gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gsadmin/certctl:v2.0.8
Branches Tags
gsadmin/certctl:master
gsadmin/certctl:v2.1.7 gsadmin/certctl:v2.1.6 gsadmin/certctl:v2.1.5 gsadmin/certctl:v2.1.4 gsadmin/certctl:v2.1.3 gsadmin/certctl:v2.1.2 gsadmin/certctl:v2.1.1 gsadmin/certctl:v2.1.0 gsadmin/certctl:v2.0.72 gsadmin/certctl:v2.0.71 gsadmin/certctl:v2.0.70 gsadmin/certctl:v2.0.69 gsadmin/certctl:v2.0.68 gsadmin/certctl:v2.0.67 gsadmin/certctl:v2.0.66 gsadmin/certctl:v2.0.65 gsadmin/certctl:v2.0.64 gsadmin/certctl:v2.0.63 gsadmin/certctl:v2.0.62 gsadmin/certctl:v2.0.61 gsadmin/certctl:v2.0.60 gsadmin/certctl:v2.0.59 gsadmin/certctl:v2.0.57 gsadmin/certctl:v2.0.56 gsadmin/certctl:v2.0.55 gsadmin/certctl:v2.0.53 gsadmin/certctl:v2.0.54 gsadmin/certctl:v2.0.51 gsadmin/certctl:v2.0.52 gsadmin/certctl:v2.0.50 gsadmin/certctl:checkpoint/m1-migration-wip gsadmin/certctl:v2.0.49 gsadmin/certctl:v2.0.48 gsadmin/certctl:v2.0.47 gsadmin/certctl:v2.0.46 gsadmin/certctl:v2.0.45 gsadmin/certctl:v2.0.44 gsadmin/certctl:v2.0.43 gsadmin/certctl:v2.0.42 gsadmin/certctl:v2.0.41 gsadmin/certctl:v2.0.40 gsadmin/certctl:v2.0.39 gsadmin/certctl:v2.0.38 gsadmin/certctl:v2.0.37 gsadmin/certctl:v2.0.36 gsadmin/certctl:v2.0.35 gsadmin/certctl:v2.0.34 gsadmin/certctl:v2.0.33 gsadmin/certctl:v2.0.32 gsadmin/certctl:v2.0.31 gsadmin/certctl:v2.0.30 gsadmin/certctl:v2.0.29 gsadmin/certctl:v2.0.28 gsadmin/certctl:v2.0.27 gsadmin/certctl:v2.0.26 gsadmin/certctl:v2.0.25 gsadmin/certctl:v2.0.24 gsadmin/certctl:v2.0.23 gsadmin/certctl:v2.0.22 gsadmin/certctl:v2.0.21 gsadmin/certctl:v2.0.20 gsadmin/certctl:v2.0.19 gsadmin/certctl:v2.0.18 gsadmin/certctl:v2.0.17 gsadmin/certctl:v2.0.16 gsadmin/certctl:v2.0.15 gsadmin/certctl:v2.0.14 gsadmin/certctl:v2.0.13 gsadmin/certctl:v2.0.12 gsadmin/certctl:v2.0.11 gsadmin/certctl:v2.0.10 gsadmin/certctl:v2.0.9 gsadmin/certctl:v2.0.8 gsadmin/certctl:v2.0.7 gsadmin/certctl:v2.0.6 gsadmin/certctl:v2.0.5 gsadmin/certctl:v2.0.4 gsadmin/certctl:v2.0.3 gsadmin/certctl:v2.0.2 gsadmin/certctl:v2.0.1 gsadmin/certctl:v2.0.0 gsadmin/certctl:v1.0.0
...
compare: gsadmin/certctl:v2.0.17
Branches Tags
gsadmin/certctl:master
gsadmin/certctl:v2.1.7 gsadmin/certctl:v2.1.6 gsadmin/certctl:v2.1.5 gsadmin/certctl:v2.1.4 gsadmin/certctl:v2.1.3 gsadmin/certctl:v2.1.2 gsadmin/certctl:v2.1.1 gsadmin/certctl:v2.1.0 gsadmin/certctl:v2.0.72 gsadmin/certctl:v2.0.71 gsadmin/certctl:v2.0.70 gsadmin/certctl:v2.0.69 gsadmin/certctl:v2.0.68 gsadmin/certctl:v2.0.67 gsadmin/certctl:v2.0.66 gsadmin/certctl:v2.0.65 gsadmin/certctl:v2.0.64 gsadmin/certctl:v2.0.63 gsadmin/certctl:v2.0.62 gsadmin/certctl:v2.0.61 gsadmin/certctl:v2.0.60 gsadmin/certctl:v2.0.59 gsadmin/certctl:v2.0.57 gsadmin/certctl:v2.0.56 gsadmin/certctl:v2.0.55 gsadmin/certctl:v2.0.53 gsadmin/certctl:v2.0.54 gsadmin/certctl:v2.0.51 gsadmin/certctl:v2.0.52 gsadmin/certctl:v2.0.50 gsadmin/certctl:checkpoint/m1-migration-wip gsadmin/certctl:v2.0.49 gsadmin/certctl:v2.0.48 gsadmin/certctl:v2.0.47 gsadmin/certctl:v2.0.46 gsadmin/certctl:v2.0.45 gsadmin/certctl:v2.0.44 gsadmin/certctl:v2.0.43 gsadmin/certctl:v2.0.42 gsadmin/certctl:v2.0.41 gsadmin/certctl:v2.0.40 gsadmin/certctl:v2.0.39 gsadmin/certctl:v2.0.38 gsadmin/certctl:v2.0.37 gsadmin/certctl:v2.0.36 gsadmin/certctl:v2.0.35 gsadmin/certctl:v2.0.34 gsadmin/certctl:v2.0.33 gsadmin/certctl:v2.0.32 gsadmin/certctl:v2.0.31 gsadmin/certctl:v2.0.30 gsadmin/certctl:v2.0.29 gsadmin/certctl:v2.0.28 gsadmin/certctl:v2.0.27 gsadmin/certctl:v2.0.26 gsadmin/certctl:v2.0.25 gsadmin/certctl:v2.0.24 gsadmin/certctl:v2.0.23 gsadmin/certctl:v2.0.22 gsadmin/certctl:v2.0.21 gsadmin/certctl:v2.0.20 gsadmin/certctl:v2.0.19 gsadmin/certctl:v2.0.18 gsadmin/certctl:v2.0.17 gsadmin/certctl:v2.0.16 gsadmin/certctl:v2.0.15 gsadmin/certctl:v2.0.14 gsadmin/certctl:v2.0.13 gsadmin/certctl:v2.0.12 gsadmin/certctl:v2.0.11 gsadmin/certctl:v2.0.10 gsadmin/certctl:v2.0.9 gsadmin/certctl:v2.0.8 gsadmin/certctl:v2.0.7 gsadmin/certctl:v2.0.6 gsadmin/certctl:v2.0.5 gsadmin/certctl:v2.0.4 gsadmin/certctl:v2.0.3 gsadmin/certctl:v2.0.2 gsadmin/certctl:v2.0.1 gsadmin/certctl:v2.0.0 gsadmin/certctl:v1.0.0

22 Commits
v2.0.8 ... v2.0.17

Author SHA1 Message Date
shankar0123 a0b9285323 fix(gui): add missing Name field to certificate creation form 
The New Certificate modal was missing the required "name" field,
causing all certificate creation attempts to fail with "name is
required". Added Name text input above ID field with client-side
validation matching the backend requirement.

Fixes #GH-issue (name is required on certificate creation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-30 07:53:14 -04:00
shankar0123 2655493ac8 fix(docs): correct migration guides — 17 issues found via repo audit 
Fixes factual errors, broken links, wrong ports, inaccurate GUI
descriptions, and misleading config formats across all three migration
guides (certbot, acme.sh, cert-manager).

Key fixes:
- Correct server port from 8080/3000 to 8443 across all guides
- Fix HTTPS→HTTP for Docker Compose (not TLS-terminated)
- Fix heartbeat interval: 60 seconds, not 5 minutes
- Fix "50 servers" → "10 servers" (50 certs across 10 servers)
- Replace JSON config blocks with env var format (actual config method)
- Fix policy creation flow to match actual GUI (name/type/severity/config)
- Fix issuer wizard description to match actual 2-step flow
- Fix Vault PKI "coming in v2.1" → "planned" (ships post-2.1.0)
- Fix 5 broken links (cert-manager.md, quickstart anchors, architecture anchor)
- Remove claim of auto-generated suggestions in discovery flow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-30 01:34:22 -04:00
shankar0123 a8fc177118 fix: resolve NULL csr_pem scan errors and QA smoke test failures 
Root cause: certificate_versions.csr_pem is nullable in the schema but
Go code scanned it into a plain string. Used sql.NullString in
ListVersions and GetLatestVersion to handle NULL values correctly.

Also includes: partial update fetch-merge-update pattern to prevent FK
violations, nil directory guard in discovery service, diagnostic slog
logging in handlers, export handler 422 for unparseable PEM, OpenAPI
spec corrections, MCP tool description improvements, and test fixes.

Rewrites the Release Sign-Off section in testing-guide.md to individual
test-level granularity (320 rows) with smoke test results audited and
checked off (121 pass, 5 skip, 194 manual remaining).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-30 00:51:18 -04:00
shankar0123 20378ea7bb rename example READMEs to match their example names 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-29 18:35:21 -04:00
shankar0123 bcf2c3ae92 feat(pre-2.1.0): demo data overhaul, examples, migration guides, install script 
Pre-2.1.0 adoption polish delivering all four milestones:

A) Demo Data Overhaul — seed_demo.sql rewritten with 35 certs across
   5 issuers, 8 agents, 8 targets, 50+ jobs spanning 90 days, 55+
   audit events, discovery scans, network scan targets, S/MIME cert.

B) Examples Directory — 5 turnkey docker-compose configs:
   acme-nginx, acme-wildcard-dns01, private-ca-traefik,
   step-ca-haproxy, multi-issuer.

C) Migration Guides — migrate-from-certbot.md,
   migrate-from-acmesh.md, certctl-for-cert-manager-users.md.

D) Agent Install Script — install-agent.sh with cross-platform
   support (Linux systemd + macOS launchd), release.yml updated
   for 6-target cross-compilation.

Triple-audited against codebase: 22 factual corrections applied
across docs, examples, and config (env var names, CLI flags, ports,
DNS hook interface, scheduler loop counts, license conversion date).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-29 18:26:58 -04:00
shankar0123 5f81de3219 chore: bump version to 2.0.14, add gitignore rules 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 21:56:48 -04:00
shankar0123 397d2a1588 fix(helm): remove fail on empty postgresql password for lint/template 
Default to "changeme" so helm lint and helm template pass with stock
values. Operators override at install time via --set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 21:30:13 -04:00
shankar0123 65567d0d83 fix(helm): type comparison error and lint-time fail on empty apiKey 
- Use gt (int .Values.server.replicas) 1 to avoid incompatible type
  comparison between YAML integer and template literal
- Remove fail directive for empty apiKey — lint runs with defaults,
  operators set the key via --set at install time

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 21:28:05 -04:00
shankar0123 0abd984285 fix: staticcheck S1016 struct conversion + Helm with/else-if parse error 
- Use type conversion DigestStatusCount(c) instead of struct literal
- Replace with...else-if (invalid in Go templates) with if...else-if chain
- Add *.bak and cmd/agent/*.key/*.pem to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 21:25:25 -04:00
shankar0123 ec21c9bb29 feat(m28+m29+m30): ACME ARI, email digest, and Helm chart 
M28: ACME Renewal Information (RFC 9702) — CA-directed renewal timing
with cert ID computation, directory endpoint discovery, graceful
degradation for non-ARI CAs. 19 tests.

M29: Email notifier wiring + scheduled certificate digest — SMTP
connector bridged to service layer via NotifierAdapter, DigestService
with HTML email template, 7th scheduler loop (24h), digest preview/send
API endpoints and GUI card. 21 tests.

M30: Production-ready Helm chart — server Deployment, PostgreSQL
StatefulSet, agent DaemonSet, ConfigMaps, Secrets, Ingress, security
contexts, health probes, example values for dev/prod/ACME scenarios.

Also: OpenAPI spec updates, MCP tool additions, CI helm-lint job,
documentation updates across 5 doc files and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 21:18:35 -04:00
shankar0123 cb2ef9d0e7 chore: remove obsolete testing.md and test-gap-prompt.md 
These files are superseded by the comprehensive 34-section
docs/testing-guide.md. Removing to avoid confusion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 20:37:20 -04:00
shankar0123 da79dde611 revert: remove Docker Hub integration from release workflow and README 
Restores release workflow to ghcr.io-only publishing.
Removes Docker Pulls badge from README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 19:34:29 -04:00
shankar0123 935ea1bf9f ci: add Docker Hub dual-push and pulls badge to README 
Release workflow now pushes to both ghcr.io and Docker Hub on tag.
Adds shields.io Docker Pulls badge to README for social proof.
Requires DOCKERHUB_USERNAME and DOCKERHUB_TOKEN repo secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 19:24:12 -04:00
shankar0123 11e752ac01 docs: add v2.1.0 release gate note to README and testing guide 
v2.1.0 will be tagged after all 34 manual QA sections pass.
Updates sign-off table version reference from v2.0.7 to v2.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 18:09:41 -04:00
shankar0123 03472072b8 test + docs: close 12 test gaps (~250 new tests) and expand testing guide to 34 parts 
Implements all P0-P2 test gaps from docs/test-gap-prompt.md:
- Deployment service tests (20), target service tests (18), scheduler tests (8)
- Agent binary tests (48), CSR renewal tests (8), short-lived cert tests (7)
- Domain model tests (25), context cancellation tests (9), concurrency tests (7)
- Handler negative-path tests (23 across 5 files)
- Frontend error handling tests (86) and API client tests (7)

Expands testing-guide.md from 28 to 34 parts covering certificate export,
S/MIME/EKU, OCSP/DER CRL, body size limits, Apache/HAProxy connectors,
and sub-CA mode. Fixes stale profile count (4->5) and updates sign-off table.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 17:57:25 -04:00
shankar0123 63e6f3ef91 chore: update license contact email to certctl@proton.me 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 16:24:34 -04:00
shankar0123 a00bb349c4 feat(m27): certificate export (PEM/PKCS#12) and S/MIME EKU support 
Add certificate export in PEM (JSON or file download) and PKCS#12 formats.
Private keys are never included — they stay on agents. Add EKU-aware
issuance threading profile EKUs (serverAuth, clientAuth, codeSigning,
emailProtection, timeStamping) through the full issuance pipeline. Fix
agent CSR SAN splitting for email addresses, adaptive KeyUsage flags for
S/MIME vs TLS, and a pre-existing generateID collision bug in deployment
job creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 16:16:19 -04:00
shankar0123 78c7bc16b0 fix(gui): wire create modal onSuccess callbacks and fix short-lived profile UX 
- All 5 create modals (Profiles, Teams, Owners, Policies, Agent Groups)
  had no-op onSuccess callbacks — API call fired but modal never closed
  and list never refreshed. Wired invalidateQueries + setShowCreate.
- Removed silent try/catch error swallowing so API errors surface in UI.
- Profile create: auto-set TTL to 300s when short-lived checkbox enabled
  with TTL >= 3600, added validation hint and warning text.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 14:28:56 -04:00
shankar0123 1f98f31f83 chore: bump version to 2.0.9 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 14:12:12 -04:00
shankar0123 6d508cf53f fix: security audit remediation (AUDIT-001, 003, 004, 005, 006, 018) 
- AUDIT-001: Validate OpenSSL revoke inputs (hex-only serials, RFC 5280 reasons)
- AUDIT-003: Enforce /20 CIDR size cap at API level (create + update)
- AUDIT-004: Support comma-separated CERTCTL_AUTH_SECRET for zero-downtime key rotation
- AUDIT-005: Add ReadHeaderTimeout (5s) to prevent Slowloris
- AUDIT-006: Document audit trail query parameter exclusion rationale
- AUDIT-018: Add immediate-run-on-start to short-lived expiry scheduler loop

