acmesmith 2.1.0 → 2.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +6 -0
- data/README.md +4 -2
- data/lib/acmesmith/certificate.rb +4 -0
- data/lib/acmesmith/client.rb +2 -2
- data/lib/acmesmith/storages/s3.rb +20 -3
- data/lib/acmesmith/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 428d6ec71e91259de56ffd77471e823c9673eb9002e8c1bb419875f57f9086e3
|
|
4
|
+
data.tar.gz: c85d4efa0fd6a36b04ea1fbfbd346a055426a1fdb818c5c7f25d28d4073f8b56
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f748341d751c06fe73c17e25c381979e6c77700a5df8bed4978fbfb5563e767d94a73cbfb5bc403cd60516e94fdf34af79b43c0ec3dcd82340e96c776a3cef70
|
|
7
|
+
data.tar.gz: f25125c00a446baa23f7025594096081a2ddd10c920d8602b8df8eb8bac0def9bb6ea63ae00d984124dc5a306d79e86faf386135e9f4281ddf28cb77b8094918
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## v2.2.0 (2018-08-08)
|
|
2
|
+
|
|
3
|
+
### Enhancement
|
|
4
|
+
|
|
5
|
+
- s3: Added `pkcs12_passphrase` and `pkcs12_commonname` options for saving PKCS#12 file into a S3 bucket. This is for scripts which read S3 bucket directly and needs PKCS#12 file.
|
|
6
|
+
|
|
1
7
|
## v2.1.0 (2018-06-07)
|
|
2
8
|
|
|
3
9
|
### Changes
|
data/README.md
CHANGED
|
@@ -71,8 +71,8 @@ See `acmesmith help [subcommand]` for more help.
|
|
|
71
71
|
See [config.sample.yml](./config.sample.yml) to start. Default configuration file is `./acmesmith.yml`.
|
|
72
72
|
|
|
73
73
|
``` yaml
|
|
74
|
-
directory: https://acme-staging-v02.api.letsencrypt.org/
|
|
75
|
-
# directory: https://acme-v02.api.letsencrypt.org/ #
|
|
74
|
+
directory: https://acme-staging-v02.api.letsencrypt.org/directory
|
|
75
|
+
# directory: https://acme-v02.api.letsencrypt.org/directory # production
|
|
76
76
|
|
|
77
77
|
storage:
|
|
78
78
|
# configure where to store keys and certificates; described later
|
|
@@ -101,6 +101,8 @@ storage:
|
|
|
101
101
|
# kms_key_id: # KMS key id (optional); if omit, default AWS managed key for S3 will be used
|
|
102
102
|
# kms_key_id_account: # KMS key id for account key (optional); This overrides kms_key_id
|
|
103
103
|
# kms_key_id_certificate_key: # KMS key id for private keys for certificates (optional); This oveerides kms_key_id
|
|
104
|
+
# pkcs12_passphrase: # (optional) Set passphrase to generate PKCS#12 file (for scripts that reads S3 bucket directly)
|
|
105
|
+
# pkcs12_common_names: ['example.org'] # (optional) List of common names to limit certificates for generating PKCS#12 file.
