Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
Acmesmith is an ACME (Automatic Certificate Management Environment) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on Let's encrypt.
This tool is written in Ruby, but Acmesmith saves certificates in simple scheme, so you can fetch certificate by your own simple scripts.
Features
- ACME v2 client designed to work on multiple servers
- ACME registration, domain authorization, certificate requests
- Tested against Let's encrypt
- Storing keys in several ways
- Challenge response
- Many cloud services support
- AWS S3 storage and Route 53
dns-01
responder support out-of-the-box - 3rd party plugins available for OpenStack designate, Google Cloud DNS, simple http-01, and Google Cloud Storage. See Plugins below
- AWS S3 storage and Route 53
Installation
Add this line to your application's Gemfile:
gem 'acmesmith'
And then execute:
$ bundle
Or install it yourself as:
$ gem install acmesmith
Docker
docker run -v /path/to/acmesmith.yml:/app/acmesmith.yml:ro sorah/acmesmith:latest
Dockerfile
is available. Default confguration file is at /app/acmesmith.yml
.
Pre-built docker images are provided at https://hub.docker.com/r/sorah/acmesmith for your convenience Built with GitHub Actions & sorah-rbpkg/dockerfiles.
Usage
$ acmesmith new-account CONTACT # Create account key (contact e.g. mailto:xxx@example.org)
$ acmesmith order COMMON_NAME [SAN] # request certificate for CN +COMMON_NAME+ with SANs +SAN+
$ acmesmith add-san COMMON_NAME [SAN] # re-request existing certificate of CN with additional SAN(s)
$ acmesmith list [COMMON_NAME] # list certificates or its versions
$ acmesmith current COMMON_NAME # show current version for certificate
$ acmesmith show-certificate COMMON_NAME # show certificate
$ acmesmith show-private-key COMMON_NAME # show private key
$ acmesmith save-certificate COMMON_NAME --output=PATH # Save certificate to a file
$ acmesmith save-private-key COMMON_NAME --output=PATH # Save private key to a file
$ acmesmith save-pkcs12 COMMON_NAME --output=PATH # Save certificate and private key to a PKCS12 file
$ acmesmith autorenew [-d DAYS] # Renew certificates which being expired soon
# Save (or update) certificate files and key in a one command
$ acmesmith save COMMON_NAME \
--version-file=/tmp/cert.txt # Path to save a certificate version for following run
--key-file=/tmp/cert.key # Path to save a key
--fullchain-file=/tmp/cert.pem # Path to save a certficiate and its chain (concatenated)
See acmesmith help [subcommand]
for more help.
Configuration
See config.sample.yml to start. Default configuration file is ./acmesmith.yml
.
directory: https://acme-v02.api.letsencrypt.org/directory # production
storage:
# configure where to store keys and certificates; described later
type: s3
region: 'us-east-1'
bucket: 'my-acmesmith-bucket'
prefix: 'prod/'
challenge_responders:
# configure how to respond ACME challenges; described later
- route53: {}
Storage
Storage provider stores issued certificates, private keys and ACME account keys.
- Amazon S3: s3
- Filesystem: filesystem
- Google Cloud Storage: minimum2scp/acmesmith-google-cloud-storage (plugin)
Challenge Responders
Challenge responders responds to ACME challenges to prove domain ownership to CA.
- API driven
- AWS Route 53: route53 (
dns-01
) - Google Cloud DNS: nagachika/acmesmith-google-cloud-dns (
dns-01
, plugin ) - OpenStack Designate v1: hanazuki/acmesmith-designate (
dns-01
, plugin ) - Verisign MDNS REST API: benkap/acmesmith-verisign (
dns-01
, plugin )
- AWS Route 53: route53 (
- Generic
- Static HTTP: mipmip/acmesmith-http-path (
http-01
, plugin )
- Static HTTP: mipmip/acmesmith-http-path (
Common options
challenge_responders:
## Multiple responders are accepted.
## The first responder that supports a challenge and applicable for given domain name will be used.
- {RESPONDER_TYPE}:
{RESPONDER_OPTIONS}
### Filter (optional)
filter:
subject_name_exact:
- my-app.example.com
subject_name_suffix:
- .example.org
subject_name_regexp:
- '\Aapp\d+.example.org\z'
- {RESPONDER_TYPE}:
{RESPONDER_OPTIONS}
...
Post Issuing Hooks
Post issuing hooks are configurable actions that are executed when a new certificate has been succesfully issued. The hooks are sequentially executed in the same order as they are configured, and they are configurable per certificate's common-name.
Chain preference
If you want to prefer an alternative chain given by CA (RFC8555 Section 7.4.2.), use the following configuration. Preference may be delcared with common name.
When chain preferences are configured for the common name of an ordered certificate, Acmesmith will retrieve all available alternative chains and evaluate rules in an configured order. The first chain matched to a rule will be used and saved to a storage.
During rule evaluation, a root issuer name and key id are taken from the last available intermediate (Issuer and AKI) provided in a chain, when a chain doesn't have a root certificate (trust anchor).
chain_preferences:
- root_issuer_name: "ISRG Root X1"
### Optionally, you may specify CA SKI/AKI:
# root_issuer_key_id: "79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e"
### Filter by common name (optional)
filter:
exact:
- my-app.example.com
suffix:
- .example.org
regexp:
- '\Aapp\d+.example.org\z'
Vendor dependent notes
- ./docs/vendor/aws.md: IAM and KMS key policies, and some tips
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/acmesmith.
Running tests
unit test:
bundle exec rspec
integration test using letsencrypt/pebble. needs Docker:
ACMESMITH_CI_START_PEBBLE=1 CI=1 bundle exec -t integration_pebble
Writing plugins
Publish as a gem (RubyGems). Files will be loaded automatically from lib/acmesmith/{plugin_type}/{name}.rb
.
e.g.
- storage:
lib/acmesmith/storages/perfect_storage.rb
&Acmesmith::Storages::PerfectStorage
- challenge_responder:
lib/acmesmith/challenge_responders/perfect_authority.rb
&Acmesmith::Storages::PerfectAuthority
- post_issuing_hook:
lib/acmesmith/challenge_responders/nice_deploy.rb
&Acmesmith::Storages::NiceDeploy
Development
After checking out the repo, run bin/setup
to install dependencies. Then, run rake spec
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.
License
The gem is available as open source under the terms of the MIT License.