This project provides the CLI utility cesnet-tcs for requesting and fetching server certificates from CESNET TCS using the TCS API.
It also provides ready-made cron scripts for complete automation of certificate renewal before expiration.
Requirements:

- POSIX-sh compatible shell (e.g. Busybox ash, dash, ZSH, bash, …)
- grep, sed, tr (both GNU and Busybox)
- curl
- openssl (≥ 1.1.1 if you use subject alternative names)
Note: The project's Makefile supports standard GNU variables such as DESTDIR, prefix, bindir…
Installation on Alpine Linux (apk):

    apk add cesnet-tcs-cli
    ln -s /usr/bin/cesnet-tcs-fetch-issued /etc/periodic/hourly/
    ln -s /usr/bin/cesnet-tcs-renew /etc/periodic/daily/

Installation from source:

    git clone -b v0.4.0 https://github.com/jirutka/cesnet-tcs-cli.git
    cd cesnet-tcs-cli
    make install
    make install-cron

See --help of cesnet-tcs, cesnet-tcs-fetch-issued, cesnet-tcs-renew and the comments in cesnet-tcs.conf.
Usage:

1. Request a new certificate using cesnet-tcs req my.example.org
2. Once the request is approved and the certificate issued, the cesnet-tcs-fetch-issued cron script will automatically fetch it and store it in /etc/ssl/cesnet.
3. Two weeks before the certificate's expiration date the cesnet-tcs-renew cron script will automatically request a new one.
4. Go to 2.
Files:

- /usr/bin/cesnet-tcs
  Requests a certificate or fetches the issued certificate from CESNET TCS.
- /usr/bin/cesnet-tcs-fetch-issued (<- /etc/periodic/hourly/cesnet-tcs-fetch-issued)
  Checks pending certificate requests in $spool_dir [1] and fetches all that are already issued. Afterwards runs $post_fetch_script with the domain names of the fetched certificates as arguments, if there are some. This script is supposed to be run periodically by cron.
- /usr/bin/cesnet-tcs-renew (<- /etc/periodic/daily/cesnet-tcs-renew)
  Checks all certificates in $certs_dir and for each that is N days from expiring (N is specified by $renew_days_before) sends a new certificate request to CESNET TCS. This script is supposed to be run periodically by cron.
- /etc/cesnet-tcs/cesnet-tcs.conf
  Configuration file in shell syntax for all the above scripts.
- /etc/cesnet-tcs/post-fetch.sh
  A hook script that is executed by cesnet-tcs-fetch-issued after it fetches some new certificate(s).
- /etc/ssl/cesnet
  Directory where certificates and keys are stored. The location can be changed by the $certs_dir and $keys_dir config variables.
- /var/spool/cesnet-tcs
  Directory where IDs of the sent certificate requests are stored. The location can be changed by the $spool_dir config variable.
Note: All paths correspond to an installation with prefix=/usr.
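The expiry check that the cesnet-tcs-renew description above relies on, as an added example that is not the project's own code: a POSIX sh script that lists certificates due for renewal using openssl's -checkend. It assumes PEM certificates named <domain>.crt in $certs_dir and renew_days_before=14; the demo generates constructed self-signed certificates in a temp dir.

```shell
#!/bin/sh
# Added example, not part of cesnet-tcs-cli: the expiry check behind the
# cesnet-tcs-renew description, built on `openssl x509 -checkend`.
# Assumptions (not from the project): certificates are PEM files named
# <domain>.crt in $certs_dir, and $renew_days_before is 14.
set -eu

# expires_within_days CERT DAYS: exit 0 if CERT expires within DAYS days,
# 1 if it stays valid, 2 if the file is not a parseable certificate.
expires_within_days() {
	cert=$1; days=$2
	openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
	# -checkend exits 0 while the cert is still valid after that many seconds.
	if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
		return 1
	fi
	return 0
}

# certs_to_renew DIR DAYS: print the domain (file name without .crt) of every
# certificate in DIR that expires within DAYS days, one per line.
certs_to_renew() {
	dir=$1; days=$2
	for cert in "$dir"/*.crt; do
		[ -f "$cert" ] || continue
		if expires_within_days "$cert" "$days"; then
			basename "$cert" .crt
		fi
	done
}

# demo: constructed self-signed certificates in a temp dir, one expiring in
# 3 days and one valid for a year; with renew_days_before=14 only the first
# is due. Prints "soon.example.org".
demo() {
	tmp=$(mktemp -d)
	for spec in soon.example.org:3 fresh.example.org:365; do
		name=${spec%%:*}; days=${spec##*:}
		openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$name" \
			-keyout "$tmp/$name.key" -out "$tmp/$name.crt" >/dev/null 2>&1
	done
	certs_to_renew "$tmp" 14
	rm -rf "$tmp"
}

demo
```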
This project is licensed under MIT License. For the full text of the license, see the LICENSE file.
[1] cesnet-tcs req writes there a file for each requested certificate.