GithubHelp home page GithubHelp logo

mhilton / certbot-charm Goto Github PK

View Code? Open in Web Editor NEW

This project forked from canonical/certbot-charm

0.0 2.0 0.0 70 KB

Charm for maintaining certificates provided by ACME services.

License: GNU General Public License v3.0

Shell 1.40% Python 98.60%

certbot-charm's Introduction

certbot

Description

Certbot is used to acquire and manage certificates from Let's Encrypt.

Acquiring Certificates

The charm will attempt to acquire a certificate in the start hook, this will only be successful if the charm has been configured for acquiring certificates. The configuration parameters agree-tos, domains, email & plugin must have all been set for this to work along with any necessary plugin-specific settings.

DNS-Google Plugin

Certbot's dns-google plugin uses the Google Cloud DNS API to prove ownership of the requested domain. Documentation for the plugin can be found at https://certbot-dns-google.readthedocs.io/en/stable/. This plugin requires API credentials to be supplied either through the credentials parameter on the get-dns-google-certificate action, or from the dns-google-credentials setting in the charm configuration.

To acquire a certificate using this plugin run a command like the following:

$ juju run-action --wait certbot/0 get-dns-google-certificate \
    agree-tos=true \
    credentials=`cat cred.json | base64 -w0` \
    domains=example.com \
    [email protected]

Integrating With Web-Servers

HAProxy

HAProxy uses a combined certificate chain and key file for its TLS confguration. If the combined-path charm configuration setting is configured then a suitable file will be created at that path.

The easiest way to use this charm with the haproxy charm is to set the following configuration settings:

combined-path: /ver/lib/haproxy/default.pem
deploy-command: systemctl reload haproxy

In the haproxy charm configuration set services to something like:

- service_name: app_https
  service_host: "0.0.0.0"
  service_port: 443
  service_options:
    - mode http
    - option httpchk GET / HTTP/1.0
  crts: [DEFAULT]
  server_options: check inter 2000 rise 2 fall 5 maxconn 4096
- service_name: api_http
  service_host: "0.0.0.0"
  service_port: 80
  service_options:
    - mode http
    - http-request redirect scheme https

Notes about Scale Out

The units of a certbot application will make no attempt to communicate with each other, and do not share certificates. This means that the units will have to acquire certificates individually.

If the charm is configured to acquire certificates in the start hook then there is a potential for units to race acquiring certificates. In most cases this is not a problem. If a unit fails to acquire a certificate in the start hook it charm will remain in the blocked state and a certificate will have to be acquired using an action instead.

Developing

Create and activate a virtualenv, and install the development requirements,

virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements-dev.txt

Testing

Just run run_tests:

./run_tests

certbot-charm's People

Contributors

mhilton avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.