🎚 Configuration¶

CertBob allows the configuration over enviornment variables:

The settings module of CertBob.

confirm.certbob.settings.APP_SECRET = 'f9ffcf0ada0030398f36b1298350b6f5b7697c67c68ee13c93f0b92e38f0fdd9'¶: The application secret (if not set explicitly, a random 32-char token will be generated).

confirm.certbob.settings.CA_FINGERPRINT = None¶: The fingerprint of the smallstep CA.

confirm.certbob.settings.CA_URL = None¶: The (https) URL of the smallstep CA.

confirm.certbob.settings.COOLDOWN_FILE = '/data/cooldowns.json'¶: The path to the cooldown file.

confirm.certbob.settings.COOLDOWN_TIME = 3600¶: The certificate cooldown period in seconds (defaults to 1 hour).

confirm.certbob.settings.EXAMPLE_SITE = None¶: Optional URL to example site, provided to the user to check his/her client certificate.

confirm.certbob.settings.JWT_ALGORITHM = 'HS256'¶: The JWT algorithm (shouldn’t be changed).

confirm.certbob.settings.JWT_EXPIRATION = 10¶: The expiration of the short-lived JWT token.

confirm.certbob.settings.JWT_SECRET = '33a063d7e9bb8852ff31d6bad9fe6ea6d49229408afbb4226627d219249c64cd'¶: The JWT secret (if not set explicitly, a random 32-char token will be generated).

confirm.certbob.settings.LOCAL_USERS = None¶: Local users in htpasswd format (e.g. user1:$2y$...\nuser2:$2y$...).

confirm.certbob.settings.LOG_LEVEL = 'INFO'¶: The log level (must match one of the Python logging levels).

confirm.certbob.settings.MATTERMOST_TOKEN = None¶: Shared Mattermost token (only required in case Mattermost integration should be activated).

confirm.certbob.settings.OIDC_CLIENT_ID = None¶: The OIDC client ID.

confirm.certbob.settings.OIDC_CLIENT_SECRET = None¶: The OIDC client secret.

confirm.certbob.settings.OIDC_DISCOVERY_URL = None¶: The OIDC discovery URL (e.g. https://sso.example.com/.well-known/openid-configuration).

confirm.certbob.settings.PKCS12_PASSWORD = 'secret'¶: The password / passphrase for the PKCS12 certificate.

confirm.certbob.settings.PROVISIONER_NAME = 'certbob'¶: The provisioner name to issue the certificate.

confirm.certbob.settings.PROVISIONER_PASSWORD = None¶: The provisioner password to issue the certificate.

confirm.certbob.settings.SMTP_AUTO_APPEND_DOMAIN = None¶: Optional domain which should automatically be appended when a user is missing the email.

confirm.certbob.settings.SMTP_FROM = None¶: The sender email address (required when SMTP_HOST is set).

confirm.certbob.settings.SMTP_HOST = 'smtp.confirm.ch'¶: The hostname of the SMTP server (only required in case email should be activated).

confirm.certbob.settings.SMTP_PASSWORD = None¶: Optional password to authenticate on the SMTP server.

confirm.certbob.settings.SMTP_PORT = 465¶: The port of the SMTP server (defaults to 465, which is smtps).

confirm.certbob.settings.SMTP_USERNAME = None¶: Optional username to authenticate on the SMTP server.

confirm.certbob.settings.USE_OPENSSL = False¶: Use OpenSSL instead of the step CLI to generate the PKCS12 cert (see PKCS12 issue).

confirm.certbob.settings.sanity_checks()¶: Run sanity checks of the settings module.