fetchcert/README.md

fetchcert
=========

`fetchcert` is a somewhat overengineered program that fetches certificates from
LDAP servers, installs them if they are new or have changed, and runs commands
after that.

It can be used as a standalone program (e.g. from a cron) or as a server which
uses a UNIX socket to receive commands. This ability could be used to connect
the server to a message bus, for example.

Configuration
-------------

`fetchcert` reads its configuration from a YAML file. The
`fetch-certificates.yml.example` file in this repository contains information
about the specific structure of the file; this section describes the principles
behind it.

### Certificates

 that lists PEM files that
must be maintained. Each PEM file can be generated by:

  * prepending and/or appending local PEM files,
  * adding an end-entity certificate from the LDAP server,
  * adding CA certificates from the LDAP server.

CA certificate chains can be specified directly as a list of LDAP DNs. However
it is also possible to use some LDAP attribute (e.g. `seeAlso`) to represent the
next CA certificate in the chain. `fetchcert` is capable of following these
links.

### Commands and handlers

When a PEM file is replaced by the program, it is capable of running various
commands. Each PEM file section can configure:

  * __pre-commands__, which will be executed right after the certificate is
    replaced ;
  * __handlers__; a handler is only executed once, even if multiple certificates
    triggered it. Handlers are defined as lists of command in another section
    of the configuration file.
  * __post-commands__ are executed for each PEM file after handlers have run.

Execution of commands is interrupted for a given file if a command fails.

### Other configuration elements

In addition to the certificate files and handlers, the configuration file must
also contain the LDAP server(s) configuration, and the configuration for the
UNIX socket if the program is used in client/server mode.

Usage
-----

### Common options

The following options are available in all modes:

  * `-c <file>` / `--config <file>` specifies the path to the configuration
    file; by default `/etc/fetch-certificates.yml` will be used.
  * `-F <log-file>` / `--log-file <log-file>` specifies the path to a log file.
    By default, logs are not written to a file.
  * `-g <server>:<port>` / `--log-graylog <server>:<port>` sends logs to a
    Graylog server using GELF over UDP.
  * `-l <log-level>` / `--log-level <log-level>` can be used to change the log
    level, which defaults to `info`.
  * `-q` / `--quiet` prevents logging to the standard error stream.
  * `-s` / `--syslog` send logs to syslog. Logs will be sent with the
    `fetchcert` application name.

The `-h` / `--help` can be used to display command line help. Finally, the
`-m` / `--mode` option can be used to specify the execution mode (standalone,
client or server). See below for more information.

### Standalone mode

If the `-m standalone` option is specified (or if no `-m` option is used), the
program runs in standalone mode, updating certificate files and running commands
directly.

  * `-f` / `--force` forces the program to replace all certificate files and
    execute the commands and handlers.
  * `-u <dn>` / `--update <dn>` specifies a LDAP DN which will act as a
    selector. Only files which use the certificate from that DN will be
    considered for update.

### Client mode

If the `-m client` option is specified, the program runs in client mode. In this
mode, it will send commands and update requests to the server based on the
command line arguments below.

  * `-C <command>` / `--command <command>` sends the command to the server. The
    command may be either `Q` (which will cause the server to stop) or `R`
    (which will force the server to reload its configuration file). If this
    command line option is used, the client will not send an update request.
  * `-f` / `--force` sends a flag that forces the server to replace all
    certificate files and execute the commands and handlers.
  * `-u <dn>` / `--update <dn>` specifies a LDAP DN which will act as a
    selector. The server will only replace files which use the certificate from
    that DN.

