README.md
1# certmgr
2
3[![Build Status](https://travis-ci.org/cloudflare/certmgr.svg?branch=master)](https://travis-ci.org/cloudflare/certmgr)
4[![godoc](https://godoc.org/github.com/cloudflare/certmgr?status.svg)](https://godoc.org/github.com/cloudflare/certmgr)
5
6certmgr is a tool for managing certificates using CFSSL. It does the
7following:
8
9* Ensures certificates are present.
10* Renews certificates before they expire.
11* Triggering a service reload or restart on certificate updates.
12
13It operates on **certificate specs**, which are JSON files containing
14the information needed to generate a certificate.
15
16At regular intervals, `certmgr` will check that the parameters set in a certificate spec match the PKI material on disk. `certmgr` will take actions as needed in ensuring and regenerating PKI material as needed. If there's an error, a material refresh will happen at a later time.
17
18When run without any subcommands, certmgr will start monitoring
19certificates. The configuration and specifications can be validated
20using the `check` subcommand.
21
22If you want to further understand the package logic, take a look at the [godocs](https://godoc.org/github.com/cloudflare/certmgr).
23
24**Note**: `certmgr` requires Go 1.11 or later due to [cfssl](https://github.com/cloudflare/cfssl) dependency.
25
26
27## Web server
28
29When appropriately configured, `certmgr` will start a web server that
30has the following endpoints:
31
32* `/` just contains certmgr start time and current address.
33* `/metrics` is the Prometheus endpoint (see the Metrics section).
34
35## Metrics
36
37Prometheus is used to collect some useful `certmgr` metrics. You can find them in the [godoc](https://godoc.org/github.com/cloudflare/certmgr/metrics).
38
39## certmgr.yaml
40
41The configuration file must be a YAML file; it is expected to be in
42`/usr/local/etc/certmgr/certmgr.yaml`. The location can be changed using the
43`-f` flag.
44
45An example `certmgr.yaml` file is:
46
47```
48dir: /usr/local/etc/certmgr.d
49default_remote: ca.example.net:8888
50svcmgr: systemd
51before: 72h
52interval: 30m
53
54metrics_port: 8080
55metrics_address: localhost
56```
57
58This contains all of the currently available parameters:
59
60* `dir`: this specifies the directory containing the certificate specs
61* `svcmgr`: this specifies the service manager to use for restarting
62 or reloading services. This can be `systemd` (using `systemctl`),
63 `sysv` (using `service`), `circus` (using `circusctl`), `openrc` (using `rc-service`),
64 `dummy` (no restart/reload behavior), or `command` (see the command svcmgr section
65 for details of how to use this).
66* `before`: optional: this is the default duration before a certificate expiry that certmgr starts attempting to
67 renew PKI. This defaults to 72 hours.
68* `interval`: optional: this is the default for how often `certmgr` will check certificate expirations
69 and update PKI material on disk upon any changes (if necessary). This defaults to one hour.
70* `interval_splay`: optional: this is used to vary the interval period. A random time between 0
71 and this value is added to `interval` if specified. This defaults to 0.
72* `initial_splay`: if specified, a random sleep period between 0 and this value is used
73 for the initial sleep after startup of a spec. This provides a way to ensure that
74 if a fleet of certmgr are restarted at the same time, their period of wakeup is randomized
75 to avoid said fleet waking up and doing interval checks at the same time for a given spec.
76 This defaults to 0.
77* `metrics_address`: specifies the address for the Prometheus HTTP
78 endpoint.
79* `metrics_port`: specifies the port for the Prometheus HTTP endpoint.
80* `take_actions_only_if_running`: boolean, if true, only fire a spec's action if the service is actually running.
81 If this is set to false (the default for historical reasons), this can lead to certmgr starting a downed service
82 when PKI expiry occurs.
83
84
85## PKI Specs
86
87A spec is used to manage PKI material for a consuming app. A spec does not have to request a certificate/key, and does not have to request a CA; it must request at least one of those two modes, however.
88
89Said another way; you can use this to maintain a CA on disk. You can use this to maintain certificate/key pair signed by the given authority; you can do both modes if you wish, but one must be specified by the spec.