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 14:11:16 -04:00
shankar0123 591dcfb139 chore: remove CONTRIBUTING.md 
BSL 1.1 licensed project — external contributions not accepted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 12:21:18 -04:00
shankar0123 4881056528 docs: add auth configuration note to quickstart 
Clarify that Docker Compose demo runs with auth disabled and
explain how to enable API key auth for production deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-28 07:52:23 -04:00
140 changed files with 19784 additions and 631 deletions
Expand all files Collapse all files
.github/workflows/ci.yml
+17
View File
@@ -125,3 +125,20 @@ jobs:
- name: Build Frontend
working-directory: web
run: npx vite build
helm-lint:
name: Helm Chart Validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Helm
uses: azure/setup-helm@v4
with:
version: '3.13.0'
- name: Lint Helm Chart
run: helm lint deploy/helm/certctl/
- name: Template Helm Chart
run: helm template certctl deploy/helm/certctl/ > /dev/null
.github/workflows/release.yml
+138 -6
View File
@@ -7,9 +7,74 @@ on:
env:
REGISTRY: ghcr.io
GO_VERSION: '1.22'
jobs:
build-and-push:
# Cross-compile agent and server binaries for multiple platforms
build-binaries:
name: Build Cross-Platform Binaries
runs-on: ubuntu-latest
permissions:
contents: write
strategy:
matrix:
include:
# Agent binaries (4 platforms)
- os: linux
arch: amd64
binary: agent
- os: linux
arch: arm64
binary: agent
- os: darwin
arch: amd64
binary: agent
- os: darwin
arch: arm64
binary: agent
# Server binaries (2 platforms)
- os: linux
arch: amd64
binary: server
- os: linux
arch: arm64
binary: server
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Extract version from tag
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
- name: Build ${{ matrix.binary }} binary (${{ matrix.os }}-${{ matrix.arch }})
env:
GOOS: ${{ matrix.os }}
GOARCH: ${{ matrix.arch }}
CGO_ENABLED: 0
run: |
OUTPUT_NAME="certctl-${{ matrix.binary }}-${{ matrix.os }}-${{ matrix.arch }}"
go build -ldflags="-w -s -X main.Version=${{ steps.version.outputs.VERSION }}" \
-o "dist/${OUTPUT_NAME}" \
"./cmd/${{ matrix.binary }}"
ls -lh "dist/${OUTPUT_NAME}"
- name: Upload binaries to release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
dist/certctl-agent-*
dist/certctl-server-*
# Build and push Docker images
build-and-push-docker:
name: Build & Push Docker Images
runs-on: ubuntu-latest
permissions:
@@ -57,19 +122,67 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Create GitHub Release
# Create release notes with all artifacts
create-release:
name: Create Release Notes
runs-on: ubuntu-latest
needs: [build-binaries, build-and-push-docker]
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Extract version from tag
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
- name: Create release with notes
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
body: |
## Docker Images
## Installation
### Quick Install (Linux/macOS)
```bash
docker pull shankar0123.docker.scarf.sh/certctl-server:${{ steps.version.outputs.VERSION }}
docker pull shankar0123.docker.scarf.sh/certctl-agent:${{ steps.version.outputs.VERSION }}
curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
```
## Quick Start
### Manual Binary Download
Download the appropriate binary for your OS and architecture:
- **Linux x86_64**: `certctl-agent-linux-amd64`
- **Linux ARM64**: `certctl-agent-linux-arm64`
- **macOS x86_64**: `certctl-agent-darwin-amd64`
- **macOS ARM64 (Apple Silicon)**: `certctl-agent-darwin-arm64`
Then make it executable and start the service:
```bash
chmod +x certctl-agent-linux-amd64
sudo mv certctl-agent-linux-amd64 /usr/local/bin/certctl-agent
```
## Docker Images
Pull pre-built Docker images for server and agent:
```bash
docker pull ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
docker pull ghcr.io/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
```
Or use the latest tag:
```bash
docker pull ghcr.io/shankar0123/certctl-server:latest
docker pull ghcr.io/shankar0123/certctl-agent:latest
```
## Docker Compose Quick Start
```bash
git clone https://github.com/shankar0123/certctl.git
@@ -77,3 +190,22 @@ jobs:
cp deploy/.env.example deploy/.env
docker compose -f deploy/docker-compose.yml up -d
```
## Server Binaries
Pre-compiled server binaries are also available for direct installation:
- **Linux x86_64**: `certctl-server-linux-amd64`
- **Linux ARM64**: `certctl-server-linux-arm64`
## Helm Chart
Deploy certctl to Kubernetes using Helm:
```bash
helm repo add certctl https://github.com/shankar0123/certctl/tree/master/deploy/helm
helm repo update
helm install certctl certctl/certctl
```
See `deploy/helm/certctl/` for values customization.
.gitignore
+5
View File
@@ -43,6 +43,11 @@ vendor/
tmp/
temp/
*.log
*.bak
# Private keys (agent-generated, never commit)
cmd/agent/*.key
cmd/agent/*.pem
# Database
*.db
CONTRIBUTING.md
-162
View File
@@ -1,162 +0,0 @@
# Contributing to certctl
## Architecture Conventions
certctl follows a strict **Handler -> Service -> Repository** layering.
**Handlers** define their own service interfaces (dependency inversion). A handler never imports a concrete service type. This means adding a method to a service requires updating the corresponding handler interface and mock.
**Services** contain business logic. Each service should have at most 5-6 direct dependencies. If a service exceeds ~500 lines or ~6 dependencies, decompose it using the facade/delegation pattern (see `CertificateService` -> `RevocationSvc` + `CAOperationsSvc` for the reference implementation).
**Repositories** are PostgreSQL implementations behind interfaces defined in `internal/repository/interfaces.go`. All SQL is hand-written (no ORM). Use `IF NOT EXISTS` for schema, `ON CONFLICT` for idempotent upserts.
**Connectors** implement pluggable interfaces for issuers (`issuer.Connector`), targets (`target.Connector`), and notifiers (`Notifier`). The `IssuerConnectorAdapter` bridges the connector-layer interface with the service-layer interface to maintain dependency inversion.
### When to Split vs. Extend
Split a component when it exceeds ~500 lines, mixes distinct responsibilities (e.g., CRUD + revocation + CRL generation), or has more than 6 dependencies. Use the facade pattern to avoid breaking handler interfaces.
Extend an existing component when the new functionality is tightly coupled to existing state and adding a new file would create unnecessary indirection.
## Middleware Stack Ordering
The HTTP middleware chain is order-sensitive. The current ordering in `cmd/server/main.go`:
1. `RequestID` - assigns a unique request ID
2. `NewLogging` - structured slog middleware with request ID propagation
3. `Recovery` - panic recovery (must be early to catch panics in later middleware)
4. `NewBodyLimit` - request body size limits via `http.MaxBytesReader` (before auth to reject oversized payloads early)
5. `NewCORS` - CORS preflight handling (deny-by-default)
6. `NewAuth` - API key / JWT authentication
7. `NewAuditLog` - records every API call to the audit trail (after auth so actor is available)
When rate limiting is enabled, `NewRateLimiter` is inserted between `NewBodyLimit` and `NewCORS`.
Contributors adding new middleware must respect this ordering. Body-level middleware goes before auth. Auth-dependent middleware goes after auth.
## Test Patterns and Conventions
### Test File Organization
Every package with production code should have corresponding `_test.go` files in the same package (not a `_test` package). Test helpers belong in `testutil_test.go` within the package.
### Mock Naming Convention
Mock types in test files must be **unexported** (lowercase). The convention:
```go
// Good - unexported, test-only
type mockCertificateService struct { ... }
func newMockCertificateService() *mockCertificateService { ... }
// Bad - exported, leaks into package API
type MockCertificateService struct { ... }
```
**Known exception:** Handler test files currently use exported Mock types (e.g., `MockCertificateService`). This is a known deviation being tracked for cleanup.
### Service Layer Tests
Service tests use mock repositories defined in `internal/service/testutil_test.go`. The pattern:
```go
func TestMyService_Method(t *testing.T) {
repo := newMockCertificateRepository()
auditRepo := newMockAuditRepository()
auditService := NewAuditService(auditRepo)
svc := NewMyService(repo, auditService)
// Set up test data
repo.AddCert(&domain.ManagedCertificate{...})
// Exercise
err := svc.DoSomething(context.Background(), "cert-1")
// Verify
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
}
```
### Handler Layer Tests
Handler tests use `httptest.NewRequest` and `httptest.NewRecorder`. Each handler test file defines its own mock service type implementing the handler's service interface:
```go
type mockFooService struct {
err error
// fields for capturing calls and returning data
}
func TestFooHandler_List(t *testing.T) {
mock := &mockFooService{}
handler := NewFooHandler(mock)
// ...
}
```
### Repository Integration Tests
Repository tests in `internal/repository/postgres/` use `testcontainers-go` to spin up a real PostgreSQL 16 container. Key patterns:
- `setupTestDB(t)` creates a shared container for the test run
- `freshSchema(t, db)` creates an isolated PostgreSQL schema per test (`CREATE SCHEMA test_xxx; SET search_path TO test_xxx`)
- All migrations are run in each schema so tests start with a clean database
- Tests are skipped in CI short mode (`testing.Short()`) since they require Docker
- Run locally with: `go test ./internal/repository/postgres/... -v`
### Fuzz Tests
Fuzz tests use Go's native `testing/fuzz` framework. Located in `*_fuzz_test.go` files. Seed corpora include known adversarial inputs (SQL injection, shell metacharacters, etc.). Run with: `go test -fuzz=FuzzValidateShellCommand ./internal/validation/...`
### CI Coverage Thresholds
The CI pipeline enforces per-layer coverage floors:
| Layer | Threshold | Package Pattern |
|-------|-----------|-----------------|
| Service | 60% | `internal/service` |
| Handler | 60% | `internal/api/handler` |
| Domain | 40% | `internal/domain` |
| Middleware | 50% | `internal/api/middleware` |
Adding a new package with tests? Ensure it's included in the `go test` command in `.github/workflows/ci.yml`.
### Race Detection
All tests run with `-race` in CI. Never use shared mutable state without synchronization. The scheduler uses `sync/atomic.Bool` guards; follow the same pattern for any concurrent code.
## Adding New Features
1. **Domain model** in `internal/domain/` - types, constants, validation helpers
2. **Migration** in `migrations/` - `000N_feature.up.sql` and `.down.sql`, idempotent
3. **Repository interface** in `internal/repository/interfaces.go`, implementation in `internal/repository/postgres/`
4. **Service** in `internal/service/` with tests
5. **Handler** in `internal/api/handler/` defining its own service interface, with tests
6. **Route registration** via `HandlerRegistry` struct in `internal/api/router/router.go`
7. **Wire** in `cmd/server/main.go`
8. **OpenAPI spec** update in `api/openapi.yaml`
9. **GUI page** in `web/src/pages/` with route in `web/src/main.tsx`
10. **Seed data** in `migrations/seed_demo.sql` for demo mode
Every backend feature ships with its corresponding GUI surface.
## Environment
- **Go 1.25+**, **PostgreSQL 16+**, **Node.js 22+** (frontend)
- No ORM - raw `database/sql` + `lib/pq`
- No web framework - `net/http` stdlib routing
- Minimal dependencies: 5 direct Go dependencies (see `go.mod`)
- Frontend: Vite + React 18 + TypeScript + TanStack Query + Recharts + Tailwind CSS
## Documentation That Should Exist But Doesn't Yet
The following are recommended future additions:
- **Architecture diagrams** (Mermaid in `docs/architecture.md` covers some, but data flow diagrams for key workflows like renewal and revocation would help)
- **Threat model** (formal STRIDE analysis for the control plane, agent communication, and key management boundaries)
- **Testing philosophy guide** (rationale for mock-vs-real testing decisions, when to use testcontainers vs mocks)
- **Disaster recovery runbook** (PostgreSQL backup/restore, agent re-registration, CA key rotation procedures)
- **Upgrade guide** (migration steps between major versions, breaking change policy)
- **API versioning strategy** (how breaking changes will be handled when /api/v2 is needed)
LICENSE
+1 -1
View File
@@ -19,7 +19,7 @@ Change Date: March 14, 2033
Change License: Apache License, Version 2.0
For information about alternative licensing arrangements for the Licensed Work,
please contact: skreddy040@gmail.com
please contact: certctl@proton.me
Notice
README.md
+75 -22
View File
@@ -38,6 +38,11 @@ certctl is a self-hosted platform that automates the entire certificate lifecycl
| [Feature Inventory](docs/features.md) | Complete reference of all V2 capabilities, API endpoints, and configuration |
| [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
| [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
| [Migrate from Certbot](docs/migrate-from-certbot.md) | Step-by-step migration from Certbot/Let's Encrypt cron jobs |
| [Migrate from acme.sh](docs/migrate-from-acmesh.md) | Migration guide for acme.sh users with DNS-01 scripts |
| [certctl for cert-manager Users](docs/certctl-for-cert-manager-users.md) | Using certctl alongside cert-manager for non-Kubernetes infrastructure |
> **Next release:** v2.1.0 will be tagged after the full V2 feature suite passes manual QA across all 34 sections of the [testing guide](docs/testing-guide.md). Automated CI (1,471 Go tests + 193 frontend tests) gates every commit; the manual playbook covers integration, deployment, and UX verification that unit tests can't reach.
## Why certctl Exists
@@ -53,13 +58,19 @@ For a detailed comparison with CertKit, KeyTalk, and enterprise platforms (Venaf
certctl gives you a single pane of glass for every TLS certificate in your organization:
- **Web dashboard** — full certificate inventory with status, ownership, expiration heatmaps, and bulk operations
- **REST API** — 93 endpoints under `/api/v1/` + `/.well-known/est/` for complete automation
- **Agents** — generate private keys locally, discover existing certs on disk, submit CSRs (private keys never leave your servers)
- **Network scanner** — discovers certificates on TLS endpoints across CIDR ranges without requiring agents
- **Web dashboard** — 22 operational pages: certificate inventory, deployment timeline with TLS verification, bulk operations (renew/revoke/reassign), discovery triage, network scan management, approval workflows, audit trail with CSV/JSON export, agent fleet overview with OS/arch grouping, short-lived credential monitoring, digest email preview
- **REST API** — 99 endpoints under `/api/v1/` + `/.well-known/est/` for complete automation, with sparse fields, sort, cursor pagination, and time-range filters
- **Agents** — generate private keys locally (ECDSA P-256), discover existing certs on disk (PEM/DER), submit CSRs only (private keys never leave your servers)
- **Network scanner** — discovers certificates on TLS endpoints across CIDR ranges without requiring agents, concurrent scanning with configurable timeouts
- **Certificate export** — PEM (JSON or file download) and PKCS#12 formats, with audit trail; private keys never included
- **S/MIME + EKU support** — issue certificates with emailProtection, codeSigning, timeStamping, clientAuth EKUs; email SAN routing for S/MIME
- **EST server** (RFC 7030) — device and WiFi certificate enrollment via industry-standard protocol
- **Post-deployment verification** — agent-side TLS probe confirms the target serves the correct certificate by SHA-256 fingerprint match
- **Approval workflows** — require human sign-off on renewals before deployment
- **Background scheduler** — watches expiration dates and triggers renewals automatically, handling constant rotation at 47-day lifespans without human involvement
- **Background scheduler** — 7 automated loops: renewal checks, job processing, agent health, notifications, short-lived cert expiry, network scanning, and scheduled certificate digest emails
- **ACME Renewal Information (ARI, RFC 9702)** — CA-directed renewal timing; certctl asks the CA when to renew instead of using fixed thresholds
- **Scheduled certificate digest emails** — HTML digest with certificate stats, expiration timeline, and job health; optional daily briefing via SMTP
- **Helm chart** — Production-ready Kubernetes deployment with server, PostgreSQL, and agent DaemonSet
For the full capability breakdown — revocation infrastructure, policy engine, observability, EST enrollment, and more — see the [Feature Inventory](docs/features.md).
@@ -131,6 +142,8 @@ All connectors are pluggable — build your own by implementing the [connector i
</tr>
</table>
> **22 operational GUI pages** covering the full certificate lifecycle: dashboard, certificates (list + detail with EKU badges, deployment timeline, TLS verification status), agents, fleet overview, jobs (with approval workflow), notifications, policies, profiles, issuers, targets (wizard with NGINX/Apache/HAProxy/Traefik/Caddy/F5/IIS), owners, teams, agent groups, audit trail, short-lived credentials, discovery triage, and network scan management.
## Quick Start
### Docker Pull
@@ -150,7 +163,7 @@ docker compose -f deploy/docker-compose.yml up -d --build
Wait ~30 seconds, then open **http://localhost:8443** in your browser.
The dashboard comes pre-loaded with 15 demo certificates, 5 agents, policy rules, audit events, and notifications — a realistic snapshot of a certificate inventory so you can explore immediately.
The dashboard comes pre-loaded with 35 demo certificates across 5 issuers, 8 agents, 90 days of job history, discovery scan data, and network scan targets — a realistic snapshot of a certificate inventory that looks like it's been running for months.
Verify the API:
```bash
@@ -158,13 +171,21 @@ curl http://localhost:8443/health
# {"status":"healthy"}
curl -s http://localhost:8443/api/v1/certificates | jq '.total'
# 15
# 35
```
### Agent Install (One-Liner)
```bash
curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
```
Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details.
### Manual Build
```bash
# Prerequisites: Go 1.25+, PostgreSQL 16+
# Prerequisites: Go 1.25+, PostgreSQL 16+, Docker (for testcontainers-go)
go mod download
make build
@@ -186,7 +207,7 @@ export CERTCTL_AGENT_ID=agent-local-01
## Architecture
**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). Background scheduler runs 6 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.
**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). Background scheduler runs 7 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h), certificate digest (24h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.
### Key Design Decisions
@@ -350,7 +371,7 @@ make docker-clean # Stop + remove volumes
## API Overview
93 endpoints under `/api/v1/` + `/.well-known/est/`, all returning JSON. List endpoints support pagination, sparse field selection (`?fields=`), sort (`?sort=-notAfter`), time-range filters, and cursor-based pagination. Full request/response schemas in the [OpenAPI 3.1 spec](api/openapi.yaml).
99 endpoints under `/api/v1/` + `/.well-known/est/`, all returning JSON. List endpoints support pagination, sparse field selection (`?fields=`), sort (`?sort=-notAfter`), time-range filters, and cursor-based pagination. Full request/response schemas in the [OpenAPI 3.1 spec](api/openapi.yaml).
### Key Endpoints
```
@@ -358,6 +379,8 @@ make docker-clean # Stop + remove volumes
GET /api/v1/certificates List (filter, sort, cursor, sparse fields)
POST /api/v1/certificates/{id}/renew Trigger renewal → 202 Accepted
POST /api/v1/certificates/{id}/revoke Revoke with RFC 5280 reason code
GET /api/v1/certificates/{id}/export/pem Export PEM (JSON or file download)
POST /api/v1/certificates/{id}/export/pkcs12 Export PKCS#12 bundle (no private key)
GET /api/v1/crl/{issuer_id} DER-encoded X.509 CRL
GET /api/v1/ocsp/{issuer_id}/{serial} OCSP responder (good/revoked/unknown)
@@ -383,6 +406,10 @@ GET /api/v1/jobs/{id}/verification Get verification status
GET /api/v1/metrics/prometheus Prometheus exposition format
GET /api/v1/stats/summary Dashboard summary
# Digest emails (scheduled briefing)
GET /api/v1/digest/preview HTML email preview
POST /api/v1/digest/send Send digest immediately
# EST enrollment (RFC 7030)
POST /.well-known/est/simpleenroll Device certificate enrollment
GET /.well-known/est/cacerts CA certificate chain (PKCS#7)
@@ -457,11 +484,11 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
### V2: Operational Maturity
18 milestones complete, 1100+ tests. See the [Feature Inventory](docs/features.md) for details on every capability.
30 milestones complete, 1500+ tests. See the [Feature Inventory](docs/features.md) for details on every capability.
**What shipped (all ✅):**
- **Issuers** — Sub-CA mode (enterprise root chains), ACME DNS-01 + DNS-PERSIST-01 (wildcard certs, any DNS provider), step-ca (native /sign API), OpenSSL/Custom CA (script-based signing)
- **Issuers** — Sub-CA mode (enterprise root chains), ACME DNS-01 + DNS-PERSIST-01 (wildcard certs, any DNS provider), step-ca (native /sign API), OpenSSL/Custom CA (script-based signing), ACME ARI (RFC 9702, CA-directed renewal timing)
- **Revocation** — RFC 5280 reason codes, DER-encoded X.509 CRL, embedded OCSP responder, short-lived cert exemption
- **Profiles + Ownership** — certificate profiles (key types, max TTL, crypto constraints), ownership tracking (owners + teams), dynamic agent groups, interactive renewal approval
- **GUI Operations** — bulk renew/revoke/reassign, deployment timeline, inline policy editor, target wizard, audit export (CSV/JSON), short-lived credentials view
@@ -470,26 +497,52 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
- **EST Server** (RFC 7030) — device/WiFi certificate enrollment, PKCS#7 wire format, configurable issuer + profile binding
- **MCP Server** — 78 API operations as AI tools for Claude, Cursor, and any MCP-compatible client
- **CLI** — 12 subcommands (list/get/renew/revoke certs, agents, jobs, import, status), JSON/table output
- **Notifications** — Slack, Microsoft Teams, PagerDuty, OpsGenie connectors
- **Notifications** — Email (SMTP), Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie connectors
- **API Enhancements** — sparse fields, sort, time-range filters, cursor pagination, immutable API audit logging
- **Compliance Mapping** — SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides
- **Post-Deployment TLS Verification** — agent-side TLS probe confirms the target is serving the correct certificate by SHA-256 fingerprint match
- **Traefik + Caddy Targets** — Traefik (file provider, auto-reload) and Caddy (Admin API hot-reload or file-based)
- **Post-Deployment TLS Verification** — agent-side TLS probe confirms the target is serving the correct certificate by SHA-256 fingerprint match, verification status visible in deployment timeline
- **Traefik + Caddy Targets** — Traefik (file provider, auto-reload) and Caddy (Admin API hot-reload or file-based), both in target wizard GUI
- **Certificate Export** — PEM (JSON or file download) and PKCS#12 formats, private keys never included (agent-side only), audit trail, GUI export buttons
- **S/MIME Support** — EKU-aware issuance (emailProtection, codeSigning, timeStamping), adaptive KeyUsage flags, email SAN routing, EKU badges in GUI
- **ACME ARI (RFC 9702)** — CA-directed renewal timing: the CA tells certctl the optimal renewal window, gracefully degrading to fixed thresholds when ARI is unavailable
- **Scheduled Certificate Digest** — HTML email digests with certificate stats, expiration timeline, job trends, and agent health; configurable daily/hourly/weekly briefings via SMTP
- **Helm Chart** — Production-ready Kubernetes with server Deployment, PostgreSQL StatefulSet with PVC, Agent DaemonSet, security contexts, resource limits, optional Ingress
**Coming next:**
- **Certificate Export** (v2.1.x) — single-cert download in PFX/PKCS12, DER, and PEM formats
- **S/MIME Support** (v2.2.x) — profile EKU constraints for S/MIME (emailProtection), code signing, and custom EKUs
**Coming in v2.1.0:**
- Vault PKI issuer connector (HashiCorp Vault /sign API)
- DigiCert CertCentral issuer connector (enterprise CA)
- Dynamic issuer and target configuration via GUI (no env var restarts)
- Issuer catalog page (see all supported CAs, configure from dashboard)
- First-run onboarding wizard
- Turnkey deployment examples (ACME+NGINX, wildcard+DNS-01, private CA+Traefik, step-ca+HAProxy, multi-issuer)
- Migration guides (Certbot, acme.sh, cert-manager complement)
- One-line agent install script with cross-compiled binaries
### V3: certctl Pro
Team access controls, identity provider integration, enterprise deployment targets, compliance and risk scoring, advanced fleet operations, event-driven architecture, advanced search, real-time operational views, and premium CA integrations.
Team access controls, identity provider integration, enterprise deployment targets, compliance and risk scoring, advanced fleet operations, event-driven architecture, advanced search, real-time operational views.
### V4+: Cloud, Scale & Passive Discovery
Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Vault PKI, Google CAS, EJBCA), and platform-scale features (Terraform provider, multi-tenancy, HSM support).
Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Google CAS, EJBCA, Sectigo), and platform-scale features (Terraform provider, multi-tenancy, HSM support).
## Examples
Turnkey Docker Compose configurations for common scenarios — pick the one closest to your setup and have it running in 2 minutes.
| Example | Scenario |
|---------|----------|
| [`examples/acme-nginx/`](examples/acme-nginx/) | Let's Encrypt + NGINX, HTTP-01 challenges |
| [`examples/acme-wildcard-dns01/`](examples/acme-wildcard-dns01/) | Wildcard certs via DNS-01 (Cloudflare hook included) |
| [`examples/private-ca-traefik/`](examples/private-ca-traefik/) | Local CA (self-signed or sub-CA) + Traefik file provider |
| [`examples/step-ca-haproxy/`](examples/step-ca-haproxy/) | Smallstep step-ca + HAProxy combined PEM |
| [`examples/multi-issuer/`](examples/multi-issuer/) | ACME for public + Local CA for internal, one dashboard |
Each directory contains a `docker-compose.yml` and a `README.md` explaining the scenario, prerequisites, and customization.
## License
Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties.
Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties. The BSL 1.1 license converts automatically to Apache 2.0 on March 1, 2033, providing perpetual freedom.
For licensing inquiries: certctl@proton.me
api/openapi.yaml
+164
View File
@@ -62,6 +62,8 @@ tags:
description: Certificate discovery — filesystem scanning by agents and network TLS probing
- name: Network Scan
description: Network scan target management for active TLS certificate discovery
- name: Digest
description: Scheduled certificate digest email notifications
paths:
# ─── Health & Auth ───────────────────────────────────────────────────
@@ -248,6 +250,8 @@ paths:
$ref: "#/components/schemas/ManagedCertificate"
"400":
$ref: "#/components/responses/BadRequest"
"404":
$ref: "#/components/responses/NotFound"
"500":
$ref: "#/components/responses/InternalError"
delete:
@@ -259,6 +263,8 @@ paths:
responses:
"204":
description: Certificate archived
"404":
$ref: "#/components/responses/NotFound"
"500":
$ref: "#/components/responses/InternalError"
@@ -304,6 +310,12 @@ paths:
application/json:
schema:
$ref: "#/components/schemas/StatusResponse"
"400":
$ref: "#/components/responses/BadRequest"
"404":
$ref: "#/components/responses/NotFound"
"409":
$ref: "#/components/responses/Conflict"
"500":
$ref: "#/components/responses/InternalError"
@@ -367,6 +379,84 @@ paths:
"500":
$ref: "#/components/responses/InternalError"
# ─── Certificate Export ──────────────────────────────────────────────
/api/v1/certificates/{id}/export/pem:
get:
tags: [Certificates]
summary: Export certificate as PEM
description: |
Returns the certificate and its chain in PEM format. By default returns JSON
with cert_pem, chain_pem, and full_pem fields. Add ?download=true to get the
full PEM chain as a file download with Content-Disposition headers.
operationId: exportCertificatePEM
parameters:
- $ref: "#/components/parameters/resourceId"
- name: download
in: query
schema:
type: string
enum: ["true"]
description: Set to "true" to get a file download instead of JSON.
responses:
"200":
description: PEM export
content:
application/json:
schema:
type: object
properties:
cert_pem:
type: string
description: Leaf certificate PEM
chain_pem:
type: string
description: Intermediate/root chain PEM
full_pem:
type: string
description: Full PEM chain (cert + intermediates)
application/x-pem-file:
schema:
type: string
format: binary
description: Full PEM file (when download=true)
"404":
$ref: "#/components/responses/NotFound"
"500":
$ref: "#/components/responses/InternalError"
/api/v1/certificates/{id}/export/pkcs12:
post:
tags: [Certificates]
summary: Export certificate as PKCS#12
description: |
Returns a PKCS#12 (.p12) bundle containing the certificate and chain.
Private keys are NOT included — they live on agents and never touch the control plane.
The bundle is encrypted with the provided password (or empty password if omitted).
operationId: exportCertificatePKCS12
parameters:
- $ref: "#/components/parameters/resourceId"
requestBody:
content:
application/json:
schema:
type: object
properties:
password:
type: string
description: Password to encrypt the PKCS#12 bundle (can be empty)
responses:
"200":
description: PKCS#12 binary
content:
application/x-pkcs12:
schema:
type: string
format: binary
"404":
$ref: "#/components/responses/NotFound"
"500":
$ref: "#/components/responses/InternalError"
# ─── CRL & OCSP ─────────────────────────────────────────────────────
/api/v1/crl:
get:
@@ -740,6 +830,8 @@ paths:
$ref: "#/components/schemas/Agent"
"400":
$ref: "#/components/responses/BadRequest"
"409":
$ref: "#/components/responses/Conflict"
"500":
$ref: "#/components/responses/InternalError"
@@ -797,6 +889,8 @@ paths:
$ref: "#/components/schemas/StatusResponse"
"400":
$ref: "#/components/responses/BadRequest"
"404":
$ref: "#/components/responses/NotFound"
"500":
$ref: "#/components/responses/InternalError"
@@ -2294,6 +2388,56 @@ paths:
"500":
$ref: "#/components/responses/InternalError"
# ─── Digest ────────────────────────────────────────────────────────
/api/v1/digest/preview:
get:
tags: [Digest]
summary: Preview digest email
description: |
Returns an HTML preview of the scheduled certificate digest email.
This includes a summary of certificate status, pending jobs, and expiring certificates.
operationId: previewDigest
responses:
"200":
description: HTML digest email preview
content:
text/html:
schema:
type: string
example: "<html>...</html>"
"503":
description: Digest service not configured
content:
application/json:
schema:
$ref: "#/components/schemas/StatusMessageResponse"
"500":
$ref: "#/components/responses/InternalError"
/api/v1/digest/send:
post:
tags: [Digest]
summary: Send digest email
description: |
Triggers immediate sending of the certificate digest email to configured recipients.
If no explicit recipients are configured, sends to certificate owners.
operationId: sendDigest
responses:
"200":
description: Digest sent successfully
content:
application/json:
schema:
$ref: "#/components/schemas/StatusMessageResponse"
"503":
description: Digest service not configured
content:
application/json:
schema:
$ref: "#/components/schemas/StatusMessageResponse"
"500":
$ref: "#/components/responses/InternalError"
# ═══════════════════════════════════════════════════════════════════════
components:
securitySchemes:
@@ -2339,6 +2483,12 @@ components:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
Conflict:
description: Resource conflict
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
InternalError:
description: Internal server error
content:
@@ -2441,6 +2591,13 @@ components:
updated_at:
type: string
format: date-time
required:
- name
- common_name
- renewal_policy_id
- issuer_id
- owner_id
- team_id
CertificateVersion:
type: object
@@ -2712,8 +2869,15 @@ components:
type: integer
allowed_ekus:
type: array
description: Extended Key Usages to include in issued certificates
items:
type: string
enum:
- serverAuth
- clientAuth
- codeSigning
- emailProtection
- timeStamping
required_san_patterns:
type: array
items:
cmd/agent/agent_test.go
+830
View File
@@ -0,0 +1,830 @@
package main
import (
"bytes"
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"io"
"log/slog"
"math/big"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"testing"
"time"
)
// TestAgent_Heartbeat_Success tests that heartbeat sends correct metadata and handles 200 response.
func TestAgent_Heartbeat_Success(t *testing.T) {
// Create mock server to validate heartbeat request
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Verify correct endpoint and method
if r.URL.Path != "/api/v1/agents/a-test-agent/heartbeat" {
t.Errorf("unexpected path: %s", r.URL.Path)
}
if r.Method != http.MethodPost {
t.Errorf("unexpected method: %s, expected POST", r.Method)
}
// Verify auth header
auth := r.Header.Get("Authorization")
if auth != "Bearer test-key" {
t.Errorf("unexpected auth header: %s", auth)
}
// Verify request body contains required fields
var payload map[string]string
if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
t.Fatalf("failed to decode payload: %v", err)
}
// Check required fields
if _, ok := payload["version"]; !ok {
t.Error("missing version in heartbeat")
}
if _, ok := payload["hostname"]; !ok {
t.Error("missing hostname in heartbeat")
}
if _, ok := payload["os"]; !ok {
t.Error("missing os in heartbeat")
}
if _, ok := payload["architecture"]; !ok {
t.Error("missing architecture in heartbeat")
}
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test-agent",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Should not panic
agent.sendHeartbeat(context.Background())
}
// TestAgent_Heartbeat_ServerError tests that heartbeat handles 500 response gracefully.
func TestAgent_Heartbeat_ServerError(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusInternalServerError)
w.Write([]byte("server error"))
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test-agent",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Should increment consecutive failures
failureBefore := agent.consecutiveFailures
agent.sendHeartbeat(context.Background())
failureAfter := agent.consecutiveFailures
if failureAfter != failureBefore+1 {
t.Errorf("expected consecutive failures to increment, got %d, want %d", failureAfter, failureBefore+1)
}
}
// TestAgent_Heartbeat_ConnectionError tests that heartbeat handles connection error.
func TestAgent_Heartbeat_ConnectionError(t *testing.T) {
// Use an invalid address that will fail immediately
cfg := &AgentConfig{
ServerURL: "http://invalid-host-that-does-not-exist.local:9999",
APIKey: "test-key",
AgentID: "a-test-agent",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Should fail due to connection error
agent.sendHeartbeat(context.Background())
if agent.consecutiveFailures != 1 {
t.Errorf("expected consecutive failures to be 1, got %d", agent.consecutiveFailures)
}
}
// TestAgent_PollWork_NoWork tests that work polling handles empty work list.
func TestAgent_PollWork_NoWork(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/api/v1/agents/a-test-agent/work" {
t.Errorf("unexpected path: %s", r.URL.Path)
}
if r.Method != http.MethodGet {
t.Errorf("unexpected method: %s", r.Method)
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(WorkResponse{
Jobs: []JobItem{},
Count: 0,
})
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test-agent",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Should not panic
agent.pollForWork(context.Background())
}
// TestAgent_PollWork_Success tests that work polling parses and returns jobs correctly.
func TestAgent_PollWork_Success(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
workResp := WorkResponse{
Count: 2,
Jobs: []JobItem{
{
ID: "j-csr-001",
Type: "Issuance",
CertificateID: "mc-001",
CommonName: "example.com",
SANs: []string{"www.example.com"},
Status: "AwaitingCSR",
},
{
ID: "j-deploy-001",
Type: "Deployment",
CertificateID: "mc-001",
TargetID: strPtr("t-nginx-1"),
TargetType: "NGINX",
TargetConfig: json.RawMessage(`{"cert_path":"/etc/nginx/cert.pem"}`),
Status: "Pending",
},
},
}
json.NewEncoder(w).Encode(workResp)
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test-agent",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Should not panic; work items are processed in separate gorines in real usage
agent.pollForWork(context.Background())
}
// TestSplitPEMChain tests PEM chain splitting into cert and chain.
func TestSplitPEMChain(t *testing.T) {
// Create two test certificates
cert1, _ := generateTestCertWithCN("cert1.example.com")
cert2, _ := generateTestCertWithCN("cert2.example.com")
block1 := &pem.Block{Type: "CERTIFICATE", Bytes: cert1.Raw}
block2 := &pem.Block{Type: "CERTIFICATE", Bytes: cert2.Raw}
cert1PEM := string(pem.EncodeToMemory(block1))
cert2PEM := string(pem.EncodeToMemory(block2))
chainPEM := cert1PEM + "\n" + cert2PEM
// Split
certOnly, chain := splitPEMChain(chainPEM)
// Verify cert part
if !bytes.Contains([]byte(certOnly), []byte("-----BEGIN CERTIFICATE-----")) {
t.Error("cert part missing BEGIN marker")
}
// Verify chain part
if !bytes.Contains([]byte(chain), []byte("-----BEGIN CERTIFICATE-----")) {
t.Error("chain part missing BEGIN marker")
}
// Verify they're different
if certOnly == chain {
t.Error("cert and chain should be different")
}
}
// TestSplitPEMChain_SingleCert tests PEM chain splitting with single certificate.
func TestSplitPEMChain_SingleCert(t *testing.T) {
cert, _ := generateTestCertWithCN("example.com")
block := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
certPEM := string(pem.EncodeToMemory(block))
certOnly, chain := splitPEMChain(certPEM)
if certOnly != certPEM {
t.Error("single cert should be returned as-is")
}
if chain != "" {
t.Error("chain should be empty for single cert")
}
}
// TestSplitPEMChain_InvalidPEM tests PEM chain splitting with invalid PEM.
func TestSplitPEMChain_InvalidPEM(t *testing.T) {
invalidPEM := "not a valid pem"
certOnly, chain := splitPEMChain(invalidPEM)
if certOnly != invalidPEM {
t.Error("invalid PEM should be returned as-is in cert part")
}
if chain != "" {
t.Error("chain should be empty for invalid PEM")
}
}
// TestParsePEMFile tests parsing a PEM file with certificates.
func TestParsePEMFile(t *testing.T) {
// Create a temporary file with a PEM certificate
tmpdir := t.TempDir()
certPath := filepath.Join(tmpdir, "cert.pem")
cert, _ := generateTestCert()
block := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
certPEM := pem.EncodeToMemory(block)
if err := os.WriteFile(certPath, certPEM, 0644); err != nil {
t.Fatalf("failed to write test cert: %v", err)
}
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Parse the file
entries := agent.parsePEMFile(certPath)
if len(entries) != 1 {
t.Errorf("expected 1 certificate, got %d", len(entries))
return
}
entry := entries[0]
if entry.CommonName != "test.example.com" {
t.Errorf("expected CN 'test.example.com', got '%s'", entry.CommonName)
}
if entry.SourceFormat != "PEM" {
t.Errorf("expected format 'PEM', got '%s'", entry.SourceFormat)
}
if entry.SourcePath != certPath {
t.Errorf("expected path '%s', got '%s'", certPath, entry.SourcePath)
}
// Verify fingerprint is non-empty and correct length (SHA256 hex = 64 chars)
if len(entry.FingerprintSHA256) != 64 {
t.Errorf("expected 64-char fingerprint, got %d", len(entry.FingerprintSHA256))
}
}
// TestParsePEMFile_MultipleCerts tests parsing a PEM file with multiple certificates.
func TestParsePEMFile_MultipleCerts(t *testing.T) {
tmpdir := t.TempDir()
certPath := filepath.Join(tmpdir, "chain.pem")
cert1, _ := generateTestCertWithCN("cert1.example.com")
cert2, _ := generateTestCertWithCN("cert2.example.com")
block1 := &pem.Block{Type: "CERTIFICATE", Bytes: cert1.Raw}
block2 := &pem.Block{Type: "CERTIFICATE", Bytes: cert2.Raw}
certPEM := append(pem.EncodeToMemory(block1), pem.EncodeToMemory(block2)...)
if err := os.WriteFile(certPath, certPEM, 0644); err != nil {
t.Fatalf("failed to write test cert: %v", err)
}
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
entries := agent.parsePEMFile(certPath)
if len(entries) != 2 {
t.Errorf("expected 2 certificates, got %d", len(entries))
}
}
// TestParseDERFile tests parsing a DER-encoded certificate file.
func TestParseDERFile(t *testing.T) {
tmpdir := t.TempDir()
derPath := filepath.Join(tmpdir, "cert.der")
cert, _ := generateTestCertWithCN("test.example.com")
if err := os.WriteFile(derPath, cert.Raw, 0644); err != nil {
t.Fatalf("failed to write test cert: %v", err)
}
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
entry, err := agent.parseDERFile(derPath)
if err != nil {
t.Errorf("unexpected error: %v", err)
return
}
if entry.CommonName != "test.example.com" {
t.Errorf("expected CN 'test.example.com', got '%s'", entry.CommonName)
}
if entry.SourceFormat != "DER" {
t.Errorf("expected format 'DER', got '%s'", entry.SourceFormat)
}
if len(entry.FingerprintSHA256) != 64 {
t.Errorf("expected 64-char fingerprint, got %d", len(entry.FingerprintSHA256))
}
}
// TestParseDERFile_Invalid tests parsing an invalid DER file.
func TestParseDERFile_Invalid(t *testing.T) {
tmpdir := t.TempDir()
derPath := filepath.Join(tmpdir, "invalid.der")
if err := os.WriteFile(derPath, []byte("not a valid der file"), 0644); err != nil {
t.Fatalf("failed to write test file: %v", err)
}
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
_, err := agent.parseDERFile(derPath)
if err == nil {
t.Error("expected error for invalid DER file")
}
}
// TestScanDirectory tests scanning a directory for certificate files.
func TestScanDirectory(t *testing.T) {
tmpdir := t.TempDir()
// Create subdirectory
subdir := filepath.Join(tmpdir, "subdir")
if err := os.MkdirAll(subdir, 0755); err != nil {
t.Fatalf("failed to create subdir: %v", err)
}
// Create certificates with various extensions
cert1, _ := generateTestCertWithCN("cert1.example.com")
cert2, _ := generateTestCertWithCN("cert2.example.com")
// Write cert1.pem
block1 := &pem.Block{Type: "CERTIFICATE", Bytes: cert1.Raw}
if err := os.WriteFile(filepath.Join(tmpdir, "cert1.pem"), pem.EncodeToMemory(block1), 0644); err != nil {
t.Fatalf("failed to write cert1: %v", err)
}
// Write cert2.crt in subdir
block2 := &pem.Block{Type: "CERTIFICATE", Bytes: cert2.Raw}
if err := os.WriteFile(filepath.Join(subdir, "cert2.crt"), pem.EncodeToMemory(block2), 0644); err != nil {
t.Fatalf("failed to write cert2: %v", err)
}
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
DiscoveryDirs: []string{tmpdir},
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
// Simulate directory walk manually (as runDiscoveryScan does)
var certs []discoveredCertEntry
filepath.Walk(tmpdir, func(path string, info os.FileInfo, err error) error {
if err != nil {
return nil
}
if info.IsDir() {
return nil
}
ext := filepath.Ext(path)
switch ext {
case ".pem", ".crt":
found := agent.parsePEMFile(path)
certs = append(certs, found...)
}
return nil
})
if len(certs) != 2 {
t.Errorf("expected 2 certificates from directory scan, got %d", len(certs))
}
}
// TestCreateTargetConnector_NGINX tests connector creation for NGINX target.
func TestCreateTargetConnector_NGINX(t *testing.T) {
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
configJSON := json.RawMessage(`{"cert_path":"/etc/nginx/cert.pem"}`)
connector, err := agent.createTargetConnector("NGINX", configJSON)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if connector == nil {
t.Error("expected connector to be non-nil")
}
}
// TestCreateTargetConnector_Unsupported tests connector creation for unsupported type.
func TestCreateTargetConnector_Unsupported(t *testing.T) {
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
_, err := agent.createTargetConnector("UnsupportedType", nil)
if err == nil {
t.Error("expected error for unsupported target type")
}
}
// TestFetchCertificate_Success tests fetching a certificate from the control plane.
func TestFetchCertificate_Success(t *testing.T) {
cert, _ := generateTestCertWithCN("test.example.com")
block := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
expectedCertPEM := string(pem.EncodeToMemory(block))
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/api/v1/agents/a-test/certificates/mc-001" {
t.Errorf("unexpected path: %s", r.URL.Path)
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string]string{
"certificate_pem": expectedCertPEM,
})
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
certPEM, err := agent.fetchCertificate(context.Background(), "mc-001")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if certPEM != expectedCertPEM {
t.Error("certificate PEM mismatch")
}
}
// TestFetchCertificate_NotFound tests fetching a non-existent certificate.
func TestFetchCertificate_NotFound(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusNotFound)
w.Write([]byte("not found"))
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
_, err := agent.fetchCertificate(context.Background(), "mc-nonexistent")
if err == nil {
t.Error("expected error for non-existent certificate")
}
}
// TestReportJobStatus_Success tests reporting job status to the control plane.
func TestReportJobStatus_Success(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/api/v1/agents/a-test/jobs/j-001/status" {
t.Errorf("unexpected path: %s", r.URL.Path)
}
if r.Method != http.MethodPost {
t.Errorf("unexpected method: %s", r.Method)
}
var payload map[string]string
json.NewDecoder(r.Body).Decode(&payload)
if payload["status"] != "Completed" {
t.Errorf("expected status 'Completed', got '%s'", payload["status"])
}
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
err := agent.reportJobStatus(context.Background(), "j-001", "Completed", "")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
// TestReportJobStatus_WithError tests reporting job status with error message.
func TestReportJobStatus_WithError(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var payload map[string]string
json.NewDecoder(r.Body).Decode(&payload)
if payload["status"] != "Failed" {
t.Errorf("expected status 'Failed', got '%s'", payload["status"])
}
if payload["error"] != "deployment failed" {
t.Errorf("expected error 'deployment failed', got '%s'", payload["error"])
}
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
err := agent.reportJobStatus(context.Background(), "j-001", "Failed", "deployment failed")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
// TestMakeRequest_Success tests making an authenticated HTTP request.
func TestMakeRequest_Success(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Verify auth header
auth := r.Header.Get("Authorization")
if auth != "Bearer test-key" {
t.Errorf("unexpected auth: %s", auth)
}
// Verify content-type
ct := r.Header.Get("Content-Type")
if ct != "application/json" {
t.Errorf("unexpected content-type: %s", ct)
}
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
cfg := &AgentConfig{
ServerURL: server.URL,
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
resp, err := agent.makeRequest(context.Background(), http.MethodPost, "/test", map[string]string{"key": "value"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("unexpected status: %d", resp.StatusCode)
}
}
// TestMakeRequest_InvalidURL tests making a request with invalid URL.
func TestMakeRequest_InvalidURL(t *testing.T) {
cfg := &AgentConfig{
ServerURL: "http://invalid-host-that-does-not-exist.local:9999",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
_, err := agent.makeRequest(context.Background(), http.MethodGet, "/test", nil)
if err == nil {
t.Error("expected error for unreachable host")
}
}
// TestCertKeyInfo tests extraction of key algorithm and size from certificates.
func TestCertKeyInfo(t *testing.T) {
tests := []struct {
name string
genKey func() interface{}
expectedAlg string
minBitSize int
}{
{
name: "ECDSA P-256",
genKey: func() interface{} {
key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
return key.Public()
},
expectedAlg: "ECDSA",
minBitSize: 256,
},
{
name: "RSA 2048",
genKey: func() interface{} {
key, _ := rsa.GenerateKey(rand.Reader, 2048)
return key.Public()
},
expectedAlg: "RSA",
minBitSize: 2048,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
pubKey := tt.genKey()
// Create certificate with this key
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "test.com",
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
var privKey interface{}
if ecdsaPub, ok := pubKey.(*ecdsa.PublicKey); ok {
key, _ := ecdsa.GenerateKey(ecdsaPub.Curve, rand.Reader)
privKey = key
} else if rsaPub, ok := pubKey.(*rsa.PublicKey); ok {
key, _ := rsa.GenerateKey(rand.Reader, rsaPub.N.BitLen())
privKey = key
}
certDER, _ := x509.CreateCertificate(rand.Reader, template, template, pubKey, privKey)
cert, _ := x509.ParseCertificate(certDER)
alg, bitSize := certKeyInfo(cert)
if alg != tt.expectedAlg {
t.Errorf("expected algorithm %s, got %s", tt.expectedAlg, alg)
}
if bitSize < tt.minBitSize {
t.Errorf("expected bitsize >= %d, got %d", tt.minBitSize, bitSize)
}
})
}
}
// TestNewAgent tests agent initialization.
func TestNewAgent(t *testing.T) {
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
agent := NewAgent(cfg, logger)
if agent.config != cfg {
t.Error("config not set correctly")
}
if agent.heartbeatInterval != 60*time.Second {
t.Errorf("expected heartbeat interval 60s, got %v", agent.heartbeatInterval)
}
if agent.pollInterval != 30*time.Second {
t.Errorf("expected poll interval 30s, got %v", agent.pollInterval)
}
if agent.client == nil {
t.Error("HTTP client not initialized")
}
}
// TestNewAgent_WithLogger tests agent initialization with logger.
func TestNewAgent_WithLogger(t *testing.T) {
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
cfg := &AgentConfig{
ServerURL: "http://localhost:8443",
APIKey: "test-key",
AgentID: "a-test",
Hostname: "test-host",
}
agent := NewAgent(cfg, logger)
if agent.logger != logger {
t.Error("logger not set correctly")
}
}
// Helper to create test certificates with specific CN
func generateTestCertWithCN(commonName string) (*x509.Certificate, error) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, err
}
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: commonName,
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
DNSNames: []string{commonName},
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDER)
}
// Helper to create string pointer
func strPtr(s string) *string {
return &s
}
cmd/agent/main.go
+13 -1
View File
@@ -344,11 +344,23 @@ func (a *Agent) executeCSRJob(ctx context.Context, job JobItem) {
}
// Step 3: Create CSR with common name and SANs
// Split SANs into DNS names and email addresses for proper CSR encoding
var dnsNames []string
var emailAddresses []string
for _, san := range job.SANs {
if strings.Contains(san, "@") {
emailAddresses = append(emailAddresses, san)
} else {
dnsNames = append(dnsNames, san)
}
}
csrTemplate := &x509.CertificateRequest{
Subject: pkix.Name{
CommonName: job.CommonName,
},
DNSNames: job.SANs,
DNSNames: dnsNames,
EmailAddresses: emailAddresses,
}
csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
cmd/server/main.go
+57 -6
View File
@@ -21,6 +21,7 @@ import (
"github.com/shankar0123/certctl/internal/connector/issuer/local"
opensslissuer "github.com/shankar0123/certctl/internal/connector/issuer/openssl"
stepcaissuer "github.com/shankar0123/certctl/internal/connector/issuer/stepca"
notifyemail "github.com/shankar0123/certctl/internal/connector/notifier/email"
notifyopsgenie "github.com/shankar0123/certctl/internal/connector/notifier/opsgenie"
notifypagerduty "github.com/shankar0123/certctl/internal/connector/notifier/pagerduty"
notifyslack "github.com/shankar0123/certctl/internal/connector/notifier/slack"
@@ -44,7 +45,7 @@ func main() {
}))
logger.Info("certctl server starting",
"version", "2.0.8",
"version", "2.0.9",
"server_host", cfg.Server.Host,
"server_port", cfg.Server.Port)
@@ -189,6 +190,25 @@ func main() {
logger.Info("OpsGenie notifier enabled")
}
// Wire email notifier if SMTP is configured
var emailAdapter *notifyemail.NotifierAdapter
if cfg.Notifiers.SMTPHost != "" && cfg.Notifiers.SMTPFromAddress != "" {
emailConnector := notifyemail.New(&notifyemail.Config{
SMTPHost: cfg.Notifiers.SMTPHost,
SMTPPort: cfg.Notifiers.SMTPPort,
Username: cfg.Notifiers.SMTPUsername,
Password: cfg.Notifiers.SMTPPassword,
FromAddress: cfg.Notifiers.SMTPFromAddress,
UseTLS: cfg.Notifiers.SMTPUseTLS,
}, logger)
emailAdapter = notifyemail.NewNotifierAdapter(emailConnector)
notifierRegistry["Email"] = emailAdapter
logger.Info("Email notifier enabled",
"smtp_host", cfg.Notifiers.SMTPHost,
"smtp_port", cfg.Notifiers.SMTPPort,
"from", cfg.Notifiers.SMTPFromAddress)
}
notificationService := service.NewNotificationService(notificationRepo, notifierRegistry)
notificationService.SetOwnerRepo(ownerRepo)
@@ -209,6 +229,7 @@ func main() {
deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certificateRepo, auditService, notificationService)
jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
agentService := service.NewAgentService(agentRepo, certificateRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
agentService.SetProfileRepo(profileRepo)
issuerService := service.NewIssuerService(issuerRepo, auditService)
targetService := service.NewTargetService(targetRepo, auditService)
profileService := service.NewProfileService(profileRepo, auditService)
@@ -262,6 +283,28 @@ func main() {
networkScanHandler := handler.NewNetworkScanHandler(networkScanService)
verificationService := service.NewVerificationService(jobRepo, auditService, logger)
verificationHandler := handler.NewVerificationHandler(verificationService)
exportService := service.NewExportService(certificateRepo, auditService)
exportHandler := handler.NewExportHandler(exportService)
// Initialize digest service (requires email notifier)
var digestService *service.DigestService
var digestHandler *handler.DigestHandler
if cfg.Digest.Enabled && emailAdapter != nil {
digestService = service.NewDigestService(
statsService, certificateRepo, ownerRepo, emailAdapter, cfg.Digest.Recipients, logger,
)
digestHandler = handler.NewDigestHandler(digestService)
logger.Info("digest service enabled",
"interval", cfg.Digest.Interval.String(),
"recipients", len(cfg.Digest.Recipients))
} else {
// Create a no-op digest handler for route registration
digestHandler = handler.NewDigestHandler(nil)
if cfg.Digest.Enabled && emailAdapter == nil {
logger.Warn("digest enabled but SMTP not configured — digest emails will not be sent")
}
}
logger.Info("initialized all handlers")
// Create context with cancellation
@@ -287,6 +330,11 @@ func main() {
sched.SetNetworkScanInterval(cfg.NetworkScan.ScanInterval)
logger.Info("network scanning enabled", "interval", cfg.NetworkScan.ScanInterval.String())
}
if digestService != nil {
sched.SetDigestService(digestService)
sched.SetDigestInterval(cfg.Digest.Interval)
logger.Info("digest scheduler enabled", "interval", cfg.Digest.Interval.String())
}
// Start scheduler
logger.Info("starting scheduler")
@@ -315,6 +363,8 @@ func main() {
Discovery: discoveryHandler,
NetworkScan: networkScanHandler,
Verification: verificationHandler,
Export: exportHandler,
Digest: *digestHandler,
})
// Register EST (RFC 7030) handlers if enabled
if cfg.EST.Enabled {
@@ -445,11 +495,12 @@ func main() {
// Server configuration
addr := net.JoinHostPort(cfg.Server.Host, strconv.Itoa(cfg.Server.Port))
httpServer := &http.Server{
Addr: addr,
Handler: finalHandler,
ReadTimeout: 15 * time.Second,
WriteTimeout: 15 * time.Second,
IdleTimeout: 60 * time.Second,
Addr: addr,
Handler: finalHandler,
ReadTimeout: 15 * time.Second,
ReadHeaderTimeout: 5 * time.Second,
WriteTimeout: 15 * time.Second,
IdleTimeout: 60 * time.Second,
}
// Start HTTP server in background
deploy/docker-compose.yml
+1
View File
@@ -18,6 +18,7 @@ services:
- ../migrations/000005_revocation.up.sql:/docker-entrypoint-initdb.d/005_revocation.sql
- ../migrations/000006_discovery.up.sql:/docker-entrypoint-initdb.d/006_discovery.sql
- ../migrations/000007_network_discovery.up.sql:/docker-entrypoint-initdb.d/007_network_discovery.sql
