How we automate acmetool

December 15, 2017

Acmetool is my preferred client for Let's Encrypt and the one we've adopted for our switch to Let's Encrypt at work. If you know acmetool, talking about automating it sounds like a contradiction in terms, because the entire design of acmetool is about automating everything already; you put it in cron (or more exactly you let it put itself in cron as part of setup with 'acmetool quickstart'), and then you forget about it. Perhaps you have to write a hook script or two or adjust file permissions because a daemon runs as a different user, but that should be it.

However, there are a few questions that acmetool will ask you initially and there's one situation where it has to ask you a new question during certificate renewal, as was pointed out by a commentator on my earlier entry:

Recently Let's Encrypt switched over to a new version of their user agreement (v1.2). As a result, all certificate renewals for old accounts started failing (because they had only agreed to v1.1), and I had to ssh to all our servers, interactively run acmetool, and re-confirm the signup process (agreement & email) myself.

Fortunately you can automate this too, and you should. Acmetool supports a response file, which contains answers to questions that acmetool may try to ask you during either installation or certificate renewal. We automate these questions by preinstalling a responses file in /var/lib/acme/conf, which makes 'acmetool quickstart' work without having to ask us anything. When Let's Encrypt updated their user agreement, we pushed out a new version of the responses file that auto-accepted it and so returned certificate renewals to working without any manual action.

(The first renewal attempt after Let's Encrypt's update reported errors, then we worked out what the problem was, updated the file, pushed out a new version, and everything was happy. My personal websites avoided the problem entirely because of the timing; I had a chance to update my own responses file before any of their renewals came up, and when renewal time hit acmetool was fine.)

The responses settings we use are:

"acme-enter-email": "<redacted>@<redacted>"
"acmetool-quickstart-choose-method": webroot
"acmetool-quickstart-webroot-path": "/var/www/.well-known/acme-challenge"
"acmetool-quickstart-install-cronjob": true
# add an additional line to accept any new user agreement

As shown in the example responses file, you can set additional parameters like the normal key type, RSA key size, and so on. We haven't bothered doing this so far, but we may in the future.

You could vary the email address if you wanted to (for example for different classes of machines). We don't bother, because it's mostly unimportant; in practice, all it gets is the occasional email about one of our generic test machine hostnames that hasn't renewed its certificate because we haven't been using that hostname for anything that needed one.

Written on 15 December 2017.
« How Python makes it hard to write well structured little utilities
Mozilla betrays Firefox users and its nominal principles »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Dec 15 15:27:36 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.