# Cert Manager

Cert Manager is a program to manage SSL/TLS certificates for multiple domains. It stores information in a PostgreSQL database, retrieves the live certificate served by each domain and updates the database records accordingly, reports on expiring or expired certificates, and renews certificates.

## Requirements

- cryptography
- psycopg v3

```bash
# Install with the virtualenv
# remove existing venv:
rm -rf venv
# setup venv
virtualenv venv && source ./venv/bin/activate && pip install -r requirements.txt

# Install without virtualenv (not recommended); the extra is quoted so the
# shell does not try to glob the square brackets:
pip install cryptography 'psycopg[binary]'
```

## Configuration

- Settings stored in `database.ini`
- `database.ini` holds the database credentials, so keep it readable only by the account that runs Cert Manager (e.g. `chmod 600 database.ini`)

## cert_manager database

- Contains master list of all domains
- "isActive" to indicate whether a domain is currently active

## Usage

```bash
--help          # show help
--check-live    # check info for live certificate
--checkall      # check SSL certificates for all managed domains
--list-active   # List all active domains
--critical      # List all expired or soon-to-expire domains
--info          # Show info about a domain
--refresh       # Refresh cert info in database for domain
--refresh-all   # Refresh cert info in database for all domains
--renew         # Renew certificate for domain
```

## Create database and user

Add this line to the bottom of /etc/postgresql/15/main/pg_hba.conf (the version directory, `15` here and `17` below, must match the installed PostgreSQL major version):

```conf
local   cert_manager    cert_manager    peer
```

Two things to keep in mind: pg_hba.conf is evaluated top to bottom and the first matching line wins, so an entry at the bottom only takes effect if no earlier, broader rule (such as `local all all ...`) already matches; and a `local` entry covers Unix-domain-socket connections only. The TCP test connection below (`--host=127.0.0.1`) is matched by `host` lines, not by this one.

Make sure the port in /etc/postgresql/17/main/postgresql.conf agrees with the port in cert-manager-db-setup:

```bash
sudo grep port /etc/postgresql/17/main/postgresql.conf
```

```bash
# reload postgresql:
sudo systemctl reload postgresql

# setup db:
/usr/bin/cp -f cert-manager.sql cert-manager-db-setup /tmp/
cd /tmp
./cert-manager-db-setup

# test db access
psql --username=cert_manager --host=127.0.0.1 --port=5433 --dbname=cert_manager --command="SELECT * FROM main LIMIT 3"
```

## Create database (Windows)

- assumes Windows version of PostgreSQL installed
- `-U` and `--username` are the same option, so the schema file is loaded as `cert_manager` (the database owner), which makes that role the owner of the objects it creates

```ps1
dropdb -U postgres --echo --if-exists cert_manager
dropuser -U postgres --echo --if-exists cert_manager
createuser -U postgres --echo --pwprompt cert_manager
createdb -U postgres --echo --owner=cert_manager cert_manager
psql --username=cert_manager --dbname=cert_manager --echo-all --file=cert-manager.sql
```

## certbot output

- The renewal step shells out to certbot; its output from `subprocess.run()` needs to be captured and processed to record the new certificate's paths and expiry date

```bash
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d 'example.org'
```

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
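One way to capture and process that certbot transcript, as an added example for this README rather than Cert Manager's own code. The function names (`parse_certbot_output`, `renew_with_certbot`), the `CertbotResult` record and the use of `--non-interactive` are this example's assumptions; the sample transcript is the one shown above, embedded so the parser runs offline.

```python
"""Turn certbot's human-readable output into a record the database can store.

Added example for this README; not part of Cert Manager's own code. The
names parse_certbot_output, renew_with_certbot and CertbotResult are this
example's own, not the project's.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample: the certbot transcript shown in this README.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
"""


@dataclass
class CertbotResult:
    success: bool
    domain: Optional[str]
    fullchain: Optional[str]
    privkey: Optional[str]
    expires: Optional[date]


# Each line of interest, anchored at line start so log noise cannot match.
_PATTERNS = {
    "domain": re.compile(r"^Requesting a certificate for (\S+)", re.M),
    "fullchain": re.compile(r"^Certificate is saved at:\s*(\S+)", re.M),
    "privkey": re.compile(r"^Key is saved at:\s*(\S+)", re.M),
    "expires": re.compile(r"^This certificate expires on (\d{4}-\d{2}-\d{2})", re.M),
}


def _first_group(pattern: re.Pattern, text: str) -> Optional[str]:
    match = pattern.search(text)
    return match.group(1) if match else None


def parse_certbot_output(text: str) -> CertbotResult:
    """Extract domain, file paths and expiry date; success requires the
    confirmation line *and* a certificate path, so a partial run is not
    recorded as a renewal."""
    found = {key: _first_group(pattern, text) for key, pattern in _PATTERNS.items()}
    expires = date.fromisoformat(found["expires"]) if found["expires"] else None
    success = "Successfully received certificate." in text and found["fullchain"] is not None
    return CertbotResult(success, found["domain"], found["fullchain"], found["privkey"], expires)


def renew_with_certbot(domain: str, credentials: str = "/etc/letsencrypt/rfc2136.ini") -> CertbotResult:
    """Run certbot and parse what it printed. Not exercised by the tests
    (needs certbot, root and DNS credentials).

    The command is an argument list, never a shell string, so a domain read
    from the database cannot inject shell syntax; --non-interactive keeps a
    prompt from hanging the scheduled run.
    """
    proc = subprocess.run(
        ["certbot", "certonly", "--non-interactive", "--dns-rfc2136",
         "--dns-rfc2136-credentials", credentials, "-d", domain],
        capture_output=True, text=True, check=False,
    )
    # certbot reports progress on stdout and errors on stderr; look at both.
    result = parse_certbot_output(proc.stdout + "\n" + proc.stderr)
    if proc.returncode != 0 or not result.success:
        raise RuntimeError(f"certbot failed for {domain} (rc={proc.returncode}): {proc.stderr.strip()}")
    return result


if __name__ == "__main__":
    print(parse_certbot_output(SAMPLE_OUTPUT))
```

The parser treats the absence of the confirmation line or of a certificate path as failure even when certbot exited 0, and `renew_with_certbot` raises rather than returning a half-filled record, so the caller never writes a renewal row the files on disk do not back up.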
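For the `--check-live` and `--critical` operations in the Usage section, the following is an added example (not Cert Manager's own code) of fetching a domain's live certificate over a verified TLS connection, reducing it to the fields a database row would hold, and classifying it as ok, warning, critical or expired. The function names, the 14- and 30-day thresholds and the sample `getpeercert()` dictionary are this example's assumptions; it uses only the Python standard library.

```python
"""Check a live TLS certificate and classify it for an expiry report.

Added example for this README, not Cert Manager's own code. The names
fetch_live_cert, summarize_cert, classify and check_domain, and the
WARN_DAYS / CRITICAL_DAYS thresholds, are this example's assumptions.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 30      # assumed threshold for "soon-to-expire"
CRITICAL_DAYS = 14  # assumed threshold for a --critical style listing


def fetch_live_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a *verified* TLS connection and return getpeercert()'s dict.

    Verification stays on: an expired or otherwise invalid chain raises
    ssl.SSLCertVerificationError, which the caller should record as a failed
    check rather than silently skip. Not exercised by the tests (needs network).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def utc_date(iso: str) -> datetime:
    """Helper for tests and callers: a YYYY-MM-DD string as midnight UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def summarize_cert(cert: dict) -> dict:
    """Reduce getpeercert()'s nested tuples to the fields worth storing."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    # notAfter is "Mon DD HH:MM:SS YYYY GMT"; the ssl module parses it as UTC.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "sans": sans,
        "not_after": not_after,
        "serial": cert.get("serialNumber"),
    }


def classify(not_after: datetime, now: Optional[datetime] = None) -> tuple:
    """Return (status, days_remaining); days_remaining is negative once expired."""
    now = now or datetime.now(timezone.utc)
    days = (not_after - now).days
    if days < 0:
        return "expired", days
    if days <= CRITICAL_DAYS:
        return "critical", days
    if days <= WARN_DAYS:
        return "warning", days
    return "ok", days


def check_domain(cert: dict, now: Optional[datetime] = None) -> dict:
    summary = summarize_cert(cert)
    status, days = classify(summary["not_after"], now)
    return {**summary, "status": status, "days_remaining": days}


# Constructed sample in the shape getpeercert() returns; not captured from a real host.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
    "notBefore": "Oct 31 00:00:00 2022 GMT",
    "notAfter": "Jan 29 00:00:00 2023 GMT",
    "serialNumber": "0A1B2C3D4E5F",
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in
    # fetch_live_cert("example.org") for a real check.
    print(check_domain(SAMPLE_PEERCERT, utc_date("2023-01-20")))
```

Keeping `fetch_live_cert` and the pure functions separate lets the classification be tested without network access, and leaving certificate verification enabled means a host that is already serving an expired or mismatched certificate surfaces as a handshake error instead of being parsed and reported as merely "expired".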