- ../migrations/000008_verification.up.sql:/docker-entrypoint-initdb.d/008_verification.sql
- ../migrations/seed.sql:/docker-entrypoint-initdb.d/010_seed.sql
- ../migrations/seed_demo.sql:/docker-entrypoint-initdb.d/011_seed_demo.sql
networks:
deploy/helm/CHART_SUMMARY.md
+461
View File
@@ -0,0 +1,461 @@
# Certctl Helm Chart - Complete Summary
## Overview
A production-ready Helm chart for deploying certctl (self-hosted certificate lifecycle management platform) on Kubernetes. The chart provides:
- High availability support with multi-replica deployments
- Persistent PostgreSQL database with automatic schema migration
- DaemonSet or Deployment-based agent deployment
- Comprehensive security contexts and RBAC
- Multiple deployment scenarios (dev, prod, HA, external DB)
- Full documentation and examples
## Chart Metadata
- **Name**: certctl
- **Chart Version**: 0.1.0
- **App Version**: 2.1.0
- **Type**: application
- **License**: BSL-1.1 (converts to Apache 2.0 in 2033)
## File Structure
```
deploy/helm/
├── README.md # Main Helm chart documentation
├── DEPLOYMENT_GUIDE.md # Step-by-step deployment guide
├── CHART_SUMMARY.md # This file
├── certctl/
│ ├── Chart.yaml # Chart metadata
│ ├── values.yaml # Default configuration values
│ ├── .helmignore # Files to ignore when building chart
│ │
│ └── templates/
│ ├── _helpers.tpl # Helm template helper functions
│ ├── NOTES.txt # Post-deployment notes
│ │
│ ├── server-deployment.yaml # Certctl API server deployment
│ ├── server-service.yaml # Server Kubernetes service
│ ├── server-configmap.yaml # Server configuration
│ ├── server-secret.yaml # Server secrets (API key, DB password, etc)
│ │
│ ├── postgres-statefulset.yaml # PostgreSQL database statefulset
│ ├── postgres-service.yaml # PostgreSQL headless service
│ ├── postgres-secret.yaml # Database credentials secret
│ │
│ ├── agent-daemonset.yaml # Certctl agent daemonset/deployment
│ ├── agent-configmap.yaml # Agent configuration
│ │
│ ├── ingress.yaml # Optional ingress resource
│ └── serviceaccount.yaml # ServiceAccount and RBAC
└── examples/
├── values-dev.yaml # Development/testing configuration
├── values-prod-ha.yaml # Production HA configuration
├── values-external-db.yaml # External PostgreSQL (RDS, Cloud SQL)
└── values-acme-dns01.yaml # ACME with DNS-01 (Let's Encrypt)
```
## Key Components
### 1. Server Deployment
**File**: `templates/server-deployment.yaml`
- Manages certctl API server instances
- Configurable replicas (default: 1)
- Health checks (liveness & readiness probes)
- Security context: non-root user, read-only filesystem
- Resource limits (default: 500m CPU, 512Mi memory)
- Automatic restart on failure
**Values**:
```yaml
server:
replicas: 1
port: 8443
auth:
type: api-key
apiKey: "REQUIRED"
resources:
requests: {cpu: 100m, memory: 128Mi}
limits: {cpu: 500m, memory: 512Mi}
```
### 2. PostgreSQL StatefulSet
**File**: `templates/postgres-statefulset.yaml`
- Persistent database storage
- Automatic schema migrations on startup
- Single replica (can be extended with external HA tools)
- Health checks via pg_isready
- Configurable storage size and class
- Security context: non-root user (UID 999)
**Values**:
```yaml
postgresql:
enabled: true
storage:
size: 10Gi
storageClass: "" # Use default
auth:
database: certctl
username: certctl
password: "REQUIRED"
```
### 3. Agent DaemonSet/Deployment
**File**: `templates/agent-daemonset.yaml`
- DaemonSet mode: one agent per Kubernetes node
- Deployment mode: custom number of agent replicas
- Local key storage with secure permissions (0600)
- Health checks and automatic restart
- Optional certificate discovery from filesystem
**Values**:
```yaml
agent:
enabled: true
kind: DaemonSet # or Deployment
replicas: 1 # for Deployment only
keyDir: /var/lib/certctl/keys
discoveryDirs: "/etc/ssl/certs" # optional
```
### 4. Ingress (Optional)
**File**: `templates/ingress.yaml`
- Optional HTTPS ingress
- cert-manager integration for automatic TLS
- Multiple host support
- Path-based routing
**Values**:
```yaml
ingress:
enabled: false
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
```
### 5. ConfigMaps and Secrets
**Files**:
- `server-configmap.yaml` - Non-secret server configuration
- `server-secret.yaml` - API key, database URL, SMTP password
- `postgres-secret.yaml` - Database credentials
- `agent-configmap.yaml` - Agent configuration
All secrets are base64-encoded and stored in Kubernetes Secrets.
### 6. ServiceAccount and RBAC
**File**: `templates/serviceaccount.yaml`
- Optional ServiceAccount creation
- Optional RBAC (ClusterRole, ClusterRoleBinding)
- Namespace-scoped by default
## Deployment Scenarios
### Development Setup
Use `examples/values-dev.yaml`:
```bash
helm install certctl certctl/ \
--values examples/values-dev.yaml \
--set server.auth.apiKey="dev-key" \
--set postgresql.auth.password="dev-password"
```
**Features**:
- Single server replica
- Demo auth (no API key required)
- Small database (5Gi)
- LoadBalancer service for easy access
- Debug logging level
### Production HA Setup
Use `examples/values-prod-ha.yaml`:
```bash
helm install certctl certctl/ \
--values examples/values-prod-ha.yaml \
--set server.auth.apiKey="$(openssl rand -base64 32)" \
--set postgresql.auth.password="$(openssl rand -base64 32)"
```
**Features**:
- 3 server replicas with pod anti-affinity
- Large database storage (100Gi)
- Pod disruption budgets
- Prometheus monitoring enabled
- Production resource limits
### External PostgreSQL
Use `examples/values-external-db.yaml`:
```bash
helm install certctl certctl/ \
--values examples/values-external-db.yaml \
--set postgresql.enabled=false \
--set 'server.env.CERTCTL_DATABASE_URL=postgres://...'
```
**Use cases**:
- AWS RDS
- Google Cloud SQL
- Azure Database for PostgreSQL
- External self-managed PostgreSQL
### ACME with DNS-01
Use `examples/values-acme-dns01.yaml`:
```bash
helm install certctl certctl/ \
--values examples/values-acme-dns01.yaml
```
**Enables**:
- Automatic certificate issuance from Let's Encrypt
- DNS-01 challenge (wildcard support)
- Custom DNS provider scripts
## Configuration Options
### Server Configuration
| Option | Default | Description |
|--------|---------|-------------|
| `server.replicas` | 1 | Number of server replicas |
| `server.port` | 8443 | Server port |
| `server.auth.type` | api-key | Authentication type |
| `server.auth.apiKey` | "" | API key (REQUIRED) |
| `server.logging.level` | info | Log level |
| `server.logging.format` | json | Log format |
### PostgreSQL Configuration
| Option | Default | Description |
|--------|---------|-------------|
| `postgresql.enabled` | true | Enable internal PostgreSQL |
| `postgresql.storage.size` | 10Gi | Database storage size |
| `postgresql.storage.storageClass` | "" | Storage class name |
| `postgresql.auth.password` | "" | Database password (REQUIRED) |
### Agent Configuration
| Option | Default | Description |
|--------|---------|-------------|
| `agent.enabled` | true | Deploy agents |
| `agent.kind` | DaemonSet | DaemonSet or Deployment |
| `agent.replicas` | 1 | Replicas (Deployment only) |
| `agent.keyDir` | /var/lib/certctl/keys | Key storage directory |
### Issuer Configuration
| Option | Default | Description |
|--------|---------|-------------|
| `server.issuer.local.enabled` | true | Enable Local CA |
| `server.issuer.acme.enabled` | false | Enable ACME |
| `server.issuer.acme.directoryURL` | "" | ACME directory URL |
| `server.issuer.acme.email` | "" | ACME email |
| `server.issuer.acme.challengeType` | http-01 | Challenge type |
See `values.yaml` for complete configuration options.
## Helm Template Functions
Defined in `templates/_helpers.tpl`:
| Function | Purpose |
|----------|---------|
| `certctl.name` | Chart name |
| `certctl.fullname` | Full release name |
| `certctl.chart` | Chart name and version |
| `certctl.labels` | Common labels |
| `certctl.selectorLabels` | Selector labels |
| `certctl.serverSelectorLabels` | Server selector labels |
| `certctl.agentSelectorLabels` | Agent selector labels |
| `certctl.postgresSelectorLabels` | PostgreSQL selector labels |
| `certctl.serviceAccountName` | ServiceAccount name |
| `certctl.serverImage` | Server image URI |
| `certctl.agentImage` | Agent image URI |
| `certctl.postgresImage` | PostgreSQL image URI |
| `certctl.databaseURL` | Database connection string |
| `certctl.serverURL` | Server URL for agents |
## Security Features
### Pod Security
- Non-root users (UID 1000 for app, UID 999 for PostgreSQL)
- Read-only root filesystems
- No privilege escalation
- Dropped capabilities (ALL)
- Resource limits to prevent DoS
### Secrets Management
- All sensitive data in Kubernetes Secrets
- Base64 encoded at rest
- Can be integrated with:
- sealed-secrets
- external-secrets
- Vault
- AWS Secrets Manager
### RBAC
- ServiceAccount per release
- Optional ClusterRole/ClusterRoleBinding
- Extensible for custom permissions
### Network Security
- Support for Kubernetes NetworkPolicies
- Service-to-service communication via internal DNS
- Optional Ingress with TLS
## Monitoring and Observability
### Health Checks
- Liveness probes (detect dead containers)
- Readiness probes (detect not-ready services)
- HTTP endpoints: `/health`, `/readyz`
### Logging
- Structured JSON logging
- Request ID propagation
- Configurable log levels (debug, info, warn, error)
### Metrics
- Prometheus metrics endpoint: `/api/v1/metrics/prometheus`
- Optional ServiceMonitor for Prometheus Operator
- Built-in metrics:
- Certificate counts by status
- Agent counts and status
- Job completion/failure rates
- Server uptime
## Installation Quick Reference
```bash
# Development
helm install certctl certctl/ \
--set server.auth.apiKey=dev \
--set postgresql.auth.password=dev
# Production HA
helm install certctl certctl/ \
--values examples/values-prod-ha.yaml \
--set server.auth.apiKey="$(openssl rand -base64 32)" \
--set postgresql.auth.password="$(openssl rand -base64 32)"
# External database
helm install certctl certctl/ \
--values examples/values-external-db.yaml \
--set postgresql.enabled=false \
--set 'server.env.CERTCTL_DATABASE_URL=postgres://...'
# ACME with Let's Encrypt
helm install certctl certctl/ \
--set server.issuer.acme.enabled=true \
--set server.issuer.acme.directoryURL=https://acme-v02.api.letsencrypt.org/directory
# Check status
kubectl get pods -l app.kubernetes.io/instance=certctl
kubectl logs -l app.kubernetes.io/component=server -f
# Upgrade
helm upgrade certctl certctl/ -f new-values.yaml
# Uninstall
helm uninstall certctl
```
## Best Practices
### 1. Use Secrets Management
```bash
# Use sealed-secrets
kubectl create secret generic certctl-secrets \
--from-literal=api-key="$(openssl rand -base64 32)" \
--dry-run=client -o yaml | kubeseal -f - | kubectl apply -f -
```
### 2. Configure Resource Limits
Match limits to your cluster capacity:
```yaml
server:
resources:
requests: {cpu: 250m, memory: 256Mi}
limits: {cpu: 1000m, memory: 512Mi}
```
### 3. Enable HA for Production
```yaml
server:
replicas: 3
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: [...]
```
### 4. Use Persistent Storage
```yaml
postgresql:
storage:
size: 100Gi
storageClass: fast-ssd
```
### 5. Enable Monitoring
```yaml
monitoring:
enabled: true
serviceMonitor:
enabled: true
```
## Documentation
- **README.md** - Complete Helm chart documentation
- **DEPLOYMENT_GUIDE.md** - Step-by-step deployment instructions
- **values.yaml** - Commented configuration reference
## Support
For issues, questions, or contributions:
- GitHub: https://github.com/shankar0123/certctl
- Documentation: https://github.com/shankar0123/certctl/tree/main/docs
## License
BSL-1.1 (Business Source License)
Converts to Apache 2.0 on March 28, 2033
deploy/helm/DEPLOYMENT_GUIDE.md
+515
View File
@@ -0,0 +1,515 @@
# Certctl Helm Deployment Guide
Complete guide for deploying certctl on Kubernetes with Helm.
## Table of Contents
1. [Prerequisites](#prerequisites)
2. [Installation Methods](#installation-methods)
3. [Production Deployment](#production-deployment)
4. [Configuration Examples](#configuration-examples)
5. [Post-Deployment Setup](#post-deployment-setup)
6. [Monitoring and Logging](#monitoring-and-logging)
7. [Maintenance](#maintenance)
## Prerequisites
### Required Tools
```bash
# Verify Kubernetes cluster access
kubectl cluster-info
kubectl get nodes
# Install Helm (if not already installed)
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm version
# Verify Helm installation
helm repo list
```
### Kubernetes Requirements
- Kubernetes 1.19 or later
- At least 2GB available memory
- At least 10GB available storage (for PostgreSQL)
- Network policies support (optional, for security)
- Ingress controller (nginx, istio, etc.) - optional
### Create Namespace
```bash
# Create isolated namespace
kubectl create namespace certctl
# Set as default namespace
kubectl config set-context --current --namespace=certctl
# Label for network policies (optional)
kubectl label namespace certctl certctl-ns=true
```
## Installation Methods
### Method 1: Minimal Development Setup
Perfect for testing and development:
```bash
# Install with minimal configuration
helm install certctl certctl/certctl \
--namespace certctl \
--set server.auth.apiKey="dev-key-change-in-production" \
--set postgresql.auth.password="dev-password-change-in-production"
# Wait for deployment
kubectl rollout status deployment/certctl-server
kubectl rollout status statefulset/certctl-postgres
```
### Method 2: Production HA Setup
For production workloads:
```bash
# Generate secure credentials
API_KEY=$(openssl rand -base64 32)
DB_PASSWORD=$(openssl rand -base64 32)
# Install with HA configuration
helm install certctl certctl/certctl \
--namespace certctl \
--values deploy/helm/examples/values-prod-ha.yaml \
--set server.auth.apiKey="$API_KEY" \
--set postgresql.auth.password="$DB_PASSWORD"
```
### Method 3: External PostgreSQL
Using managed database service:
```bash
# Install with external database
helm install certctl certctl/certctl \
--namespace certctl \
--values deploy/helm/examples/values-external-db.yaml \
--set server.auth.apiKey="$API_KEY" \
--set 'server.env.CERTCTL_DATABASE_URL=postgres://user:pass@db.example.com:5432/certctl?sslmode=require'
```
### Method 4: Using Custom values.yaml
Recommended for GitOps workflows:
```bash
# Create values file with secrets management
cat > /tmp/certctl-values.yaml <<EOF
server:
auth:
apiKey: "$API_KEY"
logging:
level: info
postgresql:
auth:
password: "$DB_PASSWORD"
storage:
size: 50Gi
agent:
enabled: true
kind: DaemonSet
ingress:
enabled: true
className: nginx
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
EOF
# Install using values file
helm install certctl certctl/certctl \
--namespace certctl \
--values /tmp/certctl-values.yaml
```
## Production Deployment
### Step 1: Prepare Environment
```bash
# Create namespace
kubectl create namespace certctl
cd deploy/helm
# Generate credentials
API_KEY=$(openssl rand -base64 32)
DB_PASSWORD=$(openssl rand -base64 32)
echo "API Key: $API_KEY"
echo "DB Password: $DB_PASSWORD"
# Save credentials in secure location (e.g., 1Password, Vault, AWS Secrets Manager)
```
### Step 2: Prepare Storage
```bash
# List available storage classes
kubectl get storageclass
# If needed, create a high-performance storage class for production
cat <<EOF | kubectl apply -f -
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fast-ssd
provisioner: ebs.csi.aws.com # For AWS, adjust for your cloud provider
parameters:
type: gp3
iops: "3000"
throughput: "125"
EOF
```
### Step 3: Set Up TLS with cert-manager
```bash
# Install cert-manager (if not already installed)
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true
# Create ClusterIssuer for Let's Encrypt
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
EOF
```
### Step 4: Install Certctl
```bash
# Install using HA values
helm install certctl certctl/ \
--namespace certctl \
--values examples/values-prod-ha.yaml \
--set server.auth.apiKey="$API_KEY" \
--set postgresql.auth.password="$DB_PASSWORD" \
--set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
--set ingress.hosts[0].host=certctl.example.com
# Verify installation
kubectl get all -l app.kubernetes.io/instance=certctl
```
### Step 5: Verify Deployment
```bash
# Check pod status
kubectl get pods -l app.kubernetes.io/instance=certctl
kubectl describe pods -l app.kubernetes.io/instance=certctl
# Check service status
kubectl get svc -l app.kubernetes.io/instance=certctl
# Check ingress status
kubectl get ingress
kubectl describe ingress certctl
# Test API connectivity
POD=$(kubectl get pods -l app.kubernetes.io/component=server -o jsonpath='{.items[0].metadata.name}')
kubectl port-forward $POD 8443:8443 &
curl -H "Authorization: Bearer $API_KEY" http://localhost:8443/health
```
### Step 6: Access the Dashboard
```bash
# Port forward to local machine
kubectl port-forward svc/certctl-server 8443:8443 &
# Or if using Ingress:
# Open browser: https://certctl.example.com
# Login with API key: $API_KEY
```
## Configuration Examples
### Example 1: ACME (Let's Encrypt)
```bash
helm install certctl certctl/ \
--set server.issuer.acme.enabled=true \
--set server.issuer.acme.directoryURL=https://acme-v02.api.letsencrypt.org/directory \
--set server.issuer.acme.email=admin@example.com \
--set server.issuer.acme.challengeType=http-01
```
### Example 2: DNS-01 (Wildcard Certs)
Requires DNS scripts ConfigMap:
```bash
# Create DNS scripts ConfigMap
kubectl create configmap dns-scripts \
--from-file=dns-present.sh=./scripts/dns-present.sh \
--from-file=dns-cleanup.sh=./scripts/dns-cleanup.sh
# Install with DNS-01
helm install certctl certctl/ \
--set server.issuer.acme.enabled=true \
--set server.issuer.acme.challengeType=dns-01 \
--values examples/values-acme-dns01.yaml
```
### Example 3: AWS RDS Database
```bash
helm install certctl certctl/ \
--set postgresql.enabled=false \
--set 'server.env.CERTCTL_DATABASE_URL=postgres://user:password@mydb.c9akciq32.us-east-1.rds.amazonaws.com:5432/certctl?sslmode=require'
```
### Example 4: Multiple Issuers
```bash
helm install certctl certctl/ \
--set server.issuer.local.enabled=true \
--set server.issuer.acme.enabled=true \
--set server.issuer.acme.directoryURL=https://acme-v02.api.letsencrypt.org/directory
```
### Example 5: Email Notifications
```bash
helm install certctl certctl/ \
--set server.smtp.enabled=true \
--set server.smtp.host=smtp.example.com \
--set server.smtp.port=587 \
--set server.smtp.username=alerts@example.com \
--set server.smtp.password="$SMTP_PASSWORD" \
--set server.smtp.fromAddress=certctl@example.com
```
## Post-Deployment Setup
### 1. Initial Database Setup
```bash
# Check database connection
POD=$(kubectl get pods -l app.kubernetes.io/component=postgres -o jsonpath='{.items[0].metadata.name}')
# Execute psql commands
kubectl exec -it $POD -- \
psql -U certctl -d certctl -c '\dt'
# View database status
kubectl logs $POD | tail -20
```
### 2. Create Default Certificates
```bash
# Port forward to API
kubectl port-forward svc/certctl-server 8443:8443 &
# Create a test certificate
API_KEY="your-api-key"
curl -X POST http://localhost:8443/api/v1/certificates \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{
"common_name": "test.example.com",
"sans": ["test.example.com", "*.example.com"],
"owner": "admin@example.com"
}'
```
### 3. Configure Agents
```bash
# Get agent names
kubectl get pods -l app.kubernetes.io/component=agent -o wide
# Check agent connectivity
POD=$(kubectl get pods -l app.kubernetes.io/component=agent -o jsonpath='{.items[0].metadata.name}')
kubectl logs $POD | grep -i heartbeat
```
### 4. Set Up HTTPS for Web Dashboard
The Ingress will handle TLS if configured properly:
```bash
# Verify ingress is ready
kubectl get ingress
kubectl describe ingress certctl
# Test HTTPS
curl https://certctl.example.com/health
```
## Monitoring and Logging
### 1. View Logs
```bash
# Server logs
kubectl logs -l app.kubernetes.io/component=server -f --all-containers=true
# PostgreSQL logs
kubectl logs -l app.kubernetes.io/component=postgres -f
# Agent logs
kubectl logs -l app.kubernetes.io/component=agent -f --all-containers=true
# Logs from all components
kubectl logs -l app.kubernetes.io/instance=certctl -f --all-containers=true
```
### 2. Install Prometheus Monitoring
```bash
# Install Prometheus operator (if not already installed)
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack \
--namespace monitoring \
--create-namespace
# Certctl will automatically expose metrics if monitoring.enabled=true
helm install certctl certctl/ \
--set monitoring.enabled=true \
--set monitoring.serviceMonitor.enabled=true
```
### 3. Set Up Alerts
```bash
# Create Prometheus alerts
cat <<EOF | kubectl apply -f -
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: certctl-alerts
spec:
groups:
- name: certctl
interval: 30s
rules:
- alert: CertctlServerDown
expr: up{job="certctl-server"} == 0
for: 5m
annotations:
summary: "Certctl server is down"
- alert: CertificateExpiringSoon
expr: certctl_certificate_expiring_soon > 0
for: 1h
annotations:
summary: "{{ \$value }} certificates expiring soon"
EOF
```
## Maintenance
### Scaling
```bash
# Scale server replicas
helm upgrade certctl certctl/ \
--set server.replicas=5
# Scale agents (Deployment kind only)
helm upgrade certctl certctl/ \
--set agent.kind=Deployment \
--set agent.replicas=10
```
### Updating
```bash
# Update chart version
helm repo update
helm upgrade certctl certctl/certctl \
--namespace certctl \
-f values.yaml
# Verify update
kubectl rollout status deployment/certctl-server
kubectl rollout status statefulset/certctl-postgres
```
### Backup and Restore
```bash
# Backup PostgreSQL data
kubectl exec -i $(kubectl get pods -l app.kubernetes.io/component=postgres -o jsonpath='{.items[0].metadata.name}') \
pg_dump -U certctl certctl | gzip > certctl-backup.sql.gz
# Restore from backup
zcat certctl-backup.sql.gz | kubectl exec -i $(kubectl get pods -l app.kubernetes.io/component=postgres -o jsonpath='{.items[0].metadata.name}') \
psql -U certctl certctl
# Backup PVC data
kubectl get pvc
kubectl exec -i $(kubectl get pods -l app.kubernetes.io/component=postgres -o jsonpath='{.items[0].metadata.name}') \
tar czf - /var/lib/postgresql/data | gzip > certctl-data-backup.tar.gz
```
### Uninstall
```bash
# Remove Helm release (keeps PVCs by default)
helm uninstall certctl --namespace certctl
# Delete PVCs if needed
kubectl delete pvc --all -n certctl
# Delete namespace
kubectl delete namespace certctl
```
## Troubleshooting
See [README.md](README.md#troubleshooting) for detailed troubleshooting steps.
Common commands:
```bash
# Get all resources
kubectl get all -n certctl
# Describe pod for events
kubectl describe pod <pod-name> -n certctl
# Stream logs
kubectl logs -f <pod-name> -n certctl
# Execute commands in pod
kubectl exec -it <pod-name> -n certctl -- /bin/sh
# Check events
kubectl get events -n certctl --sort-by='.lastTimestamp'
```
deploy/helm/INDEX.md
+234
View File
@@ -0,0 +1,234 @@
# Certctl Helm Chart - Complete File Index
## Navigation Guide
### Getting Started
1. **Start here**: `INSTALLATION.md` - Quick installation guide with one-liners
2. **Full reference**: `README.md` - Complete Helm chart documentation
3. **Detailed guide**: `DEPLOYMENT_GUIDE.md` - Step-by-step deployment walkthrough
4. **Architecture**: `CHART_SUMMARY.md` - Technical overview and design
### Chart Directory Structure
```
deploy/helm/
├── README.md Main documentation (15 KB)
├── DEPLOYMENT_GUIDE.md Step-by-step guide (12 KB)
├── CHART_SUMMARY.md Architecture & design (13 KB)
├── INSTALLATION.md Quick start (2.2 KB)
├── INDEX.md This file
├── certctl/ Helm chart package
│ ├── Chart.yaml Chart metadata
│ ├── values.yaml Default configuration (11 KB)
│ ├── .helmignore Build ignore patterns
│ │
│ └── templates/ 15 Kubernetes resource templates
│ ├── _helpers.tpl Helper functions
│ ├── NOTES.txt Post-install notes
│ ├── server-deployment.yaml API server
│ ├── server-service.yaml Server networking
│ ├── server-configmap.yaml Server configuration
│ ├── server-secret.yaml Server secrets
│ ├── postgres-statefulset.yaml Database
│ ├── postgres-service.yaml Database networking
│ ├── postgres-secret.yaml Database secrets
│ ├── agent-daemonset.yaml Agents (DaemonSet/Deployment)
│ ├── agent-configmap.yaml Agent configuration
│ ├── ingress.yaml Optional HTTPS ingress
│ └── serviceaccount.yaml RBAC resources
└── examples/ Example configurations
├── values-dev.yaml Development setup
├── values-prod-ha.yaml Production HA setup
├── values-external-db.yaml External PostgreSQL
└── values-acme-dns01.yaml ACME DNS-01 configuration
```
## File Descriptions
### Documentation Files
| File | Purpose | Size |
|------|---------|------|
| `README.md` | Complete Helm chart documentation, configuration reference, security considerations | 15 KB |
| `DEPLOYMENT_GUIDE.md` | Step-by-step installation instructions, production setup, troubleshooting | 12 KB |
| `CHART_SUMMARY.md` | Technical overview, architecture, features, best practices | 13 KB |
| `INSTALLATION.md` | Quick start guide, one-liner commands, verification steps | 2.2 KB |
| `INDEX.md` | This file - complete file index and navigation | - |
### Chart Files
| File | Purpose |
|------|---------|
| `Chart.yaml` | Helm chart metadata (name, version, appVersion, license) |
| `values.yaml` | Default configuration values with comprehensive comments |
| `.helmignore` | Files to ignore when building the chart |
### Template Files
| File | Components Created |
|------|-------------------|
| `_helpers.tpl` | 14 Helm template helper functions |
| `NOTES.txt` | Post-installation notes and instructions |
| `server-deployment.yaml` | Certctl API server deployment (1-N replicas) |
| `server-service.yaml` | Service exposing the server |
| `server-configmap.yaml` | Non-secret server configuration |
| `server-secret.yaml` | Secrets (API key, DB password, SMTP) |
| `postgres-statefulset.yaml` | PostgreSQL database with persistent storage |
| `postgres-service.yaml` | Headless service for PostgreSQL |
| `postgres-secret.yaml` | Database credentials |
| `agent-daemonset.yaml` | Certctl agents (DaemonSet or Deployment) |
| `agent-configmap.yaml` | Agent configuration |
| `ingress.yaml` | Optional HTTPS ingress resource |
| `serviceaccount.yaml` | ServiceAccount and RBAC resources |
### Example Configuration Files
| File | Use Case | Features |
|------|----------|----------|
| `values-dev.yaml` | Development/testing | Single replica, debug logging, LoadBalancer, no auth |
| `values-prod-ha.yaml` | Production HA | 3 replicas, pod anti-affinity, monitoring, large storage |
| `values-external-db.yaml` | External PostgreSQL | AWS RDS, Cloud SQL, Azure Database, self-managed |
| `values-acme-dns01.yaml` | Let's Encrypt | DNS-01 challenges, wildcard certs, custom DNS scripts |
## Quick Links
### Installation Commands
#### Development
```bash
helm install certctl certctl/ \
--set server.auth.type=none \
--set postgresql.auth.password=dev
```
#### Production HA
```bash
helm install certctl certctl/ \
--values examples/values-prod-ha.yaml \
--set server.auth.apiKey="$(openssl rand -base64 32)" \
--set postgresql.auth.password="$(openssl rand -base64 32)"
```
#### External Database
```bash
helm install certctl certctl/ \
--values examples/values-external-db.yaml \
--set postgresql.enabled=false \
--set 'server.env.CERTCTL_DATABASE_URL=postgres://...'
```
### Verification Commands
```bash
# Check chart syntax
helm lint certctl/
helm template certctl certctl/
# Install in cluster
helm install certctl certctl/
helm status certctl
# Check pod status
kubectl get pods -l app.kubernetes.io/instance=certctl
# View logs
kubectl logs -l app.kubernetes.io/component=server -f
```
## Documentation Organization
### By User Role
**DevOps/Platform Engineers**
- Start: `INSTALLATION.md`
- Deep dive: `DEPLOYMENT_GUIDE.md`
- Configuration reference: `README.md`
**Kubernetes Developers**
- Architecture: `CHART_SUMMARY.md`
- Configuration: `values.yaml`
- Templates: `templates/`
**Security/SREs**
- Security section: `README.md#security-considerations`
- RBAC: `templates/serviceaccount.yaml`
- Network policies: `DEPLOYMENT_GUIDE.md#network-policies`
**Database Administrators**
- PostgreSQL config: `values.yaml` (postgresql section)
- External DB setup: `examples/values-external-db.yaml`
- Backup/restore: `DEPLOYMENT_GUIDE.md#backup-and-restore`
### By Task
**Getting Started**
1. Read: `INSTALLATION.md`
2. Install: `helm install certctl certctl/`
3. Verify: Run commands in `INSTALLATION.md`
**Production Deployment**
1. Read: `DEPLOYMENT_GUIDE.md`
2. Choose: `examples/values-prod-ha.yaml`
3. Deploy: Follow step-by-step guide
4. Reference: `README.md` for detailed options
**Troubleshooting**
- Common issues: `README.md#troubleshooting`
- Detailed guide: `DEPLOYMENT_GUIDE.md#troubleshooting`
- Error messages: kubectl logs and events
**Configuration**
- All options: `values.yaml`
- Examples: `examples/values-*.yaml`
- Detailed docs: `README.md#configuration`
## Key Features
### High Availability
- Multi-replica server deployment
- Pod anti-affinity
- StatefulSet for database
- Pod disruption budgets
### Security
- Non-root containers
- Read-only filesystems
- RBAC support
- Kubernetes Secrets
- Network policies
### Flexibility
- Multiple issuers (Local CA, ACME, step-ca, OpenSSL)
- Internal or external PostgreSQL
- DaemonSet or Deployment agents
- Optional Ingress with TLS
- Email notifications
### Observability
- Health checks
- Structured logging
- Prometheus metrics
- ServiceMonitor support
## Support
- **GitHub**: https://github.com/shankar0123/certctl
- **Issues**: Report on GitHub issues
- **Documentation**: All docs are in `deploy/helm/`
## File Statistics
- **Total files**: 24
- **Documentation**: 4 files (42 KB)
- **Chart files**: 3 files
- **Templates**: 13 files
- **Examples**: 4 files
- **Total size**: 144 KB
## License
All files are covered under the BSL-1.1 license (converts to Apache 2.0 in 2033).
deploy/helm/INSTALLATION.md
+95
View File
@@ -0,0 +1,95 @@
# Quick Installation Guide
## One-Liner Installation
### Development (no auth)
```bash
helm install certctl certctl/ \
--set server.auth.type=none \
--set postgresql.auth.password=dev
```
### Production (with API key)
```bash
API_KEY=$(openssl rand -base64 32)
DB_PASSWORD=$(openssl rand -base64 32)
helm install certctl certctl/ \
--values examples/values-prod-ha.yaml \
--set server.auth.apiKey="$API_KEY" \
--set postgresql.auth.password="$DB_PASSWORD"
```
## Verify Installation
```bash
# Wait for pods to be ready
kubectl rollout status deployment/certctl-server
kubectl rollout status statefulset/certctl-postgres
# Check all components
kubectl get pods -l app.kubernetes.io/instance=certctl
# View server logs
kubectl logs -l app.kubernetes.io/component=server -f
# Access the API
kubectl port-forward svc/certctl-server 8443:8443 &
curl http://localhost:8443/health
```
## Next Steps
1. **Read Documentation**
- `README.md` - Complete reference
- `DEPLOYMENT_GUIDE.md` - Step-by-step guide
- `CHART_SUMMARY.md` - Architecture overview
2. **Configure for Your Environment**
- Review `examples/` for your deployment scenario
- Customize `values.yaml` as needed
- Use `helm upgrade` to apply changes
3. **Set Up Monitoring**
- Install Prometheus (optional)
- Enable Ingress with HTTPS
- Configure email notifications
4. **Deploy Agents**
- Agents deploy automatically as DaemonSet
- Verify with: `kubectl get pods -l app.kubernetes.io/component=agent`
5. **Create Certificates**
- Configure issuer connectors (Local CA, ACME, etc.)
- Access web dashboard at ingress or port-forward
## Common Commands
```bash
# List installations
helm list
# View chart values
helm values certctl
# Upgrade chart
helm upgrade certctl certctl/ -f new-values.yaml
# Rollback to previous version
helm rollback certctl 1
# Uninstall chart
helm uninstall certctl
# View deployment history
helm history certctl
# Dry-run installation to see generated YAML
helm install certctl certctl/ --dry-run --debug
```
## Support
- Full documentation in `README.md`
- Troubleshooting in `DEPLOYMENT_GUIDE.md`
- Issues: https://github.com/shankar0123/certctl
deploy/helm/README.md
+516
View File
@@ -0,0 +1,516 @@
# Certctl Helm Chart
Production-ready Helm chart for deploying certctl (self-hosted certificate lifecycle management platform) on Kubernetes.
## Table of Contents
1. [Quick Start](#quick-start)
2. [Chart Features](#chart-features)
3. [Prerequisites](#prerequisites)
4. [Installation](#installation)
5. [Configuration](#configuration)
6. [Usage Examples](#usage-examples)
7. [Upgrading](#upgrading)
8. [Uninstalling](#uninstalling)
9. [Architecture](#architecture)
10. [Security Considerations](#security-considerations)
11. [Troubleshooting](#troubleshooting)
## Quick Start
```bash
# Add the chart repository (when available)
helm repo add certctl https://charts.example.com
helm repo update
# Install with default values
helm install certctl certctl/certctl \
--set server.auth.apiKey="your-secure-api-key" \
--set postgresql.auth.password="your-secure-password"
# Check installation status
kubectl get pods -l app.kubernetes.io/instance=certctl
```
## Chart Features
- **Server Deployment** — certctl control plane with configurable replicas
- **PostgreSQL StatefulSet** — Persistent database with automatic schema migration
- **Agent DaemonSet or Deployment** — Flexible agent deployment (per-node or custom replicas)
- **Ingress Support** — Optional HTTPS ingress with cert-manager integration
- **Security Contexts** — Non-root containers, read-only filesystems, minimal capabilities
- **Resource Limits** — Configurable CPU and memory requests/limits
- **Health Checks** — Liveness and readiness probes on all containers
- **ConfigMaps and Secrets** — Centralized configuration management
- **Service Account and RBAC** — Optional cluster role bindings
- **Pod Disruption Budgets** — HA-ready with configurable disruption budgets
- **Monitoring** — Optional Prometheus ServiceMonitor support
## Prerequisites
- Kubernetes 1.19 or later
- Helm 3.0 or later
- Optional: cert-manager (for automatic TLS certificate provisioning)
- Optional: Prometheus (for metrics scraping)
## Installation
### 1. Using Chart from Repository
```bash
helm repo add certctl https://charts.example.com
helm repo update
helm install certctl certctl/certctl -f my-values.yaml
```
### 2. Using Local Chart
```bash
cd deploy/helm
helm install certctl certctl/ \
--set server.auth.apiKey="$(openssl rand -base64 32)" \
--set postgresql.auth.password="$(openssl rand -base64 32)"
```
### 3. Minimal Production Installation
```bash
helm install certctl certctl/certctl \
--namespace certctl \
--create-namespace \
--set server.auth.apiKey="change-me" \
--set postgresql.auth.password="change-me" \
--set server.replicas=2 \
--set server.resources.requests.cpu=200m \
--set server.resources.requests.memory=256Mi \
--set ingress.enabled=true \
--set ingress.className=nginx \
--set ingress.hosts[0].host=certctl.example.com
```
## Configuration
### Server Configuration
```yaml
server:
replicas: 1 # Number of server replicas
port: 8443 # Service port
auth:
type: api-key # Authentication type
apiKey: "your-api-key" # REQUIRED for production
logging:
level: info # Log level (debug, info, warn, error)
format: json # Output format
issuer:
local:
enabled: true # Enable local CA issuer
acme:
enabled: false # Enable ACME issuer
directoryURL: "" # ACME directory URL
email: "" # ACME registration email
challengeType: "http-01" # Challenge type (http-01, dns-01, dns-persist-01)
```
### PostgreSQL Configuration
```yaml
postgresql:
enabled: true # Use managed PostgreSQL
auth:
database: certctl
username: certctl
password: "your-password" # REQUIRED
storage:
size: 10Gi # PVC size
storageClass: "" # Use default StorageClass
```
### Agent Configuration
```yaml
agent:
enabled: true # Deploy agents
kind: DaemonSet # DaemonSet (one per node) or Deployment
replicas: 1 # For Deployment kind only
discoveryDirs: "" # Comma-separated cert discovery paths
nodeSelector: {} # Node affinity for DaemonSet
```
### Ingress Configuration
```yaml
ingress:
enabled: false
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: certctl-tls
hosts:
- certctl.example.com
```
See `values.yaml` for all available configuration options.
## Usage Examples
### Example 1: High Availability Setup
```yaml
# ha-values.yaml
server:
replicas: 3
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 1000m
memory: 512Mi
postgresql:
storage:
size: 50Gi
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values: [server]
topologyKey: kubernetes.io/hostname
```
Deploy with:
```bash
helm install certctl certctl/certctl -f ha-values.yaml
```
### Example 2: External PostgreSQL Database
```yaml
# external-db-values.yaml
postgresql:
enabled: false
server:
env:
CERTCTL_DATABASE_URL: "postgres://user:password@rds.example.com:5432/certctl?sslmode=require"
```
Deploy with:
```bash
helm install certctl certctl/certctl -f external-db-values.yaml
```
### Example 3: ACME + Let's Encrypt
```yaml
# acme-values.yaml
server:
issuer:
acme:
enabled: true
directoryURL: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
challengeType: dns-01
dnsPresentScript: /scripts/dns-present.sh
dnsCleanupScript: /scripts/dns-cleanup.sh
dnsPropagationWait: 30s
```
### Example 4: Email Notifications via Slack + SMTP
```yaml
# notifications-values.yaml
server:
smtp:
enabled: true
host: smtp.example.com
port: 587
username: certctl@example.com
password: "smtp-password"
fromAddress: certctl@example.com
useTLS: true
notifiers:
slack:
enabled: true
webhookUrl: https://hooks.slack.com/services/YOUR/WEBHOOK/URL
channel: "#certificates"
```
## Upgrading
```bash
# Update chart repository
helm repo update
# Upgrade release
helm upgrade certctl certctl/certctl -f values.yaml
# View upgrade history
helm history certctl
# Rollback to previous version
helm rollback certctl 1
```
## Uninstalling
```bash
# Delete the release (keeps data by default)
helm uninstall certctl
# Also delete persistent data
kubectl delete pvc --all -l app.kubernetes.io/instance=certctl
# Delete namespace
kubectl delete namespace certctl
```
## Architecture
### Components
```
┌──────────────────────────────────────────────────────────────┐
│ Kubernetes Cluster │
├──────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌──────────────────┐ │
│ │ Ingress/LB │ │ Agent Pod 1 │ │
│ │ (optional) │ │ (DaemonSet) │ │
│ └────────┬────────┘ └──────────────────┘ │
│ │ │
│ ▼ ┌──────────────────┐ │
│ ┌─────────────────────────┐ │ Agent Pod 2 │ │
│ │ Server Deployment │ │ (DaemonSet) │ │
│ │ (1 to N replicas) │ └──────────────────┘ │
│ │ - REST API │ │
│ │ - Scheduler │ ┌──────────────────┐ │
│ │ - UI Dashboard │ │ Agent Pod N │ │
│ └────────┬────────────────┘ │ (DaemonSet) │ │
│ │ └──────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────┐ │
│ │ PostgreSQL StatefulSet │ │
│ │ - Database │ │
│ │ - PVC (persistent) │ │
│ └──────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────┘
```
### Network Communication
- **Server → PostgreSQL**: Internal cluster DNS (`certctl-postgres:5432`)
- **Agent → Server**: Internal cluster DNS (`certctl-server:8443`)
- **External → Server**: Via Ingress or Service (ClusterIP/LoadBalancer/NodePort)
## Security Considerations
### 1. Secrets Management
All sensitive data is stored in Kubernetes Secrets:
- PostgreSQL credentials
- API keys
- SMTP passwords
- ACME account secrets
**Best Practices:**
- Use sealed-secrets or external-secrets operator
- Enable encryption at rest in etcd
- Rotate secrets regularly
```bash
# Example: Using sealed-secrets
kubectl create secret generic certctl-api-key --from-literal=api-key="$(openssl rand -base64 32)" --dry-run=client -o yaml | kubeseal -f - | kubectl apply -f -
```
### 2. RBAC
The chart creates minimal RBAC by default:
- ServiceAccount per release
- ClusterRole (empty, extensible)
- ClusterRoleBinding
**To restrict further:**
```yaml
rbac:
create: true
# Add specific rules here
```
### 3. Pod Security
All containers run with:
- Non-root user (UID 1000)
- Read-only root filesystem
- No privilege escalation
- Dropped capabilities (ALL)
### 4. Network Policies
Restrict pod-to-pod communication:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: certctl-default-deny
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: certctl
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: certctl
egress:
- to:
- namespaceSelector:
matchLabels:
name: certctl
- to:
- podSelector: {}
ports:
- protocol: TCP
port: 53 # DNS
- protocol: UDP
port: 53
```
### 5. TLS/HTTPS
Enable HTTPS with cert-manager:
```bash
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true
```
Then configure Ingress with TLS.
### 6. API Key Security
For production:
1. Generate a strong API key: `openssl rand -base64 32`
2. Store securely (Vault, sealed-secrets, etc.)
3. Never commit to Git
4. Rotate periodically
```bash
# Generate and deploy API key
NEW_KEY=$(openssl rand -base64 32)
kubectl patch secret certctl-server -p "{\"data\":{\"api-key\":\"$(echo -n $NEW_KEY | base64)\"}}"
```
## Troubleshooting
### 1. Pods Not Starting
```bash
# Check pod status
kubectl get pods -l app.kubernetes.io/instance=certctl
kubectl describe pod <pod-name>
kubectl logs <pod-name>
```
### 2. Database Connection Issues
```bash
# Verify PostgreSQL is running
kubectl get pods -l app.kubernetes.io/component=postgres
kubectl logs -l app.kubernetes.io/component=postgres
# Test connection from server pod
kubectl exec -it <server-pod> -- \
psql postgres://certctl:password@certctl-postgres:5432/certctl
```
### 3. Agent Not Connecting
```bash
# Check agent logs
kubectl logs -l app.kubernetes.io/component=agent
# Verify server is reachable
kubectl exec -it <agent-pod> -- \
wget -q -O - http://certctl-server:8443/health
```
### 4. Persistent Data Loss
```bash
# Check PVC status
kubectl get pvc
# Verify data is being stored
kubectl exec -it <postgres-pod> -- \
ls -lah /var/lib/postgresql/data/postgres
```
### 5. Permission Denied Errors
The chart runs containers as non-root (UID 1000). If you see permission errors:
```yaml
# Temporarily allow root for debugging
server:
securityContext:
runAsUser: 0 # NOT FOR PRODUCTION
```
### 6. Out of Memory
Increase resource limits:
```bash
helm upgrade certctl certctl/certctl \
--set server.resources.limits.memory=1Gi \
--set postgresql.resources.limits.memory=2Gi
```
### 7. Certificate Validation Issues
For self-signed certificates:
```bash
kubectl exec -it <pod> -- \
CERTCTL_TLS_INSECURE_SKIP_VERIFY=true <command>
```
### Common Issues and Solutions
| Issue | Solution |
|-------|----------|
| `ImagePullBackOff` | Update `server.image.repository` to your registry |
| `CrashLoopBackOff` | Check logs with `kubectl logs <pod>` |
| `Pending` PVC | Check storage class availability |
| Connection timeout | Verify network policies and service DNS |
| High memory usage | Adjust `postgresql.resources.limits` and `server.resources.limits` |
## Support and Contributing
For issues, questions, or contributions, visit:
- GitHub: https://github.com/shankar0123/certctl
- Documentation: https://github.com/shankar0123/certctl/tree/main/docs
## License
BSL-1.1 (converts to Apache 2.0 in 2033)
deploy/helm/certctl/.helmignore
+31
View File
@@ -0,0 +1,31 @@
# Patterns to ignore when building packages.
# This supports shell glob patterns, relative path patterns, and negated
# patterns. Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.swo
*~
*.pyo
*.pyc
.pytest_cache/
*.egg-info/
dist/
build/
# IDE
.vscode/
.idea/
*.sublime-project
*.sublime-workspace
# OS
Thumbs.db
# Helm
Chart.lock
deploy/helm/certctl/Chart.yaml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: v2
name: certctl
description: Self-hosted certificate lifecycle management platform
type: application
version: 0.1.0
appVersion: "2.1.0"
keywords:
- certificate
- tls
- ssl
- pki
- acme
- lifecycle
- kubernetes
maintainers:
- name: certctl
home: https://github.com/shankar0123/certctl
sources:
- https://github.com/shankar0123/certctl
license: BSL-1.1
deploy/helm/certctl/templates/NOTES.txt
+68
View File
@@ -0,0 +1,68 @@
1. Get the certctl Server URL by running:
{{- if .Values.ingress.enabled }}
https://{{ index .Values.ingress.hosts 0 "host" }}
{{- else if contains "NodePort" .Values.server.service.type }}
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "certctl.fullname" . }}-server)
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.server.service.type }}
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "certctl.fullname" . }}-server --template "{.status.loadBalancer.ingress[0].ip}")
echo http://$SERVICE_IP:{{ .Values.server.service.port }}
{{- else }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "certctl.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=server" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
2. Get the default API key:
kubectl get secret --namespace {{ .Release.Namespace }} {{ include "certctl.fullname" . }}-server -o jsonpath="{.data.api-key}" | base64 --decode; echo
3. Get PostgreSQL connection details:
Host: {{ include "certctl.fullname" . }}-postgres.{{ .Release.Namespace }}.svc.cluster.local
Port: 5432
Database: {{ .Values.postgresql.auth.database }}
Username: {{ .Values.postgresql.auth.username }}
Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "certctl.fullname" . }}-postgres -o jsonpath="{.data.password}" | base64 --decode)
4. Check deployment status:
kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
5. View server logs:
kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "certctl.name" . }},app.kubernetes.io/component=server -f
{{- if .Values.agent.enabled }}
6. View agent logs:
kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "certctl.name" . }},app.kubernetes.io/component=agent -f
{{- end }}
IMPORTANT NOTES FOR PRODUCTION:
1. Update the API key for security:
kubectl patch secret {{ include "certctl.fullname" . }}-server -n {{ .Release.Namespace }} \
-p '{"data":{"api-key":"'$(echo -n "YOUR_NEW_API_KEY" | base64)'"}}'
2. Update PostgreSQL password:
kubectl patch secret {{ include "certctl.fullname" . }}-postgres -n {{ .Release.Namespace }} \
-p '{"data":{"password":"'$(echo -n "YOUR_NEW_PASSWORD" | base64)'"}}'
3. Configure certificate issuers (ACME, step-ca, etc.) via values.yaml:
helm upgrade {{ .Release.Name }} certctl/certctl \
--set server.issuer.acme.enabled=true \
--set server.issuer.acme.directoryURL=https://acme-v02.api.letsencrypt.org/directory \
--set server.issuer.acme.email=admin@example.com
4. For production with persistent databases and backups:
- Use an external PostgreSQL managed service (AWS RDS, Cloud SQL, etc.)
- Set postgresql.enabled=false and configure CERTCTL_DATABASE_URL in values
5. Enable HTTPS/TLS using an Ingress with certificate management:
- Configure cert-manager for automatic TLS certificate renewal
- Update ingress values with your domain and certificate issuer
6. Review security contexts and network policies:
- All containers run as non-root
- Implement network policies to restrict traffic between components
- Consider pod security policies or security standards for your cluster
deploy/helm/certctl/templates/_helpers.tpl
+125
View File
@@ -0,0 +1,125 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "certctl.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "certctl.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "certctl.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "certctl.labels" -}}
helm.sh/chart: {{ include "certctl.chart" . }}
{{ include "certctl.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Selector labels for the main service (server, agent, postgres)
*/}}
{{- define "certctl.selectorLabels" -}}
app.kubernetes.io/name: {{ include "certctl.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Server selector labels
*/}}
{{- define "certctl.serverSelectorLabels" -}}
{{ include "certctl.selectorLabels" . }}
app.kubernetes.io/component: server
{{- end }}
{{/*
Agent selector labels
*/}}
{{- define "certctl.agentSelectorLabels" -}}
{{ include "certctl.selectorLabels" . }}
app.kubernetes.io/component: agent
{{- end }}
{{/*
PostgreSQL selector labels
*/}}
{{- define "certctl.postgresSelectorLabels" -}}
{{ include "certctl.selectorLabels" . }}
app.kubernetes.io/component: postgres
{{- end }}
{{/*
Service account name
*/}}
{{- define "certctl.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "certctl.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Server image
*/}}
{{- define "certctl.serverImage" -}}
{{- $image := .Values.server.image }}
{{- printf "%s:%s" $image.repository (coalesce $image.tag .Chart.AppVersion) }}
{{- end }}
{{/*
Agent image
*/}}
{{- define "certctl.agentImage" -}}
{{- $image := .Values.agent.image }}
{{- printf "%s:%s" $image.repository (coalesce $image.tag .Chart.AppVersion) }}
{{- end }}
{{/*
PostgreSQL image
*/}}
{{- define "certctl.postgresImage" -}}
{{- $image := .Values.postgresql.image }}
{{- printf "%s:%s" $image.repository $image.tag }}
{{- end }}
{{/*
Database connection string
*/}}
{{- define "certctl.databaseURL" -}}
postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "certctl.fullname" . }}-postgres:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable
{{- end }}
{{/*
Server URL (for agents)
*/}}
{{- define "certctl.serverURL" -}}
http://{{ include "certctl.fullname" . }}-server:{{ .Values.server.service.port }}
{{- end }}
deploy/helm/certctl/templates/agent-configmap.yaml
+13
View File
@@ -0,0 +1,13 @@
{{- if .Values.agent.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "certctl.fullname" . }}-agent
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: agent
data:
{{- if .Values.agent.discoveryDirs }}
discovery-dirs: {{ .Values.agent.discoveryDirs | quote }}
{{- end }}
{{- end }}
deploy/helm/certctl/templates/agent-daemonset.yaml
+162
View File
@@ -0,0 +1,162 @@
{{- if .Values.agent.enabled }}
{{- if eq .Values.agent.kind "DaemonSet" }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "certctl.fullname" . }}-agent
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: agent
spec:
selector:
matchLabels:
{{- include "certctl.agentSelectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "certctl.agentSelectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "certctl.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.agent.securityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: agent
image: {{ include "certctl.agentImage" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
env:
- name: CERTCTL_SERVER_URL
value: {{ include "certctl.serverURL" . }}
- name: CERTCTL_API_KEY
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: api-key
- name: CERTCTL_AGENT_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: CERTCTL_KEY_DIR
value: {{ .Values.agent.keyDir }}
{{- if .Values.agent.discoveryDirs }}
- name: CERTCTL_DISCOVERY_DIRS
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-agent
key: discovery-dirs
{{- end }}
{{- with .Values.agent.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.agent.resources | nindent 12 }}
volumeMounts:
- name: agent-keys
mountPath: {{ .Values.agent.keyDir }}
- name: tmp
mountPath: /tmp
volumes:
- name: agent-keys
emptyDir:
sizeLimit: 1Gi
- name: tmp
emptyDir: {}
{{- else if eq .Values.agent.kind "Deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "certctl.fullname" . }}-agent
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: agent
spec:
replicas: {{ .Values.agent.replicas }}
selector:
matchLabels:
{{- include "certctl.agentSelectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "certctl.agentSelectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "certctl.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.agent.securityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.agent.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: agent
image: {{ include "certctl.agentImage" . }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
env:
- name: CERTCTL_SERVER_URL
value: {{ include "certctl.serverURL" . }}
- name: CERTCTL_API_KEY
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: api-key
- name: CERTCTL_AGENT_NAME
{{- if .Values.agent.name }}
value: {{ .Values.agent.name | quote }}
{{- else }}
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: CERTCTL_KEY_DIR
value: {{ .Values.agent.keyDir }}
{{- if .Values.agent.discoveryDirs }}
- name: CERTCTL_DISCOVERY_DIRS
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-agent
key: discovery-dirs
{{- end }}
{{- with .Values.agent.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.agent.resources | nindent 12 }}
volumeMounts:
- name: agent-keys
mountPath: {{ .Values.agent.keyDir }}
- name: tmp
mountPath: /tmp
volumes:
- name: agent-keys
emptyDir:
sizeLimit: 1Gi
- name: tmp
emptyDir: {}
{{- end }}
{{- end }}
deploy/helm/certctl/templates/ingress.yaml
+41
View File
@@ -0,0 +1,41 @@
{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "certctl.fullname" . }}
labels:
{{- include "certctl.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ include "certctl.fullname" . }}-server
port:
number: {{ $.Values.server.service.port }}
{{- end }}
{{- end }}
{{- end }}
deploy/helm/certctl/templates/postgres-secret.yaml
+12
View File
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "certctl.fullname" . }}-postgres
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: postgres
type: Opaque
stringData:
password: {{ .Values.postgresql.auth.password | default "changeme" | quote }}
username: {{ .Values.postgresql.auth.username | quote }}
database: {{ .Values.postgresql.auth.database | quote }}
deploy/helm/certctl/templates/postgres-service.yaml
+18
View File
@@ -0,0 +1,18 @@
{{- if .Values.postgresql.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "certctl.fullname" . }}-postgres
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: postgres
spec:
clusterIP: None
ports:
- port: {{ .Values.postgresql.service.port }}
targetPort: postgres
protocol: TCP
name: postgres
selector:
{{- include "certctl.postgresSelectorLabels" . | nindent 4 }}
{{- end }}
deploy/helm/certctl/templates/postgres-statefulset.yaml
+79
View File
@@ -0,0 +1,79 @@
{{- if .Values.postgresql.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "certctl.fullname" . }}-postgres
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: postgres
spec:
serviceName: {{ include "certctl.fullname" . }}-postgres
replicas: 1
selector:
matchLabels:
{{- include "certctl.postgresSelectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "certctl.postgresSelectorLabels" . | nindent 8 }}
spec:
securityContext:
{{- toYaml .Values.postgresql.securityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: postgres
image: {{ include "certctl.postgresImage" . }}
imagePullPolicy: {{ .Values.postgresql.image.pullPolicy }}
ports:
- name: postgres
containerPort: 5432
protocol: TCP
env:
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-postgres
key: database
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-postgres
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-postgres
key: password
- name: POSTGRES_INITDB_ARGS
value: "--encoding=UTF8"
livenessProbe:
{{- toYaml .Values.postgresql.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.postgresql.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.postgresql.resources | nindent 12 }}
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
subPath: postgres
- name: postgres-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: postgres-init
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: postgres-data
spec:
accessModes:
- ReadWriteOnce
{{- if .Values.postgresql.storage.storageClass }}
storageClassName: {{ .Values.postgresql.storage.storageClass }}
{{- end }}
resources:
requests:
storage: {{ .Values.postgresql.storage.size }}
{{- end }}
deploy/helm/certctl/templates/server-configmap.yaml
+36
View File
@@ -0,0 +1,36 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "certctl.fullname" . }}-server
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: server
data:
log-level: {{ .Values.server.logging.level | quote }}
auth-type: {{ .Values.server.auth.type | quote }}
keygen-mode: {{ .Values.server.keygen.mode | quote }}
rate-limit-rps: {{ .Values.server.rateLimiting.rps | quote }}
rate-limit-burst: {{ .Values.server.rateLimiting.burst | quote }}
{{- if .Values.server.cors.origins }}
cors-origins: {{ .Values.server.cors.origins | quote }}
{{- end }}
{{- if .Values.server.networkScan.enabled }}
network-scan-interval: {{ .Values.server.networkScan.interval | quote }}
{{- end }}
{{- if .Values.server.est.enabled }}
