Merge pull request #1 from certkit-io/s3-directory-changes

Update Pathing When Requesting Certs From Storage

Author: J-Griffin

README.md

@@ -1,6 +1,18 @@
 # Ansible Role: certkit_io.sync
 
-An Ansible Role for Linux that installs a script which synchronizes SSL certificates managed by [Certkit.io](https://www.certkit.io/).
+An Ansible Role for Linux that installs a script which synchronizes SSL certificates managed by [Certkit.io](https://www.certkit.io/). It is published on Ansible Galaxy [here](https://galaxy.ansible.com/ui/standalone/roles/certkit_io/sync/install/).
+
+## Overview
+
+* Installs a simple synchronization script to whichever directory you specify.
+* Builds a configuration file from variables you give it.
+* Once installed, the script:
+  * Syncs the latest certificate from CertKit into a local directory using [minio-client](https://docs.min.io/community/minio-object-store/reference/minio-mc.html#quickstart).
+  * Copies the certificate into place if it is changed or missing.
+  * Optionally runs a post-update command (e.g. `nginx -s reload`).
+  * Logs all activity to `certkit.log` (keeping last 2000 log lines)
+  * Is periodically run on a Cron schedule.
+* To sync multiple certificates, call the role multiple times. See the [Syncing Multiple Certificates](#syncing-multiple-certificates) section.
 
 ## Requirements
 
@@ -21,7 +33,7 @@ All variables are listed below. They are all required, unless otherwise specifie
 - `certkit_bucket`: The name of your certkit storage bucket. Get this from the Certkit UI.
 - `certkit_access_key`: The access key for your certkit storage bucket. Get this from the Certkit UI.
 - `certkit_secret_key`: The secret key for your certkit storage bucket. Get this from the Certkit UI.
-- `certkit_common_name`: The domain name of the certificate. Prefix with * if it's a wildcard.
+- `certkit_certificate_id`: The ID of the certificate to sync.  Get this from the Certkit UI.
 - `certkit_dir`: The directory where the certkit sync script and config file will be placed. Arbitrary, pick what you'd like. Should be unique if multiple certkit scripts are installed on the same box!
 - `certkit_update_cmd`: Certkit sync runs this command whenever the certificates are updated. Use to inform the server of a new certificate.
 - `certkit_pem_destination`: File path where Certkit sync will write the certificate PEM file. This is wherever your server software expects the certificate to live.
@@ -45,8 +57,8 @@ None.
         certkit_access_key: YOUR_ACCESS_KEY
         certkit_secret_key: YOUR_SECRET_KEY
 
-        # This is the common name/domain of the certificate.  If it's wildcard, prefix with *.
-        certkit_common_name: "*.yourdomain.com"
+        # The ID of the certificate to sync.  Get this from the Certkit UI.
+        certkit_certificate_id: ab12
 
         # The directory where the certkit sync script and config file will be placed. Arbitrary, pick what you'd like.
         # When syncing multiple certificates, each configuration should use a different directory.
@@ -64,10 +76,11 @@ None.
 ## Syncing Multiple Certificates
 
 Sync more than one certificate by simply calling the role again. These variables will differ between each certificate:
-    - `certkit_common_name`
-    - `certkit_dir`
-    - `certkit_pem_destination`
-    - `certkit_key_destination`
+
+- `certkit_certificate_id`
+- `certkit_dir`
+- `certkit_pem_destination`
+- `certkit_key_destination`
 
 ## License
 

files/certkit-sync.sh

@@ -4,13 +4,13 @@ IFS=$'\n\t'
 
 # Expecting certkit.conf file to exist within the same directory as this script.
 # Expected vars:
-# CERTKIT_CERTIFICATE_DOMAIN
 # CERTKIT_S3_ACCESS_KEY
 # CERTKIT_S3_SECRET_KEY
 # CERTKIT_S3_BUCKET
+# CERTKIT_CERTIFICATE_ID
 # DESTINATION_PEM_FILE
 # DESTINATION_KEY_FILE
-# UPDATE_CERTIFICATE_CMD
+# UPDATE_CERTIFICATE_CMD (Optional)
 
 # To add to cron, and have this script sync daily at 2am:
 # (crontab -l 2>/dev/null; echo "0 2 * * * /path/to/certkit-sync.sh") | crontab -
@@ -64,20 +64,18 @@ echo "Config:     $CONFIG_FILE"
 # shellcheck source=/dev/null
 source "$CONFIG_FILE"
 
