Skip to content
/ leapi Public

Lets Encrypt certificate renewal API for server cluster and getssl.

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ruhnet/leapi

BranchesTags

Repository files navigation

LEAPI

LEAPI is a clustered server API system, written in Go, for managing Lets Encrypt certificate renewals.

LEAPI uses the excellent getssl Bash script for the actual renewal of certificates.

It can be used on a single server, but is particularly useful for clusters of servers, with many domains. You can use it standalone, for acquiring/renewing certificates for non web services, or with an external webserver like Nginx, Caddy, etc.

LEAPI operates in a multi-master configuration. When you add or delete a server or domain on any server, it automatically replicates the changes to all other servers, and renews your certificate. Replication is accomplished via HTTP.

Endpoints:

[GET] https://leapiserver.tld/api/servers --- List Servers

[PUT] https://leapiserver.tld/api/servers/web1.mybackend.com --- Add New Server

[DELETE] https://leapiserver.tld/api/servers/web1.mybackend.com --- Remove Server

[GET] https://leapiserver.tld/api/domains --- List Domains

[PUT] https://leapiserver.tld/api/domains/mycoolsite.com --- Add New Domain

[DELETE] https://leapiserver.tld/api/domains/mycoolsite.com --- Remove Domain

[POST] https://leapiserver.tld/api/renew --- Force Renewal

[GET] https://leapiserver.tld/up --- Uptime Check

Install

  • Download the LEAPI binary, or build from source.
  • Copy it to /opt/leapi
  • You may use the included SystemD service file if you use a SystemD based distribution.
  • Edit the leapi_config.json file for your needs, leaving production set to false until setup is complete. Set the sync_type to either ssh or https. If you choose ssh you must create and copy keys and verify you can login to all servers that need to share files between each other. Note: if you enable https_server_port in the config file, LEAPI needs a certificate to be able to start (it requires the tls_chain_path and tls_key_path). You can generate a temporary self signed certificate and key with openssl:
openssl req -x509 -nodes -newkey rsa:4096 -keyout privkey.key -out cert.crt -sha256 -days 365
  • Copy the config file to /opt/leapi or /etc.
  • Install getssl
curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > /opt/leapi/getssl ; chmod 700 /opt/leapi/getssl
  • Create the base config for getssl:
/opt/leapi/getssl -w /opt/leapi -c mycoolsite.com
  • Start LEAPI, either from the commandline or with systemctl start leapi
  • Add your servers via the LEAPI API: (You don't necessarily have to do this on the server itself.)
curl -X PUT http://localhost/api/servers/server1.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/servers/server2.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/servers/server3.mydomain.com -H 'Authorization: Bearer mySeCrEtKeY'
  • Add your domains via the LEAPI API:
curl -X PUT http://localhost/api/domains/mycoolsite.com -H 'Authorization: Bearer mySeCrEtKeY'
curl -X PUT http://localhost/api/domains/myothersite.com -H 'Authorization: Bearer mySeCrEtKeY'
  • Assuming there were no errors, edit your leapi_config.json file and change production to true.
  • Force a renewal via the API:
curl -X POST http://localhost/api/renew -H 'Authorization: Bearer mySeCrEtKeY'

About

Lets Encrypt certificate renewal API for server cluster and getssl.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.1.0 Latest
May 10, 2022
+ 1 release

Packages

No packages published

Languages