CA handler for NetGuard Certificate Manager and Insta Certifier
grindsa edited this page Jun 13, 2021 · 9 revisions
- the Certifier needs to have the REST service activated
- you have a user and password to access Certifier via the REST service
- copy the ca_handler into the acme directory
root@rlh:~# cp example/ca_handlers/certifier_ca_handler.py acme/ca_handler.py
- modify the server configuration (/acme/acme_srv.cfg) and add the following parameters
[CAhandler]
api_host: http://<ip>:<port>
api_user: <user>
api_password: <password>
ca_bundle: <value>
ca_name: <ca_name>
polling_timeout: <seconds>
- api_host - URL of the Certifier REST service
- api_user - REST user
- api_user_variable - optional - name of the environment variable containing the REST username (a configured api_user parameter in acme_srv.cfg takes precedence)
- api_password - password for the REST user
- api_password_variable - optional - name of the environment variable containing the password for the REST user (a configured api_password parameter in acme_srv.cfg takes precedence)
- ca_bundle - optional - certificate bundle needed to validate the server certificate - can be True/False or a filename (default: True). False disables validation of the Certifier server certificate and is only acceptable for testing: the REST user and password are sent with every request, so in production use an https api_host and point ca_bundle at the CA that issued the Certifier's TLS certificate.
- ca_name - name of the CA used to enroll certificates
- polling_timeout - optional - polling timeout (default: 60s)
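The rules above (a value in acme_srv.cfg wins over the environment variable named by the `*_variable` option, ca_bundle is True/False or a filename, polling_timeout defaults to 60 seconds) are easy to get subtly wrong. The following is an added example that implements exactly those rules; it is not code from acme2certifier or the certifier_ca_handler itself. The configuration text, the environment mapping and the host/path values in it are constructed for the example.

```python
"""Resolve the [CAhandler] settings for the Certifier handler.

Added illustration of the precedence rules documented above; not the
handler's own code. Configuration and environment are constructed inline.
"""
import configparser
from typing import Mapping, Optional, Union

# Constructed sample: password comes from the environment, user from the file.
SAMPLE_CFG = """
[CAhandler]
api_host: https://certifier.example.internal:8443
api_user: acme2certifier
api_password_variable: CERTIFIER_API_PASSWORD
ca_bundle: /etc/acme2certifier/certifier-ca.pem
ca_name: ca_name
polling_timeout: 120
"""
SAMPLE_ENV = {"CERTIFIER_API_PASSWORD": "s3cr3t-from-env"}


def resolve_credential(section: Mapping[str, str], env: Mapping[str, str],
                       key: str) -> Optional[str]:
    """Value for api_user / api_password.

    A value set directly in acme_srv.cfg takes precedence; otherwise the
    environment variable named by '<key>_variable' is read. Returns None when
    neither yields a value so the caller can fail closed instead of sending
    an empty credential.
    """
    direct = section.get(key)
    if direct:
        return direct
    var_name = section.get(f"{key}_variable")
    if var_name:
        return env.get(var_name) or None
    return None


def resolve_ca_bundle(section: Mapping[str, str]) -> Union[bool, str]:
    """Map ca_bundle to what a TLS client needs for server verification.

    'True' (default) -> verify against the system trust store,
    'False'          -> no verification at all (testing only),
    anything else    -> path of a PEM bundle used to verify the Certifier.
    """
    raw = (section.get("ca_bundle") or "True").strip()
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    return raw


def resolve_polling_timeout(section: Mapping[str, str], default: int = 60) -> int:
    """polling_timeout in seconds; default 60, must be positive."""
    raw = section.get("polling_timeout")
    if raw is None or not raw.strip():
        return default
    value = int(raw)
    if value <= 0:
        raise ValueError("polling_timeout must be a positive number of seconds")
    return value


def load_cahandler(cfg_text: str, env: Mapping[str, str]) -> dict:
    """Parse the [CAhandler] section and return the effective settings."""
    # interpolation=None: passwords containing '%' must not be treated as
    # configparser interpolation sequences.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    section = parser["CAhandler"]
    settings = {
        "api_host": section.get("api_host"),
        "api_user": resolve_credential(section, env, "api_user"),
        "api_password": resolve_credential(section, env, "api_password"),
        "ca_bundle": resolve_ca_bundle(section),
        "ca_name": section.get("ca_name"),
        "polling_timeout": resolve_polling_timeout(section),
    }
    missing = [k for k in ("api_host", "api_user", "api_password", "ca_name")
               if not settings[k]]
    if missing:
        raise ValueError(f"[CAhandler] incomplete, missing: {', '.join(missing)}")
    return settings


if __name__ == "__main__":
    resolved = load_cahandler(SAMPLE_CFG, SAMPLE_ENV)
    print({k: ("***" if k == "api_password" else v) for k, v in resolved.items()})
```

Passing the environment as a mapping rather than reading `os.environ` directly keeps the precedence logic testable; in a real deployment you would pass `os.environ`.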
Depending on the CA policy configuration a CSR may require approval. In such a situation acme2certifier will poll the CA server to check the CSR status. The polling timeout can be configured via the polling_timeout parameter in acme_srv.cfg.
You can get the ca_name by running the following REST call against Certifier (with api_user, api_password and api_host set to the values from your configuration; double quotes so the shell expands them):
root@rlh:~# curl -u "$api_user:$api_password" "$api_host/v1/cas"
The response to this call is a dictionary containing the list of CAs, including description and name. Pick the value of the "name" field of the CA you want to enroll against (the second entry in this example):
{
  "offset": 0,
  "limit": 50,
  "totalCount": 3,
  "href": "<url>",
  "cas": [
    {
      "href": "<url>/v1/cas/kQg0moMYAHGyG7jrQeT2Fw",
      "name": "Insta Certifier Internal CA",
      "description": "CA for Certifier internal TLS communication and operational use",
      "status": "active",
      "type": "online",
      "certificates": {
        "active": "<url>/v1/certificates/JPnxc-OqxkXdQt6An2vqnw"
      }
    },
    {
      "href": "<url>/v1/cas/PnOBdgHSiz5c1sR0MsZMtw",
      "name": "ca_name",
      "description": "Test CA for acme2certifier",
      "status": "active",
      "type": "online",
      "certificates": {
        "active": "<url>/v1/certificates/Ur-YAdXw6S8ddGl7ITVTjA"
      }
    }
  ]
}
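Mapping the configured ca_name back to a CA entry is worth doing carefully: the listing carries "offset", "limit" and "totalCount" fields (the sample above reports 3 CAs but shows two), so an absent name may simply be on a later page, and a name that matches twice should not silently pick the first hit. The following is an added example, not code from acme2certifier or the certifier_ca_handler; the listing is constructed from the sample response above, with "<url>" kept as the page's placeholder.

```python
"""Select the enrollment CA from a /v1/cas listing.

Added example built on the sample response shown on this page; not the
handler's own code. It refuses ambiguous names and inactive CAs, and when
nothing matches it says whether the listing was incomplete.
"""
import json
from typing import List

# Constructed from the sample response above (totalCount 3, two entries shown).
SAMPLE_CAS_RESPONSE = json.loads("""
{
  "offset": 0,
  "limit": 50,
  "totalCount": 3,
  "href": "<url>",
  "cas": [
    {
      "href": "<url>/v1/cas/kQg0moMYAHGyG7jrQeT2Fw",
      "name": "Insta Certifier Internal CA",
      "description": "CA for Certifier internal TLS communication and operational use",
      "status": "active",
      "type": "online",
      "certificates": {"active": "<url>/v1/certificates/JPnxc-OqxkXdQt6An2vqnw"}
    },
    {
      "href": "<url>/v1/cas/PnOBdgHSiz5c1sR0MsZMtw",
      "name": "ca_name",
      "description": "Test CA for acme2certifier",
      "status": "active",
      "type": "online",
      "certificates": {"active": "<url>/v1/certificates/Ur-YAdXw6S8ddGl7ITVTjA"}
    }
  ]
}
""")


class CaLookupError(Exception):
    """Raised when ca_name cannot be mapped to exactly one usable CA."""


def ca_names(listing: dict) -> List[str]:
    """Names of all CAs on this page of the listing (candidates for ca_name)."""
    return [ca.get("name", "") for ca in listing.get("cas", [])]


def listing_is_complete(listing: dict) -> bool:
    """True if this page holds every CA the server reports in totalCount."""
    cas = listing.get("cas", [])
    seen = listing.get("offset", 0) + len(cas)
    return seen >= listing.get("totalCount", seen)


def select_ca(listing: dict, ca_name: str) -> dict:
    """Return the CA entry whose "name" equals ca_name, or raise CaLookupError."""
    matches = [ca for ca in listing.get("cas", []) if ca.get("name") == ca_name]
    if len(matches) > 1:
        # Enrolling against "whichever matched first" would hide a misconfiguration.
        raise CaLookupError(
            f"ca_name {ca_name!r} matches {len(matches)} CAs; names must be unique")
    if not matches:
        # The page documents no paging parameters, so only say that more exist.
        hint = "" if listing_is_complete(listing) else (
            " (listing is incomplete: fetch the remaining CAs before concluding it does not exist)")
        raise CaLookupError(
            f"no CA named {ca_name!r}{hint}; names on this page: {ca_names(listing)}")
    ca = matches[0]
    if ca.get("status") != "active":
        raise CaLookupError(f"CA {ca_name!r} has status {ca.get('status')!r}, not active")
    return ca


if __name__ == "__main__":
    chosen = select_ca(SAMPLE_CAS_RESPONSE, "ca_name")
    print("enrolling against", chosen["href"])
```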
A CSR generated by the certbot client does not contain a subject name. Such a CSR will be refused by Certifier. To overcome this, you need a CA policy like the one below that sets a subject name (here the CN is derived from the DNS subjectAltName of the request).
(policy
  (receive-request
    (set-validity-period
      (null)
      (length 30)
      (type 86400)
      (end-of-day #f)
      (overwrite #t))
    (issue-automatic
      (null)
      (mode all))
    (issue-manual
      (null)))
  (accept-request
    (conditional-policy
      (null)
      (clause
        (test
          (module match-subject-name)
          (match-subject-name
            (null)
            (pattern)
            (prefix #f)
            (invert-match #f)))
        (chain
          (set-subject-name
            (null)
            (format "CN=%{altname:dns}")))))
    (set-validity-period
      (null)
      (length 1)
      (type 2592000)
      (end-of-day #t)
      (overwrite #t))
    (add-aia
      (null)
      (url http://aia_path/))
    (set-crl-distribution-point
      (null))
    (accept-all
      (null)))
  (view-request
    (accept-all
      (null)))
  (update-request
    (accept-all
      (null))))
IMPORTANT: the above policy configures a certificate lifetime of only 30 days (both set-validity-period rules, 30 × 86400 seconds and 1 × 2592000 seconds, amount to 30 days), and the add-aia rule points the AIA extension at the placeholder http://aia_path/. Please review carefully and modify according to your needs.
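To see the problem the policy solves, and what its set-subject-name rule does to a request, the following added example builds a certbot-style CSR (empty subject, DNS names only in the subjectAltName) and derives the subject the way `(format "CN=%{altname:dns}")` reads. It is not code from acme2certifier, certbot or Certifier; it assumes the `cryptography` package is installed, and it assumes the first DNS SAN is the one used for the CN (the page does not say which one Certifier picks when there are several). The DNS names are constructed for the example.

```python
"""Emulate the policy's set-subject-name rule on a certbot-style CSR.

Added example (not the project's code); requires the `cryptography` package.
The choice of the *first* DNS SAN for the CN is an assumption.
"""
from typing import List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr(dns_names: List[str], subject_cn: Optional[str] = None) -> x509.CertificateSigningRequest:
    """Build a CSR; with subject_cn=None the subject is empty, as certbot does."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([] if subject_cn is None
                        else [x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


def csr_dns_sans(csr: x509.CertificateSigningRequest) -> List[str]:
    """DNS names from the subjectAltName extension, [] if the CSR has none."""
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def effective_subject(csr: x509.CertificateSigningRequest) -> str:
    """Subject the policy would issue for this CSR (RFC 4514 string).

    A CSR that already carries a subject keeps it. An empty subject is
    replaced by CN=<first DNS SAN>. A CSR with neither is the case Certifier
    refuses, so it is rejected here as well.
    """
    if list(csr.subject):
        return csr.subject.rfc4514_string()
    sans = csr_dns_sans(csr)
    if not sans:
        raise ValueError("CSR has neither a subject name nor a DNS subjectAltName")
    return f"CN={sans[0]}"


if __name__ == "__main__":
    certbot_like = build_csr(["www.example.com", "example.com"])  # constructed names
    print("raw subject:", repr(certbot_like.subject.rfc4514_string()))
    print("issued as:  ", effective_subject(certbot_like))
```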