@giuliocalzolari
Last active June 13, 2022 07:21
Vault + Let's encrypt integration
# source https://github.com/remilapeyre/vault-acme
# 1. Download the plugin binary and place it in Vault's plugin directory.
wget https://github.com/remilapeyre/vault-acme/releases/download/v0.0.8/linux_amd64.zip -O /tmp/acme.zip
unzip /tmp/acme.zip -d /tmp/
mv /tmp/acme-plugin /opt/vault/plugins/
# Ownership is set with chown (chmod takes a mode, not a user:group).
chown vault:vault /opt/vault/plugins/acme-plugin
sudo setcap cap_ipc_lock=+ep /opt/vault/plugins/acme-plugin
# 2. Register it in the plugin catalog. The sha_256 pins the binary: Vault refuses to
#    run the plugin if the file's hash no longer matches this value.
vault write sys/plugins/catalog/secret/acme sha_256=29b5d33532cd55fddd5de199c4717683ccc3957bf8d8fe645974be984c1abd5a command=acme-plugin
# 3. Mount the secrets engine and cap lease TTLs at 90 days (Let's Encrypt certificate lifetime).
vault secrets enable -path acme -plugin-name acme plugin
vault secrets tune -max-lease-ttl=2160h acme
# in case you use TF https://discuss.hashicorp.com/t/can-i-use-the-terraform-provider-for-vault-to-register-a-plugin-e-g-a-new-db-plugin/13409
resource "vault_generic_endpoint" "acme" {
  disable_read         = false
  disable_delete       = true
  path                 = "sys/plugins/catalog/secret/acme"
  ignore_absent_fields = true
  data_json            = <<EOT
{
  "sha_256": "29b5d33532cd55fddd5de199c4717683ccc3957bf8d8fe645974be984c1abd5a",
  "command": "acme-plugin"
}
EOT
}
# ACME account: Let's Encrypt staging directory, DNS-01 challenges answered through the Route53 hosted zone.
vault write acme/accounts/example_com \
  contact=acme@example.com \
  server_url=https://acme-staging-v02.api.letsencrypt.org/directory \
  terms_of_service_agreed=true \
  provider=route53 \
  ignore_dns_propagation=true \
  provider_configuration=AWS_HOSTED_ZONE_ID=Z3C8BD3RHP4T5Y
# Role: restricts which names may be requested through it (subdomains of example.com only, not the bare domain).
vault write acme/roles/example_com \
  account=example_com \
  allowed_domains=example.com \
  allow_bare_domains=false \
  allow_subdomains=true
# Request a certificate for a name the role allows.
vault write acme/certs/example_com \
  common_name=demo.example.com
# remove it
# vault secrets disable /acme
# vault plugin deregister secret acme
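The sha_256 in the catalog entry above is what stops a swapped or corrupted plugin binary from being loaded; the following added helper (not part of the gist) checks the downloaded file against that hash before ownership is set and the plugin is registered, so a mismatch fails at install time rather than at mount time. PLUGIN_PATH and EXPECTED_SHA256 default to the gist's values; `register_acme_plugin` assumes it runs as root with a logged-in `vault` CLI.

```shell
#!/bin/sh
# Added example: verify the plugin binary's SHA-256 against the value pinned in
# Vault's plugin catalog before registering it. Defaults are the gist's values.
PLUGIN_PATH="${PLUGIN_PATH:-/opt/vault/plugins/acme-plugin}"
EXPECTED_SHA256="${EXPECTED_SHA256:-29b5d33532cd55fddd5de199c4717683ccc3957bf8d8fe645974be984c1abd5a}"

# Print the SHA-256 of a file using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_plugin_checksum FILE EXPECTED: returns 0 on match, 1 if the file is
# missing or its hash differs (both hashes are printed on stderr for triage).
verify_plugin_checksum() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing plugin binary: $file" >&2; return 1; }
  actual="$(file_sha256 "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Register only once the checksum is verified: set vault:vault ownership with
# chown, make the binary non-writable by others, then write the catalog entry
# with the same hash so Vault keeps enforcing it on every plugin start.
register_acme_plugin() {
  verify_plugin_checksum "$PLUGIN_PATH" "$EXPECTED_SHA256" || return 1
  chown vault:vault "$PLUGIN_PATH" && chmod 0755 "$PLUGIN_PATH" || return 1
  vault write sys/plugins/catalog/secret/acme \
    sha_256="$EXPECTED_SHA256" command="$(basename "$PLUGIN_PATH")"
}

# Run the registration only when invoked explicitly: ./check-plugin.sh --register
if [ "${1:-}" = "--register" ]; then
  register_acme_plugin
fi
```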