mirrors/acme2certifier
1
0
Fork 0
mirror of https://github.com/grindsa/acme2certifier.git synced 2025-12-31 01:51:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
Page: <! wiki title: Hooks
Pages
# How to build an acme2certifier cluster on Ubuntu 22.04 <! wiki title: DEB Installation on Ubuntu 22.04 <! wiki title: External Account Binding <! wiki title: Hooks <! wiki title: Installation on Apache2 Running on Ubuntu 22.04 <! wiki title: Installation on NGINX Running on Alma Linux 9 <! wiki title: Pass Information from ACME Client to CA Handler <! wiki title: Reporting and Housekeeping <! wiki title: Support for ACME profiling <! wiki title: Support for External Databases ACME CA handler Asynchronous Mode (`async_mode`) in acme2certifier CA Handler for Microsoft Certification Authority Web Enrollment Service CA Handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA Handler for NetGuard Certificate Lifecycle Manager CA Handler for OpenXPKI CA Handler for XCA CA Handler for an OpenSSL based CA Stored on Local File System CA Polling to Check Pending Enrollment Requests CA Trigger CA handler for Digicert CertCentral CA handler for EJBCA CA handler for Entrust ECS Enterprise CA handler for Insta ActiveCMS CA handler for Insta CA handler for Microsoft Certification Authority Web Enrollment Service CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA handler for NetGuard Certificate Lifecycle Manager CA handler for NetGuard Certificate Manager and Insta Certifier CA handler for OpenXPKI CA handler for XCA CA handler for an openssl based CA stored on local file system CA handler using CMPv2 protocol CA handler using EST protocol CA polling to check pending enrollment requests CA trigger CA‐handler for Hashicorp Vault PKI Configuration options for acme2certifier Containerized Installation Using Apache2 or Nginx as Web Server with WSGI or Django Containerized installation DEB installation on Ubuntu 22.04 Database scheme Enrollment of End User Certificates according to RFC8823 Enrollment profiling via external account binding Example commands for acme clients External Account Binding (EAB) External Account Binding Home Hooks support Hooks How to Create Your Own CA Handler How to build am acme2certifier cluster on Ubuntu 22.04 How to build an acme2certifier cluster on Alma Linux 9 How to build an acme2certifier cluster on Ubuntu 22.04 How to contribute to this project How to create your own CA Handler Installation on Apache2 Running on Ubuntu 22.04 Installation on NGINX Running on Alma Linux 9 Installation on Nginx Running on Ubuntu 22.04 Installation on nginx running on Ubuntu 22.04 Pass Information from ACME Client to CA Handler Prevalidated Domain List Feature for ACME Authorization Proxy Support in acme2certifier Proxy support in acme2certifier RPM Installation on AlmaLinux 9 RPM installation on Alma Linux 9 RPM installation on alma Linux 9 Reporting and Housekeeping support SOAP CA Handler Prototype SOAP CA handler protopype Security Policy Support for ACME profiling Support for External Databases Support for TNAuthList Identifier and tkauth 01 Challenges Support for TNAuthList identifier and tkauth 01 challenges Upgrading acme2certifier Using cert manager to enroll certificate in Kubernetes environments acme_srv.cfg configuration options upgrading acme2certifier vault
<! wiki title: Hooks
grindsa edited this page 2025-12-30 06:22:30 +00:00
Table of Contents

Hooks

acme2certifier allows for the specification of pre- and post-enrollment hooks. Hooks are disabled by default and must be activated in acme_srv.cfg by specifying a file containing the required Hooks class and methods.

[Hooks]
hooks_file: examples/hooks/skeleton_hooks.py

How to Create Your Own Hooks

Creating your own hook handler is straightforward. All you need to do is create a handler.py file with a Hooks class containing the following methods:

  • pre_hook - Executed before certificate enrollment.
  • post_hook - Executed after certificate enrollment, regardless of the result.
  • success_hook - Executed in case of a successful certificate enrollment; this runs before the post_hook.

The skeleton_hooks.py file contains a template that can be used to create a customized handler.

Further there is an Email Hook sending emails in case of successful or failed certificate enrollments.

The following code describes the different input parameters provided by acme2certifier, as well as the expected return values:

class Hooks:
    """Hooks file handler"""

    def __init__(self, logger) -> None:
        self.logger = logger

    def pre_hook(self, certificate_name, order_name, csr) -> None:
        """Run before obtaining any certificates"""
        self.logger.debug("Hook.pre_hook()")

    def post_hook(self, certificate_name, order_name, csr, error) -> None:
        """Run after *attempting* to obtain/renew certificates"""
        self.logger.debug("Hook.post_hook()")

    def success_hook(
        self,
        certificate_name,
        order_name,
        csr,
        certificate,
        certificate_raw,
        poll_identifier,
    ) -> None:
        """Run after each successful certificate enrollment/renewal"""
        self.logger.debug("Hook.success_hook()")

Input Parameters

  • self.logger - Reference to a logging object.
  • certificate - Certificate in application/pem-certificate-chain format.
  • certificate_name - Name of the certificate resource in acme2certifier.
  • certificate_raw - Certificate in base64-encoded binary format.
  • csr - Certificate Signing Request in base64-encoded binary format.
  • error - Error message in case of certificate enrollment failure.
  • order_name - Name of the order resource in acme2certifier.

The different methods must not return any data. Exceptions during hook execution are handled by acme2certifier, as described below.

Handling Exceptions

By default, certificate enrollment/renewal is aborted (and acme2certifier returns an error code to the client) if either the pre_hook or success_hook fails. In such cases, later hooks are also not executed:

  • If the pre_hook fails, neither the success_hook nor post_hook is executed.
  • If the success_hook fails, the post_hook is not executed.

If the post_hook throws an exception, the error is logged, but it has no effect on the enrollment/renewal process. That is, the process completes successfully as long as no other errors occur.

This behavior can be controlled through the configuration options allow_pre_hook_failure, allow_post_hook_failure, and allow_success_hook_failure. See the configuration table for more details.