
Provision TLS *Cer*tificates for your *LAN*, using the ACME DNS challenge.

Project description

LAN-Cer: Certificates For Your LAN

lancer is a tool which will quickly and simply provision certificates for any number of hosts in a domain, using Let's Encrypt, assuming that you have an API-controlled DNS service.

The Problem

You have too many computers. Too many (all) of them have to talk to the Internet. And, as we all know, any computer on the internet needs a TLS certificate and the lock icon that comes with it if you want to be able to talk to it.

For example:

  1. Maybe you need to test some web APIs that don't work without HTTPS, so you need a development certificate for localhost.
  2. Maybe you have an OpenWRT router and you need to administer it via its web interface; you don't want every compromised IoT device or bored teenager on your WiFi to be able to read your administrator password.

The Bad Old Days

Previously the way you'd address problems like this would be to:

  • ⚠️😡⚠️ use a garbage self-signed root and click through annoying warnings all the time
  • 🔒️🗑️🔒️ add a garbage self-signed root to your trust store
  • 🔥😱🔥 turn off certificate validation entirely in your software

These are all bad in similar ways: they decrease your security and they require fiddly, machine-specific configuration that has to be repeated on every new machine that needs to talk to such endpoints.

The Solution

Let's Encrypt is 99% of the solution here. And, for public-facing internet services, it's almost trivially easy to use; many web servers provide built-in support for it. But you don't want to use production certificates for your main website on your development box: you want to put an entry in /etc/hosts under a dedicated test domain name, and you shouldn't have to figure out how to route inbound public traffic to a web server on that host name in order to respond to a challenge.

Luckily, Let's Encrypt offers DNS-01 validation, so all you need to do is update a DNS record. Lancer uses this challenge.

What You Need

Your DNS needs to be hosted on a platform that libcloud supports (Rackspace DNS and CloudFlare are two that I have tested with), or on Gandi, whose V5 API Lancer has specific support for. You will need an API key.

How To Use It

  1. pip install lancer
  2. mkdir certificates-for-mydomain.com
  3. Create empty files for the certificates you want to provision: touch certificates-for-mydomain.com/myhost1.lan.mydomain.com.pem certificates-for-mydomain.com/myhost2.lan.mydomain.com.pem
  4. lancer certificates-for-mydomain.com

Upon first run, lancer will ask you 4 questions:

  1. what driver do you want to use? this should be the libcloud driver name, or 'gandi' for the Gandi V5 API.
  2. what is your username?
  3. what is the DNS zone that you will be provisioning certificates under? (usually this is the registrable part of the domain name; if you want certificates for lan.somecompany.com then your zone is usually somecompany.com)
  4. what is your API key? This will be prompted for and stored with Secretly, which uses Keyring to securely store secrets; this may mean that in certain unattended configurations you might need keyrings.alt to store your API key in a configuration file rather than something like Keychain or GnomeKeyring.

It will store the answers to the first three questions in certificates-for-mydomain.com/lancer.json and the secrets depending upon your keyring configuration, so you shouldn't need to answer them again (although you may need to click through a security confirmation on subsequent attempts to allow access to your API key).
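To make concrete what the DNS-01 challenge mentioned above actually requires lancer to publish, and why the zone question matters, here is an added illustration (not lancer's own code) of the record name and TXT value an ACME client must derive: the name is `_acme-challenge.` prefixed to the host, expressed relative to the hosted zone, and the value is the base64url SHA-256 of the token joined to the account key's RFC 7638 thumbprint. The token and JWK below are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, in lexicographic
    order, with no whitespace. Optional members such as 'alg' must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(keyAuthorization)), keyAuthorization = token '.' thumbprint."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(fqdn: str, zone: str) -> str:
    """Name of the challenge record relative to the hosted zone, which is the form
    a DNS provider API expects. Refuses hosts outside the zone rather than silently
    writing a record that could never validate."""
    fqdn = fqdn.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if fqdn == zone:
        return "_acme-challenge"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return "_acme-challenge." + fqdn[: -len(zone) - 1]


# Constructed sample values; a real token comes from the ACME server and the JWK
# is the public half of the account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-base64url", "e": "AQAB", "alg": "RS256"}


def challenge_record(fqdn: str, zone: str, token: str, jwk: dict) -> tuple:
    """(relative record name, TXT value) to publish in the zone before asking for validation."""
    return dns01_record_name(fqdn, zone), dns01_txt_value(token, jwk)


if __name__ == "__main__":
    name, value = challenge_record("myhost1.lan.mydomain.com", "mydomain.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish TXT {name}.mydomain.com = {value}")
```

Once the TXT record is visible from the public resolvers, the CA checks it, the record can be deleted, and the certificate is issued; the account key itself never leaves the client.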

Wait for lancer to log that it has successfully provisioned your certificates, and copy your now-no-longer-empty .pem files (which will each contain a certificate, chain certificates, and a private key) to wherever you need them on your LAN. You can kill it with ^C or you can just leave it running in the background and let it auto-renew every 90 days or so.

If you don't leave it running, to renew your certificates when they've expired, simply run lancer certificates-for-mydomain.com again, and any expired or soon-to-expire .pem files in that directory will be renewed and replaced. You can add new certificates at any time by creating new, empty fully-qualified-domain-name.pem files.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution: lancer-0.4.0.tar.gz (7.1 kB)

Built Distribution: lancer-0.4.0-py2.py3-none-any.whl (17.0 kB, Python 2 and Python 3)
