
DEPRECATED - flask app and cli to do cert renewals

Primary language: Python. License: MIT.

mozilla-it/autocert

DigiCert info here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm

autocert

The autocert application is a two-part (cli|api) solution for managing SSL certs. The source code can be found here: https://github.com/mozilla-it/autocert

cli

The cli, or command-line interface, of autocert is simply an argparse interface that calls the api via the aiohttp library. The config file for autocert is located at ~/.config/autocert/config.yml

api

The api, or application program interface, is a RESTful service hosted via flask and nginx inside a docker container. The cli communicates with the api via RESTful calls; the api in turn handles talking to the CA (DigiCert) as well as the Zeus load balancers.

modhash

The modhash is an MD5 hash of the modulus of any (or all) of the SSL files. It is stored as a key in the .yml file included in the tarfile.

The modhash can be generated from any SSL file with one of the commands below:

openssl rsa -in name-of-file.key -noout -modulus | md5sum
openssl req -in name-of-file.csr -noout -modulus | md5sum
openssl x509 -in name-of-file.crt -noout -modulus | md5sum
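
The three commands above, wrapped into a helper that picks the right one from the PEM header and checks that a bundle's .key, .csr and .crt share one modhash. This is an added example, not code from the autocert project; the function names (modhash, bundle_consistent, make_sample) and the throwaway sample.invalid material it generates are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: modhash helper built on the three openssl commands above.

# Print the modhash of one PEM file, choosing the openssl subcommand from its header.
modhash() {
  case "$(grep -m1 -- '-----BEGIN' "$1" 2>/dev/null)" in
    *'CERTIFICATE REQUEST'*) mh_sub=req ;;   # .csr
    *'CERTIFICATE'*)         mh_sub=x509 ;;  # .crt (openssl reads the first cert only)
    *'PRIVATE KEY'*)         mh_sub=rsa ;;   # .key
    *) return 2 ;;                           # not a recognised PEM file
  esac
  # Capture the modulus first: if openssl fails, piping straight into md5sum
  # would still print a valid-looking hash (the MD5 of empty input).
  mh_mod=$(openssl "$mh_sub" -in "$1" -noout -modulus 2>/dev/null) || return 1
  [ -n "$mh_mod" ] || return 1
  # Same bytes as `openssl ... -modulus | md5sum`: "Modulus=<HEX>" plus newline.
  printf '%s\n' "$mh_mod" | md5sum | cut -d' ' -f1
}

# Succeed only if every file given has the same modhash as the first one.
bundle_consistent() {
  bc_want=$(modhash "$1") || return 1
  shift
  for bc_f in "$@"; do
    [ "$(modhash "$bc_f")" = "$bc_want" ] || return 1
  done
}

# Constructed sample material (hypothetical names): key, CSR and self-signed cert in dir $1.
make_sample() {
  openssl genrsa -out "$1/sample.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/sample.key" -subj "/CN=sample.invalid" \
    -out "$1/sample.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/sample.csr" -signkey "$1/sample.key" -days 1 \
    -out "$1/sample.crt" 2>/dev/null
}

# Demo: generate a throwaway bundle, print each modhash, then compare them.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample "$work"
for f in "$work/sample.key" "$work/sample.csr" "$work/sample.crt"; do
  printf '%s  %s\n' "$(modhash "$f")" "${f##*/}"
done
bundle_consistent "$work/sample.key" "$work/sample.csr" "$work/sample.crt" &&
  echo "bundle consistent"
```

A matching modhash shows only that the files share an RSA modulus; it says nothing about the certificate's chain, validity period or names.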

tarfile

The tarfile is a .tar.gz file located at /data/autocert/bundles. It comprises five files: .key, .csr, .crt, .yml and this README.

.key (rsa)

The key is an rsa private key, generated by the pyca/cryptography library.


.csr (req)

The csr is a request, generated by the pyca/cryptography library.


.crt (x509)

The crt is a PEM-format certificate (usually from the DigiCert CA) bundled together with the intermediate certificate, but excluding the root certificate. The two are concatenated in the same file, one after the other, and are easily separated if needed.

-----BEGIN CERTIFICATE-----
(certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate)
-----END CERTIFICATE-----