# fetchcert configuration example / documentation
# ===============================================

# Default command execution timeout (seconds). 5 seconds is the default.
command_timeout: 5

# The UNIX socket the main program listens on. May be omitted if the program
# is intended to run in standalone mode only.
socket:
  # The path to the UNIX socket.
  path: /tmp/socket
  # A group name to set as the socket's owner. No group change will occur if
  # this entry is not set.
  group: users
  # The socket's access mode. Defaults to 0640.
  mode: 0640

# Configuration for the LDAP servers and structure.
ldap:

  structure:
    # Base DN that will be appended to certificate DNs
    base_dn: ou=certificates,dc=example,dc=org
    # Name of the attribute that will contain an end entity certificate
    # in the LDAP objects.
    end_entity: userCertificate;binary
    # Name of the attribute that will contain a CA certificate in the LDAP
    # objects.
    ca_certificate: cACertificate;binary
    # Attribute that will contain the DN of the next certificate in the chain.
    ca_chaining: seeAlso

  # These are the defaults for the LDAP server connections. May be completely
  # omitted.
  defaults:
    # Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
    # 389.
    port: 636
    # TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
    # "starttls" for TLS over a clear connection, or "no" to use a clear
    # connection. Defaults to "no".
    tls: yes
    # Skip server certificate check. Defaults to false.
    tls_skip_verify: false
    # CA certificate chain. Can be omitted if the systems' trusted CAs must be
    # used, or if no TLS is being used.
    ca_chain: /path/to/ca/chain.pem
    # LDAP user (as a DN) and password to bind with. Both fields may be
    # omitted if anonymous binds are to be used.
    bind_user: cn=fetchcert,ou=automation,dc=example,dc=org
    bind_password: drowssap

  # Configurations for each LDAP server. Each entry must incluse a "host"
  # field which defines the host name for the server ; it may also redefine
  # any of the defaults above.
  servers:
    - host: ldap1.example.org
    - host: ldap2.example.org

# Handlers. Certificate updates can specify that a handler must be executed
# if the PEM file is replaced. A handler will only be executed once for all
# triggered updates. Each handler is a list of commands. When a handler runs,
# the first command that fails will stop the execution.
handlers:
  apache:
    - /usr/sbin/apache2ctl configtest
    - /usr/sbin/apache2ctl graceful

# Handler command timeouts. If this section is missing, or if no entry is
# present for a handler, the default command timeout will be used.
handler_timeouts:
  apache: 1

# Certificates that must be updated
certificates:

    # Path to the file to generate
  - path: /etc/ssl/private/cert1.pem
    # Access mode, owner and group for the file. May be omitted. The mode
    # will default to 0644 if unspecified.
    mode: 0640
    owner: root
    group: somegroup
    # A list of files to prepend. Can be used to e.g. copy the private key
    # into this file.
    prepend_files:
      - /some/file.pem
    # DN of the certificate itself. If a base DN is defined in the LDAP
    # section, it will be appended to this value. Can be omitted if either
    # the ca or ca_chain_of fields below are in use.
    certificate: cn=www.example.org,ou=webservers
    # A list of DNs of CA certificates. The base DN from the LDAP section will
    # be appended to each entry if defined. If this list is empty and the
    # ca_chain_of field below is undefined as well, the certificate field
    # above must be defined.
    ca: ['cn=root,ou=ca','cn=interm,ou=ca']
    # Alternatively, CA chaining using the LDAP attribute defined above can
    # be used by specifying the DN of a certificate here. The certificate
    # matching the DN will be ignored, it will only be used as the start of
    # the chain. Using this mechanism is incompatible with usage of the ca
    # field above.
    ca_chain_of: cn=www.example.org,ou=webservers
    # Reverse order. If this is false, the main certificate will be written
    # first, followed by the first intermediary certificate, and so on until
    # the root CA certificate is found. If this is true, the first certificate
    # in the file will be the root CA certificate.
    reverse: false
    # A list of files to append to the output.
    append_files:
      - /some/other/file.pem
    # Define what must be done after an update.
    after_update:
      # Command execution timeout for pre- and post-commands. If this entry is
      # missing, the default from command_timeout above will be used. This does
      # not affect handlers.
      command_timeout: 1
      # Commands to execute before handlers are run. The order of the commands
      # is respected. If a command fails to run, execution stops.
      pre_commands: []
      # Handlers to trigger. Handlers will still be executed if a pre-command
      # had failed but they were triggered by more than one update. Execution
      # order is arbitrary.
      handlers:
        - apache
      # Commands to execute after handlers are run.
      post_commands: []