cloudflare / certmgr Goto Github PK
View Code? Open in Web Editor NEWAutomated certificate management using a CFSSL CA.
License: BSD 2-Clause "Simplified" License
certmgr's Issues
docs: building and readme outdated
hey there,
i did playing around with certmgr and cfssl to build internal CA for my homelab, and my first impression is : wow, what great toolset!
but i got a bit confusing while reading docs and making own experience with certmgr.
Can anybody explain how to build the binary of certmgr with go tools?! i am using golang 1.18.2.
go get is deprecated and replaced by go install. but go install github.com/cloudflare/certmgr/cmd/...@latest only build version 1.6.5 how to see here.
since i am using the newest version, the "ca" key in my specs.json works fine and a deprecated info will show if i use the "ca" setting under "authority" like here:
Lines 152 to 156 in 4af0d77
so is there a reason why it still in readme.md at the newest version?!
it confused me while get started with this really nice peace of application.
i think the docs thing is not much important, but how to build can help me and other people a lot. hoping for a short explanation.
Chris
Support on Windows
Just wondering if there's any plans to support Windows (or if it's theoretically even possible). I did try cross compiling on go 1.12.5 without any luck but I'm not sure if that's a general incompatibility with that version of golang.
incorrect version for latest 3.0.3 release
certmgr version is showing the version v3.0.1-15-gec8c2be instead of v3.0.3
FYI, using certmgr-linux-amd64-v3.0.3.tar.gz
should include instructions for starting cfssl serve
It's clear from the readme that this is meant to be used with cfssl. We should have a quick note for someone new who to startup cfssl's API in a way that has reasonable defaults: ie, requires an auth_key and knows about profiles.
Feature: Allow ensure command to take a config name to ensure
user@box:~$ ls /etc/certmgr.d/
certmgr-foo.json certmgr-bar.json
user@box:~$ certmgr ensure foo
certmgr should refresh the certificaficates if the spec changes
How to reproduce:
- update the spec after the certificate has been issued
What to expect:
- the certificate is regenerated with the new spec
Maybe comparing utime of the spec or certificate, or even having a method to force regeneration of a certificate ( so we can call it whenever the spec is changed ) would help.
CI builds are broken after go modules
The CI builds are broken after the migration to Go modules.
$ travis_install_go_dependencies 1.12.x -v
Makefile detected
$ export SOURCE_DATE_EPOCH=$(git show -s --format=%ci ${TRAVIS_TAG:-${TRAVIS_COMMIT}})
The command "export SOURCE_DATE_EPOCH=$(git show -s --format=%ci ${TRAVIS_TAG:-${TRAVIS_COMMIT}})" exited with 0.
$ go get github.com/mitchellh/gox
go get: warning: modules disabled by GO111MODULE=auto in GOPATH/src;
ignoring go.mod;
see 'go help modules'
The command "go get github.com/mitchellh/gox" exited with 0.
$ GOFLAGS=-mod=vendor gox -output="{{.Dir}}-{{.OS}}-{{.Arch}}-${TRAVIS_TAG:-${TRAVIS_COMMIT}}" -os='darwin dragonfly freebsd linux netbsd openbsd solaris' -osarch='!dragonfly/386 !darwin/arm64 !darwin/arm !linux/mips !linux/mipsle' -gcflags="-trimpath=${GOPATH}" ./cmd/certmgr/...
Number of parallel builds: 1
The command "GOFLAGS=-mod=vendor gox -output="{{.Dir}}-{{.OS}}-{{.Arch}}-${TRAVIS_TAG:-${TRAVIS_COMMIT}}" -os='darwin dragonfly freebsd linux netbsd openbsd solaris' -osarch='!dragonfly/386 !darwin/arm64 !darwin/arm !linux/mips !linux/mipsle' -gcflags="-trimpath=${GOPATH}" ./cmd/certmgr/..." exited with 0.
$ for i in certmgr-*; do tar --mtime="${SOURCE_DATE_EPOCH}" --owner=0 --group=0 --numeric-owner -c $i | gzip -n - > $i.tar.gz; done
tar: certmgr-*: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
The command "for i in certmgr-*; do tar --mtime="${SOURCE_DATE_EPOCH}" --owner=0 --group=0 --numeric-owner -c $i | gzip -n - > $i.tar.gz; done" exited with 0.
