n    - [Gunicorn and nginx](#gunicorn-and-nginx)\n    - [Docker](#docker)\n  - [Testing with certbot (client)](#testing-with-certbot-client)\n  - [What's different from acme2certifier?](#whats-different-from-acme2certifier)\n    - [List of changes](#list-of-changes)\n\n\nACME to ZeroSSL.com REST API, based on [acme2certifier](https://github.com/grindsa/acme2certifier).\n\nThis server lets ordinary ACME clients obtain certificates from CAs that do not speak ACME; the main goal is to issue certificates from ZeroSSL (via its REST API) to ordinary ACME clients. 
This keeps the ZeroSSL account key in one place instead of distributing it to every client.\n\n## Setup\n\nBecause both ACME and ZeroSSL.com require domain verification, a custom setup with a name server the server can write to (currently the name.com API) is needed.\n\n![diagram](diagram/block.png)\n\nCertificates are issued for sub-domains under the configured main domains. A [CA handler](https://github.com/grindsa/acme2certifier/blob/master/docs/ca_handler.md) for `acme2certifier` is implemented in [zerossl_ca_handler.py](zerossl_ca_handler.py); it requests certificates from ZeroSSL via the REST API.\n\nThe full **flow** is as follows:\n\n* A client (e.g. certbot) sends a request to the ACME server\n* The custom CA handler inside the ACME server will:\n  * Take the client's CSR and [create a new certificate](https://zerossl.com/documentation/api/create-certificate/).\n  * Register the DNS validation record returned by the previous step (the `cname_validation_p1` and `cname_validation_p2` fields) as a `CNAME` record at the name server.\n  * Ask ZeroSSL to [verify the domains](https://zerossl.com/documentation/api/verify-domains/) and wait for the result.\n  * Once verification succeeds, wait for the certificate to be issued by [polling the certificate information](https://zerossl.com/documentation/api/get-certificate/) and checking its `status`.\n  * If the certificate is issued successfully, return it to the client.\n\n### Configuration\n\n1 - [Name server](#nameserver): ZeroSSL.com needs to verify domains, so the server needs access to a name server where it can create the required DNS records.\n\nThe following options are available for now:\n\n* name.com\n\n2 - [This ACME server](#configuring-the-server), configured with:\n  * The allowed domains and prefixes\n  * name.com client credentials\n  * The ZeroSSL access key\n\n## Installation\n\n```\npython3 -m pip install virtualenv --user\npython3 -m virtualenv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\n```\n\nThen 
run this only once:\n\n```\npython django_update.py\n```\n\n## Running the development server\n\nThe server is configured by the `acme_srv.cfg` file in the [acme](/acme) directory. Before starting, look at the example files in the [config](/config) directory; you can copy any of them:\n\n```bash\ncp config/acme_srv.zerossl.cfg acme/acme_srv.cfg\n```\n\nThen update it with the [correct configuration](#configuring-the-server) and start the development server with:\n\n```bash\npython manage.py runserver\n```\n\n## Configuring the server\n\nTo configure the ACME server with the ZeroSSL handler, `acme_srv.cfg` needs to be placed in the [acme](/acme) directory with the following sections:\n\n```conf\n[CAhandler]\n# CA specific options\nhandler_file: zerossl_ca_handler.py\ncert_validity_days: 90\naccess_key: \u003czerossl api access key\u003e\n\n[domains]\ngrid.tf: test1, test2\n3bots.tf: testnet, devnet\ngateway.tf: gw1, gw2, gw3\n\n[namecom]\nusername: foo\ntoken: bar\n\n[redis]\nhost: localhost\nport: 6379\n```\n\nSections:\n* `CAhandler` (required): the handler file, the requested certificate validity and the ZeroSSL API `access_key`.\n* `domains` (required): allowed domains and prefixes (hosts), comma separated.\n  * For example, `grid.tf: test1, test2` allows issuing certificates for subdomains of `test1.grid.tf` and `test2.grid.tf`, e.g. `a.test1.grid.tf` and `xyz.test2.grid.tf`.\n* `namecom` (required): name.com API credentials\n* `redis` (optional): redis configuration used to cache prefetched certificates\n\nBoth the ZeroSSL `access_key` and the name.com `token` are credentials that let their holder issue certificates and change DNS records for the configured zones, so restrict read access to `acme_srv.cfg` to the user the server runs as.\n\n`namecom` must be configured in order to verify domains for now. 
Note that the server's IP address must be whitelisted on the name.com side for the configured credentials to be usable.\n\nIf the `dev` flag is set in the `namecom` section, the [development API endpoints](https://www.name.com/api-docs) are used instead.\n\nSee [acme_srv.zerossl.cfg](/config/acme_srv.zerossl.cfg) for a full configuration example.\n\n## Deployment\n\n### Django settings\n\nFirst, you need a production [django settings.py](/acme2certifier/settings.py): its `DATABASES` should use a database other than `sqlite`, e.g. `mysql`, and `ALLOWED_HOSTS` needs to include every host name the server will be reached under.\n\nTo use a production settings module, e.g. `acme2certifier/production_settings.py`, set it in `DJANGO_SETTINGS_MODULE`:\n\n```\nexport DJANGO_SETTINGS_MODULE=acme2certifier.production_settings\n```\n\n### Gunicorn and nginx\n\nUse [gunicorn](https://docs.gunicorn.org/) to run the server in production environments; besides any other options, you just need to pass the `wsgi` app:\n\n```bash\nsource .venv/bin/activate # activate the environment first\ngunicorn acme2certifier.wsgi #...other options\n```\n\nAlso, `gunicorn` should run behind nginx, which terminates TLS: the ACME protocol is specified over HTTPS, so clients must reach the directory URL over HTTPS in production, and the plain `http://` address used in the certbot example below is only for local testing. See [deploying gunicorn](https://docs.gunicorn.org/en/stable/deploy.html) for more details about the setup and configuration.\n\n### Docker\n\nWe will try to create a full docker setup for this server, database engine and `redis`.\n\n## Testing with certbot (client)\n\nMake sure to pass `--server` pointing at this ACME server's address. For example, to get a certificate from a local setup where the server is running on `127.0.0.1:8000`:\n\n```\ncertbot certonly --server http://127.0.0.1:8000/ --standalone -d tt.example.com --cert-name tt --agree-tos -m abdo@gmail.com\n```\n\n\n## What's different from acme2certifier?\n\nNearly all of the code comes from the acme2certifier repository: the ACME implementation with the django database store (`db_handler`), plus the django server and scripts, all in one place for ease of 
development/experimenting.\n\n### List of changes\n\n* Copied the django [db_handler.py](https://github.com/grindsa/acme2certifier/blob/master/examples/db_handler/django_handler.py) into [acme](/acme) as `db_handler`.\n* Renamed the django app module [acme](https://github.com/grindsa/acme2certifier/tree/master/examples/django/acme) to `app` in all relevant places to avoid import conflicts with the acme implementation module.\n* Updated the [settings.py](/acme2certifier/settings.py) of the django app to work with an sqlite database instead of mysql.\n* Generated keys and certificates to run the [openssl ca handler](https://github.com/grindsa/acme2certifier/blob/master/docs/openssl.md) in [acme_ca](/acme_ca) and added the configuration for it to the example configuration [acme_srv.local_ssl.cfg](config/acme_srv.local_ssl.cfg). These keys are committed to the repository, so they are only suitable for local testing.\n* Used virtualenv and generated `requirements.txt` so the server can be installed and run without a complex setup.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreefoldtech%2Facme2cert-exp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthreefoldtech%2Facme2cert-exp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthreefoldtech%2Facme2cert-exp/lists"}
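The `[domains]` allowlist in the README's "Configuring the server" section is the check that bounds what this server will ask ZeroSSL to issue, so it deserves care. The following is an added example, not code from the acme2cert-exp project or from acme2certifier: it parses the README's sample `[domains]` section with `configparser` and matches requested names on DNS label boundaries, so that `evil-test1.grid.tf` or `a.test1.grid.tf.attacker.com` cannot slip past a naive string-suffix comparison. The sample configuration is constructed from the README's example; the rules that the zone apex itself (`test1.grid.tf`) is not issuable and that wildcard names are refused are assumptions taken from the README's wording ("subdomains of `test1.grid.tf`"), not verified against `zerossl_ca_handler.py`.

```python
import configparser
from typing import Dict, List

# Constructed sample: the [domains] section from the README. The other
# sections are omitted because this example only concerns issuance scope.
SAMPLE_CFG = """
[domains]
grid.tf: test1, test2
3bots.tf: testnet, devnet
gateway.tf: gw1, gw2, gw3
"""


def load_allowed_zones(cfg_text: str) -> List[str]:
    """Return the allowed parent zones, e.g. ['test1.grid.tf', 'test2.grid.tf', ...].

    configparser accepts both 'key: value' and 'key = value', so the README's
    colon syntax parses as-is. Names are normalised to lowercase without a
    trailing dot so that later comparisons are purely label-based.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    zones = []
    for domain, prefixes in parser["domains"].items():
        domain = domain.strip().rstrip(".").lower()
        for prefix in prefixes.split(","):
            prefix = prefix.strip().rstrip(".").lower()
            if prefix:
                zones.append(f"{prefix}.{domain}")
    return zones


def is_allowed_name(fqdn: str, zones: List[str]) -> bool:
    """True if fqdn is a proper subdomain of one of the allowed zones.

    Matching is done on DNS labels, not on string suffixes: 'evil-test1.grid.tf'
    must not match 'test1.grid.tf', and 'a.test1.grid.tf.attacker.com' must not
    match either. Assumption (from the README's wording): the zone apex itself
    is not issuable, only names below it, and wildcards are refused.
    """
    name = fqdn.strip().rstrip(".").lower()
    if not name or name.startswith("*."):
        return False
    labels = name.split(".")
    if any(not label for label in labels):
        return False  # empty label, e.g. 'a..test1.grid.tf'
    for zone in zones:
        zone_labels = zone.split(".")
        if len(labels) > len(zone_labels) and labels[-len(zone_labels):] == zone_labels:
            return True
    return False


def filter_csr_names(names: List[str], zones: List[str]) -> Dict[str, List[str]]:
    """Split the names from a CSR (CN plus SANs) into allowed and rejected lists.

    A CA handler should refuse the whole order if any name is rejected rather
    than silently issuing for the allowed subset, so callers check 'rejected'.
    """
    result: Dict[str, List[str]] = {"allowed": [], "rejected": []}
    for n in names:
        result["allowed" if is_allowed_name(n, zones) else "rejected"].append(n)
    return result


if __name__ == "__main__":
    zones = load_allowed_zones(SAMPLE_CFG)
    demo = [
        "a.test1.grid.tf",
        "evil-test1.grid.tf",
        "a.test1.grid.tf.attacker.com",
        "test1.grid.tf",
    ]
    print(filter_csr_names(demo, zones))
```

The label-boundary comparison is the point: `fqdn.endswith(zone)` would accept `evil-test1.grid.tf`, and a check that only looks for the zone somewhere in the string would accept names under an attacker-controlled domain. Rejecting the whole order when any SAN falls outside the allowlist avoids issuing a certificate whose name set differs from what the client asked for.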