cert_watch

0.01
No commit activity in last 3 years
No release in over 3 years
Rails engine for automatically renewing SSL certificates.
Dependencies

Development

= 1.0.0.pre2
~> 2.7
~> 0.5.4
~> 1.0
~> 0.7.1

Runtime

~> 4.0
~> 1.25
Project Readme

CertWatch

A Rails engine to manage and automatically obtain, install and renew SSL certificates.

Ingredients

CertWatch consists of the following components:

  • Resque jobs to renew and install certificates.
  • A mixin for models with a cname attribute to request certificates when the attribute changes.
  • Rake tasks to reinstall certificates on a fresh server.

Optionally:

  • An Active Admin resource to manage certificates.
  • An Arbre view component to display certificate status for a given domain.

Requirements

Limitations

  • Requires sudo on the server. The certbot script used to obtain certificates needs root privileges. This could probably be avoided by using the acme-client gem instead.
  • Works only with web servers that can read certificates from a directory (tested with HAProxy).

Installation

Add the following lines to your Gemfile and run bundle install:

gem 'cert_watch'

# Required since state_machine gem is unmaintained
gem 'state_machine', git: 'https://github.com/codevise/state_machine.git'

Add an initializer:

# config/initializers/cert_watch.rb
CertWatch.setup do |config|
  # Uncomment any of the below options to change the default

  # Maximum age of certificates before renewal.
  # config.renewal_interval = 1.month

  # Number of expiring certificates to renew in one run of the
  # `RenewExpiringCertificatesJob`.
  # config.renewal_batch_size = 10

  # File name of the certbot executable.
  # config.certbot_executable = '/usr/local/share/letsencrypt/bin/certbot'

  # Port for the standalone certbot HTTP server
  # config.certbot_port = 9999

  # Directory certbot outputs certificates to
  # config.certbot_output_directory = '/etc/letsencrypt/live'

  # Directory the web server reads pem files from
  # config.pem_directory = '/etc/haproxy/ssl/'

  # Place pem files in provider specific subdirectories of pem directory.
  # By default, all pem files are placed in pem directory itself.
  # config.provider_install_directory_mapping = {
  #   certbot: 'letsencrypt',
  #   custom: 'custom'
  # }

  # Command to make server reload pem files
  # config.server_reload_command = '/etc/init.d/haproxy reload'
end

Ensure private keys do not show up in log files:

# config/initializers/filter_parameter_logging.rb
Rails.application.config.filter_parameters += [:private_key]

Include the DomainOwner mixin in a model with a domain attribute. This makes CertWatch obtain or renew certificates whenever the attribute changes. Validation of the attribute has to be provided by the host application.

# app/models/account.rb
# assuming Account is an Active Record model with a cname attribute
class Account < ActiveRecord::Base
  include CertWatch.domain_owner(attribute: :cname)
end
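Because the engine leaves validation of the domain attribute to the host application, and the value names the certificate that will be requested from certbot, the host should only accept well-formed DNS hostnames. The following strict check is an added example, not part of cert_watch; the module name CnameCheck and the wiring comment are assumptions, and it runs without Rails.

```ruby
# Strict hostname check for a model's cname attribute (added example, not part of
# cert_watch). Accepts only plain DNS hostnames: ASCII letters, digits and hyphens,
# labels of 1..63 characters that neither start nor end with a hyphen, at least two
# labels, an alphabetic top-level label and at most 253 characters in total.
# Wildcards, underscores, whitespace, bare IP addresses and "localhost" are rejected.
module CnameCheck
  LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/
  TLD   = /\A[a-z]{2,}\z/

  # Returns the normalised (lowercase, no trailing dot) hostname, or nil if invalid.
  def self.normalize(value)
    return nil unless value.is_a?(String)
    host = value.downcase.chomp('.')          # tolerate the trailing dot of an FQDN
    return nil if host.empty? || host.length > 253
    labels = host.split('.', -1)              # -1 keeps empty labels ("a..b") visible
    return nil if labels.length < 2
    return nil unless labels.all? { |label| label.match?(LABEL) }
    return nil unless labels.last.match?(TLD) # rejects all-numeric last labels (IPs)
    host
  end

  def self.valid?(value)
    !normalize(value).nil?
  end
end

# Wiring in the host application's Active Record model (assumed, not runnable here):
#   validate do
#     errors.add(:cname, 'is not a valid hostname') unless CnameCheck.valid?(cname)
#   end
```

Storing the value returned by CnameCheck.normalize, rather than the raw input, keeps the certificate record and the requested name consistent.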

If you want to use the Active Admin resource, add the following line to the top of your Active Admin initializer:

# config/initializers/active_admin.rb
ActiveAdmin.application.load_paths.unshift(CertWatch.active_admin_load_path)

If you use the CanCan authorization adapter, you also need to add the following rule for users that should be allowed to manage certificates:

# app/models/ability.rb
can :manage, CertWatch::Certificate

Now install migrations and migrate your database:

$ bin/rake cert_watch:install:migrations
$ bin/rake db:migrate

Set up your resque_schedule.yml to check for expiring certificates:

# config/resque_schedule.yml
# The top-level key is a free-form job name.
renew_expiring_certificates:
  every:
    - "5h"
    - :first_in: "1m"
  class: "CertWatch::RenewExpiringCertificatesJob"
  queue: cert_watch
  description: "Check for expiring SSL certificates"

Finally ensure Resque workers have been assigned to the cert_watch queue.

Rake Tasks

Add the following line to your application's Rakefile:

# Rakefile
require 'cert_watch/tasks'

To reinstall all certificates (e.g. on a new server), run:

$ bin/rake cert_watch:reinstall:all

Active Admin View Components

You can render a status tag displaying the current certificate state for a given domain:

# app/admin/dashboard.rb
require 'cert_watch/views/certificate_state'

div(class: 'account_cname') do
  text_node(account.cname)
  cert_watch_certificate_state(account.cname)
end

Troubleshooting

If you run into problems or want to discuss a feature request, please file an issue.