$ shasum -a 512 certmgr-*.tar.gz | tee sha512sum.txt
627d38af59027d716d6c8f8be41c0d1b9855259f5887607ddfd7789593e4708c2a8e1f0565f0c3f4a59e558c404d03dbc427effce87bcf806172dd92bc4c862d certmgr-*.tar.gz
The command "shasum -a 512 certmgr-*.tar.gz | tee sha512sum.txt" exited with 0."Lookup requires cgo" error when testing the README specs example
When following the README.md and trying it with the specs provided it fails with this error:
# ./certmgr-linux-amd64-v1.4.2 check
2017/11/09 11:54:41 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2017/11/09 11:54:41 [INFO] manager: loading certificates from/etc/certmgr.d
2017/11/09 11:54:41 [INFO] manager: loading spec from /etc/certmgr.d/test.json
Failed: user: Lookup requires cgo
Steps to reproduce on a Ubuntu Server 16.04:
- Download latest certmgt version for linux (amd64) from
releases: https://github.com/cloudflare/certmgr/releases/download/v1.4.2/certmgr-linux-arm64-v1.4.2.tar.gz - Run genconfig:
./certmgr-linux-amd64-v1.4.2 genconfig:
-----
dir: /etc/certmgr.d
svcmgr: systemd
before: 72h
interval: 1h
metrics_address: localhost
metrics_port: "8080"
-----
certmgr: creating certificate spec directory /etc/certmgr.d
- Create
/etc/certmgr.d/test.jsonand paste example certificate spec from the README.md - Run
./certmgr-linux-amd64-v1.4.2 checkand get the error:
2017/11/09 12:00:25 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2017/11/09 12:00:25 [INFO] manager: loading certificates from/etc/certmgr.d
2017/11/09 12:00:25 [INFO] manager: loading spec from /etc/certmgr.d/test.json
Failed: user: Lookup requires cgo
If I remove any reference to "owner" : "www-data" and "group" : "www-data" from specs file, it works.
Incompatibility with cfssl/csr
Presumably since b8be2da, projects using both cfssl and certmgr seems to fail to build.
To reproduce:
- Create main.go with:
package main
import (
"fmt"
"github.com/cloudflare/certmgr/cert"
"github.com/cloudflare/cfssl/csr"
)
func main() {
c := csr.New()
x := &cert.Spec{
Request: c,
Key: &cert.File{},
Cert: &cert.File{},
}
fmt.Println(x)
}- Run (1.12 -> 1.11 has the same issue):
docker run --rm -it -v $PWD:/go/src/mytest -w /go/src/mytest golang:1.12 go get -v
- Observe:
./main.go:13:3: cannot use c (type *"github.com/cloudflare/cfssl/csr".CertificateRequest) as type *"github.com/cloudflare/certmgr/vendor/github.com/cloudflare/cfssl/csr".CertificateRequest in field value
./main.go:15:3: cannot use cert.File literal (type *cert.File) as type *cert.CertificateFile in field value
Make certmgr only look for *.json, *.yaml or *.yml files in certmgr.d dir
To avoid problems with temporal files, as when I'm editing some file in that directory:
# ./certmgr-linux-amd64-v1.4.2
2017/11/09 15:40:33 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2017/11/09 15:40:33 [INFO] manager: loading certificates from/etc/certmgr.d
2017/11/09 15:40:33 [INFO] manager: loading spec from /etc/certmgr.d/.test.json.swp
2017/11/09 15:40:33 [FATAL] certmgr: cert: unrecognised spec file format for /etc/certmgr.d/.test.json.swp
SwissSign certificate filenames contain ':' character
The SwissSign certificate filenames contain the ':' character, which prevents the checkout from succeeding on Windows systems.
