unrelentingtech / freshcerts

License: Unlicense
ACME certificate protocol (Let's Encrypt) proxy client with a dashboard and monitoring

freshcerts

ACME (currently implemented by Let's Encrypt) is a way to automatically (re)issue TLS certificates.

Most ACME clients are designed to run on the same machine as your TLS services. But if you have a lot of servers, there are two problems with that:

  • you either have to copy your account private key onto all of them, or register multiple accounts;
  • you don't have a nice monitoring dashboard & notifications!

freshcerts solves both problems. It runs a server that exposes a much simpler API to your servers (they'll use a tiny shell script that's pretty much openssl | curl | tar) and a dashboard to your system administrators. Servers are monitored to ensure they actually use the certs issued for them. Email notifications are sent to the admins for all errors found by monitoring and for all issued certificates.

Installation

It's a typical Ruby app, so you'll need Bundler:

git clone https://github.com/myfreeweb/freshcerts.git
cd freshcerts
bundle install --path vendor/bundle
mkdir data

Use environment variables to configure the app; read common.rb to see which variables are available. You should probably change the ACME endpoint (by default, the Let's Encrypt staging endpoint is used, not production):

export ACME_ENDPOINT="https://acme-v01.api.letsencrypt.org/"
export ADMIN_EMAIL="[email protected]"

Generate a tokens key:

openssl ecparam -genkey -name prime256v1 -out data/tokens.key.pem

Generate and register an account key:

openssl genrsa -out data/account.key.pem 4096
chmod 0400 data/account.key.pem
bundle exec ./register-account-key

Run:

bundle exec rackup -p 9393

(or bundle exec puma ...)

In production, you'll want to configure your process manager to run it. Set RACK_ENV=production there, in addition to the config variables (ACME_ENDPOINT, etc.).

Minimizing Memory Footprint

If you want to run freshcerts on e.g. a cheap VPS with low RAM:

  • by default, the monitoring worker runs in a thread inside of the app. You can run it separately with cron:
    • set SEPARATE_MONITORING=1 for the server process (puma/rackup);
    • put bundle exec ruby monitoring.rb into your crontab for every 10 minutes or so.
  • run the server process under soad! It will start the server on demand and shut it down when it's inactive. Don't set the time-until-stop to something ridiculously low like 1 second, because freshcerts keeps challenges in memory.

This way, memory will only be used when there are requests to the freshcerts server or when it's doing the monitoring.

Usage

For every domain:

Generate an auth token with bundle exec ./generate-token.

Configure the HTTP server to forward /.well-known/acme-challenge/* requests to the freshcerts server.

Configure cron to run the freshcerts-client script every day.

Args: domain, subject, ports (comma separated), reload command, auth token. Like this:

FRESHCERTS_HOST="https://certs.example.com:4333" freshcerts-client example.com /CN=example.com 443 "service nginx reload" "eyJ0eXAiOi..."

And figure out cert paths and file permissions :-)

Multi-domain certificates (SAN, Subject Alternative Name)

If you want to issue a certificate for multiple domains, there's a more advanced Ruby client; use it like this:

FRESHCERTS_HOST="https://certs.example.com:4333" FRESHCERTS_TOKEN="eyJ0eXAiOi..." freshcerts-multi-client example.com,www.example.com 443 && service nginx reload

If you can't use Ruby, you can modify the shell client to support multi-domain certificates. Set up openssl.cnf to read SAN from the environment, modify the client to read that config section (add e.g. -extensions san_env to the CSR generation command) and pass the domains via that variable. For the freshcerts part (first arg), use a comma-separated list of domains instead of just one domain. Do not put subjectAltName in the subject field: that is a special syntax supported by some CAs (not Let's Encrypt!) that turns it into real SAN fields.
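A worked version of that shell-client modification, added here as an example and not part of freshcerts' own client: an openssl.cnf section `san_env` that reads the SAN list from the SAN environment variable, a CSR generation step that selects it, and a check that reads the DNS names back out of the CSR so the client can confirm they match the list it passes to freshcerts. It assumes openssl(1) is installed; all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not freshcerts' own client. Assumes openssl(1) is installed.
set -eu

# Write a minimal OpenSSL config. The san_env section pulls subjectAltName
# from the SAN environment variable, so no config edit is needed per domain.
write_san_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ san_env ]
subjectAltName = ${ENV::SAN}
EOF
}

# gen_csr <domains,comma,separated> <keyfile> <csrfile> <openssl.cnf>
# The subject stays a plain /CN=<first domain>; every domain goes into the
# SAN extension, which is what Let's Encrypt reads.
gen_csr() {
  domains="$1"; key="$2"; csr="$3"; cnf="$4"
  first="${domains%%,*}"
  # "a.com,b.com" -> "DNS:a.com,DNS:b.com"
  SAN="DNS:$(printf '%s' "$domains" | sed 's/,/,DNS:/g')"
  export SAN
  [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
  # -reqexts names the request-extension section (OpenSSL 3 also accepts
  # -extensions for requests; older releases only honour it with -x509).
  openssl req -new -key "$key" -subj "/CN=$first" \
    -config "$cnf" -reqexts san_env -out "$csr"
}

# csr_dns_names <csrfile>: print the DNS names in the CSR's SAN, one per line,
# so the client can verify the CSR matches the domain list before submitting it.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Demo run in a temporary directory (constructed file names).
demo() {
  d=$(mktemp -d)
  write_san_config "$d/openssl.cnf"
  gen_csr "example.com,www.example.com" "$d/domain.key" "$d/domain.csr" "$d/openssl.cnf"
  csr_dns_names "$d/domain.csr"
}
demo
```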

Contributing

Please feel free to submit pull requests!

By participating in this project you agree to follow the Contributor Code of Conduct.

The list of contributors is available on GitHub.

License

This is free and unencumbered software released into the public domain.
For more information, please refer to the UNLICENSE file or unlicense.org.