### Server mode

If the `-m server` command line option is specified, the program starts and
runs in server mode. No additional options are needed.
Added documentation and GPL3 licence 2021-12-05 10:13:20 +01:00			`fetchcert`
			`=========`

			`fetchcert` is a somewhat overengineered program that fetches certificates from
			`LDAP servers, installs them if they are new or have changed, and runs commands`
			`after that.`

			`It can be used as a standalone program (e.g. from a cron) or as a server which`
			`uses a UNIX socket to receive commands. This ability could be used to connect`
			`the server to a message bus, for example.`

			`Configuration`
			`-------------`

			`fetchcert` reads its configuration from a YAML file. The
			`fetch-certificates.yml.example` file in this repository contains information
			`about the specific structure of the file; this section describes the principles`
			`behind it.`

			`### Certificates`

			`that lists PEM files that`
			`must be maintained. Each PEM file can be generated by:`

			`* prepending and/or appending local PEM files,`
			`* adding an end-entity certificate from the LDAP server,`
			`* adding CA certificates from the LDAP server.`

			`CA certificate chains can be specified directly as a list of LDAP DNs. However`
			it is also possible to use some LDAP attribute (e.g. `seeAlso`) to represent the
			next CA certificate in the chain. `fetchcert` is capable of following these
			`links.`

			`### Commands and handlers`

			`When a PEM file is replaced by the program, it is capable of running various`
			`commands. Each PEM file section can configure:`

			`* __pre-commands__, which will be executed right after the certificate is`
			`replaced ;`
			`* __handlers__; a handler is only executed once, even if multiple certificates`
			`triggered it. Handlers are defined as lists of command in another section`
			`of the configuration file.`
			`* __post-commands__ are executed for each PEM file after handlers have run.`

			`Execution of commands is interrupted for a given file if a command fails.`

			`### Other configuration elements`

			`In addition to the certificate files and handlers, the configuration file must`
			`also contain the LDAP server(s) configuration, and the configuration for the`
			`UNIX socket if the program is used in client/server mode.`

			`Usage`
			`-----`

			`### Common options`

			`The following options are available in all modes:`

			* `-c <file>` / `--config <file>` specifies the path to the configuration
			file; by default `/etc/fetch-certificates.yml` will be used.
			* `-F <log-file>` / `--log-file <log-file>` specifies the path to a log file.
			`By default, logs are not written to a file.`
			* `-g <server>:<port>` / `--log-graylog <server>:<port>` sends logs to a
			`Graylog server using GELF over UDP.`
			* `-l <log-level>` / `--log-level <log-level>` can be used to change the log
			level, which defaults to `info`.
			* `-q` / `--quiet` prevents logging to the standard error stream.
			* `-s` / `--syslog` send logs to syslog. Logs will be sent with the
			`fetchcert` application name.

			The `-h` / `--help` can be used to display command line help. Finally, the
			`-m` / `--mode` option can be used to specify the execution mode (standalone,
			`client or server). See below for more information.`

			`### Standalone mode`

			If the `-m standalone` option is specified (or if no `-m` option is used), the
			`program runs in standalone mode, updating certificate files and running commands`
			`directly.`

			* `-f` / `--force` forces the program to replace all certificate files and
			`execute the commands and handlers.`
			* `-u <dn>` / `--update <dn>` specifies a LDAP DN which will act as a
			`selector. Only files which use the certificate from that DN will be`
			`considered for update.`

			`### Client mode`

			If the `-m client` option is specified, the program runs in client mode. In this
			`mode, it will send commands and update requests to the server based on the`
			`command line arguments below.`

			* `-C <command>` / `--command <command>` sends the command to the server. The
			command may be either `Q` (which will cause the server to stop) or `R`
			`(which will force the server to reload its configuration file). If this`
			`command line option is used, the client will not send an update request.`
			* `-f` / `--force` sends a flag that forces the server to replace all
			`certificate files and execute the commands and handlers.`
			* `-u <dn>` / `--update <dn>` specifies a LDAP DN which will act as a
			`selector. The server will only replace files which use the certificate from`
			`that DN.`

			`### Server mode`

			If the `-m server` command line option is specified, the program starts and
			`runs in server mode. No additional options are needed.`