Receive x509 certs via ACME protocol and distribute them using Hashicorp Vault

acmevault

Features

🔐 Issues certificates from any ACME provider, such as Let's Encrypt
⏰ Automatically renews certificates before they expire
🔌 Stores all data inside Vault, decoupling the issuing server from the clients that consume the certificates

Why would I need this?

Problem Statement

Rolling out TLS encryption shouldn't need to be pitched anymore, even for internal services. The ACME DNS-01 challenge is proven and allows issuing certificates for machines that are not publicly routable. On the other hand, solving DNS-01 challenges requires credentials for your DNS provider, which are either highly privileged or have to be narrowly scoped.

In the case of Route53, unless you create dozens of hosted zones, one for each of your subdomains, the credentials that solve the challenge can modify every record in the zone, so handing them to each host that needs a certificate puts highly privileged IAM credentials at risk of leaking.

Acmevault requests short-lived IAM credentials for Route53, uses them to solve the DNS-01 challenges for the configured domains, and writes the issued X.509 certificates to Hashicorp Vault's K/V secrets engine, where they are readable only by the appropriate AppRole.

Its client mode reads the respective certificates from Vault, installs them to a preconfigured location and optionally invokes post-installation hooks.
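The two client-side behaviours described above, renewing before expiry and installing the material safely, are shown below as an added example. This is not acmevault's own code: the 30-day renewal window, the file names fullchain.pem and privkey.pem, and the self-signed certificate standing in for an ACME-issued one are all assumptions of this example. The point it makes beyond the text is that an installer must write the private key with mode 0600 and write both files atomically, so a service reloading mid-write never sees a truncated file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// NeedsRenewal reports whether a PEM-encoded leaf certificate expires within
// `leeway` of `now`. The size of the window is this example's assumption,
// not acmevault's configured value.
func NeedsRenewal(certPEM []byte, now time.Time, leeway time.Duration) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if now.Before(cert.NotBefore) {
		return false, fmt.Errorf("certificate not valid before %s", cert.NotBefore)
	}
	return now.Add(leeway).After(cert.NotAfter), nil
}

// InstallCert writes cert and key into dir. The key is never world-readable and
// both files are written via temp file + rename so readers never see a partial file.
// File names are an assumption of this example.
func InstallCert(dir string, certPEM, keyPEM []byte) (certPath, keyPath string, err error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", "", err
	}
	certPath = filepath.Join(dir, "fullchain.pem")
	keyPath = filepath.Join(dir, "privkey.pem")
	if err := atomicWrite(certPath, certPEM, 0o644); err != nil {
		return "", "", err
	}
	if err := atomicWrite(keyPath, keyPEM, 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, nil
}

// atomicWrite creates a temp file in the target directory, sets its mode before
// any data lands in it, fsyncs, and renames it over the destination.
func atomicWrite(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op after a successful rename
	if err := tmp.Chmod(mode); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path)
}

// SelfSignedCert is constructed scaffolding: a self-signed certificate standing
// in for what an ACME CA would issue, valid from notBefore for validity.
func SelfSignedCert(cn string, notBefore time.Time, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	// A 90-day certificate issued 70 days ago: 20 days left, inside a 30-day window.
	certPEM, keyPEM, err := SelfSignedCert("svc.internal.example", now.Add(-70*24*time.Hour), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	renew, err := NeedsRenewal(certPEM, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("needs renewal:", renew)
	dir, err := os.MkdirTemp("", "acmevault-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	c, k, err := InstallCert(dir, certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("installed", c, "and", k)
}
```

A post-installation hook would run after InstallCert returns, never between the two writes, so a reload always sees a matching cert and key pair.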

Overview

[Architecture overview diagram]

Installation

Docker / Podman

$ git clone https://github.com/soerenschneider/acmevault
$ cd acmevault
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/acmevault -conf /config/server.json

Binaries

Download a prebuilt binary from the releases section for your system.

From Source

As a prerequisite, you need the Go toolchain installed. Then you can install acmevault from source by invoking:

$ go install github.com/soerenschneider/acmevault@latest

Configuration

See the configuration section for examples and configuration reference.

Observability

See the metrics section for an overview of exposed metrics.

Changelog

See the full changelog here