# Cert Manager

Cert Manager is a program to manage SSL certificates for multiple domains. It stores information in a PostgreSQL database. It retrieves live certificates from the web and updates the database records accordingly. It reports on expiring or expired certificates, and it renews certificates.

## Requirements

- cryptography
- psycopg v.3

```bash
# Install with the virtualenv

# remove existing venv:
rm -rf venv

# setup venv
virtualenv venv && source ./venv/bin/activate && pip install -r requirements.txt

# Install without virtualenv (not recommended):
pip install cryptography 'psycopg[binary]'
```

## Configuration

- Settings stored in `database.ini`

## cert_manager database

- Contains master list of all domains
- "isActive" to indicate whether a domain is currently active

## Usage

```bash
--help         # show help
--check-live   # check info for live certificate
--checkall     # check SSL certificates for all managed domains
--list-active  # List all active domains
--critical     # List all expired or soon-to-expire domains
--info         # Show info about a domain
--refresh      # Refresh cert info in database for domain
--refresh-all  # Refresh cert info in database for all domains
--renew        # Renew certificate for domain
```
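The `--check-live` and `--critical` checks described above, as an added example that is not the Cert Manager project's own code. It uses only the Python standard library (the README's `cryptography` dependency is not needed for this part); the 30-day warning threshold, the function names and the report fields are assumptions, not settings from the README.

```python
"""Live certificate check and expiry classification.

Added example, not the Cert Manager project's own code: it demonstrates the
logic behind --check-live and --critical using only the standard library.
The WARN_DAYS threshold and the function names are assumptions.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Union

WARN_DAYS = 30  # assumed "soon-to-expire" threshold; the README does not state one


def fetch_live_cert(domain: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect to the domain over TLS and return the peer certificate dict.

    Needs network access. The default context keeps chain validation and
    hostname checking on, so an untrusted or mismatched certificate raises
    ssl.SSLError instead of being recorded as a healthy live certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


def classify_expiry(not_after: str,
                    now: Union[datetime, str, None] = None) -> tuple:
    """Classify a certificate by its notAfter string as returned by getpeercert().

    not_after uses the "Jan 29 12:00:00 2023 GMT" form; now may be an aware
    datetime, an ISO 8601 string with offset, or None for the current time.
    Returns (status, days_left) with status 'expired', 'critical' or 'ok'.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now is None:
        now = datetime.now(tz=timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:  # treat naive times as UTC so the comparison is well defined
        now = now.replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return "expired", days_left
    if expires - now <= timedelta(days=WARN_DAYS):
        return "critical", days_left
    return "ok", days_left


def check_live(domain: str) -> dict:
    """--check-live style report for a single domain (network required)."""
    cert = fetch_live_cert(domain)
    status, days_left = classify_expiry(cert["notAfter"])
    return {"domain": domain, "notAfter": cert["notAfter"],
            "status": status, "days_left": days_left}


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(check_live(name))
```

`classify_expiry` is kept separate from the network fetch so the expiry rule can be tested against fixed dates; `fetch_live_cert` deliberately leaves verification enabled, because a cert that fails validation should surface as an error in the report rather than be stored as current.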

## Create database and user

Add this line to the bottom of /etc/postgresql/15/main/pg_hba.conf:

```conf
local cert_manager cert_manager peer
```

Make sure the port in /etc/postgresql/17/main/postgresql.conf agrees with the port in cert-manager-db-setup:

```bash
sudo grep port /etc/postgresql/17/main/postgresql.conf
```

```bash
# reload postgresql:
sudo systemctl reload postgresql

# setup db:
/usr/bin/cp -f cert-manager.sql cert-manager-db-setup /tmp/
cd /tmp
./cert-manager-db-setup

# test db access
psql --username=cert_manager --host=127.0.0.1 --port=5433 --dbname=cert_manager --command="SELECT * FROM main LIMIT 3"
```

## Create database (Windows)

- assumes Windows version of PostgreSQL installed

```ps1
# drop any previous database and role
dropdb -U postgres --echo --if-exists cert_manager
dropuser -U postgres --echo --if-exists cert_manager
# create the role (prompts for its password) and the database it owns
createuser -U postgres --echo --pwprompt cert_manager
createdb -U postgres --echo --owner=cert_manager cert_manager
# load the schema as the owning role
psql --username=cert_manager --dbname=cert_manager --echo-all --file=cert-manager.sql
```

## certbot output

- output from subprocess.run() needs to be captured and processed

```bash
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d 'example.org'
```

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
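Capturing and processing that output, as an added example that is not the Cert Manager project's own code. The embedded sample is the certbot output shown above; the `run_certbot` helper, the returned field names and the treatment of missing lines are assumptions about how the record should be built.

```python
"""Parse the output of `certbot certonly` captured via subprocess.run().

Added example, not the Cert Manager project's own code. SAMPLE_OUTPUT is the
certbot output shown in the README; the field names and run_certbot helper
are assumptions.
"""
import re
import subprocess
from datetime import date

# Output captured from the certbot run shown in the README.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.org
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.org/privkey.pem
This certificate expires on 2023-01-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
"""

# Line-anchored patterns for the pieces the database record needs.
_SUCCESS_RE = re.compile(r"^Successfully received certificate\.", re.M)
_CERT_RE = re.compile(r"^Certificate is saved at:[ \t]*(?P<path>\S+)[ \t]*$", re.M)
_KEY_RE = re.compile(r"^Key is saved at:[ \t]*(?P<path>\S+)[ \t]*$", re.M)
_EXPIRES_RE = re.compile(r"^This certificate expires on (?P<date>\d{4}-\d{2}-\d{2})\.", re.M)


def parse_certbot_output(text: str) -> dict:
    """Extract success flag, certificate/key paths and expiry date from certbot output.

    Fields that are absent come back as None instead of raising, so the
    caller can decide whether a partial result is worth storing.
    """
    cert = _CERT_RE.search(text)
    key = _KEY_RE.search(text)
    exp = _EXPIRES_RE.search(text)
    return {
        "success": bool(_SUCCESS_RE.search(text)),
        "fullchain": cert.group("path") if cert else None,
        "privkey": key.group("path") if key else None,
        "expires": date.fromisoformat(exp.group("date")) if exp else None,
    }


def run_certbot(domain: str, credentials: str = "/etc/letsencrypt/rfc2136.ini") -> dict:
    """Run the certbot command from the README and parse what it printed.

    The command is passed as an argument list (no shell), so the domain is
    never interpreted by a shell. certbot may print to either stream, so
    both are captured and combined before parsing; check=False keeps the
    return code alongside whatever output was produced on failure.
    """
    proc = subprocess.run(
        ["certbot", "certonly", "--dns-rfc2136",
         "--dns-rfc2136-credentials", credentials, "-d", domain],
        capture_output=True, text=True, check=False,
    )
    result = parse_certbot_output(proc.stdout + "\n" + proc.stderr)
    result["returncode"] = proc.returncode
    return result


if __name__ == "__main__":
    print(parse_certbot_output(SAMPLE_OUTPUT))
```

The `--renew` path would call `run_certbot` and, only when `success` is true and `expires` is present, write the new expiry into the domain's database record; a missing field signals that the run should be inspected rather than silently recorded.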