ruhnet
/
leapi
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 2 Wiki Activity
Lets Encrypt certificate renewal API for server cluster and getssl.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
3 Branches
248 KiB
 
Branch: wildcard
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'wildcard'
${ noResults }
 ZIP  TAR.GZ
Ruel Tmeizeh - RuhNet b0cc266193 Sync, reload sync, cert upload, and process reload fixes. 6 months ago
.gitignore Split into separate files. 2 years ago
LICENSE Added license. 4 years ago
README.md README update, more detailed cert error logging. 8 months ago
actions.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago
amqp.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago
api.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago
go.mod Wildcard certs and Kazoo 10 months ago
go.sum Wildcard certs and Kazoo 10 months ago
leapi.service Fixed certificate locations for multi-domain, and changed SIGHUP to SIGUSR1 for reloading certs. 2 years ago
leapi_config.json.sample Fixed bug preventing ACL from being able to upload to other servers. 6 months ago
main.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago
sync.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago
util.go Sync, reload sync, cert upload, and process reload fixes. 6 months ago

README.md

LEAPI

LEAPI is a clustered server API system, written in Go, for managing Lets Encrypt certificate renewals.

LEAPI uses the excellent getssl Bash script for the actual renewal of certificates.

It can be used on a single server, but is particularly useful for clusters of servers, with many domains. You can use it standalone, for acquiring/renewing certificates for non web services, or with an external webserver like Nginx, Caddy, etc.

LEAPI operates in a multi-master configuration. When you add or delete a server or domain on any server, it automatically replicates the changes to all other servers, and renews your certificate. Replication is accomplished via HTTP.

Endpoints:

[GET] https://leapiserver.tld/api/servers --- List Servers

[PUT] https://leapiserver.tld/api/servers/web1.mybackend.com --- Add New Server

[DELETE] https://leapiserver.tld/api/servers/web1.mybackend.com --- Remove Server

[GET] https://leapiserver.tld/api/domains --- List Domains

[PUT] https://leapiserver.tld/api/domains/mycoolsite.com --- Add New Domain [PUT] https://leapiserver.tld/api/domains/%2A.example.com {"domain":"mycoolsite} --- Add New Domain (wildcard--urlencoded) [PUT] https://leapiserver.tld/api/domains {"domain":"*.example.com"} --- Add New Domain (wildcard domain in request body) [PUT] https://leapiserver.tld/api/domains {"domain":"*.example.com", "check_domain":"web1.example.com"} --- Add New Domain (wildcard domain in request body, with domain to use for checking if cert was installed [otherwise api.example.com will be used for check])

[DELETE] https://leapiserver.tld/api/domains/mycoolsite.com --- Remove Domain

[POST] https://leapiserver.tld/api/renew --- Force Renewal

[GET] https://leapiserver.tld/up --- Uptime Check

Install

  • Download the LEAPI binary, or build from source.
  • Copy it to /opt/leapi
  • You may use the included SystemD service file if you use a SystemD based distribution.
  • Edit the leapi_config.json file for your needs, leaving production set to false until setup is complete. Set the sync_type to either ssh or https. If you choose ssh you must create and copy keys and verify you can login to all servers that need to share files between each other. Note: if you enable https_server_port in the config file, LEAPI needs a certificate to be able to start (it requires the tls_chain_path_prefix and tls_key_path_prefix). You can generate a temporary self signed certificate and key with OpenSSL:
openssl req -x509 -nodes -newkey rsa:4096 -keyout privkey.key -out cert.crt -sha256 -days 365

cp cert.crt {tls_chain_path_prefix}00.crt # example: 'cp cert.crt /etc/ssl/leapi/chain00.crt'
cp privkey.key {tls_key_path_prefix}00.key
  • Copy the config file to /opt/leapi or /etc.
  • Install getssl
curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > /opt/leapi/getssl ; chmod 700 /opt/leapi/getssl
  • Create the base config for getssl:
/opt/leapi/getssl -w /opt/leapi -c mycoolsite.com
  • Start LEAPI, either from the commandline or with systemctl start leapi
  • Add your servers via the LEAPI API: (You don't necessarily have to do this on the server itself.)
curl -X PUT http://localhost/api/servers/server1.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/servers/server2.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/servers/server3.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
  • Add your domains via the LEAPI API:
curl -X PUT http://localhost/api/domains/mycoolsite.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/domains/myothersite.com -H 'Authorization: Bearer mySeCrEtKeY'
  • Assuming there were no errors, edit your leapi_config.json file and change production to true.
  • Force a renewal via the API:
curl -X POST http://localhost/api/renew -H 'Authorization: Bearer mySeCrEtKeY'

Installation

Build

  • You must have go v1.16 or later installed.
  • clone the repo in the usual way
cd leapi
go build

Install

mkdir -p /opt/leapi
cp ./leapi /opt/leapi
cp ./leapi.service /etc/systemd/system/
cp ./leapi_config.json.sample /opt/leapi/leapi_config.json
systemctl daemon-reload

Enable the Service

systemctl enable leapi
systemctl start leapi