90
91An example spec that writes both a CA and certificate key pair defined in JSON:
92
93```
94{
95 "service": "nginx",
96 "action": "restart",
97 "request": {
98 "CN": "www.example.net",
99 "hosts": [
100 "example.net",
101 "www.example.net"
102 ],
103 "key": {
104 "algo": "ecdsa",
105 "size": 521
106 },
107 "names": [
108 {
109 "C": "US",
110 "ST": "CA",
111 "L": "San Francisco",
112 "O": "Example, LLC"
113 }
114 ]
115 },
116 "private_key": {
117 "path": "/etc/ssl/private/www.key",
118 "owner": "www-data",
119 "group": "www-data",
120 "mode": "0600"
121 },
122 "certificate": {
123 "path": "/home/kyle/tmp/certmgr/certs/test1.pem",
124 "owner": "www-data",
125 "group": "www-data"
126 },
127 "ca": {
128 "path": "/etc/myservice/ca.pem",
129 "owner": "www-data",
130 "group": "www-data"
131 },
132 "authority": {
133 "remote": "ca.example.net:8888",
134 "auth_key": "012345678012345678",
135 "label": "www_ca",
136 "profile": "three-month",
137 root_ca: "/etc/cfssl/api_server_ca.pem"
138 }
139}
140```
141
142And this is an example that writes just the CA to disk:
143```
144{
145 "service": "nginx",
146 "action": "restart",
147 "authority": {
148 "remote": "ca.example.net:8888",
149 "auth_key": "012345678012345678",
150 "label": "www_ca",
151 "profile": "three-month",
152 "file": {
153 "path": "/etc/myservice/ca.pem",
154 "owner": "www-data",
155 "group": "www-data"
156 },
157 root_ca: "/etc/cfssl/api_server_ca.pem"
158 }
159}
160```
161
162A certificate spec has the following fields:
163
164* `service`: this is optional, and names the service that the `action`
165 should be applied to.
166* `action`: this is optional, and may be one of "restart", "reload",
167 or "nop".
168* `svcmgr`: this is optional, and defaults to whatever the global
169 config defines. This allows fine-grained control for specifying the
170 svcmgr per cert. If you're using this in a raw certificate definition,
171 you likely want the 'command' svcmgr- see that section for details of
172 how to use it.
173* `request`: a CFSSL certificate request (see below). If this is specified, a `certificate` and `private_key` field is required.
174* `private_key` and `certificate`: file specifications (see below) for
175 the private key and certificate. Both must be specified- as must `request`- if you wish to manage a certificate/key pair.
176* `authority`: contains the CFSSL CA configuration (see below).
177* `before`: optional: this is the default duration before a certificate expiry that certmgr starts attempting to
178 renew PKI. This defaults to the managers default, which defaults to 72 hours if unspecified.
179* `interval`: optional: this is the default for how often `certmgr` will check certificate expirations
180 and update PKI material on disk upon any changes (if necessary). This defaults to the managers default, which
181 defaults to one hour if unspecified.
182* `interval_splay`: optional: this is used to vary the interval period. A random time between 0
183 and this value is added to `interval` if specified. This defaults to the managers default, which defaults to 0
184 if unspecified.
185* `initial_splay`: if specified, a random sleep period between 0 and this value is used
186 for the initial sleep after startup of a spec. This provides a way to ensure that
187 if a fleet of certmgr are restarted at the same time, their period of wakeup is randomized
188 to avoid said fleet waking up and doing interval checks at the same time for a given spec.
189 This defaults to the managers default, which defaults to 0 if unspecified.
190* `take_actions_only_if_running`: boolean, if true, only fire a spec's action if the service is actually running.
191 If this is set to false (the default for historical reasons), this can lead to certmgr starting a downed service
192 when PKI expiry occurs.
193* `key_usages`: optional: An array of strings defining what this key should be used for. Certmgr will consider a cert invalid
194 if it does not contain these key usages. Possible values are from cfssl's [ExtKeyUsage map](https://github.com/cloudflare/cfssl/blob/1.3.3/config/config.go#L568)
195
196
197
198**Note**: `certmgr` will throw a warning if `svcmgr` is `dummy` _AND_ `action` is "nop" or undefined. This is because such a setup will not properly restart or reload a service upon certificate renewal, which will likely cause your service to crash. Running `certmgr` with the `--strict` flag will not even load a certificate spec with a `dummy svcmgr` and undefined/nop `action` configuration.
