Certbot plugin for interaction with HashiCorp Vault
Project description
Certbot-Vault
Running
Create file with credentials (e.g. /etc/letsencrypt/.hashicorp-vault-creds):
vault-addr=https://vault.example.com:8200/
vault-token=s.AADSFSDHJGJHGDFGSERWETTRHTT
Or define ENV files:
export VAULT_ADDR=https://vault.example.com:8200/
export VAULT_TOKEN=s.AADSFSDHJGJHGDFGSERWETTRHTT
Run installer plugin separately (skip --vault-credentials if creds were provided via ENV variables):
certbot install -i vault --vault-credentials=/etc/letsencrypt/.hashicorp-vault-creds --vault-path='secret/le-certs' --vault-single --cert-name example.com
Or as a part or certbot run:
certbot run -a ..... -i vault ... -d example.com,www.example.com
CLI arguments
--vault-credentials- INI file withvault-addr=XYZandvault-token=XYZkey pairs. If not provided, script will attempt to read ENV variablesVAULT_ADDRandVAULT_TOKEN.--vault-path- path in Vault where to store certificates, first component is expected to be engine mount point (e.g. secret, kv, etc...).--vault-dpath- last component of path is always taken from certificate's SAN (e.g. kv/*.example.com). This option can override the domain to something else.--vault-single- upload certs only once if provided multiple SANs via-d example.com,www.example.com- in this case only kv/letsencrypt/example.com will be created.
Developing
How to setup test env documented here. Tl;dr version below:
# clone upstream certbot
git clone https://github.com/certbot/certbot.git
cd certbot
# setup virtualenv and install our plugin
python3 tools/venv.py
source venv/bin/activate
pip install -e ../certbot-vault
# run testing ACME server
run_acme_server &
# start Vault dev server and copy root token
vault server -dev &
# generate credentials file for certbot-vault plugin
echo -e 'vault-addr=http://127.0.0.1:8200\nvault-token=ABCDEFG' > ~/dev-hashi-certbot
# issue test certficate
certbot_test run --standalone -d test.example.com -i vault --vault-credentials ~/dev-hashi-certbot --vault-path secret/
# now it should be present in Vault, after checking it, you can try to renew for example
certbot_test renew
Currently supports only kv store.
Generate test cert:
certbot_test certonly --standalone -d test.example.com
Install cert:
certbot_test install -i vault --cert-name test.example.com
This is rather a PoC for newer versions of certbot, but it can be easily modified to support other features in Vault.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file certbot-vault-installer-0.4.3.tar.gz.
File metadata
- Download URL: certbot-vault-installer-0.4.3.tar.gz
- Upload date:
- Size: 8.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 68555a556e531d5afb15ca06ccb0577fb5ccba23a7603f1bd2490f94a9ed3569 |
|
| MD5 | d1b4dddb287a0f7fd35c1a92ff989ef5 |
|
| BLAKE2b-256 | 0ed729ac5dd2911bad747238abdd7849b6f7807c839862b58dcfcfa8e96896a0 |
File details
Details for the file certbot_vault_installer-0.4.3-py3-none-any.whl.
File metadata
- Download URL: certbot_vault_installer-0.4.3-py3-none-any.whl
- Upload date:
- Size: 9.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b2da9699a7464be72f5d4e661571d985924ab542856fd7fe1ececfb99035506d |
|
| MD5 | 369f1761bb3b9ac3b7d66890afd081ce |
|
| BLAKE2b-256 | 25e17985fd678e188c1ed03cdf5254f3e7d68670267537d849fc52acc3dfb9b5 |
