2018-02-20 18:59:46 +00:00
# acme_vault
#### Table of Contents
1. [Description ](#description )
2. [Setup - The basics of getting started with acme_vault ](#setup )
* [What acme_vault affects ](#what-acme_vault-affects )
* [Beginning with acme_vault ](#beginning-with-acme_vault )
3. [Usage - Configuration options and additional functionality ](#usage )
4. [Reference - An under-the-hood peek at what the module is doing and how ](#reference )
5. [Limitations - OS compatibility, etc. ](#limitations )
6. [Development - Guide for contributing to the module ](#development )
## Description
2018-03-01 15:34:38 +00:00
This module uses [acme.sh ](https://github.com/Neilpang/acme.sh ) to request
letsencrypt certificates using the DNS-01 challenge. Once valid certificates
are recieved, they are stored in [Hashicorp
vault](https://www.vaultproject.io/) where they can be retrieved by any
appropriate machine.
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
This module consists of a common class, a request class, and a deploy class.
2018-03-01 19:34:25 +00:00
The request class is intended to be enabled on a single machine that will
2018-03-01 15:34:38 +00:00
handle all the certificate request and validation. The deploy class is then
enabled on any machine that requires the requested certificates.
2018-02-20 18:59:46 +00:00
## Setup
2018-03-01 15:34:38 +00:00
### What acme_vault affects
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
This module will create a new system user that is used to request and deploy
certificates. It uses [lexicon ](https://github.com/AnalogJ/lexicon ) to make
api requests for dns changes. We use namecheap, so the required namecheap
python library is also included. Both are installed via pip.
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
This module also assumes a working installation of vault.
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
### Beginning with acme_vault
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
Just include the appropriate modules for the appropriate machines, and make
sure the required values are provided via hiera or class. Note: the common
module must be included before either.
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
Typically this would involve a profile like:
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
```puppet
class profiles::acme_request {
include ::acme_vault::common
include ::acme_vault::request
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
}
```
2018-02-20 18:59:46 +00:00
## Usage
This section is where you describe how to customize, configure, and do the fancy stuff with your module here. It's especially helpful if you include usage examples and code samples for doing things with your module.
## Reference
2018-03-01 15:34:38 +00:00
**Classes:**
* [acme_vault::common ](#acme_vaultcommon )
* [acme_vault::request ](#acme_vaultrequest )
* [acme_vault::deploy ](#acme_vaultdeploy )
### Classes
#### acme_vault::common
2018-03-01 19:02:28 +00:00
This class needs to be included before acme_vault::request or
acme_vault::deploy and contains configurations common to both. The user,
vault, vault vars, and cron mailto are needed for both request and deploy
##### `user`
user to be created to request/deploy certs
Default value: `acme_vault`
##### `group`
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: `acme_vault`
##### `home_dir`
home dir of the above user, where scripts and config will be stored.
Default value: `/home/$user`
##### `contact_email`
contact email used for cert registration, also used as MAILTO variable for cron jobs
Default value: `''`
##### `domains`
mapping of domains to be included in the cert. The key is the "main" domain,
and the value is the list of extra names to be requested. Both the main domain
and the list of domains are included.
REQUIRED
#### `vault_token`
2018-03-01 19:09:23 +00:00
Vault token for authenticating to vault. This should have appropriate
permissions applied in vault. A demo script is provided
[here ](vault_policy.sh )
2018-03-01 19:02:28 +00:00
REQUIRED
#### `vault_addr`
Address of vault server
REQUIRED
#### `vault_bin`
Path to the vault binary.
Default value: `${home_dir}/vault"`
#### `vault_prefix`
The path within vault where the certificates will be stored and retrieved.
Default value: `/secret/letsencrypt/`
2018-03-01 15:34:38 +00:00
#### acme_vault::request
2018-03-01 19:02:28 +00:00
This class uses acme.sh, and pulls down the git repo for it. It uses the
lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
It configures a cron job to periodically check if a cert needs renewal.
2018-03-01 15:34:38 +00:00
Note: it does not automatically trigger requesting certs, but relies on cron
coordination to eventually reach the desired end state. Since certificate
2018-03-01 19:02:28 +00:00
renewal has a large time window, this is acceptable. Any urgent issue/renewals
can be triggered by running the cron job manually as needed.
2018-03-01 15:34:38 +00:00
#### Parameters inherited from common, but can be overriden:
##### `user`
user to be created to request/deploy certs
Default value: `acme_vault`
##### `group`
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: `acme_vault`
##### `home_dir`
home dir of the above user, where scripts and config will be stored.
Default value: `/home/$user`
##### `contact_email`
contact email used for cert registration, also used as MAILTO variable for cron jobs
Default value: `''`
##### `domains`
mapping of domains to be included in the cert. The key is the "main" domain,
and the value is the list of extra names to be requested. Both the main domain
and the list of domains are included.
REQUIRED
#### Parameters only for request:
#### `staging`
whether to use the acme staging endpoint
Valid values: `true` , `false`
Default value: `false`
#### `staging_url`
url to acme staging endpoint
Default value: `https://acme-staging-v02.api.letsencrypt.org/directory`
#### `prod_url`
url to the acme prod endpoint
Default value: `https://acme-v02.api.letsencrypt.org/directory`
#### `acme_revision`
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
git revision/tag to be used to checkout acme.sh repository.
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
Default value: `HEAD`
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
#### `acme_repo_path`
2018-02-20 18:59:46 +00:00
2018-03-01 15:34:38 +00:00
where the repo should be checked out.
Default value: `$home_dir/acme.sh`
#### `acme_script`
path the the acme.sh script itself
Default value: `$acme_repo_path/acme.sh`
#### `lexicon_provider`
provider for lexicon to use for dns-01 challanges.
REQUIRED
#### `lexicon_username`
username for lexicon dns.
REQUIRED
#### `lexicon_token`
token for lexicon user.
REQUIRED
### acme_vault::deploy
2018-03-01 19:02:28 +00:00
This class handles taking a cert/key out of vault, and placing it in a
configured path on the filesystem. It will also accept a restart command to
restart any appropriate services to take advantage of the new cert.
It employs a script, check_cert.sh, to validate the cert in vault exists, and
is appropriate to replace the existing one
2018-03-01 15:34:38 +00:00
#### Parameters inherited from common, but can be overriden:
##### `user`
user to be created to request/deploy certs
Default value: `acme_vault`
##### `group`
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: `acme_vault`
##### `home_dir`
home dir of the above user, where scripts and config will be stored.
Default value: `/home/$user`
##### `domains`
mapping of domains to be included in the cert. The key is the "main" domain,
and the value is the list of extra names to be requested. Both the main domain
and the list of domains are included.
REQUIRED
#### Parameters only for deplay:
##### `cert_destination_path`
where the cert should be deployed to. cert will end up in $cert_destination_path/$domain/.
Default value: `/etc/acme-vault`
##### `restart`
indicates if cron should include a restart after cert is deployed
Valid values: `true` `false`
##### `restart_command`
The command used restart any service after cert is deployed
Default value: `''`
2018-02-20 18:59:46 +00:00
## Limitations
2018-03-01 15:34:38 +00:00
Has only been tested on Centos 7
2018-02-20 18:59:46 +00:00
## Development
2018-03-01 15:34:38 +00:00
Contributions are welcome!
2018-02-20 18:59:46 +00:00