From 195239f59a98b1e1f1e1737d47d57c5d0559c009 Mon Sep 17 00:00:00 2001
From: Dimitri Sokolyuk
Date: Fri, 18 Mar 2016 15:32:50 +0100
Subject: Alternative aproach

---
README.md | 18 ++++++++++++++++++
cmd/batch/args.go | 34 ++++++++++++++++++++++++++++++++++
cmd/batch/files.go | 29 +++++++++++++++++++++++++++++
cmd/batch/main.go | 17 +++++++++++++++++
4 files changed, 98 insertions(+)
create mode 100644 cmd/batch/args.go
create mode 100644 cmd/batch/files.go
create mode 100644 cmd/batch/main.go

diff --git a/README.md b/README.md
index 4e0b33e..3bec8da 100644
--- a/README.md
+++ b/README.md
@@ -119,3 +119,21 @@ outbound2.letsencrypt.org - do nothing
 4. key present, cert exires/expired - request new cert
+
+# Rethink (configless setup)
+
+## renew (batch mode)
+- param: gracetime (default 1 week), basedir (default /etc/ssl/ or ~/.acme/)
+- look for file pairs in {basedir}/private/(unknown).key and {basedir}/certs/(unknown).pem
+- if found extract NotAfter, DNSNames, EmailAddress
+ - if issuer is LE and if NotAfter reaches GraceTime use key, DNSNames and email to renew certificate
+- backup old cert as (unknown).pem.old and save new cert in {basename}/certs/(unknown).pem
+
+## new (manual mode)
+- params: basedir, email, domain
+- generate key
+ - register key and email(s)
+- generate csr
+ - request cert with altnames (domain) and email(s)
+- store {basedir}/private/{altname[0]}.key and {basedir}/certs/{altname[0]}.pem
+
diff --git a/cmd/batch/args.go b/cmd/batch/args.go
new file mode 100644
index 0000000..0bb4d99
--- /dev/null
+++ b/cmd/batch/args.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "time"
+
+ "dim13.org/acme"
+)
+
+type Domains []string
+
+func (v Domains) String() string { return fmt.Sprint([]string(v)) }
+func (v *Domains) Set(s string) error { *v = append(*v, s); return nil }
+
+type Emails []string
+
+func (v Emails) String() string { return fmt.Sprint([]string(v)) }
+func (v *Emails) Set(s string) error { *v = append(*v, s); return nil }
+
+var (
+ baseDir = flag.String("basedir", "/etc/ssl", "Base directory for SSL files")
+ graceTime = flag.Duration("gracetime", 24*7*time.Hour, "Renew grace time")
+ keySize = flag.Int("keysize", 2048, "Private key size")
+ provider = flag.String("provider", acme.LE1, "Certificate provider")
+ emails = new(Emails)
+ domains = new(Domains)
+)
+
+func init() {
+ flag.Var(domains, "domain", "Domain list (multiple values)")
+ flag.Var(emails, "email", "eMail addresses (multiple values)")
+ flag.Parse()
+}
diff --git a/cmd/batch/files.go b/cmd/batch/files.go
new file mode 100644
index 0000000..cc4cad5
--- /dev/null
+++ b/cmd/batch/files.go
@@ -0,0 +1,29 @@
+package main
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "path"
+ "path/filepath"
+)
+
+func scanFiles(dir string) ([]tls.Certificate, error) {
+ var certs []tls.Certificate
+ keys, err := filepath.Glob(path.Join(dir, "private", "*.key"))
+ if err != nil {
+ return nil, err
+ }
+ for _, k := range keys {
+ c := filepath.Join(dir, "certs", filepath.Base(k[:len(k)-4])+".pem")
+ crt, err := tls.LoadX509KeyPair(c, k)
+ if err != nil {
+ continue
+ }
+ crt.Leaf, err = x509.ParseCertificate(crt.Certificate[0])
+ if err != nil {
+ return nil, err
+ }
+ certs = append(certs, crt)
+ }
+ return certs, nil
+}
diff --git a/cmd/batch/main.go b/cmd/batch/main.go
new file mode 100644
index 0000000..208bc34
--- /dev/null
+++ b/cmd/batch/main.go
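Review bot: `flag.Parse()` inside `init()` at the end of the args.go hunk runs before `main` and before any flag another package registers in its own `init`, and it would make `go test ./cmd/batch` fail because the testing flags (`-test.v` and friends) are not yet defined when it runs and get rejected as unknown. Keep the two `flag.Var` registrations in `init` and move the parse to the first line of `main` in cmd/batch/main.go: `func main() { flag.Parse(); ...`. Separately, `Domains` and `Emails` are the same implementation twice; a single `type multiFlag []string` used for both variables would remove the duplication, and the help text would still document which is which. `keySize` and `provider` are declared but not referenced by any file in this commit, which the compiler will not flag for package-level vars, so it is worth a comment that they are placeholders for the "new" mode described in the README.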
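Review bot: A key whose certificate is missing, unreadable or does not match it is dropped silently by the `continue` after `tls.LoadX509KeyPair` in `scanFiles`, so in a batch renewal run a broken pair is never reported and never renewed; at minimum log it, `log.Printf("skipping %s: %v", k, err)` (with `"log"` added to the import block). The glob pattern is built with `path.Join` while the certificate path uses `filepath.Join`; `path` is for slash-separated names, so use `filepath.Join` for both, and `strings.TrimSuffix(filepath.Base(k), ".key")` reads better than `k[:len(k)-4]`, which is only correct because the glob fixed the suffix. Indexing `crt.Certificate[0]` is safe as written, since `LoadX509KeyPair` returns an error when it finds no certificate PEM block; a one-line comment saying so would save the next reader the check.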
@@ -0,0 +1,17 @@
+package main
+
+import "log"
+
+func main() {
+ crt, err := scanFiles(*baseDir)
+ if err != nil {
+ log.Fatal(err)
+ }
+ for _, c := range crt {
+ log.Printf("%+v\n", c.Leaf)
+ }
+ if len(*emails) > 0 && len(*domains) > 0 {
+ log.Println(*emails)
+ log.Println(*domains)
+ }
+}
-- 
cgit v1.2.3
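Review bot: `log.Printf("%+v\n", c.Leaf)` dumps the entire parsed `x509.Certificate`, including its `Raw*` DER byte slices and the public key, as one enormous record, and the trailing `\n` produces an extra blank line because `log.Printf` already terminates each record. Print the fields that matter for the renewal decision instead, e.g. `log.Printf("%s %v expires %v", c.Leaf.Subject.CommonName, c.Leaf.DNSNames, c.Leaf.NotAfter)`. The `graceTime` flag declared in args.go does not appear to be consulted anywhere in this commit, so the NotAfter-versus-grace-time check the README describes is still to come; a `// TODO: compare c.Leaf.NotAfter against *graceTime` inside the loop would make that explicit.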