Manage and maintain info on SSL certificates for domains. Info is stored in PostgreSQL.
Repository contents (initial commit, 2024-10-03 14:35:12 -07:00):

  • __pycache__
  • .gitignore
  • CertInfo.py
  • certmanager.py
  • config.py
  • database.ini.EXAMPLE
  • README.md
  • requirements.txt
  • testconn.py

Cert Manager

Cert Manager is a program to manage SSL/TLS certificates for multiple domains. It stores information in a PostgreSQL database. It retrieves the certificate each domain is actually serving and updates the database records accordingly, reports on expiring or expired certificates, and renews certificates (by running certbot, see below).

Requirements

cryptography, psycopg v3 (both listed in requirements.txt). Renewal (--renew) additionally needs certbot with the dns-rfc2136 plugin installed on the host.

# Install with virtualenv
# remove any existing venv:
rm -rf venv
# set up venv and install the dependencies:
virtualenv venv && source ./venv/bin/activate && pip install -r requirements.txt

# Install without virtualenv (not recommended):
pip install cryptography psycopg[binary]

Configuration

  • Settings (database connection details) are stored in database.ini; start from database.ini.EXAMPLE. The file holds the database credentials, so keep it out of version control and readable only by the user that runs Cert Manager.

cert_manager database

  • Contains the master list of all domains
  • The "isActive" column indicates whether a domain is currently active (only active domains are checked, listed and renewed)

Usage

--help  # show help
--check-live  # check the certificate a domain is currently serving
--checkall  # check SSL certificates for all managed domains
--list-active  # list all active domains
--critical  # list all domains whose certificate is expired or about to expire
--info  # show stored info about a domain
--refresh  # refresh cert info in the database for a domain
--refresh-all  # refresh cert info in the database for all domains
--renew  # renew the certificate for a domain
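The --check-live and --critical steps above come down to two operations: fetch the leaf certificate a host presents, then turn its expiry into a status. The following is an added example of those two operations, not code from the Cert Manager project; it uses only the Python standard library, and the 14-day warning threshold, the status names and the sample certificate dict are assumptions of the example.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def fetch_live_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with certificate verification ON and return the peer certificate
    as the dict that ssl.SSLSocket.getpeercert() produces.

    Verification is left enabled deliberately: with CERT_NONE getpeercert()
    returns an empty dict, and a monitoring check that disables validation
    would happily record an untrusted or wrong-name certificate as healthy.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify_cert(cert: dict, now: Optional[datetime] = None, warn_days: int = 14) -> dict:
    """Reduce a getpeercert() dict to what the database needs to store:
    expiry, DNS SANs, days remaining and a status of ok / critical / expired.
    warn_days is an assumed threshold; the project's own is not documented."""
    now = now or datetime.now(timezone.utc)
    # notAfter is the OpenSSL text form, e.g. "Jan 29 00:00:00 2023 GMT"
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (not_after - now).days
    if not_after <= now:
        status = "expired"
    elif days_left < warn_days:
        status = "critical"
    else:
        status = "ok"
    return {"not_after": not_after, "sans": sans, "days_left": days_left, "status": status}


def check_live(host: str, port: int = 443, warn_days: int = 14) -> dict:
    """The --check-live step: fetch and classify, reporting failures as data
    instead of letting the domain silently drop out of the report."""
    try:
        return classify_cert(fetch_live_cert(host, port), warn_days=warn_days)
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong-name or untrusted chains never reach classify_cert.
        return {"status": "invalid", "reason": exc.verify_message, "days_left": None}
    except OSError as exc:  # DNS failure, refused or timed-out connection, handshake error
        return {"status": "unreachable", "reason": str(exc), "days_left": None}


# Constructed sample in the exact shape getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Oct 31 00:00:00 2022 GMT",
    "notAfter": "Jan 29 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.org"]:
        print(host, check_live(host))
```

Note the failure mode: an already-expired certificate fails validation, so it shows up as "invalid" with the OpenSSL verify message rather than as "expired"; both should land in the --critical report. If the stored record must also cover certificates that do not validate, fetch the DER form with getpeercert(binary_form=True) and parse it with cryptography instead of relying on the dict.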

Create database and user

Add this line to the bottom of /etc/postgresql/15/main/pg_hba.conf (substitute the directory of your installed PostgreSQL major version; the postgresql.conf path below uses 17):

local   cert_manager    cert_manager                            peer

A "local" line only matches connections over the Unix-domain socket, and "peer" authenticates by checking that the connecting OS user name equals the database user name, so this works when Cert Manager runs as an OS user named cert_manager (or through a pg_ident map). Connections to 127.0.0.1 are TCP and are matched by "host" lines instead; if the program connects that way, add a line such as

host    cert_manager    cert_manager    127.0.0.1/32            scram-sha-256

and give the cert_manager role a password (which then belongs in database.ini, not on the command line).

Make sure the port in /etc/postgresql/17/main/postgresql.conf agrees with the port in cert-manager-db-setup:

sudo grep port /etc/postgresql/17/main/postgresql.conf

# reload postgresql:
sudo systemctl reload postgresql
# setup db:
/usr/bin/cp -f cert-manager.sql cert-manager-db-setup /tmp/
cd /tmp
./cert-manager-db-setup
# test db access over TCP on port 5433 (drop --host to test the socket/peer path):
psql --username=cert_manager --host=127.0.0.1 --port=5433 --dbname=cert_manager --command="SELECT * FROM main LIMIT 3"

Create database (Windows)

  • assumes the Windows version of PostgreSQL is installed
  • the schema is loaded as cert_manager (not postgres) so the tables are owned by the application role; -U and --username are the same psql option, so give it only once
dropdb -U postgres --echo --if-exists cert_manager
dropuser -U postgres --echo --if-exists cert_manager
createuser -U postgres --echo --pwprompt cert_manager
createdb -U postgres --echo --owner=cert_manager cert_manager
psql --username=cert_manager --dbname=cert_manager --echo-all --file=cert-manager.sql

certbot output

  • --renew runs certbot via subprocess.run(); its output (below) needs to be captured and parsed for the success line, the certificate and key paths, and the expiry date
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d 'example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
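The following is an added example of capturing and parsing that transcript; it is not the project's certmanager.py. The function and field names are the example's own, the sample transcript is the one above embedded as a string so the parser runs offline, and the allow-list for domain names is an assumption of the example. The certbot flags used (certonly, --non-interactive, --dns-rfc2136, --dns-rfc2136-credentials, --dry-run) are real certbot options.

```python
import re
import subprocess
from datetime import date

# Constructed sample: the certbot transcript from the README, embedded so the
# parser can be exercised offline (example code, not part of the project).
SAMPLE_CERTBOT_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
"""

# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(\*\.)?{_LABEL}(\.{_LABEL})+$")


def is_valid_domain(domain: str) -> bool:
    """Allow-list check for a plain (optionally wildcard) DNS name."""
    return len(domain) <= 253 and _HOSTNAME_RE.match(domain) is not None


def validate_domain(domain: str) -> str:
    """The domain ends up on a certbot command line; allow-list it up front
    rather than trying to escape it later."""
    if not is_valid_domain(domain):
        raise ValueError(f"refusing to pass suspicious domain to certbot: {domain!r}")
    return domain.lower()


def parse_certbot_output(text: str) -> dict:
    """Pull the fields worth recording out of a certbot certonly transcript."""
    result = {"success": False, "fullchain": None, "privkey": None, "expires": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Successfully received certificate.":
            result["success"] = True
        elif line.startswith("Certificate is saved at:"):
            result["fullchain"] = line.split(":", 1)[1].strip()
        elif line.startswith("Key is saved at:"):
            result["privkey"] = line.split(":", 1)[1].strip()
        else:
            m = re.match(r"This certificate expires on (\d{4}-\d{2}-\d{2})\.", line)
            if m:
                result["expires"] = date.fromisoformat(m.group(1))
    return result


def renew_certificate(domain: str, credentials: str = "/etc/letsencrypt/rfc2136.ini",
                      dry_run: bool = False) -> dict:
    """Run certbot non-interactively and return the parsed result.

    The command is an argument list (no shell=True), so the domain is never
    interpreted by a shell. The credentials path mirrors the README's example
    and is an assumed default."""
    cmd = ["certbot", "certonly", "--non-interactive",
           "--dns-rfc2136", "--dns-rfc2136-credentials", credentials,
           "-d", validate_domain(domain)]
    if dry_run:
        cmd.append("--dry-run")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    # certbot splits its messages between stdout and stderr; parse both.
    result = parse_certbot_output(proc.stdout + "\n" + proc.stderr)
    result["returncode"] = proc.returncode
    if proc.returncode != 0:
        result["success"] = False  # a nonzero exit wins over any optimistic text
        result["error"] = proc.stderr.strip()
    return result
```

Certbot's console text is not a stable interface, so treat the parsed transcript as a convenience rather than the source of truth: the live directory (/etc/letsencrypt/live/<name>/) is deterministic, and the authoritative expiry date comes from reading fullchain.pem with cryptography after the run, which also covers the "not yet due for renewal" case where certbot exits 0 without issuing anything.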