est-issuer-id: {{ .Values.server.est.issuerID | quote }}
{{- if .Values.server.est.profileID }}
est-profile-id: {{ .Values.server.est.profileID | quote }}
{{- end }}
{{- end }}
{{- if .Values.server.smtp.enabled }}
smtp-host: {{ .Values.server.smtp.host | quote }}
smtp-port: {{ .Values.server.smtp.port | quote }}
smtp-username: {{ .Values.server.smtp.username | quote }}
smtp-from-address: {{ .Values.server.smtp.fromAddress | quote }}
{{- end }}
{{- if .Values.server.issuer.acme.enabled }}
acme-directory-url: {{ .Values.server.issuer.acme.directoryURL | quote }}
acme-email: {{ .Values.server.issuer.acme.email | quote }}
acme-challenge-type: {{ .Values.server.issuer.acme.challengeType | quote }}
{{- end }}
deploy/helm/certctl/templates/server-deployment.yaml
+196
View File
@@ -0,0 +1,196 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "certctl.fullname" . }}-server
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: server
spec:
{{- if gt (int .Values.server.replicas) 1 }}
replicas: {{ .Values.server.replicas }}
{{- end }}
selector:
matchLabels:
{{- include "certctl.serverSelectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "certctl.serverSelectorLabels" . | nindent 8 }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/server-configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/server-secret.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "certctl.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.server.securityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: server
image: {{ include "certctl.serverImage" . }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.server.port }}
protocol: TCP
env:
- name: CERTCTL_SERVER_HOST
value: "0.0.0.0"
- name: CERTCTL_SERVER_PORT
value: "{{ .Values.server.port }}"
- name: CERTCTL_DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: database-url
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-postgres
key: password
- name: CERTCTL_LOG_LEVEL
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: log-level
- name: CERTCTL_LOG_FORMAT
value: "json"
- name: CERTCTL_AUTH_TYPE
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: auth-type
{{- if eq .Values.server.auth.type "api-key" }}
- name: CERTCTL_AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: api-key
{{- end }}
- name: CERTCTL_KEYGEN_MODE
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: keygen-mode
- name: CERTCTL_RATE_LIMIT_RPS
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: rate-limit-rps
- name: CERTCTL_RATE_LIMIT_BURST
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: rate-limit-burst
{{- if .Values.server.cors.origins }}
- name: CERTCTL_CORS_ORIGINS
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: cors-origins
{{- end }}
{{- if .Values.server.networkScan.enabled }}
- name: CERTCTL_NETWORK_SCAN_ENABLED
value: "true"
- name: CERTCTL_NETWORK_SCAN_INTERVAL
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: network-scan-interval
{{- end }}
{{- if .Values.server.est.enabled }}
- name: CERTCTL_EST_ENABLED
value: "true"
- name: CERTCTL_EST_ISSUER_ID
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: est-issuer-id
{{- if .Values.server.est.profileID }}
- name: CERTCTL_EST_PROFILE_ID
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: est-profile-id
{{- end }}
{{- end }}
{{- if .Values.server.smtp.enabled }}
- name: CERTCTL_SMTP_HOST
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: smtp-host
- name: CERTCTL_SMTP_PORT
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: smtp-port
- name: CERTCTL_SMTP_USERNAME
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: smtp-username
- name: CERTCTL_SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: smtp-password
- name: CERTCTL_SMTP_FROM_ADDRESS
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: smtp-from-address
{{- end }}
{{- if .Values.server.issuer.acme.enabled }}
- name: CERTCTL_ACME_DIRECTORY_URL
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: acme-directory-url
- name: CERTCTL_ACME_EMAIL
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: acme-email
- name: CERTCTL_ACME_CHALLENGE_TYPE
valueFrom:
configMapKeyRef:
name: {{ include "certctl.fullname" . }}-server
key: acme-challenge-type
{{- end }}
{{- with .Values.server.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
livenessProbe:
{{- toYaml .Values.server.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.server.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
volumeMounts:
- name: tmp
mountPath: /tmp
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12 }}
{{- end }}
volumes:
- name: tmp
emptyDir: {}
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 8 }}
{{- end }}
{{- if .Values.nodeAffinity }}
affinity:
nodeAffinity:
{{- toYaml .Values.nodeAffinity | nindent 10 }}
{{- else if .Values.podAntiAffinity }}
affinity:
podAntiAffinity:
{{- toYaml .Values.podAntiAffinity | nindent 10 }}
{{- else if .Values.podAffinity }}
affinity:
podAffinity:
{{- toYaml .Values.podAffinity | nindent 10 }}
{{- end }}
deploy/helm/certctl/templates/server-secret.yaml
+16
View File
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "certctl.fullname" . }}-server
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: server
type: Opaque
stringData:
database-url: postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "certctl.fullname" . }}-postgres:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable
{{- if and (eq .Values.server.auth.type "api-key") .Values.server.auth.apiKey }}
api-key: {{ .Values.server.auth.apiKey | quote }}
{{- end }}
{{- if .Values.server.smtp.enabled }}
smtp-password: {{ .Values.server.smtp.password | quote }}
{{- end }}
deploy/helm/certctl/templates/server-service.yaml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "certctl.fullname" . }}-server
labels:
{{- include "certctl.labels" . | nindent 4 }}
app.kubernetes.io/component: server
{{- with .Values.server.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.server.service.type }}
ports:
- port: {{ .Values.server.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "certctl.serverSelectorLabels" . | nindent 4 }}
deploy/helm/certctl/templates/serviceaccount.yaml
+37
View File
@@ -0,0 +1,37 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "certctl.serviceAccountName" . }}
labels:
{{- include "certctl.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "certctl.fullname" . }}
labels:
{{- include "certctl.labels" . | nindent 4 }}
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "certctl.fullname" . }}
labels:
{{- include "certctl.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "certctl.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "certctl.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
deploy/helm/certctl/values.yaml
+434
View File
@@ -0,0 +1,434 @@
# Default values for certctl Helm chart
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Namespace override (optional)
namespace: ""
# Global configuration
commonLabels: {}
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# ==============================================================================
# Certctl Server Configuration
# ==============================================================================
server:
# Number of replicas (for HA deployments)
replicas: 1
# Image configuration
image:
repository: ghcr.io/shankar0123/certctl
tag: "" # defaults to Chart.appVersion
pullPolicy: IfNotPresent
# Server port
port: 8443
# Resource requests and limits
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Pod security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# Liveness and readiness probes
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /readyz
port: http
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 2
# Service type (ClusterIP, LoadBalancer, NodePort)
service:
type: ClusterIP
port: 8443
annotations: {}
# Authentication configuration
auth:
type: api-key # Options: api-key, none (for demo only)
apiKey: "" # REQUIRED in production - set via --set or values override
# Logging configuration
logging:
level: info # debug, info, warn, error
format: json # json or text
# SMTP configuration for email notifications (optional)
smtp:
enabled: false
host: ""
port: 587
username: ""
password: ""
fromAddress: ""
useTLS: true
# Certificate digest digest (periodic email summary)
digest:
enabled: false
interval: "24h"
recipients: []
# Example:
# - admin@example.com
# - ops@example.com
# Enrollment over Secure Transport (EST) configuration
est:
enabled: false
issuerID: "iss-local"
profileID: ""
# Rate limiting configuration
rateLimiting:
rps: 100 # Requests per second
burst: 200 # Burst capacity
# Network scanning configuration
networkScan:
enabled: false
interval: "6h"
# Certificate key generation mode
keygen:
mode: agent # Options: agent (production), server (demo with warning)
# CORS configuration
cors:
origins: "" # Comma-separated list, empty means deny all cross-origin requests
# Issuer connectors configuration
issuer:
local:
enabled: true
# For sub-CA mode, provide these paths:
# caCertPath: /path/to/ca.crt
# caKeyPath: /path/to/ca.key
acme:
enabled: false
directoryURL: ""
email: ""
challengeType: "http-01" # Options: http-01, dns-01, dns-persist-01
# DNS configuration (for dns-01 or dns-persist-01)
# dnsPresentScript: /path/to/dns-present.sh
# dnsCleanupScript: /path/to/dns-cleanup.sh
# dnsPropagationWait: "30s"
# dnsPersistIssuerDomain: "validation.example.com"
# EAB configuration (for ZeroSSL, Google Trust Services, etc.)
# eabKid: ""
# eabHmac: ""
stepca:
enabled: false
# rootCAPath: /path/to/root_ca.crt
# intermediateCAPath: /path/to/intermediate_ca.crt
# provisionerName: ""
# provisionerPassword: ""
openssl:
enabled: false
# signScript: /path/to/sign.sh
# revokeScript: /path/to/revoke.sh
# crlScript: /path/to/crl.sh
# timeoutSeconds: 30
# Notifier connectors configuration
notifiers:
slack:
enabled: false
# webhookUrl: ""
# channel: ""
# username: ""
# iconEmoji: ""
teams:
enabled: false
# webhookUrl: ""
pagerduty:
enabled: false
# routingKey: ""
# severity: warning
opsgenie:
enabled: false
# apiKey: ""
# priority: P3
# Additional environment variables
# Will be passed as-is to the server container
env: {}
# Example:
# CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL: "1h"
# CERTCTL_DATABASE_MAX_CONNS: "25"
# Additional volume mounts for custom configurations
# volumeMounts: []
# - name: ca-cert
# mountPath: /etc/ssl/certs/ca.crt
# subPath: ca.crt
# Additional volumes
# volumes: []
# - name: ca-cert
# secret:
# secretName: ca-cert
# ==============================================================================
# PostgreSQL Configuration
# ==============================================================================
postgresql:
# Enable/disable PostgreSQL (set to false if using external database)
enabled: true
# Image configuration
image:
repository: postgres
tag: "16-alpine"
pullPolicy: IfNotPresent
# Authentication
auth:
database: certctl
username: certctl
password: "" # REQUIRED - set via --set or values override
# Storage configuration
storage:
size: 10Gi
storageClass: "" # Uses default StorageClass if empty
# deleteOnTermination: false # Keep data on Helm uninstall
# Resource requests and limits
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Pod security context
securityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
fsGroup: 999
# Liveness and readiness probes
livenessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U certctl -d certctl
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U certctl -d certctl
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 2
# Service configuration
service:
type: ClusterIP
port: 5432
# PostgreSQL-specific settings
postgresqlConfig: {}
# Example:
# max_connections: "200"
# shared_buffers: "256MB"
# ==============================================================================
# Certctl Agent Configuration
# ==============================================================================
agent:
# Enable/disable agent deployment
enabled: true
# Deployment strategy: DaemonSet (recommended) or Deployment
kind: DaemonSet # Options: DaemonSet, Deployment
# Image configuration
image:
repository: ghcr.io/shankar0123/certctl-agent
tag: "" # defaults to Chart.appVersion
pullPolicy: IfNotPresent
# Number of replicas (for Deployment kind; ignored for DaemonSet)
replicas: 1
# Resource requests and limits
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 256Mi
# Pod security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# Agent name (can be overridden per pod via StatefulSet ordinals)
name: "" # If empty, uses release name
# Key storage directory
keyDir: /var/lib/certctl/keys
# Certificate discovery directories (comma-separated)
discoveryDirs: ""
# Example: "/etc/ssl/certs,/etc/pki/tls"
# Node selector for agent pods (for DaemonSet)
nodeSelector: {}
# Example:
# node-role.kubernetes.io/worker: "true"
# Tolerations for agent pods
tolerations: []
# Example:
# - key: node-role
# operator: Equal
# value: worker
# effect: NoSchedule
# Affinity rules
affinity: {}
# Additional environment variables
env: {}
# ==============================================================================
# Ingress Configuration
# ==============================================================================
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: certctl.local
paths:
- path: /
pathType: Prefix
tls: []
# - secretName: certctl-tls
# hosts:
# - certctl.local
# ==============================================================================
# Service Account Configuration
# ==============================================================================
serviceAccount:
create: true
annotations: {}
name: "" # defaults to release name if empty
# ==============================================================================
# RBAC Configuration
# ==============================================================================
rbac:
create: true
# ==============================================================================
# Pod Disruption Budget (for HA deployments)
# ==============================================================================
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# ==============================================================================
# Monitoring Configuration
# ==============================================================================
monitoring:
enabled: false
# Prometheus ServiceMonitor
serviceMonitor:
enabled: false
interval: 30s
scrapeTimeout: 10s
# labels: {}
# selector: {}
# ==============================================================================
# Advanced Configuration
# ==============================================================================
# Node affinity for server pods
nodeAffinity: {}
# Pod affinity for server pods
podAffinity: {}
# Pod anti-affinity for server pods (for HA)
podAntiAffinity: {}
# Example:
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 100
# podAffinityTerm:
# labelSelector:
# matchExpressions:
# - key: app.kubernetes.io/name
# operator: In
# values:
# - certctl
# topologyKey: kubernetes.io/hostname
# Custom labels for all resources
customLabels: {}
# Custom annotations for all resources
customAnnotations: {}
deploy/helm/examples/values-acme-dns01.yaml
+77
View File
@@ -0,0 +1,77 @@
# Certctl with ACME DNS-01 Challenge (Let's Encrypt)
# Enables automatic certificate issuance from Let's Encrypt
# using DNS-01 verification (wildcard-capable)
server:
auth:
type: api-key
apiKey: "CHANGE_ME"
issuer:
local:
enabled: true
acme:
enabled: true
directoryURL: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
challengeType: dns-01
dnsPresentScript: /scripts/dns-present.sh
dnsCleanupScript: /scripts/dns-cleanup.sh
dnsPropagationWait: 30s
# For DNS-PERSIST-01 (standing validation record, no per-renewal updates):
# challengeType: dns-persist-01
# dnsPersistIssuerDomain: validation.example.com
# Mount DNS scripts as ConfigMap
volumes:
- name: dns-scripts
configMap:
name: dns-scripts
defaultMode: 0755
volumeMounts:
- name: dns-scripts
mountPath: /scripts
readOnly: true
postgresql:
enabled: true
storage:
size: 20Gi
agent:
enabled: true
kind: DaemonSet
ingress:
enabled: true
className: nginx
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
---
# You'll need to create the DNS scripts ConfigMap separately:
#
# kubectl create configmap dns-scripts \
# --from-file=dns-present.sh=./scripts/dns-present.sh \
# --from-file=dns-cleanup.sh=./scripts/dns-cleanup.sh
#
# Example dns-present.sh (Cloudflare):
# #!/bin/bash
# DOMAIN=$1
# TOKEN=$2
#
# curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
# -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
# -d "{\"type\":\"TXT\",\"name\":\"_acme-challenge.${DOMAIN}\",\"content\":\"${TOKEN}\"}"
#
# Example dns-cleanup.sh (Cloudflare):
# #!/bin/bash
# DOMAIN=$1
#
# curl -X DELETE "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}" \
# -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}"
deploy/helm/examples/values-dev.yaml
+99
View File
@@ -0,0 +1,99 @@
# Certctl Development Configuration
# Lightweight setup for development and testing
# - Single server replica
# - Small PostgreSQL storage
# - Minimal resource limits
# - No ingress or monitoring
# - Demo auth mode (no API key required)
server:
replicas: 1
image:
repository: ghcr.io/shankar0123/certctl
pullPolicy: IfNotPresent # Use latest tag
port: 8443
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 256Mi
auth:
type: none # Demo mode - no authentication
logging:
level: debug
format: json
service:
type: LoadBalancer # Easy external access for dev
issuer:
local:
enabled: true
rateLimiting:
rps: 100
burst: 200
postgresql:
enabled: true
image:
repository: postgres
tag: "16-alpine"
pullPolicy: IfNotPresent
auth:
database: certctl
username: certctl
password: "dev-password-change-me"
storage:
size: 5Gi
storageClass: "" # Use default storage class
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
agent:
enabled: true
kind: Deployment
replicas: 1
image:
repository: ghcr.io/shankar0123/certctl-agent
pullPolicy: IfNotPresent
resources:
requests:
cpu: 25m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
ingress:
enabled: false
serviceAccount:
create: true
rbac:
create: true
monitoring:
enabled: false
customLabels:
environment: development
deploy/helm/examples/values-external-db.yaml
+50
View File
@@ -0,0 +1,50 @@
# Certctl with External PostgreSQL Database
# Use this when PostgreSQL is managed externally:
# - AWS RDS
# - Cloud SQL (Google Cloud)
# - Azure Database for PostgreSQL
# - Self-managed PostgreSQL server
server:
replicas: 2
auth:
type: api-key
apiKey: "CHANGE_ME"
issuer:
local:
enabled: true
# Pass external database URL via environment variable
env:
CERTCTL_DATABASE_URL: "postgres://certctl:CHANGE_ME@postgres.example.com:5432/certctl?sslmode=require"
# Disable internal PostgreSQL
postgresql:
enabled: false
agent:
enabled: true
kind: DaemonSet
ingress:
enabled: true
className: nginx
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
# For AWS RDS with IAM authentication:
# env:
# CERTCTL_DATABASE_URL: "postgres://certctl:CHANGE_ME@mydb.123456789.us-east-1.rds.amazonaws.com:5432/certctl?sslmode=require"
# For Google Cloud SQL:
# env:
# CERTCTL_DATABASE_URL: "postgres://certctl:CHANGE_ME@/certctl?host=/cloudsql/PROJECT:REGION:INSTANCE&sslmode=require"
# For Azure Database:
# env:
# CERTCTL_DATABASE_URL: "postgres://certctl@servername:CHANGE_ME@servername.postgres.database.azure.com:5432/certctl?sslmode=require"
deploy/helm/examples/values-prod-ha.yaml
+159
View File
@@ -0,0 +1,159 @@
# Certctl Production HA Configuration
# High availability deployment with:
# - 3 server replicas with pod anti-affinity
# - Large PostgreSQL storage
# - Resource limits for production
# - Prometheus monitoring
# - Network policies enforcement
namespace: certctl
server:
replicas: 3
image:
repository: ghcr.io/shankar0123/certctl
tag: "2.1.0"
pullPolicy: IfNotPresent
port: 8443
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 1000m
memory: 512Mi
auth:
type: api-key
apiKey: "CHANGE_ME_IN_PRODUCTION" # Use --set or sealed-secrets
logging:
level: info
format: json
service:
type: ClusterIP
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8443"
prometheus.io/path: "/api/v1/metrics/prometheus"
issuer:
local:
enabled: true
acme:
enabled: true
directoryURL: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
challengeType: dns-01
rateLimiting:
rps: 500
burst: 1000
postgresql:
enabled: true
image:
repository: postgres
tag: "16-alpine"
pullPolicy: IfNotPresent
auth:
database: certctl
username: certctl
password: "CHANGE_ME_IN_PRODUCTION" # Use --set or sealed-secrets
storage:
size: 100Gi
storageClass: "fast-ssd" # Use your high-performance storage class
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: 2000m
memory: 2Gi
agent:
enabled: true
kind: DaemonSet
image:
repository: ghcr.io/shankar0123/certctl-agent
tag: "2.1.0"
pullPolicy: IfNotPresent
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
discoveryDirs: "/etc/ssl/certs,/etc/pki/tls,/etc/ssl"
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
hosts:
- host: certctl.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: certctl-tls
hosts:
- certctl.example.com
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/certctl-role # For IRSA on AWS
rbac:
create: true
podDisruptionBudget:
enabled: true
minAvailable: 2
monitoring:
enabled: true
serviceMonitor:
enabled: true
interval: 30s
scrapeTimeout: 10s
# Pod anti-affinity for HA
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- certctl
- key: app.kubernetes.io/component
operator: In
values:
- server
topologyKey: kubernetes.io/hostname
customLabels:
environment: production
team: platform
cost-center: ops
customAnnotations:
slack-alerts: "#ops"
backup-policy: daily
docs/architecture.md
+38 -8
View File
@@ -61,7 +61,7 @@ flowchart TB
API["REST API\n(Go net/http, :8443)"]
SVC["Service Layer"]
REPO["Repository Layer\n(database/sql + lib/pq)"]
SCHED["Background Scheduler\n6 loops"]
SCHED["Background Scheduler\n7 loops"]
DASH["Web Dashboard\n(React SPA)"]
end
@@ -450,7 +450,7 @@ Short-lived certificates (those with profile TTL < 1 hour) return "good" from OC
### 4. Automatic Renewal
The control plane runs a scheduler with six background loops:
The control plane runs a scheduler with seven background loops:
```mermaid
flowchart LR
@@ -461,6 +461,7 @@ flowchart LR
N["Notification Processor\n⏱ every 1m"]
SL["Short-Lived Expiry\n⏱ every 30s"]
NS["Network Scanner\n⏱ every 6h"]
DG["Certificate Digest\n⏱ every 24h"]
end
R -->|"Find expiring certs\nCreate renewal jobs"| DB[("PostgreSQL")]
@@ -469,6 +470,7 @@ flowchart LR
N -->|"Send pending notifications\nEmail / Webhook / Slack"| DB
SL -->|"Expire short-lived certs\nMark as Expired"| DB
NS -->|"Probe TLS endpoints\nStore discovered certs"| DB
DG -->|"Generate & send HTML digest\nEmail to recipients"| DB
```
| Loop | Interval | Timeout | Purpose |
@@ -478,7 +480,10 @@ flowchart LR
| Agent health check | 2 minutes | 1 minute | Marks agents as offline if heartbeat is stale |
| Notification processor | 1 minute | 1 minute | Sends pending notifications via configured channels |
| Short-lived expiry | 30 seconds | 30 seconds | Marks expired short-lived certificates (profile TTL < 1 hour) |
| Network scanner | 6 hours | 30 minutes | Probes TLS endpoints on configured CIDR ranges, stores discovered certs (M21, opt-in via `CERTCTL_NETWORK_SCAN_ENABLED`) |
| Network scanner | 6 hours | 30 minutes | Probes TLS endpoints on configured CIDR ranges, stores discovered certs (M21, opt-in via `CERTCTL_NETWORK_SCAN_ENABLED`). CIDR size validated at API level — max /20 (4096 IPs) per range. |
| Certificate digest | 24 hours | 5 minutes | Generates HTML email with certificate stats, expiration timeline, job health, agent count. Does NOT run on startup — waits for first scheduled tick. Configurable interval and recipients via `CERTCTL_DIGEST_INTERVAL` and `CERTCTL_DIGEST_RECIPIENTS`. Falls back to certificate owner emails if no explicit recipients configured. |
Each loop uses `sync/atomic.Bool` idempotency guards to prevent concurrent tick execution — if a loop iteration is still running when the next tick fires, the tick is skipped with a warning log. All loops (including short-lived expiry check) run immediately on startup before entering their ticker interval, ensuring no gap between scheduler start and first execution. The certificate digest loop is the exception — it does NOT run on startup, only on scheduled ticks. Graceful shutdown uses `sync.WaitGroup` with `WaitForCompletion()` to drain all in-flight work before process exit.
Each operation has a context timeout to prevent indefinite hangs if external services become unresponsive.
@@ -565,7 +570,11 @@ type Connector interface {
}
```
Built-in issuers: **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, compatible with Let's Encrypt, ZeroSSL, Sectigo, Google Trust Services, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), and **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance and optional External Account Binding (EAB) for CAs that require it (ZeroSSL, Google Trust Services, SSL.com), order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks, DNS-PERSIST-01 via standing TXT records with auto-fallback to DNS-01), order finalization, and DER-to-PEM chain conversion. For ZeroSSL, EAB credentials are auto-fetched from ZeroSSL's public API when the directory URL is detected as ZeroSSL and no EAB credentials are provided — zero-friction onboarding with no dashboard visit required. The interface also includes `GetCACertPEM(ctx)` for CA chain distribution (used by the EST server's `/cacerts` endpoint).
Built-in issuers: **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, compatible with Let's Encrypt, ZeroSSL, Sectigo, Google Trust Services, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), and **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance and optional External Account Binding (EAB) for CAs that require it (ZeroSSL, Google Trust Services, SSL.com), order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks, DNS-PERSIST-01 via standing TXT records with auto-fallback to DNS-01), order finalization, and DER-to-PEM chain conversion. For ZeroSSL, EAB credentials are auto-fetched from ZeroSSL's public API when the directory URL is detected as ZeroSSL and no EAB credentials are provided — zero-friction onboarding with no dashboard visit required.
**ACME Renewal Information (ARI, RFC 9702):** The ACME connector supports CA-directed renewal timing via the `GetRenewalInfo()` method. Instead of using fixed thresholds (e.g., renew 30 days before expiry), the CA tells certctl when to renew by providing a `suggestedWindow` with start and end times. This is useful for distributing renewal load during maintenance windows and coordinating mass-revocation scenarios. Enable with `CERTCTL_ACME_ARI_ENABLED=true`. Cert ID is computed as `base64url(SHA-256(DER cert))` per RFC 9702. If the CA doesn't support ARI (404 from the ARI endpoint), certctl automatically falls back to threshold-based renewal — no operator intervention required. Errors from the CA are logged as warnings.
The interface also includes `GetCACertPEM(ctx)` for CA chain distribution (used by the EST server's `/cacerts` endpoint).
### Target Connector
@@ -709,7 +718,9 @@ Audit events cannot be modified or deleted. They support filtering by actor, act
### API Audit Log
In addition to application-level audit events, certctl records every HTTP API call via middleware. The audit middleware captures method, path, actor (extracted from auth context), SHA-256 request body hash (truncated to 16 characters), response status code, and request latency. Health and readiness probes are excluded to avoid noise.
In addition to application-level audit events, certctl records every HTTP API call via middleware. The audit middleware captures method, URL path (excluding query parameters — see security note below), actor (extracted from auth context), SHA-256 request body hash (truncated to 16 characters), response status code, and request latency. Health and readiness probes are excluded to avoid noise.
**Security: Query Parameter Exclusion** — The audit middleware intentionally records `r.URL.Path` only (not `r.URL.String()` or `r.RequestURI`). Query strings may contain cursor tokens, API keys passed as params, or other sensitive filter values. Since the audit trail is append-only with no deletion capability, any sensitive data recorded would persist permanently.
Audit recording is async (via goroutine) so it never blocks the HTTP response. If audit persistence fails, the error is logged immediately — the API call still succeeds. The middleware sits after the auth middleware in the stack so the actor identity is available from context.
@@ -740,7 +751,7 @@ The HTTP middleware stack processes requests in the following order (see `cmd/se
### Concurrency Safety
The background scheduler uses `sync/atomic.Bool` idempotency guards on all 6 loops — if a tick fires while the previous iteration is still running, it skips. A `sync.WaitGroup` tracks all in-flight goroutines. `WaitForCompletion(timeout)` blocks during shutdown until all work finishes or the timeout expires, preventing state corruption from mid-flight database operations during process exit.
The background scheduler uses `sync/atomic.Bool` idempotency guards on all 7 loops — if a tick fires while the previous iteration is still running, it skips. A `sync.WaitGroup` tracks all in-flight goroutines. `WaitForCompletion(timeout)` blocks during shutdown until all work finishes or the timeout expires, preventing state corruption from mid-flight database operations during process exit.
### Logging
@@ -759,7 +770,7 @@ All endpoints are under `/api/v1/` and follow consistent patterns:
Resources: certificates, issuers, targets, agents, jobs, policies, profiles, teams, owners, agent-groups, audit, notifications, discovered-certificates, discovery-scans, network-scan-targets, stats, metrics.
The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml` with 97 endpoints across 20 resource domains (95 under `/api/v1/` + `/.well-known/est/` plus `/health` and `/ready`; includes auth, 7 discovery endpoints from M18b, 6 network scan endpoints from M21, Prometheus metrics from M22, and 4 EST enrollment endpoints from M23), all request/response schemas, and pagination conventions. See the [OpenAPI Guide](openapi.md) for usage with Swagger UI and SDK generation.
The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml` with 99 endpoints across 23 resource domains (97 under `/api/v1/` + `/.well-known/est/` plus `/health` and `/ready`; includes auth, 7 discovery endpoints from M18b, 6 network scan endpoints from M21, Prometheus metrics from M22, 4 EST enrollment endpoints from M23, 2 digest endpoints from M29), all request/response schemas, and pagination conventions. See the [OpenAPI Guide](openapi.md) for usage with Swagger UI and SDK generation.
Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST /api/v1/jobs/{id}/approve`, `POST /api/v1/jobs/{id}/reject`.
@@ -774,6 +785,8 @@ Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST
Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. A JSON-formatted CRL is available at `GET /api/v1/crl`, and a DER-encoded X.509 CRL signed by the issuing CA at `GET /api/v1/crl/{issuer_id}`. An embedded OCSP responder serves signed responses at `GET /api/v1/ocsp/{issuer_id}/{serial}`. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
Certificate export (M27): `GET /api/v1/certificates/{id}/export/pem` returns PEM-encoded certificate and chain, and `POST /api/v1/certificates/{id}/export/pkcs12` returns a PKCS#12 bundle (binary). Private keys are never exported — they remain on agents. All exports are audited with actor, timestamp, and format.
Health checks live outside the API prefix: `GET /health` and `GET /ready`.
## MCP Server
@@ -829,7 +842,9 @@ flowchart TB
**Credentials & Configuration:**
Database and API credentials are managed via environment variables defined in a `.env` file. Copy `deploy/.env.example` to `deploy/.env` for local development and customize credentials for production. The agent key directory (`CERTCTL_KEY_DIR`) is persisted as a named Docker volume (`agent_keys`) at `/var/lib/certctl/keys` for reliable key storage across container restarts.
### Production (Kubernetes)
### Production (Kubernetes with Helm)
A production-ready Helm chart is available under `deploy/helm/certctl/` with full support for multi-replica deployments, persistent PostgreSQL, agent DaemonSet, optional Ingress, and security best practices.
```mermaid
flowchart TB
@@ -855,6 +870,21 @@ flowchart TB
DS --> DEP
```
**Helm Installation:**
```bash
# Add the chart (if published) or install from local directory
helm install certctl deploy/helm/certctl/ \
--set server.auth.apiKey="your-secure-key" \
--set postgresql.auth.password="your-db-password" \
--set ingress.enabled=true \
--set ingress.hosts[0].host="certctl.example.com"
```
The Helm chart includes: server Deployment with configurable replicas, liveness/readiness probes, security context (non-root, read-only rootfs), PostgreSQL StatefulSet with persistent volumes, optional Ingress with TLS, ServiceAccount with configurable RBAC, and agent DaemonSet running one agent per node. All certctl configuration options are exposed in `values.yaml` — issuers, targets, notifiers, scheduler intervals, discovery settings, and SMTP for digest emails.
See `deploy/helm/certctl/values.yaml` for the full configuration reference and `deploy/helm/certctl/Chart.yaml` for version and appVersion details.
For production, you would also add an ingress controller, TLS termination for the certctl API itself, and external PostgreSQL (RDS, Cloud SQL, etc.).
## Discovery Data Flow (M18b + M21)
docs/certctl-for-cert-manager-users.md
+144
View File
@@ -0,0 +1,144 @@
# certctl for cert-manager Users
You run cert-manager inside Kubernetes and it works well for in-cluster certificates. But you also have VMs, bare-metal servers, network appliances, and legacy systems outside the cluster. cert-manager can't reach those. This guide shows how certctl complements cert-manager to give you unified certificate visibility and automation across your entire infrastructure.
## Not a Replacement
cert-manager is the right tool for in-cluster certs. It's tightly integrated with Kubernetes:
- Native CRDs (Certificate, ClusterIssuer, Issuer)
- Automatic cert injection into Ingress and Service objects
- Controller-driven renewal within the cluster
**certctl does not replace this.** Instead, it extends your certificate management to everything outside Kubernetes: VMs, bare metal, network appliances, Windows servers, and legacy systems.
## The Problem
Your setup:
- **cert-manager**: handles all certs in Kubernetes (TLS for Ingress, service-to-service, internal services)
- **Everything else**: NGINX/Apache on VMs, HAProxy load balancers on bare metal, network appliances, Windows servers with IIS — these are managed inconsistently. Maybe Certbot cron jobs, maybe manual renewal, maybe deprecated cert files sitting around.
Result:
- No unified visibility — you don't know when non-Kubernetes certs expire
- Renewal failures go unnoticed until the cert is already expired
- Audit trail fragmented across multiple tools
- Scaling to hundreds of machines becomes impossible
## The Solution
Deploy certctl control plane once (Docker Compose, Kubernetes Helm chart, or self-hosted). Deploy agents on your VMs, bare metal, and network appliances. One dashboard shows:
- **All cert-manager certs** via discovery scanning (agents find cert-manager-issued certs copied to target machines, or scan the cluster directly)
- **All certctl-managed certs** issued by shared issuers (ACME, step-ca, Vault PKI (planned), private CA)
- **Unified renewal and deployment** across both worlds
- **Single pane of glass** with expiration timeline, renewal status, deployment verification, audit trail
## How to Set Up
### 1. Install certctl Control Plane
**Option A: Docker Compose** (quickest for evaluation)
```bash
cd /opt/certctl
docker compose up -d
# Dashboard & API: http://localhost:8443
```
**Option B: Kubernetes** (recommended for prod)
```bash
helm install certctl deploy/helm/certctl/ \
--set auth.apiKey=YOUR_SECURE_KEY
```
### 2. Deploy Agents to Non-Kubernetes Infrastructure
On each VM, bare-metal server, or appliance (via proxy agent):
```bash
# Linux amd64
curl -sSL https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
-o /usr/local/bin/certctl-agent
chmod +x /usr/local/bin/certctl-agent
# Config
sudo tee /etc/certctl/agent.env > /dev/null <<EOF
CERTCTL_SERVER_URL=http://certctl-control-plane:8443
CERTCTL_API_KEY=your-api-key
CERTCTL_DISCOVERY_DIRS=/etc/nginx/certs,/etc/ssl,/etc/letsencrypt/live
CERTCTL_KEY_DIR=/var/lib/certctl/keys
EOF
sudo chmod 600 /etc/certctl/agent.env
# Start
sudo systemctl start certctl-agent
```
### 3. Enable Discovery Scanning
Agents scan configured directories and report back all existing certs. In the dashboard:
- **Discovery** page: all found certs grouped by agent
- Claim cert-manager certs to link them with Kubernetes metadata
- Dismiss obsolete certs
### 4. Configure Shared Issuers
Set up the same issuer certctl uses for non-Kubernetes certs:
- **ACME** (Let's Encrypt, for public certs)
- **step-ca** (Smallstep, for internal certs)
- **Vault PKI** (planned) (HashiCorp Vault, for enterprise PKI)
- **Private CA** (your own internal root CA)
No new CA infrastructure needed. If cert-manager already uses your CA, certctl points to the same one.
### 5. Create Policies for Non-Kubernetes Certs
Go to **Policies****+ New Policy** to create enforcement rules:
- **Name:** e.g., "VM Certificate Policy"
- **Type:** `expiration_window` or `key_algorithm` (enforce renewal thresholds or crypto requirements)
- **Severity:** `high`
- **Config:** set your enforcement parameters
Certificates are linked to issuers and profiles when created or claimed from discovery. Policies add guardrails — enforcing key algorithm requirements, expiration windows, and other compliance rules across your fleet.
### 6. View Unified Inventory
**Dashboard** shows:
- Certificate status heatmap (all 1000 certs: cert-manager + certctl)
- Renewal job trends (both types)
- Expiration timeline (30/60/90 days)
- Agent fleet status (all infrastructure)
**Certificates** page filters by issuer (show me all ACME certs, or all step-ca certs):
- cert-manager certs discovered from Kubernetes nodes
- certctl-managed certs on VMs
- Network appliance certs auto-discovered
## Shared Infrastructure
If cert-manager and certctl both use the same CA:
- **ACME**: cert-manager uses ClusterIssuer + certctl uses ACME connector → same Let's Encrypt account, transparent coexistence
- **step-ca**: cert-manager uses external issuer CRD + certctl uses step-ca connector → same provisioner, shared certificate inventory
- **Vault PKI** (planned): cert-manager uses external issuer CRD + certctl uses Vault connector → same mount, same audit trail
No conflict. They just issue certs through the same CA. certctl's discovery scanning finds cert-manager-issued certs and shows them alongside certctl-managed ones.
## Key Differences from cert-manager
| Feature | cert-manager | certctl |
|---------|--------------|---------|
| Target | In-cluster (Kubernetes) | Out-of-cluster (VMs, bare metal, appliances) |
| Configuration | CRDs (Certificate, ClusterIssuer, Issuer) | API + Dashboard (JSON REST) |
| Deployment | Injected into Secret objects, mounted by pods | Agent pulls work, deploys via target-specific API (file, service restart, proxy agent) |
| Renewal | Controller watches Certificate CRDs, triggers renewal when needed | Scheduler checks thresholds, agents poll for work |
| Audit | Kubernetes event log | Immutable append-only audit trail |
| Visibility | Per-namespace, per-resource | Fleet-wide, unified inventory |
## Future Integration
On the roadmap (V4): **cert-manager external issuer** — certctl acts as a ClusterIssuer backend for Kubernetes. This would allow cert-manager to request certificates from certctl, which could issue them via any of its connectors (step-ca, Vault, private CA, etc.). Pure integration play; no breaking changes.
For now: cert-manager handles Kubernetes, certctl handles everything else. They coexist seamlessly.
## Next Steps
1. Review [Quick Start](./quickstart.md) for a 5-minute demo
2. Explore [Architecture](./architecture.md#agents) for deployment architecture
3. Read about [Discovery Scanning](./quickstart.md#certificate-discovery) to auto-find certs
4. Check [Helm Chart](../deploy/helm/certctl/) for production Kubernetes deployment
docs/compliance-pci-dss.md
+2 -2
View File
@@ -393,7 +393,7 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
**Operator Responsibility**:
- **Issue API keys to users/systems** requiring API access (outside certctl; you maintain key registry).
- **Rotate API keys periodically** (recommendation: annually, or when personnel changes).
- **Rotate API keys using zero-downtime rotation** — `CERTCTL_AUTH_SECRET` supports comma-separated keys (e.g., `new-key,old-key`). Add the new key, migrate clients, then remove the old key. Recommendation: rotate at least annually, or immediately when personnel changes.
- **Revoke API keys immediately** when user leaves or token is compromised (set `enabled=false` in API key management — not yet implemented in v1, owner must track manually).
- **Enforce strong TLS** on control plane: TLS 1.2+, modern ciphers (configure on reverse proxy or `CERTCTL_TLS_*` env vars if operator-controlled).
- **Protect `.env` and credential files** where API key is defined (restrict file system access, no version control).
@@ -452,7 +452,7 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
- **Immutable API Audit Log** (M19) — Middleware captures every API call:
- `audit_events` table (append-only, no UPDATE/DELETE):
- `method`: HTTP method (GET, POST, PUT, DELETE)
- `path`: API endpoint path (e.g., `/api/v1/certificates`)
- `path`: API endpoint path only, excluding query parameters (e.g., `/api/v1/certificates` — query strings intentionally omitted to prevent sensitive data persistence in the append-only audit trail)
- `actor`: authenticated user/service (extracted from API key or context)
- `body_hash`: SHA-256 hash of request body (truncated to 16 chars, first 8 chars shown in logs)
- `status_code`: HTTP response status (200, 201, 400, 401, 404, 500, etc.)
docs/compliance-soc2.md
+5 -3
View File
@@ -49,6 +49,7 @@ Each section includes:
- **Configurable CORS** — API restricts cross-origin requests via `CERTCTL_CORS_ORIGINS` allowlist or wildcard. Preflight caching prevents chatty browser auth flows.
- **Token Bucket Rate Limiting** — Per-IP rate limiting (configurable via `CERTCTL_RATE_LIMIT_RPS` / `CERTCTL_RATE_LIMIT_BURST`) returns 429 Too Many Requests with Retry-After header. Prevents credential stuffing and brute-force attacks.
- **No Password Storage** — certctl does not store user passwords. API keys are the sole authentication mechanism. Your API key generation, distribution, and rotation policies are your responsibility (see "Operator Responsibility" below).
- **Zero-Downtime Key Rotation** — `CERTCTL_AUTH_SECRET` accepts comma-separated keys (e.g., `new-key,old-key`). All listed keys are validated with constant-time comparison. Operators can add a new key, migrate clients, then remove the old key — no service restart required for the client migration phase. A single-key warning is logged at startup to encourage rotation configuration.
**Evidence Locations**:
@@ -182,13 +183,14 @@ Each section includes:
- **Health Endpoint** — `GET /health` returns 200 OK with service status. Consumed by Docker health checks and Kubernetes probes.
- **Readiness Endpoint** — `GET /ready` returns 200 OK when the database is connected and migrations are applied.
- **Background Scheduler Monitoring** — 6 background loops run on a fixed schedule:
- **Background Scheduler Monitoring** — 7 background loops run on a fixed schedule:
- Renewal loop: every 1 hour, scans for certificates approaching renewal threshold
- Job processor loop: every 30 seconds, picks up pending/waiting jobs and advances their state
- Health check loop: every 2 minutes, pings agents to detect downtime
- Notification dispatcher loop: every 1 minute, sends queued alerts
- Short-lived cert expiry loop: every 30 seconds, marks expired short-lived credentials
- Network scanner loop: every 6 hours, scans enabled TLS endpoints for certificate discovery
- Digest emailer loop: every 24 hours, sends scheduled certificate digest email to configured recipients
Each loop includes error handling and logs failures via structured slog.
- **Metrics Endpoints** — Two formats for monitoring integration:
- `GET /api/v1/metrics` — JSON object with gauges, counters, and uptime for custom dashboards
@@ -232,7 +234,7 @@ Each section includes:
**certctl Implementation** (V2):
- **Immutable API Audit Trail** (M19) — Every API call is recorded to `audit_events` table (append-only, no update/delete). Recorded: HTTP method, path, query parameters, actor (user/agent ID), SHA-256 hash of request body (truncated 16 chars for brevity), response status code, latency in milliseconds. Excluded paths (health, ready) are configurable. Audit records are async (non-blocking) and include a timestamp.
- **Immutable API Audit Trail** (M19) — Every API call is recorded to `audit_events` table (append-only, no update/delete). Recorded: HTTP method, URL path (query parameters intentionally excluded — see security note), actor (user/agent ID), SHA-256 hash of request body (truncated 16 chars for brevity), response status code, latency in milliseconds. Excluded paths (health, ready) are configurable. Audit records are async (non-blocking) and include a timestamp. **Security: Query parameters are excluded from the audit path** because they may contain cursor tokens, API keys, or sensitive filter values; since the audit trail is append-only with no deletion, any sensitive data recorded would persist permanently.
- **Audit Trail API** — `GET /api/v1/audit?actor=...&action=...&resource_id=...&created_after=...&created_before=...` allows searching for anomalous patterns (e.g., "who accessed certificate XYZ and when?", "did anyone revoke certs at 2 AM?").
- **Expiration Threshold Alerting** — Certificate renewal policies define alert thresholds (days before expiry): default `[30, 14, 7, 0]`. When a certificate approaches a threshold, a notification is enqueued. Deduplication prevents duplicate alerts for the same cert at the same threshold. Auto status transition: cert moves to `Expiring` status at 30 days, `Expired` at 0 days.
- **Certificate Status Auto-Transitions** — When a cert is issued, it's `Active`. As expiry approaches, status auto-transitions to `Expiring` (at 30d threshold). At expiry, status becomes `Expired`. Revoked certs move to `Revoked`. These transitions are recorded in the audit trail.
@@ -451,7 +453,7 @@ Each section includes:
| | Metrics JSON Endpoint | `GET /api/v1/metrics` (gauges, counters, uptime) | ✅ | ✅ | Set thresholds, configure alerting |
| | Stats API (time-series) | `GET /api/v1/stats/*` (summary, status, expiration, jobs, issuance) | ✅ | ✅ | Integrate into dashboards, SLO tracking |
| | Structured Logging | `slog` middleware with request IDs | ✅ | ✅ | Aggregate logs to SIEM, define retention policy |
| | Background Scheduler | 6 loops (renewal 1h, jobs 30s, health 2m, notifications 1m, short-lived 30s, network scan 6h) | ✅ | ✅ | Alert on scheduler loop failures |
| | Background Scheduler | 7 loops (renewal 1h, jobs 30s, health 2m, notifications 1m, short-lived 30s, network scan 6h, digest 24h) | ✅ | ✅ | Alert on scheduler loop failures |
| **CC7.2** Anomaly Detection | Immutable API Audit Trail | `internal/api/middleware/audit.go`, `GET /api/v1/audit` | ✅ | Enhanced (SIEM export) | Integrate into SIEM, search for anomalies, archive long-term |
| | Expiration Threshold Alerting | Configurable per-policy (default 30/14/7/0 days) | ✅ | ✅ | Configure thresholds, integrate notifications |
| | Status Auto-Transitions | Active → Expiring (30d) → Expired (0d) | ✅ | ✅ | Monitor status changes in audit trail |
docs/concepts.md
+13
View File
@@ -183,6 +183,19 @@ Profiles are managed via the API (`/api/v1/profiles`) and the GUI, and can be as
For policies with `auto_renew` disabled, renewal jobs enter an **AwaitingApproval** state instead of processing immediately. An operator must explicitly approve or reject the renewal via the API or GUI. Approved jobs transition to Pending and are picked up by the scheduler. Rejected jobs are cancelled with an optional reason. This is useful for high-value certificates where you want human oversight before renewal.
### Renewal Timing: Thresholds vs. ARI (RFC 9702)
**Traditional approach (thresholds):** By default, certctl uses static renewal thresholds — renew a certificate at a fixed number of days before expiry (default: 30 days). This simple, predictable model works for most use cases: it avoids unnecessary renewals near expiry and gives you a predictable window to catch failures.
**Advanced approach (ACME ARI):** Some Certificate Authorities support ACME Renewal Information (RFC 9702), which allows the CA to tell certctl the optimal time to renew. Instead of guessing "renew 30 days before expiry," the CA responds with a precise `suggestedWindow` containing start and end times. This is useful when:
- The CA is performing maintenance and wants to batch renewals in a specific window
- The CA is coordinating a mass revocation (e.g., due to a compromise) and needs to control renewal timing
- You want to avoid thundering herd renewal spikes by accepting the CA's suggested timing
**How it works:** Enable with `CERTCTL_ACME_ARI_ENABLED=true` on your ACME issuer. When a certificate approaches expiry, certctl queries the ARI endpoint with the certificate's DER encoding. The CA responds with a suggested renewal window. If the current time is within the window or past the start time, certctl renews immediately. Otherwise, it waits until the window opens.
**Graceful degradation:** If your CA doesn't support ARI (returns 404 from the ARI endpoint), certctl automatically falls back to the traditional threshold-based renewal. No configuration change needed — the fallback is transparent. Errors from the CA are logged as warnings and don't block the renewal process.
### Certificate Revocation
When a private key is compromised, a certificate is superseded, or a service is decommissioned, you need to revoke the certificate immediately — not wait for it to expire. Revocation tells clients "stop trusting this certificate right now."
docs/connectors.md
+68 -6
View File
@@ -147,6 +147,8 @@ The Local CA issuer signs certificates using Go's `crypto/x509` library. It supp
**CRL and OCSP support (M15b):** The Local CA supports DER-encoded X.509 CRL generation via `GET /api/v1/crl/{issuer_id}` with 24-hour validity. An embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}` returns signed OCSP responses for issued certificates (good/revoked/unknown status). Certificates with profile TTL < 1 hour automatically skip CRL/OCSP — expiry is treated as sufficient revocation for short-lived credentials.
**Extended Key Usage (EKU) support (M27):** The Local CA respects EKU constraints from certificate profiles and adjusts key usage flags accordingly. For S/MIME certificates (emailProtection EKU), it uses `DigitalSignature | ContentCommitment` instead of the TLS default. For TLS certificates (serverAuth/clientAuth EKU), it uses `DigitalSignature | KeyEncipherment`. This enables support for multiple certificate types — TLS, S/MIME, code signing, timestamping — from a single CA.
Configuration:
```json
{
@@ -169,6 +171,8 @@ The ACME connector implements the full ACME v2 protocol using Go's `golang.org/x
**DNS-PERSIST-01 (standing record):** Creates a one-time persistent TXT record at `_validation-persist.<domain>` containing the CA's issuer domain and your ACME account URI. Once set, this record authorizes unlimited future certificate issuances without per-renewal DNS updates. Based on [draft-ietf-acme-dns-persist](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/) and CA/Browser Forum ballot SC-088v3. If the CA doesn't offer dns-persist-01 yet, the connector falls back to dns-01 automatically.
**ACME Renewal Information (ARI, RFC 9702):** Instead of using fixed renewal thresholds (e.g., renew 30 days before expiry), certctl can ask the CA when it should renew. Enable with `CERTCTL_ACME_ARI_ENABLED=true`. The ARI protocol lets the CA specify a `suggestedWindow` (start and end times) for when you should renew — useful for distributing load during maintenance windows or coordinating mass revocation scenarios. Cert ID is computed as `base64url(SHA-256(DER cert))`. If the CA doesn't support ARI (404 response), certctl automatically falls back to threshold-based renewal with no operator intervention required.
HTTP-01 configuration:
```json
{
@@ -284,7 +288,7 @@ Script-based issuer connector for organizations with existing CA tooling. Delega
| `CERTCTL_OPENSSL_CRL_SCRIPT` | No | Script that outputs DER-encoded CRL on stdout |
| `CERTCTL_OPENSSL_TIMEOUT_SECONDS` | No | Script execution timeout (default: 30s) |
The sign script receives the CSR PEM on stdin and should output the signed certificate PEM on stdout. The connector parses the certificate to extract serial number, validity dates, and chain information.
The sign script receives the CSR PEM on stdin and should output the signed certificate PEM on stdout. The connector parses the certificate to extract serial number, validity dates, and chain information. Before shell execution, serial numbers are validated as hex-only (`^[0-9a-fA-F]+$`) and revocation reason codes are validated against the RFC 5280 specification to prevent command injection.
### Revocation Across Issuers
@@ -308,12 +312,12 @@ The `GetCACertPEM()` method returns the PEM-encoded CA certificate chain, used b
Note: EST (Enrollment over Secure Transport) is not a connector — it's a protocol handler (`internal/api/handler/est.go`) that delegates certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID`. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
### Planned Issuers
### Coming in V2.1
The following issuer connectors are planned for future milestones:
The following issuer connectors are planned for the v2.1.0 release:
- **Vault PKI** — HashiCorp Vault's PKI secrets engine for organizations using Vault as their internal CA (planned for V4.0+).
- **DigiCert** — Commercial CA integration via DigiCert's REST API (planned).
- **Vault PKI** — HashiCorp Vault's PKI secrets engine (`/v1/{mount}/sign/{role}` API) for organizations using Vault as their internal CA. Token auth, configurable mount and role.
- **DigiCert** — Commercial CA integration via DigiCert CertCentral REST API. Async order model (submit → poll for completion). OV/EV certificate support.
Note: ADCS (Active Directory Certificate Services) integration is handled via the **sub-CA mode** of the Local CA issuer, not as a separate connector. certctl operates as a subordinate CA with its signing certificate issued by ADCS, so all certctl-issued certs chain to the enterprise ADCS root. See the Local CA section above.
@@ -620,11 +624,69 @@ type Connector interface {
Built-in notifiers: **Email** (SMTP), **Webhook** (HTTP POST), **Slack** (incoming webhook), **Microsoft Teams** (MessageCard webhook), **PagerDuty** (Events API v2), and **OpsGenie** (Alert API v2).
### Email (SMTP) Notifier
The Email notifier sends transactional alerts and scheduled digests via SMTP. It bridges the connector-layer SMTP connector to the service-layer `Notifier` interface via the `NotifierAdapter`. Supports both plain text and HTML emails.
Configuration:
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SMTP_HOST` | — | SMTP server hostname (required to enable) |
| `CERTCTL_SMTP_PORT` | 587 | SMTP port (TLS) |
| `CERTCTL_SMTP_USERNAME` | — | SMTP authentication username (optional) |
| `CERTCTL_SMTP_PASSWORD` | — | SMTP authentication password (optional) |
| `CERTCTL_SMTP_FROM_ADDRESS` | — | Email from address (required) |
| `CERTCTL_SMTP_USE_TLS` | true | Enable TLS encryption |
Example:
```bash
export CERTCTL_SMTP_HOST=smtp.gmail.com
export CERTCTL_SMTP_PORT=587
export CERTCTL_SMTP_USERNAME=admin@example.com
export CERTCTL_SMTP_PASSWORD=app-password-123
