Support manual certificate renewal process #5343
Open
desmaraisp wants to merge 7 commits into Netflix:main from
This issuer's role is to bridge the gap with existing PKI solutions (or lack thereof) where certs are renewed manually, either in CLI, a third-party system that doesn't support automation, or simply as a migration step towards automation. The way it works is the issuer creates pending certificates (with a CSR), and the user has to complete said CSR and upload the CA-signed public key.
Author
There is one thing I wasn't quite sure of and was hoping one of the maintainers could weigh in on. Each plugin can declare additional fields in a couple forms here and there. This PR uses one of those (public_certificate) but there doesn't seem to be a clear naming convention for those; some plugins use camel case, others snake case. Which is preferred?
Implements and closes #5342
This PR does three things:
Creates a new, barebones plugin. This plugin has a field to insert the associated root CA's public cert in the issuer creation form. Unlike some of the other plugins, the CA cert is a user-provided value. Once the issuer is created, the plugin simply issues a pending certificate, and it's up to the user to complete it with their own process.
Adds a new property to the base plugin class that allows async issuer plugins to bypass the acme auto resolve process. This property defaults to the current behavior, but is overridden for the new issuer to avoid errors if ACME_DISABLE_AUTORESOLVE isn't True.
Creates unit tests and documentation for the above items.