ACME-based enrollment
Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager into your Linux-based Chef nodes using the ACMEv2 protocol.
The integration involves the following Chef components:
Chef workstation: Local development system where you configure a custom Chef cookbook for requesting certificates from Trust Lifecycle Manager via its ACME service.
Chef server: Centralized hub where you upload the custom Chef cookbook for use by your production Chef nodes.
Chef nodes: Client systems that request certificates from Trust Lifecycle Manager using the custom cookbook on the Chef server.
Each Chef node requires a third-party ACME client like Certbot to send certificate requests and download the resulting certificate files.
DigiCert provides sample files to help you set up the integration for Linux-based Chef nodes, including the option to automatically install the Certbot ACME client on each node as part of the custom Chef cookbook.
警告
Instructions on this page are intended for Linux-based Chef deployments and use the open-source Snap package manager to install the Certbot ACME client on each node. Non-Linux deployments may require additional customization.
For an OS agnostic Chef integration solution, refer to the API-based enrollment instructions.
Before you begin
In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client
enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:
ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.
Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.
HMAC key: Used to encrypt and authenticate your account key during certificate requests.
Integration workflow
Download the Chef integration package to get the following sample files:
recipe/default.rb: Sample recipe file to request certificates from DigiCert via ACME.
attributes/default.rb: Sample attributes file to configure your DigiCert ACME credentials.
注記
The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Chef.
Use the sample files to create a custom Chef cookbook for requesting certificates from Trust Lifecycle Manager via its ACME service.
To configure the cookbook on your Chef workstation:
Run the following command to create a custom cookbook, supplying a friendly name for the cookbook as the final argument.
chef generate cookbook <custom_cookbook_name>
Copy the sample recipe/default.rb file into the recipes sub-directory for the custom cookbook, replacing the default default.rb file there.
Copy the sample attributes/default.rb file into the attributes sub-directory for the custom cookbook, replacing the default default.rb file there.
Update the copied attributes/default.rb file in the custom cookbook to supply values for the following parameters:
default['certbot']['eab_kid']
: ACME EAB key identifier (KID) for the target certificate profile in Trust Lifecycle Manager.default['certbot']['eab_hmac_key']
: ACME EAB HMAC key for the certificate profile.default['certbot']['acme_server_url']
: ACME Directory URL for the certificate profile.default['certbot']['domain1']
: Common name of the certificate to issue.
Enclose the parameter values in single quotes in the file. For example:
default['certbot']['eab_kid'] = 'ZZ5ZZ5_yZabcdeFGHij_KLmnoP_a33sNvWwHHnGD3E' default['certbot']['eab_hmac_key'] = 'Z5ZJ3JJJdZaBcDeFgHIJklMn3OoPqRsT3UvWxYZAbCDEfghI3MMJ3KLIdEFGxMMnnJjkeNjliZddwABC3DEFzZA' default['certbot']['acme_server_url'] = 'https://one.digicert.com/mpki/api/v1/acme/v2/directory' default['certbot']['domain1'] = 'my-app.example.com'
Use the following command to upload the custom cookbook to the active Chef server. Supply the custom cookbook name as the final argument.
knife cookbook upload <custom_cookbook_name>
With the custom Chef cookbook in place on the Chef server, you are ready to request certificates from Trust Lifecycle Manager for your Chef nodes.
Use the following command on a Chef node to run the cookbook from the Chef server including the recipe for the custom ACME-based certificate request:
sudo chef-client
What's next
After a successful certificate request, the certificate files are found on the Chef node in the applicable third-party ACME client directory. For Certbot, the certificate files are downloaded to the /etc/letsencrypt/live directory by default.
The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.