export CERTCTL_SMTP_FROM_ADDRESS=certctl@example.com
```
### Scheduled Certificate Digest
The `DigestService` generates aggregated certificate digest emails and sends them on a configurable schedule. This is useful for periodic briefings on certificate inventory health — expiring certs, status summary, active agents, job trends.
The digest HTML template includes:
- Total certificates, expiring soon, expired, active agents (stats grid)
- Jobs completed/failed summary (30 days)
- Expiring certificates table (color-coded by urgency: 7d, 14d, 30d)
- Auto-refresh and responsive email layout
**Scheduler Integration:** The 7th scheduler loop runs on configurable interval (default 24 hours). It does NOT run on startup — waits for first scheduled tick. Operation timeout is 5 minutes. Each loop execution is guarded by `sync/atomic.Bool` idempotency.
Configuration:
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_DIGEST_ENABLED` | false | Enable scheduled digest emails |
| `CERTCTL_DIGEST_INTERVAL` | 24h | How often to send digest (any duration, e.g. 12h, 7d) |
| `CERTCTL_DIGEST_RECIPIENTS` | — | Comma-separated email addresses. Falls back to certificate owner emails if empty |
API Endpoints:
- **`GET /api/v1/digest/preview`** — Render digest HTML for preview (no email sent)
- **`POST /api/v1/digest/send`** — Trigger digest send immediately (outside of schedule)
Example:
```bash
# Preview digest
curl http://localhost:8443/api/v1/digest/preview | jq '.html'
# Send digest immediately
curl -X POST http://localhost:8443/api/v1/digest/send
```
Each notifier is enabled by its configuration env var:
| Notifier | Env Var | Description |
|----------|---------|-------------|
| Email | `CERTCTL_EMAIL_SMTP_HOST`, `CERTCTL_EMAIL_SMTP_PORT`, `CERTCTL_EMAIL_FROM` | SMTP email delivery. Optional: `CERTCTL_EMAIL_SMTP_USERNAME`, `CERTCTL_EMAIL_SMTP_PASSWORD` |
| Email | `CERTCTL_SMTP_HOST` | SMTP email delivery. See Email Notifier section above |
| Webhook | `CERTCTL_WEBHOOK_URL` | HTTP POST to any endpoint. Optional: `CERTCTL_WEBHOOK_SECRET` for HMAC signing |
| Slack | `CERTCTL_SLACK_WEBHOOK_URL` | Incoming webhook URL. Optional: `CERTCTL_SLACK_CHANNEL`, `CERTCTL_SLACK_USERNAME` |
| Teams | `CERTCTL_TEAMS_WEBHOOK_URL` | Incoming webhook URL (MessageCard format) |
docs/demo-advanced.md
+1 -1
View File
@@ -1153,7 +1153,7 @@ flowchart TB
API["REST API\nGo net/http"]
SVC["Service Layer\nBusiness Logic"]
REPO["Repository Layer\ndatabase/sql + lib/pq"]
SCHED["Scheduler\n6 background loops"]
SCHED["Scheduler\n7 background loops"]
CONN["Connector Registry\nIssuer + Target + Notifier"]
end
docs/features.md
+219 -15
View File
@@ -7,7 +7,7 @@ Complete reference of all features shipped in the V2 release (as of March 2026).
## API Surface
### Overview
- **97 endpoints** across 21 resource domains under `/api/v1/` + `/.well-known/est/`
- **99 endpoints** across 23 resource domains under `/api/v1/` + `/.well-known/est/`
- REST API with HTTP semantics (GET, POST, PUT, DELETE)
- All endpoints require authentication by default (configurable)
- OpenAPI 3.1 spec with full schema documentation
@@ -78,7 +78,7 @@ curl -H "$AUTH" "$SERVER/api/v1/certificates?expires_before=2026-04-24T00:00:00Z
| Domain | Endpoints | Key Operations |
|--------|-----------|-----------------|
| **Certificates** | 11 | List, create, get, update (archive), versions, deployments, trigger renewal, trigger deployment, revoke |
| **Certificates** | 13 | List, create, get, update (archive), versions, deployments, trigger renewal, trigger deployment, revoke, export (PEM/PKCS#12) |
| **CRL & OCSP** | 3 | JSON CRL, DER CRL per issuer, OCSP responder |
| **Issuers** | 6 | List, create, get, update, delete, test connection |
| **Targets** | 5 | List, create, get, update, delete |
@@ -96,6 +96,7 @@ curl -H "$AUTH" "$SERVER/api/v1/certificates?expires_before=2026-04-24T00:00:00Z
| **Stats** | 5 | Dashboard summary, certificates by status, expiration timeline, job trends, issuance rate |
| **Metrics** | 2 | JSON metrics (gauges, counters, uptime), Prometheus exposition format |
| **Verification** | 2 | Submit verification result, get verification status |
| **Digest** | 2 | Preview HTML digest, send digest immediately |
| **EST (RFC 7030)** | 4 | CA certs (PKCS#7), simple enrollment, re-enrollment, CSR attributes |
| **Health** | 4 | Health check, readiness check, auth info, auth check |
@@ -218,34 +219,86 @@ curl $SERVER/api/v1/ocsp/iss-local/ABC123DEF456
---
## Certificate Export
Operators need to export certificates for use in third-party systems or for compliance audits. certctl provides two export formats: PEM (cert + chain, JSON or file download) and PKCS#12 (cert + chain in a passwordless bundle for compatibility with systems like Java keystores and Windows certificate stores).
**Important:** Private keys are never exported — they remain on agents where they were generated. This is a core security property. Exports only bundle the public certificate material (cert + chain).
```bash
# Export as PEM (returns JSON with base64-encoded data + chain)
curl -H "$AUTH" "$SERVER/api/v1/certificates/mc-api-prod/export/pem"
# {"certificate_pem":"-----BEGIN CERTIFICATE-----\n...", "chain_pem":"-----BEGIN CERTIFICATE-----\n..."}
# Export as PKCS#12 file (binary download, no password)
curl -H "$AUTH" "$SERVER/api/v1/certificates/mc-api-prod/export/pkcs12" > cert.p12
# Via CLI
certctl-cli certs export mc-api-prod --format pem --out cert.pem
certctl-cli certs export mc-api-prod --format pkcs12 --out cert.p12
```
| Field | Details |
|-------|---------|
| **Formats** | PEM (text, cert + chain), PKCS#12 (binary, cert + chain, passwordless) |
| **Private Key Inclusion** | Never — private keys remain on agents |
| **Audit Trail** | All exports recorded with actor, timestamp, export format |
| **API Endpoints** | `GET /api/v1/certificates/{id}/export/pem`, `POST /api/v1/certificates/{id}/export/pkcs12` |
| **GUI** | Export PEM and Export PKCS#12 buttons on certificate detail page |
---
## Certificate Profiles
### Profile Model
Named enrollment profiles defining certificate issuance constraints. Profiles prevent drift — without them, different teams might issue certs with inconsistent key sizes, TTLs, or key algorithms. A profile says "all certs in this category must use ECDSA P-256, max 90-day TTL, serverAuth EKU only."
Named enrollment profiles defining certificate issuance constraints. Profiles prevent drift — without them, different teams might issue certs with inconsistent key sizes, TTLs, or key algorithms. A profile says "all certs in this category must use ECDSA P-256, max 90-day TTL, serverAuth and clientAuth EKUs only."
Profiles also support **Extended Key Usage (EKU)** constraints, enabling S/MIME and device certificates. Common EKUs:
- `serverAuth` — TLS server certificates (HTTPS, mail servers)
- `clientAuth` — TLS client certificates (mutual TLS, device auth)
- `emailProtection` — S/MIME signing and encryption
- `codeSigning` — Code signing and software updates
- `timeStamping` — Trusted timestamps
```bash
# Create a profile enforcing short-lived certs with ECDSA keys
# Create a TLS profile
curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles -d '{
"name": "Short-Lived Service Mesh",
"name": "Standard TLS",
"allowed_key_algorithms": ["ECDSA"],
"max_ttl_hours": 1,
"max_ttl_hours": 2160,
"allowed_ekus": ["serverAuth"]
}'
# Create an S/MIME profile
curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles -d '{
"name": "S/MIME Email",
"allowed_key_algorithms": ["RSA", "ECDSA"],
"max_ttl_hours": 8760,
"allowed_ekus": ["emailProtection"]
}'
# Create a multi-purpose profile
curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles -d '{
"name": "Multi-Purpose",
"allowed_key_algorithms": ["ECDSA"],
"max_ttl_hours": 2160,
"allowed_ekus": ["serverAuth", "clientAuth"]
}'
# Assign profile to a certificate
curl -X PUT -H "$AUTH" -H "$CT" $SERVER/api/v1/certificates/mc-api-prod -d '{
"profile_id": "prof-short-lived"
"profile_id": "prof-standard-tls"
}'
# List all profiles
curl -H "$AUTH" "$SERVER/api/v1/profiles" | jq '.data[] | {id, name, max_ttl_hours, allowed_key_algorithms}'
curl -H "$AUTH" "$SERVER/api/v1/profiles" | jq '.data[] | {id, name, max_ttl_hours, allowed_key_algorithms, allowed_ekus}'
# Get profile details
curl -H "$AUTH" "$SERVER/api/v1/profiles/prof-standard-tls" | jq .
# Update profile constraints
curl -X PUT -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles/prof-standard-tls -d '{
"name": "Standard TLS", "max_ttl_hours": 2160, "allowed_key_algorithms": ["RSA", "ECDSA"]
"name": "Standard TLS", "max_ttl_hours": 2160, "allowed_key_algorithms": ["RSA", "ECDSA"], "allowed_ekus": ["serverAuth"]
}'
```
@@ -255,14 +308,22 @@ curl -X PUT -H "$AUTH" -H "$CT" $SERVER/api/v1/profiles/prof-standard-tls -d '{
| **Name** | Human-readable profile name |
| **Allowed Key Algorithms** | RSA, ECDSA, Ed25519 with minimum key sizes (e.g., RSA 2048+, ECDSA P-256+) |
| **Max TTL** | Maximum certificate lifetime (days or duration) |
| **Allowed EKUs** | Extended key usage OIDs (serverAuth, clientAuth, etc.) |
| **Allowed EKUs** | Extended key usage OIDs (serverAuth, clientAuth, emailProtection, codeSigning, timeStamping) |
| **Required SANs** | Mandatory Subject Alternative Names (patterns or fixed values) |
| **Short-Lived Support** | TTL < 1 hour triggers CRL/OCSP exemption |
### GUI Management
- Full CRUD page with profile details
- Crypto constraint badges visible in list view
- EKU constraint badges visible in list view (serverAuth, clientAuth, emailProtection, etc.)
- Profile assignment dropdown on certificate detail
- S/MIME profile creation wizard with email SAN configuration
### S/MIME Support
When a profile specifies `emailProtection` EKU, certctl adapts the issuance flow for email certificates:
- **SAN handling** — email addresses in SANs are formatted as `rfc822Name` (not DNS names)
- **Key usage** — S/MIME certs use `DigitalSignature | ContentCommitment` instead of the TLS default `DigitalSignature | KeyEncipherment`
- **Agent CSR generation** — agents correctly distinguish DNS SANs from email SANs based on profile EKU
- **Issuer constraints** — Local CA and other issuers thread EKUs through the signing pipeline
---
@@ -453,6 +514,148 @@ export CERTCTL_PAGERDUTY_SEVERITY="critical"
---
## ACME Renewal Information (ARI, RFC 9702)
Instead of using fixed renewal thresholds (renew 30 days before expiry), ACME ARI lets the CA tell certctl exactly when to renew. This is useful for distributing renewal load across maintenance windows and coordinating mass-revocation scenarios.
**How it works:**
```bash
# Enable ARI on your ACME issuer
export CERTCTL_ACME_ARI_ENABLED=true
# Certificates now query the ARI endpoint for suggested renewal windows
# If the CA doesn't support ARI (404), certctl falls back to threshold-based renewal
```
| Field | Details |
|-------|---------|
| **Protocol** | ACME Renewal Information (RFC 9702) |
| **Cert ID Computation** | base64url(SHA-256(DER cert)) |
| **Suggested Window** | Start and end times provided by CA |
| **Renewal Timing** — If current time is after window start, renew immediately. Otherwise, wait until start time. |
| **Fallback** | 404 from ARI endpoint triggers automatic fallback to threshold-based renewal |
| **Configuration** | `CERTCTL_ACME_ARI_ENABLED=true` on ACME issuer config |
| **Supported CAs** | Let's Encrypt (v2.1.0+), Sectigo, others gradually adopting |
**Benefits:**
- **Load Distribution** — CA specifies renewal window to avoid thundering herd spikes
- **Coordination** — Support for mass revocation scenarios where CA controls timing
- **No Over-Renewal** — Avoid unnecessary early renewals that waste your CA's capacity
---
## Scheduled Certificate Digest Emails
Scheduled HTML digest emails with certificate stats, expiration timeline, job health, and agent fleet overview. Useful for daily ops briefings and compliance reporting.
```bash
# Configure SMTP
export CERTCTL_SMTP_HOST=smtp.example.com
export CERTCTL_SMTP_PORT=587
export CERTCTL_SMTP_USERNAME=admin@example.com
export CERTCTL_SMTP_PASSWORD=your-app-password
export CERTCTL_SMTP_FROM_ADDRESS=certctl@example.com
# Enable digest
export CERTCTL_DIGEST_ENABLED=true
export CERTCTL_DIGEST_INTERVAL=24h
export CERTCTL_DIGEST_RECIPIENTS=ops@example.com,security@example.com
```
| Feature | Details |
|---------|---------|
| **Scheduler Loop** | 7th background loop, default 24-hour interval (configurable: 12h, 7d, etc.) |
| **Startup Behavior** | Does NOT run on startup; waits for first scheduled tick |
| **Operation Timeout** | 5 minutes per digest generation + send |
| **Idempotency**`sync/atomic.Bool` guard prevents concurrent digest executions |
| **HTML Template** | Responsive email with stats grid (total, expiring, expired, agents), jobs summary (30-day), expiring certs table with color-coded urgency (7/14/30 days) |
| **Recipients** | Comma-separated email addresses. Falls back to certificate owner emails if none configured. |
| **API Endpoints**`GET /api/v1/digest/preview` (HTML preview), `POST /api/v1/digest/send` (trigger immediately) |
| **Configuration**`CERTCTL_DIGEST_ENABLED`, `CERTCTL_DIGEST_INTERVAL` (default 24h), `CERTCTL_DIGEST_RECIPIENTS` |
**Digest Contents:**
- **Certificate Stats** — Total, active, expiring soon, expired, revoked
- **Job Health** — Completed, failed (last 30 days)
- **Agent Fleet** — Total agents online, offline, version distribution
- **Expiring Certificates** — Table with CN, SANs, days remaining, owner, status badges
**Use Cases:**
- Daily ops briefing for certificate inventory health
- Compliance reporting (audit trail + digest archive)
- Stakeholder visibility (automated newsletter)
---
## Helm Chart for Kubernetes
Production-ready Helm chart for Kubernetes deployments with secure defaults and comprehensive configurability.
### Chart Components
| Component | Details |
|-----------|---------|
| **Server Deployment** | Configurable replicas (default 2), liveness/readiness probes, security context (non-root, read-only rootfs), resource limits, graceful shutdown |
| **PostgreSQL StatefulSet** | Primary + replica, persistent volumes with configurable storage class/size (default 10Gi), automatic backup (via init container or sidecarsynchronous |
| **Agent DaemonSet** | One agent per infrastructure node, key storage volume (agent_keys), server discovery via internal DNS |
| **ConfigMap** | Issuer, target, and scheduler configuration; all certctl env vars exposed |
| **Secret** — API key, database password, SMTP credentials (base64-encoded) |
| **Ingress** — Optional with TLS, configurable hostname and certificate (via cert-manager or manual) |
| **ServiceAccount** — RBAC with configurable annotations for Kubernetes audit logging |
### Installation
```bash
# Install with custom values
helm install certctl deploy/helm/certctl/ \
--namespace certctl --create-namespace \
--set server.auth.apiKey="your-secure-key" \
--set postgresql.auth.password="your-db-password" \
--set ingress.enabled=true \
--set ingress.hosts[0].host="certctl.example.com" \
--set ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt-prod"
```
### Key Values
| Value | Default | Description |
|-------|---------|-------------|
| `server.replicaCount` | 2 | Number of server replicas |
| `server.auth.apiKey` | — | (required) API key for authentication |
| `postgresql.auth.password` | — | (required) PostgreSQL password |
| `postgresql.storage.size` | 10Gi | Database volume size |
| `ingress.enabled` | false | Enable Ingress for public access |
| `ingress.hosts[0].host` | certctl.example.com | Primary hostname |
| `ingress.tls.enabled` | true | TLS on Ingress (requires cert-manager) |
| `agent.enabled` | true | Deploy agent DaemonSet |
| `smtp.enabled` | false | Enable SMTP for digest emails |
| `smtp.host` | — | SMTP server hostname |
### Security Defaults
- **Non-root containers** — Server and agent run as unprivileged user
- **Read-only filesystem** — Root filesystem mounted read-only (except /tmp)
- **Network policies** — Optional KubernetesNetworkPolicy to restrict traffic
- **Secrets** — API keys and passwords stored in K8s Secrets, never in ConfigMaps or environment defaults
- **RBAC** — ServiceAccount with minimal required permissions
### Upgrade Path
```bash
# Upgrade to a new certctl release
helm upgrade certctl deploy/helm/certctl/ \
--namespace certctl \
-f my-values.yaml
# Rollback if needed
helm rollback certctl [REVISION]
```
---
## Agent Fleet
Agents are lightweight Go binaries deployed on your servers that handle the last mile — generating private keys locally, submitting CSRs, and deploying signed certificates to web servers. The control plane never touches private keys or initiates outbound connections, keeping your security perimeter intact.
@@ -848,7 +1051,7 @@ curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/jobs/j-abc123/approve -d '{"reas
3. **Approve**`POST /api/v1/jobs/{id}/approve` → Job → `Running`
4. **Reject**`POST /api/v1/jobs/{id}/reject` + reason → Job → `Cancelled`
### Background Scheduler (6 loops)
### Background Scheduler (7 loops)
| Loop | Interval | Task |
|------|----------|------|
| **Renewal Checker** | 1 hour | Scan policies; trigger renewals if cert expires soon |
@@ -857,6 +1060,7 @@ curl -X POST -H "$AUTH" -H "$CT" $SERVER/api/v1/jobs/j-abc123/approve -d '{"reas
| **Notification Processor** | 1 minute | Send queued notifications (email, Slack, webhook, etc.) |
| **Short-Lived Cleanup** | 30 seconds | Audit short-lived credential expirations |
| **Network Scanner** | 6 hours | Scan enabled network targets; discover TLS certificates |
| **Digest Emailer** | 24 hours | Send HTML certificate digest email to configured recipients |
All loops have configurable intervals via environment variables (`CERTCTL_SCHEDULER_*_INTERVAL`).
@@ -1064,7 +1268,7 @@ The web dashboard is the primary operational interface for certctl. Built with *
### Docker Compose Deployment
- **Services** — PostgreSQL 16, certctl server, agent
- **Health Checks** — On all services (server health check, database readiness)
- **Seed Data** — Demo dataset with 15 certs, 5 agents, 5 targets, policies, audit events
- **Seed Data** — Demo dataset with 35 certs across 5 issuers, 8 agents, 8 targets, 90 days of job history, discovery data, network scans, policies, audit events
- **Credentials** — Environment variables in `.env` file; app.key for API key
### PostgreSQL Schema
@@ -1265,8 +1469,8 @@ Each guide includes an evidence summary table mapping specific criteria to certc
| **Bulk revocation** | ✗ | ✓ | Planned V3 (paid) |
| **Certificate health scores** | ✗ | ✓ | Planned V3 |
| **Compliance scoring** | ✗ | ✓ | Planned V3 |
| **DigiCert issuer** | ✗ | ✓ | Planned V3 |
| **CT Log monitoring** | ✗ | ✓ | Planned V3 |
| **DigiCert issuer** | ✗ | ✓ | Planned V2.1 (free) |
| **Vault PKI issuer** | ✗ | ✓ | Planned V2.1 (free) |
---
docs/migrate-from-acmesh.md
+274
View File
@@ -0,0 +1,274 @@
# Migrate from acme.sh to certctl
You use acme.sh to automate Let's Encrypt renewal across multiple servers. It works — but without centralized visibility, deployment verification, or policy enforcement.
This guide walks through moving your acme.sh workload to certctl while keeping your existing DNS provider setup.
## Why Migrate
**acme.sh strength:** Lightweight agent, works everywhere, integrates with any DNS provider via shell script hooks.
**acme.sh limitations:**
- No inventory visibility — certificates scattered across servers, no unified view of expiry dates or renewal status
- No deployment verification — cron job succeeds even if cert doesn't actually take effect on the service
- No policy enforcement — no way to require approval, audit who renewed what, or prevent misconfigurations
- No multi-server orchestration — each server manages its own renewals; no way to batch test or rollback
certctl adds a control plane that sees all your certificates, deploys with verification, enforces policy, and provides a complete audit trail. You keep the DNS-01 challenge scripts you already have.
## What You Keep
- **Existing certificates** — discovered automatically during migration, claimed in the dashboard
- **DNS provider scripts** — acme.sh's `dns_*` hooks are shell-script compatible with certctl's DNS-01 implementation
- **Same Let's Encrypt account** — ACME issuer in certctl uses the same account and email
## Migration Steps
### 1. Deploy certctl Server
Start with Docker Compose (5 minutes):
```bash
git clone https://github.com/shankar0123/certctl.git
cd certctl/deploy
docker compose up -d
```
Access the dashboard at `http://localhost:8443` with API key from `.env` file.
### 2. Deploy Agents
On each server running acme.sh certs, install the certctl agent:
```bash
curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
# Prompted for server URL and API key
```
Or manually:
```bash
# Download and install agent binary
wget https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64
chmod +x certctl-agent-linux-amd64
sudo mv certctl-agent-linux-amd64 /usr/local/bin/certctl-agent
# Create systemd unit
sudo tee /etc/systemd/system/certctl-agent.service > /dev/null <<EOF
[Unit]
Description=certctl Agent
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/certctl-agent
Environment="CERTCTL_SERVER_URL=https://certctl.internal:8443"
Environment="CERTCTL_API_KEY=your-api-key-here"
Environment="CERTCTL_DISCOVERY_DIRS=~/.acme.sh"
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now certctl-agent
```
### 3. Discover Existing acme.sh Certificates
acme.sh stores certificates in `~/.acme.sh/<domain>/` (or `/etc/acme.sh/` if installed system-wide).
When you start the agent with `CERTCTL_DISCOVERY_DIRS` pointing to those directories, it scans for existing PEM/DER certificates and reports fingerprints to the control plane. The dashboard's **Discovery** page shows what was found.
Example agent systemd service (using home directory):
```bash
Environment="CERTCTL_DISCOVERY_DIRS=/home/user/.acme.sh"
```
Or for system-wide acme.sh:
```bash
Environment="CERTCTL_DISCOVERY_DIRS=/etc/acme.sh"
```
### 4. Claim Discovered Certificates
In the **Discovery** page:
1. Review the "Unmanaged" certificates found by the agent
2. Click **Claim** on each acme.sh certificate
3. Enter the managed certificate ID to link it (e.g., `mc-api-prod`)
Once claimed, the certificate appears in the main **Certificates** page with ownership, renewal history, and deployment status.
### 5. Create an ACME Issuer
In **Issuers****+ New Issuer:**
1. Select **ACME** from the issuer type grid
2. Fill in the type-specific fields: name, directory URL (`https://acme-v02.api.letsencrypt.org/directory`), and config
Or configure via environment variables:
```bash
export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
export CERTCTL_ACME_EMAIL=your-email@example.com # same as your acme.sh account
export CERTCTL_ACME_CHALLENGE_TYPE=dns-01
```
### 6. Adapt Your DNS Provider Scripts
acme.sh uses `dns_*` hooks (e.g., `dns_cloudflare`) with predictable argument patterns. certctl's DNS-01 uses the same pattern, so your scripts often work with zero changes.
**acme.sh pattern:**
```bash
# acme.sh invokes: dns_cloudflare_add "domain" "record" "value"
dns_cloudflare_add() {
local full_domain=$1
local record_name=$2
local record_value=$3
# ... DNS API call to create TXT record ...
}
```
**certctl pattern:**
```bash
# certctl invokes: /path/to/dns-present-script
# Scripts receive environment variables:
#!/bin/bash
# CERTCTL_DNS_DOMAIN — domain name (e.g., "example.com")
# CERTCTL_DNS_FQDN — full record name (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE — TXT record value (key authorization digest)
# CERTCTL_DNS_TOKEN — ACME challenge token
# Create TXT record at "${CERTCTL_DNS_FQDN}" with value "${CERTCTL_DNS_VALUE}"
```
**Example: Cloudflare DNS-01 adapter**
If you have an acme.sh Cloudflare hook, adapt it:
```bash
#!/bin/bash
# /etc/certctl/dns/cloudflare-present.sh
set -e
# certctl passes these environment variables:
# CERTCTL_DNS_DOMAIN — domain name
# CERTCTL_DNS_FQDN — full record name (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE — TXT record value
# CERTCTL_DNS_TOKEN — ACME challenge token
# Call your existing Cloudflare API (example using curl)
curl -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
-H "X-Auth-Email: ${CF_EMAIL}" \
-H "X-Auth-Key: ${CF_KEY}" \
-H "Content-Type: application/json" \
-d "{\"type\":\"TXT\",\"name\":\"${CERTCTL_DNS_FQDN}\",\"content\":\"${CERTCTL_DNS_VALUE}\"}"
echo "Created ${CERTCTL_DNS_FQDN}"
```
DNS cleanup:
```bash
#!/bin/bash
# /etc/certctl/dns/cloudflare-cleanup.sh
# certctl passes these environment variables:
# CERTCTL_DNS_DOMAIN — domain name
# CERTCTL_DNS_FQDN — full record name (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE — TXT record value
# CERTCTL_DNS_TOKEN — ACME challenge token
# Query and delete the TXT record
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
-H "X-Auth-Email: ${CF_EMAIL}" \
-H "X-Auth-Key: ${CF_KEY}"
```
Configure the ACME issuer via environment variables:
```bash
export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
export CERTCTL_ACME_EMAIL=your-email@example.com
export CERTCTL_ACME_CHALLENGE_TYPE=dns-01
export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/cloudflare-present.sh
export CERTCTL_ACME_DNS_CLEANUP_SCRIPT=/etc/certctl/dns/cloudflare-cleanup.sh
```
Or create the issuer through the dashboard: **Issuers****+ New Issuer** → select **ACME** → fill in the config fields.
### 7. Create Renewal Policies
In **Policies****+ New Policy:**
- **Name:** e.g., "ACME DNS-01 Policy"
- **Type:** `expiration_window` (enforces renewal thresholds)
- **Severity:** `high`
- **Config:** set your renewal window (default: 30 days before expiry)
Renewal scheduling is driven by the certificate's assigned profile and issuer. Policies add enforcement guardrails on top.
### 8. Phase Out acme.sh Cron
Once you verify renewals work via certctl (manually trigger one in the dashboard first), remove the acme.sh cron job:
```bash
# Remove acme.sh from crontab
crontab -e
# Delete the line: "0 0 * * * /home/user/.acme.sh/acme.sh --cron --home /home/user/.acme.sh"
# OR disable the cron service if installed
sudo systemctl disable acme-renew.timer
```
## DNS Script Compatibility
Most acme.sh DNS provider hooks need only minor changes:
| acme.sh | certctl |
|---------|---------|
| Called on every renewal | Called once per challenge window |
| Receives: domain, record name, record value as arguments | Receives: `CERTCTL_DNS_DOMAIN`, `CERTCTL_DNS_FQDN`, `CERTCTL_DNS_VALUE`, `CERTCTL_DNS_TOKEN` as environment variables |
| Must support multiple concurrent records | Same — cleanup removes the specific token |
| Environment variables for credentials | Same — pass via agent systemd `Environment=` or `.env` file |
**Real example:** If you use Route53, acme.sh's `dns_aws` hook submits via AWS CLI. Adapt it to use `${CERTCTL_DNS_FQDN}` and `${CERTCTL_DNS_VALUE}` environment variables instead of positional arguments, and it works with certctl's DNS-01.
## Coexistence Period
During migration, run both acme.sh and certctl in parallel:
1. Keep acme.sh cron running (low overhead, serves as fallback)
2. Configure certctl policies and test renewal on 1-2 non-critical domains
3. Monitor certctl's audit trail and deployment logs
4. Once confident, disable acme.sh cron on those domains
5. Roll out to remaining domains
This way, if certctl renewal fails, acme.sh's cron still renews the cert (you'll see duplicate renewals in the audit trail, but no gap).
## Next: DNS-PERSIST-01 (Zero-Touch Renewals)
After migrating to certctl + DNS-01, consider upgrading to **DNS-PERSIST-01**. Instead of creating/deleting DNS records on every renewal, you create one persistent TXT record at `_validation-persist.<domain>` that never changes. Let's Encrypt then validates against that standing record forever.
Benefits:
- **Zero operational overhead per renewal** — no DNS API calls during renewal
- **Auditable** — DNS record created once, visible to the team, never modified
- **Vendor-agnostic** — works with any DNS provider that supports TXT records
To enable:
```bash
export CERTCTL_ACME_CHALLENGE_TYPE=dns-persist-01
export CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN=letsencrypt.org
export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/cloudflare-present.sh
```
certctl automatically falls back to DNS-01 if the CA doesn't support dns-persist-01 yet.
## Support
See [Connector Configuration](connectors.md) for advanced ACME options (EAB, ARI, custom timeouts).
See [Discovery Guide](concepts.md#certificate-discovery) for managing discovered certificates at scale.
docs/migrate-from-certbot.md
+171
View File
@@ -0,0 +1,171 @@
# Migrating from Certbot to certctl
You have 50 Let's Encrypt certificates across 10 servers, managed by a mix of Certbot cron jobs and manual renewals. Certbot handles issuance, but you lack inventory visibility, centralized alerting, and audit trails. This guide walks you through moving to certctl while keeping your existing certificates and ACME account.
## Why Migrate
Certbot renews certs in isolation. If a renewal fails on one server, you don't know until the cert expires. certctl gives you a single pane of glass: see all certs across all servers, get alerts 30/14/7 days before expiry, track who renewed what when, and verify each deployment succeeded via TLS fingerprint validation.
## What You Keep
- Your existing Certbot ACME account key and Let's Encrypt account
- All issued certificates in `/etc/letsencrypt/live/`
- Certbot's renewal history and hooks
You will not re-issue any certificates. certctl discovers them and takes over renewal scheduling.
## Step-by-Step Migration
### 1. Deploy certctl Control Plane
Option A: Docker Compose (quickest for evaluation)
```bash
cd /opt/certctl
docker compose up -d
# Dashboard & API: http://localhost:8443
# Default API key in logs (grep CERTCTL_API_KEY docker logs certctl-server)
```
Option B: Kubernetes (Helm)
```bash
helm install certctl deploy/helm/certctl/ \
--set auth.apiKey=YOUR_SECURE_KEY
```
### 2. Deploy Agents to Each Server
On each of your 10 servers running Certbot:
```bash
# Linux amd64 (adjust for your architecture)
curl -sSL https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
-o /usr/local/bin/certctl-agent
chmod +x /usr/local/bin/certctl-agent
# Create config
sudo mkdir -p /etc/certctl /var/lib/certctl/keys
sudo tee /etc/certctl/agent.env > /dev/null <<EOF
CERTCTL_SERVER_URL=http://certctl-control-plane.example.com:8443
CERTCTL_API_KEY=your-api-key-here
CERTCTL_DISCOVERY_DIRS=/etc/letsencrypt/live
CERTCTL_KEY_DIR=/var/lib/certctl/keys
EOF
sudo chmod 600 /etc/certctl/agent.env
# Start agent
sudo systemctl start certctl-agent # if installed via script
# OR manually:
sudo certctl-agent --server https://... --api-key ... --discovery-dirs /etc/letsencrypt/live
```
The agent will scan `/etc/letsencrypt/live/` and report all discovered certificates to the control plane.
### 3. Triage Discovered Certificates
In the certctl dashboard, go to **Discovery**:
- See all discovered certs grouped by agent
- Status shows "Unmanaged" for certificates not yet claimed
- For each Certbot cert, click **Claim** and link it to managed inventory
The control plane now knows about all 50 certs and where they live.
### 4. Configure ACME Issuer
Go to **Issuers****+ New Issuer**:
1. Select **ACME** from the issuer type grid
2. Fill in the type-specific fields: name, directory URL (`https://acme-v02.api.letsencrypt.org/directory`), and any required config
Alternatively, configure via environment variables before starting the server:
```bash
export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
export CERTCTL_ACME_EMAIL=your-email@example.com
export CERTCTL_ACME_CHALLENGE_TYPE=http-01 # or dns-01 for wildcard certs
```
For DNS-01, also set:
```bash
export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/present.sh
export CERTCTL_ACME_DNS_CLEANUP_SCRIPT=/etc/certctl/dns/cleanup.sh
```
certctl uses the same Let's Encrypt account; no new credentials needed.
### 5. Create Renewal Policies
Go to **Policies****+ New Policy** to create enforcement rules:
- Name: e.g., "ACME Renewal Policy"
- Type: `expiration_window` (to enforce renewal thresholds)
- Severity: `high`
- Config: set your renewal threshold (default: 30 days before expiry)
Renewal scheduling is driven by the certificate's assigned profile and issuer. Policies add enforcement guardrails (key algorithm requirements, expiration windows, etc.).
### 6. Disable Certbot Cron, One Server at a Time
On the first server (start with a low-traffic one):
```bash
# Stop Certbot renewal
sudo systemctl disable certbot.timer
sudo systemctl stop certbot.timer
# Or remove the cron job
sudo rm /etc/cron.d/certbot # if managed by cron
```
Monitor that server in the certctl dashboard. Certctl will renew the cert ~30 days before expiry.
### 7. Verify First Renewal Succeeds
Wait for the renewal to trigger (or manually trigger it in **Certificates** → select cert → **Renew**). Check the dashboard:
- **Certificates** page: status transitions from `Active` to `Renewing` to `Active`
- **Jobs** page: renewal job shows `Completed` status
- **Verification** tab: TLS check confirms the new cert is deployed and live
After verifying, disable Certbot on the remaining 9 servers.
### 8. Enable Alerting
Configure notifiers via environment variables before starting the server:
```bash
# Example: Slack alerting
export CERTCTL_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
docker compose up -d
# Or email alerting
export CERTCTL_SMTP_HOST=smtp.gmail.com
export CERTCTL_SMTP_PORT=587
export CERTCTL_SMTP_USERNAME=your-email@gmail.com
export CERTCTL_SMTP_PASSWORD=your-app-password
export CERTCTL_SMTP_FROM_ADDRESS=certctl@example.com
docker compose up -d
# Other options: CERTCTL_TEAMS_WEBHOOK_URL, CERTCTL_PAGERDUTY_ROUTING_KEY, CERTCTL_OPSGENIE_API_KEY
```
Now you get 30/14/7-day warnings before any cert expires, across all 10 servers, in one place.
## What Changes
- **Renewal**: Agent polls certctl for work instead of Certbot cron triggering locally. Faster failure detection (agent heartbeat every 60 seconds vs. cron running once a day).
- **Deployment**: certctl verifies post-deployment by probing the live TLS endpoint and comparing SHA-256 fingerprints. Catches reload failures silently.
- **Audit Trail**: Every renewal, deployment, and alert is logged immutably. Answer "who renewed cert X when and why" within seconds.
- **Alerting**: Threshold-based alerts to Slack/email/webhook 30/14/7 days before expiry, not when cert expires.
## Coexistence and Rollback
During migration, certctl and Certbot can run simultaneously. The agent will discover Certbot certs even while Certbot continues renewing them. Run both for a week to build confidence.
**If you need to rollback**: Re-enable Certbot cron on any server:
```bash
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
```
certctl will stop renewing that cert when the policy is disabled. Certbot resumes as before. Your certificates and ACME account remain untouched.
## Next Steps
- Review the [Concepts Guide](./concepts.md) for terminology (profiles, policies, agents, jobs)
- Explore [Network Discovery](./quickstart.md#network-discovery-agentless) to find certificates you didn't know about
- Set up [Kubernetes cert-manager integration](./certctl-for-cert-manager-users.md) if you manage in-cluster certs too
docs/quickstart.md
+65 -13
View File
@@ -43,6 +43,8 @@ On Linux, follow the official Docker install guide for your distribution.
## Start Everything
### Docker Compose (Quick Start)
```bash
git clone https://github.com/shankar0123/certctl.git
cd certctl
@@ -58,6 +60,22 @@ cp deploy/.env.example deploy/.env
docker compose -f deploy/docker-compose.yml up -d --build
```
### Kubernetes with Helm
For production deployments on Kubernetes, use the Helm chart:
```bash
helm install certctl deploy/helm/certctl/ \
--create-namespace --namespace certctl \
--set server.auth.apiKey="your-secure-api-key" \
--set postgresql.auth.password="your-db-password" \
--set ingress.enabled=true \
--set ingress.hosts[0].host="certctl.example.com" \
--set ingress.hosts[0].tls=true
```
The chart includes: server Deployment (with configurable replicas, health probes, security context), PostgreSQL StatefulSet with persistent volumes, agent DaemonSet (one agent per infrastructure node), optional Ingress with TLS, and ServiceAccount with RBAC. All certctl configuration options are exposed in `values.yaml` — customize issuer settings, target connectors, scheduler intervals, and notifier credentials there.
Wait about 30 seconds for PostgreSQL to initialize, then verify:
```bash
@@ -83,7 +101,11 @@ curl http://localhost:8443/health
Open **http://localhost:8443** in your browser.
The dashboard comes pre-loaded with 15 demo certificates across multiple teams, environments, and statuses — expiring certs, expired certs, active certs, failed renewals. A realistic snapshot of what certificate management looks like in a real organization.
> **Note:** The Docker Compose demo runs with authentication disabled (`CERTCTL_AUTH_TYPE=none`) so you can explore immediately. For production, set `CERTCTL_AUTH_TYPE=api-key` and `CERTCTL_AUTH_SECRET=<your-secret>` in your environment, then pass `Authorization: Bearer <your-secret>` on all API requests. The dashboard will prompt for your API key on first load.
>
> **Key rotation:** `CERTCTL_AUTH_SECRET` accepts comma-separated keys (e.g., `CERTCTL_AUTH_SECRET=new-key,old-key`). Both keys are valid simultaneously, enabling zero-downtime rotation: add the new key, roll clients over, then remove the old key.
The dashboard comes pre-loaded with 35 demo certificates across 5 issuers, 8 agents, and 90 days of job history — expiring certs, expired certs, active certs, failed renewals, revocations, discovery scans, and approval workflows. A realistic snapshot of what certificate management looks like in a real organization.
### What you're looking at
@@ -105,7 +127,7 @@ Explore the sidebar: Certificates, Agents, Policies, Jobs, Audit Trail, Notifica
**"I need to approve a renewal before it proceeds"** — Click "Jobs" in the sidebar. You'll see an amber banner: "2 jobs awaiting approval." These are renewal jobs for `auth-production` and `payments-production` that require human sign-off before proceeding. Click Approve or Reject with a reason — the decision is recorded in the audit trail.
**"Show me the agent fleet"** — Click "Agents." Four agents online, one offline. Click "Fleet Overview" for OS/architecture grouping, version distribution, and per-platform listing. Agents generate ECDSA P-256 keys locally — private keys never leave your infrastructure.
**"Show me the agent fleet"** — Click "Agents." Eight agents across Linux, macOS, and Windows platforms—most online, showing OS, architecture, IP, and version metadata. A ninth entry (server-scanner) is the sentinel agent used for network certificate discovery. Click "Fleet Overview" for OS/architecture grouping, version distribution, and per-platform listing. Agents generate ECDSA P-256 keys locally — private keys never leave your infrastructure.
**"What about bulk operations?"** — On the Certificates page, select multiple certificates with checkboxes. A bulk action bar appears: trigger renewal, revoke with reason codes, or reassign ownership — all with progress tracking. At 47-day lifespans with hundreds of certs, bulk operations aren't optional.
@@ -342,6 +364,35 @@ export CERTCTL_API_KEY="test-key-123"
./certctl-cli status # Health + stats
```
## Scheduled Certificate Digest Emails
Enable automatic HTML digest emails with certificate stats, expiration timeline, and job health:
```bash
# Set SMTP configuration
export CERTCTL_SMTP_HOST=smtp.gmail.com
export CERTCTL_SMTP_PORT=587
export CERTCTL_SMTP_USERNAME=admin@example.com
export CERTCTL_SMTP_PASSWORD=your-app-password
export CERTCTL_SMTP_FROM_ADDRESS=certctl@example.com
export CERTCTL_SMTP_USE_TLS=true
# Enable digest and set recipients
export CERTCTL_DIGEST_ENABLED=true
export CERTCTL_DIGEST_INTERVAL=24h
export CERTCTL_DIGEST_RECIPIENTS=ops@example.com,security@example.com
```
Preview the digest HTML before enabling scheduled delivery:
```bash
curl http://localhost:8443/api/v1/digest/preview | jq '.html' | grep -o '<html>' # Shows HTML is ready
# Trigger a digest send immediately (outside of schedule)
curl -X POST http://localhost:8443/api/v1/digest/send
```
If no recipients are configured (`CERTCTL_DIGEST_RECIPIENTS` empty), the digest falls back to certificate owner emails. Digests include total certificates, expiring soon, expired, active agents, completed/failed jobs (30-day summary), and a table of expiring certs color-coded by urgency (7/14/30 days).
## MCP Server (AI Integration)
```bash
@@ -359,18 +410,19 @@ Exposes 78 MCP tools covering the REST API via stdio transport. Ask Claude: "Wha
| Resource | Count | Examples |
|----------|-------|---------|
| Teams | 5 | Platform, Security, Payments, Frontend, Data |
| Owners | 5 | Alice, Bob, Carol, Dave, Eve |
| Issuers | 4 | Local Dev CA, Let's Encrypt Staging, step-ca Internal, DigiCert (disabled) |
| Agents | 6 | ag-web-prod, ag-web-staging, ag-lb-prod, ag-iis-prod, ag-data-prod, server-scanner (network discovery) |
| Targets | 5 | NGINX (prod/staging/data), F5 LB, IIS |
| Certificates | 15 | Various statuses: Active, Expiring, Expired, Failed, Wildcard |
| Discovered Certs | 9 | 5 Unmanaged (filesystem + network), 2 Managed (linked), 1 Dismissed, network-discovered expired printer cert |
| Discovery Scans | 3 | Agent filesystem scans + network TLS scan |
| Network Scan Targets | 3 | DC1 Web Servers, DC2 Application Tier, DMZ Public Endpoints |
| Jobs (Approval) | 2 | AwaitingApproval renewal jobs for auth-prod and payments-prod |
| Teams | 6 | Platform, Security, Payments, Frontend, Data, DevOps |
| Owners | 6 | Alice, Bob, Carol, Dave, Eve, Frank |
| Issuers | 5 | Local Dev CA, Let's Encrypt Staging, step-ca Internal, ZeroSSL (EAB), Custom OpenSSL CA |
| Agents | 9 | 8 real agents (linux/darwin/windows, amd64/arm64) + server-scanner (network discovery) |
| Targets | 8 | NGINX prod, NGINX staging, NGINX data, HAProxy, Apache, IIS, Traefik, Caddy |
| Certificates | 35 | Active, Expiring, Expired, Failed, Revoked, RenewalInProgress, Wildcard, S/MIME |
| Jobs | 50+ | 90 days of issuance, renewal, deployment jobs + 2 AwaitingApproval |
| Discovered Certs | 12 | Unmanaged (filesystem + network), Managed (linked), Dismissed |
| Discovery Scans | 8 | Historical + recent agent filesystem scans + network TLS scans |
| Network Scan Targets | 4 | DC1 Web Servers, DC2 Application Tier, DMZ Public Endpoints, Edge Locations |
| Audit Events | 55+ | 90 days of lifecycle events (issuance, renewal, deployment, revocation, discovery) |
| Policies | 4 | Required owner, allowed environments, max lifetime, min renewal window |
| Profiles | 4 | Standard TLS, Internal mTLS, Short-Lived, High Security |
| Profiles | 5 | Standard TLS, Internal mTLS, Short-Lived, High Security, S/MIME Email |
| Agent Groups | 5 | Linux agents, ARM agents, Production subnet, etc. |
## Dashboard Demo Mode
docs/testing-guide.md
+1216 -35
View File
File diff suppressed because it is too large Load Diff
docs/why-certctl.md
+1 -1
View File
@@ -71,7 +71,7 @@ docker compose up -d
open http://localhost:8443
```
The demo seeds 15 certificates, 5 agents, 5 deployment targets, discovery data, network scan targets, and pending approval jobs so you can explore every feature immediately.
The demo seeds 35 certificates across 5 issuers, 8 agents, 8 deployment targets, 90 days of job history, discovery scan data, network scan targets, and pending approval jobs so you can explore every feature immediately.
See the [Quickstart Guide](quickstart.md) for a full walkthrough.
examples/acme-nginx/acme-nginx.md
+370
View File
@@ -0,0 +1,370 @@
# certctl + NGINX + Let's Encrypt
This example demonstrates certctl's core use case: **automatically manage TLS certificates for NGINX using Let's Encrypt (ACME HTTP-01 challenges).**
## What This Does
- Deploys certctl server (control plane) with PostgreSQL
- Deploys certctl agent on the same network (in production: on your NGINX server)
- Configures Let's Encrypt as the certificate issuer via ACME v2
- Demonstrates HTTP-01 challenge solving (requires port 80 open to the internet)
- Shows how to set up 3 example domains for certificate enrollment and renewal
- Automatically renews certificates 30 days before expiration
## Architecture
```
Your Domain (example.com)
↓ [HTTP-01 validation, port 80]
Let's Encrypt ACME
↓ [CSR submission]
certctl Server (control plane)
↓ [API polling]
certctl Agent (on NGINX server)
↓ [deploy cert+key]
NGINX Reverse Proxy
```
## Prerequisites
1. **Docker & Docker Compose** (v20.10+)
2. **A domain name** pointing to your server (e.g., `example.com`)
3. **Ports 80 and 443 open** to the internet (ACME HTTP-01 needs port 80)
4. **Valid email address** for Let's Encrypt account (errors and renewal notices)
If you don't have a real domain or can't open port 80, see [Customization Tips](#customization-tips) below.
## Quick Start
### 1. Clone or copy this example
```bash
cd examples/acme-nginx
```
### 2. Create a `.env` file with your settings
```bash
cat > .env <<'EOF'
# Your email for Let's Encrypt account
ACME_EMAIL=admin@example.com
# Database password (change this in production!)
DB_PASSWORD=certctl-demo-password
# Agent API key (generate a real one in production)
AGENT_API_KEY=agent-demo-key
# Server port (certctl listens here internally on 8443; expose as needed)
SERVER_PORT=8443
EOF
```
### 3. (Optional) Create an NGINX config
If you have a real domain and want NGINX to route traffic:
```bash
cat > nginx.conf <<'EOF'
events {
worker_connections 1024;
}
http {
# HTTP block for ACME challenges
server {
listen 80;
server_name example.com www.example.com api.example.com;
# ACME challenge directory (certctl writes validation files here)
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Redirect HTTP to HTTPS
location / {
return 301 https://$server_name$request_uri;
}
}
# HTTPS block (certificates deployed here by certctl agent)
server {
listen 443 ssl http2;
server_name example.com www.example.com api.example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://upstream-service;
}
}
}
EOF
```
Or just accept the default empty NGINX config for demonstration.
### 4. Start the stack
```bash
docker compose up -d
```
Monitor logs:
```bash
docker compose logs -f certctl-server certctl-agent
```
### 5. Access the dashboard
Navigate to `http://localhost:8443` (or your `SERVER_PORT`)
You should see:
- An empty certificate inventory (no certs issued yet)
- One ACME issuer ("iss-acme") configured and ready
- One agent ("nginx-agent-01") online and heartbeating
### 6. Create a certificate profile
In the certctl dashboard:
1. Go to **Profiles** (sidebar)
2. Click **New Profile**
3. Set:
- Name: `acme-prod`
- Key Type: `RSA-2048` (or `ECDSA-P256`)
- Max TTL: `90 days`
- Allowed Key Types: `RSA-2048, ECDSA-P256`
4. Save
### 7. Request a certificate
In the certctl dashboard:
1. Go to **Certificates** (sidebar)
2. Click **Request New Certificate**
3. Set:
- Common Name: `example.com`
- SANs: `www.example.com`, `api.example.com` (optional)
- Issuer: `iss-acme` (Let's Encrypt)
- Profile: `acme-prod`
4. Click **Request**
Behind the scenes:
- Server creates an `Issuance` job
- Agent polls for work, fetches the job
- Agent generates a P-256 key (never sent to server)
- Agent submits CSR to server
- Server sends CSR to Let's Encrypt ACME
- Let's Encrypt provides HTTP-01 challenge token
- Server downloads ACME challenge, returns to agent
- Agent deploys challenge file to NGINX `/.well-known/acme-challenge/`
- Let's Encrypt validates (HTTP GET to `http://example.com/.well-known/acme-challenge/...`)
- Let's Encrypt issues certificate
- Server receives certificate, passes to agent
- Agent deploys cert+key to `/etc/nginx/ssl/example.com.crt` + `.key`
- Agent reloads NGINX (`nginx -s reload`)
- Certificate is now active
### 8. View the certificate
In the dashboard:
1. Go to **Certificates**
2. Click the certificate to see:
- Common name, SANs, serial number
- Issuer (Let's Encrypt), not-before/after dates
- Status (Active, Expiring in N days, Expired)
- Deployment history (timestamps, agent name, target)
- Next auto-renewal date (30 days before expiration)
### 9. Set up automatic renewal
The server automatically checks for certificates expiring within 30 days and triggers renewal. You can:
- Adjust the threshold in the certificate's policy
- Manually trigger renewal via dashboard button
- View renewal job status and history
## How It Works
### Certificate Lifecycle
1. **Request** — Operator creates certificate request via dashboard or API
2. **CSR Generation** — Agent generates private key locally, submits CSR to server
3. **ACME Challenge** — Server communicates with Let's Encrypt ACME, obtains challenge
4. **Challenge Proof** — Agent deploys challenge proof to NGINX
5. **Issuance** — Let's Encrypt validates, issues certificate
6. **Deployment** — Agent receives certificate, deploys to NGINX SSL directory
7. **Reload** — Agent signals NGINX to reload (`nginx -s reload`)
8. **Verification** — Agent optionally verifies the live TLS endpoint (handshake fingerprint)
9. **Renewal** — 30 days before expiration, process repeats automatically
### HTTP-01 Challenge
ACME HTTP-01 works like this:
1. Let's Encrypt generates random token (e.g., `abc123def456`)
2. Server returns token to agent
3. Agent writes file: `/.well-known/acme-challenge/abc123def456` with value (random key material)
4. Let's Encrypt performs HTTP GET to `http://example.com/.well-known/acme-challenge/abc123def456`
5. If content matches, domain ownership is proven
6. Certificate is issued
**Requirements:**
- Port 80 must be open to the internet
- DNS must resolve your domain to your server
- NGINX must serve `/.well-known/acme-challenge/` (or certctl mounts a separate directory)
### Agent Key Generation
Keys are generated **on the agent**, never on the server:
1. Agent creates ECDSA P-256 keypair using `crypto/ecdsa`
2. Private key is stored locally on agent at `/var/lib/certctl/keys/` (readable only by certctl process)
3. Agent creates CSR (certificate signing request) with private key
4. Agent submits CSR to server
5. Server never sees the private key
6. Certificate is returned, agent stores it alongside key
7. Both key and cert used for NGINX deployment
This keeps private keys in the infrastructure where they're used, following zero-trust principles.
## Adding More Domains
### Option 1: Additional SANs on Same Certificate
Edit the existing certificate in the dashboard:
1. Click the certificate
2. Edit SANs to add `mail.example.com`, `ftp.example.com`, etc.
3. Trigger renewal
4. Agent generates new CSR with all SANs
5. Let's Encrypt validates each SAN (HTTP-01 for each)
6. Single certificate with multiple SANs is issued
### Option 2: Separate Certificates per Domain
If you want separate certificates (different issuance schedules, different targets):
1. Dashboard → **Certificates** → **Request New Certificate**
2. Common Name: `subdomain.example.com`
3. Set same issuer and profile
4. Request
Each domain gets its own cert, key, and renewal schedule.
### Wildcard Certificates (Not HTTP-01)
HTTP-01 does **not** support wildcard (`*.example.com`). To issue wildcards, use DNS-01 challenge (see [acme-wildcard-dns01](../acme-wildcard-dns01/) example).
## Customization Tips
### Using Let's Encrypt Staging (for testing)
Staging has higher rate limits and doesn't require real domains:
```bash
# In .env or docker-compose.yml override:
CERTCTL_ACME_DIRECTORY_URL=https://acme-staging-v02.api.letsencrypt.org/directory
```
Staging certificates won't be trusted by browsers (fake CA), but you can test the full flow without hitting production rate limits.
### Disabling Port 80 Requirement (Demo Mode)
If you can't open port 80, use ACME DNS-01 instead (requires DNS provider integration). See [acme-wildcard-dns01](../acme-wildcard-dns01/) example.
Or use Local CA for internal testing:
```bash
# Switch issuer to Local CA (not public-trusted, but no challenge needed)
CERTCTL_ACME_DIRECTORY_URL= # Leave empty to disable ACME
# (then configure Local CA instead)
```
### Custom NGINX Config
Replace `nginx.conf` with your own before `docker compose up`. The agent doesn't manage the NGINX config — it only deploys certificates. You're responsible for:
- Configuring SSL paths (`ssl_certificate`, `ssl_certificate_key`)
- Setting up challenge directory (`/.well-known/acme-challenge/`)
- Pointing NGINX to agent-deployed certificates
### Database Persistence
PostgreSQL data is stored in the `postgres_data` volume. To reset:
```bash
docker compose down -v # Destroy all volumes
```
### Viewing Agent Logs
```bash
docker compose logs -f certctl-agent
```
Look for:
- `Heartbeat successful` — agent is communicating with server
- `CSR submitted` — key generation and CSR submission worked
- `Deployment succeeded` — certificate deployed to NGINX
- `NGINX reload` — signal sent to reload
### Testing ACME Without Real Domain
Use `nip.io` (free DNS service):
1. Deploy to a server with a public IP
2. Use domain: `<your-ip>.nip.io` (e.g., `203.0.113.45.nip.io`)
3. Let's Encrypt will validate to that IP
4. Change ACME_EMAIL to a real email you control
## Production Checklist
Before running in production:
- [ ] Change `DB_PASSWORD` to a strong random password
- [ ] Generate a real API key for the agent (don't use the demo key)
- [ ] Enable `CERTCTL_AUTH_TYPE=api-key` and enforce authentication
- [ ] Use Let's Encrypt production directory (not staging)
- [ ] Configure `CERTCTL_CORS_ORIGINS` to restrict cross-origin access
- [ ] Use `CERTCTL_KEYGEN_MODE=agent` (default, but verify)
- [ ] Set `CERTCTL_LOG_LEVEL=warn` to reduce log noise
- [ ] Configure email notifications for certificate expiration alerts
- [ ] Set up log aggregation (Datadog, ELK, Splunk, etc.)
- [ ] Use docker secrets or external secret manager for credentials (not .env)
- [ ] Run agent on actual NGINX servers (not co-located with server for HA)
- [ ] Set up monitoring and alerting on agent heartbeat and job completion
- [ ] Implement backup/restore for PostgreSQL
- [ ] Use TLS for certctl server (terminate at reverse proxy or load balancer)
## Troubleshooting
### Agent heartbeat failing
```bash
docker compose logs certctl-agent
# Check: CERTCTL_SERVER_URL, CERTCTL_API_KEY, network connectivity
```
### ACME challenge failing
```bash
# Ensure port 80 is open: curl http://example.com/.well-known/acme-challenge/test
# Check NGINX is running and serving /.well-known/acme-challenge/
# Verify DNS resolves domain to your server: dig example.com
```
### NGINX reload failing
Check agent permissions on NGINX socket and that NGINX is reachable from agent container.
### Let's Encrypt rate limited
Let's Encrypt has rate limits (50 certs per domain per week). Use staging to test, or wait a week.
### Certificate not deployed to NGINX
Check agent logs for deployment errors. Verify `/etc/nginx/ssl` volume is writable by agent container.
## Next Steps
- **Wildcard certificates**: See [acme-wildcard-dns01](../acme-wildcard-dns01/) example
- **Multiple issuers**: See [multi-issuer](../multi-issuer/) example
- **Private CA**: See [private-ca-traefik](../private-ca-traefik/) example
- **Dashboard deep dive**: Read [docs/quickstart.md](../../docs/quickstart.md)
- **REST API**: Explore [api/openapi.yaml](../../api/openapi.yaml)
## Support
For issues or questions:
- Check [docs/troubleshooting.md](../../docs/troubleshooting.md)
- Open an issue on GitHub
- Review server and agent logs: `docker compose logs -f`
examples/acme-nginx/docker-compose.yml
+146
View File
@@ -0,0 +1,146 @@
version: '3.8'
services:
# PostgreSQL database for certctl
postgres:
image: postgres:16-alpine
container_name: certctl-postgres-acme-nginx
environment:
POSTGRES_DB: certctl
POSTGRES_USER: certctl
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
interval: 5s
timeout: 5s
retries: 5
networks:
- certctl-network
restart: unless-stopped
# certctl server (control plane)
certctl-server:
image: ghcr.io/shankar0123/certctl-server:latest
container_name: certctl-server-acme-nginx
environment:
# Database
DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
# Server settings
CERTCTL_SERVER_PORT: 8443
CERTCTL_SERVER_HOST: 0.0.0.0
