Repository files navigation

Acmesmith is anACME (Automatic Certificate Management Environment) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well onLet's encrypt.

This tool is written in Ruby, but Acmesmith saves certificates in simple scheme, so you can fetch certificate by your own simple scripts.

• ACME v2 client designed to work on multiple servers
• ACME registration, domain authorization, certificate requests
  • Tested againstLet's encrypt
• Storing keys in several ways
• Challenge response
• Many cloud services support
  • AWS S3 storage and Route 53dns-01 responder support out-of-the-box
  • 3rd party plugins available for OpenStack designate, Google Cloud DNS, simple http-01, and Google Cloud Storage. SeePlugins below

Add this line to your application's Gemfile:

gem'acmesmith'

And then execute:

$ bundle

Or install it yourself as:

$ gem install acmesmith

docker run -v /path/to/acmesmith.yml:/app/acmesmith.yml:ro sorah/acmesmith:latest

Dockerfile is available. Default confguration file is at/app/acmesmith.yml.

Pre-built docker images are provided athttps://hub.docker.com/r/sorah/acmesmith for your convenienceBuilt with GitHub Actions &sorah-rbpkg/dockerfiles.

$ acmesmith new-account CONTACT              # Create account key (contact e.g. mailto:xxx@example.org)

$ acmesmith order COMMON_NAME [SAN]     # request certificate for CN +COMMON_NAME+ with SANs +SAN+$ acmesmith add-san COMMON_NAME [SAN]     # re-request existing certificate of CN with additional SAN(s)

$ acmesmith list [COMMON_NAME]                          # list certificates or its versions$ acmesmith current COMMON_NAME                         # show current version for certificate$ acmesmith show-certificate COMMON_NAME                # show certificate$ acmesmith show-private-key COMMON_NAME                # show private key$ acmesmith save-certificate COMMON_NAME --output=PATH  # Save certificate to a file$ acmesmith save-private-key COMMON_NAME --output=PATH  # Save private key to a file$ acmesmith save-pkcs12      COMMON_NAME --output=PATH  # Save certificate and private key to a PKCS12 file

$ acmesmith autorenew [-d DAYS] # Renew certificates which being expired soon

# Save (or update) certificate files and key in a one command$ acmesmith save COMMON_NAME \      --version-file=/tmp/cert.txt   # Path to save a certificate version for following run       --key-file=/tmp/cert.key       # Path to save a key      --fullchain-file=/tmp/cert.pem # Path to save a certficiate and its chain (concatenated)

Seeacmesmith help [subcommand] for more help.

Seeconfig.sample.yml to start. Default configuration file is./acmesmith.yml.

directory:https://acme-v02.api.letsencrypt.org/directory# productionstorage:# configure where to store keys and certificates; described latertype:s3region:'us-east-1'bucket:'my-acmesmith-bucket'prefix:'prod/'challenge_responders:# configure how to respond ACME challenges; described later  -route53:{}

Storage provider stores issued certificates, private keys and ACME account keys.

• Amazon S3:s3
• Filesystem:filesystem
• Google Cloud Storage:minimum2scp/acmesmith-google-cloud-storage(plugin)

Challenge responders responds to ACME challenges to prove domain ownership to CA.

• API driven
  • AWS Route 53:route53 (dns-01)
  • Google Cloud DNS:nagachika/acmesmith-google-cloud-dns (dns-01,plugin )
  • OpenStack Designate v1:hanazuki/acmesmith-designate (dns-01,plugin )
  • Verisign MDNS REST API:benkap/acmesmith-verisign (dns-01,plugin )
• Generic
  • Static HTTP:mipmip/acmesmith-http-path (http-01,plugin )

challenge_responders:## Multiple responders are accepted.## The first responder that supports a challenge and applicable for given domain name will be used.  -{RESPONDER_TYPE}:{RESPONDER_OPTIONS}### Filter (optional)filter:subject_name_exact:        -my-app.example.comsubject_name_suffix:        -.example.orgsubject_name_regexp:        -'\Aapp\d+.example.org\z'  -{RESPONDER_TYPE}:{RESPONDER_OPTIONS}...

Post issuing hooks are configurable actions that are executedwhen a new certificate has been succesfully issued. The hooks aresequentially executed in the same order as they are configured, and theyare configurable per certificate's common-name.

• Shell script:shell
• Amazon Certificate Manager (ACM):acm

If you want to prefer an alternative chain given by CA (RFC8555 Section 7.4.2.), use the following configuration. Preference may be delcared with common name.

When chain preferences are configured for the common name of an ordered certificate, Acmesmith will retrieve all available alternative chains and evaluate rules in an configured order. The first chain matched to a rule will be used and saved to a storage.

During rule evaluation, a root issuer name and key id are taken from the last available intermediate (Issuer and AKI) provided in a chain, when a chain doesn't have a root certificate (trust anchor).

chain_preferences:  -root_issuer_name:"ISRG Root X1"### Optionally, you may specify CA SKI/AKI:# root_issuer_key_id: "79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e"### Filter by common name (optional)filter:exact:        -my-app.example.comsuffix:        -.example.orgregexp:        -'\Aapp\d+.example.org\z'

• ./docs/vendor/aws.md: IAM and KMS key policies, and some tips

Bug reports and pull requests are welcome on GitHub athttps://github.com/sorah/acmesmith.

unit test:

bundle exec rspec

integration test usingletsencrypt/pebble. needs Docker:

ACMESMITH_CI_START_PEBBLE=1 CI=1 bundle exec -t integration_pebble

Publish as a gem (RubyGems). Files will be loaded automatically fromlib/acmesmith/{plugin_type}/{name}.rb.

e.g.

• storage:lib/acmesmith/storages/perfect_storage.rb &Acmesmith::Storages::PerfectStorage
• challenge_responder:lib/acmesmith/challenge_responders/perfect_authority.rb &Acmesmith::Storages::PerfectAuthority
• post_issuing_hook:lib/acmesmith/challenge_responders/nice_deploy.rb &Acmesmith::Storages::NiceDeploy

After checking out the repo, runbin/setup to install dependencies. Then, runrake spec to run the tests. You can also runbin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, runbundle exec rake install. To release a new version, update the version number inversion.rb, and then runbundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the.gem file torubygems.org.

The gem is available as open source under the terms of theMIT License.