acmesmith 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/CHANGELOG.md +6 -0
- data/README.md +4 -2
- data/lib/acmesmith/certificate.rb +4 -0
- data/lib/acmesmith/client.rb +2 -2
- data/lib/acmesmith/storages/s3.rb +20 -3
- data/lib/acmesmith/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 428d6ec71e91259de56ffd77471e823c9673eb9002e8c1bb419875f57f9086e3
|
|
4
|
+
data.tar.gz: c85d4efa0fd6a36b04ea1fbfbd346a055426a1fdb818c5c7f25d28d4073f8b56
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f748341d751c06fe73c17e25c381979e6c77700a5df8bed4978fbfb5563e767d94a73cbfb5bc403cd60516e94fdf34af79b43c0ec3dcd82340e96c776a3cef70
|
|
7
|
+
data.tar.gz: f25125c00a446baa23f7025594096081a2ddd10c920d8602b8df8eb8bac0def9bb6ea63ae00d984124dc5a306d79e86faf386135e9f4281ddf28cb77b8094918
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## v2.2.0 (2018-08-08)
|
|
2
|
+
|
|
3
|
+
### Enhancement
|
|
4
|
+
|
|
5
|
+
- s3: Added `pkcs12_passphrase` and `pkcs12_commonname` options for saving PKCS#12 file into a S3 bucket. This is for scripts which read S3 bucket directly and needs PKCS#12 file.
|
|
6
|
+
|
|
1
7
|
## v2.1.0 (2018-06-07)
|
|
2
8
|
|
|
3
9
|
### Changes
|
data/README.md
CHANGED
|
@@ -71,8 +71,8 @@ See `acmesmith help [subcommand]` for more help.
|
|
|
71
71
|
See [config.sample.yml](./config.sample.yml) to start. Default configuration file is `./acmesmith.yml`.
|
|
72
72
|
|
|
73
73
|
``` yaml
|
|
74
|
-
directory: https://acme-staging-v02.api.letsencrypt.org/
|
|
75
|
-
# directory: https://acme-v02.api.letsencrypt.org/ #
|
|
74
|
+
directory: https://acme-staging-v02.api.letsencrypt.org/directory
|
|
75
|
+
# directory: https://acme-v02.api.letsencrypt.org/directory # production
|
|
76
76
|
|
|
77
77
|
storage:
|
|
78
78
|
# configure where to store keys and certificates; described later
|
|
@@ -101,6 +101,8 @@ storage:
|
|
|
101
101
|
# kms_key_id: # KMS key id (optional); if omit, default AWS managed key for S3 will be used
|
|
102
102
|
# kms_key_id_account: # KMS key id for account key (optional); This overrides kms_key_id
|
|
103
103
|
# kms_key_id_certificate_key: # KMS key id for private keys for certificates (optional); This oveerides kms_key_id
|
|
104
|
+
# pkcs12_passphrase: # (optional) Set passphrase to generate PKCS#12 file (for scripts that reads S3 bucket directly)
|
|
105
|
+
# pkcs12_common_names: ['example.org'] # (optional) List of common names to limit certificates for generating PKCS#12 file.
