acme2certifier is a development project to create an ACME protocol proxy. Its main purpose is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries:
- acme/*.py - a set of classes implementing ACME server functionality based on RFC 8555
- ca_handler.py - the interface towards the CA server. This library is intended to be modular so that adapting it to other CA servers is straightforward. As of today the following handlers are available:
For more up-to-date information and further documentation, please visit the project's home page at: https://github.com/grindsa/acme2certifier
Release notes and changelog can be found at https://github.com/grindsa/acme2certifier/releases
I am running this project as my RnD guys told me that it won’t be possible :-)
I am using acme.sh, Certbot and acmeshell to test the server functionality. Other clients are on my list for later testing. In case you are bored, feel free to test other ACME clients and raise issues if something does not work as expected.
Command-line parameters used for testing
I am not a professional developer. Keep this in mind while laughing about my code and don’t forget to send patches.
As of today acme2certifier supports the below ACME functions only:
- "directory" resource (Section 7.1.1)
- "newNonce" resource (Section 7.2)
- "newAccount" resource (Section 7.3)
- Finding an Account URL Given a Key (Section 7.3.1)
- Account update (Section 7.3.2)
- Key Rollover (Section 7.3.5)
- Account Deactivation (Section 7.3.6)
- "new-order" resource (Section 7.4)
- "order finalization" (Section 7.4)
- "certificate download" (Section 7.4.2)
- "authz" resource (Section 7.5)
- "challenge" resource (Section 7.5.1)
- "certificate revocation" (Section 7.6)
Starting from version 0.4 acme2certifier includes experimental support for TNAuthList identifiers and tkauth-01 challenges. Check tnauthlist.md for further information.
IMPORTANT: The current version does NOT perform identifier validation. The ACME server simply changes the status of each challenge to "valid", which forces the ACME client to send its CSR immediately.
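Because the server marks every challenge "valid" without checking anything, anyone who can reach the proxy can obtain a certificate for any name. The following is an added example, not acme2certifier code, of the http-01 key-authorization check a validating ACME server performs (RFC 8555 section 8.1 and 8.3, RFC 7638 thumbprint); it uses only the Python standard library, and the account JWK and token below are constructed sample values.

```python
"""Added example (not acme2certifier code): the http-01 key-authorization
check an ACME server performs during identifier validation.
Only the standard library is used; the JWK and token are constructed samples."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographically sorted,
    no whitespace, SHA-256, base64url-encoded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def expected_key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))"""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(token: str, account_jwk: dict, served_body: bytes) -> bool:
    """Compare the body fetched from
    http://<identifier>/.well-known/acme-challenge/<token> with the value the
    account key holder alone can produce. Trailing whitespace is tolerated
    (RFC 8555 s8.3); the comparison is constant-time."""
    expected = expected_key_authorization(token, account_jwk).encode("ascii")
    return secrets.compare_digest(expected, served_body.rstrip())


# Constructed sample account key (public EC JWK). The optional "use" member
# must NOT enter the thumbprint; the function above ignores it.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}
# Constructed sample challenge token (random, base64url, as a server would issue)
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    good = expected_key_authorization(SAMPLE_TOKEN, SAMPLE_JWK).encode() + b"\n"
    print("genuine response accepted:", validate_http01(SAMPLE_TOKEN, SAMPLE_JWK, good))
    print("forged response rejected:", not validate_http01(SAMPLE_TOKEN, SAMPLE_JWK, b"anything"))
```

The point of the check is that a response can only be produced by whoever holds the account key that requested the order; until the server performs it (or the DNS/TLS-ALPN equivalents), the proxy should only be reachable from networks where every client is already trusted to request any name.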
Additional functionality will be added over time. If you are badly missing a certain feature please raise an issue to let me know.
The proxy can run either as a Django project or as a plain wsgi script.
- check that the wsgi module is loaded in your apache2
root@rlh:~# apache2ctl -M | grep -i wsgi
wsgi_module (shared)
root@rlh:~#
if wsgi_module is not listed, enable it first; how to do this depends on your distribution.
- download the archive and unpack it.
- install the missing modules via pip
root@rlh:~# pip3 install -r requirements.txt
- copy the file "examples/apache_acme.conf" to "/etc/apache2/sites-available" and modify it according to your needs.
- activate the virtual server
root@rlh:~# a2ensite acme_acme.conf
- create a directory /var/www/acme
- copy the file acme2certifier_wsgi.py to /var/www/acme
- create a directory /var/www/acme/acme
- copy the content of the acme directory to /var/www/acme/acme
- create a configuration file 'acme_srv.cfg' in /var/www/acme/acme or use the example stored in the examples directory
- modify the configuration file according to your needs
- pick the correct ca handler from the examples/ca_handler directory and copy it to /var/www/acme/acme/ca_handler.py
- configure the connection to your ca server. Example for Insta Certifier
- activate the wsgi database handler
root@rlh:~# cp /var/www/acme/examples/db_handler/wsgi_handler.py /var/www/acme/acme/db_handler.py
- ensure that all files and directories under /var/www/acme are owned by the user running the webserver (www-data is just an example!)
root@rlh:~# chown -R www-data.www-data /var/www/acme/
- set the correct permissions on the acme subdirectory
root@rlh:~# chmod a+x /var/www/acme/acme
- check access to the directory resource to verify that everything works so far
[root@srv ~]# curl http://127.0.0.1/directory
{"newAccount": "http://127.0.0.1/acme/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1/acme/key-change", "newNonce": "http://127.0.0.1/acme/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1/acme/neworders", "revokeCert": "http://127.0.0.1/acme/revokecert"}[root@srv ~]#
I barely know NGINX. Main input has been taken from here. If you see room for improvement let me know.
The setup lets uWSGI serve acme2certifier while NGINX acts as a reverse proxy in front of it to provide better connection handling.
- set up your project directory
[root@srv ~]# mkdir /opt/acme2certifier
- download the archive and unpack it into /opt/acme2certifier.
- create a configuration file 'acme_srv.cfg' in /opt/acme2certifier/acme/ or use the example stored in the examples directory
- modify the configuration file according to your needs
- pick the correct ca handler from the /opt/acme2certifier/examples/ca_handler directory and copy it to /opt/acme2certifier/acme/ca_handler.py
- configure the connection to your ca server. Example for Insta Certifier
- activate the wsgi database handler
root@rlh:~# cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme/db_handler.py
- copy the application file "acme2certifier_wsgi.py" from the examples directory
root@rlh:~# cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
- set the correct permissions on the acme subdirectory
[root@srv ~]# chmod a+x /opt/acme2certifier/acme
- set the ownership of the acme subdirectory to the user running nginx
[root@srv ~]# chown -R nginx /opt/acme2certifier/acme
- install the missing python modules
[root@srv ~]# pip install -r requirements.txt
- install uWSGI by using pip
[root@srv ~]# pip install uwsgi
- test acme2certifier by starting the application
[root@srv ~]# uwsgi --socket 0.0.0.0:8000 --protocol=http -w acme2certifier_wsgi
- check access to the directory resource in a parallel session to verify that everything works so far
[root@srv ~]# curl http://127.0.0.1:8000/directory
{"newAccount": "http://127.0.0.1:8000/acme/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme/key-change", "newNonce": "http://127.0.0.1:8000/acme/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1:8000/acme/neworders", "revokeCert": "http://127.0.0.1:8000/acme/revokecert"}[root@srv ~]#
- create a uWSGI config file or use the one stored in the examples/nginx directory
[root@srv ~]# cp examples/nginx/acme2certifier.ini /opt/acme2certifier
- create a systemd unit file for uWSGI or use the one stored in the examples/nginx directory
[root@srv ~]# cp examples/nginx/uwsgi.service /etc/systemd/system/
[root@srv ~]# systemctl enable uwsgi.service
- start uWSGI as a service
[root@srv ~]# systemctl start uwsgi
- configure NGINX as a reverse proxy or use the example stored in the examples/nginx directory and modify it according to your needs
[root@srv ~]# cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
- restart nginx
[root@srv ~]# systemctl restart nginx
- test the server by accessing the directory resource
[root@srv ~]# curl http://<your server name>/directory
you should get your resource overview now
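Both install procedures (apache2 and NGINX/uWSGI) end with a curl against /directory and a visual look at the JSON. The following is an added example, not part of acme2certifier, that does that check programmatically: it parses the directory document, verifies the resources RFC 8555 section 7.1.1 requires are present, and flags every endpoint that is not served over https (the output printed above is http on 127.0.0.1, which is fine for a local smoke test but not for anything a client trusts). The sample input is the directory JSON printed in the uWSGI step; `fetch_directory` and the script file name are assumptions of this example.

```python
"""Added example (not acme2certifier code): post-install check of the
ACME directory resource. Sample input is the JSON printed by the curl
command in the install steps."""
import json
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

# Resources RFC 8555 s7.1.1 requires a directory to carry
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")
# Entries a directory may carry in addition
OPTIONAL = ("newAuthz", "meta")
KNOWN = REQUIRED + OPTIONAL

# Directory JSON exactly as printed after the uWSGI test above (sample input)
SAMPLE_DIRECTORY = (
    '{"newAccount": "http://127.0.0.1:8000/acme/newaccount", '
    '"fa8b347d3849421ebc4b234205418805": '
    '"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", '
    '"keyChange": "http://127.0.0.1:8000/acme/key-change", '
    '"newNonce": "http://127.0.0.1:8000/acme/newnonce", '
    '"meta": {"home": "https://github.com/grindsa/acme2certifier", '
    '"author": "grindsa <grindelsack@gmail.com>"}, '
    '"newOrder": "http://127.0.0.1:8000/acme/neworders", '
    '"revokeCert": "http://127.0.0.1:8000/acme/revokecert"}'
)


def check_directory(directory_json: str) -> dict:
    """Return a report: missing required resources, resources not served
    over https, unknown (e.g. random) entries, and the advertised home URL."""
    d = json.loads(directory_json)
    report = {"missing": [], "insecure": [], "extra": [], "home": None}
    for name in REQUIRED:
        if name not in d:
            report["missing"].append(name)
    for name, value in d.items():
        if name == "meta":
            if isinstance(value, dict):
                report["home"] = value.get("home")
            continue
        if name not in KNOWN:
            # Unknown entries (such as the random one above) are reported, not failed
            report["extra"].append(name)
            continue
        if urlparse(str(value)).scheme != "https":
            report["insecure"].append(name)
    report["ok"] = not report["missing"] and not report["insecure"]
    return report


def fetch_directory(url: str, timeout: float = 5.0) -> str:
    """Fetch a live directory document (assumed helper, not run offline)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage (assumed file name): python3 check_directory.py http://127.0.0.1:8000/directory
    source = fetch_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIRECTORY
    report = check_directory(source)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

Run against the sample the report lists no missing resources but all five required ones as insecure, so the exit status is 1; once NGINX terminates TLS and the server advertises https URLs the same check passes.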
- create a new Django project called acme2certifier
missing
- create a new app inside your project called "acme"
missing
- copy the content of the folder "examples/django/acme2certifier" into the "acme2certifier" folder of your project
- copy the content of the folder "examples/django/acme" into the "acme" folder created in step 2
Please read CONTRIBUTING.md for details on my code of conduct, and the process for submitting pull requests. Please note that I have a life besides programming. Thus, expect a delay in answering.
I use SemVer for versioning. For the versions available, see the tags on this repository.
This project is licensed under the GPLv3 - see the LICENSE file for details.