CLI Reference#

The entry point of Certwrangler is the certwrangler command, which is documented below.

certwrangler#

The certwrangler management CLI.

certwrangler [OPTIONS] COMMAND [ARGS]...

Options

--version#

Show the version and exit.

-c, --config <config>#

Config file for certwrangler. Defaults to ${XDG_CONFIG_HOME}/certwrangler.yaml or ~/.config/certwrangler.yaml if ${XDG_CONFIG_HOME} is not set.

Default:

'/github/home/.config/certwrangler.yaml'

-l, --log-level <log_level>#

Logging level for certwrangler.

Default:

'info'

Options:

debug | info | warning | error | critical

-n, --nameserver <nameservers>#

Nameservers that certwrangler should use.

Environment variables

CERTWRANGLER_CONFIG

Provide a default for --config

CERTWRANGLER_LOG_LEVEL

Provide a default for --log-level

CERTWRANGLER_NAMESERVERS

Provide a default for --nameserver

check-config#

Check that the provided config is valid.

certwrangler check-config [OPTIONS]

Options

-i, --initialize#

Initialize state (may create resources, should not be run while daemon is running).

Default:

False

daemon#

Run certwrangler in daemon mode.

certwrangler daemon [OPTIONS]

dev-shell#

Open an IPython shell with a certwrangler context.

certwrangler dev-shell [OPTIONS] [IPYTHON_ARGS]...

Arguments

IPYTHON_ARGS#

Optional argument(s)

run#

Run a single reconcile loop of certwrangler.

certwrangler run [OPTIONS]

state#

Commands for management of Certwrangler’s state.

Certwrangler should not be running while making modifications to the state!

certwrangler state [OPTIONS] COMMAND [ARGS]...

decrypt#

Decrypt all managed state objects.

certwrangler state decrypt [OPTIONS]

delete#

Delete the state for the given entity.

certwrangler state delete [OPTIONS] {account|cert} ENTITY_NAME

Options

-y, --yes#

Don’t prompt for confirmation.

Default:

False

Arguments

ENTITY_CLASS#

Required argument

ENTITY_NAME#

Required argument

encrypt#

Encrypt all managed state objects with the active (first) key.

Already encrypted objects will be re-encrypted with the active key.

certwrangler state encrypt [OPTIONS]

fingerprint#

Print the active (first) encryption key’s fingerprint.

certwrangler state fingerprint [OPTIONS]

generate-key#

Generate a new key used to encrypt the local state.

The new key should be added to the top of the list of encryption keys to make it the active key, example:

state:
  encryption_keys:
    - <new key goes here>
    - <old key to be rotated out>

certwrangler state generate-key [OPTIONS]
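
The rotation flow that generate-key, fingerprint and encrypt describe, as an added example (not part of the Certwrangler documentation): it re-encrypts the state only after confirming that the active key's fingerprint actually changed. The function names are hypothetical, and the script assumes the daemon is stopped, that check-config exits non-zero on an invalid config, and that fingerprint prints the same text for the same key.

```shell
#!/bin/sh
# Added example: guard around `certwrangler state encrypt` during key rotation.
# Operator steps assumed done beforehand (not automated here):
#   1. stop the daemon (state must not be modified while it runs)
#   2. record OLD_FP with: certwrangler --config CONFIG state fingerprint
#   3. run `certwrangler state generate-key` and put the new key FIRST in
#      state.encryption_keys, keeping the old key below it

# Print the active (first) key's fingerprint for the given config file.
active_fingerprint() {
    certwrangler --config "$1" state fingerprint
}

# rotate_reencrypt CONFIG OLD_FP
# Returns 2 if the config is invalid, 3 if the active key did not change,
# 4 if re-encryption failed. On success prints the new fingerprint.
rotate_reencrypt() {
    config=$1
    old_fp=$2

    # Assumption: check-config signals an invalid config via its exit status.
    certwrangler --config "$config" check-config >/dev/null || {
        echo "config invalid, state left untouched" >&2
        return 2
    }

    new_fp=$(active_fingerprint "$config") || return 2

    # If the fingerprint is unchanged, the new key is not at the top of the
    # list and `state encrypt` would just re-encrypt with the old key.
    if [ -z "$new_fp" ] || [ "$new_fp" = "$old_fp" ]; then
        echo "active key unchanged; new key is not first in the list" >&2
        return 3
    fi

    # Re-encrypt every managed state object with the new active key.
    # Command output goes to stderr so stdout carries only the fingerprint.
    certwrangler --config "$config" state encrypt >&2 || return 4

    echo "$new_fp"
}
```

Remove the old key from the list only after this returns success, since until then some state objects may still be encrypted with it.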

list#

List entities in the state manager.

This includes orphaned entities that are not in the config.

certwrangler state list [OPTIONS]

Options

-o, --orphaned#

Only list orphaned states.

Default:

False

show#

Show the specified entity’s state.

WARNING: This command will output sensitive information!

certwrangler state show [OPTIONS] {account|cert} ENTITY_NAME

Arguments

ENTITY_CLASS#

Required argument

ENTITY_NAME#

Required argument