secure-sedge

Name: secure-sedge
Version: 1.8.2
Home page: https://bitbucket.org/dbuy/secure_sedge
Summary: a helpful set of convocations to create certs
Upload time: 2024-02-11 20:09:24
Author: 2ps
License: BSD
Download: https://files.pythonhosted.org/packages/cd/f7/62177ac6629e6d147052078bc6ca1aedcd572374d76c2178b2bfc00f7945/secure_sedge-1.8.2.tar.gz (sha256 f59d8094313d586aa03397515bb236b37bd2707977daa784d997cd564c85fde9)
Requirements: no requirements were recorded.
Travis-CI: no Travis. Coveralls test coverage: no coveralls.
# secure sedge

`sedge` is a collection of convocations that are designed
to serve the following purposes:

1. request certs from letsencrypt and then upload them to s3

2. let individual servers pull their own certs from s3 and install
   them on both linux and windows.

3. that's it.

sedge is tightly integrated with aws and makes use of route53 and s3
via `boto3`.

## setup and installation

1. make sure you have python 3.8 installed

    a. ubuntu

        sudo apt -y update
        sudo add-apt-repository -y ppa:deadsnakes/ppa
        sudo apt -qq update
        sudo apt -y install python3.8 python3.8-dev python3.8-venv

    b. powershell

        choco install -y python3 --version 3.8.4 --params "/installdir:c:\python38"
        $mac = [System.EnvironmentVariableTarget]::Machine
        $path = [system.environment]::getenvironmentvariable('path', $mac)
        $path = "${path};c:\python38;c:\python38\scripts"
        [system.environment]::setenvironmentvariable('path', $path, $mac)

2. install secure_sedge using pip

        pip install secure_sedge


3. create one or more config files on your keystore

        sudo mkdir -p /etc/sedge
        sudo chown -R sedge:sedge /etc/sedge

    in a file called `defaults.yml` we specify the defaults to use for all
    certs, and then one yaml file per cert that we want sedge to renew.

        ---
        # the namespaces key will specify all of the namespaces in ssm
        # parameter store that the cert will be saved into
        namespaces:
          - dev
          - staging

        # the name of the profile in aws that we want to use
        profile: contoso

        # the primary hostname / subject identifier for the cert
        # we can specify a wildcard here, but no ip addresses
        hostname: computer.contoso.com
        bucket: keystore.contoso.com
        buckets:
          - name: keystore.fabrikam.com
            assume_role: arn:aws:iam::0123456789:role/fabrikam-keystore
          - name: keystore.example.com
            profile: example_profile

        # if dns is hosted in cloudflare, use the cloudflare_token parameter
        cloudflare_token: token1

        tmp_dir: /u/sedge_temp
        # any subject alternative domains that we also want secured by the cert
        # n.b., there can't be overlapping domains like having a wildcard
        # for the hostname and then a specific host.
        alt_domains:
          - computer.fabrikam.com


    certs created by `renew_all` will be stored in s3 at the following path:
    `s3://namespace/hostname.crt` and the private key will be
    stored at `s3://namespace/hostname.key`.

4. on the system on which the cert will be installed, use sedge to
   download the cert from s3

   ```powershell
   sedge.exe install.rds --bucket bucket --key path/to/hostname.pfx
   ```

5. set up a cron job or scheduled task on your keystore to renew certs

        /path/to/sedge renew_all -d /path/to/config/dir

6. set up a cron job or scheduled task on your server to pull down the
   cert from ssm at regular intervals and install it

        /path/to/sedge install_cert -c /path/to/config/file
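The config file above carries two rules that are easy to get wrong when writing one file per cert: the hostname may be a wildcard but never an ip address, and `alt_domains` may not overlap the hostname (a wildcard plus a specific host under it). The following checker, an added example that is not part of secure_sedge, applies those rules to a config before `renew_all` ever runs, and also lists the `s3://namespace/hostname.crt` and `.key` locations the README says the cert will land in. The sample config is constructed to mirror the README's `defaults.yml`; the function names and the `validate` / `artifact_paths` helpers are assumptions, and a real deployment would load the dict with `yaml.safe_load` from `/etc/sedge/defaults.yml`.

```python
"""Validate a sedge-style per-cert config (added example, not secure_sedge code)."""
import ipaddress

# Constructed sample mirroring the README's defaults.yml. In practice you would
# build this dict with yaml.safe_load(open("/etc/sedge/defaults.yml")).
SAMPLE_CONFIG = {
    "namespaces": ["dev", "staging"],
    "profile": "contoso",
    "hostname": "computer.contoso.com",
    "bucket": "keystore.contoso.com",
    "buckets": [
        {"name": "keystore.fabrikam.com",
         "assume_role": "arn:aws:iam::0123456789:role/fabrikam-keystore"},
        {"name": "keystore.example.com", "profile": "example_profile"},
    ],
    "tmp_dir": "/u/sedge_temp",
    "alt_domains": ["computer.fabrikam.com"],
}


def is_ip(name):
    """True for anything ipaddress accepts (v4 or v6); certs need dns names."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def wildcard_covers(wildcard, name):
    """True if a single-label wildcard such as *.contoso.com covers name.

    A wildcard cert matches exactly one label, so a.b.contoso.com is NOT
    covered by *.contoso.com.
    """
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[1:]  # ".contoso.com"
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return bool(label) and "." not in label and label != "*"


def overlapping(names):
    """Pairs of names that are duplicates or where one wildcard covers the other."""
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a == b or wildcard_covers(a, b) or wildcard_covers(b, a):
                found.append((a, b))
    return found


def validate(config):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    hostname = config.get("hostname")
    alt_domains = list(config.get("alt_domains", []))
    if not hostname:
        problems.append("hostname is required")
    elif is_ip(hostname):
        problems.append(f"hostname {hostname!r} is an ip address; use a dns name or wildcard")
    if not config.get("namespaces"):
        problems.append("at least one namespace is required")
    if not config.get("bucket"):
        problems.append("bucket is required")
    for extra in config.get("buckets", []):
        if "name" not in extra:
            problems.append(f"bucket entry {extra!r} has no name")
    for alt in alt_domains:
        if is_ip(alt):
            problems.append(f"alt domain {alt!r} is an ip address")
    names = ([hostname] if hostname else []) + alt_domains
    for a, b in overlapping(names):
        problems.append(f"{a!r} and {b!r} overlap; a wildcard and a host under it cannot share one cert")
    return problems


def artifact_paths(config):
    """Where renew_all stores the cert and key per the README: s3://namespace/hostname.{crt,key}."""
    host = config["hostname"]
    return {ns: (f"s3://{ns}/{host}.crt", f"s3://{ns}/{host}.key")
            for ns in config["namespaces"]}


if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG) or ["config ok"]:
        print(problem)
    for ns, (crt, key) in artifact_paths(SAMPLE_CONFIG).items():
        print(ns, crt, key)
```

Run it once against every yaml file in the config directory before enabling the renew cron job; a config that fails the overlap rule will otherwise only surface as a rejected order at renewal time.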

## aws permissions

Here is the recommended aws policy that you can set up for using sedge
with a particular route53 domain (below is in cloudformation-style yaml):

```yaml
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Resource: "*"
        Action:
          - "route53:listhostedzones"
          - "route53:gethostedzone"
          - "route53:gethostedzonecount"
          - "route53:getchange"
          - "route53:listhostedzonesbyname"
          - "route53:listresourcerecordsets"
      - Effect: "Allow"
        Resource: !Sub "arn:aws:route53:::hostedzone/${HostedZoneId}"
        Action:
          - "route53:changeresourcerecordsets"
          - "route53:listresourcerecordsets"
      - Effect: "Allow"
        Resource:
          - !Sub "arn:aws:s3:::${Bucket}"
        Action:
          - "s3:ListBucket"
          - "s3:GetBucketLocation"
          - "s3:ListBucketMultipartUploads"
          - "s3:ListBucketVersions"
      - Effect: "Allow"
        Resource:
          - !Sub "arn:aws:s3:::${Bucket}/*"
        Action:
          - "s3:GetObject"
          - "s3:PutObject*"
          - "s3:DeleteObject"
          - "s3:AbortMultipartUpload"
          - "s3:ListMultipartUploadParts"
```
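The shape of that policy is the point: every mutating action (`changeresourcerecordsets`, `PutObject*`, `DeleteObject`, `AbortMultipartUpload`) is tied to one hosted zone or one bucket, and only read and list actions are granted on `Resource: "*"`. The checker below, an added example that is not part of secure_sedge, encodes that rule so a policy can be linted before it is deployed: it flags any `Allow` statement that grants a non-read action on `"*"`, and lists what the policy lets a principal do to a given ARN. The policy is the README's, expressed as a plain dict with the CloudFormation `!Sub` values replaced by a constructed bucket ARN and a placeholder hosted zone id; the function names and the read-only verb list are assumptions.

```python
"""Lint a sedge-style IAM policy for write actions granted on Resource "*".

Added example, not secure_sedge code. HOSTED_ZONE_ARN uses a placeholder
zone id and BUCKET_ARN is constructed from the README's example bucket.
"""
import fnmatch

HOSTED_ZONE_ARN = "arn:aws:route53:::hostedzone/ZPLACEHOLDER0000000"  # placeholder id
BUCKET_ARN = "arn:aws:s3:::keystore.contoso.com"                       # constructed

# The README's recommended policy, with !Sub references resolved.
RECOMMENDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53:listhostedzones", "route53:gethostedzone",
                    "route53:gethostedzonecount", "route53:getchange",
                    "route53:listhostedzonesbyname",
                    "route53:listresourcerecordsets"]},
        {"Effect": "Allow", "Resource": HOSTED_ZONE_ARN,
         "Action": ["route53:changeresourcerecordsets",
                    "route53:listresourcerecordsets"]},
        {"Effect": "Allow", "Resource": [BUCKET_ARN],
         "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                    "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"]},
        {"Effect": "Allow", "Resource": [BUCKET_ARN + "/*"],
         "Action": ["s3:GetObject", "s3:PutObject*", "s3:DeleteObject",
                    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]},
    ],
}

# Verbs treated as read-only (assumption). Anything else, including "s3:*"
# and a bare "*", is treated as a mutation.
READ_PREFIXES = ("get", "list", "describe")


def _as_list(value):
    """IAM allows a string or a list in Resource and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """IAM action names are case-insensitive, so compare the lowercased verb."""
    verb = action.split(":", 1)[1].lower() if ":" in action else action.lower()
    return verb.startswith(READ_PREFIXES)


def unscoped_mutations(policy):
    """(action, "*") pairs where a mutating action is allowed on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append((action, "*"))
    return findings


def actions_on(policy, resource_arn):
    """Lowercased actions that some Allow statement grants on resource_arn.

    IAM resource patterns use '*' that also spans '/', which fnmatch mirrors.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            if fnmatch.fnmatchcase(resource_arn, pattern):
                granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return sorted(granted)


if __name__ == "__main__":
    print("unscoped mutations:", unscoped_mutations(RECOMMENDED_POLICY))
    print(actions_on(RECOMMENDED_POLICY, BUCKET_ARN + "/dev/computer.contoso.com.key"))
```

The same check catches the common shortcut of granting `route53:changeresourcerecordsets` on `"*"` to make the dns challenge work for every zone, which would let the renewal host rewrite records in zones it has no cert for.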