|
|
104
106
|
```
|
|
105
107
|
|
|
106
108
|
This saves certificates and keys in the following S3 keys:
|
|
@@ -110,6 +110,10 @@ module Acmesmith
|
|
|
110
110
|
"#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
|
|
111
111
|
end
|
|
112
112
|
|
|
113
|
+
def pkcs12(passphrase)
|
|
114
|
+
OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate)
|
|
115
|
+
end
|
|
116
|
+
|
|
113
117
|
def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
|
|
114
118
|
{}.tap do |h|
|
|
115
119
|
h[:certificate] = certificate.to_pem
|
data/lib/acmesmith/client.rb
CHANGED
|
@@ -12,7 +12,7 @@ module Acmesmith
|
|
|
12
12
|
def new_account(contact, tos_agreed: true)
|
|
13
13
|
key = AccountKey.generate
|
|
14
14
|
acme = Acme::Client.new(private_key: key.private_key, directory: config.fetch('directory'))
|
|
15
|
-
|
|
15
|
+
acme.new_account(contact: contact, terms_of_service_agreed: tos_agreed)
|
|
16
16
|
|
|
17
17
|
storage.put_account_key(key, account_key_passphrase)
|
|
18
18
|
|
|
@@ -139,7 +139,7 @@ module Acmesmith
|
|
|
139
139
|
cert = storage.get_certificate(common_name, version: version)
|
|
140
140
|
cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
|
|
141
141
|
|
|
142
|
-
p12 =
|
|
142
|
+
p12 = cert.pkcs12(passphrase)
|
|
143
143
|
File.open(output, 'w', mode.to_i(8)) do |f|
|
|
144
144
|
f.puts p12.to_der
|
|
145
145
|
end
|
|
@@ -7,7 +7,7 @@ require 'acmesmith/certificate'
|
|
|
7
7
|
module Acmesmith
|
|
8
8
|
module Storages
|
|
9
9
|
class S3 < Base
|
|
10
|
-
def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil)
|
|
10
|
+
def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil)
|
|
11
11
|
@region = region
|
|
12
12
|
@bucket = bucket
|
|
13
13
|
@prefix = prefix
|
|
@@ -15,6 +15,9 @@ module Acmesmith
|
|
|
15
15
|
@prefix += '/'
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
@pkcs12_passphrase = pkcs12_passphrase
|
|
19
|
+
@pkcs12_common_names = pkcs12_common_names
|
|
20
|
+
|
|
18
21
|
@use_kms = use_kms
|
|
19
22
|
@kms_key_id = kms_key_id
|
|
20
23
|
@kms_key_id_account = kms_key_id_account
|
|
@@ -64,12 +67,12 @@ module Acmesmith
|
|
|
64
67
|
def put_certificate(cert, passphrase = nil, update_current: true)
|
|
65
68
|
h = cert.export(passphrase)
|
|
66
69
|
|
|
67
|
-
put = -> (key, body, kms) do
|
|
70
|
+
put = -> (key, body, kms, content_type = 'application/x-pem-file') do
|
|
68
71
|
params = {
|
|
69
72
|
bucket: bucket,
|
|
70
73
|
key: key,
|
|
71
74
|
body: body,
|
|
72
|
-
content_type:
|
|
75
|
+
content_type: content_type,
|
|
73
76
|
}
|
|
74
77
|
if kms
|
|
75
78
|
params[:server_side_encryption] = 'aws:kms'
|
|
@@ -84,6 +87,10 @@ module Acmesmith
|
|
|
84
87
|
put.call fullchain_key(cert.common_name, cert.version), "#{h[:fullchain].rstrip}\n", false
|
|
85
88
|
put.call private_key_key(cert.common_name, cert.version), "#{h[:private_key].rstrip}\n", true
|
|
86
89
|
|
|
90
|
+
if generate_pkcs12?(cert)
|
|
91
|
+
put.call pkcs12_key(cert.common_name, cert.version), "#{cert.pkcs12(@pkcs12_passphrase).to_der}\n", true, 'application/x-pkcs12'
|
|
92
|
+
end
|
|
93
|
+
|
|
87
94
|
if update_current
|
|
88
95
|
@s3.put_object(
|
|
89
96
|
bucket: bucket,
|
|
@@ -171,6 +178,16 @@ module Acmesmith
|
|
|
171
178
|
def fullchain_key(cn, ver)
|
|
172
179
|
"#{certificate_base_key(cn, ver)}/fullchain.pem"
|
|
173
180
|
end
|
|
181
|
+
|
|
182
|
+
def pkcs12_key(cn, ver)
|
|
183
|
+
"#{certificate_base_key(cn, ver)}/cert.p12"
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
def generate_pkcs12?(cert)
|
|
187
|
+
if @pkcs12_passphrase
|
|
188
|
+
@pkcs12_common_names.nil? || @pkcs12_common_names.include?(cert.common_name)
|
|
189
|
+
end
|
|
190
|
+
end
|
|
174
191
|
end
|
|
175
192
|
end
|
|
176
193
|
end
|
data/lib/acmesmith/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: acmesmith
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- sorah (Shota Fukumori)
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-08-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: acme-client
|
|
@@ -192,7 +192,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
192
192
|
version: '0'
|
|
193
193
|
requirements: []
|
|
194
194
|
rubyforge_project:
|
|
195
|
-
rubygems_version: 2.
|
|
195
|
+
rubygems_version: 2.7.7
|
|
196
196
|
signing_key:
|
|
197
197
|
specification_version: 4
|
|
198
198
|
summary: ACME client (Let's encrypt client) to manage certificate in multi server
|