# CertsD
> CertsD-open - open-source, automated, asynchronous LE certificate issuer
# Author:
Daniel ([@dmilith](https://twitter.com/dmilith)) Dettlaff
## Features:
- Generates separate certificates for the root domain and its wildcard version.
- Uses [RON](https://github.com/ron-rs/ron) formatted configuration.
- Supports multiple CloudFlare accounts and multiple domains/zones at once.
- Automatic management of DNS TXT records via the CloudFlare API.
- Notifies Slack using a Webhook after a successful renewal.
- Asynchronous by default.
## Requirements read from the configuration file:
- CloudFlare API Token (with "Edit zone DNS" permission).
- CloudFlare Zone ID
- A domain
## Step by step how it works
- CertsD reads the input configuration from [one of the existing paths](https://github.com/VerKnowSys/certsd-open/blob/master/src/config.rs#L29-L32).
- The ACME registration process starts in the current working directory.
- Reuses the existing key files (`account.key` + `example.com/domain.key` + `wild_example.com/domain.key`) or generates any that are missing automatically.
- Validates the expiration date of both certs (`example.com/chained.pem` and `wild_example.com/chained.pem`). By default, ACME issues certificates valid for 90 days, so CertsD renews only certificates that have fewer than 60 days of validity left.
- ACME process creates the DNS challenge.
- A DNS TXT record for a given domain (with the value of the challenge) is created using CF API.
- Await confirmation of the order from the ACME response.
- A DNS TXT record for a given domain is deleted using CF API.
- After order confirmation, the certificate chains (`example.com/chained.pem` + `wild_example.com/chained.pem`) are fetched from ACME.
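The two decisions in the flow above that are easiest to get wrong are the renewal threshold and the cleanup of the `_acme-challenge` TXT record after the order finishes (or fails). The following is an added example, not CertsD's own code: it models the 60-day renewal check and the DNS-01 create/await/delete sequence with an in-memory stand-in for the CloudFlare API (`DnsApi`, `MemoryDns`, `run_dns01_challenge` and `needs_renewal` are names assumed here, not CertsD's), and it is synchronous for brevity where CertsD itself is asynchronous. The point it demonstrates is that the TXT record is removed on every exit path, including an "invalid" ACME response, so no stale challenge records accumulate in the zone.

```rust
// Added example (not CertsD's own code). Models the renewal decision and the
// DNS-01 challenge lifecycle from the README with an in-memory DNS stand-in,
// so it runs offline. Synchronous for brevity; CertsD itself is async.
use std::cell::RefCell;
use std::collections::HashMap;

pub const DAY_SECS: u64 = 86_400;
/// Threshold from the README: renew when fewer than 60 days of validity remain.
pub const RENEW_THRESHOLD_DAYS: u64 = 60;

/// True when a certificate expiring at `not_after` (unix seconds) has fewer
/// than `RENEW_THRESHOLD_DAYS` left at `now`. Already-expired certs count too.
pub fn needs_renewal(not_after: u64, now: u64) -> bool {
    let remaining = not_after.saturating_sub(now);
    remaining < RENEW_THRESHOLD_DAYS * DAY_SECS
}

/// The subset of DNS operations the flow needs. A real implementation would
/// call the CloudFlare API; `MemoryDns` below is a constructed stand-in.
pub trait DnsApi {
    fn create_txt(&self, name: &str, value: &str) -> Result<String, String>;
    fn delete_txt(&self, record_id: &str) -> Result<(), String>;
    fn lookup_txt(&self, name: &str) -> Vec<String>;
}

/// In-memory zone: record id -> (name, value). Constructed for the example.
#[derive(Default)]
pub struct MemoryDns {
    records: RefCell<HashMap<String, (String, String)>>,
    next_id: RefCell<u64>,
}

impl DnsApi for MemoryDns {
    fn create_txt(&self, name: &str, value: &str) -> Result<String, String> {
        let mut id = self.next_id.borrow_mut();
        *id += 1;
        let rid = format!("rec-{}", *id);
        self.records
            .borrow_mut()
            .insert(rid.clone(), (name.to_string(), value.to_string()));
        Ok(rid)
    }
    fn delete_txt(&self, record_id: &str) -> Result<(), String> {
        self.records
            .borrow_mut()
            .remove(record_id)
            .map(|_| ())
            .ok_or_else(|| format!("no record {record_id}"))
    }
    fn lookup_txt(&self, name: &str) -> Vec<String> {
        self.records
            .borrow()
            .values()
            .filter(|(n, _)| n == name)
            .map(|(_, v)| v.clone())
            .collect()
    }
}

/// RAII guard: the TXT record is deleted when the guard drops, so a failed
/// order or an early return never leaves a stale _acme-challenge record.
struct TxtRecordGuard<'a, D: DnsApi> {
    dns: &'a D,
    id: String,
}

impl<'a, D: DnsApi> Drop for TxtRecordGuard<'a, D> {
    fn drop(&mut self) {
        // Best effort: a failed delete must not mask the original error.
        let _ = self.dns.delete_txt(&self.id);
    }
}

/// Runs the DNS-01 challenge for one domain: publish the challenge value,
/// let `await_order` poll the ACME order, then clean up regardless of outcome.
pub fn run_dns01_challenge<D: DnsApi>(
    dns: &D,
    domain: &str,
    challenge_value: &str,
    await_order: impl Fn(&str) -> Result<(), String>,
) -> Result<(), String> {
    let name = format!("_acme-challenge.{domain}");
    let id = dns.create_txt(&name, challenge_value)?;
    let _guard = TxtRecordGuard { dns, id };
    await_order(&name)
}

fn main() {
    let dns = MemoryDns::default();
    let now = 1_700_000_000u64; // constructed "current time"
    println!("renew 59d cert: {}", needs_renewal(now + 59 * DAY_SECS, now));
    let outcome = run_dns01_challenge(&dns, "example.com", "token-value", |name| {
        println!("published {:?} at {name}", dns.lookup_txt(name));
        Err("invalid".to_string()) // simulate the occasional ACME "invalid"
    });
    println!("order: {outcome:?}, leftover records: {:?}",
        dns.lookup_txt("_acme-challenge.example.com"));
}
```

Against a real zone the same guard pattern applies unchanged; only `DnsApi` would be backed by the CloudFlare API token from the configuration file.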
## A few notes about ACME service:
- CertsD stability relies on the stability of ACME services. Don't panic. Be patient.
- From time to time the ACME API responds with a random "invalid" status just because. Don't panic. Be patient.
- If you don't remove any of (`account.key` + `example.com/domain.key` + `wild_example.com/domain.key`) too often, ACME is likely to renew your certs faster and without issues (ACME cert caching mechanism).
- If you want to use ACME Staging for testing, set `acme_staging: true` in your configuration.
## Software requirements:
- Rust >= 1.68.2
- OpenSSL >= 1.1.1t
## Additional build requirements:
- Clang >= 6.x
- Make >= 3.x
- Cmake >= 3.16
- Perl >= 5.x
- Patchelf > 0.17
- POSIX-compliant base system (tested on FreeBSD/HardenedBSD/Darwin and Linux)
# Production Configuration:
> NOTE: I hold the configuration under `/Services/Certsd/service.conf`, and all keys and generated certificates under `/Services/Certsd`.
```ron
(
    acme_staging: false,
    accounts: [
        (
            cloudflare_api_token: "cloudflare-api-token",
            cloudflare_zone_id: "cloudflare-zone-id",
            domain: "myexample.com",
            contacts: ["domains@example.com"],
        ),
    ],
    slack_webhook: "https://hooks.slack.com/services/AAAAAAAAAAA/AAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAA",
)
```
# Production cron entry example:
```cron
# run certsd at 23:30 (30 minutes before midnight) on the 7th, 14th and 24th of each month;
# certsd only renews certs with fewer than 60 days of validity left, so extra runs are harmless.
# The command is not quoted: cron hands the whole line to sh -c, and a quoted line
# would be treated as a single command name and fail.
30 23 7,14,24 * * cd /Services/Certsd && /Software/Certsd/exports/certsd >> /var/log/renew-example.com.log
```
# Example Nginx proxy configuration (to serve generated `chained.pem` to remote hosts):
```conf
server {
    listen 80;
    server_name my.example.com;
    autoindex off;

    # only the public certificate chain is exposed; everything else is denied
    location ~ .*/chained.pem {
        root /var/www/certsd;
    }

    location / {
        deny all;
    }
}
```