Project description

Certbot-Vault

Running

Create file with credentials (e.g. /etc/letsencrypt/.hashicorp-vault-creds):

vault-addr=https://vault.example.com:8200/
vault-token=s.AADSFSDHJGJHGDFGSERWETTRHTT

Or define ENV files:

export VAULT_ADDR=https://vault.example.com:8200/
export VAULT_TOKEN=s.AADSFSDHJGJHGDFGSERWETTRHTT

Run installer plugin separately (skip --vault-credentials if creds were provided via ENV variables):

certbot install -i vault --vault-credentials=/etc/letsencrypt/.hashicorp-vault-creds --vault-path='secret/le-certs' --vault-single --cert-name example.com

Or as a part or certbot run:

certbot run -a ..... -i vault ... -d example.com,www.example.com

CLI arguments

--vault-credentials - INI file with vault-addr=XYZ and vault-token=XYZ key pairs. If not provided, script will attempt to read ENV variables VAULT_ADDR and VAULT_TOKEN.
--vault-path - path in Vault where to store certificates, first component is expected to be engine mount point (e.g. secret, kv, etc...).
--vault-dpath - last component of path is always taken from certificate's SAN (e.g. kv/*.example.com). This option can override the domain to something else.
--vault-single - upload certs only once if provided multiple SANs via -d example.com,www.example.com - in this case only kv/letsencrypt/example.com will be created.

Developing

How to setup test env documented here. Tl;dr version below:

# clone upstream certbot
git clone https://github.com/certbot/certbot.git
cd certbot

# setup virtualenv and install our plugin
python3 tools/venv.py
source venv/bin/activate
pip install -e ../certbot-vault

# run testing ACME server
run_acme_server &

# start Vault dev server and copy root token
vault server -dev &

# generate credentials file for certbot-vault plugin
echo -e 'vault-addr=http://127.0.0.1:8200\nvault-token=ABCDEFG' > ~/dev-hashi-certbot

# issue test certficate
certbot_test run --standalone -d test.example.com -i vault --vault-credentials ~/dev-hashi-certbot --vault-path secret/

# now it should be present in Vault, after checking it, you can try to renew for example
certbot_test renew

Currently supports only kv store.

Generate test cert:

certbot_test certonly --standalone -d test.example.com

Install cert:

certbot_test install -i vault --cert-name test.example.com

This is rather a PoC for newer versions of certbot, but it can be easily modified to support other features in Vault.

Project details

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.4.3

Feb 24, 2023

0.4.2

Feb 23, 2023

0.4.1

Dec 1, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

certbot-vault-installer-0.4.3.tar.gz (8.2 kB view hashes)

Uploaded Feb 24, 2023 Source

Built Distribution

certbot_vault_installer-0.4.3-py3-none-any.whl (9.0 kB view hashes)

Uploaded Feb 24, 2023 Python 3

Hashes for certbot-vault-installer-0.4.3.tar.gz

Hashes for certbot-vault-installer-0.4.3.tar.gz
Algorithm	Hash digest
SHA256	`68555a556e531d5afb15ca06ccb0577fb5ccba23a7603f1bd2490f94a9ed3569`
MD5	`d1b4dddb287a0f7fd35c1a92ff989ef5`
BLAKE2b-256	`0ed729ac5dd2911bad747238abdd7849b6f7807c839862b58dcfcfa8e96896a0`

Hashes for certbot_vault_installer-0.4.3-py3-none-any.whl

Hashes for certbot_vault_installer-0.4.3-py3-none-any.whl
Algorithm	Hash digest
SHA256	`b2da9699a7464be72f5d4e661571d985924ab542856fd7fe1ececfb99035506d`
MD5	`369f1761bb3b9ac3b7d66890afd081ce`
BLAKE2b-256	`25e17985fd678e188c1ed03cdf5254f3e7d68670267537d849fc52acc3dfb9b5`