
cert-monitor's Introduction


WIP

Certificate monitoring process that:

  • checks for certificate expiration
  • generates missing certificates based on configuration
  • executes a command when a certificate is renewed (e.g. reload a service such as Apache)

The certificate backend used is HashiCorp Vault.

Cert-Monitor Configuration

Main configuration example:

checkInterval: 60m
downloadedCertPath: /var/cache/cert-monitor
includePaths:
- /etc/cert-monitor.d/*.yml
vault:
    baseUrl: http://127.0.0.1:8200
    certPath: /v1/pki/issue/webservers
    loginPath: /v1/auth/approle/login
    roleId: <token elided>
    secretId: <token elided>

Certificate check configuration example:

commonName: n1-test.mydomain.com
alternateNames: [ test.mydomain.com ]
reloadCommand: /usr/sbin/apachectl graceful
user: nobody
group: nobody
ttl: 1344h
renewTtl: 672h
output:
  file:
    type: bundle
    name: /etc/httpd/conf.d/n1-test.mydomain.net.pem
    perm: 0600
  items:
    - certificate
    - chain
    - privateKey
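The renewal decision that the ttl and renewTtl settings express, as an added stand-alone Go example (not cert-monitor's own code). It assumes, since the page only names the keys, that a certificate is reissued once its remaining validity drops below renewTtl, reads the leaf from the front of a bundle laid out as above, and signs a constructed self-signed test certificate so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal applies the assumed renewTtl rule: parse the first CERTIFICATE block
// of the bundle and report true when less than renewTtl remains at `now` (or it has expired).
func needsRenewal(bundle []byte, renewTtl time.Duration, now time.Time) (bool, error) {
	block, _ := pem.Decode(bundle)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block at start of bundle")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("parse leaf certificate: %w", err)
	}
	return cert.NotAfter.Sub(now) < renewTtl, nil
}

// selfSignedPEM builds a constructed self-signed test certificate (not Vault-issued) valid for ttl.
func selfSignedPEM(cn string, notBefore time.Time, ttl time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	issued := time.Now()
	bundle := selfSignedPEM("n1-test.mydomain.com", issued, 1344*time.Hour) // ttl: 1344h
	renew, err := needsRenewal(bundle, 672*time.Hour, issued.Add(700*time.Hour)) // renewTtl: 672h
	fmt.Println("renew after 700h:", renew, err) // true: about 644h left, below renewTtl
}
```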

Testing

Basic Vault configuration example.

Vault Development Setup

Start (dev mode)

vault server -dev

Setup

export VAULT_TOKEN=
export VAULT_ADDR='http://127.0.0.1:8200'

vault mount pki
vault mount-tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal common_name=webserver ttl=87600h
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
vault write pki/roles/webservers allowed_domains=mydomain.local allow_subdomains="true" max_ttl="72h" client_flag=false key_usage=DigitalSignature,KeyEncipherment

Generate a certificate

vault write pki/issue/webservers common_name=s01-test-app-test.mydomain.local alt_names=n1-s01-test-app-test.mydomain.local

Example: issue a certificate using curl

/tmp/payload.json:

{ "common_name": "test.mydomain.local", "alt_names": "n1-test.mydomain.local" }

curl \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --request POST \
    --data @/tmp/payload.json \
    http://localhost:8200/v1/pki/issue/webservers

Configure a Vault Role

Enable approle backend

vault auth-enable approle

Create the role with a periodic token (renewable indefinitely, no hard expiration)

vault write auth/approle/role/testrole period=10m policies=certmon

Retrieve role_id

vault read auth/approle/role/testrole/role-id

Generate secret_id

vault write -f auth/approle/role/testrole/secret-id

TODO:

  • Testing
  • Refactoring to support other backends (CFSSL?)


