iml-certman
Wrapper for acme.sh to create Let's Encrypt certificates from CSR files using DNS authentication (the DNS-01 challenge, driven through your DNS provider's API). It was written to create/renew all needed certificates on one central system and to deploy them from there (Ansible, Puppet, ...).
source: https://git-repo.iml.unibe.ch/open-source/iml-certman
license: GNU GPL 3.0 http://www.gnu.org/licenses/gpl-3.0.html
Installation
- Install the acme.sh client: https://github.com/acmesh-official/acme.sh
- Clone or extract the files of iml-certman
- Copy each *.dist file to a file without the ".dist" extension and edit the copy:
  - inc_config.sh
    - set the credentials for the DNS API; this file then holds secrets, so keep it readable only by the user that runs cm.sh
    - set the path to the acme.sh script; the default is a relative path that matches the suggested layout below
    - optional: set a custom target directory for the generated certificates
    - optional: for testing, enable the Let's Encrypt staging server so you do not run into the weekly rate limits during tests
  - templates/csr.txt
    - set location, company and department ... note: Let's Encrypt currently drops these subject fields from the issued certificate, so they only appear in the CSR
A suggested structure is to have acme.sh and this wrapper below the same parent directory, e.g.
/opt/letsencrypt/
|
+-- acme.sh/
|   |
|   + acme.sh
|   + ...
|
+-- iml-certman/
    |
    +-- certs/
    +-- csr/
    +-- templates/
    + cm.sh
    + inc_config.sh
    + ...
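The installation steps and the layout above can be prepared and checked with a short script. This is an added example and not part of iml-certman or acme.sh: it assumes the suggested layout (acme.sh/acme.sh and iml-certman/cm.sh under one parent directory) and the two .dist files this README names (inc_config.sh.dist and templates/csr.txt.dist); the function names copy_dist_files and check_layout are the example's own. It never overwrites an existing copy, so re-running it after you have filled in the DNS API credentials is safe, and it restricts inc_config.sh to its owner because that file holds those credentials.

```shell
#!/bin/sh
# Added example, not part of iml-certman: prepare a fresh checkout.
# Assumed layout: ROOT/acme.sh/acme.sh and ROOT/iml-certman/cm.sh as in the
# README; the *.dist file names are the ones the README mentions.
set -eu

# copy_dist_files DIR
# For every FILE.dist below DIR create FILE if it does not exist yet.
# Existing files are left alone, so an already edited inc_config.sh
# (with your DNS API credentials) is never clobbered.
# Prints the path of each file it created.
copy_dist_files() {
    dir=$1
    find "$dir" -type f -name '*.dist' | while IFS= read -r dist; do
        target=${dist%.dist}
        if [ -e "$target" ]; then
            continue
        fi
        cp "$dist" "$target"
        # inc_config.sh will hold DNS API credentials: owner read/write only.
        case "$(basename "$target")" in
            inc_config.sh) chmod 600 "$target" ;;
        esac
        printf '%s\n' "$target"
    done
}

# check_layout ROOT
# Verify the suggested layout: ROOT/acme.sh/acme.sh and ROOT/iml-certman/cm.sh
# must exist and be executable. Returns 0 if both are present, 1 otherwise,
# and names every missing piece on stderr.
check_layout() {
    root=$1
    ok=0
    [ -x "$root/acme.sh/acme.sh" ] || { echo "missing: $root/acme.sh/acme.sh" >&2; ok=1; }
    [ -x "$root/iml-certman/cm.sh" ] || { echo "missing: $root/iml-certman/cm.sh" >&2; ok=1; }
    return $ok
}

# Run directly as: prepare.sh /opt/letsencrypt
if [ "$#" -gt 0 ]; then
    check_layout "$1"
    copy_dist_files "$1/iml-certman"
fi
```

After the script has run, edit the created inc_config.sh and templates/csr.txt as described above and finish with ./cm.sh selftest.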
Usage
Run cm.sh without any parameter to show the help.
Verify a new setup (or changes in the config) with ./cm.sh selftest.
./cm.sh
_______________________________________________________________________________
- - - ---===>>> CERT MANAGER <<<===--- - - -
_______________________________________________________________________________
DEBUG: Using Let's Encrypt STAGE environment ...
DEBUG: You can test and mess around. Do not use certs in production.
HELP
    The basic syntax is
    cm.sh ACTION [FQDN] [ALIAS_1 [.. ALIAS_N]]

    The ACTIONs for SINGLE certificate handlings are:

    add FQDN [.. FQDN-N]
        create new certificate
        The first FQDN is a hostname to generate the certificate for.
        Following multiple hostnames will be used as DNS aliases in the
        same certificate.
        It updates files in ./certs

    add-or-renew FQDN [.. FQDN-N]
        This param is for automation tools like Ansible or Puppet.
        It checks if the certificate for first (*) FQDN exists.
        If not: add a new cert (see "add").
        If so: call renew action (see "renew")
        (*) it doesn't verify the DNS aliases

    delete FQDN
        delete all files of a given certificate

    renew FQDN
        renew (an already added) certificate
        and update files in ./certs

    show FQDN
        show place of csr + certificate data and show certificate

    ACTIONs for ALL certs

    list
        list all certificates including creation and renew date

    renew-all
        renew all certificates (fast mode - without --force)
        and update files in ./certs

    other ACTIONs

    selftest
        check of health with current setup and requirements.
        This command is helpful for initial setups.
DEBUG: Using Let's Encrypt STAGE environment ...
DEBUG: You can test and mess around. Do not use certs in production.
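For the automation case the help text describes under add-or-renew, a small driver on the central system can run the action for every host in a list and keep going when one host fails, so that a cron job or configuration-management task sees one exit status for the whole run. This is an added example and not code from iml-certman: the host list format (one certificate per line, the FQDN followed by its aliases, "#" starts a comment), the CM variable and the function name add_or_renew_all are assumptions of the example; the add-or-renew action and its exit status come from cm.sh.

```shell
#!/bin/sh
# Added example, not part of iml-certman: run "cm.sh add-or-renew" for every
# host in a list file on the central system. Assumptions of this example:
# the list format (one certificate per line: FQDN followed by its aliases,
# "#" starts a comment) and the CM variable; add-or-renew itself is cm.sh's.
set -u

# Path of the cm.sh wrapper; override with CM=/opt/letsencrypt/iml-certman/cm.sh
CM=${CM:-./cm.sh}

# add_or_renew_all LISTFILE
# Calls "$CM add-or-renew FQDN [ALIAS ...]" for each entry of LISTFILE.
# cm.sh output is sent to stderr so that stdout only carries the result:
# the FQDNs whose run failed, one per line. Returns 0 if every host
# succeeded and 1 if at least one failed; the run is not aborted on the
# first failure, the remaining hosts are still processed.
add_or_renew_all() {
    list=$1
    failed=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}           # drop comments
        set -- $line               # split into FQDN and aliases
        [ "$#" -gt 0 ] || continue # skip blank lines
        fqdn=$1
        if ! "$CM" add-or-renew "$@" 1>&2; then
            failed="$failed $fqdn"
        fi
    done < "$list"
    for f in $failed; do
        printf '%s\n' "$f"
    done
    [ -z "$failed" ]
}

# Run directly as: add_or_renew_all.sh /etc/iml-certman/hosts.list
if [ "$#" -gt 0 ]; then
    add_or_renew_all "$1"
fi
```

Because add-or-renew only checks that a certificate for the first FQDN exists, neither cm.sh nor this driver notices a changed alias list; for such a host run delete and then add explicitly. A non-zero exit status tells the caller that at least one host needs attention, and the failed FQDNs are on stdout for the job's report.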