Certmgr should provide the ability to block startup until all certificates have been created
The certmgr daemon on starting should have the option to block startup until it has managed to create all certificates, similar to the functionality provided by certmgr ensure
Certmgr should verify that a preexisting cert matches the spec provided
If certmgr starts and sees that a certificate already exists that is not past it's expiration it will not validate that it matches the parameters specified in the certificate spec. This ends up being an issue in cases when you want to do things like change a SAN.
cert: no CA file provided, won't write to disk
After successfully configured cfssl serve I configured certmgr like this:
{
"service": "nginx",
"action": "restart",
"request": {
"CN": "www.example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 521
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco",
"O": "Example, LLC"
}
]
},
"private_key": {
"path": "/etc/ssl/private/www.key",
"mode": "0600"
},
"certificate": {
"path": "/home/kyle/tmp/certmgr/certs/test1.pem"
},
"authority": {
"remote": "localhost:8888",
"auth_key": "0123456789ABCDEF0123456789ABCDEF",
"profile": "server"
}
}
All settings are correct, but when I try to exec this ./certmgr-linux-amd64-v1.4.2 check I get this message:
2017/11/09 15:28:21 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2017/11/09 15:28:21 [INFO] manager: loading certificates from/etc/certmgr.d
2017/11/09 15:28:21 [INFO] manager: loading spec from /etc/certmgr.d/test.json
2017/11/09 15:28:21 [INFO] cert: no CA file provided, won't write to disk
2017/11/09 15:28:21 [INFO] manager: watching 1 certificates
OK
After searching the code for cert: no CA file provided, won't write to disk I figured out that I have to include a "file": "<something>" in the authority section, but when I do I always get a format error:
Failed: json: cannot unmarshal string into Go struct field CA.file of type cert.File
This is not documented and I can't figure out what value should I set there. Is that really necessary?
spec as yaml broken
hey,
i wanted to provide my specs as yaml. according to spec.rst and release changelog since 2.0.0 it is supported for spec files, too.
i have testet with the binary from release 3.0.3. and an own builded binary from source.
with binary from 1.6.5 it works, but without 'ca' key in the global section like shown in example json from readme.
my yaml:
service: nginx
action: restart
request:
CN: www.example.net
hosts:
- example.net
- www.example.net
key:
algo: ecdsa
size: 521
names:
- C: US
ST: CA
L: San Francisco
O: Example, LLC
private_key:
path: "/opt/pki/www_yaml.key"
owner: www-data
group: www-data
mode: "0600"
certificate:
path: "/opt/pki/test1_yaml.pem"
owner: www-data
group: www-data
ca:
path: "/opt/pki/ca_yaml.pem"
owner: www-data
group: www-data
authority:
remote: ca.example.net:8888
auth_key: "012345678012345678"
label: www_ca
profile: three-month
and the error output:
root@sslca:/etc/certmgr.d# /opt/certmgr check
INFO[0000] certmgr: loading from config file /etc/certmgr/certmgr.yaml
INFO[0000] manager: loading certificates from /etc/certmgr.d
INFO[0000] manager: loading spec from /etc/certmgr.d/nginx.yaml
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc020460348 stack=[0xc020460000, 0xc040460000]
fatal error: stack overflow
runtime stack:
runtime.throw({0xafe312?, 0xfd3260?})
/usr/local/go/src/runtime/panic.go:992 +0x71
runtime.newstack()
/usr/local/go/src/runtime/stack.go:1101 +0x5cc
runtime.morestack()
/usr/local/go/src/runtime/asm_amd64.s:547 +0x8b
goroutine 1 [running]:
reflect.Value.Elem({0xa7d700?, 0xc0003fe0d8?, 0x16?})
/usr/local/go/src/reflect/value.go:1166 +0x1ba fp=0xc020460358 sp=0xc020460350 pc=0x49507a
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:308 +0x18d fp=0xc0204603e8 sp=0xc020460358 pc=0x7bad2d
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020460450 sp=0xc0204603e8 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc0204604f0 sp=0xc020460450 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460518 sp=0xc0204604f0 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020460580 sp=0xc020460518 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020460610 sp=0xc020460580 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020460678 sp=0xc020460610 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020460718 sp=0xc020460678 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460740 sp=0xc020460718 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204607a8 sp=0xc020460740 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020460838 sp=0xc0204607a8 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204608a0 sp=0xc020460838 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020460940 sp=0xc0204608a0 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460968 sp=0xc020460940 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204609d0 sp=0xc020460968 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020460a60 sp=0xc0204609d0 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020460ac8 sp=0xc020460a60 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020460b68 sp=0xc020460ac8 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460b90 sp=0xc020460b68 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020460bf8 sp=0xc020460b90 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020460c88 sp=0xc020460bf8 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020460cf0 sp=0xc020460c88 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020460d90 sp=0xc020460cf0 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460db8 sp=0xc020460d90 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020460e20 sp=0xc020460db8 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x100?