getssl
lexicon
getssl | lexicon | |
---|---|---|
9 | 16 | |
2,036 | 1,442 | |
0.3% | - | |
7.0 | 8.8 | |
14 days ago | 3 months ago | |
Shell | Python | |
GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
getssl
-
Why Certificate Lifecycle Automation Matters
A 'competitor' to this would be GetSSL which is a pure-shell ACME client (plus OpenSSL and cURL) and can be executed on one host, but send verification tokens to remote systems (where you may not have cron access):
> Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, as it's a shared server for example.
* https://github.com/srvrco/getssl
-
why should we use ssl certificates for our self-hosted services in our internal network?
I first got by with self signed certificates, but with all the major browsers warning they'll stop supporting those eventually I finally bit the bullet last month and installed getssl to automatically update all my certificates once a month.
-
letsencrypt with noip free domain?
because I didn't want to install another package manager (snapd) on my Ubuntu 18.04 server I checked the ACME Client Implementations page and decided to try getssl, a nice little shell script that does everything I need and then some.
-
Running certbot container on schedule without cron?
I just have a dedicated container that runs getssl everyday. Anything that has a web interface (Or anything that requires TLS) gets it's own conf file that gets added to the daily check. Each conf file tells getssl how to load the certificate for its particular service.
-
LetsEncrypt / CertBot without snapd?
I have been using https://github.com/srvrco/getssl for years on my raspberry pi. It's a much simpler Bash script that doesn't break after every update.
- Uacme: ACMEv2 client written in plain C with minimal dependencies
- Any reason NOT to use Debian-provided Certbot?
-
Old files keep appearing bug
i have a problem where after installing getssl (https://github.com/srvrco/getssl) to /root/.getssl i populated it's contents with bunch of SSL files using Dockerfile's COPY command. And now no matter what i do they keep reappearing.
-
Should you use Let's Encrypt for internal hostnames?
> acme.sh
Another shell-based ACME client I like is dehyradted. But for sending certs to remote systems from one central area, perhaps the shell-based GetSSL:
> Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers.
* https://github.com/srvrco/getssl
In general, what you may want to do is configure Ansible/Puppet/etc, and have your ACME client drop the new cert in a particular area and have your configuration management system push things out from there.
lexicon
-
Dehydrated: Letsencrypt/acme client implemented as a shell-script
One of the biggest benefits of dehydrated is that it doesn't try to integrate with a DNS provider on its own. It just calls a hook, which can be implemented with a simple shell script[1]. The most popular third-party integration is lexicon[2], though you're not required to use Lexicon. (e.g. you're free to use awscli, gcloud, linode-cli, etc. to do the actual DNS record manipulation)
This means its dependencies footprint is much smaller, and allows you to do things that can be a nightmare to configure with Certbot or other alternatives. For example, at one of the scenarios I had to set up was that we had to query a credential via HashiCorp Vault, which is then used to cURL into an API endpoint. The shell script in total was pretty short (< 100 LOC) and it worked extremely well.
[1]: https://github.com/dehydrated-io/dehydrated/blob/master/docs...
[2]: https://github.com/AnalogJ/lexicon
-
Why Certificate Lifecycle Automation Matters
A reminder that if you an internal-only server where the typical http-01' verification connection method will not work, especially if you cannot easily/dynamically update DNS records, one can use dns-01* by using DNS aliasing/CNAME:
* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
So if you want a cert for www.internal.example.com, you will first have do a one-time change to have a _acme-challenge.www.internal… CNAME created to point to any other (sub-)domain where you can easily update things dynamically, e.g., www-internal.example-dnsapi.com.
When request the cert for "www.internal…", LE/ACME will look up the corresponding _acme-challenge record, and go to "_acme-challenge.www-internal.example-dnsapi.com. The nonce token will be there in the 'final' destination following the CNAME in a TXT, which shows LE/ACME that you control the DNS chain.
To do the DNS updating, you can use a CLI/Python library like Lexicon, which supports dozens of APIs:
* https://github.com/AnalogJ/lexicon
-
Easy HTTPS for your private networks
This leverages the ACME DNS server which has a REST API:
* https://github.com/joohoi/acme-dns
If your DNS provider has an API, you can hook into that for internal-only web servers; this handy code supports several dozen APIs so you don't have to re-invent the wheel:
* https://github.com/AnalogJ/lexicon
* https://pypi.org/project/dns-lexicon/
* https://dns-lexicon.readthedocs.io/en/latest/user_guide.html
- Wie kommt Google Safe Browsing darauf, dass alle Seiten auf meiner Dyndns Domain phishing Seiten sind?
-
Uacme: ACMEv2 client written in plain C with minimal dependencies
> It even comes preconfigured for various DNS providers[2]
Also, CLI utility that supports a bunch of APIs:
* https://github.com/AnalogJ/lexicon
-
what are better alternatives of noip?
Then, you can use ddclient, which supports many DNS services (including those providing DynDNS protocol), or you can write a Python script using the dns-lexicon module to manipulate the DNS records over the API.
- NextDNS Launches API
- Lexicon: Manipulate DNS records on various DNS providers in a standardized way.
- Lexicon: Manipulate DNS records on various DNS providers in a standardized way
- Some of the popular DNS management services as a self hosted service
What are some alternatives?
boulder - An ACME-based certificate authority, written in Go.
letsencrypt - Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.
cli - 🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
octoDNS - Tools for managing DNS across multiple providers
certificates - 🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
acme.sh - A pure Unix shell script implementing ACME client protocol
uacme - ACMEv2 client written in plain C with minimal dependencies
extdns - External DNS for docker-compose
puppeteer - Node.js API for Chrome
duckdns - Caddy module: dns.providers.duckdns
acme-tiny - A tiny script to issue and renew TLS certs from Let's Encrypt
lego - Let's Encrypt/ACME client and library written in Go