Status: experimental
A simple robot managing Let's Encrypt certificates.
The current version is very limited and only allows DNS verification via Route53.
The following credentials are expected in environment variables:

- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_HOSTED_ZONE_ID
- AWS_REGION

That's by lego's design, which lerobot uses for the ACME part for the time being.
Create a separate lerobot user with its own home directory, for example:

```shell
sudo adduser --system --disabled-password --home /home/lerobot --shell /bin/bash --gecos '' --group lerobot
sudo chmod 0700 /home/lerobot
```

Add an environment file /etc/lerobot-env with AWS credentials:

```
AWS_ACCESS_KEY_ID=ABCD
AWS_SECRET_ACCESS_KEY=1234
AWS_HOSTED_ZONE_ID=ZXXXL
AWS_REGION=eu-central-1
```

Add a lerobot.service systemd unit:
```shell
# The heredoc delimiter is quoted so the shell does not expand $MAINPID
# before systemd gets to see it.
cat <<'LEROBOT_SERVICE' | sudo tee /etc/systemd/system/lerobot.service
[Unit]
Description=lerobot
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-failure
User=lerobot
Group=lerobot
EnvironmentFile=/etc/lerobot-env
WorkingDirectory=%h
ExecStart=/usr/local/bin/lerobot daemon --authorized-keys-file /home/lerobot/.ssh/authorized_keys
ExecReload=/bin/kill -USR1 $MAINPID
TimeoutStopSec=60
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
LEROBOT_SERVICE
sudo systemctl daemon-reload
```

Create a file lets-encrypt.yaml in the home directory of the lerobot user (here /home/lerobot) with the following structure:
```yaml
accounts:
  - email: [email protected]
    ssh_public_key: |
      ssh-rsa <public-key-data> [email protected]
certificates:
  - account: [email protected]
    common_name: foo.example.com
    preferred_chain: ISRG Root X1
    subject_alternative_names:
      - bar.example.com
      - baz.example.com
```

Note: account data must be unique, i.e. do not duplicate email or ssh_public_key.

All certificates for an account are stored in the same directory and are available to the same SSH user. To separate access to certificates, use different Let's Encrypt users and different SSH keypairs.
Finally, enable and start lerobot.service:

```shell
sudo systemctl enable lerobot
sudo systemctl start lerobot
```

When testing, make sure not to use the Let's Encrypt production API but staging (can be set with --le-url):

```
https://acme-staging-v02.api.letsencrypt.org/directory
```

Example lerobot daemon invocation for testing:

```shell
./bin/lerobot daemon --le-api https://acme-staging-v02.api.letsencrypt.org/directory --le-config lets-encrypt.yaml
```

Example `lets-encrypt.yaml` file for testing:
```yaml
accounts:
  - email: [email protected]
certificates:
  - account: [email protected]
    common_name: "*.example.com"
    preferred_chain: ""
    subject_alternative_names: []
```

Users are allowed to rsync all certificates for their account to their machines. rsync is the only allowed command. In the default configuration, the remote source path must be set exactly as shown below, i.e. certificates/<email>/. It is not possible to use a different path or to sync only a particular file.

Example:

```shell
rsync -ave "ssh -i /etc/lerobot.pem" [email protected]:certificates/[email protected]/ /etc/certificates/
```

This can be put into a systemd service triggered by a systemd timer once per day.
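As an added illustration, not lerobot's own code, of the two rules above (account data must be unique; rsync of exactly certificates/<email>/ is the only permitted command), the following Python validates an accounts list, emits forced-command authorized_keys entries, and checks an SSH_ORIGINAL_COMMAND against the permitted read-only rsync pull. The sample accounts, key strings and the guard path /usr/local/bin/lerobot-rsync-guard are constructed assumptions.

```python
import shlex

# Constructed sample "accounts" list in the shape of lets-encrypt.yaml (not real keys).
ACCOUNTS = [
    {"email": "ops@example.com",
     "ssh_public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ops@example.com"},
    {"email": "web@example.com",
     "ssh_public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo web@example.com"},
]

# OpenSSH >= 7.2 "restrict": no pty, no port/agent/X11 forwarding, no rc files.
RESTRICTIONS = "restrict"

# rsync options that would let the sender side modify the server or run programs.
DENIED_OPTIONS = ("--rsync-path", "--remove-source-files", "--remove-sent-files", "--log-file")


def validate_accounts(accounts):
    """Enforce the README's rule: neither email nor ssh_public_key may repeat."""
    emails, keys = set(), set()
    for acc in accounts:
        if acc["email"] in emails:
            raise ValueError(f"duplicate email: {acc['email']}")
        if acc["ssh_public_key"] in keys:
            raise ValueError(f"duplicate ssh_public_key for {acc['email']}")
        emails.add(acc["email"])
        keys.add(acc["ssh_public_key"])
    return True


def authorized_keys_lines(accounts, guard="/usr/local/bin/lerobot-rsync-guard"):
    """One forced-command authorized_keys line per account (guard path is hypothetical)."""
    validate_accounts(accounts)
    return [f'{RESTRICTIONS},command="{guard} {acc["email"]}" {acc["ssh_public_key"]}'
            for acc in accounts]


def allowed_rsync_command(email, original_command):
    """True only if SSH_ORIGINAL_COMMAND is rsync serving certificates/<email>/ read-only."""
    argv = shlex.split(original_command)
    if len(argv) < 4 or argv[0] != "rsync":
        return False
    if argv[-2] != "." or argv[-1] != f"certificates/{email}/":
        return False  # other account's directory, different path, or single-file sync
    opts = argv[1:-2]
    if "--server" not in opts or "--sender" not in opts:
        return False  # server must be *sending*; a receiving server would accept writes
    # Remaining tokens must be plain options, none from the denylist.
    return all(o.startswith("-") and not o.startswith(DENIED_OPTIONS) for o in opts)
```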