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020460eb0 sp=0xc020460e20 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020460f18 sp=0xc020460eb0 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020460fb8 sp=0xc020460f18 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020460fe0 sp=0xc020460fb8 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461048 sp=0xc020460fe0 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc0204610d8 sp=0xc020461048 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020461140 sp=0xc0204610d8 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc0204611e0 sp=0xc020461140 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461208 sp=0xc0204611e0 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461270 sp=0xc020461208 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461300 sp=0xc020461270 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020461368 sp=0xc020461300 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461408 sp=0xc020461368 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461430 sp=0xc020461408 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461498 sp=0xc020461430 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461528 sp=0xc020461498 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020461590 sp=0xc020461528 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461630 sp=0xc020461590 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461658 sp=0xc020461630 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204616c0 sp=0xc020461658 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461750 sp=0xc0204616c0 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204617b8 sp=0xc020461750 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461858 sp=0xc0204617b8 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461880 sp=0xc020461858 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204618e8 sp=0xc020461880 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461978 sp=0xc0204618e8 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204619e0 sp=0xc020461978 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461a80 sp=0xc0204619e0 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461aa8 sp=0xc020461a80 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461b10 sp=0xc020461aa8 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461ba0 sp=0xc020461b10 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020461c08 sp=0xc020461ba0 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461ca8 sp=0xc020461c08 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461cd0 sp=0xc020461ca8 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461d38 sp=0xc020461cd0 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461dc8 sp=0xc020461d38 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020461e30 sp=0xc020461dc8 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020461ed0 sp=0xc020461e30 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020461ef8 sp=0xc020461ed0 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020461f60 sp=0xc020461ef8 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020461ff0 sp=0xc020461f60 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020462058 sp=0xc020461ff0 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc0204620f8 sp=0xc020462058 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462120 sp=0xc0204620f8 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020462188 sp=0xc020462120 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462218 sp=0xc020462188 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020462280 sp=0xc020462218 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462320 sp=0xc020462280 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462348 sp=0xc020462320 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204623b0 sp=0xc020462348 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462440 sp=0xc0204623b0 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204624a8 sp=0xc020462440 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462548 sp=0xc0204624a8 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462570 sp=0xc020462548 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc0204625d8 sp=0xc020462570 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462668 sp=0xc0204625d8 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204626d0 sp=0xc020462668 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462770 sp=0xc0204626d0 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462798 sp=0xc020462770 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020462800 sp=0xc020462798 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462890 sp=0xc020462800 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc0204628f8 sp=0xc020462890 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462998 sp=0xc0204628f8 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc0204629c0 sp=0xc020462998 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020462a28 sp=0xc0204629c0 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462ab8 sp=0xc020462a28 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020462b20 sp=0xc020462ab8 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462bc0 sp=0xc020462b20 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462be8 sp=0xc020462bc0 pc=0x9b324b
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler(0xc00039e840, 0xc000401880, {0x7fa534b441f0, 0xc0003fe0d8})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:270 +0xa7 fp=0xc020462c50 sp=0xc020462be8 pc=0x7ba727
gopkg.in/yaml%2ev2.(*decoder).prepare(0x0?, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x0?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:313 +0x252 fp=0xc020462ce0 sp=0xc020462c50 pc=0x7badf2
gopkg.in/yaml%2ev2.(*decoder).unmarshal(0xc00039e840, 0xc000401880, {0xa7d700?, 0xc0003fe0d8?, 0x40f025?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:364 +0x105 fp=0xc020462d48 sp=0xc020462ce0 pc=0x7baf65
gopkg.in/yaml%2ev2.(*decoder).callUnmarshaler.func1({0xa7d700?, 0xc0003fe0d8?})
/root/go/pkg/mod/gopkg.in/[email protected]/decode.go:272 +0x125 fp=0xc020462de8 sp=0xc020462d48 pc=0x7ba9e5
github.com/cloudflare/certmgr/certmgr/mgr.(*ParsableAuthority).UnmarshalYAML(0x0?, 0xa7d700?)
/opt/certmgr-src/certmgr/mgr/file.go:67 +0x2b fp=0xc020462e10 sp=0xc020462de8 pc=0x9b324b
...additional frames elided...
maybe @ferringb @jmunson can help, because they did huge great work on this project in the past.
