From 1983eb79de4b46ec2bbb0e194fe2bce0c333ddfd Mon Sep 17 00:00:00 2001 From: Mathias Petermann Date: Wed, 23 Sep 2020 13:00:14 +0200 Subject: [PATCH 1/4] Add paragraph about reusing ACME accounts --- docs/production/index.rst | 42 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/docs/production/index.rst b/docs/production/index.rst index 9f90c0cc..21fca650 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst 
@@ -511,3 +511,45 @@ The following must be added to the config file to activate the pinning (the pinn KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- """ + + +LetsEncrypt: Using a pre-existing ACME account +----------------------------------------------- + +Let's Encrypt allows reusing an existing ACME account, to create and especially revoke certificates. The current +implementation in the acme plugin, only allows for a single account for all ACME authorities, which might be an issue, +when you try to use Let's Encrypt together with another certificate authority that uses the ACME protocol. + +To use an existing account, you need to configure the `ACME_PRIVATE_KEY` and `ACME_REGR` variables in the lemur +configuration. + +`ACME_PRIVATE_KEY` needs to be in the JWK format:: + + { + "kty": "RSA", + "n": "yr1qBwHizA7ME_iV32bY10ILp.....", + "e": "AQAB", + "d": "llBlYhil3I.....", + "p": "-5LW2Lewogo.........", + "q": "zk6dHqHfHksd.........", + "dp": "qfe9fFIu3mu.......", + "dq": "cXFO-loeOyU.......", + "qi": "AfK1sh0_8sLTb..........." + } + + +Using `python-jwt` converting a existing private key in PEM format is quite easy:: + + import python_jwt as jwt, jwcrypto.jwk as jwk + + priv_key = jwk.JWK.from_pem(b"""-----BEGIN RSA PRIVATE KEY----- + ... + -----END RSA PRIVATE KEY-----""") + + print(priv_key.export()) + +`ACME_REGR` needs to be a valid JSON with a `body` and a `uri` attribute, similar to this:: + + {"body": {}, "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/"} + +The uri can be retrieved from the ACME create account endpoint, when trying to create a new account, using the existing key. \ No newline at end of file From ae1ead6d7551dab0435e2f553bf2af469158aa4f Mon Sep 17 00:00:00 2001 From: Mathias Petermann Date: Wed, 23 Sep 2020 13:04:51 +0200 Subject: [PATCH 2/4] Document ACME plugin specific configurations --- docs/administration.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/docs/administration.rst b/docs/administration.rst index 0cec16a0..4c0477aa 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -1171,6 +1171,23 @@ The following configuration properties are required to use the PowerDNS ACME Plu File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle. +ACME Plugin +~~~~~~~~~~~~ + +The following configration properties are optional for the ACME plugin to use. They allow reusing an existing ACME +account. + + +.. data:: ACME_PRIVATE_KEY + :noindex: + + This is the private key, the account was registered with (in JWK format) + +.. data:: ACME_REGR + :noindex: + + This is the registration for the ACME account, the most important part is the uri attribute (in JSON) + .. _CommandLineInterface: Command Line Interface From 4f1e09e3afe88c5d04918e0acf1da8effc0c1b16 Mon Sep 17 00:00:00 2001 From: Mathias Petermann Date: Wed, 23 Sep 2020 13:20:35 +0200 Subject: [PATCH 3/4] Add reference from configuration options, to more detailed explanation --- docs/administration.rst | 2 +- docs/production/index.rst | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index 4c0477aa..f44ad1a3 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -1175,7 +1175,7 @@ ACME Plugin ~~~~~~~~~~~~ The following configration properties are optional for the ACME plugin to use. They allow reusing an existing ACME -account. +account. See :ref:`Using a pre-existing ACME account ` for more details. .. data:: ACME_PRIVATE_KEY diff --git a/docs/production/index.rst b/docs/production/index.rst index 21fca650..bace15d3 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst 
@@ -513,6 +513,8 @@ The following must be added to the config file to activate the pinning (the pinn """ +.. _AcmeAccountReuse: + LetsEncrypt: Using a pre-existing ACME account ----------------------------------------------- From 21c2255c754b48fd2a1887cad64098fa73b99f03 Mon Sep 17 00:00:00 2001 From: Mathias Petermann Date: Wed, 23 Sep 2020 19:14:09 +0200 Subject: [PATCH 4/4] Minor spelling improvements --- docs/production/index.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/production/index.rst b/docs/production/index.rst index bace15d3..c6f561ca 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst @@ -540,7 +540,7 @@ configuration. } -Using `python-jwt` converting a existing private key in PEM format is quite easy:: +Using `python-jwt` converting an existing private key in PEM format is quite easy:: import python_jwt as jwt, jwcrypto.jwk as jwk @@ -554,4 +554,4 @@ Using `python-jwt` converting a existing private key in PEM format is quite easy {"body": {}, "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/"} -The uri can be retrieved from the ACME create account endpoint, when trying to create a new account, using the existing key. \ No newline at end of file +The URI can be retrieved from the ACME create account endpoint when creating a new account, using the existing key. \ No newline at end of file
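Review bot: in the PATCH 1/4 hunk for docs/production/index.rst (@@ -511,3 +511,45 @@) the conversion snippet imports `python_jwt as jwt` but never uses it; the whole conversion is done by `jwcrypto.jwk`, so the import should go and the sentence should credit `jwcrypto` rather than `python-jwt`, leaving `import jwcrypto.jwk as jwk`, `priv_key = jwk.JWK.from_pem(...)` and `print(priv_key.export())`. It is also worth saying that `JWK.export()` writes out the private parameters (`d`, `p`, `q`, `dp`, `dq`, `qi`), which is exactly what `ACME_PRIVATE_KEY` needs, so the value that ends up in the Lemur config is secret key material and not just an account identifier. The `ACME_REGR` example stops at `/acme/acct/` with no account id; marking that as a placeholder would avoid the value being copied as-is. The closing sentence describes looking the URI up by re-running account creation with the existing key; naming the `onlyReturnExisting` field of the ACME newAccount request (RFC 8555 section 7.3.1) would make clear that this lookup does not create a second account. Finally, the hunk leaves the file without a trailing newline.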
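Review bot: in the PATCH 2/4 hunk for docs/administration.rst (@@ -1171,6 +1171,23 @@) `configration` is misspelled (`configuration`); it is carried unchanged into patches 3 and 4, so this is the place to fix it. The `.. data:: ACME_PRIVATE_KEY` description has a stray comma (`This is the private key the account was registered with (in JWK format).`), and both `.. data::` descriptions lack a terminating full stop. The text calls the two properties optional but does not say they are used as a pair; since the index.rst section added in PATCH 1/4 says both must be configured to reuse an account, stating here that `ACME_REGR` is the registration belonging to `ACME_PRIVATE_KEY` and that the two are set together would prevent a half-configured plugin.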
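Review bot: in the PATCH 3/4 hunk for docs/administration.rst (@@ -1175,7 +1175,7 @@) the `:ref:` role as shown carries no target: it reads `:ref:\`Using a pre-existing ACME account \`` with nothing after the title text, which Sphinx will not resolve. It should read `:ref:\`Using a pre-existing ACME account <AcmeAccountReuse>\`` so that it matches the `.. _AcmeAccountReuse:` label this same patch adds before the section title in docs/production/index.rst; worth checking that the angle-bracket target was not stripped when the patch was mailed.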
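Review bot: in the first PATCH 4/4 hunk for docs/production/index.rst (@@ -540,7 +540,7 @@) the article fix is right, but the sentence is still awkward and still names the wrong library: `Converting an existing private key in PEM format with \`jwcrypto\` is straightforward::` reads better and matches the code that follows, which only uses `jwcrypto.jwk`. The `configration` typo introduced in PATCH 2/4 in docs/administration.rst is not picked up by this spelling pass either.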
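Review bot: in the second PATCH 4/4 hunk for docs/production/index.rst (@@ -554,4 +554,4 @@) the rewritten sentence still ends with `\ No newline at end of file`; since this line is being touched anyway, adding the trailing newline here keeps the file clean for later diffs. The sentence could also mention that the account lookup is done with `onlyReturnExisting` set on the newAccount request (RFC 8555 section 7.3.1), which is what makes "creating a new account, using the existing key" return the existing account URL rather than registering a fresh one.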