initial commit
commit 6150895b86
9 changed files with 945 additions and 0 deletions
93
README.md
Normal file
@ -0,0 +1,93 @@
# Cert Manager

Cert Manager is a program to manage SSL certificates for multiple domains. It stores information in a PostgreSQL database. It retreives live certificates from the web and updates the database records accordingly. It reports on expiring or expired certificates, and it renews certifcates.


## Requirements

cryptography
psycopg v.3
```bash
# Install with the virtualenv
# remove existing venv:
rm -rf venv
# setup venv
virtualenv venv && source ./venv/bin/activate && pip install -r requirements.txt


# Install without virtualenv (not recommended):
pip install cryptography psycopg[binary]
```

## Configuration

- Settings stored in `database.ini`


## cert_manager database

- Contains master list of all domains
- "isActive" to indicate whether a domain is currently active


## Usage
```bash
--help # show help
--check-live # check info for live certficate
--checkall # check SSL certficates for all managed domains
--list-active # List all active domains
--critical # List all expired or soon-to-expire domains
--info # Show info about a domain
--refresh # Refresh cert info in database for domain
--refresh-all # Refresh cert info in database for all domains
--renew # Renew certificate for domain
```

## Create database and user

Add this line to the bottom of /etc/postgresql/15/main/pg_hba.conf:
```conf
local cert_manager cert_manager peer
```
Make sure port in /etc/postgresql/17/main/postgresql.conf agrees with port in cert-manager-db-setup

sudo grep port /etc/postgresql/17/main/postgresql.conf
```bash
# reload postgresql:
sudo systemctl reload postgresql
# setup db:
/usr/bin/cp -f cert-manager.sql cert-manager-db-setup /tmp/
cd /tmp
./cert-manager-db-setup
# test db access
psql --username=cert_manager --host=127.0.0.1 --port=5433 --dbname=cert_manager --command="SELECT * FROM main LIMIT 3"
```
## Create database (Windows)

- assumes Windows version of PostgreSQL installed
```ps1
dropdb -U postgres --echo --if-exists cert_manager
dropuser -U postgres --echo --if-exists cert_manager
createuser -U postgres --echo --pwprompt cert_manager
createdb -U postgres --echo --owner=cert_manager cert_manager
psql -U postgres --username=cert_manager --dbname=cert_manager --echo-all --file=cert-manager.sql
```

## certbot output

- output from subprocess.run() needs to be captured and processed
```bash
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d 'example.org'
```
```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
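Review bot: the "test db access" command in the "Create database and user" section is not covered by the pg_hba.conf line the same section adds: `local cert_manager cert_manager peer` matches only Unix-socket connections, while the test connects over TCP (`--host=127.0.0.1 --port=5433`), which needs a `host` rule and a non-peer method (peer also presupposes an OS account named cert_manager). Either test over the socket or document the `host` rule the setup actually relies on. The paths also disagree on the PostgreSQL major version (`/etc/postgresql/15/main/pg_hba.conf` against `/etc/postgresql/17/main/postgresql.conf`); pick one. In the Windows block, the last `psql` line passes both `-U postgres` and `--username=cert_manager`, and the later flag wins, so one of them should go. Copying `cert-manager.sql` and `cert-manager-db-setup` into the world-writable `/tmp` and executing them from there lets any local user replace the files between the copy and the run; running them from the repository checkout avoids that. Since `database.ini` holds the connection settings, state what file permissions it needs and that it must not be committed. Finally, the description has typos: "retreives", "certifcates" and "certficate".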