# Auth (disabled for demo; production should use API keys)
CERTCTL_AUTH_TYPE: none
# CORS (allow agent communication)
CERTCTL_CORS_ORIGINS: '*'
# Key generation mode (agent-side in production, server-side for demo)
CERTCTL_KEYGEN_MODE: agent
# ACME issuer configuration
# This registers the Let's Encrypt ACME issuer
CERTCTL_ACME_DIRECTORY_URL: https://acme-v02.api.letsencrypt.org/directory
CERTCTL_ACME_EMAIL: ${ACME_EMAIL:-admin@example.com}
CERTCTL_ACME_CHALLENGE_TYPE: http-01
# Local CA as fallback for internal services (optional)
CERTCTL_CA_CERT_PATH: /etc/certctl/ca.crt
CERTCTL_CA_KEY_PATH: /etc/certctl/ca.key
# Logging
CERTCTL_LOG_LEVEL: info
ports:
- '${SERVER_PORT:-8443}:8443'
depends_on:
postgres:
condition: service_healthy
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/api/v1/health || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
# certctl agent (runs on the target machine with NGINX)
# In this example, the agent is in the same compose file for simplicity.
# In production, the agent runs on each server that needs certificates.
certctl-agent:
image: ghcr.io/shankar0123/certctl-agent:latest
container_name: certctl-agent-acme-nginx
environment:
# Control plane connection
CERTCTL_SERVER_URL: http://certctl-server:8443
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
# Key generation (agent-side keys, never sent to server)
CERTCTL_KEYGEN_MODE: agent
CERTCTL_KEY_DIR: /var/lib/certctl/keys
# Discovery (scan existing certs so operator knows what's already deployed)
CERTCTL_DISCOVERY_DIRS: /etc/nginx/ssl
# Heartbeat interval
CERTCTL_HEARTBEAT_INTERVAL: 30s
# Agent metadata (self-reported)
CERTCTL_AGENT_NAME: nginx-agent-01
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Mount NGINX config and cert directories
# In production, these would be the actual NGINX paths
- nginx_certs:/etc/nginx/ssl
- nginx_conf:/etc/nginx/conf.d
# Agent key storage (persisted across restarts)
- agent_keys:/var/lib/certctl/keys
depends_on:
certctl-server:
condition: service_healthy
networks:
- certctl-network
restart: unless-stopped
# NGINX reverse proxy / web server
# This is where certificates will be deployed
nginx:
image: nginx:alpine
container_name: certctl-nginx-acme-nginx
ports:
- '80:80'
- '443:443'
volumes:
- nginx_conf:/etc/nginx/conf.d
- nginx_certs:/etc/nginx/ssl
# Default NGINX config (if not provided by agent)
- ./nginx.conf:/etc/nginx/nginx.conf:ro
depends_on:
- certctl-agent
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost/ || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
networks:
certctl-network:
driver: bridge
volumes:
postgres_data:
driver: local
nginx_certs:
driver: local
nginx_conf:
driver: local
agent_keys:
driver: local
examples/acme-wildcard-dns01/acme-wildcard-dns01.md
+306
View File
@@ -0,0 +1,306 @@
# ACME Wildcard DNS-01 Example
**What this does:** Issues wildcard certificates (e.g., `*.example.com`) from Let's Encrypt using DNS-01 challenge validation.
This example is ideal for:
- Issuing wildcard certificates (`*.example.com`)
- Services behind NAT, firewalls, or non-public networks
- Batch issuance of multiple domains in parallel
- Internal PKI with public DNS names
- Scenarios where you have programmatic access to your DNS provider's API
## Prerequisites
Before running this example, you need:
1. **A domain name** (e.g., `example.com`) that you control and can manage DNS records for
2. **DNS provider credentials:**
- **Cloudflare** (example included): API token with DNS:write permission + Zone ID
- **Route53 (AWS)**: AWS access key + secret key
- **Azure DNS**: Azure subscription ID + credentials
- **Other providers**: See "Adapting for Other DNS Providers" below
3. **Docker and Docker Compose** installed
## Quick Start (Cloudflare)
### Step 1: Get Cloudflare Credentials
1. Log in to [Cloudflare Dashboard](https://dash.cloudflare.com)
2. Select your domain (e.g., `example.com`)
3. In the sidebar, find **Zone ID** (copy this)
4. Go to **Account Settings > API Tokens**
5. Create a new token with these scopes:
- **Zone > Zone:Read** (to list DNS records)
- **Zone > DNS:Write** (to create/delete challenge records)
6. Copy the API token
### Step 2: Set Environment Variables
Create a `.env` file in this directory:
```bash
# .env
CLOUDFLARE_API_TOKEN=your-api-token-here
CLOUDFLARE_ZONE_ID=your-zone-id-here
ACME_EMAIL=admin@example.com
DB_PASSWORD=your-secure-db-password
```
Or export them in your shell:
```bash
export CLOUDFLARE_API_TOKEN="your-api-token-here"
export CLOUDFLARE_ZONE_ID="your-zone-id-here"
export ACME_EMAIL="admin@example.com"
export DB_PASSWORD="your-secure-db-password"
```
### Step 3: Make DNS Scripts Executable
```bash
chmod +x dns-hooks/*.sh
```
### Step 4: Start the Stack
```bash
docker compose up -d
```
This starts:
- **certctl-server** (port 8443): Control plane and ACME orchestrator
- **postgres**: Certificate metadata database
- **certctl-agent**: Certificate deployment agent
### Step 5: Access the Dashboard
Open your browser to `http://localhost:8443`
### Step 6: Create a Wildcard Certificate
1. Go to **Issuers** page
2. Verify the ACME issuer is registered
3. Go to **Certificates** > **New Certificate**
4. Fill in:
- **Issuer:** ACME (Let's Encrypt)
- **Common Name:** `*.example.com`
- **Subject Alt Names:** `example.com` (to also cover the root domain)
5. Click **Request**
The renewal job will:
1. Send a request to Let's Encrypt
2. Run `dns-hooks/cloudflare-present.sh` to create `_acme-challenge.example.com` TXT record
3. Wait for Let's Encrypt to verify the TXT record
4. Issue the certificate
5. Run `dns-hooks/cloudflare-cleanup.sh` to delete the temporary TXT record
### Step 7: Monitor the Job
Go to **Jobs** page to see the renewal progress:
- **AwaitingCSR**: Agent is generating the CSR
- **Running**: ACME challenge in progress (DNS record being validated)
- **Completed**: Certificate issued and stored
- **Failed**: Check logs for errors (e.g., DNS provider API issues)
## How DNS-01 Works
The DNS-01 challenge proves you own a domain by creating a DNS TXT record:
```
_acme-challenge.example.com TXT "acme-validation-token-xxxxx"
```
Let's Encrypt then queries this TXT record. Once verified, it issues the certificate and certctl cleans up the TXT record.
**Why DNS-01 is better than HTTP-01 for wildcards:**
- HTTP-01 requires a public web server; DNS-01 works anywhere
- Wildcard certificates require DNS proof (not HTTP)
- DNS challenges can be solved for multiple domains in parallel
- No need for public IP or inbound port 80/443
## Adapting for Other DNS Providers
The example uses Cloudflare, but certctl supports **any DNS provider via pluggable shell scripts**.
### AWS Route53
Replace the `CERTCTL_ACME_DNS_PRESENT_SCRIPT` and `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` in `docker-compose.yml` with:
- `./dns-hooks/route53-present.sh`
- `./dns-hooks/route53-cleanup.sh`
Example script outline (using AWS CLI):
```bash
#!/bin/bash
DOMAIN="$1"
VALIDATION_TOKEN="$2"
# Get Route53 hosted zone ID for the domain
ZONE_ID=$(aws route53 list-hosted-zones --query \
"HostedZones[?Name=='$DOMAIN.'].Id" --output text | cut -d'/' -f3)
# Create TXT record
aws route53 change-resource-record-sets \
--hosted-zone-id "$ZONE_ID" \
--change-batch "{
\"Changes\": [{
\"Action\": \"CREATE\",
\"ResourceRecordSet\": {
\"Name\": \"_acme-challenge.$DOMAIN\",
\"Type\": \"TXT\",
\"TTL\": 120,
\"ResourceRecords\": [{\"Value\": \"\\\"$VALIDATION_TOKEN\\\"\"}]
}
}]
}"
```
### Azure DNS
```bash
#!/bin/bash
DOMAIN="$1"
VALIDATION_TOKEN="$2"
# Set Azure credentials via environment variables
# AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, AZURE_TENANT_ID, etc.
az network dns record-set txt create \
--resource-group "$AZURE_RESOURCE_GROUP" \
--zone-name "$DOMAIN" \
--name "_acme-challenge" \
--ttl 120 \
--txt-value "$VALIDATION_TOKEN"
```
### Generic DNS Provider (using dig + TSIG)
If your DNS provider supports NSUPDATE (RFC 2136):
```bash
#!/bin/bash
DOMAIN="$1"
VALIDATION_TOKEN="$2"
nsupdate <<EOF
zone $DOMAIN
update add _acme-challenge.$DOMAIN 120 TXT "$VALIDATION_TOKEN"
send
EOF
```
### Manual DNS (for testing)
Replace scripts with no-ops during testing:
```bash
#!/bin/bash
echo "Please create: _acme-challenge.$1 TXT $2"
sleep 60 # Manual wait for you to create the record
```
## Alternative: DNS-PERSIST-01 (Standing Records)
If your DNS provider supports it, use **DNS-PERSIST-01** for zero-maintenance renewals.
Instead of creating a new TXT record for each renewal, you create one standing record once:
```
_validation-persist.example.com TXT "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345678"
```
Then every renewal uses the same record — no cleanup scripts needed!
To enable in `docker-compose.yml`:
```yaml
CERTCTL_ACME_CHALLENGE_TYPE: dns-persist-01
CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN: letsencrypt.org
```
Certctl will:
1. Fetch your ACME account URI
2. Create the standing `_validation-persist` record once
3. Reuse it for all future renewals (no per-renewal DNS updates)
## Security Notes
1. **API Token Scope:** Restrict Cloudflare/AWS tokens to DNS:write only (not full account access)
2. **Key Generation:** This example uses agent-side key generation (`CERTCTL_KEYGEN_MODE=agent`), which is production-standard. Private keys never leave the agent.
3. **Script Safety:** The DNS scripts run in the certctl-server container. For production:
- Validate script inputs (already done in certctl code)
- Log all API calls
- Monitor for failed DNS operations
- Use a separate proxy agent for DNS operations if needed
## Troubleshooting
### DNS record not created
Check the server logs:
```bash
docker logs certctl-server-dns01
```
Look for lines like:
- `[certctl DNS-01] Creating DNS record: _acme-challenge.example.com`
- `Error: Cloudflare API failed: ...`
**Common issues:**
- Missing or invalid `CLOUDFLARE_API_TOKEN`
- Invalid `CLOUDFLARE_ZONE_ID`
- API token doesn't have DNS:write permission
- Domain not in your Cloudflare account
### DNS propagation timeout
If the TLS negotiation fails, it might be DNS caching. Increase the wait time in the script:
```bash
sleep 30 # Increase from 10 to 30 seconds
```
### Let's Encrypt rate limits
Let's Encrypt has strict rate limits:
- 50 certificates per registered domain per week
- 5 duplicate certificates per domain per week
For testing, use the **staging directory**:
```yaml
CERTCTL_ACME_DIRECTORY_URL: https://acme-staging-v02.api.letsencrypt.org/directory
```
(Staging certs won't be trusted by browsers, but don't count against rate limits.)
### Job fails with "CSR generation timeout"
If your DNS provider is very slow, increase the timeout in the cleanup script or add a longer wait time:
```bash
sleep 60 # Wait 1 minute for DNS propagation
```
## Next Steps
1. **Monitor renewals:** Set up notifications (email, Slack, PagerDuty) for renewal events
2. **Deploy certificates:** Configure target connectors (NGINX, HAProxy, Traefik) to automatically deploy issued certs
3. **Multi-domain:** Use certificate profiles to group wildcard + subdomain certs
4. **Backup DNS scripts:** Version control your DNS provider scripts in git
## Files in This Example
- **docker-compose.yml** — Container stack definition with ACME DNS-01 configuration
- **dns-hooks/cloudflare-present.sh** — Creates `_acme-challenge` TXT record (Cloudflare)
- **dns-hooks/cloudflare-cleanup.sh** — Deletes `_acme-challenge` TXT record (Cloudflare)
- **README.md** — This file
## Additional Resources
- [certctl Documentation](../../docs/)
- [ACME Specification (RFC 8555)](https://tools.ietf.org/html/rfc8555)
- [DNS-01 Challenge Details](https://letsencrypt.org/docs/challenge-types/#dns-01)
- [DNS-PERSIST-01 (IETF Draft)](https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-persist)
- [Let's Encrypt Documentation](https://letsencrypt.org/docs/)
examples/acme-wildcard-dns01/dns-hooks/cloudflare-cleanup.sh
+86
View File
@@ -0,0 +1,86 @@
#!/bin/bash
#
# Cloudflare DNS-01 Challenge Script (CLEANUP)
#
# This script removes a DNS TXT record after ACME DNS-01 challenge validation.
# Called by certctl after certificate issuance to clean up temporary challenge records.
#
# certctl sets these environment variables before invoking this script:
# CERTCTL_DNS_DOMAIN - Base domain (e.g., "example.com")
# CERTCTL_DNS_FQDN - Full challenge FQDN (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE - Challenge value/token that was in the TXT record
#
# You must set these environment variables before running:
# CLOUDFLARE_API_TOKEN - Cloudflare API token with DNS:write permission
# CLOUDFLARE_ZONE_ID - Cloudflare zone ID for your domain
#
# Error Handling:
# This script exits 0 on success, non-zero on failure.
# If cleanup fails, certctl logs the error but doesn't block renewals.
#
set -euo pipefail
# Get values from certctl environment variables
DOMAIN="${CERTCTL_DNS_DOMAIN:-}"
RECORD_NAME="${CERTCTL_DNS_FQDN:-}"
VALIDATION_TOKEN="${CERTCTL_DNS_VALUE:-}"
# Validate inputs
if [[ -z "$DOMAIN" || -z "$RECORD_NAME" || -z "$VALIDATION_TOKEN" ]]; then
echo "Error: Required certctl environment variables not set (CERTCTL_DNS_DOMAIN, CERTCTL_DNS_FQDN, CERTCTL_DNS_VALUE)" >&2
exit 1
fi
# Validate environment
if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
echo "Error: CLOUDFLARE_API_TOKEN environment variable not set" >&2
exit 1
fi
if [[ -z "${CLOUDFLARE_ZONE_ID:-}" ]]; then
echo "Error: CLOUDFLARE_ZONE_ID environment variable not set" >&2
exit 1
fi
# Validate RECORD_NAME (set by certctl above)
RECORD_TYPE="TXT"
# Cloudflare API endpoint
CF_API="https://api.cloudflare.com/client/v4"
CF_ZONE="$CLOUDFLARE_ZONE_ID"
CF_TOKEN="$CLOUDFLARE_API_TOKEN"
echo "[certctl DNS-01] Cleaning up DNS record: $RECORD_NAME"
# Step 1: Find the record ID
RECORD_ID=$(curl -s -X GET \
"$CF_API/zones/$CF_ZONE/dns_records?name=$RECORD_NAME&type=$RECORD_TYPE" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
| jq -r '.result | if length > 0 then .[0].id else "" end')
if [[ -z "$RECORD_ID" ]]; then
echo "[certctl DNS-01] Record not found (already deleted?). Skipping cleanup."
exit 0
fi
# Step 2: Delete the record (DELETE /zones/{zone_id}/dns_records/{record_id})
echo "[certctl DNS-01] Deleting DNS record (ID: $RECORD_ID)..."
RESPONSE=$(curl -s -X DELETE \
"$CF_API/zones/$CF_ZONE/dns_records/$RECORD_ID" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json")
# Check response success
SUCCESS=$(echo "$RESPONSE" | jq -r '.success')
if [[ "$SUCCESS" != "true" ]]; then
ERROR=$(echo "$RESPONSE" | jq -r '.errors[0].message // "Unknown error"')
echo "Warning: Cloudflare API failed to delete record: $ERROR" >&2
# Don't exit 1 here — DNS cleanup is best-effort; cleanup failures shouldn't block certs
exit 0
fi
echo "[certctl DNS-01] Successfully deleted DNS record"
exit 0
examples/acme-wildcard-dns01/dns-hooks/cloudflare-present.sh
+108
View File
@@ -0,0 +1,108 @@
#!/bin/bash
#
# Cloudflare DNS-01 Challenge Script (PRESENT)
#
# This script creates a DNS TXT record for ACME DNS-01 challenge validation.
# Called by certctl during the renewal process to prove domain ownership.
#
# certctl sets these environment variables before invoking this script:
# CERTCTL_DNS_DOMAIN - Base domain (e.g., "example.com")
# CERTCTL_DNS_FQDN - Full challenge FQDN (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE - Challenge value/token to place in the TXT record
#
# You must set these environment variables before running:
# CLOUDFLARE_API_TOKEN - Cloudflare API token with DNS:write permission
# CLOUDFLARE_ZONE_ID - Cloudflare zone ID for your domain
# (Find at: https://dash.cloudflare.com > Select Domain > Zone ID in sidebar)
#
# Error Handling:
# This script exits 0 on success, non-zero on failure.
# certctl will retry the renewal if this script fails.
#
set -euo pipefail
# Get values from certctl environment variables
DOMAIN="${CERTCTL_DNS_DOMAIN:-}"
RECORD_NAME="${CERTCTL_DNS_FQDN:-}"
VALIDATION_TOKEN="${CERTCTL_DNS_VALUE:-}"
# Validate inputs
if [[ -z "$DOMAIN" || -z "$RECORD_NAME" || -z "$VALIDATION_TOKEN" ]]; then
echo "Error: Required certctl environment variables not set (CERTCTL_DNS_DOMAIN, CERTCTL_DNS_FQDN, CERTCTL_DNS_VALUE)" >&2
exit 1
fi
# Validate environment
if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
echo "Error: CLOUDFLARE_API_TOKEN environment variable not set" >&2
exit 1
fi
if [[ -z "${CLOUDFLARE_ZONE_ID:-}" ]]; then
echo "Error: CLOUDFLARE_ZONE_ID environment variable not set" >&2
exit 1
fi
# Validate RECORD_NAME (set by certctl above)
RECORD_TYPE="TXT"
RECORD_TTL=120 # Short TTL for challenge records (1-2 min)
# Cloudflare API endpoint
CF_API="https://api.cloudflare.com/client/v4"
CF_ZONE="$CLOUDFLARE_ZONE_ID"
CF_TOKEN="$CLOUDFLARE_API_TOKEN"
echo "[certctl DNS-01] Creating DNS record: $RECORD_NAME = $VALIDATION_TOKEN"
# Step 1: Check if record already exists (GET /zones/{zone_id}/dns_records)
# This is optional but helps with idempotency
EXISTING=$(curl -s -X GET \
"$CF_API/zones/$CF_ZONE/dns_records?name=$RECORD_NAME&type=$RECORD_TYPE" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
| jq -r '.result | if length > 0 then .[0].id else "" end')
if [[ -n "$EXISTING" ]]; then
echo "[certctl DNS-01] Record already exists (ID: $EXISTING). Updating..."
# Update existing record
RESPONSE=$(curl -s -X PUT \
"$CF_API/zones/$CF_ZONE/dns_records/$EXISTING" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
-d "{
\"type\": \"$RECORD_TYPE\",
\"name\": \"$RECORD_NAME\",
\"content\": \"$VALIDATION_TOKEN\",
\"ttl\": $RECORD_TTL
}")
else
echo "[certctl DNS-01] Creating new DNS record..."
# Create new record
RESPONSE=$(curl -s -X POST \
"$CF_API/zones/$CF_ZONE/dns_records" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
-d "{
\"type\": \"$RECORD_TYPE\",
\"name\": \"$RECORD_NAME\",
\"content\": \"$VALIDATION_TOKEN\",
\"ttl\": $RECORD_TTL
}")
fi
# Check response success
SUCCESS=$(echo "$RESPONSE" | jq -r '.success')
if [[ "$SUCCESS" != "true" ]]; then
ERROR=$(echo "$RESPONSE" | jq -r '.errors[0].message // "Unknown error"')
echo "Error: Cloudflare API failed: $ERROR" >&2
exit 1
fi
RECORD_ID=$(echo "$RESPONSE" | jq -r '.result.id')
echo "[certctl DNS-01] Successfully created/updated DNS record (ID: $RECORD_ID)"
echo "[certctl DNS-01] Waiting for DNS propagation..."
sleep 10
exit 0
examples/acme-wildcard-dns01/docker-compose.yml
+171
View File
@@ -0,0 +1,171 @@
version: '3.8'
# ACME Wildcard DNS-01 Example
#
# This example demonstrates how to use certctl with Let's Encrypt to issue wildcard
# certificates (*.example.com) using DNS-01 challenge validation.
#
# DNS-01 is ideal for:
# - Wildcard certificates (*.domain.com)
# - Services behind NAT or non-public networks
# - Batch certificate issuance (multiple domains in parallel)
#
# It works by:
# 1. certctl creates a renewal job for a wildcard certificate
# 2. Let's Encrypt sends an ACME challenge: "create _acme-challenge TXT record with value X"
# 3. certctl runs the dns-present.sh script to create the TXT record via your DNS provider API
# 4. Let's Encrypt verifies the TXT record exists
# 5. Certificate is issued
# 6. certctl runs dns-cleanup.sh to remove the TXT record
#
# This compose file also demonstrates:
# - ACME issuer with DNS-01 challenge type
# - Pluggable DNS provider scripts (Cloudflare example included; adapt for Route53, Azure DNS, etc.)
# - Wildcard and multi-SAN certificate support
# - Agent-side key generation (production-ready)
services:
# PostgreSQL database for certctl metadata
postgres:
image: postgres:16-alpine
container_name: certctl-postgres-dns01
environment:
POSTGRES_DB: certctl
POSTGRES_USER: certctl
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
interval: 5s
timeout: 5s
retries: 5
networks:
- certctl-network
restart: unless-stopped
# certctl server (control plane + ACME orchestration)
certctl-server:
image: ghcr.io/shankar0123/certctl-server:latest
container_name: certctl-server-dns01
environment:
# Database
DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
# Server settings
CERTCTL_SERVER_PORT: 8443
CERTCTL_SERVER_HOST: 0.0.0.0
# Auth (disabled for demo; production should use API keys with CERTCTL_AUTH_TYPE=api-key)
CERTCTL_AUTH_TYPE: none
# CORS (allow agent communication)
CERTCTL_CORS_ORIGINS: '*'
# Key generation mode (agent-side: keys never leave agents; production standard)
CERTCTL_KEYGEN_MODE: agent
# ===== ACME Issuer Configuration (DNS-01 Wildcard) =====
# Let's Encrypt production directory (ACME v2)
CERTCTL_ACME_DIRECTORY_URL: https://acme-v02.api.letsencrypt.org/directory
# Email for certificate expiration notices and account recovery
CERTCTL_ACME_EMAIL: ${ACME_EMAIL:-admin@example.com}
# Challenge type: dns-01 (not http-01, which doesn't support wildcards)
CERTCTL_ACME_CHALLENGE_TYPE: dns-01
# DNS present script: creates _acme-challenge TXT record
# The script is mounted from ./dns-hooks/cloudflare-present.sh
# Arguments: $1 = domain (e.g., "example.com"), $2 = validation token
CERTCTL_ACME_DNS_PRESENT_SCRIPT: /etc/certctl/dns-hooks/cloudflare-present.sh
# DNS cleanup script: removes _acme-challenge TXT record
# Arguments: $1 = domain, $2 = validation token
CERTCTL_ACME_DNS_CLEANUP_SCRIPT: /etc/certctl/dns-hooks/cloudflare-cleanup.sh
# Optional: DNS propagation wait time (seconds) before proceeding to next challenge
# Default is 30s; increase if your DNS propagates slowly
# Set via CERTCTL_ACME_DNS_PROPAGATION_WAIT in code, or rely on default
# Optional: Let's Encrypt Renewal Information (RFC 9702) for CA-directed renewal timing
# CERTCTL_ACME_ARI_ENABLED: "true"
# Local CA as fallback for internal services (optional)
CERTCTL_CA_CERT_PATH: /etc/certctl/ca.crt
CERTCTL_CA_KEY_PATH: /etc/certctl/ca.key
# Logging
CERTCTL_LOG_LEVEL: info
ports:
- '${SERVER_PORT:-8443}:8443'
volumes:
# Mount DNS provider scripts (adapt these for your DNS provider)
- ./dns-hooks:/etc/certctl/dns-hooks:ro
depends_on:
postgres:
condition: service_healthy
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/api/v1/health || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
# certctl agent (manages certificate deployment on target hosts)
# In production, run agents on each host that needs certificates.
# For demo, we include one agent in this compose.
certctl-agent:
image: ghcr.io/shankar0123/certctl-agent:latest
container_name: certctl-agent-dns01
environment:
# Control plane connection
CERTCTL_SERVER_URL: http://certctl-server:8443
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
# Key generation (agent-side keys: production-standard security model)
CERTCTL_KEYGEN_MODE: agent
CERTCTL_KEY_DIR: /var/lib/certctl/keys
# Discovery (scan existing certs so operator knows what's already deployed)
CERTCTL_DISCOVERY_DIRS: /etc/letsencrypt/live:/etc/ssl/certs
# Heartbeat interval (how often agent checks for work)
CERTCTL_HEARTBEAT_INTERVAL: 30s
# Agent metadata (self-reported to server)
CERTCTL_AGENT_NAME: wildcard-agent-01
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Agent persistent key storage (survives restarts)
- agent_keys:/var/lib/certctl/keys
depends_on:
certctl-server:
condition: service_healthy
networks:
- certctl-network
restart: unless-stopped
networks:
certctl-network:
driver: bridge
volumes:
postgres_data:
driver: local
agent_keys:
driver: local
examples/multi-issuer/docker-compose.yml
+150
View File
@@ -0,0 +1,150 @@
version: '3.8'
services:
# PostgreSQL database for certctl
postgres:
image: postgres:16-alpine
container_name: certctl-postgres-multi-issuer
environment:
POSTGRES_DB: certctl
POSTGRES_USER: certctl
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
interval: 5s
timeout: 5s
retries: 5
networks:
- certctl-network
restart: unless-stopped
# certctl server (control plane)
# Configured with BOTH ACME (Let's Encrypt) and Local CA issuers
certctl-server:
image: ghcr.io/shankar0123/certctl-server:latest
container_name: certctl-server-multi-issuer
environment:
# Database
DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
# Server settings
CERTCTL_SERVER_PORT: 8443
CERTCTL_SERVER_HOST: 0.0.0.0
# Auth (disabled for demo; production should use API keys)
CERTCTL_AUTH_TYPE: none
# CORS (allow agent communication)
CERTCTL_CORS_ORIGINS: '*'
# Key generation mode (agent-side in production, server-side for demo)
CERTCTL_KEYGEN_MODE: server
# ACME issuer (Let's Encrypt for public-facing services)
# Change CERTCTL_ACME_EMAIL to your email and CERTCTL_ACME_CHALLENGE_TYPE as needed
CERTCTL_ACME_DIRECTORY_URL: https://acme-v02.api.letsencrypt.org/directory
CERTCTL_ACME_EMAIL: ${ACME_EMAIL:-admin@example.com}
CERTCTL_ACME_CHALLENGE_TYPE: http-01
# Local CA issuer (for internal services - self-signed or sub-CA)
# Set these paths if you have an existing CA cert+key for sub-CA mode
# Otherwise, leave empty for self-signed CA generation
CERTCTL_CA_CERT_PATH: ${CA_CERT_PATH:-}
CERTCTL_CA_KEY_PATH: ${CA_KEY_PATH:-}
# Logging
CERTCTL_LOG_LEVEL: info
ports:
- '${SERVER_PORT:-8443}:8443'
depends_on:
postgres:
condition: service_healthy
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/api/v1/health || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
# certctl agent (manages certificates on NGINX and application servers)
certctl-agent:
image: ghcr.io/shankar0123/certctl-agent:latest
container_name: certctl-agent-multi-issuer
environment:
# Control plane connection
CERTCTL_SERVER_URL: http://certctl-server:8443
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
# Key generation (agent-side keys, never sent to server)
CERTCTL_KEYGEN_MODE: server
CERTCTL_KEY_DIR: /var/lib/certctl/keys
# Discovery (scan existing certs to track what's already deployed)
CERTCTL_DISCOVERY_DIRS: /etc/nginx/ssl:/etc/app/ssl
# Heartbeat interval
CERTCTL_HEARTBEAT_INTERVAL: 30s
# Agent metadata
CERTCTL_AGENT_NAME: multi-issuer-agent-01
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Mount NGINX cert directories
- nginx_certs:/etc/nginx/ssl
- nginx_conf:/etc/nginx/conf.d
# Mount application service cert directory
- app_certs:/etc/app/ssl
# Agent key storage (persisted across restarts)
- agent_keys:/var/lib/certctl/keys
depends_on:
certctl-server:
condition: service_healthy
networks:
- certctl-network
restart: unless-stopped
# NGINX reverse proxy / web server
# This is where public TLS certs (from ACME) will be deployed
nginx:
image: nginx:alpine
container_name: certctl-nginx-multi-issuer
ports:
- '80:80'
- '443:443'
volumes:
- nginx_conf:/etc/nginx/conf.d
- nginx_certs:/etc/nginx/ssl
# Default NGINX config
- ./nginx.conf:/etc/nginx/nginx.conf:ro
depends_on:
- certctl-agent
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost/ || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
networks:
certctl-network:
driver: bridge
volumes:
postgres_data:
driver: local
nginx_certs:
driver: local
nginx_conf:
driver: local
app_certs:
driver: local
agent_keys:
driver: local
examples/multi-issuer/multi-issuer.md
+242
View File
@@ -0,0 +1,242 @@
# Multi-Issuer Example: ACME + Local CA
This example demonstrates certctl managing **both public and internal certificates from a single dashboard**. Public-facing services use Let's Encrypt (ACME), while internal services use a private Local CA — all visible and managed in one place.
## The Use Case
You have:
- **Public-facing services** (web app, API, etc.) that need TLS certs signed by a trusted public CA (Let's Encrypt)
- **Internal services** (databases, microservices, middleware) that need TLS certs but don't require public trust
- **One team** managing certs across both, needing unified visibility and automated renewal
With certctl, both issuer types are configured and available. You assign each certificate to the appropriate issuer via its profile or at enrollment time. The dashboard shows all certs together, with renewal status, expiration timelines, and audit trails — regardless of which CA issued them.
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ certctl Server (Control Plane) │
│ - Let's Encrypt ACME issuer (HTTP-01 challenges) │
│ - Local CA issuer (self-signed or sub-CA mode) │
│ - PostgreSQL database (cert inventory, audit, jobs) │
└─────────────────────────────────────────────────────────────────┘
│ API polling
┌─────────────────────────────────────────────────────────────────┐
│ certctl Agent │
│ - Discovers existing certs in /etc/nginx/ssl and /etc/app/ssl │
│ - Polls server for renewal/issuance/deployment jobs │
│ - Generates keys locally (agent-side crypto) │
│ - Deploys certs to NGINX and app service directories │
└─────────────────────────────────────────────────────────────────┘
│ │
▼ ▼
NGINX (public TLS) App Services (internal TLS)
(Let's Encrypt certs) (Local CA certs)
```
## Prerequisites
- **Docker & Docker Compose** — containers run everything
- **Port access** — 80 (HTTP-01 challenges) and 443 (HTTPS) for Let's Encrypt
- **Domain for ACME** (optional) — if using real Let's Encrypt, not needed for demo
- **Internet connectivity** — to reach Let's Encrypt's API (demo can use staging directory)
## Quick Start
### 1. Clone or navigate to this directory
```bash
cd examples/multi-issuer
```
### 2. Set environment variables (optional, defaults provided)
```bash
# Email for Let's Encrypt account
export ACME_EMAIL="your-email@example.com"
# Database password (for demo, default is fine)
export DB_PASSWORD="certctl-dev-password"
# Agent API key
export AGENT_API_KEY="agent-demo-key"
# Server port (default 8443)
export SERVER_PORT="8443"
```
### 3. Start the services
```bash
docker compose up -d
```
This spins up:
- **PostgreSQL** database (certctl data store)
- **certctl server** with ACME and Local CA issuers configured
- **certctl agent** discovering existing certs and polling for work
- **NGINX** web server (target for public TLS certs)
### 4. Access the dashboard
Open your browser to **http://localhost:8443** (or your configured SERVER_PORT)
You should see:
- Empty cert inventory (fresh start)
- Two configured issuers: "ACME" and "Local CA"
- One registered agent ("multi-issuer-agent-01")
### 5. Create test certificates
In the dashboard:
**For a public cert (Let's Encrypt):**
1. Go to **Certificates** > **+ New Certificate**
2. Common Name: `example.com` (or a test domain you control)
3. Issuer: Select "ACME"
4. Profile: Select default or create one (key type: RSA 2048, TTL: 90 days)
5. Create → The server submits an ACME order
**For an internal cert (Local CA):**
1. Go to **Certificates** > **+ New Certificate**
2. Common Name: `internal-api.internal` (or any internal name)
3. Issuer: Select "Local CA"
4. Profile: Select default
5. Create → The server issues immediately from the private CA
### 6. Monitor in the dashboard
- **Dashboard** — see cert counts by status and issuer
- **Certificates** page — filter by issuer, see renewal status, expiration timeline
- **Audit Trail** — track all operations (issuance, renewals, deployments)
- **Agents** — view agent health and pending work
## How Issuer Assignment Works
### Via Profiles
Create a profile for each issuer type:
- Profile **public-tls** → Issuer: ACME, TTL: 90 days, allowed domains: `*.example.com`
- Profile **internal-tls** → Issuer: Local CA, TTL: 1 year, allowed SANs: internal DNS names
Then create certificates using the appropriate profile.
### Via Direct Assignment
When creating a certificate, explicitly select the issuer. The certificate remembers which issuer it belongs to.
## ACME Configuration
The server is configured with Let's Encrypt's production directory:
```yaml
CERTCTL_ACME_DIRECTORY_URL: https://acme-v02.api.letsencrypt.org/directory
CERTCTL_ACME_EMAIL: admin@example.com
CERTCTL_ACME_CHALLENGE_TYPE: http-01
```
**For testing without a real domain**, use Let's Encrypt's staging directory:
```bash
# Edit docker-compose.yml and change:
CERTCTL_ACME_DIRECTORY_URL: https://acme-staging-v02.api.letsencrypt.org/directory
```
Staging certs are untrusted (for testing only) but unlimited rate limits.
## Local CA Configuration
The Local CA issuer can operate in two modes:
### Mode 1: Self-Signed (Default)
Leave `CERTCTL_CA_CERT_PATH` and `CERTCTL_CA_KEY_PATH` empty. The server generates a self-signed root CA on first run.
```yaml
CERTCTL_CA_CERT_PATH: ""
CERTCTL_CA_KEY_PATH: ""
```
**Use case:** Development, testing, internal services that trust a self-signed root.
### Mode 2: Sub-CA (Enterprise)
Provide an existing CA cert + key (e.g., from your organization's PKI). The Local CA issues certs signed by that intermediate.
```bash
# In docker-compose.yml, volume-mount your CA cert+key:
volumes:
- /path/to/ca.crt:/etc/certctl/ca.crt:ro
- /path/to/ca.key:/etc/certctl/ca.key:ro
# And set env vars:
CERTCTL_CA_CERT_PATH: /etc/certctl/ca.crt
CERTCTL_CA_KEY_PATH: /etc/certctl/ca.key
```
**Use case:** Enterprise internal PKI where certs need to chain to a trusted root (e.g., Windows ADCS, OpenSSL, Vault PKI).
## Deployment Flow
When you create a certificate and assign it for deployment:
1. **Issuance** — Server calls the issuer connector (ACME or Local CA)
- ACME: submit challenge, poll until DNS/HTTP validated, retrieve cert
- Local CA: generate and sign immediately
2. **Agent picks up work** — Agent polls `/api/v1/agents/{id}/work`
3. **Agent deployment** — Agent places cert+key in the target directory
- NGINX: `/etc/nginx/ssl/` (mounted volume)
- App services: `/etc/app/ssl/` (mounted volume)
4. **Service reload** — Agent triggers reload (NGINX: `nginx -s reload`, etc.)
5. **Dashboard reflects status** — Job transitions from `Running``Completed`, cert shows as `Active`
## Scaling Beyond Docker Compose
In production:
- **Deploy certctl server** on a single node (or HA cluster with external PostgreSQL)
- **Deploy certctl agents** on each server needing cert management
- **Point agents to server URL** via `CERTCTL_SERVER_URL` env var
- **Configure issuers on server** via env vars or (in V3+) the dashboard UI
- **Use profiles to segment issuers** — operators select a profile at cert creation time
Each agent independently manages its local cert inventory and deployments. The server coordinates all agent work and provides the unified dashboard.
## Troubleshooting
### Certs aren't being issued
- Check server logs: `docker compose logs certctl-server`
- Verify issuer configuration: Dashboard → Issuers, click "Test Connection"
- For ACME, ensure ports 80/443 are open and your domain resolves
### Agent can't reach server
- Check network: `docker compose exec certctl-agent curl http://certctl-server:8443/api/v1/health`
- Verify `CERTCTL_SERVER_URL` environment variable
### No issuers showing up
- Ensure env vars are set on the server container
- Restart server: `docker compose restart certctl-server`
- Check server logs for validation errors
### Let's Encrypt rate limits
- Use the staging directory for testing (unlimited, untrusted certs)
- Production directory: 50 certs per domain per week
- Read more: https://letsencrypt.org/docs/rate-limits/
## Next Steps
- **Create a certificate profile** — Dashboard → Profiles → + New Profile
- **Configure team ownership** — Dashboard → Owners/Teams (assign certs to teams)
- **Set renewal policies** — Dashboard → Policies (expiration thresholds, auto-renewal)
- **Enable notifications** — Configure Slack/Teams webhook to get alerts on renewals and expirations
- **Explore discovery** — Agent scans `/etc/nginx/ssl` and `/etc/app/ssl`, Dashboard → Discovery shows what's already deployed
## Further Reading
- [certctl Architecture](../../docs/architecture.md)
- [ACME Connector Docs](../../docs/connectors.md#acme-letsencrypt)
- [Local CA Connector Docs](../../docs/connectors.md#local-ca)
- [Agent Configuration](../../docs/agent.md)
- [Deployment Targets](../../docs/connectors.md#deployment-targets)
examples/private-ca-traefik/docker-compose.yml
+182
View File
@@ -0,0 +1,182 @@
version: '3.8'
services:
# PostgreSQL database for certctl
postgres:
image: postgres:16-alpine
container_name: certctl-postgres-private-ca
environment:
POSTGRES_DB: certctl
POSTGRES_USER: certctl
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
interval: 5s
timeout: 5s
retries: 5
networks:
- certctl-network
restart: unless-stopped
# certctl server (control plane) with Local CA in sub-CA mode
certctl-server:
image: ghcr.io/shankar0123/certctl-server:latest
container_name: certctl-server-private-ca
environment:
# Database
DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
# Server settings
CERTCTL_SERVER_PORT: 8443
CERTCTL_SERVER_HOST: 0.0.0.0
# Auth (disabled for demo; production should use API keys)
CERTCTL_AUTH_TYPE: none
# CORS (allow agent and Traefik communication)
CERTCTL_CORS_ORIGINS: '*'
# Key generation mode (agent-side in production, server-side for demo)
CERTCTL_KEYGEN_MODE: server
# Local CA configuration
# For self-signed CA (default, no paths set):
# - CA generates a self-signed root certificate
# - All issued certificates chain to this root
#
# For sub-CA mode (provide both paths):
# - Load pre-signed CA certificate and key from these paths
# - All issued certificates chain to your enterprise root CA
# - Requires: CA cert must have IsCA=true and KeyUsageCertSign
# - Supports: RSA, ECDSA, PKCS#8 key formats
#
# To use sub-CA mode:
# 1. Place your enterprise CA cert at ./ca-cert.pem
# 2. Place your enterprise CA key at ./ca-key.pem
# 3. Uncomment the two lines below
# 4. Restart the service
#
# CERTCTL_CA_CERT_PATH: /etc/certctl/ca-cert.pem
# CERTCTL_CA_KEY_PATH: /etc/certctl/ca-key.pem
# Logging
CERTCTL_LOG_LEVEL: info
ports:
- '${SERVER_PORT:-8443}:8443'
volumes:
# Mount directory for CA cert/key (for sub-CA mode)
# Copy your enterprise CA cert+key here:
# cp /path/to/your/ca.pem ./ca-cert.pem
# cp /path/to/your/ca-key.pem ./ca-key.pem
- ./ca-certs:/etc/certctl:ro
depends_on:
postgres:
condition: service_healthy
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/api/v1/health || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
# certctl agent (deploys certs to Traefik)
certctl-agent:
image: ghcr.io/shankar0123/certctl-agent:latest
container_name: certctl-agent-private-ca
environment:
# Control plane connection
CERTCTL_SERVER_URL: http://certctl-server:8443
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
# Key generation (agent-side keys, never sent to server)
CERTCTL_KEYGEN_MODE: server
CERTCTL_KEY_DIR: /var/lib/certctl/keys
# Discovery (scan for existing certs in Traefik's directory)
CERTCTL_DISCOVERY_DIRS: /etc/traefik/certs
# Heartbeat interval
CERTCTL_HEARTBEAT_INTERVAL: 30s
# Agent metadata (self-reported)
CERTCTL_AGENT_NAME: traefik-agent-01
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Mount Traefik cert directory for deployment
- traefik_certs:/etc/traefik/certs
# Agent key storage (persisted across restarts)
- agent_keys:/var/lib/certctl/keys
depends_on:
certctl-server:
condition: service_healthy
networks:
- certctl-network
restart: unless-stopped
# Traefik reverse proxy / edge router
# Certificates deployed by certctl-agent are automatically loaded from the certs directory
traefik:
image: traefik:v3.0
container_name: certctl-traefik-private-ca
command:
# Enable dashboard and API
- '--api.insecure=true'
- '--api.dashboard=true'
# File provider: watch the certs directory for dynamic config updates
- '--providers.file.directory=/etc/traefik/dynamic'
- '--providers.file.watch=true'
# Entry points (HTTP and HTTPS)
- '--entrypoints.web.address=:80'
- '--entrypoints.websecure.address=:443'
- '--entrypoints.websecure.http.tls=true'
# Global TLS settings
- '--entryPoints.websecure.http.tls.certResolver=internal'
# Logging
- '--log.level=info'
- '--accesslog=true'
ports:
# HTTP
- '80:80'
# HTTPS
- '443:443'
# Dashboard (http://localhost:8080)
- '8080:8080'
volumes:
# Mount Traefik config directory
- ./traefik-config:/etc/traefik/dynamic:ro
# Mount cert directory (where certctl deploys certs)
- traefik_certs:/etc/traefik/certs:ro
# Allow Traefik to read Docker socket (optional, for container labeling)
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- certctl-network
depends_on:
- certctl-agent
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8080/ping || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
networks:
certctl-network:
driver: bridge
volumes:
postgres_data:
driver: local
traefik_certs:
driver: local
agent_keys:
driver: local
examples/private-ca-traefik/private-ca-traefik.md
+358
View File
@@ -0,0 +1,358 @@
# Private CA + Traefik Example
This example demonstrates certctl managing certificates for **internal services without public CA dependency**. Ideal for enterprise environments where:
- All services are internal (VPN, private networks)
- You need unified certificate lifecycle management across multiple internal apps
- You want automatic cert deployment to your reverse proxy
- You may have an existing enterprise root CA (ADCS, OpenCA, etc.)
## What's Included
- **certctl server** with Local CA issuer (self-signed or sub-CA mode)
- **certctl agent** that deploys certificates to Traefik
- **Traefik** reverse proxy with file provider for dynamic cert discovery
- **PostgreSQL** database for certificate storage and audit trail
- Automatic certificate discovery for existing certs in Traefik
## Architecture
```
┌──────────────────┐
│ certctl-server │ (Local CA issuer)
│ (control │
│ plane) │
└────────┬─────────┘
│ REST API (job polling)
┌────────▼──────────┐
│ certctl-agent │ (certificate deployer)
└────────┬──────────┘
│ Write cert/key files
┌────────▼──────────────────────┐
│ Traefik │
│ (watches cert directory) │
└────────────────────────────────┘
│ TLS handshakes
[Internal Services]
```
## Quick Start (Self-Signed CA)
The simplest way to get running in 2 minutes:
```bash
# 1. Create directory structure
mkdir -p traefik-config ca-certs
# 2. Create a minimal Traefik dynamic config
cat > traefik-config/default.yaml << 'EOF'
# Traefik will auto-load certificates from /etc/traefik/certs
# Certctl deploys {cert-id}.crt and {cert-id}.key files here
http:
routers:
api:
rule: "Host(`api.internal.local`)"
service: api-service
tls: {}
services:
api-service:
loadBalancer:
servers:
- url: "http://localhost:3000"
EOF
# 3. Start the stack
docker compose up -d
# 4. Access the dashboards
# - certctl: http://localhost:8443 (API only, use the CLI or direct HTTP calls)
# - Traefik dashboard: http://localhost:8080
```
The self-signed CA will be automatically generated on first startup.
## Using Sub-CA Mode (Enterprise Root CA)
If you have an existing enterprise CA (ADCS, OpenCA, etc.) and want issued certs to chain to your root:
```bash
# 1. Create directory structure
mkdir -p traefik-config ca-certs
# 2. Copy your enterprise CA cert and key
cp /path/to/your/enterprise-ca.crt ca-certs/ca-cert.pem
cp /path/to/your/enterprise-ca-key.pem ca-certs/ca-key.pem
# 3. Edit docker-compose.yml and uncomment the sub-CA env vars:
# CERTCTL_CA_CERT_PATH: /etc/certctl/ca-cert.pem
# CERTCTL_CA_KEY_PATH: /etc/certctl/ca-key.pem
# 4. Create the dynamic config (same as above)
mkdir -p traefik-config
cat > traefik-config/default.yaml << 'EOF'
http:
routers:
api:
rule: "Host(`api.internal.local`)"
service: api-service
tls: {}
services:
api-service:
loadBalancer:
servers:
- url: "http://localhost:3000"
EOF
# 5. Start the stack
docker compose up -d
```
**Requirements for sub-CA mode:**
- CA certificate must have `X509v3 Basic Constraints: CA:TRUE`
- CA certificate must have `X509v3 Key Usage: Certificate Sign`
- Key format: RSA, ECDSA, or PKCS#8
- Paths: must be absolute paths to mounted files
## Creating a Certificate
Once the stack is running:
```bash
# 1. Create a certificate profile in certctl (defines allowed key types, TTL, etc.)
curl -X POST http://localhost:8443/api/v1/profiles \
-H "Content-Type: application/json" \
-d '{
"id": "prof-internal",
"name": "Internal Services",
"description": "For internal APIs and web apps",
"max_ttl_hours": 8760,
"key_types": ["rsa-2048", "ecdsa-p256"]
}'
# 2. Create a renewal policy (defines issuer, renewal thresholds, etc.)
curl -X POST http://localhost:8443/api/v1/policies \
-H "Content-Type: application/json" \
-d '{
"id": "pol-internal",
"name": "Internal Renewal Policy",
"issuer_id": "iss-local",
"profile_id": "prof-internal",
"renewal_threshold_days": 30,
"alert_thresholds_days": [30, 14, 7, 0]
}'
# 3. Create a certificate (triggers issuance immediately)
curl -X POST http://localhost:8443/api/v1/certificates \
-H "Content-Type: application/json" \
-d '{
"common_name": "api.internal.local",
"sans": ["app.internal.local", "www.internal.local"],
"policy_id": "pol-internal"
}'
# 4. Create a Traefik target (agent will deploy to this)
curl -X POST http://localhost:8443/api/v1/targets \
-H "Content-Type: application/json" \
-d '{
"id": "target-traefik-01",
"name": "Traefik Primary",
"type": "traefik",
"config": {
"cert_dir": "/etc/traefik/certs"
}
}'
# 5. Create a deployment job (agent picks this up and deploys)
curl -X POST http://localhost:8443/api/v1/certificates/{cert-id}/deploy \
-H "Content-Type: application/json" \
-d '{
"target_ids": ["target-traefik-01"]
}'
```
Once deployed, Traefik automatically loads the new certificate from the certs directory.
## How It Works
### Certificate Lifecycle
1. **Issue** — certctl-server generates certificate from Local CA (self-signed or sub-CA)
2. **Store** — certificate stored in PostgreSQL with full audit trail
3. **Deploy** — certctl-agent writes `{cert-id}.crt` + `{cert-id}.key` to `/etc/traefik/certs`
4. **Reload** — Traefik file provider detects new files and hot-loads them (zero downtime)
5. **Monitor** — certctl tracks deployment status and renewal timelines
### Self-Signed CA
- Generated automatically on first startup if `CERTCTL_CA_CERT_PATH` and `CERTCTL_CA_KEY_PATH` are not set
- Certificate stored in server's in-memory state (not persisted)
- All issued certs chain to this self-signed root
- Use this for: demos, development, internal labs
### Sub-CA Mode
- Requires you to provide an existing CA certificate and key
- Issued certificates chain to your enterprise root CA
- All issued certs are trustworthy to systems with your root CA in their trust store
- Use this for: production internal services, compliance requirements, enterprise PKI
## File Organization
```
private-ca-traefik/
├── docker-compose.yml # Stack definition
├── traefik-config/ # Traefik dynamic config (you create)
│ └── default.yaml # Routing rules and TLS settings
├── ca-certs/ # CA certificate and key (for sub-CA mode)
│ ├── ca-cert.pem # Your enterprise CA certificate
│ └── ca-key.pem # Your enterprise CA private key
└── README.md # This file
```
## Monitoring
### certctl Dashboard
The server provides a REST API on port 8443. Example queries:
```bash
# List all certificates
curl http://localhost:8443/api/v1/certificates
# Check certificate status
curl http://localhost:8443/api/v1/certificates/{cert-id}
# View audit trail
curl http://localhost:8443/api/v1/audit
# Check renewal policy compliance
curl http://localhost:8443/api/v1/policies/{policy-id}
```
### Traefik Dashboard
http://localhost:8080 shows:
- HTTP routers and services
- TLS certificates currently loaded
- Request/response metrics
### Logs
```bash
# certctl server logs
docker compose logs certctl-server
# certctl agent logs
docker compose logs certctl-agent
# Traefik logs
docker compose logs traefik
```
## Customizing Traefik Config
Edit `traefik-config/default.yaml` to add routers for your services:
```yaml
http:
routers:
# Internal API
api:
rule: "Host(`api.internal.local`)"
service: api-service
tls: {}
# Web application
webapp:
rule: "Host(`app.internal.local`)"
service: webapp-service
tls: {}
services:
api-service:
loadBalancer:
servers:
- url: "http://api-backend:3000"
webapp-service:
loadBalancer:
servers:
- url: "http://webapp-backend:3001"
```
Changes are picked up automatically (file watcher enabled).
## Production Considerations
1. **Use sub-CA mode** — chain to your enterprise root for full trust
2. **Enable API key authentication** — set `CERTCTL_AUTH_TYPE: api-key` and `CERTCTL_API_KEY`
3. **Use agent-side key generation** — set `CERTCTL_KEYGEN_MODE: agent` (keys never leave agents)
4. **Back up PostgreSQL** — certificate data is authoritative; database loss means certificate loss
5. **Monitor renewal windows** — set up alerts on policy thresholds
6. **Rotate CA keys regularly** — plan for future CA refresh (sub-CA mode)
7. **Audit certificate usage** — review `certctl_audit_events` for compliance
## Troubleshooting
### Certificates not deploying
```bash
# Check agent is healthy
docker compose logs certctl-agent | grep heartbeat
# Check deployment job status
curl http://localhost:8443/api/v1/jobs | jq '.[] | select(.type == "Deployment")'
# Check Traefik is watching the directory
docker compose exec traefik ls -la /etc/traefik/certs/
```
### Traefik not reloading certs
```bash
# Verify file provider is enabled (check docker-compose.yml command)
# Verify certs volume is mounted at /etc/traefik/certs
# Check Traefik logs
docker compose logs traefik | grep "file"
```
### CA cert not loading in sub-CA mode
```bash
# Verify file permissions
docker compose exec certctl-server ls -la /etc/certctl/
# Check server logs for CA loading errors
docker compose logs certctl-server | grep -i "ca\|cert"
# Verify CA certificate format
openssl x509 -in ca-certs/ca-cert.pem -text -noout | grep -A 3 "Basic Constraints"
```
## Cleanup
```bash
# Stop all services
docker compose down
# Remove all data (certificates, database, etc.)
docker compose down -v
# Remove CA cert files (if using custom CA)
rm -rf ca-certs/
```
## Next Steps
1. **Add more services** — create additional routers and backends in `traefik-config/default.yaml`
2. **Set up renewal automation** — configure renewal policies with thresholds
3. **Integrate with monitoring** — expose certctl metrics to Prometheus
4. **Enable notifications** — configure email/Slack alerts on certificate events
5. **Scale to multiple environments** — deploy separate certctl stacks per environment (dev/staging/prod)
## Related Documentation
- [certctl Architecture](../../docs/architecture.md)
- [Traefik File Provider](https://doc.traefik.io/traefik/providers/file/)
- [Local CA Sub-CA Mode](../../docs/connectors.md#local-ca)
- [Certificate Profiles](../../docs/quickstart.md#profiles)
examples/step-ca-haproxy/docker-compose.yml
+204
View File
@@ -0,0 +1,204 @@
version: '3.8'
services:
# PostgreSQL database for certctl
postgres:
image: postgres:16-alpine
container_name: certctl-postgres-stepca-haproxy
environment:
POSTGRES_DB: certctl
POSTGRES_USER: certctl
POSTGRES_PASSWORD: ${DB_PASSWORD:-certctl-dev-password}
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U certctl -d certctl']
interval: 5s
timeout: 5s
retries: 5
networks:
- certctl-network
restart: unless-stopped
# Smallstep step-ca (internal private CA)
# Initialized with default admin token and provisioner configuration
step-ca:
image: smallstep/step-ca:latest
container_name: step-ca-stepca-haproxy
environment:
# step-ca root password (for key encryption)
STEPPATH: /home/step/step-ca
# Provisioner password will be set up below
volumes:
# Persist step-ca configuration and keys
- step_ca_data:/home/step/step-ca
- ./step-ca-init.sh:/opt/step-ca-init.sh:ro
entrypoint: /bin/sh
command:
- -c
- |
# Initialize step-ca if not already done
if [ ! -f /home/step/step-ca/config/ca.json ]; then
echo "Initializing step-ca..."
step ca init \
--name="certctl-demo-ca" \
--dns=step-ca \
--address=0.0.0.0:9000 \
--provisioner=admin \
--provisioner-password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}") \
--password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}") \
--deployment-type=standalone \
--acme 2>&1 || true
fi
# Add a JWK provisioner for certctl if not present
if ! step ca provisioner list 2>/dev/null | grep -q "certctl"; then
echo "Adding certctl JWK provisioner..."
step ca provisioner add certctl \
--type=JWK \
--password-file=<(echo "${STEP_CA_PROVISIONER_PASSWORD:-certctl-provisioner-demo}") \
2>&1 || true
fi
# Start step-ca
echo "Starting step-ca..."
step-ca /home/step/step-ca/config/ca.json \
--password-file=<(echo "${STEP_CA_PASSWORD:-stepca-demo-password}")
ports:
- '9000:9000'
healthcheck:
test: ['CMD-SHELL', 'step ca health --insecure || exit 1']
interval: 10s
timeout: 5s
retries: 3
networks:
- certctl-network
restart: unless-stopped
# certctl server (control plane)
certctl-server:
image: ghcr.io/shankar0123/certctl-server:latest
container_name: certctl-server-stepca-haproxy
environment:
# Database
DATABASE_URL: postgres://certctl:${DB_PASSWORD:-certctl-dev-password}@postgres:5432/certctl?sslmode=disable
# Server settings
CERTCTL_SERVER_PORT: 8443
CERTCTL_SERVER_HOST: 0.0.0.0
# Auth (disabled for demo; production should use API keys)
CERTCTL_AUTH_TYPE: none
# CORS (allow agent communication)
CERTCTL_CORS_ORIGINS: '*'
# Key generation mode (agent-side in production, server-side for demo)
CERTCTL_KEYGEN_MODE: agent
# step-ca issuer configuration
# step-ca runs on step-ca:9000 in this compose network
CERTCTL_STEPCA_URL: https://step-ca:9000
CERTCTL_STEPCA_ROOT_CERT_PATH: /etc/certctl/step-ca-root.crt
CERTCTL_STEPCA_PROVISIONER: certctl
CERTCTL_STEPCA_KEY_PATH: /etc/certctl/step-ca-provisioner.json
CERTCTL_STEPCA_PASSWORD: ${STEP_CA_PROVISIONER_PASSWORD:-certctl-provisioner-demo}
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Mount step-ca certs for TLS verification (auto-generated by step-ca init)
- step_ca_data:/home/step/step-ca/config:ro
ports:
- '${SERVER_PORT:-8443}:8443'
depends_on:
postgres:
condition: service_healthy
step-ca:
condition: service_healthy
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'curl -sf http://localhost:8443/api/v1/health || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
# certctl agent (runs on the target machine with HAProxy)
certctl-agent:
image: ghcr.io/shankar0123/certctl-agent:latest
container_name: certctl-agent-stepca-haproxy
environment:
# Control plane connection
CERTCTL_SERVER_URL: http://certctl-server:8443
CERTCTL_API_KEY: ${AGENT_API_KEY:-agent-demo-key}
# Key generation (agent-side keys, never sent to server)
CERTCTL_KEYGEN_MODE: agent
CERTCTL_KEY_DIR: /var/lib/certctl/keys
# Discovery (scan existing certs so operator knows what's already deployed)
CERTCTL_DISCOVERY_DIRS: /etc/haproxy/ssl
# Heartbeat interval
CERTCTL_HEARTBEAT_INTERVAL: 30s
# Agent metadata (self-reported)
CERTCTL_AGENT_NAME: haproxy-agent-01
# Logging
CERTCTL_LOG_LEVEL: info
volumes:
# Mount HAProxy config and cert directories
# In production, these would be the actual HAProxy paths
- haproxy_certs:/etc/haproxy/ssl
- haproxy_conf:/etc/haproxy
# Agent key storage (persisted across restarts)
- agent_keys:/var/lib/certctl/keys
depends_on:
certctl-server:
condition: service_healthy
networks:
- certctl-network
restart: unless-stopped
# HAProxy reverse proxy / load balancer
# This is where certificates will be deployed
haproxy:
image: haproxy:2.9-alpine
container_name: certctl-haproxy-stepca-haproxy
ports:
- '80:80'
- '443:443'
volumes:
- haproxy_conf:/etc/haproxy
- haproxy_certs:/etc/haproxy/ssl
# Default HAProxy config
- ./haproxy.cfg:/etc/haproxy/haproxy.cfg:ro
depends_on:
- certctl-agent
networks:
- certctl-network
healthcheck:
test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:8080/stats || exit 1']
interval: 10s
timeout: 5s
retries: 3
restart: unless-stopped
networks:
certctl-network:
driver: bridge
volumes:
postgres_data:
driver: local
step_ca_data:
driver: local
haproxy_certs:
driver: local
haproxy_conf:
driver: local
agent_keys:
driver: local
examples/step-ca-haproxy/haproxy.cfg
+69
View File
@@ -0,0 +1,69 @@
global
log stdout local0
log stdout local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL options for modern TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
mode http
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Statistics endpoint (accessible on port 8080)
listen stats
bind *:8080
stats enable
stats uri /stats
stats refresh 30s
stats admin if TRUE
# Example HTTPS frontend with certificate from certctl
# This frontend will serve HTTPS on port 443 using a combined PEM file
# deployed by certctl to /etc/haproxy/ssl/cert.pem
frontend https_in
# HTTP redirect to HTTPS
bind *:80
mode http
acl is_http hdr(X-Forwarded-Proto) http
redirect scheme https code 301 if !is_https
# HTTPS with certificate
# In production, certctl will manage cert.pem and reload HAProxy after deployment
bind *:443 ssl crt /etc/haproxy/ssl/cert.pem strict-sni
mode http
option httplog
# Default backend
default_backend http_backend
# Example backend (simple web service placeholder)
backend http_backend
mode http
option httpchk GET /
server local_app 127.0.0.1:8000 check disabled
# Health endpoint (useful for certctl agent deployment verification)
frontend health
bind *:9999
mode http