|
|
104
106
|
```
|
|
105
107
|
|
|
106
108
|
This saves certificates and keys in the following S3 keys:
|
|
@@ -110,6 +110,10 @@ module Acmesmith
|
|
|
110
110
|
"#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
|
|
111
111
|
end
|
|
112
112
|
|
|
113
|
+
def pkcs12(passphrase)
|
|
114
|
+
OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate)
|
|
115
|
+
end
|
|
116
|
+
|
|
113
117
|
def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
|
|
114
118
|
{}.tap do |h|
|
|
115
119
|
h[:certificate] = certificate.to_pem
|
data/lib/acmesmith/client.rb
CHANGED
|
@@ -12,7 +12,7 @@ module Acmesmith
|
|
|
12
12
|
def new_account(contact, tos_agreed: true)
|
|
13
13
|
key = AccountKey.generate
|
|
14
14
|
acme = Acme::Client.new(private_key: key.private_key, directory: config.fetch('directory'))
|
|
15
|
-
|
|
15
|
+
acme.new_account(contact: contact, terms_of_service_agreed: tos_agreed)
|
|
16
16
|
|
|
17
17
|
storage.put_account_key(key, account_key_passphrase)
|
|
18
18
|
|
|
@@ -139,7 +139,7 @@ module Acmesmith
|
|
|
139
139
|
cert = storage.get_certificate(common_name, version: version)
|
|
140
140
|
cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
|
|
141
141
|
|
|
142
|
-
p12 =
|
|
142
|
+
p12 = cert.pkcs12(passphrase)
|
|
143
143
|
File.open(output, 'w', mode.to_i(8)) do |f|
|
|
144
144
|
f.puts p12.to_der
|
|
145
145
|
end
|
|
@@ -7,7 +7,7 @@ require 'acmesmith/certificate'
|
|
|
7
7
|
module Acmesmith
|
|
8
8
|
module Storages
|
|
9
9
|
class S3 < Base
|
|
10
|
-
def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil)
|
|
10
|
+
def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil)
|
|
11
11
|
@region = region
|
|
12
12
|
@bucket = bucket
|
|
13
13
|
@prefix = prefix
|
|
@@ -15,6 +15,9 @@ module Acmesmith
|
|
|
15
15
|
@prefix += '/'
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
+
@pkcs12_passphrase = pkcs12_passphrase
|
|
19
|
+
@pkcs12_common_names = pkcs12_common_names
|
|
20
|
+
|
|
18
21
|
@use_kms = use_kms
|
|
19
22
|
@kms_key_id = kms_key_id
|
|
20
23
|
@kms_key_id_account = kms_key_id_account
|
|
@@ -64,12 +67,12 @@ module Acmesmith
|
|
|
64
67
|
def put_certificate(cert, passphrase = nil, update_current: true)
|
|
65
68
|
h = cert.export(passphrase)
|
|
66
69
|
|
|
67
|
-
put = -> (key, body, kms) do
|
|
70
|
+
put = -> (key, body, kms, content_type = 'application/x-pem-file') do
|
|
68
71
|
params = {
|
|
69
72
|
bucket: bucket,
|
|
70
73
|
key: key,
|
|
71
74
|
body: body,
|
|
72
|
-
content_type:
|
|
75
|
+
content_type: content_type,
|
|
73
76
|
}
|
|
74
77
|
if kms
|
|
75
78
|
params[:server_side_encryption] = 'aws:kms'
|
|
@@ -84,6 +87,10 @@ module Acmesmith
|
|
|
84
87
|
put.call fullchain_key(cert.common_name, cert.version), "#{h[:fullchain].rstrip}\n", false
|
|
85
88
|
put.call private_key_key(cert.common_name, cert.version), "#{h[:private_key].rstrip}\n", true
|
|
86
89
|
|
|
90
|
+
if generate_pkcs12?(cert)
|
|
91
|
+
put.call pkcs12_key(cert.common_name, cert.version), "#{cert.pkcs12(@pkcs12_passphrase).to_der}\n", true, 'application/x-pkcs12'
|
|
92
|
+
end
|
|
93
|
+
|
|
87
94
|
if update_current
|
|
88
95
|
@s3.put_object(
|
|
89
96
|
bucket: bucket,
|
|
@@ -171,6 +178,16 @@ module Acmesmith
|
|
|
171
178
|
def fullchain_key(cn, ver)
|
|
172
179
|
"#{certificate_base_key(cn, ver)}/fullchain.pem"
|
|
173
180
|
end
|
|
181
|
+
|
|
182
|
+
def pkcs12_key(cn, ver)
|
|
183
|
+
"#{certificate_base_key(cn, ver)}/cert.p12"
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
def generate_pkcs12?(cert)
|
|
187
|
+
if @pkcs12_passphrase
|
|
188
|
+
@pkcs12_common_names.nil? || @pkcs12_common_names.include?(cert.common_name)
|
|
189
|
+
end
|
|
190
|
+
end
|
|
174
191
|
end
|
|
175
192
|
end
|
|
176
193
|
end
|
data/lib/acmesmith/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: acmesmith
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- sorah (Shota Fukumori)
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-08-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: acme-client
|
|
@@ -192,7 +192,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
192
192
|
version: '0'
|
|
193
193
|
requirements: []
|
|
194
194
|
rubyforge_project:
|
|
195
|
-
rubygems_version: 2.
|
|
195
|
+
rubygems_version: 2.7.7
|
|
196
196
|
signing_key:
|
|
197
197
|
specification_version: 4
|
|
198
198
|
summary: ACME client (Let's encrypt client) to manage certificate in multi server
|