<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/op_mode/pki.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-04T23:33:41+00:00</updated>
<entry>
<title>pki: T8165: Add ability to show certificate full chain in pem format</title>
<updated>2026-06-04T23:33:41+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-27T19:27:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b27b74433a594a3c3b799b31db208da5bac8dd80'/>
<id>urn:sha1:b27b74433a594a3c3b799b31db208da5bac8dd80</id>
<content type='text'>
Add op-mode command having ability to show certificate
full chain in pem format as part of PKI configuration.

The certificates are ordered beginning with the end
entity (leaf) certificate, followed by any intermediate
certificates and finally the private key if requested.

This allows users to easily export a certificate along
with its CA hierarchy for use in external applications,
that require the full chain to be provided in a single
file.

One can now run the following commands:

```
show pki ca NAME pem full-chain
show pki certificate NAME pem full-chain
show pki certificate NAME private pem full-chain
```
</content>
</entry>
<entry>
<title>pki: T8877: Add ability to show private key in pem format</title>
<updated>2026-05-19T04:33:51+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-15T23:26:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=88a50d1700cac0b38595b206f804a59592bdb3d2'/>
<id>urn:sha1:88a50d1700cac0b38595b206f804a59592bdb3d2</id>
<content type='text'>
Add op-mode command having ability to show private
key in pem format as part of PKI configuration.

This is needed for users who want to render the
certificate and its private key.
</content>
</entry>
<entry>
<title>pki: T7953: implement certbot_renew() function to have everything at one place</title>
<updated>2025-10-29T19:18:41+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-26T15:27:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=220209abde9646cf7b7fc4832e46b9b6c461c433'/>
<id>urn:sha1:220209abde9646cf7b7fc4832e46b9b6c461c433</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7885: "renew certbot force" now supports setting up ACME from scratch</title>
<updated>2025-10-02T21:39:40+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-10-02T21:29:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ae74a511e11b7516a276b9bfa40e2c02cbe182cd'/>
<id>urn:sha1:ae74a511e11b7516a276b9bfa40e2c02cbe182cd</id>
<content type='text'>
Assume someone deleted the certbot_config folder, "renew certbot force" alone
will not work as there are no configuration files left to know what to renew.

Re-run CLI PKI helper to initially request certificates via ACME again. This
"should" (famous last words) never be the case - but sometimes the universe has
a bad time.
</content>
</entry>
<entry>
<title>op-mode: pki: T7648: fix pylint error</title>
<updated>2025-07-21T19:02:24+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-07-21T19:02:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1e4cc0806435f6e694e74cd6123a45bdedf3f0c9'/>
<id>urn:sha1:1e4cc0806435f6e694e74cd6123a45bdedf3f0c9</id>
<content type='text'>
************* Module pki
src/op_mode/pki.py:459:8: E1128: Assigning result of a function call, where
  the function returns None (assignment-from-none)
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
<entry>
<title>pki: T7574: add optional force argument to renew certbot-issued certificates</title>
<updated>2025-06-23T20:45:32+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-23T20:43:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=74941af39dc59c42d8ec6749169ee1c1663b78b7'/>
<id>urn:sha1:74941af39dc59c42d8ec6749169ee1c1663b78b7</id>
<content type='text'>
Certbot renewal command in op-mode "renew certbot" only works if any of the
certificates is up for renewal. There is no CLI option to forcefully renew a
certificate. This is about adding a force option to the CLI and with this
addition move the entire certbot renew handling to new-style op-mode commands.

vyos@vyos:~$ renew certbot force
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /config/auth/letsencrypt/renewal/vyos.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vyos.io

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /config/auth/letsencrypt/live/vyos/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
 Updating certificates in /etc/ssl/certs...
 0 added, 0 removed; done.
 Running hooks in /etc/ca-certificates/update.d...
 done.
</content>
</entry>
<entry>
<title>pki: T4914: reformat file by linter rules</title>
<updated>2024-10-18T13:46:39+00:00</updated>
<author>
<name>Nataliia Solomko</name>
<email>natalirs1985@gmail.com</email>
</author>
<published>2024-10-18T13:46:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=52e3ba35c09237744340c2cce4cba1783ec3f2be'/>
<id>urn:sha1:52e3ba35c09237744340c2cce4cba1783ec3f2be</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T4914: Rewrite the PKI op mode in the new style</title>
<updated>2024-10-18T12:42:59+00:00</updated>
<author>
<name>Nataliia Solomko</name>
<email>natalirs1985@gmail.com</email>
</author>
<published>2024-10-18T12:42:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8943446c8c79c6daad2326ddc7a59950123b35d2'/>
<id>urn:sha1:8943446c8c79c6daad2326ddc7a59950123b35d2</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T6481: auto import ACME certificate chain into CLI</title>
<updated>2024-10-06T18:13:56+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-10-06T18:13:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=875764b07f937fc599e2e62c667e7b811ddc2ed3'/>
<id>urn:sha1:875764b07f937fc599e2e62c667e7b811ddc2ed3</id>
<content type='text'>
When using an ACME based certificate with VyOS we provide the necessary PEM
files opaque in the background when using the internal tools. This however will
not properly work with the CA chain portion, as the system is based on the
"pki certificate &lt;name&gt; acme" CLI node of a certificate but CA chains reside
under "pki ca".

This adds support for importing the PEM data of a CA chain issued via ACME into
the "pki ca AUTOCHAIN_&lt;name&gt; certificate" subsystem so it can be queried by
other daemons. Importing the chain only happens, when the chain was not already
added manually by the user.

ACME certificate chains that are automatically added to the CLI are all prefixed
using AUTOCHAIN_certname so they can be consumed by any daemon. This also adds
a safeguard when the intermediate CA changes, the referenced name on the CLI
stays consitent for any pending daemon updates.
</content>
</entry>
</feed>
