Commit 4869b6c6 authored Aug 12, 2016 by Adrien Dorsaz
Update documentations and clean non used file / code
parent ecfe88c7
Pipeline #30 passed with stage in 3 minutes and 48 seconds
Showing 5 changed files with 20 additions and 79 deletions
.travis.yml +0 -18
LICENSE +1 -0
README.md +5 -5
tests/README.md +13 -37
tests/test_module.py +1 -19
.travis.yml
deleted
100644 → 0
View file @
ecfe88c7
sudo
:
required
dist
:
trusty
language
:
python
python
:
-
"
2.7"
-
"
3.3"
-
"
3.4"
-
"
3.5"
-
"
nightly"
before_install
:
-
sudo apt-get install fuse
-
sudo chmod a+r /etc/fuse.conf
install
:
-
pip install -r tests/requirements.txt
script
:
-
coverage run --source ./ --omit ./tests/server.py -m unittest tests
after_success
:
-
coveralls
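Review bot: deleting `.travis.yml` also drops the Python version matrix it declared (2.7, 3.3, 3.4, 3.5, nightly) and the `coveralls` upload, and nothing in this commit shows what replaces them. tests/README.md now points at `.gitlab-ci.yml`; please state in the commit message which interpreters the GitLab runners cover, and check that `tests/requirements.txt` (not touched here) no longer lists packages that only the FUSE and coveralls setup needed.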
LICENSE
View file @
4869b6c6
The MIT License (MIT)
Copyright (c) 2015 Daniel Roesler
Copyright (c) 2016 Adrien Dorsaz
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
...
...
README.md
View file @
4869b6c6
...
...
@@ -5,7 +5,7 @@
This is a tiny, auditable script that you can throw on your server to issue
and renew
[
Let's Encrypt
](
https://letsencrypt.org/
)
certificates with DNS
authentic
ation.
valid
ation.
Since it has to have access to your private ACME account key and the
rights to update the DNS records of your DNS server, this code has been designed
...
...
@@ -13,7 +13,7 @@ to be as tiny as possible (currently less than 250 lines).
The only prerequisites are python (especially the dnspython module) and openssl.
**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT
WITH
YOUR ACCOUNT PRIVATE KEYS!**
**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT
! IT HANDLES
YOUR ACCOUNT PRIVATE KEYS!**
Note: this script is a fork of the
[
acme-tiny project
](
https://github.com/diafygi/acme-tiny
)
which uses ACME HTTP verification to create signed certificates.
...
...
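Review bot: the reworded bold warning still names only the account private keys, while the paragraph just above it says the script also holds the rights to update your DNS records. Readers skim the bold line, so name both secrets there, for example `IT HANDLES YOUR ACCOUNT PRIVATE KEY AND YOUR DNS UPDATE KEY`, and drop the stray space before the first `!`.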
@@ -88,7 +88,7 @@ openssl req -new -sha256 -key domain.key -subj "/CN=example.org" > domain.csr
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.org,DNS:www.example.org")) > domain.csr
```
### Step 3: Make your DNS server allow dynamic updates
### Step 3: Make your DNS server allow
s
dynamic updates
You must prove you own the domains you want a certificate for, so Let's Encrypt
requires you host some DNS resource records.
...
...
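Review bot: the new Step 3 heading reads "Make your DNS server allows dynamic updates", which is ungrammatical after "Make"; the original "allow" was correct. Please revert this line. Changing heading text also changes the generated anchor for anyone linking to Step 3.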
@@ -106,9 +106,9 @@ The configuration of the script will need:
*
the address and the port of the DNS server
The simplest way to configure the script is to copy the
`example.ini`
file
from this repository and update
the
values as needed.
from this repository and update values as needed.
**
Be careful! Set
permissions correctly on your
configuration file, because
**
Be careful! Set
read permissions correctly on the
configuration file, because
it will contain the key authorized to modify your DNS configuration !
**
### Step 4: Get a signed certificate!
...
...
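Review bot: "Set read permissions correctly" in the new warning is narrower than the old wording and still does not say what correct means. The file holds the key authorized to modify the DNS configuration, so state the target explicitly: readable and writable only by the user that runs the script, for example `chmod 600` on the copy of `example.ini`. Write access matters as much as read access, because the same file carries the address and port of the DNS server the script sends updates to.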
tests/README.md
View file @
4869b6c6
# How to test acme-tiny
# How to test acme-
dns-
tiny
Testing acme-tiny requires a bit of setup since it interacts with other servers
Testing acme-
dns-
tiny requires a bit of setup since it interacts with other servers
(Let's Encrypt's staging server) to test issuing fake certificates. This readme
explains how to setup and test acme-tiny yourself.
## Setup instructions
1.
Make a test subdomain for a server you control. Set it as an environmental
variable on your local test setup.
*
On your local:
`export TRAVIS_DOMAIN=travis-ci.gethttpsforfree.com`
2.
Generate a shared secret between your local test setup and your server.
*
`openssl rand -base64 32`
*
On your local:
`export TRAVIS_SESSION="<random_string_here>"`
3.
Copy and run the test suite mini-server on your server:
*
`scp server.py ubuntu@travis-ci.gethttpsforfree.com`
*
`ssh ubuntu@travis-ci.gethttpsforfree.com`
*
`export TRAVIS_SESSION="<random_string_here>"`
*
`sudo server.py`
4.
Install the test requirements on your local (FUSE and optionally coveralls).
*
`sudo apt-get install fuse`
*
`virtualenv /tmp/venv`
*
`source /tmp/venv/bin/activate`
*
`pip install -r requirements.txt`
1.
Setup environment variables:
*
Read top of monkey.py, all environnement variables used are defined there (top of file).
*
These variables corresponds to the configuration file you have to do when using in production.
*
If you don't own the gitlab project, you can set them on your build/test machine:
`export GITLABCI_DOMAIN=travis-ci.gethttpsforfree.com`
*
Otherwise, you have to use your gitlab project to define environment variables for gitlab runners.
2.
Install the test requirements on your build/test machine (automated by .gitlab-ci.yml for gitlab runners).
*
`cd /path/to/acme-dns-tiny`
*
`pip install --user -r tests/requirements.txt`
5.
Run the test suit on your local.
*
`cd /path/to/acme-tiny`
*
`coverage run --source ./ --omit ./tests/server.py -m unittest tests`
## Why use FUSE?
Acme-tiny writes the challenge files for certificate issuance. In order to do
full integration tests, we actually need to serve correct challenge files to
the Let's Encrypt staging server on a real domain that they can verify. However,
Travis-CI doesn't have domains associated with their test VMs, so we need to
send the files to the remote server that does have a real domain.
The test suite uses FUSE to do this. It creates a FUSE folder that simulates
being a real folder to acme-tiny. When acme-tiny writes the challenge files
in the mock folder, FUSE POSTs those files to the real server (which is running
the included server.py), and the server starts serving them. That way, both
acme-tiny and Let's Encrypt staging can verify and issue the test certificate.
This technique allows for high test coverage on automated test runners (e.g.
Travis-CI).
*
`cd /path/to/acme-dns-tiny`
*
`coverage run --source ./ -m unittest tests`
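Review bot: the rename to acme-dns-tiny is incomplete and the example value is inherited from upstream. The unchanged sentence "explains how to setup and test acme-tiny yourself" still says acme-tiny, and `export GITLABCI_DOMAIN=travis-ci.gethttpsforfree.com` reuses the Travis test domain from the removed instructions; use a placeholder such as `example.org` instead. Also fix "environnement" and "These variables corresponds", and since these variables stand in for the production configuration file, say plainly that they carry key material and belong in the GitLab project's variables, never in a committed file.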
tests/test_module.py
View file @
4869b6c6
...
...
@@ -55,24 +55,6 @@ class TestModule(unittest.TestCase):
self
.
assertIsInstance
(
result
,
ValueError
)
self
.
assertIn
(
"Key too small"
,
result
.
args
[
0
])
# def test_invalid_domain(self):
# """ Let's Encrypt rejects invalid domains """
# try:
# result = acme_dns_tiny.main([CONFIGS["invalidCSR"].name])
# except Exception as e:
# result = e
# self.assertIsInstance(result, ValueError)
# self.assertIn("Invalid character in DNS name", result.args[0])
#
# def test_nonexistant_domain(self):
# """ Should be unable verify a nonexistent domain """
# try:
# result = acme_dns_tiny.main([CONFIGS["inexistantDomain"].name])
# except Exception as e:
# result = e
# self.assertIsInstance(result, ValueError)
# self.assertIn("urn:acme:error:connection", result.args[0])
def
test_account_key_domain
(
self
):
""" Can't use the account key for the CSR """
try
:
...
...
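Review bot: removing the commented-out `test_invalid_domain` and `test_nonexistant_domain` leaves no trace that rejection of invalid CSR names and of unverifiable domains is untested. If they cannot pass against the DNS setup yet, keep them as real tests marked `@unittest.skip("reason")`, or reference a tracking issue in the commit message, so these negative cases are not forgotten. After this hunk only the "Key too small" and account-key-as-CSR-key failures remain visible here.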
@@ -86,4 +68,4 @@ class TestModule(unittest.TestCase):
if
__name__
==
"__main__"
:
unittest
.
main
()
# delete account key registration at end of tests
delete_account
(
CONFIGS
[
"key"
][
"accountkey"
].
name
)
\ No newline at end of file
delete_account
(
CONFIGS
[
"key"
][
"accountkey"
].
name
)
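Review bot: the `delete_account(...)` call placed after `unittest.main()` will not run "at end of tests" as its comment says. `unittest.main()` exits the interpreter by default, and the invocation documented in tests/README.md, `coverage run --source ./ -m unittest tests`, never executes the `__main__` block, so the test account registration is left behind after every run. Move the cleanup into `tearDownModule()` or a `tearDownClass` so it runs under any runner.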