sewer: a programmatic Let's Encrypt (ACME) client
Detailed description of the sewer Python project
Let’s Encrypt is a free, automated, and open Certificate Authority. - https://letsencrypt.org
sewer can easily be used as a code library.
sewer also comes with a command-line (cli) interface (app) that you can use from your favourite terminal.
For the changelog (release notes) see: https://github.com/komuw/sewer/releases
Installation

```bash
pip3 install sewer

# with All DNS Provider support, include aliyun, Hurricane Electric, Aurora, ACME ...
# pip3 install sewer[alldns]
# with Cloudflare support
# pip3 install sewer[cloudflare]
# with Aliyun support
# pip3 install sewer[aliyun]
# with HE DNS (Hurricane Electric DNS) support
# pip3 install sewer[hurricane]
# with Aurora DNS Support
# pip3 install sewer[aurora]
# with ACME DNS Support
# pip3 install sewer[acmedns]
# with Rackspace DNS Support
# pip3 install sewer[rackspace]
# with DNSPod DNS Support
# pip3 install sewer[dnspod]
# with DuckDNS DNS Support
# pip3 install sewer[duckdns]
```

sewer (from version 0.5.0) is now Python 3 only. To install the (now unsupported) Python 2 version, run:

```bash
pip install sewer==0.3.0
```

sewer is under active development and its API may change in backward-incompatible ways.
Usage

```python
import sewer

dns_class = sewer.CloudFlareDns(CLOUDFLARE_EMAIL='example@example.com',
                                CLOUDFLARE_API_KEY='nsa-grade-api-key')

# 1. to create a new certificate:
client = sewer.Client(domain_name='example.com',
                      dns_class=dns_class)
certificate = client.cert()
certificate_key = client.certificate_key
account_key = client.account_key
print("your certificate is:", certificate)
print("your certificate's key is:", certificate_key)
print("your letsencrypt.org account key is:", account_key)
# NB: your certificate_key and account_key should be SECRET.
# keep them very safe.

# you can write these out to individual files, eg:
with open('certificate.crt', 'w') as certificate_file:
    certificate_file.write(certificate)
with open('certificate.key', 'w') as certificate_key_file:
    certificate_key_file.write(certificate_key)
with open('account_key.key', 'w') as account_key_file:
    account_key_file.write(account_key)


# 2. to renew a certificate:
import sewer

dns_class = sewer.CloudFlareDns(CLOUDFLARE_EMAIL='example@example.com',
                                CLOUDFLARE_API_KEY='nsa-grade-api-key')

# the account key from step 1 identifies you to the CA; reuse it for renewals
with open('account_key.key', 'r') as account_key_file:
    account_key = account_key_file.read()

client = sewer.Client(domain_name='example.com',
                      dns_class=dns_class,
                      account_key=account_key)
certificate = client.renew()
certificate_key = client.certificate_key
with open('certificate.crt', 'w') as certificate_file:
    certificate_file.write(certificate)
with open('certificate.key', 'w') as certificate_key_file:
    certificate_key_file.write(certificate_key)


# 3. You can also request/renew wildcard certificates:
import sewer

dns_class = sewer.CloudFlareDns(CLOUDFLARE_EMAIL='example@example.com',
                                CLOUDFLARE_API_KEY='nsa-grade-api-key')
client = sewer.Client(domain_name='*.example.com',
                      dns_class=dns_class)
certificate = client.cert()
certificate_key = client.certificate_key
account_key = client.account_key
```
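The snippets above write the two private keys with a bare open(path, 'w'), so the files are created with the process umask (commonly 0644, readable by every local user), and a renewal truncates the old key in place while something else may be reading it. The helper below is an added example, not sewer's own code: it persists the three artefacts the way a practitioner would, creating each file via a 0600 temp file in the destination directory (tempfile.mkstemp opens with O_CREAT|O_EXCL, so a pre-planted symlink is not followed), fsyncing it, setting the final mode, then atomically renaming it into place. The certificate is public and gets 0644. The file names mirror the usage snippet; the check_private_key_file guard is the kind of thing to run before every renewal. Stdlib only.

```python
import os
import stat
import tempfile

# Names follow the usage snippet above; no assumption is made about sewer's cli naming.
CERT_FILE = "certificate.crt"
CERT_KEY_FILE = "certificate.key"
ACCOUNT_KEY_FILE = "account_key.key"
CERT_MODE = 0o644   # the certificate is public
KEY_MODE = 0o600    # private keys: owner read/write only


def write_file_atomically(path, data, mode):
    """Create `path` with exactly `mode`, never leaving a partial or world-readable file.

    mkstemp opens a brand-new file (O_CREAT|O_EXCL, 0600) in the destination
    directory, so nothing can pre-plant a symlink there or read it half-written;
    os.replace then swaps it in atomically, so readers see the old or the new file.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    path = os.path.abspath(path)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".sewer-")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp_path, mode)      # final mode is set before the file becomes visible
        os.replace(tmp_path, path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    return path


def check_private_key_file(path):
    """True only if `path` is a regular file (not a symlink) with no group/other permission bits."""
    info = os.lstat(path)
    if not stat.S_ISREG(info.st_mode):
        return False
    return (info.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def save_bundle(out_dir, certificate, certificate_key, account_key):
    """Persist what sewer.Client returns: one public certificate and two secrets.

    Returns {"certificate": path, "certificate_key": path, "account_key": path}.
    """
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    paths = {
        "certificate": write_file_atomically(
            os.path.join(out_dir, CERT_FILE), certificate, CERT_MODE),
        "certificate_key": write_file_atomically(
            os.path.join(out_dir, CERT_KEY_FILE), certificate_key, KEY_MODE),
        "account_key": write_file_atomically(
            os.path.join(out_dir, ACCOUNT_KEY_FILE), account_key, KEY_MODE),
    }
    for name in ("certificate_key", "account_key"):
        if not check_private_key_file(paths[name]):
            raise RuntimeError("%s is exposed: %s" % (name, paths[name]))
    return paths


def load_account_key(path):
    """Read the account key back for a renewal, refusing it if its permissions have been loosened."""
    if not check_private_key_file(path):
        raise RuntimeError("refusing to use account key with loose permissions: %s" % path)
    with open(path, "r") as handle:
        return handle.read()


if __name__ == "__main__":
    # constructed placeholder material, not a real key or certificate
    demo_dir = tempfile.mkdtemp(prefix="sewer-demo-")
    written = save_bundle(demo_dir, "CERT PEM", "CERT KEY PEM", "ACCOUNT KEY PEM")
    for label, p in written.items():
        print(label, oct(stat.S_IMODE(os.lstat(p).st_mode)), p)
```

The renewal path in step 2 becomes `account_key = load_account_key(...)` followed by `save_bundle(...)`, and the account key keeps its 0600 mode across every rewrite. The same check is worth applying to any key you pass via `--account_key` on the cli.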
cli

sewer also ships with a command-line interface (called sewer or sewer-cli) that you can use to get/renew certificates.
Your DNS provider credentials need to be supplied as environment variables. Note that a secret placed on the command line as in the examples below is recorded in your shell history; prefer exporting it from a file readable only by you, or having your process manager inject it.

To get a certificate, run:

```bash
CLOUDFLARE_EMAIL=example@example.com \
CLOUDFLARE_API_KEY=api-key \
sewer \
  --dns cloudflare \
  --domain example.com \
  --action run
```

To renew a certificate, run:

```bash
CLOUDFLARE_EMAIL=example@example.com \
CLOUDFLARE_API_KEY=api-key \
sewer \
  --account_key /path/to/your/account.key \
  --dns cloudflare \
  --domain example.com \
  --action renew
```

To see the help:

```
sewer --help
usage: sewer [-h] [--version] [--account_key ACCOUNT_KEY]
             [--certificate_key CERTIFICATE_KEY]
             --dns {cloudflare,aurora,acmedns,aliyun,hurricane}
             --domain DOMAIN
             [--alt_domains [ALT_DOMAINS [ALT_DOMAINS ...]]]
             [--bundle_name BUNDLE_NAME] [--endpoint {production,staging}]
             [--email EMAIL] --action {run,renew} [--out_dir OUT_DIR]
             [--loglevel {DEBUG,INFO,WARNING,ERROR,CRITICAL}]

Sewer is a Let's Encrypt(ACME) client.

optional arguments:
  -h, --help            show this help message and exit
  --version             The currently installed sewer version.
  --account_key ACCOUNT_KEY
                        The path to your letsencrypt/acme account key.
                        eg: --account_key /home/myaccount.key
  --certificate_key CERTIFICATE_KEY
                        The path to your certificate key.
                        eg: --certificate_key /home/mycertificate.key
  --dns {cloudflare,aurora,acmedns,aliyun,hurricane}
                        The name of the dns provider that you want to use.
  --domain DOMAIN       The domain/subdomain name for which you want to
                        get/renew certificate for. wildcards are also supported
                        eg: --domain example.com
  --alt_domains [ALT_DOMAINS [ALT_DOMAINS ...]]
                        A list of alternative domain/subdomain name/s (if any)
                        for which you want to get/renew certificate for.
                        eg: --alt_domains www.example.com blog.example.com
  --bundle_name BUNDLE_NAME
                        The name to use for certificate, certificate key and
                        account key. Default is name of domain.
  --endpoint {production,staging}
                        Whether to use letsencrypt/acme production/live
                        endpoints or staging endpoints. production endpoints
                        are used by default. eg: --endpoint staging
  --email EMAIL         Email to be used for registration and recovery.
                        eg: --email me@example.com
  --action {run,renew}  The action that you want to perform. Either run (get a
                        new certificate) or renew (renew a certificate).
                        eg: --action run
  --out_dir OUT_DIR     The dir where the certificate and keys file will be
                        stored. default: The directory you run sewer command.
                        eg: --out_dir /data/ssl/
  --loglevel {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        The log level to output log messages at.
                        eg: --loglevel DEBUG
```

The certificate, certificate key and account key will be saved in the directory from which you ran sewer (or in --out_dir). Use --endpoint staging while testing; the staging endpoint does not count against Let's Encrypt production rate limits, but its certificates are not trusted by browsers.
The command-line interface (app) is called sewer, or alternatively sewer-cli can be used.
Features

- Get certificates.
- Renew certificates.
- Support for multiple DNS providers.
- Support for wildcard certificates.
- Only ACME version 2 is supported.
- Bring your own DNS provider.
- Support for SAN certificates.
- Can be used as a Python library and as a command-line (cli) application.
- Bundles certificates.
- Well written (if I have to say so myself):
  - Good test coverage
  - Passing continuous integration
  - High grade statically analyzed code
Bring your own DNS provider

It is very easy to use any DNS provider with sewer.
All you have to do is create your own DNS class that is a subclass of sewer.BaseDns (https://github.com/komuw/sewer/blob/master/sewer/dns_providers/common.py) and implement the create_dns_record and delete_dns_record methods.
As an example, if you want to use AWS route53 as your DNS provider with sewer, you would do something like this:

```python
import sewer
import boto3


class AWSroute53Dns(sewer.BaseDns):
    def __init__(self, HostedZoneId, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
        self.dns_provider_name = 'AWS_route53'
        self.HostedZoneId = HostedZoneId
        self.boto_client = boto3.client(
            'route53',
            aws_access_key_id=AWS_ACCESS_KEY_ID,
            aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
        super(AWSroute53Dns, self).__init__()

    def create_dns_record(self, domain_name, domain_dns_value):
        """
        AWS route53 with boto3 documentation;
        https://boto3.readthedocs.io/en/latest/reference/services/route53.html#Route53.Client.change_resource_record_sets
        """
        # do whatever is necessary for your particular DNS provider to create a TXT DNS record
        # eg for AWS route53, it will be something like:
        # NB: a wildcard name (*.example.com) must have its leading '*.' stripped
        # before it is used to build the record name.
        self.boto_client.change_resource_record_sets(
            HostedZoneId=self.HostedZoneId,
            ChangeBatch={
                'Changes': [
                    {
                        'Action': 'CREATE',
                        'ResourceRecordSet': {
                            'Name': '_acme-challenge' + '.' + domain_name + '.',
                            'Type': 'TXT',
                            'TTL': 123,
                            # Route53 requires TXT rdata to be wrapped in double quotes
                            'ResourceRecords': [
                                {'Value': '"{0}"'.format(domain_dns_value)},
                            ]
                        }
                    },
                ]
            })

    def delete_dns_record(self, domain_name, domain_dns_value):
        # do whatever is necessary for your particular DNS provider to delete a TXT DNS record
        # eg for AWS route53, it will be something like:
        # (a DELETE must match the existing record set exactly: name, type, TTL and values)
        self.boto_client.change_resource_record_sets(
            HostedZoneId=self.HostedZoneId,
            ChangeBatch={
                'Changes': [
                    {
                        'Action': 'DELETE',
                        'ResourceRecordSet': {
                            'Name': '_acme-challenge' + '.' + domain_name + '.',
                            'Type': 'TXT',
                            'TTL': 123,
                            'ResourceRecords': [
                                {'Value': '"{0}"'.format(domain_dns_value)},
                            ]
                        }
                    },
                ]
            })


custom_route53_dns_class = AWSroute53Dns(HostedZoneId='my-zone',
                                         AWS_ACCESS_KEY_ID='access-key',
                                         AWS_SECRET_ACCESS_KEY='secret-access-key')

# create a new certificate:
client = sewer.Client(domain_name='example.com',
                      dns_class=custom_route53_dns_class)
certificate = client.cert()
certificate_key = client.certificate_key
account_key = client.account_key
print("certificate::", certificate)
print("certificate's key::", certificate_key)
```
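Two details trip up most home-grown providers, and the route53 sketch above shows neither: the DNS-01 record for a wildcard lives at the base name, so `*.example.com` and `example.com` are both validated via `_acme-challenge.example.com`, and a SAN request for both therefore puts two TXT values at one owner name, where a naive "create one record, delete one record" pairing either fails (Route53's CREATE refuses an existing set, and its DELETE must match the current values exactly) or wipes the other challenge. The provider below is an added example, not part of sewer: it honours the same two-method contract the route53 class implements, strips the wildcard label itself, and keeps a set of values per owner name. It falls back to a minimal stand-in base class when sewer is not installed (an assumption so the example runs offline); with sewer present it subclasses the real sewer.BaseDns.

```python
import collections

try:
    from sewer.dns_providers.common import BaseDns   # real base class when sewer is installed
except ImportError:                                   # assumption: stand-in so this runs without sewer
    class BaseDns(object):
        def __init__(self):
            pass


def challenge_name(domain_name):
    """Absolute owner name of the DNS-01 TXT record for `domain_name`.

    A wildcard is validated at its base name: '*.example.com' and 'example.com'
    both map to '_acme-challenge.example.com.'. The provider strips the leading
    '*.' itself rather than assuming the client already did.
    """
    name = domain_name.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name or ".." in name:
        raise ValueError("cannot build a challenge name for %r" % domain_name)
    return "_acme-challenge." + name + "."


class InMemoryDns(BaseDns):
    """DNS provider with the create/delete contract that sewer.Client calls.

    Records are kept as {owner name: set of TXT values}, so two challenges at the
    same owner name coexist and each delete removes only its own value. A real
    provider would UPSERT the merged value list at the DNS API instead of CREATE,
    and should not return from create_dns_record until the record is visible on
    the zone's authoritative servers, since the CA queries them straight away.
    """

    def __init__(self):
        # set before super().__init__(), as the route53 example above does
        self.dns_provider_name = "in_memory"
        self.zone = collections.defaultdict(set)
        super(InMemoryDns, self).__init__()

    def create_dns_record(self, domain_name, domain_dns_value):
        self.zone[challenge_name(domain_name)].add(domain_dns_value)

    def delete_dns_record(self, domain_name, domain_dns_value):
        name = challenge_name(domain_name)
        self.zone[name].discard(domain_dns_value)
        if not self.zone[name]:          # last value gone: drop the whole record set
            del self.zone[name]

    def txt_values(self, owner_name):
        """What a resolver would see for `owner_name` (sorted, for deterministic comparison)."""
        return sorted(self.zone.get(owner_name, ()))


if __name__ == "__main__":
    # constructed challenge values; real ones are derived from the ACME token and account key
    dns = InMemoryDns()
    dns.create_dns_record("example.com", "tokenA")
    dns.create_dns_record("*.example.com", "tokenB")
    print(dns.txt_values("_acme-challenge.example.com."))   # both values at one owner name
    dns.delete_dns_record("example.com", "tokenA")
    print(dns.txt_values("_acme-challenge.example.com."))   # tokenB survives
```

Plugging it in is `sewer.Client(domain_name='*.example.com', dns_class=InMemoryDns())`, which only makes sense against a resolver that reads `dns.zone`; the point of the class is the naming and multi-value logic that a Route53, Cloudflare or any other backend should reproduce.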
Development setup

See the contributing documentation for how to set up a development environment.

TODO

- Support more DNS providers
- https://github.com/komuw/sewer/milestone/1

FAQ

- Why another ACME client? I wanted an ACME client that I could use programmatically (as a library) to get/acquire certificates. However, I could not find anything satisfactory for use in Python code.
- Why is it called sewer? I really like the Kenyan hip hop artist called Kitu Sewer.

Here is the output of running sewer using the cli app:

```
CLOUDFLARE_EMAIL=example@example.com \
CLOUDFLARE_API_KEY=nsa-grade-api-key \
sewer \
  --endpoint staging \
  --dns cloudflare \
  --domain subdomain.example.com \
  --action run

2018-03-06 18:08.41 chosen_dns_provider message=Using cloudflare as dns provider.
2018-03-06 18:08.46 acme_register acme_server=https://acme-staging... domain_names=['subdomain.example.com'] sewer_version=0.5.0b
2018-03-06 18:08.52 acme_register_response acme_server=https://acme-staging... domain_names=['subdomain.example.com']
2018-03-06 18:08.52 apply_for_cert_issuance acme_server=https://acme-staging... domain_names=['subdomain.example.com'] sewer_version=0.5.0b
2018-03-06 18:09.01 apply_for_cert_issuance_response acme_server=https://acme-staging... domain_names=['subdomain.example.com']
2018-03-06 18:09.08 create_dns_record dns_provider_name=CloudFlareDns
2018-03-06 18:09.16 create_cloudflare_dns_record_response dns_provider_name=CloudFlareDns status_code=200
2018-03-06 18:09.36 send_csr acme_server=https://acme-staging... domain_names=['subdomain.example.com'] sewer_version=0.5.0b
2018-03-06 18:09.45 send_csr_response acme_server=https://acme-staging... domain_names=['subdomain.example.com']
2018-03-06 18:09.45 download_certificate acme_server=https://acme-staging... domain_names=['subdomain.example.com'] sewer_version=0.5.0b
2018-03-06 18:09.50 download_certificate_response acme_server=https://acme-staging... domain_names=['subdomain.example.com']
2018-03-06 18:09.54 the_end message=Certificate Succesfully issued. The certificate, certificate key and account key have been saved in the current directory
```