Tool to manage Lets Encrypt certificates from configuration file
Project description
Let’s Encrypt Certificates Manager (lecm) is an utility that allows one to manage (generate and renew) Let’s Encrypt SSL certificates.
Goal
The goal of lecm is to be able to generate and renew Let’s Encrypt SSL certificates automatically.
lecm is configuration driven. Each certificate that needs to be managed is described in the configuration file.
Installation
Using pypi
You just need to
$ pip install lecm
Debian-based distro (Debian, Ubuntu, …)
There is an official Debian package for lecm
$ sudo apt-get install lecm
How to run it
lecm is configuration driven. The configuration file is (by order of priority):
The one specified on the command line (lecm --conf /path/to/conf.yml)
The one specified in the environment variable $LECM_CONFIGURATION
The /etc/lecm.conf
lecm supports various commands:
--generate
lecm --generate will generate SSL certificates for items listed in the configuration file that are not present in the filesystem.
--renew
lecm --renew will renew SSL certificates already present on the filesystem if its expiry date is lower than the remaining_days value.
--force
lecm --force will force the regeneration or renewal of SSL certificates, even if its expiry date is not lower than the remainin_days value.
--list
lecm --list will display basic informations about currently configured items.
+--------- +----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+
| In Sync | Item | Status | subjectAltName | Location | Days |
+--------- +----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+
| True | lecm-test.distributed-ci.io | Generated | DNS:lecm-test.distributed-ci.io | /etc/letsencrypt/pem/lecm-test.distributed-ci.io.pem | 89 |
| False | lecm-test-test.distributed-ci.io | Not-Generated | DNS;lecm-test-test.distributed-ci.io,DNS:lecm.distributedi-ci.io | /etc/letsencrypt/pem/lecm-test-test.distributed-ci.io.pem | N/A |
+----------+----------------------------------+---------------+------------------------------------------------------------------+-----------------------------------------------------------+------+--list-details
lecm --list-details will display details informations about currently configured items.
+--------- +----------------------------------+---------------+------------------------------------------------------------------+---------------------------+--------------+-----------------------------------------------------------+------+------+--------+------+
| In Sync | Item | Status | subjectAltName | emailAddress | Environment | Location | Type | Size | Digest | Days |
+--------- +----------------------------------+---------------+------------------------------------------------------------------+---------------------------+--------------+-----------------------------------------------------------+------+------+--------+------+
| True | lecm-test.distributed-ci.io | Generated | DNS:lecm-test.distributed-ci.io | distributed-ci@redhat.com | production | /etc/letsencrypt/pem/lecm-test.distributed-ci.io.pem | RSA | 4096 | sha256 | 89 |
| False | lecm-test-test.distributed-ci.io | Not-Generated | DNS;lecm-test-test.distributed-ci.io,DNS:lecm.distributedi-ci.io | distributed-ci@redhat.com | staging | /etc/letsencrypt/pem/lecm-test-test.distributed-ci.io.pem | RSA | 2048 | sha256 | N/A |
+----------+----------------------------------+---------------+------------------------------------------------------------------+---------------------------+--------------|-----------------------------------------------------------+------+------+--------+------+Configuration
Every parameters are either applicable globally or within the scope of a certificate. The finest specification wins.
Parameter |
Scope |
Default |
Description |
|---|---|---|---|
path |
global, certificate |
None |
Folder where will reside all the relevant files |
type |
global, certificate |
RSA |
Type of the key to generate (Possible: RSA, DSA) |
size |
global, certificate |
4096 |
Size of the key to generate |
digest |
global, certificate |
sha256 |
Digest of the key to generate |
version |
global, certificate |
3 |
Version of the SSL Certificate to generate |
subjectAltName |
global, certificate |
None |
subjectAltName value of the Certificate Signing Request (csr) |
countryName |
global, certificate |
None |
countryName value of the Certificate Signing Request (csr) |
stateOrProvinceName |
global, certificate |
None |
stateOrProvinceName value of the Certificate Signing Request (csr) |
localityName |
global, certificate |
None |
localityName value of the Certificate Signing Request (csr) |
organizationName |
global, certificate |
None |
organizationName value of the Certificate Signing Request (csr) |
organizationalUnitName |
global, certificate |
None |
organizationalUnitName value of the Certificate Signing Request (csr) |
commonName |
global, certificate |
None |
commonName value of the Certificate Signing Request (csr) |
emailAddress |
global, certificate |
None |
emailAddress value of the Certificate Signing Request (csr) |
account_key_name |
global, certificate |
account_$fqdn.key |
Name of the account key to generate |
remaining_days |
global, certificate |
10 |
Number of days of validity below which the SSL Certificate should be renewed |
service_name |
global, certificate |
httpd |
Service that needs to be reloaded for the change to be taken in consideration |
service_provider |
global, certificate |
systemd |
Service management system (Possible: systemd, sysv) |
environment |
global, certificate |
production |
Let’s Encrypt environment to use (Possible: production, staging) |
Configuration file example
---
path: /etc/letsencrypt
certificates:
my.example.com:
app.example.com:
subjectAltName:
- app.example.com
- app1.example.com
- app2.example.comMore example can be found in the sample/ directory.
Httpd and Nginx
lecm does not configure the webservers, they have to be previously configured to be able to answer the challenges. NOTE: Let’s Encrypt will perform a plain HTTP request to port 80 on your server, so you must serve the challenge files via HTTP. See the HTTP Challenge section of the ACME specification for more details.
httpd
Alias /.well-known/acme-challenge /etc/letsencrypt/challenges/my.example.com
<Directory /etc/letsencrypt/challenges/my.example.com>
Require all granted
</Directory>nginx
location /.well-known/acme-challenge/ {
alias /etc/letsencrypt/challenges/my.example.com/;
try_files $uri =404;
}
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file lecm-0.0.9.tar.gz.
File metadata
- Download URL: lecm-0.0.9.tar.gz
- Upload date:
- Size: 18.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.24.0 setuptools/49.1.3 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.9.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 88b05eb789dde1c616e0c3c1e345765ebfdbeef4f59a61e9e3ca39986dcfefaf |
|
| MD5 | b71b67a66eb4cb6e4fa121a34a348656 |
|
| BLAKE2b-256 | 4de4bb576f8c3b596acbd140788ade6052ca309f467226df4b20d899c23de91c |