199
200
201File specifications contain the following fields:
202
203* `path`: this is required, and is the path to store the file.
204* `owner`: this is optional; if it's not provided, the current user is
205 used.
206* `group`: this is optional; if it's not provided, the primary group
207 of the current user is used.
208* `mode`: this is optional; if it's not provided, "0644" will be
209 used. It should be a numeric file mode.
210
211CFSSL certificate requests have the following fields:
212
213* `CN`: this contains the common name for the certificate.
214* `hosts`: this is a list of SANs and/or IP addresses for the
215 certificate.
216* `key`: this is optional; it should contain an "algo" of either "rsa"
217 or "ecdsa" and a "size" appropriate for the chosen
218 algorithm. Recommendations are "rsa" and 2048 or "ecdsa"
219 and 256. The default is "ecdsa" and 256.
220* `names`: contains PKIX name information, including the "C"
221 (country), "ST" (state), "L" (locality/city), "O" (organisation),
222 and "OU" (organisational unit) fields.
223
224The CA specification contains the following fields:
225
226* `remote`: the CA to use. If not provided, the default remote from
227 the config file is used.
228* `auth_key`: the authentication key used to request a certificate.
229* `auth_key_file`: optional, if defined read the auth_key from this. If
230 `auth_key` and `auth_key_file` is defined, `auth_key` is used.
231* `label`: the CA to use for the certificate.
232* `profile`: the CA profile that should be used.
233* `file`: if this is included, the CA certificate will be saved here. It
234 follows the same file specification format above. Use this if you want to save your CA cert to disk.
235* `root_ca`: optionally, a path to a certificate to trust as CA for the
236 cfssl API server certificate. Usable if the "remote" is tls enabled
237 and configured with a self-signed certificate. By default,
238 the system root CA chain is trusted.
239
240## `command svcmgr` and how to use it
241
242If the svcmgr is set to `command`, then `action` is interpreted as a
243shell snippet to invoke via `bash -c`. Bash is preferred since
244it allows parse checks to run. If Bash isn't available, parse checks
245are skipped and `sh -c` is used. If `sh` can't be found, then this svcmgr
246is disabled. The `command svcmgr` is useful in Marathon environments.
247
248Environment variables are set as follows:
249
250* CERTMGR_CA_PATH: if CA was configured for the spec, this is the path
251 to the CA ondisk that was changed.
252* CERTMGR_CERT_PATH: This is the path to the cert that was written.
253* CERTMGR_KEY_PATH: This is the path to the key that was written.
254
255## Subcommands
256
257In addition to the certificate manager, there are a few utilities
258functions specified:
259
260* `check`: validates the configuration file and all the certificate
261 specs available in the certificate spec directory. Note that if you
262 wish to operate on just one spec, you can use `-d /path/to/that/spec`
263 to accomplish it.
264* `clean`: removes all of the certificates and private keys specified
265 by the certificate specs. Note that if you wish to operate on just one spec,
266 you can use `-d /path/to/that/spec` to accomplish it.
267* `ensure`: attempts to load all certificate specs, and ensure that
268 the TLS key pairs they identify exist, are valid, and that they are
269 up-to-date. Note that if you wish to operate on just one spec, you
270 can use `-d /path/to/that/spec` to accomplish this.
271* `genconfig`: generates a default configuration file and ensures the
272 default service directory exists.
273* `version`: prints certificate manager's version, the version of Go
274 it was built with, and shows the current configuration.
275
276## See also
277
278The `certmgr` spec is included as `SPEC.rst`.
279
280
281## Contributing
282
283To contribute, fork this repo and make your changes. Then, make a PR to this repo. A PR requires at least one approval from a repo admin and successful CI build.
284
285### Unit Testing
286Unit tests can be written locally. This should be straightforward in a Linux environment.
287To run them in a non-Linux environment, have Docker up and run `make test`. This will spin up a container with your local build. From here you can `go test -v ./...` your files. This unconventional setup is because [cfssl](https://github.com/cloudflare/cfssl), the underlying logic of `certmgr`, uses [cgo](https://golang.org/cmd/cgo/).
288