manuale
Split challenge generation & challenge verification
For ease of automation, please split the generation of a challenge & the verification call.
Workflow example:
- `manuale authorize --generate-only --method dns example.com >somefile`
- `grep TXT somefile | $custom_update_DNS --append example.com`
- `manuale authorize --verify-only --method dns example.com`
manuale as its name suggests... 😄
I use this shell function as a background job: https://github.com/szepeviktor/debian-server-tools/blob/master/security/cert-update-manuale-CN.sh#L31-L49
You may do something similar with your API-based DNS update.
Yes, I already have tooling to do the DNS update, but right now I need something that parses the manuale output and tells it to continue after the DNS change is live. Just want to cleanly split it up.
@szepeviktor since upstream seems to have stopped making any changes, interested in forking this fully?
I am content with the current state of manuale.
Hey,
As you might gather from the project name, I'm surprised to see that people are using this for automated issuance at all. My intention was to create an easy, guided interface for a real person who wants to do things by hand and/or is issuing a single one-off certificate. The only reason authorize and issue are separate commands at all is that a long time ago there wasn't a method to detect an existing authorization for a domain, and authorizations lived longer than certificates. Now that this isn't the case, I've been thinking of rolling the commands into one.
I'm not completely opposed to this idea, but you may be better served by another client designed for the purpose or a custom fork. For example, acme.sh has built-in DNS provider integrations and lets you drop in your own DNS authorization script if needed. Maybe once I get around to doing an ACMEv2 overhaul there could be a single high level guided issuance command and lower level commands for working with authorizations and orders that could be used in automated scripts.
Where I think it's also going to be more relevant is cases that request multiple validations (ACME-08 has renamed them from challenges) be completed, and upcoming validations like ip-01.
As for other clients, I tried many of them before winding up with Manuale. My use case is not fully automated, but just semi-automated by wrapping Manuale, to authorize & issue via DNS, then securely ship the key+cert to new hosts (they don't even exist yet when the issuance is done).
I'd agree with having a high-level command that does authorize & issue together, which really wraps around lower-level commands (and are also exposed).
Manuale is the closest there is to a good competing Python Library other than Certbot's ACME module. Many others either just wrap certbot's ACME, or provide a minimal implementation.
I am open to a PR :)
perkeLE (https://github.com/schors/perkele/) is a fork of ManuaLE.
New in perkeLE: support for HTTP validation. (In fact, that's the only validation method supported.)
Authorization is separate from certificate issuance. Authorizations last for months on Let's Encrypt: there's no need to waste time validating the domain every time you renew the certificate.
New in perkeLE: the authorization can be divided into two parts: get authorization, and check validation. You can distribute verification files manually.
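The glue that a split workflow needs, for both the DNS variant proposed in the issue (generate, push the TXT record, wait until it is live, then verify) and perkeLE's "get authorization / check validation" split for HTTP. This is an added example, not code from manuale, perkeLE or anyone in the thread. It assumes the key-authorization rules of RFC 8555 (sections 8.1, 8.3 and 8.4) and the JWK thumbprint of RFC 7638; `SAMPLE_GENERATE_OUTPUT` is a constructed stand-in for whatever a generate-only step would print (the page never shows the real format), and DNS lookups are passed in as callables so the wait loop can be exercised offline.

```python
"""Glue for a split "generate challenge / verify challenge" workflow.

Added example, not code from manuale, perkeLE or anyone in this thread. It
assumes the key-authorization rules of RFC 8555 (sections 8.1, 8.3 and 8.4)
and the JWK thumbprint of RFC 7638. SAMPLE_GENERATE_OUTPUT is a constructed
stand-in for whatever a generate-only step prints, and DNS lookups are passed
in as callables so the wait loop can be exercised without a network.
"""
import base64
import hashlib
import json
import re
import subprocess
import time
from typing import Callable, Dict, Iterable, List


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1. http-01 serves this string verbatim at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the key authorization for http-01 (RFC 8555 s8.3)."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01 publishes base64url(SHA-256(key authorization)) (RFC 8555 s8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed sample of a generate-only step's output. The page never shows
# manuale's real format, so the line shape here is an assumption of this example.
SAMPLE_GENERATE_OUTPUT = """\
Requesting challenges for example.com.
  _acme-challenge.example.com. IN TXT "gfj9Xq_constructed_value_one"
Requesting challenges for www.example.com.
  _acme-challenge.www.example.com. IN TXT "hK2mTz-constructed_value_two"
"""

# <name>[.] IN TXT "<base64url value>"
TXT_LINE = re.compile(r'^\s*(\S+?)\.?\s+IN\s+TXT\s+"([A-Za-z0-9_-]+)"\s*$', re.M)


def parse_txt_records(output: str) -> Dict[str, str]:
    """The `grep TXT somefile` step, done properly: record name -> expected value."""
    return {name: value for name, value in TXT_LINE.findall(output)}


def dig_txt(name: str, server: str = "") -> List[str]:
    """Production resolver: TXT strings dig(1) returns, optionally from one server."""
    cmd = ["dig", "+short", "TXT", name] + ([f"@{server}"] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: str,
                 resolvers: Iterable[Callable[[str], List[str]]],
                 attempts: int = 30, delay: float = 10.0,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Block until *every* resolver returns the expected value, or give up.

    Query each authoritative nameserver directly (one dig_txt per server): the
    CA asks them, and a recursive resolver may keep serving a cached empty or
    stale answer long after the update has landed.
    """
    resolvers = list(resolvers)
    for attempt in range(attempts):
        if all(expected in resolve(name) for resolve in resolvers):
            return True
        if attempt < attempts - 1:
            sleep(delay)
    return False


if __name__ == "__main__":
    records = parse_txt_records(SAMPLE_GENERATE_OUTPUT)
    # Real use: one dig_txt(name, server) closure per authoritative nameserver,
    # and run the verify-only step only after wait_for_txt() returns True.
    for name, value in records.items():
        print(f"{name}: publish TXT {value}, then poll before verifying")
```

`wait_for_txt` takes a list of resolvers rather than one on purpose: the thing L15 asks for ("tell it to continue after the DNS change is live") is only safe when every authoritative server answers with the new value, not when your local recursive resolver happens to. For perkeLE's HTTP split the same `key_authorization` is what the file at `http01_path(token)` must contain.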
I like the name!
@f-andrey why was DNS validation dropped?