library implementing ACME server functionality
acme2certifier


acme2certifier is a development project to create an ACME protocol proxy. The main intention is to provide ACME services in front of CA servers which do not support this protocol yet. It consists of two libraries:

  • acme/*.py - a set of classes implementing ACME server functionality based on RFC 8555
  • ca_handler.py - the interface towards the CA server. I am connecting to Insta Certifier by using REST to test the implementation. However, the intention of this library is to be modular, so that an adaptation to other CA servers should be straightforward.

Disclaimer

I am running this project as my RnD guys told me that it won’t be possible :-)

I am using acme.sh and Certbot to test the server functionality. Other clients are on my list for later testing. In case you are bored, feel free to test other ACME clients and raise issues if something does not work as expected.

Command-line parameters used for testing

I am not a professional developer. Keep this in mind while laughing about my code and don’t forget to send patches.

Project status

So far, the library is far from being useful for either lab or production usage, as only the ACME functions listed below are supported.

acme2certifier includes experimental support for TNAuthList identifiers and tkauth-01 challenges. Check tnauthlist.md for further information.

IMPORTANT: The current version does NOT perform identifier validation. The ACME server sets the status of every challenge to "valid" without verifying it, which makes an ACME client send the CSR immediately. Consequently, any client that can reach the server can obtain a certificate for any identifier it names, so the server must not be reachable by untrusted clients.

Additional functionality will be added over time. If you are badly missing a certain feature please raise an issue to let me know.

Installation

The proxy can run either as a Django project or as a plain WSGI script.

Installation as wsgi script

Installation on apache2 running on Ubuntu 18.04

  1. check whether the wsgi module is enabled in your apache2
root@rlh:~# apache2ctl -M | grep -i wsgi
 wsgi_module (shared)
root@rlh:~#

If the wsgi_module is not enabled, please check the internet for how to enable it.

  2. download the archive and unpack it.

  3. install the missing modules via pip

root@rlh:~# pip3 install -r requirements.txt

  4. copy the file "examples/apache_acme.conf" to "/etc/apache2/sites-available" and modify it according to your needs.

  5. activate the virtual server

root@rlh:~# a2ensite apache_acme.conf

  6. create a directory /var/www/acme

  7. copy the file acme2certifier_wsgi.py to /var/www/acme

  8. create a directory /var/www/acme/acme

  9. copy the content of the acme directory to /var/www/acme/acme

  10. create a configuration file 'acme_srv.cfg' in /var/www/acme/acme or use the example stored in the examples directory

  11. modify the configuration file according to your needs

  12. pick the correct ca handler from the examples/ca_handler directory and copy it to /var/www/acme/acme/ca_handler.py

  13. configure the connection to your ca server. Example for Insta Certifier

  14. activate the wsgi database handler

root@rlh:~# cp /var/www/acme/examples/db_handler/wsgi_handler.py /var/www/acme/acme/db_handler.py

  15. ensure that all files and directories under /var/www/acme are owned by the user running the webserver (www-data is just an example!)
root@rlh:~# chown -R www-data:www-data /var/www/acme/

  16. set the correct permissions on the acme subdirectory
root@rlh:~# chmod a+x /var/www/acme/acme

  17. check access to the directory resource to verify that everything works so far
[root@srv ~]# curl http://127.0.0.1/directory
{"newAccount": "http://127.0.0.1/acme/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1/acme/key-change", "newNonce": "http://127.0.0.1/acme/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1/acme/neworders", "revokeCert": "http://127.0.0.1/acme/revokecert"}[root@srv ~]#

Installation on NGINX running on CentOS 7

I barely know NGINX. Main input has been taken from here. If you see room for improvement let me know.

Setup is done in a way that uWSGI will serve acme2certifier while NGINX will act as reverse proxy to provide better connection handling.

  1. set up your project directory
[root@srv ~]# mkdir /opt/acme2certifier

  2. download the archive and unpack it into /opt/acme2certifier.

  3. create a configuration file 'acme_srv.cfg' in /opt/acme2certifier/acme/ or use the example stored in the examples directory

  4. modify the configuration file according to your needs

  5. pick the correct ca handler from the /opt/acme2certifier/examples/ca_handler directory and copy it to /opt/acme2certifier/acme/ca_handler.py

  6. configure the connection to your ca server. Example for Insta Certifier

  7. activate the wsgi database handler

root@rlh:~# cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme/db_handler.py

  8. copy the application file "acme2certifier_wsgi.py" from the examples directory
root@rlh:~# cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/

  9. set the correct permissions on the acme subdirectory
[root@srv ~]# chmod a+x /opt/acme2certifier/acme

  10. set the ownership of the acme subdirectory to the user running nginx
[root@srv ~]# chown -R nginx /opt/acme2certifier/acme

  11. install the missing python modules (run from /opt/acme2certifier, where requirements.txt is located)
[root@srv ~]# pip install -r requirements.txt

  12. install uwsgi by using pip
[root@srv ~]# pip install uwsgi

  13. test acme2certifier by starting the application (run from /opt/acme2certifier so that the acme2certifier_wsgi module is found)
[root@srv ~]# uwsgi --socket 0.0.0.0:8000 --protocol=http -w acme2certifier_wsgi

  14. check access to the directory resource in a parallel session to verify that everything works so far
[root@srv ~]# curl http://127.0.0.1:8000/directory
{"newAccount": "http://127.0.0.1:8000/acme/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme/key-change", "newNonce": "http://127.0.0.1:8000/acme/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1:8000/acme/neworders", "revokeCert": "http://127.0.0.1:8000/acme/revokecert"}[root@srv ~]#

  15. create a uWSGI config file or use the one stored in the examples/nginx directory
[root@srv ~]# cp examples/nginx/acme2certifier.ini /opt/acme2certifier

  16. create a systemd unit file for uWSGI or use the one stored in the examples/nginx directory
[root@srv ~]# cp examples/nginx/uwsgi.service /etc/systemd/system/
[root@srv ~]# systemctl enable uwsgi.service

  17. start uWSGI as a service
[root@srv ~]# systemctl start uwsgi

  18. configure NGINX as reverse proxy or use the example stored in the examples/nginx directory and modify it according to your needs
[root@srv ~]# cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf

  19. restart nginx
[root@srv ~]# systemctl restart nginx

  20. test the server by accessing the directory resource
[root@srv ~]# curl http://<your server name>/directory
You should get your resource overview now.
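The two "check access to the directory resource" steps above (for the apache2 and the NGINX setups) only eyeball the curl output. The following added example, which is not part of acme2certifier, parses that JSON offline and reports what RFC 8555 section 7.1.1 requires of a directory: the five mandatory resource URLs must be present and, since ACME mandates HTTPS, a plain http URL is flagged (acceptable only while a TLS-terminating reverse proxy such as the NGINX one above sits in front). The sample is a constructed copy of the README's curl output; the `expected_host` parameter is an assumption of this example.

```python
"""Offline sanity check of an acme2certifier /directory response (added example)."""
import json
from urllib.parse import urlparse

# RFC 8555 section 7.1.1: resource URLs an ACME directory must expose.
# newAuthz and meta are optional and therefore not checked here.
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Constructed sample mirroring the curl output of the uWSGI test step above.
SAMPLE_DIRECTORY = json.dumps({
    "newAccount": "http://127.0.0.1:8000/acme/newaccount",
    "fa8b347d3849421ebc4b234205418805":
        "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "http://127.0.0.1:8000/acme/key-change",
    "newNonce": "http://127.0.0.1:8000/acme/newnonce",
    "meta": {"home": "https://github.com/grindsa/acme2certifier"},
    "newOrder": "http://127.0.0.1:8000/acme/neworders",
    "revokeCert": "http://127.0.0.1:8000/acme/revokecert",
})


def check_directory(body, expected_host=None):
    """Return a list of findings; an empty list means the directory looks sane.

    expected_host (assumed parameter) lets you catch a directory that advertises
    internal addresses such as 127.0.0.1 to clients behind the reverse proxy.
    """
    findings = []
    try:
        directory = json.loads(body)
    except ValueError as err:
        return ["response is not valid JSON: %s" % err]
    if not isinstance(directory, dict):
        return ["directory is not a JSON object"]
    for key in REQUIRED:
        value = directory.get(key)
        if not isinstance(value, str):
            findings.append("missing required resource: %s" % key)
            continue
        url = urlparse(value)
        if url.scheme != "https":
            findings.append("%s is served over %s, not https" % (key, url.scheme or "no scheme"))
        if expected_host and url.hostname != expected_host:
            findings.append("%s points at %s, expected %s" % (key, url.hostname, expected_host))
    return findings


if __name__ == "__main__":
    for line in check_directory(SAMPLE_DIRECTORY, expected_host="127.0.0.1") or ["ok"]:
        print(line)
```

Pipe the real output in with `curl -s http://<your server name>/directory | python3 check_directory.py` after replacing the sample with `sys.stdin.read()`.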

Installation as Django project

  1. create a new Django project called acme2certifier
missing
  2. create a new app inside your project called "acme"
missing
  3. copy the content of the folder "examples/django/acme2certifier" into the "acme2certifier" folder of your project
  4. copy the content of the folder "examples/django/acme" into the "acme" folder created in step 2

Contributing

Please read CONTRIBUTING.md for details on my code of conduct, and the process for submitting pull requests. Please note that I have a life besides programming. Thus, expect a delay in answering.

Versioning

I use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the MIT license - see the LICENSE file for details.