ACM agent provides functionality to request and confirm ACM certificates from the command line.
$ pip install acmagent
In order to approve ACM certificates, create and configure the acmagent IMAP credentials file. By default acmagent loads the .acmagent configuration file from the user's home folder, for example /home/john.doe/.acmagent. However, you have the option to specify a custom path to the credentials file.
# /home/john.doe/.acmagent
username: [email protected]
server: imap.example.com
password: mysecretpassword
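The credentials file holds the IMAP password in clear text, so it should be readable only by its owner. The following is an added example, not part of acmagent: the function names are hypothetical, and it assumes the flat "key: value" layout shown in the sample file.

```python
import os
import stat
import tempfile

# Keys shown in the sample credentials file above.
REQUIRED_KEYS = {"username", "server", "password"}


def write_credentials_file(path, username, server, password):
    """Create the file with mode 0600 from the start, never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"username: {username}\nserver: {server}\npassword: {password}\n")


def audit_credentials_file(path):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/others access the file; use 0600")
    if st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    # Assumption: flat "key: value" lines, as in the sample file.
    keys = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                keys.add(line.split(":", 1)[0].strip())
    findings.extend(f"missing key: {k}" for k in sorted(REQUIRED_KEYS - keys))
    return findings


def demo():
    """Audit one well-formed and one weak file; all values are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.acmagent")
        write_credentials_file(good, "user@example.com", "imap.example.com", "not-a-real-password")
        bad = os.path.join(tmp, "bad.acmagent")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("username: user@example.com\nserver: imap.example.com\n")
        os.chmod(bad, 0o644)
        return audit_credentials_file(good), audit_credentials_file(bad)


if __name__ == "__main__":
    print(demo())
```

Running the audit in a CI job before confirm-certificate catches a credentials file that was copied onto a shared build host with default permissions.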
The simplest option to request an ACM certificate is to specify the --domain-name and/or --validation-domain parameters.
$ acmagent request-certificate --domain-name '*.dev.example.com'
12345678-1234-1234-1234-123456789012
$ acmagent request-certificate --domain-name '*.dev.example.com' --validation-domain example.com
12345678-1234-1234-1234-123456789012
Optionally, if you need to generate a certificate for multiple domain names, you can provide the --alternative-names parameter to specify space-separated alternative domain names.
$ acmagent request-certificate --domain-name dev.example.com --validation-domain example.com --alternative-names www.dev.example.com ftp.dev.example.com
12345678-1234-1234-1234-123456789012
ACMAgent offers an option to supply the parameters in a JSON input file instead of typing them at the command line, using the --cli-input-json parameter.
- Generate CLI skeleton output
$ acmagent request-certificate --generate-cli-skeleton &> certificate.json
$ cat certificate.json
{
  "DomainName": "",
  "SubjectAlternativeNames": [],
  "ValidationDomain": ""
}
- Modify the generated skeleton file using your preferred method
- Using the --cli-input-json parameter, specify the path to the certificate.json file
$ acmagent request-certificate --cli-input-json file:./certificate.json
Output
The request-certificate command outputs the ACM certificate id, which is the last part of the ARN arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012. You will need that id for the certificate approval process.
Before approving an ACM-issued certificate, please ensure that the credentials file has been set up. For Gmail and Yahoo, enable access for 'less secure apps' (https://support.google.com/accounts/answer/6010255?hl=en-GB&authuser=1).
$ acmagent confirm-certificate --help
usage: acmagent confirm-certificate [-h] --certificate-id CERTIFICATE_ID
                                    [--wait WAIT] [--attempts ATTEMPTS]
                                    [--debug] [--credentials CREDENTIALS]

optional arguments:
  -h, --help            show this help message and exit
  --certificate-id CERTIFICATE_ID
                        Certificate id
  --wait WAIT           Timeout in seconds between querying IMAP server
  --attempts ATTEMPTS   Number of attempts to query IMAP server
  --debug               (boolean) Send logging to standard output
  --credentials CREDENTIALS
                        Explicitly provide IMAP credentials file
Confirming a certificate using the default settings:
$ acmagent confirm-certificate --certificate-id 12345678-1234-1234-1234-123456789012
However, for most scenarios the recommended approach is to specify custom values for the --wait and --attempts parameters, tailored for your IMAP server.
$ acmagent confirm-certificate --wait 10 --attempts 6 --certificate-id 12345678-1234-1234-1234-123456789012
In situations where you can't use the default IMAP credentials file, provide the --credentials parameter:
$ acmagent confirm-certificate --certificate-id 12345678-1234-1234-1234-123456789012 --credentials file:///var/lib/jenkins/.acmagent