/htools-dane-ca

An ACME server for use with DANE on Handshake domains.

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

Handshake Tools DANE CA

Live: https://acme.htools.work/

This is a fork of dvtirol/serles-acme, modified to issue certificates for use with DANE (on Handshake domains).

Features

  • Use with any ACME client (certbot, etc.)
  • Generate certificates for Handshake domains
  • New CA keys are generated (and destroyed) while signing every certificate

Customization options

Requests are flexible and options are passed by appending keywords to the email address:

  • +email - opt into receiving emails with TLSA records after every cert issue.
  • +nohip17 - opt out of HIP-17 (Stateless DANE) extensions
  • +longttl - request for long-lived certificates (1 year) - only applies if no HIP-17

Options can be combined. Example:

  • myvalidaddress+email+longttl+nohip17@gmail.com - get emails and long-lived certs without HIP-17 extensions

Usage

Use an ACME client like you would for any regular website, along with a new arg --server:

sudo certbot --nginx -d your_tld.or_sld --server https://acme.htools.work/directory --reuse-key

Documentation

Check out the original project this is forked from: dvtirol/serles-acme

Run Locally

Clone the project:

git clone https://github.com/htools-org/htools-dane-ca
cd htools-dane-ca

Set up a virtual env with venv or pyenv and activate it.

Then install dependencies:

pip install serles-acme

Create a config file from the example:

cp config.ini.example config.ini
# and then fill in values as needed.

Finally, tart the server with:

CONFIG=./config.ini python -m serles

Any client can connect to it now:

# either edit values in this script, or run certbot as usual
./examples-clients/certbot.sh

Support

For any support/help, feel free to join Handshake's Telegram or Discord groups and we'll do our best to find out what's wrong.

If there's any problem with the code or have suggestions, create a new issue.

License

GPL-3.0 License

Credit

Thanks to

  • @dvtirol for dvtirol/serles-acme this project is forked from (backend modularity was very useful!)
  • @brandondees for the idea of using CA this way
  • @buffrr for advice on certificates