Skip to main content

Tool to manage Lets Encrypt certificates from configuration file

Project description

========================================
lecm: Let's Encrypt Certificates Manager
========================================

|buildstatus|_ |release|_


`Let's Encrypt`_ Certificates Manager (lecm) is an
utility that allows one to manage (generate and renew) Let's Encrypt SSL
certificates.

Goal
----

The goal of ``lecm`` is to be able to generate and renew
`Let's Encrypt`_ SSL certificates automatically.

``lecm`` is configuration driven. Each certificate that needs to be managed
is described in the configuration file.


How to run it
-------------

``lecm`` is configuration driven. The configuration file is (by order of
priority):

1. The one specified on the command line (``lecm --conf /path/to/conf.yml``)
2. The one specified in the environment variable ``$LECM_CONFIGURATION``
3. The ``/etc/lecm.conf``

``lecm`` supports various commands:


``--generate``
^^^^^^^^^^^^^^

``lecm --generate`` will generate SSL certificates for items listed in the
configuration file that are not present in the filesystem.


``--renew``
^^^^^^^^^^^

``lecm --renew`` will renew SSL certificates already present on the filesystem
if its expiry date is lower than the ``remainin_days`` value.

``--list``
^^^^^^^^^^

``lecm --list`` will display basic informations about currently configured items.


.. code-block::

+----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+
| Item | Status | subjectAltName | Location | Days |
+----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+
| lecm-test.distributed-ci.io | Generated | DNS:lecm-test.distributed-ci.io | /etc/letsencrypt/pem/lecm-test.distributed-ci.io.pem | 89 |
| lecm-test-test.distributed-ci.io | Not-Generated | DNS;lecm-test-test.distributed-ci.io,DNS:lecm.distributedi-ci.io | /etc/letsencrypt/pem/lecm-test-test.distributed-ci.io.pem | N/A |
+----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+


``--list-details``
^^^^^^^^^^^^^^^^

``lecm --list-details`` will display details informations about currently configured items.

.. code-block::

+----------------------------------+---------------+------------------------------------------------------------------+---------------------------+-----------------------------------------------------------+------+------+--------+------+
| Item | Status | subjectAltName | emailAddress | Location | Type | Size | Digest | Days |
+----------------------------------+---------------+------------------------------------------------------------------+---------------------------+-----------------------------------------------------------+------+------+--------+------+
| lecm-test.distributed-ci.io | Generated | DNS:lecm-test.distributed-ci.io | distributed-ci@redhat.com | /etc/letsencrypt/pem/lecm-test.distributed-ci.io.pem | RSA | 4096 | sha256 | 89 |
| lecm-test-test.distributed-ci.io | Not-Generated | DNS;lecm-test-test.distributed-ci.io,DNS:lecm.distributedi-ci.io | distributed-ci@redhat.com | /etc/letsencrypt/pem/lecm-test-test.distributed-ci.io.pem | RSA | 2048 | sha256 | N/A |
+----------------------------------+---------------+------------------------------------------------------------------+---------------------------+-----------------------------------------------------------+------+------+--------+------+


Configuration
-------------

Every parameters are either applicable globally or within the scope of a certificate. The finest specification wins.

+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| Parameter | Scope | Default | Description |
+========================+================+=========+===============================================================================+
| path | global, backup | None | Foler where will reside all the relevant files |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| type | global, backup | RSA | Type of the key to generate (Possible: RSA, DSA) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| size | global, backup | 4096 | Size of the key to generate |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| digest | global, backup | sha256 | Digest of the key to generate |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| version | global, backup | 3 | Version of the SSL Certificate to generate |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| subjectAltName | global, backup | None | subjectAltName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| countryName | global, backup | None | countryName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| stateOrProvinceName | global, backup | None | stateOrProvinceName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| localityName | global, backup | None | localityName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| organizationName | global, backup | None | organizationName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| organizationalUnitName | global, backup | None | organizationalUnitName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| commonName | global, backup | None | commonName value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| emailAddress | global, backup | None | emailAddress value of the Certificate Signing Request (csr) |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| account_key_name | global, backup | None | Name of the account key to generate |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| remaining_days | global, backup | 10 | Number of days of validity below which the SSL Certificate should be renewed |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+
| service_name | global, backup | None | Service that needs to be reloaded for the change to be taken in consideration |
+------------------------+----------------+---------+-------------------------------------------------------------------------------+


Configuration file example
--------------------------

.. code-block::

---
path: /etc/letsencrypt
type: RSA
size: 4096
digest: sha256
version: 3
service_name: httpd
remaining_days: 10
emailAddress: admin@example.com
account_key_name: myhost.key

certificates:
my.example.com:
app.example.com:
subjectAltName:
- app.example.com
- app1.example.com
- app2.example.com
emailAddress: app-admin@example.com
size: 2048
service_name: nginx


Httpd and Nginx
---------------

``lecm`` does not configure the webservers, they have to be previously
configured to be able to answer the challenges.

httpd
^^^^^

.. code-block::

Alias /.well-known/acme-challenge /etc/letsencrypt/challenges/my.example.com
<Directory /etc/letsencrypt/challenges/my.example.com>
Require all granted
</Directory>


nginx
^^^^^

.. code-block::

location /.well-known/acme-challenge/ {
alias /etc/letsencrypt/challenges/my.example.com;
try_files $uri =404;
}


.. |buildstatus| image:: https://img.shields.io/travis/Spredzy/lecm/master.svg
.. _buildstatus: https://travis-ci.org/Spredzy/lecm

.. |release| image:: https://img.shields.io/pypi/v/lecm.svg
.. _release: https://pypi-hypernode.com/pypi/lecm

.. _Let's Encrypt: https://letsencrypt.org/

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

lecm-0.0.2.tar.gz (9.7 kB view details)

Uploaded Source

File details

Details for the file lecm-0.0.2.tar.gz.

File metadata

  • Download URL: lecm-0.0.2.tar.gz
  • Upload date:
  • Size: 9.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for lecm-0.0.2.tar.gz
Algorithm Hash digest
SHA256 608dbb8f5c479b0d39521d8db6291ea517c3038b4338db3c3cd31abd4bb83e3a
MD5 5ea581b23978ffcbcb8387fc7e5f16eb
BLAKE2b-256 42216374b5a3201fa058ed5e879a575af4b69d37023ae7f497510c6043727bf0

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page