Running¶

Alnitak can be run in several modes, each of which define a particular behaviour. These modes are invoked as:

~$ alnitak [mode] [options...]

The mode must be the first argument to the program and may be followed by flags and/or arguments specific to that mode. If no mode is given, then the program runs in default mode.

Modes¶

default¶

After certificates have been renewed, any new DNS record that has been published must be allowed time to propogate before the dane certificate symlink is reverted to pointing to the new live certificate. In default mode the program checks to see if the new DNS record has gone live, and if so performs this last step. With no certificates to process, running the program in default mode will do nothing.

pre¶

The program will move the dane certificate symlinks to point to archive certificates, in preparation for a possible certificate renewal. This mode is indended to be run before a certificate renewal is performed, preferably on certbot’s pre-hook. The synonym prehook is also provided for this mode.

deploy¶

To be run after certificate renewal has taken place, the program will move the dane certificate symlinks back to pointing to live certificates for all certificates that were not renewed. For certificates that were renewed, a TLSA record is published for the new live certificate. The synonyms deployhook, post and posthook are also provided for this mode.

reset¶

In this mode the program will recreate the dane directory (/etc/alnitak/dane/). This effectively means that all dane certificate symlinks will to point back to live certificates. This is the meaning of ‘resetting’ the dane directory.

init¶

A synonym for the reset mode. This mode wil create and populate the dane directory.

configtest¶

Test the configuration file for syntax errors, or targets that cannot be located (i.e., certificates that cannot be found).

print¶

Print TLSA certificate data (usually, hashes) that form the data fields of the TLSA record(s). With no arguments, it will print certificate data for all TLSA specifications indicated in the configuration file. Otherwise, required outputs can be specified by listing them as arguments to the program as follows:

~$ alnitak print 311:/path/to/cert 201:path/to/cert

which will print:

- 3 1 1 123456789abcdef0... /path/to/cert
- 2 0 1 fedcba9876543210... /cwd/path/to/cert

The arguments must be formatted as XYZ:CERT, where XYZ are the concatenated TLSA parameters, and CERT is the file to extract data from.

When dealing with certificates in the Let’s Encrypt directory (/etc/letsencrypt), the output will be slightly different:

~$ alnitak print 311:/etc/letsencrypt/live/example.com/cert.pem

will print:

example.com 3 1 1 123456789abcdef0... /etc/letsencrypt/live/example.com/cert.pem

where the first field is not -, but instead the domain directory the certificate is in (here, example.com).

With Let’s Encrypt certificates, you also do not need to specify the exact file, but can just give the domain folder name:

~$ alnitak print 311:example.com

which will print:

example.com 3 1 1 123456789abcdef0... /etc/letsencrypt/live/example.com/cert.pem

This is the certificate data for the relevant file in the live directory. If you want to print certificate data for all the archive certificates, then you can specify that the archive directory certificates are intended as follows:

~$ alnitak print 302:archive/example.com

which will print:

example.com 3 0 2 123456789abcdef0... /etc/letsencrypt/archive/example.com/cert1.pem
example.com 3 0 2 23456789abcdef01... /etc/letsencrypt/archive/example.com/cert2.pem
example.com 3 0 2 3456789abcdef012... /etc/letsencrypt/archive/example.com/cert3.pem
...

Flags¶

The program accepts the following flags. Not every flag is available in every mode. Pass:

~$ alnitak [mode] --help

to see which flags are accepted by which mode.

configuration file¶

-c CONFIG, --config CONFIG

Will read the configuration specified instead of the default /etc/alnitak.conf.

letsencrypt directory¶

-C DIR, --letsencrypt-directory DIR

Will set the directory the Let’s Encrypt live and archive certificate directories are to be located in to DIR instead of the default /etc/letsencrypt/. This can also be set in the configuration file itself via the command:

letsencrpyt_directory = DIR

dane directory¶

-D DIR, --dane-directory DIR

Will set the directory the dane certificates are to be found in to be DIR instead of the default /etc/alnitak/dane. You may set this to any value you wish, as long as you are consistent, but the default value will normally suffice. This can also be set in the configuration file itself via the command:

dane_directory = DIR

log file¶

-l LOG, --log LOG

Output to log file LOG instead of the default /var/log/alnitak.log. If LOG is a directory, it will log to LOG/alnitak.log. If LOG is given the value - or stdout, then output to stdout instead of to a log file. If LOG is given the value no, then disable logging. (To use any of these special values as literal file names, give them as relative paths; e.g. ./stdout.) See Logging for more details.

log level¶

-L LEVEL, --level LEVEL

Set the level of logging to be performed. The allowed values are no, normal (the default value), verbose and debug. (See Logging for more details on the behaviour of these values.) The logging level can also be set in the configuration file via the command:

log_level = LEVEL

but note that if set in the configuration file, the logging level that is set will not apply to the logging output that might be produced by parsing the configuration file itself. This is not often an issue, but if configuration file output is desired, then the logging level must be set at the command-line.

ttl¶

-t SEC, --ttl SEC

Set the time-to-live value to SEC seconds. The time-to-live value is the maximum time before which no switch to using the renewed certificate is allowed after the TLSA record for the new certificate has been published. In effect, this is the minumum time allotted for the new DNS record to be allowed to propogate before we switch to using the new certificate. The default value of 86400 seconds (1 day) is quite conservative, but should not cause any problems. The danger with setting too low a value is the risk in offering a certificate for which the user’s DNS responses do not serve the new TLSA record, and so DANE authentication will fail. Regardless, any value between 0 and 604800 (7 days), inclusive, is allowed.

quiet¶

-q, --quiet

Do not print any output to stdout or stderr. Error messages from command-line errors are not included: they will always be printed to stderr.

Exit Codes¶

The program will exit with the following codes:

0: program executed without errors.
1: program encountered errors during execution.
2: command-line errors.
3: syntax errors in the configuration file.
4: error in creating a lock file: program aborted.
15: another instance of the program is already running.

If there has been a problem in writing output (e.g. to the logfile), the exit codes above will be increased in value by 16.

Running¶

Modes¶

default¶

pre¶

deploy¶

reset¶

init¶

configtest¶

print¶

Flags¶

configuration file¶

letsencrypt directory¶

dane directory¶

log file¶

log level¶

ttl¶

quiet¶

Exit Codes¶

Table of Contents

Previous topic

Next topic

This Page