- Description
- Setup - The basics of getting started with acme_vault
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module uses acme.sh to request letsencrypt certificates using the DNS-01 challenge. Once valid certificates are recieved, they are stored in Hashicorp vault where they can be retrieved by any appropriate machine.
This module consists of a common class, a request class, and a deploy class. The request class is intended to be enabled on a single machine that will handle all the certificate request and validation. The deploy class is then enabled on any machine that requires the requested certificates.
This module will create a new system user that is used to request and deploy certificates.
This module also assumes a working installation of vault.
Just include the appropriate modules for the appropriate machines, and make sure the required values are provided via hiera or class. Note: the common module must be included before either.
Typically this would involve a profile like:
class profiles::acme_request {
include ::acme_vault::common
include ::acme_vault::request
}
This section is where you describe how to customize, configure, and do the fancy stuff with your module here. It's especially helpful if you include usage examples and code samples for doing things with your module.
Classes:
This class needs to be included before acme_vault::request or acme_vault::deploy and contains configurations common to both. The user, vault, vault vars, and cron mailto are needed for both request and deploy
user to be created to request/deploy certs
Default value: acme_vault
group that owns the created certificates
members of the above group that will have access to created certificates. In most cases this will be the webserver group, or any other services that require reading the certs.
Default value: acme_vault
home dir of the above user, where scripts and config will be stored.
Default value: /home/$user
contact email used for cert registration, also used as MAILTO variable for cron jobs
Default value: ''
mapping of domains to be included in the cert. The key is the "main" domain, and the value is the list of extra names to be requested. Both the main domain and the list of domains are included.
REQUIRED
Vault token for authenticating to vault. This should have appropriate permissions applied in vault. A demo script is provided here
REQUIRED
Address of vault server
REQUIRED
Path to the vault binary.
Default value: /usr/local/bin/vault"
The path within vault where the certificates will be stored and retrieved.
Default value: /secret/letsencrypt/
This class uses acme.sh, and pulls down the git repo for it. It uses the namecheap provider in acme.sh to do the dns updating for the dns-01 challenge. It configures a cron job to periodically check if a cert needs renewal.
Note: it does not automatically trigger requesting certs, but relies on cron coordination to eventually reach the desired end state. Since certificate renewal has a large time window, this is acceptable. Any urgent issue/renewals can be triggered by running the cron job manually as needed.
user to be created to request/deploy certs
Default value: acme_vault
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: acme_vault
home dir of the above user, where scripts and config will be stored.
Default value: /home/$user
contact email used for cert registration, also used as MAILTO variable for cron jobs
Default value: ''
mapping of domains to be included in the cert. The key is the "main" domain, and the value is the list of extra names to be requested. Both the main domain and the list of domains are included.
REQUIRED
whether to use the acme staging endpoint
Valid values: true, false
Default value: false
url to acme staging endpoint
Default value: https://acme-staging-v02.api.letsencrypt.org/directory
url to the acme prod endpoint
Default value: https://acme-v02.api.letsencrypt.org/directory
git revision/tag to be used to checkout acme.sh repository.
Default value: HEAD
where the repo should be checked out.
Default value: $home_dir/acme.sh
path the the acme.sh script itself
Default value: $acme_repo_path/acme.sh
sourceip for namecheap requests (it is well known that this is ignored by their api)
Default value: 127.0.0.1
REQUIRED
username for namecheap dns api.
REQUIRED
token for namecheap api user.
REQUIRED
This class handles taking a cert/key out of vault, and placing it in a configured path on the filesystem. It will also accept a restart command to restart any appropriate services to take advantage of the new cert.
It employs a script, check_cert.sh, to validate the cert in vault exists, and is appropriate to replace the existing one
user to be created to request/deploy certs
Default value: acme_vault
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: acme_vault
home dir of the above user, where scripts and config will be stored.
Default value: /home/$user
mapping of domains to be included in the cert. The key is the "main" domain, and the value is the list of extra names to be requested. Both the main domain and the list of domains are included.
REQUIRED
where the cert should be deployed to. cert will end up in $cert_destination_path/$domain/.
Default value: /etc/acme
location for arbitrary scripts to reload certificates for applications. scripts will end up in $cert_destination_path/deploy.d/
Default value: /etc/acme/deploy.d
shell that is run after successful deployment. runs scripts in $deploy_scripts
Default value: for f in /etc/acme/deploy.d/*.sh; do "$f"; done
Has only been tested on Centos 7
Contributions are welcome!