Vault + Let's encrypt integration
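# source https://github.com/remilapeyre/vault-acme
# Install the vault-acme secrets plugin and register it in Vault's plugin catalog.
# Requires: a vault CLI session allowed to write sys/plugins/catalog and sys/mounts,
# and write access to /opt/vault/plugins (run as root, or prefix the file operations with sudo).
set -euo pipefail

# sha256 of acme-plugin from the v0.0.8 linux_amd64 release; the catalog entry below must carry the same value.
PLUGIN_SHA256="29b5d33532cd55fddd5de199c4717683ccc3957bf8d8fe645974be984c1abd5a"

wget https://github.com/remilapeyre/vault-acme/releases/download/v0.0.8/linux_amd64.zip -O /tmp/acme.zip
unzip /tmp/acme.zip -d /tmp/

# Check the downloaded binary against the pinned hash before it lands in the plugin directory.
# Vault compares the file hash with the catalog entry when the plugin is enabled anyway, but
# failing here gives a clearer error and never installs a mismatched artifact.
echo "${PLUGIN_SHA256}  /tmp/acme-plugin" | sha256sum -c -

mv /tmp/acme-plugin /opt/vault/plugins/
# Ownership, not mode: the original used `chmod vault:vault`, which is not a valid mode and fails.
chown vault:vault /opt/vault/plugins/acme-plugin
# Same capability the vault binary itself needs to mlock() its memory.
sudo setcap cap_ipc_lock=+ep /opt/vault/plugins/acme-plugin

# Register the plugin (hash-pinned) and mount it at acme/.
vault write sys/plugins/catalog/secret/acme sha_256="${PLUGIN_SHA256}" command=acme-plugin
vault secrets enable -path acme -plugin-name acme plugin
# 2160h = 90 days, the lifetime of a Let's Encrypt certificate.
vault secrets tune -max-lease-ttl=2160h acme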
# in case you use TF https://discuss.hashicorp.com/t/can-i-use-the-terraform-provider-for-vault-to-register-a-plugin-e-g-a-new-db-plugin/13409
# Terraform equivalent of `vault write sys/plugins/catalog/secret/acme sha_256=... command=acme-plugin`:
# registers the acme plugin in Vault's secret plugin catalog through the generic endpoint resource.
resource "vault_generic_endpoint" "acme" {
  path = "sys/plugins/catalog/secret/acme"

  # The catalog entry is readable, so let the provider read it back and detect drift.
  disable_read = false

  # Keep the plugin registered when this resource is destroyed (deregistration stays a manual step).
  disable_delete = true

  # The read response carries fields that are not in data_json; ignoring them avoids a perpetual diff.
  ignore_absent_fields = true

  # Same payload as the CLI registration; the hash pins the exact plugin binary Vault will accept.
  data_json = jsonencode({
    sha_256 = "29b5d33532cd55fddd5de199c4717683ccc3957bf8d8fe645974be984c1abd5a"
    command = "acme-plugin"
  })
}
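# Configure an ACME account, a role and a first certificate in the mounted plugin.
# Defaults reproduce the original example verbatim; override any of them through the environment.
ACME_MOUNT="${ACME_MOUNT:-acme}"
ACME_ACCOUNT="${ACME_ACCOUNT:-example_com}"
ACME_ROLE="${ACME_ROLE:-${ACME_ACCOUNT}}"
ACME_CONTACT="${ACME_CONTACT:-acme@example.com}"
# Staging directory: certificates are not trusted by browsers, but rate limits are lenient.
# Point ACME_SERVER_URL at https://acme-v02.api.letsencrypt.org/directory once the flow works.
ACME_SERVER_URL="${ACME_SERVER_URL:-https://acme-staging-v02.api.letsencrypt.org/directory}"
ACME_DOMAIN="${ACME_DOMAIN:-example.com}"
ACME_COMMON_NAME="${ACME_COMMON_NAME:-demo.example.com}"
# Route 53 hosted zone the plugin writes the DNS-01 challenge record into.
AWS_HOSTED_ZONE_ID="${AWS_HOSTED_ZONE_ID:-Z3C8BD3RHP4T5Y}"

# Account registration. terms_of_service_agreed=true is required by the ACME server.
# ignore_dns_propagation=true appears to skip the plugin's own wait for the TXT record to become
# visible before the challenge is submitted; faster, but issuance can fail if Route 53 has not
# propagated the record yet — confirm against the plugin docs before relying on it in production.
vault write "${ACME_MOUNT}/accounts/${ACME_ACCOUNT}" \
  contact="${ACME_CONTACT}" \
  server_url="${ACME_SERVER_URL}" \
  terms_of_service_agreed=true \
  provider=route53 \
  ignore_dns_propagation=true \
  provider_configuration="AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}"

# Role: bounds what may be issued through this account. As with Vault PKI roles,
# allow_bare_domains=false refuses the zone apex itself and allow_subdomains=true permits names under it.
vault write "${ACME_MOUNT}/roles/${ACME_ROLE}" \
  account="${ACME_ACCOUNT}" \
  allowed_domains="${ACME_DOMAIN}" \
  allow_bare_domains=false \
  allow_subdomains=true

# Request a certificate through the role; common_name must satisfy the role's domain policy.
vault write "${ACME_MOUNT}/certs/${ACME_ROLE}" \
  common_name="${ACME_COMMON_NAME}"

# remove it
# vault secrets disable /acme
# vault plugin deregister secret acme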