monitor-uri /health
examples/step-ca-haproxy/step-ca-haproxy.md
+355
View File
@@ -0,0 +1,355 @@
# step-ca + HAProxy Example
This example demonstrates certctl managing certificates issued by **Smallstep step-ca** and deploying them to **HAProxy**.
## Scenario
You're a Smallstep user running step-ca as your internal PKI. You have HAProxy load balancers that need certificates. This setup:
1. **step-ca** issues certificates (via JWK provisioner, no challenge solving)
2. **certctl** manages the certificate lifecycle (renewal policies, deployment, audit)
3. **HAProxy** serves HTTPS with certificates managed by certctl
This is the natural choice if you're already invested in step-ca and want to consolidate certificate lifecycle management without learning Let's Encrypt, DNS-01 challenges, or external integrations.
## What's Included
| Service | Image | Purpose |
|---------|-------|---------|
| **step-ca** | `smallstep/step-ca:latest` | Private internal CA |
| **certctl-server** | `ghcr.io/shankar0123/certctl-server:latest` | Certificate management control plane |
| **certctl-agent** | `ghcr.io/shankar0123/certctl-agent:latest` | Agent running on HAProxy server |
| **haproxy** | `haproxy:2.9-alpine` | Reverse proxy / load balancer |
| **postgres** | `postgres:16-alpine` | certctl audit trail + config storage |
## Quick Start
### Prerequisites
- Docker and Docker Compose
- Curl (to interact with APIs)
### 1. Start Everything
```bash
docker compose up -d
```
This will:
- Initialize step-ca with a self-signed root CA
- Create a JWK provisioner named `certctl` (pre-configured credentials)
- Start certctl-server (connected to step-ca)
- Start the certctl-agent (ready to deploy certs to HAProxy)
- Start HAProxy with a placeholder config
Monitor logs:
```bash
docker compose logs -f certctl-server
```
Wait for all services to reach healthy state:
```bash
docker compose ps
```
Expected output:
```
NAME STATUS
certctl-postgres-... healthy
certctl-server-... healthy
step-ca-... healthy
certctl-agent-... running
certctl-haproxy-... healthy
```
### 2. Access certctl Dashboard
Open your browser to:
```
http://localhost:8443
```
You should see an empty dashboard. This is expected — no certificates issued yet.
### 3. Create a Certificate Profile
This defines what certificates certctl can issue (key algorithm, max TTL, allowed names).
```bash
curl -X POST http://localhost:8443/api/v1/profiles \
-H 'Content-Type: application/json' \
-d '{
"name": "internal-web",
"key_type": "rsa-2048",
"max_ttl_days": 90,
"description": "Internal web services"
}'
```
### 4. Create an HAProxy Deployment Target
This tells certctl where to deploy certificates on the HAProxy server.
```bash
curl -X POST http://localhost:8443/api/v1/targets \
-H 'Content-Type: application/json' \
-d '{
"name": "haproxy-01",
"type": "haproxy",
"enabled": true,
"config": {
"pem_path": "/etc/haproxy/ssl/cert.pem",
"reload_command": "systemctl reload haproxy",
"validate_command": "haproxy -c -f /etc/haproxy/haproxy.cfg"
}
}'
```
Note: In the Docker Compose environment, reload command can be `kill -HUP $(pidof haproxy)` instead of `systemctl reload haproxy`.
### 5. Create a Renewal Policy
This ties a certificate profile to a deployment target and sets renewal thresholds.
```bash
curl -X POST http://localhost:8443/api/v1/renewal-policies \
-H 'Content-Type: application/json' \
-d '{
"name": "haproxy-internal-web",
"profile_id": "<profile_id_from_step_3>",
"issuer_id": "iss-stepca",
"enabled": true,
"renewal_days_before_expiry": 30,
"alert_thresholds_days": [30, 14, 7, 0]
}'
```
Get the issuer ID:
```bash
curl http://localhost:8443/api/v1/issuers | jq '.'
```
You should see `iss-stepca` in the list.
### 6. Issue a Certificate
Request a certificate via the API. The server will sign it via step-ca.
```bash
curl -X POST http://localhost:8443/api/v1/certificates \
-H 'Content-Type: application/json' \
-d '{
"common_name": "api.internal.example.com",
"sans": ["api.internal.example.com", "api.staging.example.com"],
"issuer_id": "iss-stepca",
"profile_id": "<profile_id_from_step_3>"
}'
```
### 7. Deploy to HAProxy
Get the certificate ID and trigger deployment:
```bash
curl -X POST http://localhost:8443/api/v1/certificates/<cert_id>/deploy \
-H 'Content-Type: application/json' \
-d '{
"target_id": "<target_id_from_step_4>"
}'
```
The agent will:
1. Fetch the deployment job
2. Generate a combined PEM (cert + chain + key) locally
3. Write it to `/etc/haproxy/ssl/cert.pem` on HAProxy
4. Reload HAProxy
5. Report status back to certctl
### 8. Verify in Dashboard
Refresh http://localhost:8443 and you should see:
- 1 certificate (status: Active, expiry in 90 days)
- 1 deployment job (status: Completed)
- 1 agent (heartbeat: recent)
## Configuration Details
### step-ca Integration
step-ca is configured with:
- **Root CA Name**: `certctl-demo-ca`
- **Provisioner**: `certctl` (JWK type)
- **Default Password**: `certctl-provisioner-demo` (override with `STEP_CA_PROVISIONER_PASSWORD`)
To inspect step-ca:
```bash
docker compose exec step-ca step ca provisioner list
docker compose exec step-ca step ca health --insecure
```
### HAProxy Combined PEM Format
HAProxy requires a single file with certificate, chain, and key concatenated:
```
-----BEGIN CERTIFICATE-----
[leaf certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate CA]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[private key]
-----END RSA PRIVATE KEY-----
```
The agent automatically constructs this file from the issued certificate and step-ca-provided chain.
**Security**: The combined PEM is written with `0600` permissions (owner-readable only) because it contains the private key.
### Environment Variables
Customize behavior with:
| Variable | Default | Purpose |
|----------|---------|---------|
| `DB_PASSWORD` | `certctl-dev-password` | PostgreSQL password |
| `STEP_CA_PASSWORD` | `stepca-demo-password` | step-ca root key password |
| `STEP_CA_PROVISIONER_PASSWORD` | `certctl-provisioner-demo` | certctl JWK provisioner password |
| `AGENT_API_KEY` | `agent-demo-key` | Agent authentication token |
| `SERVER_PORT` | `8443` | certctl server external port |
Example:
```bash
STEP_CA_PASSWORD=myca-password AGENT_API_KEY=secret-key docker compose up -d
```
## Integrating with an Existing step-ca Instance
If you already run step-ca elsewhere (not in this Compose file):
1. **Extract the root certificate** from your step-ca:
```bash
step ca root /tmp/step-ca-root.crt --ca-url https://ca.internal:9000 --insecure
```
2. **Create or retrieve the certctl JWK provisioner key**:
```bash
step ca provisioner list --ca-url https://ca.internal:9000 --insecure
step ca provisioner describe certctl --ca-url https://ca.internal:9000 --insecure
```
3. **Update docker-compose.yml**:
```yaml
certctl-server:
environment:
CERTCTL_STEPCA_URL: https://ca.internal:9000
CERTCTL_STEPCA_ROOT_CERT_PATH: /etc/certctl/step-ca-root.crt
CERTCTL_STEPCA_PROVISIONER_NAME: certctl
CERTCTL_STEPCA_PROVISIONER_KEY_PATH: /etc/certctl/step-ca-provisioner.json
CERTCTL_STEPCA_PROVISIONER_PASSWORD: <your-password>
```
4. **Mount the cert and key**:
```yaml
volumes:
- /path/to/step-ca-root.crt:/etc/certctl/step-ca-root.crt:ro
- /path/to/provisioner.json:/etc/certctl/step-ca-provisioner.json:ro
```
## Cleanup
```bash
docker compose down -v
```
This removes all containers and volumes (step-ca config, certificates, database).
## Next Steps
### Production Deployment
- Replace image tags (`latest` → specific version)
- Use real TLS certificates for step-ca (self-signed is fine internally, but use proper roots for verification)
- Configure persistent storage for step-ca keys (HSM or encrypted filesystem)
- Set `CERTCTL_AUTH_TYPE: api-key` and rotate API keys regularly
- Enable audit trail export for compliance
- Configure renewal alerts (Slack, email, PagerDuty)
- Run agents on separate machines (not in Compose)
### Advanced Features
- **Multiple HAProxy instances**: Create additional targets and agents
- **Policy-based renewal**: Set different renewal windows per environment (staging vs. production)
- **Approval workflows**: Require manual approval before deploying to production
- **Discovery**: Scan existing HAProxy certs and bring them under management
- **Network scanning**: Discover TLS endpoints in your network and inventory them
## Troubleshooting
### step-ca fails to initialize
Check logs:
```bash
docker compose logs step-ca
```
Common issues:
- Permissions on `/home/step/step-ca` volume
- Port 9000 already in use
### Agent can't reach server
Verify network:
```bash
docker compose exec certctl-agent curl http://certctl-server:8443/api/v1/health
```
### HAProxy config validation fails
Check HAProxy config syntax:
```bash
docker compose exec haproxy haproxy -c -f /etc/haproxy/haproxy.cfg
```
### Deployment job stays in "Running" state
Check agent logs:
```bash
docker compose logs certctl-agent
```
Likely causes:
- Agent can't write to `/etc/haproxy/ssl/cert.pem` (permissions)
- Reload command is misconfigured
- HAProxy container is not accessible
## Documentation
- [certctl Architecture](../../docs/architecture.md)
- [step-ca Connector Docs](../../docs/connectors.md#step-ca)
- [HAProxy Target Docs](../../docs/connectors.md#haproxy)
- [API Reference](../../api/openapi.yaml)
## Support
For issues or questions:
1. Check the [troubleshooting guide](../../docs/troubleshooting.md)
2. Review service logs: `docker compose logs <service>`
3. Open an issue on GitHub
go.mod
+1
View File
@@ -63,4 +63,5 @@ require (
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sys v0.40.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
software.sslmate.com/src/go-pkcs12 v0.7.0 // indirect
)
go.sum
+2
View File
@@ -210,3 +210,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
install-agent.sh
+473
View File
@@ -0,0 +1,473 @@
#!/bin/bash
# certctl Agent Install Script
# Detects OS (Linux/macOS) and architecture, downloads binary from GitHub Releases,
# installs to system path, configures service (systemd/launchd), and prompts for config.
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Configuration
GITHUB_REPO="shankar0123/certctl"
RELEASE_URL="https://github.com/${GITHUB_REPO}/releases/latest/download"
INSTALL_DIR="/usr/local/bin"
SERVICE_NAME="certctl-agent"
# Detect OS and architecture
detect_platform() {
local os="$(uname -s)"
local arch="$(uname -m)"
case "$os" in
Linux*)
OS_TYPE="linux"
;;
Darwin*)
OS_TYPE="darwin"
;;
*)
echo -e "${RED}Error: Unsupported OS: $os${NC}"
exit 1
;;
esac
case "$arch" in
x86_64)
ARCH_TYPE="amd64"
;;
aarch64|arm64)
ARCH_TYPE="arm64"
;;
*)
echo -e "${RED}Error: Unsupported architecture: $arch${NC}"
exit 1
;;
esac
}
# Print usage information
usage() {
cat <<EOF
Usage: $0 [OPTIONS]
Install and configure the certctl agent on your system.
OPTIONS:
-h, --help Show this help message
--server-url URL Set CERTCTL_SERVER_URL (skips interactive prompt)
--api-key KEY Set CERTCTL_API_KEY (skips interactive prompt)
--no-start Install but don't start the service
EOF
}
# Parse command-line arguments
parse_args() {
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
usage
exit 0
;;
--server-url)
SERVER_URL="$2"
shift 2
;;
--api-key)
API_KEY="$2"
shift 2
;;
--no-start)
NO_START=true
shift
;;
*)
echo -e "${RED}Error: Unknown option: $1${NC}"
usage
exit 1
;;
esac
done
}
# Check if running as root/sudo on Linux
check_privileges() {
if [[ "$OS_TYPE" == "linux" && "$EUID" -ne 0 ]]; then
echo -e "${RED}Error: This script must be run as root on Linux. Try: sudo $0${NC}"
exit 1
fi
}
# Download agent binary from GitHub Releases
download_binary() {
local binary_name="certctl-agent-${OS_TYPE}-${ARCH_TYPE}"
local download_url="${RELEASE_URL}/${binary_name}"
echo -e "${YELLOW}Downloading certctl agent (${OS_TYPE}-${ARCH_TYPE})...${NC}"
if ! command -v curl &> /dev/null; then
echo -e "${RED}Error: curl is required but not installed${NC}"
exit 1
fi
local temp_file=$(mktemp)
trap "rm -f $temp_file" EXIT
if ! curl -sSL -f "$download_url" -o "$temp_file"; then
echo -e "${RED}Error: Failed to download binary from $download_url${NC}"
echo "Make sure the latest release exists on GitHub with the binary asset for ${OS_TYPE}-${ARCH_TYPE}."
exit 1
fi
chmod +x "$temp_file"
echo "$temp_file"
}
# Install binary to system path
install_binary() {
local binary_path="$1"
echo -e "${YELLOW}Installing to $INSTALL_DIR/$SERVICE_NAME...${NC}"
if [[ "$OS_TYPE" == "linux" ]]; then
cp "$binary_path" "$INSTALL_DIR/$SERVICE_NAME"
else
# macOS: use sudo if not already running as root
if [[ "$EUID" -ne 0 ]]; then
sudo cp "$binary_path" "$INSTALL_DIR/$SERVICE_NAME"
else
cp "$binary_path" "$INSTALL_DIR/$SERVICE_NAME"
fi
fi
chmod +x "$INSTALL_DIR/$SERVICE_NAME"
echo -e "${GREEN}Binary installed: $INSTALL_DIR/$SERVICE_NAME${NC}"
}
# Prompt for configuration (unless --server-url and --api-key provided)
prompt_for_config() {
if [[ -z "${SERVER_URL:-}" ]]; then
echo ""
echo -e "${YELLOW}Enter certctl server URL (e.g., https://certctl.example.com):${NC}"
read -r SERVER_URL
if [[ -z "$SERVER_URL" ]]; then
echo -e "${RED}Error: Server URL is required${NC}"
exit 1
fi
fi
if [[ -z "${API_KEY:-}" ]]; then
echo -e "${YELLOW}Enter certctl API key:${NC}"
read -sr API_KEY
echo ""
if [[ -z "$API_KEY" ]]; then
echo -e "${RED}Error: API key is required${NC}"
exit 1
fi
fi
if [[ -z "${AGENT_ID:-}" ]]; then
local default_agent_id="$(hostname)"
echo -e "${YELLOW}Enter agent ID (default: $default_agent_id):${NC}"
read -r AGENT_ID
if [[ -z "$AGENT_ID" ]]; then
AGENT_ID="$default_agent_id"
fi
fi
}
# Create configuration directory and env file (Linux)
setup_linux_config() {
local config_dir="/etc/certctl"
local config_file="$config_dir/agent.env"
local key_dir="/var/lib/certctl/keys"
echo -e "${YELLOW}Creating configuration directory...${NC}"
# Create /etc/certctl with restrictive permissions
mkdir -p "$config_dir"
chmod 755 "$config_dir"
# Create key storage directory with 0700 permissions
mkdir -p "$key_dir"
chmod 700 "$key_dir"
# Write agent configuration (overwrite if exists)
cat > "$config_file" <<EOF
# certctl Agent Configuration
# Generated by install-agent.sh on $(date)
# Agent ID (unique identifier in the fleet)
CERTCTL_AGENT_ID=$AGENT_ID
# Control plane server URL
CERTCTL_SERVER_URL=$SERVER_URL
# API authentication key
CERTCTL_API_KEY=$API_KEY
# Key generation mode (agent = agent-side keygen, server = server-side for demo only)
CERTCTL_KEYGEN_MODE=agent
# Key storage directory (agent-side keygen)
CERTCTL_KEY_DIR=$key_dir
# Logging level (debug, info, warn, error)
# CERTCTL_LOG_LEVEL=info
# Discovery directories (comma-separated paths to scan for existing certs)
# CERTCTL_DISCOVERY_DIRS=/etc/letsencrypt/live,/etc/ssl/certs
# Enable deployment verification (TLS endpoint check post-deployment)
# CERTCTL_VERIFY_DEPLOYMENT=true
EOF
# Restrict permissions on env file (contains API key)
chmod 600 "$config_file"
echo -e "${GREEN}Configuration written to: $config_file${NC}"
}
# Create configuration directory and env file (macOS)
setup_macos_config() {
local config_dir="$HOME/.certctl"
local config_file="$config_dir/agent.env"
local key_dir="$config_dir/keys"
echo -e "${YELLOW}Creating configuration directory...${NC}"
# Create ~/.certctl with restrictive permissions
mkdir -p "$config_dir"
chmod 700 "$config_dir"
# Create key storage directory
mkdir -p "$key_dir"
chmod 700 "$key_dir"
# Write agent configuration (overwrite if exists)
cat > "$config_file" <<EOF
# certctl Agent Configuration
# Generated by install-agent.sh on $(date)
# Agent ID (unique identifier in the fleet)
CERTCTL_AGENT_ID=$AGENT_ID
# Control plane server URL
CERTCTL_SERVER_URL=$SERVER_URL
# API authentication key
CERTCTL_API_KEY=$API_KEY
# Key generation mode (agent = agent-side keygen, server = server-side for demo only)
CERTCTL_KEYGEN_MODE=agent
# Key storage directory (agent-side keygen)
CERTCTL_KEY_DIR=$key_dir
# Logging level (debug, info, warn, error)
# CERTCTL_LOG_LEVEL=info
# Discovery directories (comma-separated paths to scan for existing certs)
# CERTCTL_DISCOVERY_DIRS=/etc/letsencrypt/live,/etc/ssl/certs
# Enable deployment verification (TLS endpoint check post-deployment)
# CERTCTL_VERIFY_DEPLOYMENT=true
EOF
# Restrict permissions on env file (contains API key)
chmod 600 "$config_file"
echo -e "${GREEN}Configuration written to: $config_file${NC}"
}
# Create and enable systemd service (Linux only)
setup_systemd_service() {
local service_file="/etc/systemd/system/${SERVICE_NAME}.service"
echo -e "${YELLOW}Creating systemd service file...${NC}"
cat > "$service_file" <<'EOF'
[Unit]
Description=certctl Agent - Certificate Lifecycle Management
Documentation=https://github.com/shankar0123/certctl
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=root
Restart=on-failure
RestartSec=10s
StandardOutput=journal
StandardError=journal
# Load environment from /etc/certctl/agent.env
EnvironmentFile=/etc/certctl/agent.env
# Command to start the agent
ExecStart=/usr/local/bin/certctl-agent
[Install]
WantedBy=multi-user.target
EOF
chmod 644 "$service_file"
echo -e "${GREEN}Service file created: $service_file${NC}"
# Reload systemd daemon
systemctl daemon-reload
}
# Create and enable launchd plist (macOS only)
setup_launchd_service() {
local plist_file="$HOME/Library/LaunchAgents/com.certctl.agent.plist"
local config_file="$HOME/.certctl/agent.env"
local launcher_script="$HOME/.certctl/launcher.sh"
local home_dir="$HOME"
echo -e "${YELLOW}Creating launchd service file...${NC}"
mkdir -p "$(dirname "$plist_file")"
# Create wrapper script that sources env file before executing agent
cat > "$launcher_script" <<'LAUNCHER_SCRIPT'
#!/bin/bash
set -a
source "$HOME/.certctl/agent.env"
set +a
exec /usr/local/bin/certctl-agent
LAUNCHER_SCRIPT
chmod 755 "$launcher_script"
# Create plist that references the launcher script
cat > "$plist_file" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.certctl.agent</string>
<key>ProgramArguments</key>
<array>
<string>$home_dir/.certctl/launcher.sh</string>
</array>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
<key>HOME</key>
<string>$home_dir</string>
</dict>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>$home_dir/.certctl/agent.log</string>
<key>StandardOutPath</key>
<string>$home_dir/.certctl/agent.log</string>
</dict>
</plist>
EOF
chmod 644 "$plist_file"
echo -e "${GREEN}Service file created: $plist_file${NC}"
echo -e "${GREEN}Launcher script created: $launcher_script${NC}"
}
# Start the agent service
start_service() {
if [[ "${NO_START:-false}" == "true" ]]; then
echo -e "${YELLOW}Service not started (--no-start flag used)${NC}"
return
fi
echo -e "${YELLOW}Starting certctl agent service...${NC}"
if [[ "$OS_TYPE" == "linux" ]]; then
systemctl enable "$SERVICE_NAME"
systemctl start "$SERVICE_NAME"
sleep 2
if systemctl is-active --quiet "$SERVICE_NAME"; then
echo -e "${GREEN}Service started successfully${NC}"
else
echo -e "${RED}Warning: Service may not have started. Check logs with: systemctl status $SERVICE_NAME${NC}"
fi
else
# macOS: load launchd service for current user
launchctl load "$HOME/Library/LaunchAgents/com.certctl.agent.plist" 2>/dev/null || true
sleep 1
echo -e "${GREEN}Service loaded into launchd${NC}"
fi
}
# Print success message with next steps
print_summary() {
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN}certctl Agent Installation Complete${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo "Configuration:"
if [[ "$OS_TYPE" == "linux" ]]; then
echo " Config file: /etc/certctl/agent.env"
echo " Key storage: /var/lib/certctl/keys"
echo " Service: /etc/systemd/system/${SERVICE_NAME}.service"
echo " View logs: journalctl -u ${SERVICE_NAME} -f"
else
echo " Config file: $HOME/.certctl/agent.env"
echo " Key storage: $HOME/.certctl/keys"
echo " Service: $HOME/Library/LaunchAgents/com.certctl.agent.plist"
echo " View logs: tail -f $HOME/.certctl/agent.log"
fi
echo ""
echo "Next steps:"
echo " 1. Verify the service is running"
if [[ "$OS_TYPE" == "linux" ]]; then
echo " systemctl status ${SERVICE_NAME}"
else
echo " launchctl list | grep certctl"
fi
echo ""
echo " 2. Visit your certctl dashboard: $SERVER_URL"
echo " 3. The agent should appear in the fleet overview within 30 seconds"
echo ""
}
# Main installation flow
main() {
parse_args "$@"
detect_platform
check_privileges
echo -e "${GREEN}certctl Agent Installer${NC}"
echo "Detected platform: ${OS_TYPE}-${ARCH_TYPE}"
echo ""
prompt_for_config
# Download and install binary
local binary_path
binary_path=$(download_binary)
install_binary "$binary_path"
# Setup OS-specific configuration
if [[ "$OS_TYPE" == "linux" ]]; then
setup_linux_config
setup_systemd_service
else
setup_macos_config
setup_launchd_service
fi
# Start the service
start_service
# Print summary
print_summary
}
main "$@"
internal/api/handler/agents.go
+11
View File
@@ -3,6 +3,7 @@ package handler
import (
"context"
"encoding/json"
"log/slog"
"net/http"
"strconv"
"strings"
@@ -134,6 +135,11 @@ func (h AgentHandler) RegisterAgent(w http.ResponseWriter, r *http.Request) {
created, err := h.svc.RegisterAgent(r.Context(), agent)
if err != nil {
errMsg := err.Error()
if strings.Contains(errMsg, "unique") || strings.Contains(errMsg, "duplicate") || strings.Contains(errMsg, "already exists") {
ErrorWithRequestID(w, http.StatusConflict, "Agent with this name already exists", requestID)
return
}
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to register agent", requestID)
return
}
@@ -184,6 +190,11 @@ func (h AgentHandler) Heartbeat(w http.ResponseWriter, r *http.Request) {
}
if err := h.svc.Heartbeat(r.Context(), agentID, metadata); err != nil {
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Agent not found", requestID)
return
}
slog.Error("Heartbeat failed", "agent_id", agentID, "error", err.Error())
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to record heartbeat", requestID)
return
}
internal/api/handler/certificate_handler_test.go
+14 -12
View File
@@ -353,11 +353,12 @@ func TestCreateCertificate_Success(t *testing.T) {
handler := NewCertificateHandler(mock)
certBody := domain.ManagedCertificate{
Name: "Production Cert",
CommonName: "example.com",
OwnerID: "o-alice",
TeamID: "t-platform",
IssuerID: "iss-local",
Name: "Production Cert",
CommonName: "example.com",
OwnerID: "o-alice",
TeamID: "t-platform",
IssuerID: "iss-local",
RenewalPolicyID: "rp-standard",
}
body, _ := json.Marshal(certBody)
@@ -410,11 +411,12 @@ func TestCreateCertificate_ServiceError(t *testing.T) {
handler := NewCertificateHandler(mock)
certBody := domain.ManagedCertificate{
Name: "Production Cert",
CommonName: "example.com",
OwnerID: "o-alice",
TeamID: "t-platform",
IssuerID: "iss-local",
Name: "Production Cert",
CommonName: "example.com",
OwnerID: "o-alice",
TeamID: "t-platform",
IssuerID: "iss-local",
RenewalPolicyID: "rp-standard",
}
body, _ := json.Marshal(certBody)
@@ -534,8 +536,8 @@ func TestArchiveCertificate_NotFound(t *testing.T) {
handler.ArchiveCertificate(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
if w.Code != http.StatusNotFound {
t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
}
}
internal/api/handler/certificates.go
+38 -2
View File
@@ -2,6 +2,7 @@ package handler
import (
"encoding/json"
"log/slog"
"net/http"
"strconv"
"strings"
@@ -231,6 +232,14 @@ func (h CertificateHandler) CreateCertificate(w http.ResponseWriter, r *http.Req
ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
return
}
if err := ValidateRequired("name", cert.Name); err != nil {
ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
return
}
if err := ValidateRequired("renewal_policy_id", cert.RenewalPolicyID); err != nil {
ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
return
}
created, err := h.svc.CreateCertificate(cert)
if err != nil {
@@ -287,6 +296,11 @@ func (h CertificateHandler) UpdateCertificate(w http.ResponseWriter, r *http.Req
updated, err := h.svc.UpdateCertificate(id, cert)
if err != nil {
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
slog.Error("UpdateCertificate failed", "cert_id", id, "error", err.Error())
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update certificate", requestID)
return
}
@@ -311,6 +325,10 @@ func (h CertificateHandler) ArchiveCertificate(w http.ResponseWriter, r *http.Re
}
if err := h.svc.ArchiveCertificate(id); err != nil {
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to archive certificate", requestID)
return
}
@@ -353,7 +371,12 @@ func (h CertificateHandler) GetCertificateVersions(w http.ResponseWriter, r *htt
versions, total, err := h.svc.GetCertificateVersions(certID, page, perPage)
if err != nil {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
slog.Error("GetCertificateVersions failed", "cert_id", certID, "error", err.Error())
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to get certificate versions", requestID)
return
}
@@ -387,6 +410,19 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
certID := parts[0]
if err := h.svc.TriggerRenewal(certID); err != nil {
errMsg := err.Error()
if strings.Contains(errMsg, "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
if strings.Contains(errMsg, "cannot renew") {
ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
return
}
if strings.Contains(errMsg, "already in progress") {
ErrorWithRequestID(w, http.StatusConflict, errMsg, requestID)
return
}
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger renewal", requestID)
return
}
@@ -480,7 +516,7 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
return
}
if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "failed to fetch") {
if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "failed to fetch") || strings.Contains(errMsg, "failed to get") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
internal/api/handler/digest.go
+76
View File
@@ -0,0 +1,76 @@
package handler
import (
"context"
"encoding/json"
"net/http"
)
// DigestServicer defines the interface for digest operations used by the handler.
type DigestServicer interface {
PreviewDigest(ctx context.Context) (string, error)
SendDigest(ctx context.Context) error
}
// DigestHandler provides HTTP endpoints for certificate digest operations.
type DigestHandler struct {
service DigestServicer
}
// NewDigestHandler creates a new digest handler.
func NewDigestHandler(service DigestServicer) *DigestHandler {
return &DigestHandler{service: service}
}
// PreviewDigest renders the digest HTML without sending it.
// GET /api/v1/digest/preview
func (h *DigestHandler) PreviewDigest(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
if h.service == nil {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusServiceUnavailable)
json.NewEncoder(w).Encode(map[string]string{"error": "digest service not configured"})
return
}
html, err := h.service.PreviewDigest(r.Context())
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusOK)
w.Write([]byte(html))
}
// SendDigest triggers an immediate digest send.
// POST /api/v1/digest/send
func (h *DigestHandler) SendDigest(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
if h.service == nil {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusServiceUnavailable)
json.NewEncoder(w).Encode(map[string]string{"error": "digest service not configured"})
return
}
if err := h.service.SendDigest(r.Context()); err != nil {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusInternalServerError)
json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string]string{"status": "sent"})
}
internal/api/handler/digest_handler_test.go
+157
View File
@@ -0,0 +1,157 @@
package handler
import (
"context"
"errors"
"net/http"
"net/http/httptest"
"testing"
)
// mockDigestService implements DigestServicer for testing.
type mockDigestService struct {
previewHTML string
previewErr error
sendErr error
sendCalled bool
}
func (m *mockDigestService) PreviewDigest(ctx context.Context) (string, error) {
if m.previewErr != nil {
return "", m.previewErr
}
return m.previewHTML, nil
}
func (m *mockDigestService) SendDigest(ctx context.Context) error {
m.sendCalled = true
return m.sendErr
}
func TestDigestHandler_PreviewDigest_Success(t *testing.T) {
svc := &mockDigestService{
previewHTML: "<html><body>Digest Preview</body></html>",
}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/digest/preview", nil)
w := httptest.NewRecorder()
h.PreviewDigest(w, req)
if w.Code != http.StatusOK {
t.Errorf("expected status 200, got %d", w.Code)
}
if w.Header().Get("Content-Type") != "text/html; charset=utf-8" {
t.Errorf("expected Content-Type text/html, got %s", w.Header().Get("Content-Type"))
}
if w.Body.String() != "<html><body>Digest Preview</body></html>" {
t.Errorf("unexpected body: %s", w.Body.String())
}
}
func TestDigestHandler_PreviewDigest_MethodNotAllowed(t *testing.T) {
svc := &mockDigestService{}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/digest/preview", nil)
w := httptest.NewRecorder()
h.PreviewDigest(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected status 405, got %d", w.Code)
}
}
func TestDigestHandler_PreviewDigest_ServiceError(t *testing.T) {
svc := &mockDigestService{
previewErr: errors.New("stats unavailable"),
}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/digest/preview", nil)
w := httptest.NewRecorder()
h.PreviewDigest(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status 500, got %d", w.Code)
}
}
func TestDigestHandler_PreviewDigest_NotConfigured(t *testing.T) {
h := NewDigestHandler(nil)
req := httptest.NewRequest(http.MethodGet, "/api/v1/digest/preview", nil)
w := httptest.NewRecorder()
h.PreviewDigest(w, req)
if w.Code != http.StatusServiceUnavailable {
t.Errorf("expected status 503, got %d", w.Code)
}
}
func TestDigestHandler_SendDigest_Success(t *testing.T) {
svc := &mockDigestService{}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/digest/send", nil)
w := httptest.NewRecorder()
h.SendDigest(w, req)
if w.Code != http.StatusOK {
t.Errorf("expected status 200, got %d", w.Code)
}
if !svc.sendCalled {
t.Error("expected SendDigest to be called")
}
}
func TestDigestHandler_SendDigest_MethodNotAllowed(t *testing.T) {
svc := &mockDigestService{}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/digest/send", nil)
w := httptest.NewRecorder()
h.SendDigest(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected status 405, got %d", w.Code)
}
}
func TestDigestHandler_SendDigest_ServiceError(t *testing.T) {
svc := &mockDigestService{
sendErr: errors.New("SMTP connection refused"),
}
h := NewDigestHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/digest/send", nil)
w := httptest.NewRecorder()
h.SendDigest(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status 500, got %d", w.Code)
}
}
func TestDigestHandler_SendDigest_NotConfigured(t *testing.T) {
h := NewDigestHandler(nil)
req := httptest.NewRequest(http.MethodPost, "/api/v1/digest/send", nil)
w := httptest.NewRecorder()
h.SendDigest(w, req)
if w.Code != http.StatusServiceUnavailable {
t.Errorf("expected status 503, got %d", w.Code)
}
}
internal/api/handler/discovery_handler_test.go
+119
View File
@@ -610,3 +610,122 @@ func TestGetDiscoverySummary_MethodNotAllowed(t *testing.T) {
t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
}
}
// Test DismissDiscovered - service error
func TestDismissDiscovered_ServiceError(t *testing.T) {
mock := &MockDiscoveryService{
DismissDiscoveredFn: func(ctx context.Context, id string) error {
return fmt.Errorf("database error")
},
}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/discovered-certificates/dcert-1/dismiss", nil)
req = req.WithContext(discoveryContextWithRequestID())
req.SetPathValue("id", "dcert-1")
w := httptest.NewRecorder()
handler.DismissDiscovered(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
}
}
// Test ClaimDiscovered - invalid body (malformed JSON)
func TestClaimDiscovered_InvalidJSON(t *testing.T) {
mock := &MockDiscoveryService{}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/discovered-certificates/dcert-1/claim", bytes.NewReader([]byte("invalid json")))
req = req.WithContext(discoveryContextWithRequestID())
req.SetPathValue("id", "dcert-1")
w := httptest.NewRecorder()
handler.ClaimDiscovered(w, req)
if w.Code != http.StatusBadRequest {
t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
}
}
// Test ClaimDiscovered - method not allowed
func TestClaimDiscovered_MethodNotAllowed(t *testing.T) {
mock := &MockDiscoveryService{}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/discovered-certificates/dcert-1/claim", nil)
req = req.WithContext(discoveryContextWithRequestID())
req.SetPathValue("id", "dcert-1")
w := httptest.NewRecorder()
handler.ClaimDiscovered(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
}
}
// Test ListDiscovered - service error
func TestListDiscovered_ServiceError(t *testing.T) {
mock := &MockDiscoveryService{
ListDiscoveredFn: func(ctx context.Context, agentID, status string, page, perPage int) ([]*domain.DiscoveredCertificate, int, error) {
return nil, 0, fmt.Errorf("database error")
},
}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/discovered-certificates", nil)
req = req.WithContext(discoveryContextWithRequestID())
w := httptest.NewRecorder()
handler.ListDiscovered(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
}
}
// Test ListScans - service error
func TestListScans_ServiceError(t *testing.T) {
mock := &MockDiscoveryService{
ListScansFn: func(ctx context.Context, agentID string, page, perPage int) ([]*domain.DiscoveryScan, int, error) {
return nil, 0, fmt.Errorf("database error")
},
}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/discovery-scans", nil)
req = req.WithContext(discoveryContextWithRequestID())
w := httptest.NewRecorder()
handler.ListScans(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
}
}
// Test GetDiscoverySummary - service error
func TestGetDiscoverySummary_ServiceError(t *testing.T) {
mock := &MockDiscoveryService{
GetDiscoverySummaryFn: func(ctx context.Context) (map[string]int, error) {
return nil, fmt.Errorf("database error")
},
}
handler := NewDiscoveryHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/discovery-summary", nil)
req = req.WithContext(discoveryContextWithRequestID())
w := httptest.NewRecorder()
handler.GetDiscoverySummary(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
}
}
internal/api/handler/est_handler_test.go
+46
View File
@@ -396,3 +396,49 @@ func TestASN1EncodeLength(t *testing.T) {
}
}
}
func TestESTCSRAttrs_ServiceError(t *testing.T) {
svc := &mockESTService{
CSRAttrsErr: errors.New("service error"),
}
h := NewESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
w := httptest.NewRecorder()
h.CSRAttrs(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
func TestESTSimpleReEnroll_ServiceError(t *testing.T) {
csrPEM := generateTestCSRPEM(t)
svc := &mockESTService{
EnrollErr: errors.New("renewal failed"),
}
h := NewESTHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simplereenroll", strings.NewReader(csrPEM))
w := httptest.NewRecorder()
h.SimpleReEnroll(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
func TestESTCACerts_UnableToGetCerts(t *testing.T) {
svc := &mockESTService{
CACertErr: errors.New("CA unavailable"),
}
h := NewESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/.well-known/est/cacerts", nil)
w := httptest.NewRecorder()
h.CACerts(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
internal/api/handler/export.go
+139
View File
@@ -0,0 +1,139 @@
package handler
import (
"context"
"encoding/json"
"log/slog"
"net/http"
"strings"
"github.com/shankar0123/certctl/internal/api/middleware"
"github.com/shankar0123/certctl/internal/service"
)
// ExportService defines the service interface for certificate export operations.
type ExportService interface {
ExportPEM(ctx context.Context, certID string) (*service.ExportPEMResult, error)
ExportPKCS12(ctx context.Context, certID string, password string) ([]byte, error)
}
// ExportHandler handles HTTP requests for certificate export operations.
type ExportHandler struct {
svc ExportService
}
// NewExportHandler creates a new ExportHandler with a service dependency.
func NewExportHandler(svc ExportService) ExportHandler {
return ExportHandler{svc: svc}
}
// ExportPEM exports a certificate and its chain in PEM format.
// GET /api/v1/certificates/{id}/export/pem
func (h ExportHandler) ExportPEM(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
return
}
requestID := middleware.GetRequestID(r.Context())
// Extract certificate ID from path: /api/v1/certificates/{id}/export/pem
id := extractCertIDFromExportPath(r.URL.Path)
if id == "" {
ErrorWithRequestID(w, http.StatusBadRequest, "Certificate ID is required", requestID)
return
}
result, err := h.svc.ExportPEM(r.Context(), id)
if err != nil {
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
slog.Error("ExportPEM failed", "cert_id", id, "error", err.Error())
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to export certificate", requestID)
return
}
// Check if client wants file download via Accept header or ?download=true query param
if r.URL.Query().Get("download") == "true" {
w.Header().Set("Content-Type", "application/x-pem-file")
w.Header().Set("Content-Disposition", "attachment; filename=\"certificate.pem\"")
w.WriteHeader(http.StatusOK)
w.Write([]byte(result.FullPEM))
return
}
JSON(w, http.StatusOK, result)
}
// ExportPKCS12 exports a certificate and chain in PKCS#12 format.
// POST /api/v1/certificates/{id}/export/pkcs12
// Body: { "password": "optional-password" }
func (h ExportHandler) ExportPKCS12(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
return
}
requestID := middleware.GetRequestID(r.Context())
// Extract certificate ID from path: /api/v1/certificates/{id}/export/pkcs12
id := extractCertIDFromExportPath(r.URL.Path)
if id == "" {
ErrorWithRequestID(w, http.StatusBadRequest, "Certificate ID is required", requestID)
return
}
// Parse optional password from request body (may be empty)
var req struct {
Password string `json:"password"`
}
// Body is optional — empty body means empty password
_ = parseJSONBody(r, &req)
pfxData, err := h.svc.ExportPKCS12(r.Context(), id, req.Password)
if err != nil {
if strings.Contains(err.Error(), "not found") {
ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
return
}
if strings.Contains(err.Error(), "cannot be parsed") || strings.Contains(err.Error(), "no certificates found") {
ErrorWithRequestID(w, http.StatusUnprocessableEntity, "Certificate data cannot be parsed as X.509", requestID)
return
}
slog.Error("ExportPKCS12 failed", "cert_id", id, "error", err.Error())
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to export PKCS#12", requestID)
return
}
w.Header().Set("Content-Type", "application/x-pkcs12")
w.Header().Set("Content-Disposition", "attachment; filename=\"certificate.p12\"")
w.WriteHeader(http.StatusOK)
w.Write(pfxData)
}
// extractCertIDFromExportPath extracts the certificate ID from an export path.
// Path format: /api/v1/certificates/{id}/export/pem or /api/v1/certificates/{id}/export/pkcs12
func extractCertIDFromExportPath(path string) string {
prefix := "/api/v1/certificates/"
if !strings.HasPrefix(path, prefix) {
return ""
}
rest := strings.TrimPrefix(path, prefix)
// rest should be "{id}/export/pem" or "{id}/export/pkcs12"
parts := strings.Split(rest, "/")
if len(parts) < 3 || parts[1] != "export" {
return ""
}
return parts[0]
}
// parseJSONBody is a helper that decodes JSON from the request body.
// Returns an error if the body is malformed, nil if body is empty.
func parseJSONBody(r *http.Request, v interface{}) error {
if r.Body == nil {
return nil
}
return json.NewDecoder(r.Body).Decode(v)
}
internal/api/handler/export_handler_test.go
+319
View File
@@ -0,0 +1,319 @@
package handler
import (
"context"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/shankar0123/certctl/internal/service"
)
// Add context import was already there — verify import is present above
// MockExportService is a mock implementation of ExportService interface.
type MockExportService struct {
ExportPEMFn func(ctx context.Context, certID string) (*service.ExportPEMResult, error)
ExportPKCS12Fn func(ctx context.Context, certID string, password string) ([]byte, error)
}
func (m *MockExportService) ExportPEM(ctx context.Context, certID string) (*service.ExportPEMResult, error) {
if m.ExportPEMFn != nil {
return m.ExportPEMFn(ctx, certID)
}
return nil, nil
}
func (m *MockExportService) ExportPKCS12(ctx context.Context, certID string, password string) ([]byte, error) {
if m.ExportPKCS12Fn != nil {
return m.ExportPKCS12Fn(ctx, certID, password)
}
return nil, nil
}
func TestExportPEM_Success(t *testing.T) {
mockSvc := &MockExportService{
ExportPEMFn: func(_ context.Context, certID string) (*service.ExportPEMResult, error) {
if certID != "mc-test-1" {
t.Errorf("expected certID mc-test-1, got %s", certID)
}
return &service.ExportPEMResult{
CertPEM: "-----BEGIN CERTIFICATE-----\nAAA\n-----END CERTIFICATE-----\n",
ChainPEM: "-----BEGIN CERTIFICATE-----\nBBB\n-----END CERTIFICATE-----\n",
FullPEM: "-----BEGIN CERTIFICATE-----\nAAA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nBBB\n-----END CERTIFICATE-----\n",
}, nil
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/mc-test-1/export/pem", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
if ct := w.Header().Get("Content-Type"); ct != "application/json" {
t.Errorf("expected application/json content type, got %s", ct)
}
var result service.ExportPEMResult
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.CertPEM == "" {
t.Error("expected non-empty CertPEM")
}
if result.ChainPEM == "" {
t.Error("expected non-empty ChainPEM")
}
if result.FullPEM == "" {
t.Error("expected non-empty FullPEM")
}
}
func TestExportPEM_Download(t *testing.T) {
mockSvc := &MockExportService{
ExportPEMFn: func(_ context.Context, _ string) (*service.ExportPEMResult, error) {
return &service.ExportPEMResult{
CertPEM: "cert",
ChainPEM: "chain",
FullPEM: "full-pem-content",
}, nil
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/mc-test-1/export/pem?download=true", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
if ct := w.Header().Get("Content-Type"); ct != "application/x-pem-file" {
t.Errorf("expected application/x-pem-file, got %s", ct)
}
if cd := w.Header().Get("Content-Disposition"); cd != `attachment; filename="certificate.pem"` {
t.Errorf("expected Content-Disposition attachment, got %s", cd)
}
if w.Body.String() != "full-pem-content" {
t.Errorf("expected full-pem-content body, got %s", w.Body.String())
}
}
func TestExportPEM_NotFound(t *testing.T) {
mockSvc := &MockExportService{
ExportPEMFn: func(_ context.Context, _ string) (*service.ExportPEMResult, error) {
return nil, fmt.Errorf("certificate not found")
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/nonexistent/export/pem", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusNotFound {
t.Fatalf("expected 404, got %d", w.Code)
}
}
func TestExportPEM_ServiceError(t *testing.T) {
mockSvc := &MockExportService{
ExportPEMFn: func(_ context.Context, _ string) (*service.ExportPEMResult, error) {
return nil, fmt.Errorf("internal error")
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/mc-test-1/export/pem", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusInternalServerError {
t.Fatalf("expected 500, got %d", w.Code)
}
}
func TestExportPEM_MethodNotAllowed(t *testing.T) {
h := NewExportHandler(&MockExportService{})
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-test-1/export/pem", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Fatalf("expected 405, got %d", w.Code)
}
}
func TestExportPKCS12_Success(t *testing.T) {
pfxData := []byte{0x30, 0x82, 0x01, 0x00} // mock PKCS#12 data
mockSvc := &MockExportService{
ExportPKCS12Fn: func(_ context.Context, certID string, password string) ([]byte, error) {
if certID != "mc-test-1" {
t.Errorf("expected certID mc-test-1, got %s", certID)
}
if password != "mysecret" {
t.Errorf("expected password mysecret, got %s", password)
}
return pfxData, nil
},
}
h := NewExportHandler(mockSvc)
body := strings.NewReader(`{"password":"mysecret"}`)
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-test-1/export/pkcs12", body)
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
if ct := w.Header().Get("Content-Type"); ct != "application/x-pkcs12" {
t.Errorf("expected application/x-pkcs12, got %s", ct)
}
if cd := w.Header().Get("Content-Disposition"); cd != `attachment; filename="certificate.p12"` {
t.Errorf("expected Content-Disposition attachment, got %s", cd)
}
if len(w.Body.Bytes()) != len(pfxData) {
t.Errorf("expected %d bytes, got %d", len(pfxData), len(w.Body.Bytes()))
}
}
func TestExportPKCS12_EmptyPassword(t *testing.T) {
mockSvc := &MockExportService{
ExportPKCS12Fn: func(_ context.Context, _ string, password string) ([]byte, error) {
if password != "" {
t.Errorf("expected empty password, got %s", password)
}
return []byte{0x30}, nil
},
}
h := NewExportHandler(mockSvc)
// Empty body — password defaults to ""
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-test-1/export/pkcs12", nil)
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
}
func TestExportPKCS12_NotFound(t *testing.T) {
mockSvc := &MockExportService{
ExportPKCS12Fn: func(_ context.Context, _ string, _ string) ([]byte, error) {
return nil, fmt.Errorf("certificate not found")
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/nonexistent/export/pkcs12", nil)
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusNotFound {
t.Fatalf("expected 404, got %d", w.Code)
}
}
func TestExportPKCS12_ServiceError(t *testing.T) {
mockSvc := &MockExportService{
ExportPKCS12Fn: func(_ context.Context, _ string, _ string) ([]byte, error) {
return nil, fmt.Errorf("encoding error")
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-test-1/export/pkcs12", nil)
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusInternalServerError {
t.Fatalf("expected 500, got %d", w.Code)
}
}
func TestExportPKCS12_MethodNotAllowed(t *testing.T) {
h := NewExportHandler(&MockExportService{})
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/mc-test-1/export/pkcs12", nil)
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Fatalf("expected 405, got %d", w.Code)
}
}
func TestExtractCertIDFromExportPath(t *testing.T) {
tests := []struct {
path string
expected string
}{
{"/api/v1/certificates/mc-test-1/export/pem", "mc-test-1"},
{"/api/v1/certificates/mc-api-prod/export/pkcs12", "mc-api-prod"},
{"/api/v1/certificates//export/pem", ""},
{"/api/v1/other/mc-test-1/export/pem", ""},
{"/api/v1/certificates/mc-test-1", ""},
{"", ""},
}
for _, tt := range tests {
got := extractCertIDFromExportPath(tt.path)
if got != tt.expected {
t.Errorf("extractCertIDFromExportPath(%q) = %q, want %q", tt.path, got, tt.expected)
}
}
}
func TestExportPKCS12_InvalidJSON(t *testing.T) {
mockSvc := &MockExportService{
ExportPKCS12Fn: func(_ context.Context, _ string, password string) ([]byte, error) {
// Invalid JSON is silently ignored, defaults to empty password
if password != "" {
t.Errorf("expected empty password (invalid JSON ignored), got %s", password)
}
return []byte{0x30}, nil
},
}
h := NewExportHandler(mockSvc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-test-1/export/pkcs12", strings.NewReader(`{"invalid json`))
w := httptest.NewRecorder()
h.ExportPKCS12(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200 (invalid JSON ignored), got %d", w.Code)
}
}
func TestExportPEM_MethodNotAllowedDelete(t *testing.T) {
h := NewExportHandler(&MockExportService{})
req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/mc-test-1/export/pem", nil)
w := httptest.NewRecorder()
h.ExportPEM(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Fatalf("expected 405, got %d", w.Code)
}
}
internal/api/handler/stats_handler_test.go
+112
View File
@@ -316,3 +316,115 @@ func TestGetPrometheusMetrics_ZeroValues(t *testing.T) {
func containsLine(text, substr string) bool {
return strings.Contains(text, substr)
}
// Test GetCertificatesByStatus - method not allowed
func TestGetCertificatesByStatus_MethodNotAllowed(t *testing.T) {
mock := &MockStatsService{}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/stats/certificates-by-status", nil)
w := httptest.NewRecorder()
h.GetCertificatesByStatus(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected 405, got %d", w.Code)
}
}
// Test GetCertificatesByStatus - service error
func TestGetCertificatesByStatus_ServiceError(t *testing.T) {
mock := &MockStatsService{
GetCertificatesByStatusFn: func(ctx context.Context) (interface{}, error) {
return nil, fmt.Errorf("db error")
},
}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/stats/certificates-by-status", nil)
w := httptest.NewRecorder()
h.GetCertificatesByStatus(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
// Test GetExpirationTimeline - method not allowed
func TestGetExpirationTimeline_MethodNotAllowed(t *testing.T) {
mock := &MockStatsService{}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/stats/expiration-timeline", nil)
w := httptest.NewRecorder()
h.GetExpirationTimeline(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected 405, got %d", w.Code)
}
}
// Test GetExpirationTimeline - service error
func TestGetExpirationTimeline_ServiceError(t *testing.T) {
mock := &MockStatsService{
GetExpirationTimelineFn: func(ctx context.Context, days int) (interface{}, error) {
return nil, fmt.Errorf("db error")
},
}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/stats/expiration-timeline?days=30", nil)
w := httptest.NewRecorder()
h.GetExpirationTimeline(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
// Test GetJobTrends - method not allowed
func TestGetJobTrends_MethodNotAllowed(t *testing.T) {
mock := &MockStatsService{}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/stats/job-trends", nil)
w := httptest.NewRecorder()
h.GetJobTrends(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected 405, got %d", w.Code)
}
}
// Test GetJobTrends - service error
func TestGetJobTrends_ServiceError(t *testing.T) {
mock := &MockStatsService{
GetJobStatsFn: func(ctx context.Context, days int) (interface{}, error) {
return nil, fmt.Errorf("db error")
},
}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/stats/job-trends?days=14", nil)
w := httptest.NewRecorder()
h.GetJobTrends(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
// Test GetIssuanceRate - method not allowed
func TestGetIssuanceRate_MethodNotAllowed(t *testing.T) {
mock := &MockStatsService{}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodPost, "/api/v1/stats/issuance-rate", nil)
w := httptest.NewRecorder()
h.GetIssuanceRate(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("expected 405, got %d", w.Code)
}
}
// Test GetIssuanceRate - service error
func TestGetIssuanceRate_ServiceError(t *testing.T) {
mock := &MockStatsService{
GetIssuanceRateFn: func(ctx context.Context, days int) (interface{}, error) {
return nil, fmt.Errorf("db error")
},
}
h := NewStatsHandler(mock)
req := httptest.NewRequest(http.MethodGet, "/api/v1/stats/issuance-rate?days=7", nil)
w := httptest.NewRecorder()
h.GetIssuanceRate(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected 500, got %d", w.Code)
}
}
internal/api/handler/verification_handler_test.go
+52
View File
@@ -249,6 +249,58 @@ func TestVerifyDeployment_ServiceError(t *testing.T) {
}
}
func TestVerifyDeployment_EmptyBody(t *testing.T) {
mockSvc := &mockVerificationService{}
handler := NewVerificationHandler(mockSvc)
httpReq := httptest.NewRequest("POST", "/api/v1/jobs/j-test10/verify", bytes.NewBufferString(""))
w := httptest.NewRecorder()
handler.VerifyDeployment(w, httpReq)
if w.Code != http.StatusBadRequest {
t.Errorf("expected status 400, got %d", w.Code)
}
}
func TestGetVerificationStatus_ServiceError(t *testing.T) {
mockSvc := &mockVerificationService{
getErr: ErrServiceUnavailable,
}
handler := NewVerificationHandler(mockSvc)
httpReq := httptest.NewRequest("GET", "/api/v1/jobs/j-test11/verification", nil)
w := httptest.NewRecorder()
handler.GetVerificationStatus(w, httpReq)
if w.Code != http.StatusInternalServerError {
t.Errorf("expected status 500, got %d", w.Code)
}
}
func TestGetVerificationStatus_NotFound(t *testing.T) {
mockSvc := &mockVerificationService{
results: make(map[string]*domain.VerificationResult),
}
handler := NewVerificationHandler(mockSvc)
httpReq := httptest.NewRequest("GET", "/api/v1/jobs/j-nonexistent/verification", nil)
w := httptest.NewRecorder()
handler.GetVerificationStatus(w, httpReq)
if w.Code != http.StatusOK {
t.Errorf("expected status 200, got %d", w.Code)
}
var result *domain.VerificationResult
json.NewDecoder(w.Body).Decode(&result)
if result != nil {
t.Error("expected nil result for nonexistent job")
}
}
var ErrServiceUnavailable = NewServiceError("service unavailable")
func NewServiceError(msg string) error {
internal/api/middleware/audit.go
+6 -1
View File
@@ -78,7 +78,12 @@ func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) htt
latency := time.Since(start).Milliseconds()
// Record audit event asynchronously (best-effort, don't block response)
// Record audit event asynchronously (best-effort, don't block response).
// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
// to prevent query parameters from being recorded in the immutable audit trail.
// Query strings may contain cursor tokens, API keys passed as params, or other
// sensitive filter values. Since the audit trail is append-only with no deletion
// capability, any sensitive data recorded would persist permanently.
go func() {
if err := recorder.RecordAPICall(
context.Background(),
internal/api/middleware/audit_test.go
+40
View File
@@ -328,6 +328,46 @@ func TestAuditLog_CapturesLatency(t *testing.T) {
}
}
func TestAuditLog_ExcludesQueryParamsFromPath(t *testing.T) {
recorder := newWaitableAuditRecorder()
mw := NewAuditLog(recorder, AuditConfig{})
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
// Send a request with sensitive query parameters
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates?api_key=secret123&cursor=abc&status=active", nil)
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if !recorder.Wait(1 * time.Second) {
t.Fatal("timeout waiting for audit record")
}
calls := recorder.getCalls()
if len(calls) != 1 {
t.Fatalf("expected 1 audit call, got %d", len(calls))
}
// Path should contain ONLY the path, no query parameters
if calls[0].Path != "/api/v1/certificates" {
t.Errorf("expected path /api/v1/certificates (no query params), got %s", calls[0].Path)
}
if strings.Contains(calls[0].Path, "api_key") {
t.Error("audit path contains 'api_key' — query parameters leaked into audit trail")
}
if strings.Contains(calls[0].Path, "secret123") {
t.Error("audit path contains sensitive value 'secret123' — query parameters leaked into audit trail")
}
if strings.Contains(calls[0].Path, "cursor") {
t.Error("audit path contains 'cursor' — query parameters leaked into audit trail")
}
if strings.Contains(calls[0].Path, "?") {
t.Error("audit path contains '?' — query string leaked into audit trail")
}
}
func TestAuditServiceAdapter_TranslatesCallToEvent(t *testing.T) {
var capturedActor, capturedActorType, capturedAction, capturedResourceType, capturedResourceID string
var capturedDetails map[string]interface{}
internal/api/middleware/auth_test.go
+189
View File
@@ -0,0 +1,189 @@
package middleware
import (
"net/http"
"net/http/httptest"
"testing"
)
func TestNewAuth_MultiKeyAcceptsBothKeys(t *testing.T) {
cfg := AuthConfig{
Type: "api-key",
Secret: "key-one,key-two",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
// First key should work
req1 := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req1.Header.Set("Authorization", "Bearer key-one")
rr1 := httptest.NewRecorder()
handler.ServeHTTP(rr1, req1)
if rr1.Code != http.StatusOK {
t.Errorf("expected 200 for first key, got %d", rr1.Code)
}
// Second key should work
req2 := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req2.Header.Set("Authorization", "Bearer key-two")
rr2 := httptest.NewRecorder()
handler.ServeHTTP(rr2, req2)
if rr2.Code != http.StatusOK {
t.Errorf("expected 200 for second key, got %d", rr2.Code)
}
}
func TestNewAuth_MultiKeyRejectsInvalidKey(t *testing.T) {
cfg := AuthConfig{
Type: "api-key",
Secret: "key-one,key-two",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
// Invalid key should be rejected
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req.Header.Set("Authorization", "Bearer wrong-key")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401 for invalid key, got %d", rr.Code)
}
}
func TestNewAuth_MultiKeyWithSpaces(t *testing.T) {
// Keys with leading/trailing spaces should be trimmed
cfg := AuthConfig{
Type: "api-key",
