Skip to content

D3DeFi/certbot-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
.github/workflows
.github/workflows
 
 
certbot_vault
certbot_vault
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
setup.py
setup.py
 
 

Repository files navigation

Certbot-Vault

Running

Create file with credentials (e.g. /etc/letsencrypt/.hashicorp-vault-creds):

vault-addr=https://vault.example.com:8200/
vault-token=s.AADSFSDHJGJHGDFGSERWETTRHTT

Or define ENV files:

export VAULT_ADDR=https://vault.example.com:8200/
export VAULT_TOKEN=s.AADSFSDHJGJHGDFGSERWETTRHTT

Run installer plugin separately (skip --vault-credentials if creds were provided via ENV variables):

certbot install -i vault --vault-credentials=/etc/letsencrypt/.hashicorp-vault-creds --vault-path='secret/le-certs' --vault-single --cert-name example.com

Or as a part or certbot run:

certbot run -a ..... -i vault ... -d example.com,www.example.com

CLI arguments

  • --vault-credentials - INI file with vault-addr=XYZ and vault-token=XYZ key pairs. If not provided, script will attempt to read ENV variables VAULT_ADDR and VAULT_TOKEN.
  • --vault-path - path in Vault where to store certificates, first component is expected to be engine mount point (e.g. secret, kv, etc...).
  • --vault-dpath - last component of path is always taken from certificate's SAN (e.g. kv/*.example.com). This option can override the domain to something else.
  • --vault-single - upload certs only once if provided multiple SANs via -d example.com,www.example.com - in this case only kv/letsencrypt/example.com will be created.

Developing

How to setup test env documented here. Tl;dr version below:

# clone upstream certbot
git clone https://github.com/certbot/certbot.git
cd certbot

# setup virtualenv and install our plugin
python3 tools/venv.py
source venv/bin/activate
pip install -e ../certbot-vault

# run testing ACME server
run_acme_server &

# start Vault dev server and copy root token
vault server -dev &

# generate credentials file for certbot-vault plugin
echo -e 'vault-addr=http://127.0.0.1:8200\nvault-token=ABCDEFG' > ~/dev-hashi-certbot

# issue test certficate
certbot_test run --standalone -d test.example.com -i vault --vault-credentials ~/dev-hashi-certbot --vault-path secret/

# now it should be present in Vault, after checking it, you can try to renew for example
certbot_test renew

Currently supports only kv store.

Generate test cert:

certbot_test certonly --standalone -d test.example.com

Install cert:

certbot_test install -i vault --cert-name test.example.com

This is rather a PoC for newer versions of certbot, but it can be easily modified to support other features in Vault.

About

HashiCorp Vault plugin for Certbot

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases 8

0.4.3 Latest
Feb 24, 2023
+ 7 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages