Certbot plugin for interaction with HashiCorp Vault
Project description
Certbot-Vault
Running
Create a file with credentials (e.g. /etc/letsencrypt/.hashicorp-vault-creds):
vault-addr=https://vault.example.com:8200/
vault-token=s.AADSFSDHJGJHGDFGSERWETTRHTT
Or define ENV variables:
export VAULT_ADDR=https://vault.example.com:8200/
export VAULT_TOKEN=s.AADSFSDHJGJHGDFGSERWETTRHTT
Run the installer plugin separately (skip --vault-credentials if the credentials were provided via ENV variables):
certbot install -i vault --vault-credentials=/etc/letsencrypt/.hashicorp-vault-creds --vault-path='secret/le-certs' --vault-single --cert-name example.com
Or as part of a certbot run:
certbot run -a ..... -i vault ... -d example.com,www.example.com
CLI arguments
--vault-credentials - INI file with vault-addr=XYZ and vault-token=XYZ key pairs. If not provided, the plugin will attempt to read the ENV variables VAULT_ADDR and VAULT_TOKEN.
--vault-path - path in Vault where certificates are stored; the first component is expected to be the engine mount point (e.g. secret, kv, etc.).
--vault-dpath - the last component of the path is always taken from the certificate's SAN (e.g. kv/*.example.com). This option can override the domain to something else.
--vault-single - upload certs only once if multiple SANs are provided via -d example.com,www.example.com; in this case only kv/letsencrypt/example.com will be created.
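To make the credential lookup and path rules above concrete, here is an added Python example (not the plugin's own code). It reads the vault-addr=/vault-token= file with VAULT_ADDR/VAULT_TOKEN as fallback, derives the KV paths for --vault-path, --vault-dpath and --vault-single, and builds (without sending) the write request; the function names, the KV v2 request layout and the cert/privkey/chain field names are assumptions.

```python
import os
import stat
from pathlib import Path

# Added example, not the plugin's own code. Models the README's behaviour:
# credentials from a vault-addr=/vault-token= file, VAULT_ADDR/VAULT_TOKEN
# as fallback, and the KV paths written under --vault-path, --vault-dpath
# and --vault-single. Names are assumptions; KV v2 is assumed for the request.

SAMPLE_CREDS = "vault-addr=https://vault.example.com:8200/\nvault-token=s.EXAMPLETOKEN\n"  # constructed

def parse_credentials(text, env=None):
    """Return (addr, token); keys from the file win, the environment fills gaps."""
    env = os.environ if env is None else env
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    addr = creds.get("vault-addr") or env.get("VAULT_ADDR")
    token = creds.get("vault-token") or env.get("VAULT_TOKEN")
    if not addr or not token:
        raise ValueError("need vault-addr/VAULT_ADDR and vault-token/VAULT_TOKEN")
    return addr.rstrip("/"), token

def credentials_file_is_private(path):
    """True when the file is owner-only (0600): it holds a bearer token."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    return mode & 0o077 == 0

def vault_targets(vault_path, sans, dpath=None, single=False):
    """KV paths written for one certificate: one per SAN, or a single one."""
    base = vault_path.strip("/")
    if dpath:
        return [f"{base}/{dpath}"]
    return [f"{base}/{name}" for name in (sans[:1] if single else sans)]

def kv_write_request(addr, token, target, cert_pem, key_pem, chain_pem):
    """Describe the KV v2 write without sending it (v1 drops /data/ and the wrapper)."""
    mount, _, rest = target.partition("/")
    return {
        "method": "POST",
        "url": f"{addr}/v1/{mount}/data/{rest}",
        "headers": {"X-Vault-Token": token},  # never echo this header into logs
        "json": {"data": {"cert": cert_pem, "privkey": key_pem, "chain": chain_pem}},
    }
```

Running credentials_file_is_private on the real credentials file before use catches the common mistake of leaving a Vault token group- or world-readable.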
Developing
How to set up the test environment is documented here. TL;DR version below:
# clone upstream certbot
git clone https://github.com/certbot/certbot.git
cd certbot
# setup virtualenv and install our plugin
python3 tools/venv.py
source venv/bin/activate
pip install -e ../certbot-vault
# run testing ACME server
run_acme_server &
# start Vault dev server and copy root token
vault server -dev &
# generate credentials file for certbot-vault plugin
echo -e 'vault-addr=http://127.0.0.1:8200\nvault-token=ABCDEFG' > ~/dev-hashi-certbot
# issue a test certificate
certbot_test run --standalone -d test.example.com -i vault --vault-credentials ~/dev-hashi-certbot --vault-path secret/
# it should now be present in Vault; after checking it, you can for example try a renewal
certbot_test renew
Currently only the kv secrets engine is supported.
Generate test cert:
certbot_test certonly --standalone -d test.example.com
Install cert:
certbot_test install -i vault --cert-name test.example.com
This is rather a PoC for newer versions of certbot, but it can be easily modified to support other features in Vault.
Hashes for certbot-vault-installer-0.4.3.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 68555a556e531d5afb15ca06ccb0577fb5ccba23a7603f1bd2490f94a9ed3569
MD5 | d1b4dddb287a0f7fd35c1a92ff989ef5
BLAKE2b-256 | 0ed729ac5dd2911bad747238abdd7849b6f7807c839862b58dcfcfa8e96896a0

Hashes for certbot_vault_installer-0.4.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | b2da9699a7464be72f5d4e661571d985924ab542856fd7fe1ececfb99035506d
MD5 | 369f1761bb3b9ac3b7d66890afd081ce
BLAKE2b-256 | 25e17985fd678e188c1ed03cdf5254f3e7d68670267537d849fc52acc3dfb9b5