summaryrefslogtreecommitdiff
path: root/src/etc/systemd/system/certbot.service.d
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-05 22:27:45 +0100
committerChristian Breunig <christian@breunig.cc>2024-01-06 08:33:33 +0100
commitb8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a (patch)
treec0464f929adf9cb83dce6820303616a7935eac03 /src/etc/systemd/system/certbot.service.d
parentfb4b97b1824b5e6aab4cf7c810ea69897ea6300f (diff)
downloadvyos-1x-b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a.tar.gz
vyos-1x-b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a.zip
pki: T5886: add support for ACME protocol (LetsEncrypt)
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate <base64> or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
Diffstat (limited to 'src/etc/systemd/system/certbot.service.d')
-rw-r--r--src/etc/systemd/system/certbot.service.d/10-override.conf7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/etc/systemd/system/certbot.service.d/10-override.conf b/src/etc/systemd/system/certbot.service.d/10-override.conf
new file mode 100644
index 000000000..542f77eb2
--- /dev/null
+++ b/src/etc/systemd/system/certbot.service.d/10-override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh"