Certgrinder is a client/server system for getting LetsEncrypt certificates for your infrastructure. ACME challenges are handled by the Certgrinder server, making it possible to get certificates in highly isolated environments, since only an SSH connection to the Certgrinder server is needed.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
It would be nice if the certgrinder x.yy.z running, log-level is ABC log message could include information to identify the client, like the reported SSH ip address.
It would also be nice if the Certificate SAN list is different from the expected message could state the difference between the current (on-disk certificate) and the expected domainsets. perhaps something like
f"to-be-added: {set(expected).difference(set(ondisk)) } to-be-removed: { set(ondisk).difference(set(expected)) }"Traceback (most recent call last):
File "/opt/certgrinder/virtualenv/bin/certgrinder", line 8, in <module>
sys.exit(main())
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/certgrinder/certgrinder.py", line 2259, in main
certgrinder.grind(args)
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/certgrinder/certgrinder.py", line 1835, in grind
getattr(self, args.method)()
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/certgrinder/certgrinder.py", line 1641, in periodic
if not self.check_ocsp():
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/certgrinder/certgrinder.py", line 1139, in check_ocsp
ocsp_response = self.load_ocsp_response(self.ocsp_response_path)
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/certgrinder/certgrinder.py", line 1045, in load_ocsp_response
return ocsp.load_der_ocsp_response(ocsp_response_data)
File "/opt/certgrinder/virtualenv/lib/python3.10/site-packages/cryptography/x509/ocsp.py", line 622, in load_der_ocsp_response
return ocsp.load_der_ocsp_response(data)
ValueError: error parsing asn1 value: ParseError { kind: ShortData }
Maybe build them in pre-commit hook?
certgrinderd should support a show acmeaccount command to return the acme url for https://datatracker.ietf.org/doc/rfc8657/ use
logging is a mess, especially when the client has to show logs from the server. Revamp the whole thing into structured logging.
I believe this should be
syslog-socket: "/run/systemd/journal/syslog"
on debian, it would be nice if the certgrinder client could try that on Linux, or perhaps try both the BSD and Debian paths before failing.
To avoid a changed SAN list being written to the same files
Running into a weird issue that is most certainly user error, would greatly appreciate some feedback...
Running certgrinder -c ~/certgrinder.conf get certificate to test setup, which results in one of two errors, depending how domain-list: is formatted.
When formatted as
domain-list: "example.com"
I receive the following error:
[certgrinder@proxy /]$ certgrinder -c ~/certgrinder.conf get certificate
Traceback (most recent call last):
File "/usr/local/bin/certgrinder", line 33, in
sys.exit(load_entry_point('certgrinder==0.17.2', 'console_scripts', 'certgrinder')())
File` "/usr/local/lib/python3.8/site-packages/certgrinder/certgrinder.py", line 2232, in main
certgrinder.grind(args)
File "/usr/local/lib/python3.8/site-packages/certgrinder/certgrinder.py", line 1799, in grind
assert isinstance(self.conf["domain-list"], list)
AssertionError
However, when formatted as
domain-list:
- "example.com"
the following ssh error appears, apparently related to having an illegal "-" in the command.
[certgrinder@proxy /]$ certgrinder -c ~/certgrinder.conf get certificate
2022-05-17 06:12:50 -0600 certgrinder INFO Getting new certificate for domainset ['example.com'] ...
2022-05-17 06:12:50 -0600 certgrinder WARNING ssh: illegal option -- -
.....
2022-05-17 06:12:50 -0600 certgrinder ERROR Did not get any output, expected a certificate chain in stdout from certgrinderd
This is on FreeBSD 13.0, client has stock ssh/d_configs, server slightly modified but I'm not sure how that could cause this.
Any idea what I am doing wrong?
The new cryptography 35.0 moved some stuff resulting in the error
AttributeError: module 'cryptography.hazmat.backends.openssl' has no attribute 'ocsp'
This happens when an OCSP responder isn't working and Certgrinderd goes to the next server, more info needed:
2020-10-14 00:00:04 +0000 certgrinder ERROR certgrinderd: OCSP request failed for URL http://ocsp.int-x3.letsencrypt.org with HTTP status code 500 - trying next OCSP server
2020-10-14 00:00:04 +0000 certgrinder WARNING Traceback (most recent call last):
2020-10-14 00:00:04 +0000 certgrinder WARNING File "/home/certgrinderd/virtualenv/bin/certgrinderd", line 8, in <module>
2020-10-14 00:00:04 +0000 certgrinder WARNING sys.exit(main())
2020-10-14 00:00:04 +0000 certgrinder WARNING File "/usr/home/certgrinderd/virtualenv/lib/python3.7/site-packages/certgrinderd/certgrinderd.py", line 1236, in main
2020-10-14 00:00:04 +0000 certgrinder WARNING method()
2020-10-14 00:00:04 +0000 certgrinder WARNING File "/usr/home/certgrinderd/virtualenv/lib/python3.7/site-packages/certgrinderd/certgrinderd.py", line 543, in get_ocsp_command
2020-10-14 00:00:04 +0000 certgrinder WARNING ocsp_response = self.get_ocsp_response(certpath=self.conf["certificate-file"])
2020-10-14 00:00:04 +0000 certgrinder WARNING File "/usr/home/certgrinderd/virtualenv/lib/python3.7/site-packages/certgrinderd/certgrinderd.py", line 608, in get_ocsp_response
2020-10-14 00:00:04 +0000 certgrinder WARNING ), "Unsupported access method, please file a certgrinder bug"
2020-10-14 00:00:04 +0000 certgrinder WARNING AssertionError: Unsupported access method, please file a certgrinder bug
2020-10-14 00:00:04 +0000 certgrinder ERROR Did not get an OCSP response in stdout from certgrinderd
2020-10-14 00:00:04 +0000 certgrinder ERROR Failed getting a new OCSP response for domainset: ['deic-ore.anycast.censurfridns.dk', 'deic-ore.anycast.censurfridns.nu', 'deic-ore.anycast.uncensoreddns.org', 'deic-ore.anycast.uncensoreddns.dk', 'anycast.censurfridns.dk', 'anycast.censurfridns.nu', 'anycast.uncensoreddns.org', 'anycast.uncensoreddns.dk']
reloadAllCertificates()
exporter_exporter: stopped
exporter_exporter: started
certgrinder should support a show caa command to make certgrinderd return the CAA record including method and account pin as described in https://datatracker.ietf.org/doc/rfc8657/
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.