cert-puller: using anvil to pull down & install new certificates, then restart services

Now that I have configured my webserver to pull down any new certificates, now it’s time to configure my clients to pull certificates from the webserver.

In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and installing those certificates.

In previous blog posts, I’ve described various steps leading up to this:

In this post, I will describe how I configured cert-puller to download & install certificates, and then restart services.

Installing anvil

This will need to be done on every host which you want to install the certificates.

I installed anvil from a FreeBSD package:

pkg install anvil

The anvil package installs the anvil user:

$ grep anvil /etc/passwd 
anvil:*:217:217:anvil certificate dropper:/var/empty:/usr/sbin/nologin

The cert-puller script supplied by the anvil package will run as that user.

Configuration file

The cert-puller configuration file is /usr/local/etc/anvil/cert-puller.conf. Here are the default values. They are closely connected to the default values for the acme.sh port.

CERT_SERVER="https://certs.example.org/certs"
MYCERTS="services.example.org"
SERVICES="nginx"

Let’s look at each one of those values.

  • CERT_SERVER – This is the URL to the webserver. The certificates will be available from this directory.
  • MYCERTS – A space separated list of the domains to be downloaded and installed.
  • SERVICES – The list of services to be restarted. e.g. apache

visudo

cert-puller uses sudo to copy files around. It does with without authentication but it can also show you exactly what commands it will run, provided the configuration file is correctly set up.

Here is what I was shown when I was setting up one of my Nagios servers:

[dvl@nagios02:~] $ cert-puller -s
anvil   ALL=(ALL) NOPASSWD:/bin/cp -a /var/db/anvil/ca.cer /usr/local/etc/ssl/ca.cer.tmp
anvil   ALL=(ALL) NOPASSWD:/bin/mv /usr/local/etc/ssl/ca.cer.tmp /usr/local/etc/ssl/ca.cer
anvil   ALL=(ALL) NOPASSWD:/bin/cp -a /var/db/anvil/nagios02.example.org.cer /usr/local/etc/ssl/nagios02.example.org.cer.tmp
anvil   ALL=(ALL) NOPASSWD:/bin/mv /usr/local/etc/ssl/nagios02.example.org.cer.tmp /usr/local/etc/ssl/nagios02.example.org.cer
anvil   ALL=(ALL) NOPASSWD:/bin/cp -a /var/db/anvil/nagios02.example.org.fullchain.cer /usr/local/etc/ssl/nagios02.example.org.fullchain.cer.tmp
anvil   ALL=(ALL) NOPASSWD:/bin/mv /usr/local/etc/ssl/nagios02.example.org.fullchain.cer.tmp /usr/local/etc/ssl/nagios02.example.org.fullchain.cer
anvil   ALL=(ALL) NOPASSWD:/usr/sbin/service apache24 graceful

I copied the above, ran sudo visudo, and pasted. Done.

You might also need to make some changes to your configuration files in case your certificate and key file names do not match what anvil provides.

Copy the .key file

anvil does not distribute key files. This is a design decision, based on security choices.

You must copy the .key file manually. You only need to do this once, when first configuring anvil.

The anvil crontab

Here is the crontab I installed in order to run cert-puller:

# use /bin/sh to run commands, overriding the default set by cron
SHELL=/bin/sh
# mail any output to here, no matter whose crontab this is
MAILTO=you@example.org

44 14 * * * /usr/local/bin/cert-puller

Adjust the time to suit your situation.

The logging

After doing the above configuration, I watched /var/log/messages, where the following magically appeared:

Jul 16 14:44:00 nagios02 cert-puller: starting /usr/local/bin/cert-puller
Jul 16 14:44:00 nagios02 cert-puller: fetching into /var/db/anvil
Jul 16 14:44:00 nagios02 cert-puller: checking certs for nagios02.unixathome.org
Jul 16 14:44:00 nagios02 cert-puller: nagios02.unixathome.org :: ca.cer
Jul 16 14:44:00 nagios02 cert-puller: nagios02.unixathome.org :: nagios02.unixathome.org.cer
Jul 16 14:44:00 nagios02 cert-puller: nagios02.unixathome.org :: nagios02.unixathome.org.fullchain.cer
Jul 16 14:44:00 nagios02 cert-puller: looking for cert files: /usr/bin/find /var/db/anvil -type f
Jul 16 14:44:00 nagios02 cert-puller: validating nagios02.unixathome.org.cer
Jul 16 14:44:00 nagios02 cert-puller: nagios02.unixathome.org.cer does not exist and will be installed
Jul 16 14:44:00 nagios02 cert-puller: installing nagios02.unixathome.org.cer
Jul 16 14:44:00 nagios02 cert-puller: validating ca.cer
Jul 16 14:44:00 nagios02 cert-puller: ca.cer does not exist and will be installed
Jul 16 14:44:00 nagios02 cert-puller: installing ca.cer
Jul 16 14:44:00 nagios02 cert-puller: validating nagios02.unixathome.org.fullchain.cer
Jul 16 14:44:00 nagios02 cert-puller: nagios02.unixathome.org.fullchain.cer does not exist and will be installed
Jul 16 14:44:00 nagios02 cert-puller: installing nagios02.unixathome.org.fullchain.cer
Jul 16 14:44:00 nagios02 cert-puller: doing a graceful on apache24
Jul 16 14:44:00 nagios02 cert-puller: stopping /usr/local/bin/cert-puller

Done

That was it. I checked the certificate in my browser, and it was the newly minted one from Let’s Encrypt.

I hope you find this useful. I have yet to complete my full deployment, and I know I have more work to do on this project.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top