Merge branch 'master' into azure-plugin
This commit is contained in:
commit
b916aef81f
@ -415,8 +415,8 @@ And the worker can be started with desired options such as the following::
|
||||
|
||||
supervisor or systemd configurations should be created for these in production environments as appropriate.
|
||||
|
||||
Add support for LetsEncrypt
|
||||
===========================
|
||||
Add support for LetsEncrypt/ACME
|
||||
================================
|
||||
|
||||
LetsEncrypt is a free, limited-feature certificate authority that offers publicly trusted certificates that are valid
|
||||
for 90 days. LetsEncrypt does not use organizational validation (OV), and instead relies on domain validation (DV).
|
||||
@ -424,7 +424,10 @@ LetsEncrypt requires that we prove ownership of a domain before we're able to is
|
||||
time we want a certificate.
|
||||
|
||||
The most common methods to prove ownership are HTTP validation and DNS validation. Lemur supports DNS validation
|
||||
through the creation of DNS TXT records.
|
||||
through the creation of DNS TXT records as well as HTTP validation, reusing the destination concept.
|
||||
|
||||
ACME DNS Challenge
|
||||
------------------
|
||||
|
||||
In a nutshell, when we send a certificate request to LetsEncrypt, they generate a random token and ask us to put that
|
||||
token in a DNS text record to prove ownership of a domain. If a certificate request has multiple domains, we must
|
||||
@ -462,6 +465,24 @@ possible. To enable this functionality, periodically (or through Cron/Celery) ru
|
||||
This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to
|
||||
Lemur's database (in the dns_providers table). Alternatively, you can manually input this data.
|
||||
|
||||
ACME HTTP Challenge
|
||||
-------------------
|
||||
|
||||
The flow for requesting a certificate using the HTTP challenge is not that different from the one described for the DNS
|
||||
challenge. The only difference is, that instead of creating a DNS TXT record, a file is uploaded to a Webserver which
|
||||
serves the file at `http://<domain>/.well-known/acme-challenge/<token>`
|
||||
|
||||
Currently the HTTP challenge also works without Celery, since it's done while creating the certificate, and doesn't
|
||||
rely on celery to create the DNS record. This will change when we implement mix & match of acme challenge types.
|
||||
|
||||
To create a HTTP compatible Authority, you first need to create a new destination that will be used to deploy the
|
||||
challenge token. Visit `Admin` -> `Destination` and click `Create`. The path you provide for the destination needs to
|
||||
be the exact path that is called when the ACME providers calls ``http://<domain>/.well-known/acme-challenge/`. The
|
||||
token part will be added dynamically by the acme_upload.
|
||||
Currently only the SFTP and S3 Bucket destination support the ACME HTTP challenge.
|
||||
|
||||
Afterwards you can create a new certificate authority as described in the DNS challenge, but need to choose
|
||||
`Acme HTTP-01` as the plugin type, and then the destination you created beforehand.
|
||||
|
||||
LetsEncrypt: pinning to cross-signed ICA
|
||||
----------------------------------------
|
||||
|
@ -224,7 +224,7 @@ class AcmeHandler(object):
|
||||
def revoke_certificate(self, certificate):
|
||||
if not self.reuse_account(certificate.authority):
|
||||
raise InvalidConfiguration("There is no ACME account saved, unable to revoke the certificate.")
|
||||
acme_client, _ = self.acme.setup_acme_client(certificate.authority)
|
||||
acme_client, _ = self.setup_acme_client(certificate.authority)
|
||||
|
||||
fullchain_com = jose.ComparableX509(
|
||||
OpenSSL.crypto.load_certificate(
|
||||
|
@ -24,7 +24,7 @@ keyring==21.2.0 # via twine
|
||||
mccabe==0.6.1 # via flake8
|
||||
nodeenv==1.5.0 # via -r requirements-dev.in, pre-commit
|
||||
pkginfo==1.5.0.1 # via twine
|
||||
pre-commit==2.8.2 # via -r requirements-dev.in
|
||||
pre-commit==2.9.0 # via -r requirements-dev.in
|
||||
pycodestyle==2.6.0 # via flake8
|
||||
pycparser==2.20 # via cffi
|
||||
pyflakes==2.2.0 # via flake8
|
||||
@ -32,7 +32,7 @@ pygments==2.6.1 # via readme-renderer
|
||||
pyyaml==5.3.1 # via -r requirements-dev.in, pre-commit
|
||||
readme-renderer==25.0 # via twine
|
||||
requests-toolbelt==0.9.1 # via twine
|
||||
requests==2.24.0 # via requests-toolbelt, twine
|
||||
requests==2.25.0 # via requests-toolbelt, twine
|
||||
rfc3986==1.4.0 # via twine
|
||||
secretstorage==3.1.2 # via keyring
|
||||
six==1.15.0 # via bleach, cryptography, readme-renderer, virtualenv
|
||||
|
@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko
|
||||
beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare
|
||||
billiard==3.6.3.0 # via -r requirements.txt, celery
|
||||
blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven
|
||||
boto3==1.16.14 # via -r requirements.txt
|
||||
botocore==1.19.14 # via -r requirements.txt, boto3, s3transfer
|
||||
boto3==1.16.24 # via -r requirements.txt
|
||||
botocore==1.19.24 # via -r requirements.txt, boto3, s3transfer
|
||||
celery[redis]==4.4.2 # via -r requirements.txt
|
||||
certifi==2020.11.8 # via -r requirements.txt, requests
|
||||
certsrv==2.1.1 # via -r requirements.txt
|
||||
@ -79,19 +79,20 @@ pyrfc3339==1.1 # via -r requirements.txt, acme
|
||||
python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore
|
||||
python-editor==1.0.4 # via -r requirements.txt, alembic
|
||||
python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python
|
||||
python-ldap==3.3.1 # via -r requirements.txt
|
||||
pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339
|
||||
pyyaml==5.3.1 # via -r requirements.txt, cloudflare
|
||||
raven[flask]==6.10.0 # via -r requirements.txt
|
||||
redis==3.5.3 # via -r requirements.txt, celery
|
||||
requests-toolbelt==0.9.1 # via -r requirements.txt, acme
|
||||
requests[security]==2.24.0 # via -r requirements.txt, acme, certsrv, cloudflare, hvac, requests-toolbelt, sphinx
|
||||
requests[security]==2.25.0 # via -r requirements.txt, acme, certsrv, cloudflare, hvac, requests-toolbelt, sphinx
|
||||
retrying==1.3.3 # via -r requirements.txt
|
||||
s3transfer==0.3.3 # via -r requirements.txt, boto3
|
||||
six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, packaging, pynacl, pyopenssl, python-dateutil, retrying, sphinxcontrib-httpdomain, sqlalchemy-utils
|
||||
snowballstemmer==2.0.0 # via sphinx
|
||||
soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4
|
||||
sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in
|
||||
sphinx==3.3.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain
|
||||
sphinx==3.3.1 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain
|
||||
sphinxcontrib-applehelp==1.0.2 # via sphinx
|
||||
sphinxcontrib-devhelp==1.0.2 # via sphinx
|
||||
sphinxcontrib-htmlhelp==1.0.3 # via sphinx
|
||||
|
@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint
|
||||
aws-xray-sdk==2.5.0 # via moto
|
||||
bandit==1.6.2 # via -r requirements-tests.in
|
||||
black==20.8b1 # via -r requirements-tests.in
|
||||
boto3==1.16.14 # via aws-sam-translator, moto
|
||||
boto3==1.16.24 # via aws-sam-translator, moto
|
||||
boto==2.49.0 # via moto
|
||||
botocore==1.19.14 # via aws-xray-sdk, boto3, moto, s3transfer
|
||||
botocore==1.19.24 # via aws-xray-sdk, boto3, moto, s3transfer
|
||||
certifi==2020.11.8 # via requests
|
||||
cffi==1.14.0 # via cryptography
|
||||
cfn-lint==0.29.5 # via moto
|
||||
@ -24,7 +24,7 @@ decorator==4.4.2 # via networkx
|
||||
docker==4.2.0 # via moto
|
||||
ecdsa==0.14.1 # via moto, python-jose, sshpubkeys
|
||||
factory-boy==3.1.0 # via -r requirements-tests.in
|
||||
faker==4.14.2 # via -r requirements-tests.in, factory-boy
|
||||
faker==4.17.1 # via -r requirements-tests.in, factory-boy
|
||||
fakeredis==1.4.4 # via -r requirements-tests.in
|
||||
flask==1.1.2 # via pytest-flask
|
||||
freezegun==1.0.0 # via -r requirements-tests.in
|
||||
@ -69,7 +69,7 @@ pyyaml==5.3.1 # via -r requirements-tests.in, bandit, cfn-lint, moto
|
||||
redis==3.5.3 # via fakeredis
|
||||
regex==2020.4.4 # via black
|
||||
requests-mock==1.8.0 # via -r requirements-tests.in
|
||||
requests==2.24.0 # via docker, moto, requests-mock, responses
|
||||
requests==2.25.0 # via docker, moto, requests-mock, responses
|
||||
responses==0.10.12 # via moto
|
||||
rsa==4.0 # via python-jose
|
||||
s3transfer==0.3.3 # via boto3
|
||||
|
@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko
|
||||
beautifulsoup4==4.9.1 # via cloudflare
|
||||
billiard==3.6.3.0 # via celery
|
||||
blinker==1.4 # via flask-mail, flask-principal, raven
|
||||
boto3==1.16.14 # via -r requirements.in
|
||||
botocore==1.19.14 # via -r requirements.in, boto3, s3transfer
|
||||
boto3==1.16.24 # via -r requirements.in
|
||||
botocore==1.19.24 # via -r requirements.in, boto3, s3transfer
|
||||
celery[redis]==4.4.2 # via -r requirements.in
|
||||
certifi==2020.11.8 # via -r requirements.in, requests
|
||||
certsrv==2.1.1 # via -r requirements.in
|
||||
@ -78,7 +78,7 @@ pyyaml==5.3.1 # via -r requirements.in, cloudflare
|
||||
raven[flask]==6.10.0 # via -r requirements.in
|
||||
redis==3.5.3 # via -r requirements.in, celery
|
||||
requests-toolbelt==0.9.1 # via acme
|
||||
requests[security]==2.24.0 # via -r requirements.in, acme, certsrv, cloudflare, hvac, requests-toolbelt
|
||||
requests[security]==2.25.0 # via -r requirements.in, acme, certsrv, cloudflare, hvac, requests-toolbelt
|
||||
retrying==1.3.3 # via -r requirements.in
|
||||
s3transfer==0.3.3 # via boto3
|
||||
six==1.15.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils
|
||||
|
Loading…
Reference in New Issue
Block a user