https://github.com/dlangille/anvil
Tools for distributing ssl certificates
- Host: GitHub
- URL: https://github.com/dlangille/anvil
- Owner: dlangille
- License: bsd-2-clause
- Created: 2017-07-12T21:28:02.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2023-10-09T18:06:17.000Z (over 2 years ago)
- Last Synced: 2023-10-09T19:26:45.833Z (over 2 years ago)
- Topics: acme, anvil, cert, certificate, distributing-ssl-certificates, lets-encrypt, letsencrypt-cert, letsencrypt-cli, letsencrypt-sh, letsencrypt-utils, ssl-certificates
- Language: Shell
- Homepage:
- Size: 132 KB
- Stars: 30
- Watchers: 5
- Forks: 0
- Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# anvil
Tools for distributing ssl certificates
Designed on FreeBSD, it uses fetch by default, but can also use wget or curl.
Set FETCH_TOOL in the configuration file to either wget or curl. Any other
value will invoke fetch.
It also uses sudo: the goal is for the scripts to run as a non-root user, with only the cp and mv into the certificate directory performed via sudo.
These tools were designed with acme.sh and Let's Encrypt in mind, but they
should work with certificates generated by any means.
Relevant background:
* The certificates are being generated via acme.sh in a centralized location.
* certs are not generated where they are used.
* Distribution of private keys is outside scope.
* New certs are pulled by the servers/VMs/jails/etc which need them.
The steps to use these tools:
* create certs in /var/db/acme
* run cert-shifter (see https://github.com/dlangille/anvil-certs/blob/master/collect-certs)
* rsync /var/db/certs-for-rsync to the web server that serves https://example.org/certs
* run cert-puller on each host that needs certs, to download and install new ones
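The pull-and-install step, as an added example in POSIX sh (this is not anvil's own cert-puller). It assumes a hypothetical layout of `$DOWNLOAD_DIR/<domain>/fullchain.cer` for the downloaded copy and `$CERT_DST/<domain>/fullchain.cer` plus `$CERT_DST/<domain>/<domain>.key` for the installed copy and the private key; `openssl` and `cmp` are assumed to be on the PATH. The check worth having is the one the "private keys are out of scope" point implies: because the key never travels with the cert, a downloaded cert whose public key does not match the local private key is rejected before it can replace a working one.

```sh
#!/bin/sh
# Added example (not anvil's cert-puller): one pass over freshly downloaded
# certificates. A cert is installed only if it differs from what is installed
# AND its public key matches the private key already on this host; keys travel
# out of band, so a cert for the wrong key must never replace a working one.
# Assumed layout (hypothetical, not from the project):
#   $DOWNLOAD_DIR/<domain>/fullchain.cer        downloaded copy
#   $CERT_DST/<domain>/fullchain.cer            installed copy
#   $CERT_DST/<domain>/<domain>.key             private key (never downloaded)
set -u

# cert_matches_key CERT KEY: returns 0 if CERT carries the public half of KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_cert DOMAIN DOWNLOAD_DIR CERT_DST
# Prints one of: installed, unchanged, missing, rejected, failed.
# Returns 0 for installed/unchanged, non-zero otherwise.
install_cert() {
    domain="$1"
    new="$2/$domain/fullchain.cer"
    cur="$3/$domain/fullchain.cer"
    key="$3/$domain/$domain.key"
    [ -f "$new" ] || { echo missing; return 1; }
    if [ -f "$cur" ] && cmp -s "$new" "$cur"; then
        echo unchanged; return 0
    fi
    if ! cert_matches_key "$new" "$key"; then
        echo rejected; return 2
    fi
    mkdir -p "$3/$domain" || { echo failed; return 3; }
    # Stage inside the target directory, then rename: a reader never sees a
    # half-written file. In anvil these two commands are the ones run via sudo.
    tmp="$3/$domain/.fullchain.cer.$$"
    if cp "$new" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$cur"; then
        echo installed; return 0
    fi
    rm -f "$tmp"; echo failed; return 3
}

# pull_pass "dom1 dom2 ..." DOWNLOAD_DIR CERT_DST: install each domain and print
# the ones that actually changed, one per line, so the caller knows whether the
# services that use them need a reload or restart.
pull_pass() {
    changed=""
    for d in $1; do
        case $(install_cert "$d" "$2" "$3") in
            installed) changed="$changed $d" ;;
        esac
    done
    printf '%s\n' $changed
}
```

Running `pull_pass "$MYCERTS" "$DOWNLOAD_DIR" "$CERT_DST"` after the fetch step gives the list of domains whose cert changed; an empty list means no service needs touching, which is what makes it safe to run from cron.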
## Overview of anvil use
Before using:
```
mkdir /var/db/anvil && chown USER:GROUP /var/db/anvil
```
USER and GROUP are the user and group that will invoke the scripts; anvil:anvil
is suggested.
That user will also need sudo rights to cp and mv within CERT_DST.
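One caveat a practitioner will want here: a sudoers rule that grants bare `cp` and `mv` with wildcard arguments is not confined to CERT_DST. sudo's `*` wildcard matches across word boundaries and nothing canonicalises `..` in the destination, so such a grant lets the anvil user overwrite any file as root. A tighter option is to grant sudo only on a small wrapper that refuses any destination that does not resolve inside CERT_DST. The following is an added example of such a wrapper (not part of anvil); the script path and sudoers line in the comments are hypothetical, and `realpath` is assumed to be available (it is on FreeBSD and GNU coreutils).

```sh
#!/bin/sh
# Added example, not part of anvil: a confined installer to grant via sudo in
# place of bare cp/mv. Hypothetical sudoers entry:
#   anvil ALL=(root) NOPASSWD: /usr/local/sbin/anvil-install
# Granting "/bin/cp * /usr/local/etc/ssl/*" instead would be near-root: sudo's
# "*" matches across spaces and nothing stops "../" in the destination.
set -u
CERT_DST="${CERT_DST:-/usr/local/etc/ssl}"

# anvil_install SRC DST: copy regular file SRC to DST, but only if the
# directory DST lives in resolves (after symlinks and "..") inside CERT_DST.
anvil_install() {
    src="$1"; dst="$2"
    root=$(realpath "$CERT_DST") || return 1
    [ -f "$src" ] || { echo "refusing: $src is not a regular file" >&2; return 1; }
    dir=$(realpath "$(dirname "$dst")") || return 1
    case "$dir/" in
        "$root"/*) ;;
        *) echo "refusing: $dst resolves outside $root" >&2; return 1 ;;
    esac
    # Keep the tree plain files: never write through a symlinked destination.
    if [ -L "$dst" ]; then
        echo "refusing: $dst is a symlink" >&2; return 1
    fi
    # Stage next to the destination, then rename so readers never see a
    # partial file; the temp name is cleaned up on any failure.
    tmp="$dir/.$(basename "$dst").$$"
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"; return 1
}
```

With this in place the puller runs `sudo /usr/local/sbin/anvil-install "$new" "$CERT_DST/$domain/fullchain.cer"` and the only thing root will do on its behalf is write inside CERT_DST.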
Default configuration files are in /usr/local/etc/anvil/
Variables which can be set in cert-shifter.conf:
```
CERT_SRC="/var/db/acme/certs"
CERT_DST_ROOT="/var/db/certs-for-rsync"
CERT_DST_CERTS="${CERT_DST_ROOT}/certs"
TMP="${CERT_DST_ROOT}/tmp"
```
Variables which can be set in cert-puller.conf:
```
CERT_DST="/usr/local/etc/ssl"
CERT_SERVER="https://certs.example.org/certs"
MYCERTS="example.com"
SERVICES="apache24"
SERVICES_RELOAD="postgresql"
SERVICES_RESTART="postfix"
DOWNLOAD_DIR="/var/db/check-for-new-certs"
# USER_AGENT is the bare agent string; each command line below quotes it itself
USER_AGENT="anvil-cert-puller"
FETCH="/usr/bin/fetch --mirror --quiet --user-agent='${USER_AGENT}'"
CURL="/usr/local/bin/curl --silent --user-agent '${USER_AGENT}' --remote-time"
WGET="/usr/local/bin/wget --quiet --user-agent='${USER_AGENT}'"
FETCH_OPTIONS="-4"
CURL_OPTIONS="-4"
WGET_OPTIONS="-4"
```
After getting new certs, services need to be restarted/reloaded.
* Services which can be restarted/reloaded by SERVICES: apache22, apache24, dovecot, mosquitto, nginx, postfix, postgresql
* Services which can be restarted by SERVICES_RESTART: unlimited, anything you want.
* Services which can be reloaded by SERVICES_RELOAD: unlimited, anything you want.
To use wget, set FETCH_TOOL="wget" in cert-puller.conf
To use curl, set FETCH_TOOL="curl" in cert-puller.conf
To use fetch, set FETCH_TOOL to any other value, or remove it from the file.
Yep, lots to work on here.
## Certificate fingerprints for Postfix
If you need certificate fingerprints, say for Postfix, see also https://github.com/dlangille/fingerprint-shifter