Merge pull request #1957 from pashinin/master
Write certs in Vault for Fabio load balancer
dnsconf
neil
6 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 5 deletions
- deploy/README.md
- deploy/vault_cli.sh
@ -295,4 +295,40 @@ You can then deploy the certificate as follows |
|
|
|
|
|
|
|
```sh |
|
|
|
acme.sh --deploy -d www.mydomain.com --deploy-hook gitlab |
|
|
|
``` |
|
|
|
``` |
|
|
|
|
|
|
|
## 12. Deploy your cert to Hashicorp Vault |
|
|
|
|
|
|
|
```sh |
|
|
|
export VAULT_PREFIX="acme" |
|
|
|
``` |
|
|
|
|
|
|
|
You can then deploy the certificate as follows |
|
|
|
|
|
|
|
```sh |
|
|
|
acme.sh --deploy -d www.mydomain.com --deploy-hook vault_cli |
|
|
|
``` |
|
|
|
|
|
|
|
Your certs will be saved in Vault using this structure: |
|
|
|
|
|
|
|
```sh |
|
|
|
vault write "${VAULT_PREFIX}/${domain}/cert.pem" value=@"..." |
|
|
|
vault write "${VAULT_PREFIX}/${domain}/cert.key" value=@"..." |
|
|
|
vault write "${VAULT_PREFIX}/${domain}/chain.pem" value=@"..." |
|
|
|
vault write "${VAULT_PREFIX}/${domain}/fullchain.pem" value=@"..." |
|
|
|
``` |
|
|
|
|
|
|
|
You might be using Fabio load balancer (which can get certs from |
|
|
|
Vault). It needs a bit different structure of your certs in Vault. It |
|
|
|
gets certs only from keys that were saved in `prefix/domain`, like this: |
|
|
|
|
|
|
|
```bash |
|
|
|
vault write <PREFIX>/www.domain.com cert=@cert.pem key=@key.pem |
|
|
|
``` |
|
|
|
|
|
|
|
If you want to save certs in Vault this way just set "FABIO" env |
|
|
|
variable to anything (ex: "1") before running `acme.sh`: |
|
|
|
|
|
|
|
```sh |
|
|
|
export FABIO="1" |
|
|
|
``` |
|
|
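Review bot: the Fabio example in this README hunk (`vault write <PREFIX>/www.domain.com cert=@cert.pem key=@key.pem`) does not match what the accompanying `vault_cli.sh` change actually stores, which is the full chain (`cert=@"$_cfullchain"`), so the text should say that the `cert` field holds fullchain.pem, not cert.pem, since that is what Fabio will serve. Two more things a reader of this section needs: setting `FABIO` replaces the four per-file keys (`cert.pem`, `cert.key`, `chain.pem`, `fullchain.pem`) rather than adding the Fabio-style key next to them, because the script writes one layout or the other; and "set to anything (ex: "1")" is accurate but worth making explicit, since the script tests `-n "$FABIO"`, so any non-empty value, including "0", enables the Fabio layout.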
@ -49,9 +49,13 @@ vault_cli_deploy() { |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 |
|
|
|
if [ -n "$FABIO" ]; then |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1 |
|
|
|
else |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1 |
|
|
|
$VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
} |
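Review bot: the `if [ -n "$FABIO" ]` branch silently changes which material lands in Vault (the full chain goes into `cert`, and the separate `cert.pem`/`chain.pem`/`cert.key`/`fullchain.pem` keys are no longer written), so a short comment above the `if` explaining the Fabio-expected layout and why `$_cfullchain` rather than `$_ccert` is used would save the next maintainer a trip to the README. Since the flag is only read from the environment here, it is also worth confirming that the renewal path re-exports `FABIO` the same way it does `VAULT_PREFIX`; otherwise a later run of the hook would fall into the `else` branch and leave the Fabio key at `${VAULT_PREFIX}/${_cdomain}` holding the expired certificate and key. Minor: the four `$VAULT_CMD write` lines in the `else` branch are a verbatim copy of the removed lines, so the diff is larger than the behavioural change; that is fine if intentional, but the unquoted `$VAULT_CMD` on each line would be a good candidate for a small cleanup while touching them.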