-# Normalize directory and file names based on wildcard or not
-if [[ "$CERTKIT_CERTIFICATE_DOMAIN" == \*.* ]]; then
-  # Strip leading "*." for folder name
-  S3_FOLDER_NAME="${CERTKIT_CERTIFICATE_DOMAIN#*.}"
-  CERT_BASENAME="wildcard.${CERTKIT_CERTIFICATE_DOMAIN#*.}"
-else
-  S3_FOLDER_NAME="${CERTKIT_CERTIFICATE_DOMAIN}"
-  CERT_BASENAME="${CERTKIT_CERTIFICATE_DOMAIN}"
-fi
+: "${CERTKIT_CERTIFICATE_ID:?CERTKIT_CERTIFICATE_ID must be set in certkit.conf}"
+: "${CERTKIT_S3_ACCESS_KEY:?CERTKIT_S3_ACCESS_KEY must be set in certkit.conf}"
+: "${CERTKIT_S3_SECRET_KEY:?CERTKIT_S3_SECRET_KEY must be set in certkit.conf}"
+: "${CERTKIT_S3_BUCKET:?CERTKIT_S3_BUCKET must be set in certkit.conf}"
+: "${DESTINATION_PEM_FILE:?DESTINATION_PEM_FILE must be set in certkit.conf}"
+: "${DESTINATION_KEY_FILE:?DESTINATION_KEY_FILE must be set in certkit.conf}"
 
-CERT_DIR="${SCRIPT_DIR}/certs/${CERT_BASENAME}"
-CERTKIT_PEM_FILE="${CERT_BASENAME}.pem"
-CERTKIT_KEY_FILE="${CERT_BASENAME}.key"
+# Base S3 folder is /certificate-{id}/
+S3_FOLDER_NAME="certificate-${CERTKIT_CERTIFICATE_ID}"
 
+# Local directory for this certificate
+CERT_DIR="${SCRIPT_DIR}/certs/${S3_FOLDER_NAME}"
 mkdir -p "$CERT_DIR"
 
 # Ensure MinIO client (mc) is present locally next to the script
@@ -122,8 +120,8 @@ files_differ() {
   return 0    # differ
 }
 
-SRC_PEM="${CERT_DIR}/${CERTKIT_PEM_FILE}"
-SRC_KEY="${CERT_DIR}/${CERTKIT_KEY_FILE}"
+SRC_PEM=$(echo "$CERT_DIR"/*.pem)
+SRC_KEY=$(echo "$CERT_DIR"/*.key)
 
 NEED_UPDATE=false
 REASONS=()
@@ -172,4 +170,4 @@ else
 fi
 
 sleep 0.1
-echo "== $(date -Is) | Done"
+echo "== $(date -Is) | Done"

tasks/main.yml

@@ -10,7 +10,7 @@
 #   certkit_bucket - The name of your certkit storage bucket. Get this from the Certkit UI.
 #   certkit_access_key - The access key for your certkit storage bucket. Get this from the Certkit UI.
 #   certkit_secret_key - The secret key for your certkit storage bucket. Get this from the Certkit UI.
-#   certkit_common_name - The domain name of the certificate. Prefix with * if it's a wildcard.
+#   certkit_certificate_id - The ID of the certificate to sync.  Get this from the Certkit UI.
 #   certkit_dir - The directory where the certkit sync script and config file will be placed. Arbitrary, pick what you'd like. Should be unique if multiple certkit scripts are installed on the same box!
 #   certkit_update_cmd - Certkit sync runs this command whenever the certificates are updated. Use to inform the server of a new certificate.
 #   certkit_pem_destination - File path where Certkit sync will write the certificate PEM file. This is wherever your server software expects the certificate to live.
@@ -22,7 +22,7 @@
 #       certkit_bucket: certkit-1234
 #       certkit_access_key: YOUR_ACCESS_KEY
 #       certkit_secret_key: YOUR_SECRET_KEY
-#       certkit_common_name: "*.yourdomain.com"
+#       certkit_certificate_id: ab12
 #       certkit_dir: /opt/certkit-nginx
 #       certkit_update_cmd: "/usr/sbin/nginx -s reload"  
 #       certkit_pem_destination: "/etc/nginx/yourdomain.pem"

templates/certkit.conf.j2

@@ -3,8 +3,8 @@ CERTKIT_S3_ACCESS_KEY="{{certkit_access_key}}"
 CERTKIT_S3_SECRET_KEY="{{certkit_secret_key}}"
 CERTKIT_S3_BUCKET="{{certkit_bucket}}"
 
-# This is the common name/domain of the certificate.  If it's wildcard, prefix with *.
-CERTKIT_CERTIFICATE_DOMAIN="{{certkit_common_name}}"
+# The ID of the certificate to sync.  Get this from the Certkit UI.
+CERTKIT_CERTIFICATE_ID="{{certkit_certificate_id}}"
 
 # When certificates are updated, this command will be run.
 UPDATE_CERTIFICATE_CMD="{{certkit_update_cmd}}"