A Vault plugin for requesting and renewing ACME certificates

Boostport/vault-plugin-secrets-acme

Vault ACME

Vault ACME is a Vault secret engine that allows users and applications to retrieve TLS certificates validated by an ACME provider such as Let's Encrypt, without having to give each application permission to modify DNS, while keeping certificate issuance under Vault's audit and policy systems.

Discussion: hashicorp/vault#4950

Download Vault ACME

Binary releases can be downloaded at https://github.com/Boostport/vault-plugin-secrets-acme/releases.

Verify Binaries

The checksums for the binaries are signed with cosign. To verify the binaries, download the following files (where ${VERSION} is the version of the release):

  • vault-plugin-secrets-acme_${VERSION}_checksums.txt
  • vault-plugin-secrets-acme_${VERSION}_checksums.txt.pem
  • vault-plugin-secrets-acme_${VERSION}_checksums.txt.sig

Then download the release binaries you need. Here, we just download the linux amd64 binary:

  • vault-plugin-secrets-acme_${VERSION}_linux_amd64

Then run the following commands to verify the checksums and signature:

# Verify checksum signature
$ cosign verify-blob --signature vault-plugin-secrets-acme_${VERSION}_checksums.txt.sig --certificate vault-plugin-secrets-acme_${VERSION}_checksums.txt.pem vault-plugin-secrets-acme_${VERSION}_checksums.txt --certificate-identity "https://github.com/Boostport/vault-plugin-secrets-acme/.github/workflows/release.yml@refs/tags/v${VERSION}" --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

# Verify checksum with binaries
$ sha256sum -c vault-plugin-secrets-acme_${VERSION}_checksums.txt
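As an added example (not part of the repository's README), the following POSIX shell script wraps the verification steps above in functions. It assumes cosign and GNU coreutils sha256sum are on PATH and that the downloaded files keep the release names listed above. It also handles one practical caveat: the checksum file lists the binaries for every platform, so running sha256sum -c over the whole file reports the binaries you did not download as missing and exits non-zero. The script instead checks only the entry for the binary you actually have (sha256sum --ignore-missing -c is the one-liner equivalent).

```shell
#!/bin/sh
# Added example, not the project's own code: verify one release binary of
# vault-plugin-secrets-acme against its cosign-signed checksum file.
# Assumes: cosign and sha256sum on PATH; files named as in the release.
set -eu

REPO="Boostport/vault-plugin-secrets-acme"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# The identity that signed the checksums: the release workflow run for this tag.
signing_identity() {
    printf 'https://github.com/%s/.github/workflows/release.yml@refs/tags/v%s\n' "$REPO" "$1"
}

# Keyless (Sigstore) verification of the checksum file's signature.
# Pinning identity and issuer is what stops an arbitrary Sigstore cert from passing.
verify_checksums_signature() {
    version="$1"
    base="vault-plugin-secrets-acme_${version}_checksums.txt"
    cosign verify-blob \
        --signature "${base}.sig" \
        --certificate "${base}.pem" \
        --certificate-identity "$(signing_identity "$version")" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$base"
}

# Compare one binary with its entry in the checksum file.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry for it.
verify_binary_checksum() {
    checksums="$1"
    binary="$2"
    name=$(basename "$binary")
    # Checksum lines look like "<hex digest>  <file name>".
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$binary" | cut -d ' ' -f1)
    [ "$expected" = "$actual" ]
}

# Full flow: signature first, then the binary. Any failure aborts (set -e).
verify_release() {
    version="$1"
    binary="$2"
    verify_checksums_signature "$version"
    verify_binary_checksum "vault-plugin-secrets-acme_${version}_checksums.txt" "$binary"
    echo "OK: $binary matches signed checksum for v$version"
}

# Usage: ./verify.sh --run <VERSION> vault-plugin-secrets-acme_<VERSION>_linux_amd64
if [ "${1:-}" = "--run" ]; then
    verify_release "$2" "$3"
fi
```

Run the signature check before trusting the checksum file: a matching sha256 only proves the binary matches the file you downloaded, and only the cosign step proves that file came from this repository's release workflow.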

Documentation

The documentation is available at website/source/docs/secrets/acme/index.html.md.

How to Use

Using this plugin in Docker requires manually setting the mlock file capability (cap_ipc_lock) on both the Vault binary and the acme plugin binary:

$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
$ sudo setcap cap_ipc_lock=+ep /vault/plugins/acme-plugin

After setting plugin_directory and registering the plugin with the correct SHA-256 in Vault's catalog (vault write sys/plugins/catalog/secret/acme sha_256=$(sha256sum acme-plugin | cut -d ' ' -f1) command=acme-plugin; note that sha256sum prints the file name after the digest, so only the first field is passed), you can mount the plugin like any other: vault secrets enable -path=acme -plugin-name=acme plugin.
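As an added example (not from the project's README), a small POSIX shell script that performs the capability, catalog and mount steps above in order. It assumes the plugin binary sits in Vault's plugin_directory (default /vault/plugins here), that the vault CLI is on PATH and already authenticated with a token allowed to write sys/plugins/catalog and sys/mounts, and that getcap/setcap are available. The catalog hash is what lets Vault refuse to launch a plugin binary that has been swapped or modified, so it is taken from the exact file in the plugin directory rather than typed by hand.

```shell
#!/bin/sh
# Added example, not the project's own code: register and mount the acme
# plugin. Environment overrides are assumptions for this script only.
set -eu

PLUGIN_DIR="${PLUGIN_DIR:-/vault/plugins}"
PLUGIN_BIN="${PLUGIN_BIN:-acme-plugin}"
MOUNT_PATH="${MOUNT_PATH:-acme}"

# sha256sum prints "<hex digest>  <file>"; Vault's sha_256 field wants only the digest.
plugin_sha256() {
    sha256sum "$1" | cut -d ' ' -f1
}

# Vault and the plugin both mlock() their memory; in a container they usually
# run unprivileged, so the file needs cap_ipc_lock. Idempotent: skips if set.
ensure_ipc_lock() {
    if getcap "$1" 2>/dev/null | grep -q cap_ipc_lock; then
        return 0
    fi
    sudo setcap cap_ipc_lock=+ep "$1"
}

# Catalog entry first (Vault checks the binary against this hash at launch),
# then the mount. Re-running after a plugin upgrade refreshes the hash.
register_acme_plugin() {
    ensure_ipc_lock "$(readlink -f "$(command -v vault)")"
    ensure_ipc_lock "$PLUGIN_DIR/$PLUGIN_BIN"
    digest=$(plugin_sha256 "$PLUGIN_DIR/$PLUGIN_BIN")
    vault write sys/plugins/catalog/secret/acme sha_256="$digest" command="$PLUGIN_BIN"
    vault secrets enable -path="$MOUNT_PATH" -plugin-name=acme plugin
}

if [ "${1:-}" = "--run" ]; then
    register_acme_plugin
fi
```

When you upgrade the plugin binary, re-run the vault write step with the new digest before reloading; Vault will not start a plugin whose hash no longer matches its catalog entry.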

Tests

The unit tests use the pebble ACME test server and pebble-challtestsrv. They can be downloaded at https://github.com/letsencrypt/pebble and must be present in $PATH.

The unit tests can be run with:

$ make test

The acceptance tests need Vault in addition to pebble and pebble-challtestsrv.

When vault is present in $PATH, the acceptance tests can be run with:

$ make testacc
