
tykling / certgrinder

Licence: other
Certgrinder is a client/server system for getting LetsEncrypt certificates for your infrastructure. ACME challenges are handled by the Certgrinder server, making it possible to get certificates in highly isolated environments, since only an SSH connection to the Certgrinder server is needed.

Programming Languages

python
139335 projects - #7 most used programming language
Roff
2310 projects

Projects that are alternatives of or similar to certgrinder

certbot-dns-acmedns
Certbot ACME-DNS DNS01 plugin for Certbot
Stars: ✭ 24 (+0%)
Mutual labels:  x509, pki, certbot
Pebble
A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority. Let's Encrypt is hiring! Work on Pebble with us.
Stars: ✭ 359 (+1395.83%)
Mutual labels:  letsencrypt, x509, pki
certbot-dns-powerdns
PowerDNS DNS Authenticator plugin for Certbot
Stars: ✭ 22 (-8.33%)
Mutual labels:  x509, pki, certbot
rfc3161timestampingserver
This project offers an RFC 3161 compliant timestamping authority/server
Stars: ✭ 30 (+25%)
Mutual labels:  x509, pki
Letscertbot
Let's Certbot is a tool that builds automated scripts based on Certbot for obtaining, renewing and deploying SSL certificates.
Stars: ✭ 84 (+250%)
Mutual labels:  letsencrypt, certbot
Dockerweb
A docker-powered bash script for shared web hosting management. The ultimate Docker LAMP/LEMP Stack.
Stars: ✭ 89 (+270.83%)
Mutual labels:  letsencrypt, certbot
Docker Nginx Letsencrypt Upstream
infrastructure: docker-compose config for node and redis behind upstream nginx ( SSL/HTTPS ) on debian jessie
Stars: ✭ 47 (+95.83%)
Mutual labels:  letsencrypt, certbot
txacme
Twisted client for the ACME (Automatic Certificate Management Environment) protocol
Stars: ✭ 42 (+75%)
Mutual labels:  letsencrypt, certbot
Certbot Plugin Gandi
Certbot plugin for authentication using Gandi LiveDNS
Stars: ✭ 98 (+308.33%)
Mutual labels:  letsencrypt, certbot
pki-manager
IT Freelancers : Manage small PKI for multiple projects (or clients) with 2 bash scripts
Stars: ✭ 36 (+50%)
Mutual labels:  x509, pki
Sewer
Let's Encrypt(ACME) client. Python library & CLI app.
Stars: ✭ 131 (+445.83%)
Mutual labels:  letsencrypt, certbot
Ansible Letsencrypt
Ansible role for LetsEncrypt
Stars: ✭ 66 (+175%)
Mutual labels:  letsencrypt, certbot
Docker Letsencrypt Certgen
Docker image to generate, renew, revoke RSA and/or ECDSA SSL certificates from LetsEncrypt CA using certbot and acme.sh clients in automated fashion
Stars: ✭ 64 (+166.67%)
Mutual labels:  letsencrypt, certbot
Certbot
Dockerized HTTPS with Let's Encrypt
Stars: ✭ 91 (+279.17%)
Mutual labels:  letsencrypt, certbot
Certbot Install
Install the latest Certbot in a breeze. Great for Ubuntu Focal 20.04, and other Linux/Mac.
Stars: ✭ 50 (+108.33%)
Mutual labels:  letsencrypt, certbot
Acme Dns Certbot Joohoi
Certbot client hook for acme-dns
Stars: ✭ 99 (+312.5%)
Mutual labels:  letsencrypt, certbot
Certbot Zimbra
Automated letsencrypt/certbot certificate request and deploy script for Zimbra hosts
Stars: ✭ 129 (+437.5%)
Mutual labels:  letsencrypt, certbot
certbot-he-hook
Certbot (Let's Encrypt) auth hook script for the Hurricane Electric DNS service
Stars: ✭ 50 (+108.33%)
Mutual labels:  letsencrypt, certbot
Certbot Letencrypt Wildcardcertificates Alydns Au
Certbot plugin for renewing Let's Encrypt certificates, with automatic verification via Aliyun/TencentYun/GoDaddy DNS
Stars: ✭ 839 (+3395.83%)
Mutual labels:  letsencrypt, certbot
Certbot
Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.
Stars: ✭ 28,541 (+118820.83%)
Mutual labels:  letsencrypt, certbot

Certgrinder

This repository contains the source code for Certgrinder, including docs. Read more on ReadTheDocs: https://certgrinder.readthedocs.io/en/latest/

Introduction

Certgrinder is a client/server system written in Python that handles LetsEncrypt certificate issuing on a central host (the Certgrinder server) rather than on the machines which need the certificates (the Certgrinder clients). This is accomplished by redirecting the LetsEncrypt challenges to the Certgrinder server: for DNS-01 challenges with a CNAME record, and for HTTP-01 challenges with an HTTP 301 redirect.

To get a certificate, the Certgrinder client calls the Certgrinder server (typically over SSH) with a CSR on stdin and, if all goes well, gets a signed certificate in return on stdout.

Certgrinder supports both RSA and ECDSA keys and certificates, and defaults to getting both kinds.

Advantages

  • The approach with a central host serving all challenges simplifies getting certificates for things like load-balanced or anycast services, where it can be impossible to predict which cluster node the LetsEncrypt challenge checker will hit when using HTTP-01.

  • Using DNS-01 with a separate delegated zone dedicated to serving the challenges is safer than opening up dynamic updates of your primary zone(s) with your provider.

  • Migrating services to new infrastructure becomes simpler because the new infrastructure can get real certificates before changing DNS to point to the new infrastructure.

  • Certgrinder makes it trivial to get certificates for infrastructure behind firewalls or even on networks with no Internet connection. As long as the Certgrinder client can reach the Certgrinder server it is possible to use DNS-01 to issue certificates for the client.

  • Certgrinder does not rotate the RSA/ECDSA keypair on each certificate renewal, which makes TLSA and similar public key pinning easy. The Certgrinder client can output and check such TLSA and SPKI pins for the keypairs it manages, as well as check the correctness of TLSA records in DNS.

  • Certgrinder supports fetching OCSP responses via the Certgrinder server. Having Certgrinder fetch the OCSP response makes it possible to configure OCSP stapling without relying on the various TLS servers' own OCSP-fetching implementations. It also means that OCSP stapling can be done on servers behind strict firewalls or with no Internet connection, as the communication with the CA is done via the Certgrinder server.

  • Certgrinder supports alternate chain selection and understands the longer chain used by LetsEncrypt since May 2021.
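The TLSA/SPKI pinning described above, as an added example that is not Certgrinder's own code: it derives the TLSA 3 1 1 record and the SPKI pin for a keypair and checks that a certificate renewed with the same key still matches the pin while a certificate for a rotated key does not. It assumes the pyca `cryptography` package is installed and uses a self-signed certificate with a constructed name as a stand-in for the LetsEncrypt-issued one.

```python
import base64
import datetime
import hashlib

from cryptography import x509  # assumption: pyca/cryptography is installed
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def spki_der(public_key) -> bytes:
    """DER SubjectPublicKeyInfo: what TLSA selector 1 and SPKI pins hash over."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def tlsa_3_1_1(public_key) -> str:
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der(public_key)).hexdigest()


def spki_pin(public_key) -> str:
    """HPKP-style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der(public_key)).digest()).decode()


def cert_matches_pin(cert: x509.Certificate, pin: str) -> bool:
    """A (re)issued certificate is acceptable only if it carries the pinned key."""
    return spki_pin(cert.public_key()) == pin


def issue_self_signed(key, cn: str) -> x509.Certificate:
    """Constructed stand-in for a CA-issued certificate (self-signed, 90 days)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90)))
    return builder.sign(key, hashes.SHA256())


def renewal_pin_check():
    """Renew with the same key: pin still matches. Rotate the key: pin breaks."""
    key = ec.generate_private_key(ec.SECP256R1())   # keypair kept across renewals
    pin = spki_pin(key.public_key())                # published once, e.g. as a TLSA record
    renewed = issue_self_signed(key, "www.example.com")  # constructed hostname
    rotated = issue_self_signed(ec.generate_private_key(ec.SECP256R1()), "www.example.com")
    return cert_matches_pin(renewed, pin), cert_matches_pin(rotated, pin), tlsa_3_1_1(key.public_key())
```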

Terminology

The central host with the LetsEncrypt signing stack is called the "Certgrinder server". The individual servers (the ones that need the certificates) are called "Certgrinder clients". These match the two Python packages certgrinderd and certgrinder, respectively.
