Skip to main content

Software managing certificate, dkim and domain updates automagically.

Project description

Build Status

Crypto Domain Manager

Automate all your cryptographic needs!

Goals

  • Zero downtime
  • Automatic certificate renewal
  • Spam protection
  • Updated DNS records

Configure once and always stay up to date.

Use cases

  • Renew letsencrypt certicates
  • Derive all kinds of data from the signature
  • Ensure everything is secure

External Service APIs

Linux Services

  • DKIM signatures:
    • rspamd
  • Reload systemd services:
    • apache2
    • postfix
    • dovecot
    • rspamd
    • traefik in Docker

Managed DNS Records

No downtime strategy

Updating keys, certifcates and other needs 3 steps to prevent gaps in availabillity:

  1. Prepare: Create certificates, keys etc. and publish corresponding records to DNS.
  2. Rollover: Apply new certificates and keys, because now negative cache TTL on DNS is reached.
  3. Cleanup: Delete all no more needed stuff from disk and DNS.

Needed Plugins and Dependencies

  • dnsuptools: to interface with DNS API -- updating DNS entries
  • dehydrated: to get new certificate (included with cryptdomainmgr)
  • rspamd: to create (and use) DKIM keys

Installation

These libraries are needed for pycurl used by dnsuptools for automatic ip retrieving:

apt install -y libcurl4-openssl-dev libssl-dev

This comman is used by dehydrated to communicate with letsencrypt for certificate renewal:

apt install -y curl

For DKIM we need rspamd:

apt install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
apt update
apt install -y rspamd

Now install the cryptdomainmgr. This pulls all need dependencies.

python2 -m pip install cryptdomainmgr

Feel free to try python3, but inwx client doesn't support it.

python3 -m pip install cryptdomainmgr

Documentation

We need help here!

For now please look at:

hints:

  • Multiple Configfiles with priority allowed
  • Specify content of config file content as argument

Next goals

  • improve documentation
  • docker support - partly done, ToDo: label handling needed, daemon mode without external shell stript needed
  • website
  • automated tests - partly done
  • nsupdate for DNS updates

Long term goals:

  • ARC key renewal
  • WPIA integration
  • DNSSEC key renewal
  • TXT record (may collide with SPF and other TXT based records)
  • multi server support for one domain: TLSA delete by timeout
  • constrain minimum renewal/phase time interval
  • validations - ensure signatures are used correctly
  • run as service
  • PowerDNS support

Contributions

If you like the project feel free to give me a star. Please let us know if you use this project.

All kind of contributions are welcome.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cryptdomainmgr-0.2.7.tar.gz (62.8 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page