A tool that requests certificates from an ACME-supporting CA, solves DNS challenges, and stores the certificates in Vault.
- Add the domains that need certificates to the domains.yml file
- Set necessary environment variables (see configuration)
- Run certificator
- Find certificates in Vault
Certificator reads most configuration parameters from environment variables. They are defined in the Config struct in pkg/config/config.go.
Configuration variables:
- ACME_ACCOUNT_EMAIL - email used in the certificate retrieval process. Required
- ACME_DNS_CHALLENGE_PROVIDER - DNS challenge provider. Available providers can be found here. Required
- ACME_DNS_PROPAGATION_REQUIREMENT - if set to true, requires complete DNS record propagation before reporting the challenge as solved. Default: true
- ACME_REREGISTER_ACCOUNT - if set to true, allows registering an account with the CA. This should be set to true for the first use. Once the account credentials are stored in Vault, you can set it to false to avoid accidental registrations. Default: false
- ACME_SERVER_URL - ACME directory location. Default: https://acme-staging-v02.api.letsencrypt.org/directory
- VAULT_APPROLE_ROLE_ID - role ID for the Vault AppRole authentication method. Required in the prod environment
- VAULT_APPROLE_SECRET_ID - secret ID for the Vault AppRole authentication method. Required in the prod environment
- VAULT_KV_STORAGE_PATH - path in the Vault KV store where certificator stores certificates and account data. Default: secret/data/certificator/
- VAULT_ADDR - Vault address, for example "http://localhost:8200". Required
- LOG_FORMAT - logging format; supported formats: JSON and LOGFMT. Default: JSON
- LOG_LEVEL - logging level; supported levels: DEBUG, INFO, WARN, ERROR, FATAL. Default: INFO
- DNS_ADDRESS - address of the DNS server used to check propagation of the challenge DNS record. Default: 127.0.0.1:53
- ENVIRONMENT - the environment certificator is running in. If it is dev, the token in the VAULT_DEV_ROOT_TOKEN_ID env variable is used to authenticate to Vault. If it is prod, the AppRole authentication method is used. Default: prod
- CERTIFICATOR_DOMAINS_FILE - path to the file where domains are defined. Default: /code/domains.yml
- CERTIFICATOR_RENEW_BEFORE_DAYS - how many days of validity a certificate should have remaining before it is renewed. Default: 30
- LEGO_EXPERIMENTAL_CNAME_SUPPORT - boolean value which enables CNAME support. When true, it tries to resolve _acme-challenge.<YOUR_DOMAIN> and, if it finds a CNAME record for that name, solves the challenge at the CNAME target instead. Example: if it finds this record:
  CNAME _acme-challenge.test.com -> test.com.challenges.test.com
  it creates the TXT record in the challenges.test.com zone:
  TXT test.com.challenges.test.com -> <CHALLENGE_VALUE>
  The CA verifies domain ownership by following the same CNAME. This allows giving this tool a DNS token with access rights limited to a single zone.
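The CNAME delegation described above, as an added Go example that is not part of certificator's code: the Resolver interface, mapResolver and ChallengeRecordName are assumed names, and the zone data is constructed for the example. It goes slightly beyond the README by following a chain of CNAMEs and stopping on a loop, so a misconfigured zone cannot send the solver round in circles.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolver abstracts a CNAME lookup so the placement logic can run offline.
// A real implementation would query the server configured in DNS_ADDRESS.
type Resolver interface {
	LookupCNAME(fqdn string) (target string, found bool)
}

// mapResolver is a constructed in-memory zone used only for this example.
type mapResolver map[string]string

func (m mapResolver) LookupCNAME(fqdn string) (string, bool) {
	t, ok := m[canonical(fqdn)]
	return t, ok
}

// canonical lower-cases a name and ensures exactly one trailing dot.
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// ChallengeRecordName returns the FQDN at which the DNS-01 TXT record must be
// created for domain. With cnameSupport disabled it is always
// _acme-challenge.<domain>. With it enabled, a CNAME at that name is followed
// (at most maxHops times, so a loop is reported instead of spinning) and the
// final target is returned; that is what lets a token scoped to one delegated
// zone solve challenges for domains living in other zones.
func ChallengeRecordName(r Resolver, domain string, cnameSupport bool) (string, error) {
	const maxHops = 8
	name := canonical("_acme-challenge." + domain)
	if !cnameSupport {
		return name, nil
	}
	for hop := 0; hop < maxHops; hop++ {
		target, ok := r.LookupCNAME(name)
		if !ok {
			return name, nil // no CNAME here: the TXT goes at this name
		}
		name = canonical(target)
	}
	return "", fmt.Errorf("CNAME chain for %s exceeds %d hops", domain, maxHops)
}

// ExampleZone holds the constructed CNAME from the README example plus a
// deliberately looping record to exercise the hop limit.
var ExampleZone = mapResolver{
	"_acme-challenge.test.com.":     "test.com.challenges.test.com",
	"_acme-challenge.loop.example.": "_acme-challenge.loop.example",
}

func main() {
	for _, d := range []string{"test.com", "other.example", "loop.example"} {
		name, err := ChallengeRecordName(ExampleZone, d, true)
		fmt.Printf("%s -> TXT at %q (err=%v)\n", d, name, err)
	}
}
```

With the README's record in place, test.com resolves to test.com.challenges.test.com., so the TXT record is written in the challenges.test.com zone and the CA, following the same CNAME, finds it there.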
Domains that certificator should retrieve certificates for are defined in this file in YAML format. An example file is in domains.yml.
Every item in the array under the domains key results in one certificate. The first domain in an array item is used for the CommonName field of the certificate; all other domains are added using the Subject Alternative Name extension. Domains in a single array item are separated by commas. The first domain is also used as the key in the Vault KV store.
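How one item of the domains array maps to certificate fields and a Vault key, together with the CERTIFICATOR_RENEW_BEFORE_DAYS renewal check, as an added Go example rather than certificator's own code. ParseDomainsItem, NeedsRenewal and selfSignedFor are assumed names, the items are constructed, and the self-signed certificate exists only so the renewal check can run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSpec is what a single item of the domains array turns into.
type CertSpec struct {
	CommonName string   // first domain of the item
	SANs       []string // remaining domains, per the README; a CSR builder would normally list the CN here too
	VaultPath  string   // VAULT_KV_STORAGE_PATH joined with the first domain
}

// ParseDomainsItem splits one comma-separated item. kvPath is the value of
// VAULT_KV_STORAGE_PATH. Whitespace is trimmed and names are lower-cased so
// "Example.com" and "example.com" cannot produce two Vault keys.
func ParseDomainsItem(item, kvPath string) (CertSpec, error) {
	var names []string
	for _, part := range strings.Split(item, ",") {
		if n := strings.ToLower(strings.TrimSpace(part)); n != "" {
			names = append(names, n)
		}
	}
	if len(names) == 0 {
		return CertSpec{}, fmt.Errorf("empty domains item %q", item)
	}
	return CertSpec{
		CommonName: names[0],
		SANs:       names[1:],
		VaultPath:  strings.TrimSuffix(kvPath, "/") + "/" + names[0],
	}, nil
}

// NeedsRenewal reports whether cert has fewer than renewBeforeDays of validity
// left at time now, which is the CERTIFICATOR_RENEW_BEFORE_DAYS rule.
func NeedsRenewal(cert *x509.Certificate, renewBeforeDays int, now time.Time) bool {
	return now.Add(time.Duration(renewBeforeDays) * 24 * time.Hour).After(cert.NotAfter)
}

// selfSignedFor builds a throwaway certificate for spec expiring at notAfter.
// Certificator gets real certificates from the CA; this only feeds the check.
func selfSignedFor(spec CertSpec, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: spec.CommonName},
		DNSNames:     spec.SANs,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed items in the comma-separated form the README describes.
	items := []string{"example.com,www.example.com,api.example.com", "test.com", " , "}
	now := time.Now()
	for _, it := range items {
		spec, err := ParseDomainsItem(it, "secret/data/certificator/")
		if err != nil {
			fmt.Println("skipping:", err)
			continue
		}
		cert, err := selfSignedFor(spec, now.Add(20*24*time.Hour))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%q -> CN=%s SANs=%v vault=%s renew=%v\n",
			it, spec.CommonName, spec.SANs, spec.VaultPath, NeedsRenewal(cert, 30, now))
	}
}
```

A certificate with 20 days left is flagged for renewal under the default of 30 days, while one with 45 days left is not; an item that contains no domain names is rejected rather than producing an empty Vault key.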
This project contains unit and integration tests. To run them, follow the instructions below.
Files related to the integration tests are in the test directory.
They rely on several components: pebble, vault and challtestsrv.
Steps to run it:
- Build the container that runs the tests:
  docker-compose build tester
- Run the tests:
  - only integration tests:
    docker-compose run --rm tester go test ./test/...
  - all tests:
    docker-compose run --rm tester go test ./...
- Check the results
- Bring down the testing infrastructure:
  docker-compose down
Unit tests can be run without any dependencies, simply execute:
go test ./pkg/...