Secret: " key-one , key-two ",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req.Header.Set("Authorization", "Bearer key-one")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200 for trimmed key, got %d", rr.Code)
}
}
func TestNewAuth_SingleKeyStillWorks(t *testing.T) {
cfg := AuthConfig{
Type: "api-key",
Secret: "my-single-key",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req.Header.Set("Authorization", "Bearer my-single-key")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200 for single key, got %d", rr.Code)
}
}
func TestNewAuth_NoneMode(t *testing.T) {
cfg := AuthConfig{
Type: "none",
Secret: "",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
// No auth header needed in none mode
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200 in none mode, got %d", rr.Code)
}
}
func TestNewAuth_MissingAuthHeader(t *testing.T) {
cfg := AuthConfig{
Type: "api-key",
Secret: "test-key",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401 for missing auth, got %d", rr.Code)
}
}
func TestNewAuth_InvalidBearerFormat(t *testing.T) {
cfg := AuthConfig{
Type: "api-key",
Secret: "test-key",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req.Header.Set("Authorization", "Basic dGVzdDp0ZXN0")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401 for non-Bearer auth, got %d", rr.Code)
}
}
func TestNewAuth_RemovedKeyIsRejected(t *testing.T) {
// Simulate key rotation: only key-two is configured (key-one was removed)
cfg := AuthConfig{
Type: "api-key",
Secret: "key-two",
}
mw := NewAuth(cfg)
handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
// Old key should be rejected
req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req.Header.Set("Authorization", "Bearer key-one")
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401 for removed key, got %d", rr.Code)
}
// New key should work
req2 := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
req2.Header.Set("Authorization", "Bearer key-two")
rr2 := httptest.NewRecorder()
handler.ServeHTTP(rr2, req2)
if rr2.Code != http.StatusOK {
t.Errorf("expected 200 for current key, got %d", rr2.Code)
}
}
internal/api/middleware/middleware.go
+32 -5
View File
@@ -8,6 +8,7 @@ import (
"log"
"log/slog"
"net/http"
"strings"
"sync"
"time"
@@ -100,12 +101,17 @@ func HashAPIKey(key string) string {
// AuthConfig holds configuration for the Auth middleware.
type AuthConfig struct {
Type string // "api-key", "jwt", "none"
Secret string // The raw API key (server compares against this)
Secret string // The raw API key or comma-separated list of valid API keys
}
// NewAuth creates an authentication middleware based on config.
// When Type is "none", all requests pass through (demo/development mode).
// When Type is "api-key", requests must include a valid Bearer token.
// The Secret field supports a comma-separated list of valid API keys for
// zero-downtime key rotation. Rotation workflow:
// 1. Add new key to comma-separated list, restart server
// 2. Update all agents/clients to use new key
// 3. Remove old key from list, restart server
func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
if cfg.Type == "none" {
return func(next http.Handler) http.Handler {
@@ -113,8 +119,21 @@ func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
}
}
// Pre-compute hash of the expected key for constant-time comparison
expectedHash := HashAPIKey(cfg.Secret)
// Pre-compute hashes of all valid keys for constant-time comparison.
// Supports comma-separated list for zero-downtime key rotation.
keys := strings.Split(cfg.Secret, ",")
var expectedHashes []string
for _, k := range keys {
k = strings.TrimSpace(k)
if k != "" {
expectedHashes = append(expectedHashes, HashAPIKey(k))
}
}
// Warn if only one key is configured in production mode
if len(expectedHashes) == 1 {
slog.Warn("only one API key configured — consider adding a rotation key via comma-separated CERTCTL_AUTH_SECRET for zero-downtime rotation")
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -136,8 +155,16 @@ func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
token := authHeader[7:]
tokenHash := HashAPIKey(token)
// Constant-time comparison to prevent timing attacks
if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(expectedHash)) != 1 {
// Check against all valid keys using constant-time comparison
authorized := false
for _, expectedHash := range expectedHashes {
if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(expectedHash)) == 1 {
authorized = true
break
}
}
if !authorized {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
http.Error(w, `{"error":"Invalid API key"}`, http.StatusUnauthorized)
return
internal/api/router/router.go
+10
View File
@@ -63,6 +63,8 @@ type HandlerRegistry struct {
Discovery handler.DiscoveryHandler
NetworkScan handler.NetworkScanHandler
Verification handler.VerificationHandler
Export handler.ExportHandler
Digest handler.DigestHandler
}
// RegisterHandlers sets up all API routes with their handlers.
@@ -99,6 +101,10 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
r.Register("POST /api/v1/certificates/{id}/deploy", http.HandlerFunc(reg.Certificates.TriggerDeployment))
r.Register("POST /api/v1/certificates/{id}/revoke", http.HandlerFunc(reg.Certificates.RevokeCertificate))
// Export endpoints: /api/v1/certificates/{id}/export/{format}
r.Register("GET /api/v1/certificates/{id}/export/pem", http.HandlerFunc(reg.Export.ExportPEM))
r.Register("POST /api/v1/certificates/{id}/export/pkcs12", http.HandlerFunc(reg.Export.ExportPKCS12))
// CRL endpoints: /api/v1/crl (JSON) and /api/v1/crl/{issuer_id} (DER)
r.Register("GET /api/v1/crl", http.HandlerFunc(reg.Certificates.GetCRL))
r.Register("GET /api/v1/crl/{issuer_id}", http.HandlerFunc(reg.Certificates.GetDERCRL))
@@ -215,6 +221,10 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
// Verification routes: /api/v1/jobs/{id}/verify and /api/v1/jobs/{id}/verification
r.Register("POST /api/v1/jobs/{id}/verify", http.HandlerFunc(reg.Verification.VerifyDeployment))
r.Register("GET /api/v1/jobs/{id}/verification", http.HandlerFunc(reg.Verification.GetVerificationStatus))
// Digest routes: /api/v1/digest
r.Register("GET /api/v1/digest/preview", http.HandlerFunc(reg.Digest.PreviewDigest))
r.Register("POST /api/v1/digest/send", http.HandlerFunc(reg.Digest.SendDigest))
}
// RegisterESTHandlers sets up EST (RFC 7030) routes under /.well-known/est/.
internal/config/config.go
+81 -2
View File
@@ -24,6 +24,8 @@ type Config struct {
NetworkScan NetworkScanConfig
EST ESTConfig
Verification VerificationConfig
ACME ACMEConfig
Digest DigestConfig
}
// NotifierConfig contains configuration for notification connectors.
@@ -64,6 +66,34 @@ type NotifierConfig struct {
// OpsGeniePriority sets the default priority for OpsGenie alerts.
// Valid values: "P1", "P2", "P3", "P4", "P5". Default: "P3".
OpsGeniePriority string
// SMTPHost is the SMTP server hostname for sending email notifications.
// Example: "smtp.gmail.com", "smtp.sendgrid.net". Required for email notifications.
// Setting: CERTCTL_SMTP_HOST environment variable.
SMTPHost string
// SMTPPort is the SMTP server port. Default: 587 (STARTTLS).
// Common values: 25 (plain), 465 (implicit TLS), 587 (STARTTLS).
// Setting: CERTCTL_SMTP_PORT environment variable.
SMTPPort int
// SMTPUsername is the SMTP authentication username.
// Setting: CERTCTL_SMTP_USERNAME environment variable.
SMTPUsername string
// SMTPPassword is the SMTP authentication password or app-specific password.
// Setting: CERTCTL_SMTP_PASSWORD environment variable.
SMTPPassword string
// SMTPFromAddress is the sender email address for outbound notifications.
// Example: "certctl@example.com", "noreply@company.com".
// Setting: CERTCTL_SMTP_FROM_ADDRESS environment variable.
SMTPFromAddress string
// SMTPUseTLS enables TLS for the SMTP connection.
// Default: true. Set to false for plain SMTP (not recommended).
// Setting: CERTCTL_SMTP_USE_TLS environment variable.
SMTPUseTLS bool
}
// KeygenConfig controls where private keys are generated.
@@ -111,6 +141,24 @@ type StepCAConfig struct {
ProvisionerPassword string
}
// DigestConfig controls the scheduled certificate digest email feature.
type DigestConfig struct {
// Enabled controls whether periodic digest emails are generated and sent.
// Default: false. When enabled, requires SMTP to be configured.
// Setting: CERTCTL_DIGEST_ENABLED environment variable.
Enabled bool
// Interval is how often digest emails are generated and sent.
// Default: 24 hours. Minimum: 1 hour.
// Setting: CERTCTL_DIGEST_INTERVAL environment variable.
Interval time.Duration
// Recipients is a comma-separated list of email addresses to receive digest emails.
// If empty, digests are sent to all certificate owners.
// Setting: CERTCTL_DIGEST_RECIPIENTS environment variable.
Recipients []string
}
// ACMEConfig contains ACME issuer connector configuration.
type ACMEConfig struct {
// DirectoryURL is the ACME directory URL for certificate issuance.
@@ -130,13 +178,17 @@ type ACMEConfig struct {
// DNSPresentScript is the path to a shell script that creates DNS TXT records.
// Required for dns-01 and dns-persist-01 challenge types.
// Script receives: DOMAIN_NAME, VALIDATION_TOKEN, RECORD_NAME as env vars.
// Script receives these environment variables:
// - CERTCTL_DNS_DOMAIN: domain being validated (e.g., "example.com")
// - CERTCTL_DNS_FQDN: full record name (e.g., "_acme-challenge.example.com" or "_validation-persist.example.com")
// - CERTCTL_DNS_VALUE: TXT record value (key authorization digest for dns-01, or issuer domain info for dns-persist-01)
// - CERTCTL_DNS_TOKEN: ACME challenge token
// Example: /opt/dns-scripts/add-record.sh
DNSPresentScript string
// DNSCleanUpScript is the path to a shell script that removes DNS TXT records.
// Used only for dns-01 challenges to clean up temporary validation records.
// Script receives: DOMAIN_NAME, RECORD_NAME as env vars.
// Script receives the same environment variables as DNSPresentScript.
// Leave empty if cleanup is not needed (e.g., dns-persist-01).
DNSCleanUpScript string
@@ -144,6 +196,13 @@ type ACMEConfig struct {
// Example: "letsencrypt.org" or "zerossl.com". Only used if ChallengeType is "dns-persist-01".
// The record value becomes: "<issuer_domain>; accounturi=<acme_account_uri>"
DNSPersistIssuerDomain string
// ARIEnabled enables ACME Renewal Information (RFC 9702) support.
// When enabled, the renewal scheduler queries the CA for suggested renewal windows
// instead of relying solely on static expiration thresholds.
// Default: false. Requires a CA that supports ARI (e.g., Let's Encrypt).
// Setting: CERTCTL_ACME_ARI_ENABLED environment variable.
ARIEnabled bool
}
// OpenSSLConfig contains OpenSSL/Custom CA issuer connector configuration.
@@ -349,6 +408,12 @@ func Load() (*Config, error) {
PagerDutySeverity: getEnv("CERTCTL_PAGERDUTY_SEVERITY", "warning"),
OpsGenieAPIKey: getEnv("CERTCTL_OPSGENIE_API_KEY", ""),
OpsGeniePriority: getEnv("CERTCTL_OPSGENIE_PRIORITY", "P3"),
SMTPHost: getEnv("CERTCTL_SMTP_HOST", ""),
SMTPPort: getEnvInt("CERTCTL_SMTP_PORT", 587),
SMTPUsername: getEnv("CERTCTL_SMTP_USERNAME", ""),
SMTPPassword: getEnv("CERTCTL_SMTP_PASSWORD", ""),
SMTPFromAddress: getEnv("CERTCTL_SMTP_FROM_ADDRESS", ""),
SMTPUseTLS: getEnvBool("CERTCTL_SMTP_USE_TLS", true),
},
NetworkScan: NetworkScanConfig{
Enabled: getEnvBool("CERTCTL_NETWORK_SCAN_ENABLED", false),
@@ -364,6 +429,20 @@ func Load() (*Config, error) {
Timeout: getEnvDuration("CERTCTL_VERIFY_TIMEOUT", 10*time.Second),
Delay: getEnvDuration("CERTCTL_VERIFY_DELAY", 2*time.Second),
},
ACME: ACMEConfig{
DirectoryURL: getEnv("CERTCTL_ACME_DIRECTORY_URL", ""),
Email: getEnv("CERTCTL_ACME_EMAIL", ""),
ChallengeType: getEnv("CERTCTL_ACME_CHALLENGE_TYPE", "http-01"),
DNSPresentScript: getEnv("CERTCTL_ACME_DNS_PRESENT_SCRIPT", ""),
DNSCleanUpScript: getEnv("CERTCTL_ACME_DNS_CLEANUP_SCRIPT", ""),
DNSPersistIssuerDomain: getEnv("CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN", ""),
ARIEnabled: getEnvBool("CERTCTL_ACME_ARI_ENABLED", false),
},
Digest: DigestConfig{
Enabled: getEnvBool("CERTCTL_DIGEST_ENABLED", false),
Interval: getEnvDuration("CERTCTL_DIGEST_INTERVAL", 24*time.Hour),
Recipients: getEnvList("CERTCTL_DIGEST_RECIPIENTS", nil),
},
}
if err := cfg.Validate(); err != nil {
internal/connector/issuer/acme/acme.go
+4
View File
@@ -54,6 +54,10 @@ type Config struct {
// Used to construct the TXT record value: "<issuer-domain>; accounturi=<account-uri>".
// Required when ChallengeType is "dns-persist-01". For Let's Encrypt, use "letsencrypt.org".
DNSPersistIssuerDomain string `json:"dns_persist_issuer_domain,omitempty"`
// ARIEnabled enables ACME Renewal Information (RFC 9702) support per CERTCTL_ACME_ARI_ENABLED.
// When enabled, the connector queries the CA's ARI endpoint to get CA-directed renewal timing.
ARIEnabled bool `json:"ari_enabled,omitempty"`
}
// Connector implements the issuer.Connector interface for ACME-compatible CAs
internal/connector/issuer/acme/ari.go
+167
View File
@@ -0,0 +1,167 @@
package acme
import (
"context"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"encoding/pem"
"fmt"
"io"
"net/http"
"strings"
"time"
"github.com/shankar0123/certctl/internal/connector/issuer"
)
// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9702 for a certificate.
// certPEM is the PEM-encoded certificate. Returns nil, nil if the CA does not support ARI.
func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
if !c.config.ARIEnabled {
return nil, nil
}
if err := c.ensureClient(ctx); err != nil {
return nil, fmt.Errorf("ACME client init: %w", err)
}
// Parse the certificate to compute the ARI certificate ID
certID, err := computeARICertID(certPEM)
if err != nil {
return nil, fmt.Errorf("failed to compute ARI cert ID: %w", err)
}
c.logger.Debug("retrieving ARI for certificate",
"cert_id", certID)
// Fetch the ACME directory to find the renewalInfo endpoint
renewalInfoURL, err := c.getARIEndpoint(ctx, certID)
if err != nil {
return nil, fmt.Errorf("failed to construct ARI endpoint: %w", err)
}
c.logger.Debug("querying ARI endpoint", "url", renewalInfoURL)
// Make GET request to the ARI endpoint
req, err := http.NewRequestWithContext(ctx, http.MethodGet, renewalInfoURL, nil)
if err != nil {
return nil, fmt.Errorf("create ARI request: %w", err)
}
httpClient := &http.Client{Timeout: 15 * time.Second}
resp, err := httpClient.Do(req)
if err != nil {
return nil, fmt.Errorf("ARI request failed: %w", err)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("read ARI response: %w", err)
}
// 404 means the CA doesn't support ARI or the cert doesn't exist
if resp.StatusCode == http.StatusNotFound {
c.logger.Debug("ARI not supported by CA or cert not found")
return nil, nil
}
// Other non-2xx errors
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
return nil, fmt.Errorf("ARI endpoint returned status %d: %s", resp.StatusCode, string(body))
}
// Parse the ARI response
var ariResp struct {
SuggestedWindow struct {
Start time.Time `json:"start"`
End time.Time `json:"end"`
} `json:"suggestedWindow"`
RetryAfter time.Time `json:"retryAfter,omitempty"`
ExplanationURL string `json:"explanationURL,omitempty"`
}
if err := json.Unmarshal(body, &ariResp); err != nil {
return nil, fmt.Errorf("parse ARI response: %w", err)
}
if ariResp.SuggestedWindow.Start.IsZero() || ariResp.SuggestedWindow.End.IsZero() {
return nil, fmt.Errorf("invalid ARI response: missing or empty suggestedWindow")
}
c.logger.Info("retrieved ARI",
"window_start", ariResp.SuggestedWindow.Start,
"window_end", ariResp.SuggestedWindow.End)
return &issuer.RenewalInfoResult{
SuggestedWindowStart: ariResp.SuggestedWindow.Start,
SuggestedWindowEnd: ariResp.SuggestedWindow.End,
RetryAfter: ariResp.RetryAfter,
ExplanationURL: ariResp.ExplanationURL,
}, nil
}
// computeARICertID computes the ARI certificate ID as defined in RFC 9702.
// The cert ID is base64url(SHA256(DER encoding of the certificate)).
func computeARICertID(certPEM string) (string, error) {
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
return "", fmt.Errorf("invalid PEM: no certificate block found")
}
hash := sha256.Sum256(block.Bytes)
certID := base64.RawURLEncoding.EncodeToString(hash[:])
return certID, nil
}
// getARIEndpoint constructs the ARI endpoint URL from the ACME directory.
// It fetches the directory JSON and extracts the "renewalInfo" field if available.
// Falls back to a standard URL pattern if the directory doesn't advertise renewalInfo.
func (c *Connector) getARIEndpoint(ctx context.Context, certID string) (string, error) {
// Try to fetch and parse the directory
httpClient := &http.Client{Timeout: 15 * time.Second}
req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.config.DirectoryURL, nil)
if err != nil {
return "", fmt.Errorf("create directory request: %w", err)
}
resp, err := httpClient.Do(req)
if err != nil {
// If we can't fetch the directory, try the standard Let's Encrypt pattern
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
}
var dir struct {
RenewalInfo string `json:"renewalInfo,omitempty"`
}
if err := json.Unmarshal(body, &dir); err != nil {
// Malformed directory; use fallback
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
}
if dir.RenewalInfo != "" {
// Directory advertises renewalInfo endpoint
return dir.RenewalInfo + "/" + certID, nil
}
// No renewalInfo in directory; use standard fallback
return constructARIURLFallback(c.config.DirectoryURL, certID), nil
}
// constructARIURLFallback builds an ARI endpoint URL using a standard pattern.
// It replaces "/directory" with "/renewalInfo" in the URL.
func constructARIURLFallback(directoryURL, certID string) string {
// Replace "/directory" with "/renewalInfo/{certID}"
// For Let's Encrypt: https://acme-v02.api.letsencrypt.org/directory
// becomes: https://acme-v02.api.letsencrypt.org/renewalInfo/{certID}
baseURL := strings.TrimSuffix(directoryURL, "/directory")
return baseURL + "/renewalInfo/" + certID
}
internal/connector/issuer/acme/ari_test.go
+251
View File
@@ -0,0 +1,251 @@
package acme
import (
"context"
"encoding/json"
"io"
"log/slog"
"net/http"
"net/http/httptest"
"testing"
)
// TestComputeARICertID_InvalidPEM_Input tests the ARI certificate ID computation with invalid PEM.
func TestComputeARICertID_InvalidPEM_Input(t *testing.T) {
// Test with invalid PEM data
_, err := computeARICertID("not a valid pem")
if err == nil {
t.Error("expected error for invalid PEM")
}
}
func TestConstructARIURLFallback_LetsEncrypt(t *testing.T) {
directoryURL := "https://acme-v02.api.letsencrypt.org/directory"
certID := "abc123"
url := constructARIURLFallback(directoryURL, certID)
expected := "https://acme-v02.api.letsencrypt.org/renewalInfo/abc123"
if url != expected {
t.Errorf("constructARIURLFallback: expected %s, got %s", expected, url)
}
}
func TestConstructARIURLFallback_NoDirectory(t *testing.T) {
directoryURL := "https://example.com/acme"
certID := "xyz789"
url := constructARIURLFallback(directoryURL, certID)
expected := "https://example.com/acme/renewalInfo/xyz789"
if url != expected {
t.Errorf("constructARIURLFallback: expected %s, got %s", expected, url)
}
}
// TestGetRenewalInfo_Disabled tests that ARI returns nil when disabled.
func TestGetRenewalInfo_Disabled(t *testing.T) {
config := &Config{
DirectoryURL: "https://acme.invalid/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: false,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
result, err := connector.GetRenewalInfo(ctx, "any-cert-pem")
if err != nil {
t.Fatalf("GetRenewalInfo failed: %v", err)
}
if result != nil {
t.Error("GetRenewalInfo should return nil when ARI is disabled")
}
}
// TestGetRenewalInfo_NotFound tests handling of 404 response (CA doesn't support ARI).
func TestGetRenewalInfo_NotFound(t *testing.T) {
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mock directory endpoint
if r.URL.Path == "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"newOrder": "/acme/new-order",
"newAccount": "/acme/new-account",
})
return
}
// All other endpoints return 404
http.Error(w, "not found", http.StatusNotFound)
}))
defer mockServer.Close()
config := &Config{
DirectoryURL: mockServer.URL + "/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: true,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
// GetRenewalInfo will fail when parsing the cert PEM, which is expected
result, err := connector.GetRenewalInfo(ctx, "invalid-cert-pem")
if err == nil {
// If it doesn't fail on cert parsing, that's also okay
// The 404 handling happens after cert ID computation
if result != nil {
t.Error("GetRenewalInfo should return nil for 404 response")
}
}
}
// TestGetRenewalInfo_ServerError tests handling of server errors.
func TestGetRenewalInfo_ServerError(t *testing.T) {
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mock directory endpoint
if r.URL.Path == "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"newOrder": "/acme/new-order",
"newAccount": "/acme/new-account",
})
return
}
// All other endpoints return 500
http.Error(w, "internal server error", http.StatusInternalServerError)
}))
defer mockServer.Close()
config := &Config{
DirectoryURL: mockServer.URL + "/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: true,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
_, err := connector.GetRenewalInfo(ctx, "invalid-cert-pem")
// Error is expected because cert parsing fails first
if err == nil {
// If we get here, the server error handling should catch it
t.Error("expected error for invalid cert or 500 response")
}
}
// TestGetRenewalInfo_InvalidPEM tests handling of invalid PEM input.
func TestGetRenewalInfo_InvalidPEM(t *testing.T) {
config := &Config{
DirectoryURL: "https://acme.invalid/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: true,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
_, err := connector.GetRenewalInfo(ctx, "invalid pem data")
if err == nil {
t.Error("GetRenewalInfo should return error for invalid PEM")
}
}
// TestGetRenewalInfo_MalformedResponse tests handling of malformed JSON response.
func TestGetRenewalInfo_MalformedResponse(t *testing.T) {
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mock directory endpoint
if r.URL.Path == "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"renewalInfo": "/acme/renewalInfo",
})
return
}
// Mock renewalInfo with malformed JSON
if r.URL.Path != "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"suggestedWindow": invalid json}`))
return
}
http.Error(w, "not found", http.StatusNotFound)
}))
defer mockServer.Close()
config := &Config{
DirectoryURL: mockServer.URL + "/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: true,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
_, err := connector.GetRenewalInfo(ctx, "invalid-cert-pem")
// Error is expected
if err == nil {
t.Error("GetRenewalInfo should return error for malformed response or invalid cert")
}
}
// TestGetRenewalInfo_MissingWindow tests handling of missing suggestedWindow.
func TestGetRenewalInfo_MissingWindow(t *testing.T) {
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mock directory endpoint
if r.URL.Path == "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"renewalInfo": "/acme/renewalInfo",
})
return
}
// Mock renewalInfo without suggestedWindow
if r.URL.Path != "/directory" && r.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{})
return
}
http.Error(w, "not found", http.StatusNotFound)
}))
defer mockServer.Close()
config := &Config{
DirectoryURL: mockServer.URL + "/directory",
Email: "test@example.com",
ChallengeType: "http-01",
ARIEnabled: true,
}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
connector := New(config, logger)
ctx := context.Background()
_, err := connector.GetRenewalInfo(ctx, "invalid-cert-pem")
// Error is expected due to invalid cert PEM
if err == nil {
t.Error("expected error for invalid cert or missing window")
}
}
internal/connector/issuer/interface.go
+14
View File
@@ -35,6 +35,18 @@ type Connector interface {
// GetCACertPEM returns the PEM-encoded CA certificate chain for this issuer.
// Used by the EST /cacerts endpoint. Returns empty string if not available.
GetCACertPEM(ctx context.Context) (string, error)
// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9702 for a certificate.
// certPEM is the PEM-encoded certificate. Returns nil, nil if the CA does not support ARI.
GetRenewalInfo(ctx context.Context, certPEM string) (*RenewalInfoResult, error)
}
// RenewalInfoResult holds the ACME ARI response from a CA.
type RenewalInfoResult struct {
SuggestedWindowStart time.Time
SuggestedWindowEnd time.Time
RetryAfter time.Time
ExplanationURL string
}
// IssuanceRequest contains the parameters for issuing a new certificate.
@@ -42,6 +54,7 @@ type IssuanceRequest struct {
CommonName string `json:"common_name"`
SANs []string `json:"sans"`
CSRPEM string `json:"csr_pem"`
EKUs []string `json:"ekus,omitempty"` // e.g., "serverAuth", "clientAuth", "emailProtection"
}
// IssuanceResult contains the result of a successful certificate issuance.
@@ -59,6 +72,7 @@ type RenewalRequest struct {
CommonName string `json:"common_name"`
SANs []string `json:"sans"`
CSRPEM string `json:"csr_pem"`
EKUs []string `json:"ekus,omitempty"` // e.g., "serverAuth", "clientAuth", "emailProtection"
OrderID *string `json:"order_id,omitempty"`
}
internal/connector/issuer/local/local.go
+81 -14
View File
@@ -184,8 +184,8 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
return nil, fmt.Errorf("CSR signature verification failed: %w", err)
}
// Generate certificate
cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs)
// Generate certificate with EKUs from request
cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs)
if err != nil {
c.logger.Error("failed to generate certificate", "error", err)
return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -242,8 +242,8 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
return nil, fmt.Errorf("CSR signature verification failed: %w", err)
}
// Generate certificate
cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs)
// Generate certificate with EKUs from request
cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs)
if err != nil {
c.logger.Error("failed to generate certificate", "error", err)
return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -467,7 +467,8 @@ func parsePrivateKey(block *pem.Block) (crypto.Signer, error) {
// generateCertificate creates an X.509 certificate signed by the local CA.
// It uses the CSR subject and adds any additional SANs from the request.
func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string) (*x509.Certificate, string, string, error) {
// If ekus is non-empty, those EKUs are used instead of the default serverAuth+clientAuth.
func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string, ekus []string) (*x509.Certificate, string, string, error) {
// Generate random serial number
serialNum, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
if err != nil {
@@ -506,18 +507,18 @@ func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additional
}
}
// Resolve EKUs: use provided list or fall back to default TLS EKUs
resolvedEKUs, keyUsage := resolveEKUsAndKeyUsage(ekus)
// Create certificate template
now := time.Now()
template := &x509.Certificate{
SerialNumber: serialNum,
Subject: csr.Subject,
NotBefore: now,
NotAfter: now.AddDate(0, 0, c.config.ValidityDays),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageClientAuth,
},
SerialNumber: serialNum,
Subject: csr.Subject,
NotBefore: now,
NotAfter: now.AddDate(0, 0, c.config.ValidityDays),
KeyUsage: keyUsage,
ExtKeyUsage: resolvedEKUs,
DNSNames: dnsNames,
EmailAddresses: emails,
SubjectKeyId: hashPublicKey(csr.PublicKey),
@@ -580,6 +581,67 @@ func isEmail(s string) bool {
return false
}
// ekuNameToX509 maps EKU string names (from domain.ValidEKUs) to x509.ExtKeyUsage constants.
var ekuNameToX509 = map[string]x509.ExtKeyUsage{
"serverAuth": x509.ExtKeyUsageServerAuth,
"clientAuth": x509.ExtKeyUsageClientAuth,
"codeSigning": x509.ExtKeyUsageCodeSigning,
"emailProtection": x509.ExtKeyUsageEmailProtection,
"timeStamping": x509.ExtKeyUsageTimeStamping,
}
// resolveEKUsAndKeyUsage maps EKU string names to x509.ExtKeyUsage constants and computes
// appropriate KeyUsage flags. If ekus is empty/nil, falls back to default TLS EKUs.
//
// Key usage selection:
// - TLS (serverAuth/clientAuth): DigitalSignature | KeyEncipherment
// - S/MIME (emailProtection): DigitalSignature | ContentCommitment (for non-repudiation)
// - Mixed: union of both
func resolveEKUsAndKeyUsage(ekus []string) ([]x509.ExtKeyUsage, x509.KeyUsage) {
if len(ekus) == 0 {
// Default: TLS server + client
return []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageClientAuth,
}, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
}
var resolved []x509.ExtKeyUsage
hasEmail := false
hasTLS := false
for _, name := range ekus {
if eku, ok := ekuNameToX509[name]; ok {
resolved = append(resolved, eku)
if name == "emailProtection" {
hasEmail = true
}
if name == "serverAuth" || name == "clientAuth" {
hasTLS = true
}
}
}
// If no valid EKUs were resolved, fall back to default
if len(resolved) == 0 {
return []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageClientAuth,
}, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
}
// Compute KeyUsage based on EKU mix
keyUsage := x509.KeyUsageDigitalSignature
if hasTLS {
keyUsage |= x509.KeyUsageKeyEncipherment
}
if hasEmail {
keyUsage |= x509.KeyUsageContentCommitment // non-repudiation for S/MIME
}
return resolved, keyUsage
}
// hashPublicKey generates a subject key identifier from a public key.
func hashPublicKey(pub interface{}) []byte {
h := sha256.New()
@@ -673,3 +735,8 @@ func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
}
return c.caCertPEM, nil
}
// GetRenewalInfo returns nil, nil as the Local CA does not support ACME Renewal Information (ARI).
func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
return nil, nil
}
internal/connector/issuer/openssl/openssl.go
+46
View File
@@ -32,9 +32,12 @@ import (
"os"
"os/exec"
"path/filepath"
"regexp"
"time"
"github.com/shankar0123/certctl/internal/connector/issuer"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/validation"
)
// Config represents the OpenSSL/Custom CA issuer connector configuration.
@@ -258,6 +261,36 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
return result, nil
}
// hexSerialRegex validates that a serial number contains only hexadecimal characters.
// Certificate serial numbers are integers represented in hex (RFC 5280).
var hexSerialRegex = regexp.MustCompile(`^[0-9a-fA-F]+$`)
// validateSerial validates a certificate serial number for safe use in shell commands.
// Serial numbers must be non-empty, hex-only strings with no shell metacharacters.
func validateSerial(serial string) error {
if serial == "" {
return fmt.Errorf("serial number cannot be empty")
}
if !hexSerialRegex.MatchString(serial) {
return fmt.Errorf("serial number %q contains non-hex characters (expected ^[0-9a-fA-F]+$)", serial)
}
if err := validation.ValidateShellCommand(serial); err != nil {
return fmt.Errorf("serial number failed shell safety validation: %w", err)
}
return nil
}
// validateRevocationReason validates a revocation reason against RFC 5280 reason codes.
func validateRevocationReason(reason string) error {
if !domain.IsValidRevocationReason(reason) {
return fmt.Errorf("invalid revocation reason %q (must be a valid RFC 5280 reason code)", reason)
}
if err := validation.ValidateShellCommand(reason); err != nil {
return fmt.Errorf("revocation reason failed shell safety validation: %w", err)
}
return nil
}
// RevokeCertificate revokes a certificate by calling the revoke script if configured.
func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.RevocationRequest) error {
if c.config.RevokeScript == "" {
@@ -270,6 +303,14 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca
reason = *request.Reason
}
// Validate serial number (hex-only) and reason code (RFC 5280) before shell execution
if err := validateSerial(request.Serial); err != nil {
return fmt.Errorf("revocation input validation failed: %w", err)
}
if err := validateRevocationReason(reason); err != nil {
return fmt.Errorf("revocation input validation failed: %w", err)
}
c.logger.Info("revoking certificate via revoke script",
"serial", request.Serial,
"reason", reason)
@@ -369,6 +410,11 @@ func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
return "", fmt.Errorf("custom CA connector does not provide CA certificate access")
}
// GetRenewalInfo returns nil, nil as the custom CA connector does not support ACME Renewal Information (ARI).
func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
return nil, nil
}
// --- Helper Methods ---
// writeTempFile writes data to a temporary file and returns its path.
internal/connector/issuer/openssl/openssl_test.go
+137 -2
View File
@@ -289,7 +289,7 @@ func TestOpenSSLConnector(t *testing.T) {
}
revokeReq := issuer.RevocationRequest{
Serial: "test-serial-12345",
Serial: "ABCDEF1234567890",
}
// Should return nil (no-op) when revoke script not configured
@@ -324,8 +324,10 @@ func TestOpenSSLConnector(t *testing.T) {
t.Fatalf("ValidateConfig failed: %v", err)
}
reason := "keyCompromise"
revokeReq := issuer.RevocationRequest{
Serial: "test-serial-12345",
Serial: "ABCDEF1234567890",
Reason: &reason,
}
err := connector.RevokeCertificate(ctx, revokeReq)
@@ -334,6 +336,139 @@ func TestOpenSSLConnector(t *testing.T) {
}
})
// Test 15: RevokeCertificate rejects injection payloads in serial number
t.Run("RevokeCertificate_InjectionSerial", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
revokeScript := filepath.Join(tmpDir, "revoke.sh")
if err := os.WriteFile(revokeScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create revoke script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
RevokeScript: revokeScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
injectionPayloads := []string{
"1234;rm -rf /",
"1234|cat /etc/passwd",
"1234&whoami",
"$(id)",
"`id`",
"1234\nid",
"../../../etc/passwd",
"test-serial-12345", // hyphens not allowed (not hex)
}
for _, payload := range injectionPayloads {
t.Run(payload, func(t *testing.T) {
req := issuer.RevocationRequest{Serial: payload}
err := connector.RevokeCertificate(ctx, req)
if err == nil {
t.Errorf("Expected injection payload %q to be rejected, but it was accepted", payload)
}
})
}
})
// Test 16: RevokeCertificate rejects invalid reason codes
t.Run("RevokeCertificate_InvalidReason", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
revokeScript := filepath.Join(tmpDir, "revoke.sh")
if err := os.WriteFile(revokeScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create revoke script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
RevokeScript: revokeScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
invalidReasons := []string{
"notARealReason",
"keyCompromise;rm -rf /",
"$(whoami)",
"`id`",
}
for _, reason := range invalidReasons {
t.Run(reason, func(t *testing.T) {
r := reason
req := issuer.RevocationRequest{
Serial: "ABCDEF1234567890",
Reason: &r,
}
err := connector.RevokeCertificate(ctx, req)
if err == nil {
t.Errorf("Expected invalid reason %q to be rejected, but it was accepted", reason)
}
})
}
})
// Test 17: RevokeCertificate accepts all valid RFC 5280 reason codes
t.Run("RevokeCertificate_ValidReasons", func(t *testing.T) {
tmpDir := t.TempDir()
signScript := filepath.Join(tmpDir, "sign.sh")
if err := os.WriteFile(signScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create sign script: %v", err)
}
revokeScript := filepath.Join(tmpDir, "revoke.sh")
if err := os.WriteFile(revokeScript, []byte("#!/bin/sh\nexit 0"), 0755); err != nil {
t.Fatalf("Failed to create revoke script: %v", err)
}
config := &openssl.Config{
SignScript: signScript,
RevokeScript: revokeScript,
}
connector := openssl.New(config, logger)
rawConfig, _ := json.Marshal(config)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
validReasons := []string{
"unspecified", "keyCompromise", "caCompromise", "affiliationChanged",
"superseded", "cessationOfOperation", "certificateHold", "privilegeWithdrawn",
}
for _, reason := range validReasons {
t.Run(reason, func(t *testing.T) {
r := reason
req := issuer.RevocationRequest{
Serial: "ABCDEF1234567890",
Reason: &r,
}
err := connector.RevokeCertificate(ctx, req)
if err != nil {
t.Errorf("Expected valid reason %q to be accepted, got error: %v", reason, err)
}
})
}
})
// Test 10: GetOrderStatus always returns "completed"
t.Run("GetOrderStatus", func(t *testing.T) {
tmpDir := t.TempDir()
internal/connector/issuer/stepca/stepca.go
+5
View File
@@ -472,5 +472,10 @@ func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
return "", fmt.Errorf("step-ca serves its own CA certificate at /root; use step-ca's endpoint directly")
}
// GetRenewalInfo returns nil, nil as step-ca does not support ACME Renewal Information (ARI).
func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
return nil, nil
}
// Ensure Connector implements the issuer.Connector interface.
var _ issuer.Connector = (*Connector)(nil)
internal/connector/notifier/email/adapter.go
+42
View File
@@ -0,0 +1,42 @@
package email
import (
"context"
"fmt"
)
// NotifierAdapter bridges the email.Connector (notifier.Connector interface) to the
// service.Notifier interface used by the notification registry. This adapter allows
// the existing email SMTP connector to be registered alongside Slack, Teams, etc.
type NotifierAdapter struct {
connector *Connector
}
// NewNotifierAdapter wraps an email.Connector to implement service.Notifier.
func NewNotifierAdapter(c *Connector) *NotifierAdapter {
return &NotifierAdapter{connector: c}
}
// Channel returns the notification channel identifier.
func (a *NotifierAdapter) Channel() string {
return "Email"
}
// Send delivers a notification via SMTP email.
// The recipient is the email address, subject is used as the email subject,
// and body is the email body content.
func (a *NotifierAdapter) Send(ctx context.Context, recipient string, subject string, body string) error {
if recipient == "" {
return fmt.Errorf("email: recipient address is required")
}
return a.connector.sendEmail(ctx, recipient, subject, body)
}
// SendHTML delivers an HTML email notification via SMTP.
// Used by the digest service for rich HTML digest emails.
func (a *NotifierAdapter) SendHTML(ctx context.Context, recipient string, subject string, htmlBody string) error {
if recipient == "" {
return fmt.Errorf("email: recipient address is required")
}
return a.connector.sendHTMLEmail(ctx, recipient, subject, htmlBody)
}
internal/connector/notifier/email/adapter_test.go
+47
View File
@@ -0,0 +1,47 @@
package email
import (
"context"
"testing"
)
func TestNotifierAdapter_Channel(t *testing.T) {
connector := New(&Config{
SMTPHost: "smtp.example.com",
SMTPPort: 587,
FromAddress: "test@example.com",
}, nil)
adapter := NewNotifierAdapter(connector)
if adapter.Channel() != "Email" {
t.Errorf("expected channel 'Email', got '%s'", adapter.Channel())
}
}
func TestNotifierAdapter_Send_EmptyRecipient(t *testing.T) {
connector := New(&Config{
SMTPHost: "smtp.example.com",
SMTPPort: 587,
FromAddress: "test@example.com",
}, nil)
adapter := NewNotifierAdapter(connector)
err := adapter.Send(context.Background(), "", "test subject", "test body")
if err == nil {
t.Fatal("expected error for empty recipient")
}
}
func TestNotifierAdapter_SendHTML_EmptyRecipient(t *testing.T) {
connector := New(&Config{
SMTPHost: "smtp.example.com",
SMTPPort: 587,
FromAddress: "test@example.com",
}, nil)
adapter := NewNotifierAdapter(connector)
err := adapter.SendHTML(context.Background(), "", "test subject", "<html>test</html>")
if err == nil {
t.Fatal("expected error for empty recipient")
}
}
internal/connector/notifier/email/email.go
+80
View File
@@ -195,6 +195,73 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
return nil
}
// sendHTMLEmail sends an HTML email message using the configured SMTP server.
// Used by the digest service for rich HTML digest emails.
func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody string) error {
addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))
var auth smtp.Auth
if c.config.Username != "" && c.config.Password != "" {
auth = smtp.PlainAuth("", c.config.Username, c.config.Password, c.config.SMTPHost)
}
var conn net.Conn
var err error
if c.config.UseTLS {
tlsConfig := &tls.Config{
ServerName: c.config.SMTPHost,
}
conn, err = tls.Dial("tcp", addr, tlsConfig)
if err != nil {
return fmt.Errorf("failed to connect via TLS: %w", err)
}
} else {
conn, err = net.Dial("tcp", addr)
if err != nil {
return fmt.Errorf("failed to connect: %w", err)
}
}
defer conn.Close()
client, err := smtp.NewClient(conn, c.config.SMTPHost)
if err != nil {
return fmt.Errorf("failed to create SMTP client: %w", err)
}
defer client.Close()
if auth != nil {
if err := client.Auth(auth); err != nil {
return fmt.Errorf("SMTP authentication failed: %w", err)
}
}
if err := client.Mail(c.config.FromAddress); err != nil {
return fmt.Errorf("failed to set sender: %w", err)
}
if err := client.Rcpt(to); err != nil {
return fmt.Errorf("failed to set recipient: %w", err)
}
wc, err := client.Data()
if err != nil {
return fmt.Errorf("failed to get data writer: %w", err)
}
defer wc.Close()
message := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
if _, err := wc.Write(message); err != nil {
return fmt.Errorf("failed to write message: %w", err)
}
if err := client.Quit(); err != nil {
return fmt.Errorf("failed to quit SMTP: %w", err)
}
return nil
}
// formatEmailMessage formats an email message with standard headers.
func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
message := fmt.Sprintf(
@@ -208,6 +275,19 @@ func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
return []byte(message)
}
// formatHTMLEmailMessage formats an HTML email message with MIME headers.
func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) []byte {
message := fmt.Sprintf(
"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s",
from,
to,
subject,
time.Now().Format(time.RFC1123Z),
htmlBody,
)
return []byte(message)
}
// formatAlertBody formats an alert notification as email body text.
func (c *Connector) formatAlertBody(alert notifier.Alert) string {
body := fmt.Sprintf(`
internal/domain/agent_group_test.go
+166
View File
@@ -0,0 +1,166 @@
package domain
import "testing"
func TestAgentGroup_HasDynamicCriteria_True(t *testing.T) {
tests := []AgentGroup{
{MatchOS: "linux"},
{MatchArchitecture: "amd64"},
{MatchIPCIDR: "192.168.1.0/24"},
{MatchVersion: "1.0.0"},
{MatchOS: "linux", MatchArchitecture: "amd64"},
}
for i, g := range tests {
if !g.HasDynamicCriteria() {
t.Errorf("test %d: expected HasDynamicCriteria=true, got false", i)
}
}
}
func TestAgentGroup_HasDynamicCriteria_False(t *testing.T) {
tests := []AgentGroup{
{},
{Name: "test-group"},
{Description: "some description"},
{Name: "test-group", Description: "description", Enabled: true},
}
for i, g := range tests {
if g.HasDynamicCriteria() {
t.Errorf("test %d: expected HasDynamicCriteria=false, got true", i)
}
}
}
func TestAgentGroup_MatchesAgent_AllCriteriaMatch(t *testing.T) {
group := &AgentGroup{
MatchOS: "linux",
MatchArchitecture: "amd64",
MatchVersion: "1.0.0",
MatchIPCIDR: "192.168.1.1",
}
agent := &Agent{
OS: "linux",
Architecture: "amd64",
Version: "1.0.0",
IPAddress: "192.168.1.1",
}
if !group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=true, got false")
}
}
func TestAgentGroup_MatchesAgent_OSMismatch(t *testing.T) {
group := &AgentGroup{
MatchOS: "linux",
}
agent := &Agent{
OS: "darwin",
}
if group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=false (OS mismatch), got true")
}
}
func TestAgentGroup_MatchesAgent_ArchMismatch(t *testing.T) {
group := &AgentGroup{
MatchArchitecture: "amd64",
}
agent := &Agent{
Architecture: "arm64",
}
if group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=false (architecture mismatch), got true")
}
}
func TestAgentGroup_MatchesAgent_VersionMismatch(t *testing.T) {
group := &AgentGroup{
MatchVersion: "1.0.0",
}
agent := &Agent{
Version: "2.0.0",
}
if group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=false (version mismatch), got true")
}
}
func TestAgentGroup_MatchesAgent_IPMismatch(t *testing.T) {
group := &AgentGroup{
MatchIPCIDR: "192.168.1.1",
}
agent := &Agent{
IPAddress: "192.168.1.2",
}
if group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=false (IP mismatch), got true")
}
}
func TestAgentGroup_MatchesAgent_EmptyCriteriaMatchesAll(t *testing.T) {
group := &AgentGroup{}
agent := &Agent{
OS: "linux",
Architecture: "amd64",
Version: "1.0.0",
IPAddress: "192.168.1.1",
}
if !group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=true (empty criteria matches all), got false")
}
}
func TestAgentGroup_MatchesAgent_PartialCriteria(t *testing.T) {
group := &AgentGroup{
MatchOS: "linux",
MatchArchitecture: "amd64",
}
agent := &Agent{
OS: "linux",
Architecture: "amd64",
Version: "1.0.0",
IPAddress: "192.168.1.1",
}
if !group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=true (partial criteria), got false")
}
}
func TestAgentGroup_MatchesAgent_MultipleMatches(t *testing.T) {
group := &AgentGroup{
MatchOS: "linux",
MatchArchitecture: "amd64",
MatchVersion: "1.0.0",
}
// Matching agent
agent := &Agent{
OS: "linux",
Architecture: "amd64",
Version: "1.0.0",
}
if !group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=true for matching agent, got false")
}
// Non-matching agent (version mismatch)
agent.Version = "0.9.0"
if group.MatchesAgent(agent) {
t.Errorf("expected MatchesAgent=false for non-matching agent, got true")
}
}
internal/domain/ari.go
+35
View File
@@ -0,0 +1,35 @@
package domain
import "time"
// RenewalInfo represents ACME Renewal Information (ARI) per RFC 9702.
// It provides CA-directed renewal timing via a suggested renewal window.
type RenewalInfo struct {
// SuggestedWindowStart is the beginning of the time window during which the CA suggests renewal.
SuggestedWindowStart time.Time `json:"suggested_window_start"`
// SuggestedWindowEnd is the end of the time window during which the CA suggests renewal.
SuggestedWindowEnd time.Time `json:"suggested_window_end"`
// RetryAfter is the earliest time the client should re-poll for updated ARI.
// Zero value means no retry constraint.
RetryAfter time.Time `json:"retry_after,omitempty"`
// ExplanationURL is an optional URL with human-readable explanation for the renewal timing.
ExplanationURL string `json:"explanation_url,omitempty"`
}
// ShouldRenewNow returns true if the current time is within or past the suggested renewal window.
// This is the primary decision point: if true, renewal should proceed immediately.
func (r *RenewalInfo) ShouldRenewNow() bool {
now := time.Now()
return !now.Before(r.SuggestedWindowStart)
}
// OptimalRenewalTime returns the midpoint of the suggested renewal window,
// which is the recommended time to initiate renewal per RFC 9702.
// This can be used for scheduling if the current time is before the window.
func (r *RenewalInfo) OptimalRenewalTime() time.Time {
duration := r.SuggestedWindowEnd.Sub(r.SuggestedWindowStart)
return r.SuggestedWindowStart.Add(duration / 2)
}
internal/domain/ari_test.go
+100
View File
@@ -0,0 +1,100 @@
package domain
import (
"testing"
"time"
)
func TestRenewalInfo_ShouldRenewNow_BeforeWindow(t *testing.T) {
now := time.Now()
windowStart := now.Add(1 * time.Hour)
windowEnd := now.Add(2 * time.Hour)
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
if ri.ShouldRenewNow() {
t.Error("ShouldRenewNow should be false before window start")
}
}
func TestRenewalInfo_ShouldRenewNow_AtWindowStart(t *testing.T) {
now := time.Now()
windowStart := now
windowEnd := now.Add(1 * time.Hour)
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
if !ri.ShouldRenewNow() {
t.Error("ShouldRenewNow should be true at window start")
}
}
func TestRenewalInfo_ShouldRenewNow_DuringWindow(t *testing.T) {
now := time.Now()
windowStart := now.Add(-30 * time.Minute)
windowEnd := now.Add(30 * time.Minute)
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
if !ri.ShouldRenewNow() {
t.Error("ShouldRenewNow should be true during window")
}
}
func TestRenewalInfo_ShouldRenewNow_AfterWindowEnd(t *testing.T) {
now := time.Now()
windowStart := now.Add(-2 * time.Hour)
windowEnd := now.Add(-1 * time.Hour)
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
if !ri.ShouldRenewNow() {
t.Error("ShouldRenewNow should be true after window end")
}
}
func TestRenewalInfo_OptimalRenewalTime_Midpoint(t *testing.T) {
windowStart := time.Unix(1000, 0)
windowEnd := time.Unix(3000, 0)
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
optimal := ri.OptimalRenewalTime()
expected := time.Unix(2000, 0) // (1000 + 3000) / 2
if !optimal.Equal(expected) {
t.Errorf("OptimalRenewalTime: expected %v, got %v", expected, optimal)
}
}
func TestRenewalInfo_OptimalRenewalTime_AsymmetricWindow(t *testing.T) {
windowStart := time.Unix(1000, 0)
windowEnd := time.Unix(1300, 0) // 300 second window
ri := &RenewalInfo{
SuggestedWindowStart: windowStart,
SuggestedWindowEnd: windowEnd,
}
optimal := ri.OptimalRenewalTime()
expected := time.Unix(1150, 0) // start + 150 seconds
if !optimal.Equal(expected) {
t.Errorf("OptimalRenewalTime: expected %v, got %v", expected, optimal)
}
}
internal/domain/certificate_test.go
+80
View File
@@ -0,0 +1,80 @@
package domain
import "testing"
func TestCertificateStatus_Constants(t *testing.T) {
tests := map[string]CertificateStatus{
"Pending": CertificateStatusPending,
"Active": CertificateStatusActive,
"Expiring": CertificateStatusExpiring,
"Expired": CertificateStatusExpired,
"RenewalInProgress": CertificateStatusRenewalInProgress,
"Failed": CertificateStatusFailed,
"Revoked": CertificateStatusRevoked,
"Archived": CertificateStatusArchived,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestDefaultAlertThresholds(t *testing.T) {
defaults := DefaultAlertThresholds()
expected := []int{30, 14, 7, 0}
if len(defaults) != len(expected) {
t.Errorf("expected %d thresholds, got %d", len(expected), len(defaults))
}
for i, v := range expected {
if i >= len(defaults) {
break
}
if defaults[i] != v {
t.Errorf("threshold[%d]: expected %d, got %d", i, v, defaults[i])
}
}
}
func TestRenewalPolicy_EffectiveAlertThresholds_Custom(t *testing.T) {
policy := &RenewalPolicy{
AlertThresholdsDays: []int{60, 30, 14, 7},
}
result := policy.EffectiveAlertThresholds()
if len(result) != 4 {
t.Errorf("expected 4 thresholds, got %d", len(result))
}
if result[0] != 60 {
t.Errorf("expected first threshold 60, got %d", result[0])
}
}
func TestRenewalPolicy_EffectiveAlertThresholds_Default(t *testing.T) {
policy := &RenewalPolicy{
AlertThresholdsDays: []int{},
}
result := policy.EffectiveAlertThresholds()
expected := DefaultAlertThresholds()
if len(result) != len(expected) {
t.Errorf("expected %d thresholds, got %d", len(expected), len(result))
}
for i, v := range expected {
if i >= len(result) {
break
}
if result[i] != v {
t.Errorf("threshold[%d]: expected %d, got %d", i, v, result[i])
}
}
}
func TestRenewalPolicy_EffectiveAlertThresholds_Nil(t *testing.T) {
policy := &RenewalPolicy{
AlertThresholdsDays: nil,
}
result := policy.EffectiveAlertThresholds()
expected := DefaultAlertThresholds()
if len(result) != len(expected) {
t.Errorf("expected %d thresholds, got %d", len(expected), len(result))
}
}
internal/domain/job_test.go
+34
View File
@@ -0,0 +1,34 @@
package domain
import "testing"
func TestJobType_Constants(t *testing.T) {
tests := map[string]JobType{
"Issuance": JobTypeIssuance,
"Renewal": JobTypeRenewal,
"Deployment": JobTypeDeployment,
"Validation": JobTypeValidation,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestJobStatus_Constants(t *testing.T) {
tests := map[string]JobStatus{
"Pending": JobStatusPending,
"AwaitingCSR": JobStatusAwaitingCSR,
"AwaitingApproval": JobStatusAwaitingApproval,
"Running": JobStatusRunning,
"Completed": JobStatusCompleted,
"Failed": JobStatusFailed,
"Cancelled": JobStatusCancelled,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
internal/domain/notification_test.go
+73
View File
@@ -0,0 +1,73 @@
package domain
import "testing"
func TestNotificationType_Constants(t *testing.T) {
tests := map[string]NotificationType{
"ExpirationWarning": NotificationTypeExpirationWarning,
"RenewalSuccess": NotificationTypeRenewalSuccess,
"RenewalFailure": NotificationTypeRenewalFailure,
"DeploymentSuccess": NotificationTypeDeploymentSuccess,
"DeploymentFailure": NotificationTypeDeploymentFailure,
"PolicyViolation": NotificationTypePolicyViolation,
"Revocation": NotificationTypeRevocation,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestNotificationChannel_Constants(t *testing.T) {
tests := map[string]NotificationChannel{
"Email": NotificationChannelEmail,
"Webhook": NotificationChannelWebhook,
"Slack": NotificationChannelSlack,
"Teams": NotificationChannelTeams,
"PagerDuty": NotificationChannelPagerDuty,
"OpsGenie": NotificationChannelOpsGenie,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestNotificationEvent_Fields(t *testing.T) {
// This test verifies the NotificationEvent struct can be instantiated
// with all expected fields.
certID := "mc-123"
errorMsg := "failed to send"
event := &NotificationEvent{
ID: "notif-1",
Type: NotificationTypeExpirationWarning,
CertificateID: &certID,
Channel: NotificationChannelSlack,
Recipient: "alerts@example.com",
Message: "Certificate expiring in 30 days",
Status: "sent",
Error: &errorMsg,
}
if event.ID != "notif-1" {
t.Errorf("expected ID 'notif-1', got %s", event.ID)
}
if event.Type != NotificationTypeExpirationWarning {
t.Errorf("expected type ExpirationWarning, got %s", string(event.Type))
}
if event.Channel != NotificationChannelSlack {
t.Errorf("expected channel Slack, got %s", string(event.Channel))
}
if event.CertificateID == nil || *event.CertificateID != "mc-123" {
t.Errorf("expected CertificateID mc-123, got %v", event.CertificateID)
}
if event.Error == nil || *event.Error != "failed to send" {
t.Errorf("expected error 'failed to send', got %v", event.Error)
}
}
internal/domain/policy_test.go
+102
View File
@@ -0,0 +1,102 @@
package domain
import "testing"
func TestPolicyType_Constants(t *testing.T) {
tests := map[string]PolicyType{
"AllowedIssuers": PolicyTypeAllowedIssuers,
"AllowedDomains": PolicyTypeAllowedDomains,
"RequiredMetadata": PolicyTypeRequiredMetadata,
"AllowedEnvironments": PolicyTypeAllowedEnvironments,
"RenewalLeadTime": PolicyTypeRenewalLeadTime,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestPolicySeverity_Constants(t *testing.T) {
tests := map[string]PolicySeverity{
"Warning": PolicySeverityWarning,
"Error": PolicySeverityError,
"Critical": PolicySeverityCritical,
}
for expected, got := range tests {
if string(got) != expected {
t.Errorf("expected %q, got %q", expected, string(got))
}
}
}
func TestPolicyRule_Fields(t *testing.T) {
// This test verifies the PolicyRule struct can be instantiated
// with all expected fields.
rule := &PolicyRule{
ID: "rule-1",
Name: "Allowed Issuers",
Type: PolicyTypeAllowedIssuers,
Enabled: true,
}
if rule.ID != "rule-1" {
t.Errorf("expected ID 'rule-1', got %s", rule.ID)
}
if rule.Name != "Allowed Issuers" {
t.Errorf("expected Name 'Allowed Issuers', got %s", rule.Name)
}
if rule.Type != PolicyTypeAllowedIssuers {
t.Errorf("expected Type AllowedIssuers, got %s", string(rule.Type))
}
if !rule.Enabled {
t.Errorf("expected Enabled=true, got false")
}
}
func TestPolicyViolation_Fields(t *testing.T) {
// This test verifies the PolicyViolation struct can be instantiated
// with all expected fields.
violation := &PolicyViolation{
ID: "violation-1",
CertificateID: "mc-123",
RuleID: "rule-1",
Message: "Certificate issued by unauthorized CA",
Severity: PolicySeverityCritical,
}
if violation.ID != "violation-1" {
t.Errorf("expected ID 'violation-1', got %s", violation.ID)
}
if violation.CertificateID != "mc-123" {
t.Errorf("expected CertificateID 'mc-123', got %s", violation.CertificateID)
}
if violation.RuleID != "rule-1" {
t.Errorf("expected RuleID 'rule-1', got %s", violation.RuleID)
}
if violation.Severity != PolicySeverityCritical {
t.Errorf("expected Severity Critical, got %s", string(violation.Severity))
}
}
func TestPolicySeverity_Ordering(t *testing.T) {
// This test verifies severity ordering is correct (for potential future use
// in ranking violations by impact).
severities := []PolicySeverity{
PolicySeverityWarning,
PolicySeverityError,
PolicySeverityCritical,
}
for i, severity := range severities {
if string(severity) == "" {
t.Errorf("severity %d has empty string value", i)
}
}
}

Some files were not shown because too many files have changed in this diff Show More