🎚 Configuration

CertBob can be configured via environment variables. All settings of CertBob are listed below.

Note

  • Settings marked with 🔴 are explicitly required.

  • Settings marked with ⭕ are implicitly required, but have an overridable default.

confirm.certbob.settings.APP_SECRET = '63c7829b318d013a3e8939fb69880571dadd3bfbf02a3116661b6987c31dcebf'

⭕ The application secret.

Hint

If not set explicitly, a random 32-char token will be generated.

confirm.certbob.settings.CA_FINGERPRINT = None

🔴 The fingerprint of the smallstep CA.

See also

Check out 🏛️ CA on how to get the CA fingerprint.

confirm.certbob.settings.CA_URL = None

🔴 The (https) URL of the smallstep CA.

confirm.certbob.settings.COOLDOWN_FILE = '/data/cooldowns.json'

⭕ The path to the cooldown file.

confirm.certbob.settings.COOLDOWN_TIME = 3600

⭕ The certificate cooldown period in seconds (0 will disable cooldown).

confirm.certbob.settings.CUSTOM_HELP = None

Optional custom help text rendered as an additional paragraph after the install & verification help.

Hint

Markdown formatting is supported.

confirm.certbob.settings.EXAMPLE_SITE = None

Optional URL of an example site, provided to users so they can check their client certificate.

confirm.certbob.settings.JWT_ALGORITHM = 'HS256'

⭕ The JWT algorithm.

Warning

Usually this algorithm shouldn’t be changed.

confirm.certbob.settings.JWT_EXPIRATION = 10

⭕ The expiration of the short-lived JWT token in seconds.

confirm.certbob.settings.JWT_SECRET = '63c7829b318d013a3e8939fb69880571dadd3bfbf02a3116661b6987c31dcebf'

⭕ The JWT secret.

Hint

If not set explicitly, the APP_SECRET is used instead.

confirm.certbob.settings.LOCAL_USERS = None

Local users in htpasswd format (e.g. user1:$2y$...\nuser2:$2y$...).

Hint

For email support, SMTP_AUTO_APPEND_DOMAIN is required.

confirm.certbob.settings.LOG_LEVEL = 'INFO'

⭕ The log level (must match one of the Python logging levels).

confirm.certbob.settings.MATTERMOST_TOKEN = None

Shared Mattermost token generated in Mattermost’s «Slash Command» integration.

Hint

Mattermost doesn’t provide the email address via slash command. Thus, if email support is desired, and usernames don't already match email addresses, SMTP_AUTO_APPEND_DOMAIN is required.

confirm.certbob.settings.OIDC_CLIENT_ID = 'certbob'

The OIDC client ID.

confirm.certbob.settings.OIDC_CLIENT_SECRET = None

The OIDC client secret.

confirm.certbob.settings.OIDC_DISCOVERY_URL = None

The OIDC discovery URL (e.g. https://sso.example.com/.well-known/openid-configuration).

confirm.certbob.settings.PKCS12_PASSWORD = None

The password / passphrase for the PKCS12 certificate.

Hint

When unset, a random password is generated and shown to the user — once per browser session, or once per chat request.

confirm.certbob.settings.PROVISIONER_NAME = 'certbob'

⭕ The provisioner name to issue the certificate.

See also

Check out CA provisioner on how to create a new provisioner in the CA.

confirm.certbob.settings.PROVISIONER_PASSWORD = None

🔴 The provisioner password to issue the certificate.

See also

Check out CA provisioner on how to create a new provisioner in the CA.

confirm.certbob.settings.SMTP_AUTO_APPEND_DOMAIN = None

Domain which should automatically be appended to the username when the email is missing (optional).

confirm.certbob.settings.SMTP_FROM = None

The sender email address.

Hint

This is required when SMTP_HOST is set.

confirm.certbob.settings.SMTP_HOST = 'smtp.confirm.ch'

The hostname of the SMTP server (only required if email should be activated).

confirm.certbob.settings.SMTP_PASSWORD = None

Password to authenticate on the SMTP server (optional).

confirm.certbob.settings.SMTP_PORT = 465

The port of the SMTP server (defaults to 465, which is smtps).

confirm.certbob.settings.SMTP_SECURITY = 'ssl'

SMTP security mode: ssl (implicit TLS, default, port 465), starttls (explicit TLS, port 587), or none (plain, port 25).

confirm.certbob.settings.SMTP_USERNAME = None

Username to authenticate on the SMTP server (optional).

confirm.certbob.settings.USE_OPENSSL = False

Use OpenSSL instead of the step CLI to generate the PKCS12 cert (see 🔐 PKCS #12).

confirm.certbob.settings.sanity_checks()

Run sanity checks of the settings module.
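
A pre-deployment check over the constraints documented on this page, as an added example. It is not CertBob's own `sanity_checks()` implementation, and it assumes the environment variables carry the same names as the settings; `check_settings` and `SAMPLE_ENV` are hypothetical names.

```python
import logging

REQUIRED = ("CA_FINGERPRINT", "CA_URL", "PROVISIONER_PASSWORD")  # marked 🔴
SMTP_MODES = ("ssl", "starttls", "none")


# Assumption: environment variables use the setting names shown on this page.
def check_settings(env):
    """Return (errors, warnings) for a mapping of setting name -> string value."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not env.get(name):
            errors.append(f"{name} is required")
    if env.get("CA_URL") and not env["CA_URL"].lower().startswith("https://"):
        errors.append("CA_URL must be an https URL")
    # Unknown names make getLevelName() return a 'Level X' string, not an int.
    if not isinstance(logging.getLevelName(env.get("LOG_LEVEL", "INFO")), int):
        errors.append("LOG_LEVEL is not a Python logging level")
    for name, default in (("COOLDOWN_TIME", "3600"), ("JWT_EXPIRATION", "10")):
        value = env.get(name, default)
        if not value.isdecimal():
            errors.append(f"{name} must be a non-negative integer (seconds)")
        elif name == "COOLDOWN_TIME" and int(value) == 0:
            warnings.append("COOLDOWN_TIME=0 disables the certificate cooldown")
    if env.get("JWT_ALGORITHM", "HS256") != "HS256":
        warnings.append("JWT_ALGORITHM differs from the default HS256")
    if env.get("SMTP_HOST"):  # email settings only matter once a host is set
        mode = env.get("SMTP_SECURITY", "ssl")
        if not env.get("SMTP_FROM"):
            errors.append("SMTP_FROM is required when SMTP_HOST is set")
        if mode not in SMTP_MODES:
            errors.append("SMTP_SECURITY must be ssl, starttls or none")
        elif mode == "none" and env.get("SMTP_PASSWORD"):
            warnings.append("SMTP_PASSWORD would be sent without TLS")
    return errors, warnings


# Constructed sample environment (placeholder values, not real credentials).
SAMPLE_ENV = {
    "CA_URL": "http://ca.example.com", "CA_FINGERPRINT": "<ca-fingerprint>",
    "COOLDOWN_TIME": "0", "SMTP_HOST": "mail.example.com",
    "SMTP_SECURITY": "none", "SMTP_PASSWORD": "<smtp-password>",
}

if __name__ == "__main__":
    for kind, lines in zip(("ERROR", "WARN"), check_settings(SAMPLE_ENV)):
        for line in lines:
            print(kind + ":", line)
```

To check a real deployment, pass `os.environ` instead of `SAMPLE_ENV`.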