Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/soerenschneider/acmevault

Receive x509 certs via ACME protocol and distribute them using Hashicorp Vault
https://github.com/soerenschneider/acmevault

acme acme-challenge acme-client acme-protocol acme-v2 certificate certificate-management letsencrypt tls vault x509

Last synced: 6 days ago
JSON representation

Receive x509 certs via ACME protocol and distribute them using Hashicorp Vault

Host: GitHub
URL: https://github.com/soerenschneider/acmevault
Owner: soerenschneider
License: apache-2.0
Created: 2021-06-16T20:09:28.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2024-10-28T00:58:43.000Z (18 days ago)
Last Synced: 2024-11-02T14:33:38.325Z (13 days ago)
Topics: acme, acme-challenge, acme-client, acme-protocol, acme-v2, certificate, certificate-management, letsencrypt, tls, vault, x509
Language: Go
Homepage:
Size: 917 KB
Stars: 4
Watchers: 3
Forks: 1
Open Issues: 10
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md

Awesome Lists containing this project

README

# acmevault
[![Go Report Card](https://goreportcard.com/badge/github.com/soerenschneider/acmevault)](https://goreportcard.com/report/github.com/soerenschneider/acmevault)
![test-workflow](https://github.com/soerenschneider/acmevault/actions/workflows/test.yaml/badge.svg)
![release-workflow](https://github.com/soerenschneider/acmevault/actions/workflows/release-container.yaml/badge.svg)
![golangci-lint-workflow](https://github.com/soerenschneider/acmevault/actions/workflows/golangci-lint.yaml/badge.svg)

## Features

🔐 Issues certificates from any [ACME provider](https://datatracker.ietf.org/doc/html/rfc8555), such as Let's Encrypt

⏰ Automatically renews certificates before they expire

🔌 Stores all data inside Vault and thus decouples from clients

## Why would I need this?

## Problem Statement

Rolling out TLS encryption shouldn't need to be pitched anymore (even for internal services). Using the DNS01 ACME challenge is proven and allows issuing certs non-public routable machines. On the other hand, you need to have access to either highly-privileged/narrowly-scoped credentials of your DNS provider to solve these DNS01 challenges.

In the case of Route53, if you don't want to end up creating dozens of hosted zones, one for each of your subdomains, you're at risk of leaking highly-privileged IAM credentials.

Acmevault requests short-lived IAM credentials for Route53 and uses them to perform DNS01 challenges for the configured domains and writes the issued X509 certificates to Hashicorp Vault's K/V secret store - only readable by the appropriate AppRole.

Its client mode reads the respective written certificates from Vault and installs them to a preconfigured location, optionally invoking post-installation hooks.

## Overview
![Overview](docs/diagrams/sequence.svg)

## Installation

### Docker / Podman
```
$ git clone https://github.com/soerenschneider/acmevault
$ cd acmevault
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/acmevault -conf /config/server.json
```
### Binaries
Download a prebuilt binary from the [releases section](https://github.com/soerenschneider/acmevault/releases) for your system.

### From Source
As a prerequisite, you need to have [Golang SDK](https://go.dev/dl/) installed. Then you can install acmevault from source by invoking:
```shell
$ go install github.com/soerenschneider/acmevault@latest
```

## Configuration
See the [configuration section](docs/configuration.md) for examples and configuration reference.

## Observability
See the [metrics section](docs/configuration.md) for an overview of exposed metrics.

## Changelog
See the full changelog [here](CHANGELOG.md)