Chris
Feature: Homebrew Install for macOS
Iโm using a Mac mini as a web server for a few sites that are served through Cloudflare. I use Homebrew to manage most packages installed on this headless Mac. Iโd appreciate it if certmgr could be installed via Homebrew, as it appears not to be there at the moment.
certmgr ensure doesn't regenerate key if algorithm or size changes
Just demonstrating the problem w/ the following stream of commands:
root@36ssds125:~/configs# grep -E '(algo|size)' /etc/certmgr.d/mysqld.json
"algo": "ecdsa",
"size": 256
root@36ssds125:~/configs# md5sum /state/db/mysql-certs/mysqld.*
1e8b16a85830bba1a2b1530c22d362aa /state/db/mysql-certs/mysqld.ca.crt
0398960b15741a176d1120fbe45ca23e /state/db/mysql-certs/mysqld.cert
7a3068bdd0a16807fb568a02da392ec2 /state/db/mysql-certs/mysqld.key
root@36ssds125:~/configs# sed -i -e 's:ecdsa:rsa:' /etc/certmgr.d/mysqld.json
root@36ssds125:~/configs# certmgr ensure
2018/08/14 22:52:12 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2018/08/14 22:52:12 [INFO] manager: loading certificates from /etc/certmgr.d
2018/08/14 22:52:12 [INFO] manager: loading spec from /etc/certmgr.d/mysqld.json
2018/08/14 22:52:12 [INFO] manager: watching 1 certificates
2018/08/14 22:52:12 [INFO] manager: ensuring all certificates exist and are ready (maximum 3 tries)
2018/08/14 22:52:12 [INFO] cert: existing CA certificate at /state/db/mysql-certs/mysqld.ca.crt is current
2018/08/14 22:52:12 [INFO] refreshing due to spec /etc/certmgr.d/mysqld.json having a newer mtime then /state/db/mysql-certs/mysqld.key
2018/08/14 22:52:12 [INFO] manager: processing certificate spec /etc/certmgr.d/mysqld.json on attempt 1
2018/08/14 22:52:12 [INFO] encoded CSR
2018/08/14 22:52:12 [INFO] manager: certificate spec /etc/certmgr.d/mysqld.json successfully processed
2018/08/14 22:52:12 [INFO] manager: certificate queue is clear
OK
root@36ssds125:~/configs# md5sum /state/db/mysql-certs/mysqld.*
1e8b16a85830bba1a2b1530c22d362aa /state/db/mysql-certs/mysqld.ca.crt
7580bcd69192ef4b02790a3f23d2202a /state/db/mysql-certs/mysqld.cert
7a3068bdd0a16807fb568a02da392ec2 /state/db/mysql-certs/mysqld.key
In this case, that should've also failed since the rsa size is 256- 2048 is minimal; it didn't catch this since it didn't catch that the algo changed. Either way, the algo was switched from ecc to rsa- it should've been regenerated (the cert was at least).
