anvil

Tools for distributing ssl certificates

Designed on FreeBSD, it uses fetch by default, but can also use wget or curl. Set FETCH_TOOL in the configuration file to either wget or curl. Any other value will invoke fetch.

It also uses sudo, with the goal of this running as non-root and only allowing the cp & mv via sudo.

These tools were designed with acme.sh & Let's Encrypt in mind, but they should with with any certificates generated by any means.

Relevant background:

• The certificates are being generated via acme.sh in a centralized location.
• certs are not generated where they are used.
• Distribution of private keys is outside scope.
• New certs are pulled by the servers/VMs/jails/etc which need them.

The steps to use this stuff:

• create certs in /var/db/acme
• run cert-shifter (see https://github.com/dlangille/anvil-certs/blob/master/collect-certs)
• rsync from /var/db/certs-for-rsync to https://example.org/certs
• run cert-puller to download and install new certs

The distribution of private keys is outside scope.

Overview of anvil use

Before using:

mkdir /var/db/anvil && chown USER:GROUP /var/db/anvil

Where USER & GROUP is the user which will be invoking this script. We suggest anvil:anvil

Said user will also need sudo rights to cp and mv within CERT_DST.

Default configuration files are in /usr/local/etc/anvil/

Variables which can be set in cert-shifter.conf:

CERT_SRC="/var/db/acme/certs"
CERT_DST_ROOT="/var/db/certs-for-rsync"
CERT_DST_CERTS="${CERT_DST_ROOT}/certs"
TMP="${CERT_DST_ROOT}/tmp"

Variables which can be set in cert-puller.conf:

CERT_DST="/usr/local/etc/ssl"
CERT_SERVER="https://certs.example.org/certs"
MYCERTS="example.com"
SERVICES="apache24"
SERVICES_RELOAD="postgresql"
SERVICES_RESTART="postfix"
DOWNLOAD_DIR="/var/db/check-for-new-certs"
USER_AGENT="--user-agent='anvil-cert-puller'"
FETCH="/usr/bin/fetch --mirror --quiet --user-agent=${USER_AGENT}'"
CURL="/usr/local/bin/curl --silent --user-agent '${USER_AGENT}' --remote-time"
WGET="/usr/local/bin/wget --quiet --user-agent='${USER_AGENT}'"
FETCH_OPTIONS="-4"
CURL_OPTIONS="-4"
WGET_OPTIONS="-4"

After getting new certs, services need to be restarted/reloaded.

• Services which can be restarted/reloaded by SERVICES: apache22, apache24, dovecot, mosquitto, nginx, postfix, postgresql

• Services which can be restarted by SERVICES_RESTART: unlimited, anything you want.

• Services which can be reloaded by SERVICES_RELOAD: unlimited, anything you want.

To use wget, set FETCH_TOOL="wget" in cert-puller.conf To use curl, set FETCH_TOOL="curl" in cert-puller.conf To use fetch, set FETCH_TOOL to any other value, or remove it from the file.

Yep, lots to work on here.

Certificate fingerprints for Postfix

If you need certificate fingerprints, say for Postfix, see also https://github.com/dlangille/fingerprint-shifter