Tools for distributing ssl certificates
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
images
LICENSE
README.md
cert-puller
cert-shifter

README.md

anvil

Tools for distributing ssl certificates

Designed on FreeBSD, it uses fetch by default, but can also use wget or curl. Set FETCH_TOOL in the configuration file to either wget or curl. Any other value will invoke fetch.

It also uses sudo, with the goal of this running as non-root and only allowing the cp & mv via sudo.

These tools were designed with acme.sh & Let's Encrypt in mind, but they should with with any certificates generated by any means.

Relevant background:

  • The certificates are being generated via acme.sh in a centralized location.
  • certs are not generated where they are used.
  • Distribution of private keys is outside scope.
  • New certs are pulled by the servers/VMs/jails/etc which need them.

The steps to use this stuff:

The distribution of private keys is outside scope.

Overview of anvil use

Overview of anvil use

Before using:

mkdir /var/db/anvil && chown USER:GROUP /var/db/anvil

Where USER & GROUP is the user which will be invoking this script. We suggest anvil:anvil

Said user will also need sudo rights to cp and mv within CERT_DST.

Default configuration files are in /usr/local/etc/anvil/

Variables which can be set in cert-shifter.conf:

CERT_SRC="/var/db/acme/certs"
CERT_DST_ROOT="/var/db/certs-for-rsync"
CERT_DST_CERTS="${CERT_DST_ROOT}/certs"
TMP="${CERT_DST_ROOT}/tmp"

Variables which can be set in cert-puller.conf:

CERT_DST="/usr/local/etc/ssl"
CERT_SERVER="https://certs.example.org/certs"
MYCERTS="example.com"
SERVICES="apache24"
DOWNLOAD_DIR="/var/db/check-for-new-certs"
USER_AGENT="--user-agent='anvil-cert-puller'"
FETCH="/usr/bin/fetch --mirror --quiet --user-agent=${USER_AGENT}'"
CURL="/usr/local/bin/curl --silent --user-agent '${USER_AGENT}' --remote-time"
WGET="/usr/local/bin/wget --quiet --user-agent='${USER_AGENT}'"

Services which can be restarted by this code: apache24, dovecot, mosquitto, postfix.

To use wget, set FETCH_TOOL="wget" in cert-puller.conf To use curl, set FETCH_TOOL="curl" in cert-puller.conf To use fetch, set FETCH_TOOL to any other value, or remove it from the file.

Yep, lots to work on here.