fetchcert/fetch-certificates.yml.example

125 lines
5.1 KiB
Text

# fetchcert configuration example / documentation
# ===============================================
# Default command execution timeout (seconds). 5 seconds is the default.
command_timeout: 5
# The UNIX socket the main program listens on. May be omitted if the program
# is intended to run in standalone mode only.
socket:
# The path to the UNIX socket.
path: /tmp/socket
# A group name to set as the socket's owner. No group change will occur if
# this entry is not set.
group: users
# The socket's access mode. Defaults to 0640.
mode: 0640
# Configuration for the LDAP servers and structure.
ldap:
structure:
# Base DN that will be appended to certificate DNs
base_dn: ou=certificates,dc=example,dc=org
# Name of the attribute that will contain an end entity certificate
# in the LDAP objects.
end_entity: userCertificate;binary
# Name of the attribute that will contain a CA certificate in the LDAP
# objects.
ca_certificate: cACertificate;binary
# Attribute that will contain the DN of the next certificate in the chain.
ca_chaining: seeAlso
# These are the defaults for the LDAP server connections. May be completely
# omitted.
defaults:
# Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
# 389.
port: 636
# TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
# "starttls" for TLS over a clear connection, or "no" to use a clear
# connection. Defaults to "no".
tls: yes
# Skip server certificate check. Defaults to false.
tls_skip_verify: false
# CA certificate chain. Can be omitted if the systems' trusted CAs must be
# used, or if no TLS is being used.
ca_chain: /path/to/ca/chain.pem
# LDAP user (as a DN) and password to bind with. Both fields may be
# omitted if anonymous binds are to be used.
bind_user: cn=fetchcert,ou=automation,dc=example,dc=org
bind_password: drowssap
# Configurations for each LDAP server. Each entry must incluse a "host"
# field which defines the host name for the server ; it may also redefine
# any of the defaults above.
servers:
- host: ldap1.example.org
- host: ldap2.example.org
# Handlers. Certificate updates can specify that a handler must be executed
# if the PEM file is replaced. A handler will only be executed once for all
# triggered updates. Each handler is a list of commands. When a handler runs,
# the first command that fails will stop the execution.
handlers:
apache:
- /usr/sbin/apache2ctl configtest
- /usr/sbin/apache2ctl graceful
# Handler command timeouts. If this section is missing, or if no entry is
# present for a handler, the default command timeout will be used.
handler_timeouts:
apache: 1
# Certificates that must be updated
certificates:
# Path to the file to generate
- path: /etc/ssl/private/cert1.pem
# Access mode, owner and group for the file. May be omitted.
mode: 0640
owner: root
group: somegroup
# A list of files to prepend. Can be used to e.g. copy the private key
# into this file.
prepend_files:
- /some/file.pem
# DN of the certificate itself. If a base DN is defined in the LDAP
# section, it will be appended to this value. Can be omitted if either
# the ca or ca_chain_of fields below are in use.
certificate: cn=www.example.org,ou=webservers
# A list of DNs of CA certificates. The base DN from the LDAP section will
# be appended to each entry if defined. If this list is empty and the
# ca_chain_of field below is undefined as well, the certificate field
# above must be defined.
ca: ['cn=root,ou=ca','cn=interm,ou=ca']
# Alternatively, CA chaining using the LDAP attribute defined above can
# be used by specifying the DN of a certificate here. The certificate
# matching the DN will be ignored, it will only be used as the start of
# the chain. Using this mechanism is incompatible with usage of the ca
# field above.
ca_chain_of: cn=www.example.org,ou=webservers
# Reverse order. If this is false, the main certificate will be written
# first, followed by the first intermediary certificate, and so on until
# the root CA certificate is found. If this is true, the first certificate
# in the file will be the root CA certificate.
reverse: false
# A list of files to append to the output.
append_files:
- /some/other/file.pem
# Define what must be done after an update.
after_update:
# Command execution timeout for pre- and post-commands. If this entry is
# missing, the default from command_timeout above will be used. This does
# not affect handlers.
command_timeout: 1
# Commands to execute before handlers are run. The order of the commands
# is respected. If a command fails to run, execution stops.
pre_commands: []
# Handlers to trigger. Handlers will still be executed if a pre-command
# had failed but they were triggered by more than one update. Execution
# order is arbitrary.
handlers:
- apache
# Commands to execute after handlers are run.
post_commands: []