Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for LE expiration notification e-mails on API cert #227

Merged
merged 1 commit into from
Jan 11, 2021
Merged

Add support for LE expiration notification e-mails on API cert #227

merged 1 commit into from
Jan 11, 2021

Conversation

blkeller
Copy link
Contributor

Summary:

This PR adds support for setting an e-mail address in the config file that Let's Encrypt can use to send notification e-mails if the API's certificate is expiring soon. When an account at LE is registered and an e-mail address is provided, LE will use this address for this purpose:
https://letsencrypt.org/docs/expiration-emails/

This is a helpful, optional service that LE offers for free, and the e-mails can be useful for an admin to be alerted to potential certificate renewal issues that might otherwise go unnoticed.

The new config option notification_email is an empty string by default, preserving the previous behavior of not registering any address with LE upon account creation. If the user fills in an e-mail address, this value will be used during account creation with LE.

The value of notification_email is passed through to CertMagic and leverages their existing support for this feature.

Example:

Where the config file includes these entries:

[api]
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "letsencryptstaging"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = "myuser@mydomain.com"

This patch yields the following results:

$ sudo rm -Rf /var/lib/acme-dns/api-certs
$ sudo systemctl start acme-dns
$ journalctl -u acme-dns --no-pager | grep -A2 'certificate maintenance'
Apr 28 18:25:38 ns1 acme-dns[13286]: time="2020-04-28T18:25:38-05:00" level=info msg="2020/04/28 18:25:38 [INFO][cache:0xc00008e5f0] Started certificate maintenance routine"
Apr 28 18:25:38 ns1 acme-dns[13286]: time="2020-04-28T18:25:38-05:00" level=info msg="[INFO] acme: Registering account for myuser@mydomain.com"
Apr 28 18:25:38 ns1 acme-dns[13286]: time="2020-04-28T18:25:38-05:00" level=info msg="2020/04/28 18:25:38 [INFO][ns1.certs.mydomain.com] Obtain certificate"

$ sudo ls /var/lib/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org/users
myuser@mydomain.com

$ sudo cat /var/lib/acme-dns/api-certs/acme/acme-staging-v02.api.letsencrypt.org/users/myuser@mydomain.com/myuser.json
{
        "Email": "myuser@mydomain.com",
        "Registration": {
                "body": {
                        "status": "valid",
                        "contact": [
                                "mailto:myuser@mydomain.com"
                        ]
                },
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345678"
        }
}

@coveralls
Copy link

Coverage Status

Coverage remained the same at 90.559% when pulling f89224a on blkeller:notification-email into 19069f5 on joohoi:master.

@joohoi
Copy link
Owner

joohoi commented Jan 11, 2021

LGTM! Sorry it took so long to get around to review this.

@joohoi joohoi merged commit 035a219 into joohoi:master Jan 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@blkeller @coveralls @joohoi