Hahn Axel (hahn) authored c759966a

iml-certman

Wrapper for acme.sh to create Let's Encrypt certificates from CSR files using DNS authentication (the ACME dns-01 challenge). It was written to create and renew all needed certificates on one central system and to deploy them from there with a configuration management tool (Ansible, Puppet, ...).

source: https://git-repo.iml.unibe.ch/open-source/iml-certman
license: GNU GPL 3.0 http://www.gnu.org/licenses/gpl-3.0.html

Installation

  • Install the acme.sh client: https://github.com/acmesh-official/acme.sh
  • Clone or extract the files of iml-certman
  • Copy each *.dist file to a file without the ".dist" extension and edit the copy:
    • inc_config.sh
      • set the credentials for the DNS API of your provider (acme.sh needs them to place the dns-01 challenge records)
      • set the path to the acme.sh script; the default is a relative path that matches the suggested constellation below
      • optional: set a custom target directory for the generated certificates
      • optional: for testing, enable the Let's Encrypt staging server so that test runs do not hit the weekly rate limits of the production CA; certificates from staging are not trusted by browsers
    • templates/csr.txt
      • set location, company and department ... remark: Let's Encrypt only keeps the CN in the subject of the issued certificate, so these fields are currently dropped

A suggested structure is to have acme.sh and this wrapper below the same parent directory, e.g.

/opt/letsencrypt/
  |
  +-- acme.sh/
  |     |
  |     + acme.sh
  |     + ...
  |
  +-- iml-certman/
        |
        +-- certs/
        +-- csr/
        +-- templates/
        + cm.sh
        + inc_config.sh
        + ...

Usage

Without any parameter it shows the help text.

Verify a new setup (or changes in the config) with ./cm.sh selftest.


./cm.sh 
_______________________________________________________________________________


                - - - ---===>>> CERT MANAGER <<<===--- - - -

_______________________________________________________________________________

DEBUG: Using Let's Encrypt STAGE environment ...
DEBUG: You can test and mess around. Do not use certs in production.

HELP

The basic syntax is
cm.sh ACTION [FQDN] [ALIAS_1 [.. ALIAS_N]]

The ACTIONs for SINGLE certificate handling are:

        add FQDN [.. FQDN-N] 
                create new certificate
                The first FQDN is a hostname to generate the certificate for. 
                Following multiple hostnames will be used as DNS aliases in the 
                same certificate.
                It updates files in ./certs

        add-or-renew FQDN [.. FQDN-N] 
                This action is for automation tools like Ansible or Puppet.
                It checks if the certificate for first (*) FQDN exists.
                If not: add a new cert (see "add").
                If so: call renew action (see "renew")

                (*) it doesn't verify the DNS aliases

        delete FQDN
                delete all files of a given certificate

        renew FQDN
                renew (an already added) certificate
                and update files in ./certs

        show FQDN
                show the location of the CSR and certificate files and print the certificate

ACTIONs for ALL certs

        list
                list all certificates including creation and renew date

        renew-all
                renew all certificates (fast mode - without --force)
                and update files in ./certs

other ACTIONs

        selftest
                check the health of the current setup and its requirements.
                This command is helpful for initial setups.

DEBUG: Using Let's Encrypt STAGE environment ...
DEBUG: You can test and mess around. Do not use certs in production.
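The add-or-renew action only checks that a certificate for the first FQDN exists; it does not compare the alias list. An automation run that adds or removes an alias therefore keeps renewing a certificate whose SAN list is stale. The following script is an added example, not part of iml-certman or acme.sh: it runs cm.sh add-or-renew for one host and its aliases and then inspects the issued certificate with openssl, failing the run when the DNS SAN entries do not match the requested names or when the certificate expires within 30 days. The location of cm.sh (CERTMAN_DIR) and the file name certs/<FQDN>.crt for the leaf certificate are assumptions; the page does not document the layout of ./certs.

```shell
#!/usr/bin/env bash
# Added example (not part of iml-certman): run "cm.sh add-or-renew" and verify
# the result, because add-or-renew does not check the DNS aliases itself.
set -euo pipefail

# ASSUMPTION: cm.sh lives in CERTMAN_DIR and writes the PEM leaf certificate
# for a host to CERTMAN_DIR/certs/<FQDN>.crt. Adjust to your inc_config.sh.
CERTMAN_DIR="${CERTMAN_DIR:-/opt/letsencrypt/iml-certman}"

# Print the DNS entries of the subjectAltName extension, one per line, sorted.
# Uses "openssl x509 -text" so it works with OpenSSL versions without "-ext".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p' \
    | sort -u
}

# Return 0 when the set of DNS SANs in the certificate ($1) equals the set of
# requested names ($2..). Order does not matter, duplicates are ignored.
sans_match() {
  local cert="$1"; shift
  local want have
  want=$(printf '%s\n' "$@" | sort -u)
  have=$(cert_sans "$cert")
  [ "$want" = "$have" ]
}

# Return 0 when the certificate ($1) is still valid in $2 days from now.
cert_valid_for_days() {
  local seconds=$(( $2 * 86400 ))
  openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null
}

# Ensure a certificate for FQDN ($1) with aliases ($2..) exists and is sane.
# Exit status 1 tells the calling automation tool that manual action is needed.
ensure_cert() {
  local fqdn="$1"
  local cert="$CERTMAN_DIR/certs/$fqdn.crt"   # ASSUMPTION: output file name

  "$CERTMAN_DIR/cm.sh" add-or-renew "$@"

  if ! sans_match "$cert" "$@"; then
    echo "WARNING: $cert does not carry exactly the requested names: $*" >&2
    echo "         add-or-renew keeps the old alias list; re-issue the certificate." >&2
    return 1
  fi
  if ! cert_valid_for_days "$cert" 30; then
    echo "WARNING: $cert expires within 30 days; renewal may have failed." >&2
    return 1
  fi
  echo "OK: $cert valid, SANs: $(cert_sans "$cert" | tr '\n' ' ')"
}

# Usage: ./check-certs.sh FQDN [ALIAS ...]   (same argument order as cm.sh)
if [ "$#" -gt 0 ]; then
  ensure_cert "$@"
fi
```

Call it with the same argument list you would hand to cm.sh, e.g. from an Ansible command task; a non-zero exit marks the host as failed instead of silently deploying a certificate that no longer lists all names.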