I have already described how I use acme.sh to obtain SSL certificates from Let’s Encrypt. Today, I’m going to show you how I use anvil to copy those certificates from the original location to another directory, which is then used for rsync by another jail. Throughout this blog post, it is assumed that the cert-shifter will be run as the anvil user.

Why shift certificates?

As part of my certificate distribution solution, I want to copy the certificates to a webserver. I do not want to push them, I want the webserver to pull them. However, allowing the webserver to have access to the acme.sh jail is not a wise decision. Instead, I copy the certificates, which by definition are public, and not the keys, to another directory. This directory will then be nullfs mounted read-only into another jail (I call that the rsync jail). The copy process will connect to the rsync jail. Should that connection ever be exploited, all they have is public certificates.

I installed anvil from a FreeBSD package:

pkg install anvil

The anvil package installs the anvil user:

$ grep anvil /etc/passwd
anvil:*:217:217:anvil certificate dropper:/var/empty:/usr/sbin/nologin

The cert-shifter script supplied by the anvil package will run as that user.

The cert-shifter configuration file is /usr/local/etc/anvil/nf. These settings are closely connected to the default values for the acme.sh port.

CERT_SRC – the location of the certificates. The anvil user must be able to read everything in that directory. More precisely, the user which runs the cert-shifter command must be able to read that directory. I configured that via:

$ sudo ls -l /var/db/acme/certs/
drwxr-xr-x 2 acme anvil 9 Jun 30 21:10
drwxr-xr-x 2 acme anvil 9 Jul 13 22:18
drwxr-xr-x 2 acme anvil 9 Jul 11 22:32
drwxr-x--- 2 acme anvil 9 Jul 15 13:13
drwxr-xr-x 2 acme anvil 9 Jul 14 14:15
drwxr-xr-x 2 acme anvil 9 Jul 14 14:14
drwxr-xr-x 2 acme anvil 9 Jul 14 14:06
drwxr-xr-x 2 acme anvil 9 Jul 14 14:05
drwxr-xr-x 2 acme anvil 9 Jul 14 14:04
drwxr-xr-x 2 acme anvil 9 Jul 14 14:03
drwxr-xr-x 2 acme anvil 9 Jul 13 22:21
drwxr-xr-x 2 acme anvil 9 Jul 13 22:24
drwxr-xr-x 2 acme anvil 9 Jul 4 20:38

Let’s see what’s inside one of those directories:

-rw-r--r-- 1 acme anvil 3456 Jul 4 20:38 fullchain.cer

The above layout is how acme.sh produces certificates, and by design, that’s what anvil works with.

CERT_DST_ROOT – This is the top level directory where cert-shifter will copy the certificates.

CERT_DST_CERTS – This is the subdirectory of the above and it is where the certificates will be copied.

TMP – a temp directory used by cert-shifter when copying the certificates. It should be on the same filesystem as CERT_DST_CERTS because mv will be used during the copy process.

The default values should just work if you are using the acme.sh port. All you need to do is the chown described above.

Here is the crontab I set for the anvil user so the certificates are collected.

# mail any output to `dan', no matter whose crontab this
20 * * * /usr/local/bin/cert-shifter

Here is what it looked like when it last ran here:

Jul 15 20:19:00 certs cert-shifter: starting /usr/local/bin/cert-shifter
Jul 15 20:19:00 certs cert-shifter: collecting from /var/db/acme/certs/
Jul 15 20:19:00 certs cert-shifter: stopping /usr/local/bin/cert-shifter

As you can see, only one certificate was copied over. What’s in that directory? This:

-rw-r--r-- 1 anvil anvil 1647 Jul 15 13:13 ca.cer

NOTE: this differs from what acme.sh creates. The cert-shifter script renames all fullchain.cer files to be prefixed by the domain name. I do this because I store all my certificates in /usr/local/etc/ssl.

I run this script once a day, the same frequency as my acme.sh script, but not at the same time.
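To make the two rules above concrete (only public certificates ever leave the acme.sh tree, and the copy goes through TMP on the same filesystem so mv is an atomic rename), here is an added example of my own, not the cert-shifter script shipped by the anvil package. It is a minimal POSIX sh shifter that walks an acme.sh-style tree, refuses any file carrying key material, renames each chain to <domain>.fullchain.cer (the exact prefix format anvil uses is an assumption), and moves it into place through a staging directory. The destination defaults, the function names, and the sample tree it builds are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the anvil project's cert-shifter: a minimal POSIX sh
# certificate shifter for an acme.sh-style tree (one subdirectory per domain
# holding fullchain.cer next to the key). It copies ONLY public certificate
# chains, renames each one <domain>.fullchain.cer (prefix format assumed),
# stages it in TMP and mv's it into place so the rsync jail never reads a
# half-written file.

# CERT_SRC is the acme.sh location from the post; the destination defaults
# are assumptions, override them through the environment.
CERT_SRC="${CERT_SRC:-/var/db/acme/certs}"
CERT_DST_ROOT="${CERT_DST_ROOT:-/usr/local/etc/anvil}"
CERT_DST_CERTS="${CERT_DST_CERTS:-$CERT_DST_ROOT/certs}"
TMP="${TMP:-$CERT_DST_ROOT/tmp}"

log() { echo "cert-shifter: $*" >&2; }

# A file is shifted only if it carries a certificate and no key material:
# the destination is exported to another jail and must never hold a key.
is_public_cert() {
    if grep -q 'PRIVATE KEY' "$1"; then
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# shift_certs SRC DST TMPDIR: copy SRC/<domain>/fullchain.cer to
# DST/<domain>.fullchain.cer via TMPDIR. Writes the number of files shifted
# to stdout and progress to stderr. Unchanged chains are left alone so the
# rsync jail only ever sees real renewals.
shift_certs() {
    src="$1"; dst="$2"; tmpdir="$3"; shifted=0
    mkdir -p "$dst" "$tmpdir"
    log "collecting from $src/"
    for dir in "$src"/*/; do
        [ -d "$dir" ] || continue
        domain="$(basename "$dir")"
        chain="${dir}fullchain.cer"
        [ -f "$chain" ] || continue
        if ! is_public_cert "$chain"; then
            log "skipping $chain: not a public certificate"
            continue
        fi
        target="$dst/$domain.fullchain.cer"
        if [ -f "$target" ] && cmp -s "$chain" "$target"; then
            continue
        fi
        staged="$tmpdir/$domain.fullchain.cer"
        cp "$chain" "$staged"
        chmod 0644 "$staged"
        mv "$staged" "$target"   # rename(2): atomic because TMP shares the filesystem
        log "shifted $domain"
        shifted=$((shifted + 1))
    done
    echo "$shifted"
}

# make_sample_tree ROOT: build a constructed acme.sh-style tree for a demo.
# The PEM bodies are placeholders, not real certificates or keys.
make_sample_tree() {
    mkdir -p "$1/example.org" "$1/example.net"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-cert-body' \
        '-----END CERTIFICATE-----' > "$1/example.org/fullchain.cer"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-key-body' \
        '-----END PRIVATE KEY-----' > "$1/example.org/example.org.key"
    # example.net's fullchain.cer is (wrongly) a key: it must be refused.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-key-body' \
        '-----END PRIVATE KEY-----' > "$1/example.net/fullchain.cer"
}

# "demo" exercises the shifter on the constructed tree; "run" shifts
# $CERT_SRC into $CERT_DST_CERTS the way a daily cron job would.
case "${1:-}" in
    demo)
        root="$(mktemp -d)"
        make_sample_tree "$root/src"
        count="$(shift_certs "$root/src" "$root/dst/certs" "$root/dst/tmp")"
        echo "shifted $count certificate(s):"
        ls -l "$root/dst/certs"
        rm -rf "$root"
        ;;
    run)
        shift_certs "$CERT_SRC" "$CERT_DST_CERTS" "$TMP" >/dev/null
        ;;
esac
```

Saved as a script and invoked with `demo`, it shifts exactly one chain (example.org) and logs that example.net was skipped because its fullchain.cer contained key material; a second run shifts nothing because the target is unchanged. Invoked with `run` as the anvil user it behaves like the cron entry in the post, and the same grep check is a cheap thing to run over CERT_DST_CERTS periodically as a guard that no key ever landed in the exported directory.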