As for size detection, note the key md5sum in the following sequence:
root@36ssds125:~/configs# grep -E '(algo|size)' /etc/certmgr.d/mysqld.json
"algo": "rsa",
"size": 2048
root@36ssds125:~/configs# certmgr ensure
2018/08/14 22:55:42 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2018/08/14 22:55:42 [INFO] manager: loading certificates from /etc/certmgr.d
2018/08/14 22:55:42 [INFO] manager: loading spec from /etc/certmgr.d/mysqld.json
2018/08/14 22:55:42 [INFO] manager: watching 1 certificates
2018/08/14 22:55:42 [INFO] manager: ensuring all certificates exist and are ready (maximum 3 tries)
2018/08/14 22:55:42 [INFO] cert: wrote CA certificate: /state/db/mysql-certs/mysqld.ca.crt
2018/08/14 22:55:42 [INFO] manager: processing certificate spec /etc/certmgr.d/mysqld.json on attempt 1
2018/08/14 22:55:42 [INFO] encoded CSR
2018/08/14 22:55:42 [INFO] manager: certificate spec /etc/certmgr.d/mysqld.json successfully processed
2018/08/14 22:55:42 [INFO] manager: certificate queue is clear
OK
root@36ssds125:~/configs# md5sum /state/db/mysql-certs/*
1e8b16a85830bba1a2b1530c22d362aa /state/db/mysql-certs/mysqld.ca.crt
67aa768dcb312daeb017bc46907eeddd /state/db/mysql-certs/mysqld.cert
922ff6815ad63400997ca860448bc977 /state/db/mysql-certs/mysqld.key
root@36ssds125:~/configs# sed -i -e 's:2048:4096:' /etc/certmgr.d/mysqld.json
root@36ssds125:~/configs# certmgr ensure
2018/08/14 22:56:12 [INFO] certmgr: loading from config file /etc/certmgr/certmgr.yaml
2018/08/14 22:56:12 [INFO] manager: loading certificates from /etc/certmgr.d
2018/08/14 22:56:12 [INFO] manager: loading spec from /etc/certmgr.d/mysqld.json
2018/08/14 22:56:12 [INFO] manager: watching 1 certificates
2018/08/14 22:56:12 [INFO] manager: ensuring all certificates exist and are ready (maximum 3 tries)
2018/08/14 22:56:12 [INFO] cert: existing CA certificate at /state/db/mysql-certs/mysqld.ca.crt is current
2018/08/14 22:56:12 [INFO] refreshing due to spec /etc/certmgr.d/mysqld.json having a newer mtime then /state/db/mysql-certs/mysqld.key
2018/08/14 22:56:12 [INFO] manager: processing certificate spec /etc/certmgr.d/mysqld.json on attempt 1
2018/08/14 22:56:12 [INFO] encoded CSR
2018/08/14 22:56:12 [INFO] manager: certificate spec /etc/certmgr.d/mysqld.json successfully processed
2018/08/14 22:56:12 [INFO] manager: certificate queue is clear
OK
root@36ssds125:~/configs# md5sum /state/db/mysql-certs/*
1e8b16a85830bba1a2b1530c22d362aa /state/db/mysql-certs/mysqld.ca.crt
9d6cfb8eb4f1b158d48ffe4bc8f69140 /state/db/mysql-certs/mysqld.cert
922ff6815ad63400997ca860448bc977 /state/db/mysql-certs/mysqld.key
cert changed, but the key didn't. That's also wrong.
Build fails on riscv64 FreeBSD
The software is currently broken on riscv64 FreeBSD due to an outdated version of golang.org/x/sys. Please bump this dependency to version 0.5.0 to fix the breakage.
Any way to dump certificate bundle?
Hi,
Is there any way to dump not only cert/key/ca, but also cert+ca bundle?
Thanks!
Feature: Certmgr as an in-process supervisor
Problem:
Currently it's difficult to use certmgr as an in-process supervisor.
Use case:
I am a go library that doesn't want to require my customers to configure Certmgr with cert.Spec JSON files, instead letting them pass in configuration via function parameters.
Potential Solution:
- Remove the checked-in vendor directory. This causes type issues when using certmgr as a library.
- Expose the svcmgr.Manager interface on Manager (either within the Manager struct or via a constructor). This will enable users of certmgr to pass in their own svcmgr.Manager implementations, enabling users to restart/reload their process as needed.
- Don't require cert.Spec to exist on the filesystem. Currently the Load() function initializes the renew channel. This makes it impossible to configure certmgr without writing a Spec to the filesystem, which is cumbersome from a library perspective.
If a CA is renewed call svc manager restart/reload.
When a CA is renewed there is no mechanism for notifying the registered service manager that it needs to reload the CA. Checks may need to be added to the following code paths to ensure that the notification happens.
https://github.com/cloudflare/certmgr/blob/master/mgr/manager.go#L225
https://github.com/cloudflare/certmgr/blob/master/mgr/manager.go#L258
https://github.com/cloudflare/certmgr/blob/master/mgr/manager.go#L290
Cut a new release
๐ it has been three years since last release, 3.0.3, good to cut a new release. Thanks!
support self-signed certificates
As noted in #51, If you run cfssl apiserver tls-enabled, it is currently not possible to use self-signed certificate, because certmgr will reject it.
The request is to support self-signed certificates, in order to support the use case described in NixOS/nixpkgs#45670 where certmgr is intended to support Kubernetes on NixOS.
Opening this as an issue to put the question of whether certmgr should support self-signed certs, and to expose that as a desirable goal for the above use case.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.