
certman


CLI tool for AWS Certificate Manager.

Installation

Add this line to your application's Gemfile:

gem 'certman'

And then execute:

$ bundle

Or install it yourself as:

$ gem install certman

Usage

Request ACM Certificate with only AWS managed services

$ certman request blog.example.com
NOTICE! Your selected region is *ap-northeast-1*. Certman will create a certificate on *ap-northeast-1*. OK? Yes
NOTICE! Certman has chosen *us-east-1*  for S3/SES resources. OK? Yes
NOTICE! When requesting, Certman appends a Receipt Rule to the current Active Receipt Rule Set. OK? Yes
[✔] [ACM] Check Certificate (us-east-1) (successful)
[✔] [Route53] Check Hosted Zone (us-east-1) (successful)
[✔] [Route53] Check TXT Record (us-east-1) (successful)
[✔] [Route53] Check MX Record (us-east-1) (successful)
[✔] [SES] Check Active Rule Set (us-east-1) (successful)
[✔] [S3] Create Bucket for SES inbound (us-east-1) (successful)
[✔] [SES] Create Domain Identity (us-east-1) (successful)
[✔] [Route53] Create TXT Record Set to verify Domain Identity (us-east-1) (successful)
[✔] [SES] Check Domain Identity Status *verified* (us-east-1) (successful)
[✔] [Route53] Create MX Record Set (us-east-1) (successful)
[✔] [SES] Create and Active Receipt Rule Set (us-east-1) (successful)
[✔] [SES] Create Receipt Rule (us-east-1) (successful)
[✔] [ACM] Request Certificate (us-east-1) (successful)
[✔] [S3] Check approval mail (will take about 30 min) (us-east-1) (successful)
[✔] [SES] Delete Receipt Rule (us-east-1) (successful)
[✔] [SES] Delete Receipt Rule Set (us-east-1) (successful)
[✔] [Route53] Delete MX Record Set (us-east-1) (successful)
[✔] [Route53] Delete TXT Record Set (us-east-1) (successful)
[✔] [SES] Delete Verified Domain Identiry (us-east-1) (successful)
[✔] [S3] Delete Bucket (us-east-1) (successful)
Done.

certificate_arn: arn:aws:acm:ap-northeast-1:0123456789:certificate/123abcd4-5e67-8f90-123a-4567bc89d01

OR

NOTICE! Your selected region is *us-east-1*. Certman will create a certificate on *us-east-1*.
NOTICE! Certman has chosen *us-east-1* for S3/SES resources.
NOTICE! When requesting, Certman appends a Receipt Rule to the current Active Receipt Rule Set.
[✖] [ACM] Check Certificate (us-east-1) (error)

Certificate already exists!

certificate_arn: arn:aws:acm:us-east-1:0123456789:certificate/123abcd4-5e67-8f90-123a-4567bc89d01

Flags

--remain-resources

Skips deleting resources after a certificate has been successfully generated. This is necessary if you cannot use automatic validation (i.e., if your site is not accessible to the public internet via HTTPS). See How Manual Domain Validation Works for more information.

--non-interactive

Suppresses prompts from Certman (e.g., when running under a CI system such as Travis or Jenkins).

--subject-alternative-names=www.test.example.com cert.test.example.com

Other domain names (separated by spaces) to associate with the requested certificate. Note that only the primary domain name is used for identification purposes and that AWS initially limits each certificate to 10 SANs.

--hosted-zone=test.example.com

Specify the name (not the ID) of the Route53 Hosted Zone where the DNS record sets Certman uses will be located. By default, Certman will use the apex domain (i.e. "test.example.com" will have a default hosted-zone of "example.com").
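The checks at the start of the request flow above (hosted zone, existing TXT and MX records) and the default hosted-zone rule described for --hosted-zone, modelled as an added example. This is not certman's own code: it runs the same kind of preflight against a constructed in-memory set of Route53 record sets, so it executes offline, and it also flags a CNAME at the requested name, which Route53 would reject when the MX record set is created. The zone contents, record values and function names are made up for the illustration.

```ruby
# Added example; not certman's own code. Models the Route53 preflight checks that a
# "certman request" run performs before it creates anything, using constructed
# in-memory record sets so it runs offline. Zone contents and names are made up.

# Default hosted zone is the apex domain (the last two labels) unless overridden,
# matching the behaviour described for --hosted-zone.
def default_hosted_zone(domain)
  domain.split('.').last(2).join('.')
end

def record_exists?(records, name, type)
  records.any? { |r| r[:name] == name && r[:type] == type }
end

# Returns an array of problem strings; an empty array means the request can proceed.
# zones maps a hosted-zone name to its record sets ({ name:, type:, value: }).
def preflight(zones, domain, hosted_zone: default_hosted_zone(domain))
  records = zones[hosted_zone]
  return ["hosted zone #{hosted_zone} not found"] if records.nil?

  problems = []
  unless domain == hosted_zone || domain.end_with?(".#{hosted_zone}")
    problems << "#{domain} is not inside hosted zone #{hosted_zone}"
  end

  # Certman writes its SES verification token here; a pre-existing record
  # would otherwise be overwritten or, as in the current tool, abort the run.
  txt_name = "_amazonses.#{domain}"
  problems << "#{txt_name} TXT already exists" if record_exists?(records, txt_name, 'TXT')

  # Certman points MX at SES inbound; an existing MX means live mail for the
  # name would be redirected for the duration of the run.
  problems << "#{domain} MX already exists" if record_exists?(records, domain, 'MX')

  # Route53 refuses any other record type at a name that already holds a CNAME,
  # so the MX record set could never be created.
  if record_exists?(records, domain, 'CNAME')
    problems << "#{domain} holds a CNAME, so Route53 will reject the MX record set"
  end
  problems
end

# Constructed sample zone: apex A record, a www CNAME, a leftover SES token
# at the apex, and a plain A record for blog.
SAMPLE_ZONES = {
  'example.com' => [
    { name: 'example.com',            type: 'A',     value: '192.0.2.10' },
    { name: 'www.example.com',        type: 'CNAME', value: 'example.com' },
    { name: '_amazonses.example.com', type: 'TXT',   value: '"stale-token"' },
    { name: 'blog.example.com',       type: 'A',     value: '192.0.2.11' }
  ]
}.freeze

if $PROGRAM_NAME == __FILE__
  %w[blog.example.com www.example.com example.com].each do |d|
    problems = preflight(SAMPLE_ZONES, d)
    puts "#{d}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```

Running the file reports blog.example.com as clean, www.example.com as blocked by its CNAME, and example.com as blocked by the stale _amazonses TXT record; a real implementation would obtain the record sets with the aws-sdk Route53 client instead of the SAMPLE_ZONES hash.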

Restore Resources

If you want to restore the resources generated for an ACM certificate (e.g., in order to receive the approval mail again), use certman restore-resources. This supports the --non-interactive and --hosted-zone flags from certman request.

$ certman restore-resources blog.example.com

Delete Certificate

$ certman delete blog.example.com
[✔] [ACM] Delete Certificate (successful)
Done.

License

The gem is available as open source under the terms of the MIT License.


certman's Issues

[Route53] Create MX Record Set (us-east-1) fails because it conflicts with the CNAME record.

This might be happening because my apex domain is an alias. I didn't run into this specific issue on other domains.

$ AWS_DEFAULT_REGION=us-east-1 certman request www.venilia.co
NOTICE! Your selected region is *us-east-1*. Certman create certificate on *us-east-1*. OK? Yes
NOTICE! When requesting, Certman replace Active Receipt Rule Set. OK? Yes
[✔] [ACM] Check Certificate (us-east-1) (successfull)
[✔] [Route53] Check Hosted Zone (us-east-1) (successfull)
[✔] [Route53] Check TXT Record (us-east-1) (successfull)
[✔] [Route53] Check MX Record (us-east-1) (successfull)
[✔] [S3] Create Bucket for SES inbound (us-east-1) (successfull)
[✔] [SES] Create Domain Identity (us-east-1) (successfull)
[✔] [Route53] Create TXT Record Set to verify Domain Identity (us-east-1) (successfull)
[✔] [SES] Check Domain Identity Status *verified* (us-east-1) (successfull)
[/] [Route53] Create MX Record Set (us-east-1)
Error: RRSet of type MX with DNS name www.venilia.co. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone venilia.co.
[✖] [Route53] Create MX Record Set (us-east-1) (error)
[✔] [Route53] Delete TXT Record Set (us-east-1) (successfull)
[✔] [SES] Delete Verified Domain Identiry (us-east-1) (successfull)
[✔] [S3] Delete Bucket (us-east-1) (successfull)
Done.

certificate_arn:

My records on this domain:

screenshot 2017-04-11 15 32 08

Intermittently no verification email is received.

There seems to be some race condition between SES reporting receiving is setup and being able to receive emails. Maybe it's because of DNS propagation, or maybe it's because the reported time isn't true.

So I have to manually re-send the activation email, otherwise it seems like I need to re-run it anywhere between 2 and 10 times.

I think it would be helpful if we both paused for some seconds of a grace period in creating the certificate, and retried sending the verification email every say 30 seconds or minute or whatever seems reasonable.

For instance this is a case where I didn't receive the activation email:

screenshot 2017-04-19 04 21 03

screenshot 2017-04-19 04 21 09

Even though the certificate was created 2 seconds after SES receiving became available.

[Route53] Check TXT Record fails on the apex domain.

I love that I found this when I was thinking if I could do the exact same thing. I ran into an issue though:

$ AWS_DEFAULT_REGION=us-east-1 certman request fairmontsingaporenightrace.com
NOTICE! Your selected region is *us-east-1*. Certman create certificate on *us-east-1*. OK? Yes
NOTICE! When requesting, Certman replace Active Receipt Rule Set. OK? Yes
[/] [ACM] Check Certificate (us-east-1)
[✔] [ACM] Check Certificate (us-east-1) (successfull)
[✔] [Route53] Check Hosted Zone (us-east-1) (successfull)
[\] [Route53] Check TXT Record (us-east-1)/Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/certman-0.4.0/lib/certman/resource/route53.rb:123:in `check_txt_rset': _amazonses.fairmontsingaporenightrace.com TXT already exist (RuntimeError)
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/certman-0.4.0/lib/certman/client.rb:87:in `check_resource'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/certman-0.4.0/lib/certman/client.rb:17:in `request'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/certman-0.4.0/lib/certman/cli.rb:20:in `request'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/gems/certman-0.4.0/exe/certman:7:in `<top (required)>'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/bin/certman:22:in `load'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/bin/certman:22:in `<main>'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/bin/ruby_executable_hooks:15:in `eval'
	from /Users/kitsunde/.rvm/gems/ruby-2.3.3/bin/ruby_executable_hooks:15:in `<main>'

_amazonses.fairmontsingaporenightrace.com didn't exist. I've tried:

  • Adding it through the SES wizard.
  • Using a different much shorter domain like venilia.co
  • Downgrading to 0.3.0
  • Using my system default region (Singapore)

It all comes back like this. Any idea what's going on?

Can't currently validate www subdomains.

*. and www. get stripped. So the verification emails are never received. From: https://aws.amazon.com/certificate-manager/faqs/

The five special email addresses are constructed differently for domain names that begin with "www" or wildcard names beginning with an asterisk (*). ACM removes the leading "www" or asterisk and email is sent to the administrative addresses formed by pre-pending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request a certificate for www.example.com, email is sent to the WHOIS contacts, as described previously, plus admin@example.com rather than admin@www.example.com. The remaining four special email addresses are similarly formed.
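The address rule quoted from the ACM FAQ in this issue, worked through as an added example (this is not certman's or AWS's code). It derives the five administrative mailboxes ACM mails for a requested name and then checks them against the SES identity certman verifies, which is the requested name itself: for a "www." or "*." name every validation address lands on the parent domain, so none of them reaches the receipt rule certman set up. The domain names and function names are made up for the illustration.

```ruby
# Added example; not certman's or AWS's code. Implements the mailbox rule quoted
# from the ACM FAQ: a leading "www." or "*." is dropped before the five admin-style
# addresses are formed. Domain names here are constructed.

ADMIN_MAILBOXES = %w[admin administrator hostmaster postmaster webmaster].freeze

# Domain part ACM uses for the validation mailboxes.
def acm_mail_domain(domain)
  domain.sub(/\A(www\.|\*\.)/, '')
end

# The five special addresses ACM sends the approval mail to (WHOIS contacts aside).
def acm_validation_addresses(domain)
  ADMIN_MAILBOXES.map { |box| "#{box}@#{acm_mail_domain(domain)}" }
end

# certman verifies the requested name as an SES domain identity, points its MX at
# SES and adds a receipt rule for that name, so only mail addressed to that exact
# domain reaches its S3 bucket. Returns the validation addresses that would not.
def undeliverable_addresses(requested_domain, verified_identity = requested_domain)
  acm_validation_addresses(requested_domain).reject do |addr|
    addr.end_with?("@#{verified_identity}")
  end
end

if $PROGRAM_NAME == __FILE__
  %w[blog.example.com www.example.com *.example.com].each do |name|
    missed = undeliverable_addresses(name)
    status = missed.empty? ? 'all validation mail reaches certman' : "never received: #{missed.join(', ')}"
    puts "#{name}: #{status}"
  end
end
```

Passing the parent domain as verified_identity (the name certman would have to verify for www.example.com) makes the list empty, which is the workaround implied by the FAQ text.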

[S3] Create Bucket fails when deploying to us-west-2

$ certman request aaa.bbb.ccc.example.com
NOTICE! Your selected region is *us-west-2*. Certman create certificate on *us-west-2*. OK? Yes
NOTICE! When requesting, Certman replace Active Receipt Rule Set. OK? Yes
[✔] [ACM] Check Certificate (us-west-2) (successfull)
[✔] [Route53] Check Hosted Zone (us-west-2) (successfull)
[✔] [Route53] Check TXT Record (us-west-2) (successfull)
[✔] [Route53] Check MX Record (us-west-2) (successfull)
[|] [S3] Create Bucket for SES inbound (us-west-2)
Error: The specified bucket is not valid.
[✖] [S3] Create Bucket for SES inbound (us-west-2) (error)
Done.

certificate_arn:

Is there a way to output debug logs?
