coolaj86/greenlock-cli.js
1
0
Fork 0
Code Issues 4 Pull Requests Releases Activity

Compare commits

base: coolaj86:b9c5a26047cece5172c98843aecccfcbb5ee498c
Branches Tags
coolaj86:master
coolaj86:v3
coolaj86:v2.3
coolaj86:greenlock
coolaj86:v1.x
coolaj86:pull/11/master
coolaj86:v2.3.3
coolaj86:v2.3.2
coolaj86:v2.3.1
coolaj86:v2.3.0
coolaj86:v2.2.13
coolaj86:v2.2.12
coolaj86:v2.2.11
coolaj86:v2.2.9
coolaj86:v2.2.8
coolaj86:v2.2.7
coolaj86:v2.2.6
coolaj86:v2.2.5
coolaj86:v2.2.4
coolaj86:v2.2.3
coolaj86:v2.2.2
coolaj86:v2.2.1
coolaj86:v2.1.3
coolaj86:v2.1.2
coolaj86:v2.1.1
coolaj86:v2.1.0
coolaj86:v2.0.0
coolaj86:v1.0.8
coolaj86:v1.0.7
coolaj86:v1.0.6
coolaj86:v1.0.5
coolaj86:v1.0.4
coolaj86:v1.0.3
coolaj86:v1.0.2
coolaj86:v1.0.1
coolaj86:v1.0.0
..
compare: coolaj86:076528320b557aa93929ee70a6fd4cb98c2d720c
Branches Tags
coolaj86:master
coolaj86:v3
coolaj86:v2.3
coolaj86:greenlock
coolaj86:v1.x
coolaj86:pull/11/master
coolaj86:v2.3.3
coolaj86:v2.3.2
coolaj86:v2.3.1
coolaj86:v2.3.0
coolaj86:v2.2.13
coolaj86:v2.2.12
coolaj86:v2.2.11
coolaj86:v2.2.9
coolaj86:v2.2.8
coolaj86:v2.2.7
coolaj86:v2.2.6
coolaj86:v2.2.5
coolaj86:v2.2.4
coolaj86:v2.2.3
coolaj86:v2.2.2
coolaj86:v2.2.1
coolaj86:v2.1.3
coolaj86:v2.1.2
coolaj86:v2.1.1
coolaj86:v2.1.0
coolaj86:v2.0.0
coolaj86:v1.0.8
coolaj86:v1.0.7
coolaj86:v1.0.6
coolaj86:v1.0.5
coolaj86:v1.0.4
coolaj86:v1.0.3
coolaj86:v1.0.2
coolaj86:v1.0.1
coolaj86:v1.0.0

No commits in common. "b9c5a26047cece5172c98843aecccfcbb5ee498c" and "076528320b557aa93929ee70a6fd4cb98c2d720c" have entirely different histories.
b9c5a26047 ... 076528320b

6 changed files with 197 additions and 377 deletions
Show Stats Expand all files Collapse all files

267
README.md
View File

@ -9,7 +9,6 @@ Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple<br>
!["Lifetime Downloads"](https://img.shields.io/npm/dt/greenlock.svg "Lifetime Download Count can't be shown")
!["Monthly Downloads"](https://img.shields.io/npm/dm/greenlock.svg "Monthly Download Count can't be shown")
!["Weekly Downloads"](https://img.shields.io/npm/dw/greenlock.svg "Weekly Download Count can't be shown")
!["Stackoverflow Questions"](https://img.shields.io/stackexchange/stackoverflow/t/greenlock.svg "S.O. Question count can't be shown")
| Sponsored by [ppl](https://ppl.family)
| **Greenlock for Web Servers**
@ -27,202 +26,168 @@ Features
- [x] One-off standalone registration / renewal
- [x] On-the-fly registration / renewal via webroot
Install
=======
## Install Node
Mac & Linux
-----------
For **Windows**:
Open Terminal and run this install script:
Choose **Stable** from <https://nodejs.org/en/>
For Linux and **OS X**:
```
curl -L bit.ly/nodejs-min | bash
```
# Install Greenlock
```bash
curl -fsS https://get.greenlock.app/ | bash
npm install -g greenlock-cli@2.x
```
This will install greenlock to `/opt/greenlock` and put a symlink to
`/opt/greenlock/bin/greenlock` in `/usr/local/bin/greenlock` for convenience.
## Usage
You can customize the installation:
These commands are shown using the **testing server**.
Want to use the **live server**?
1. change server to `--server https://acme-v01.api.letsencrypt.org/directory`
**Note**: This has really only been tested with single domains so if
multiple domains doesn't work for you, file a bug.
### Standalone (primarily for testing)
You can run standalone mode to get a cert **on the server**. You either use an
http-01 challenge (the default) on port 80. Like so:
```bash
export NODEJS_VER=v8.11.1
export GREENLOCK_PATH=/opt/greenlock
curl -fsS https://get.greenlock.app/ | bash
greenlock certonly \
--agree-tos --email john.doe@example.com \
--standalone \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory \
--config-dir ~/letsencrypt/etc
```
This will change which version of node.js is bundled with greenlock
and the path to which greenlock installs.
Windows & Node.js
-----------------
1. Install [node.js](https://nodejs.org)
2. Open _Node.js_
2. Run the command `npm install -g greenlock-cli`
Usage
=====
We have a few different examples of issuing SSL certificates:
* Standalone (testing): Issue a one-off certificate
* Webroot (production): Automatic certificate renewal for Apache, Nginx, HAProxy, etc
* Manual (debugging): Go through the certificate proccess step-by-step
<!-- * Server (production): Leave it all to Greenlock -->
**Important Note**: Staging vs Production
Each of these examples are using the **staging server**.
Once you've successfully gotten certificates with the staging server
you must **delete** `--config-dir` (i.e. `rm -rf ~/acme`) and then
switch to the **production server**.
Then you can see your certs at `~/letsencrypt/etc/live`.
```
--acme-version draft-11 --server https://acme-v02.api.letsencrypt.org/directory \
ls ~/letsencrypt/etc/live
```
## Standalone
This option is great for testing, but since it requires the use of
the same ports that your webserver needs, it isn't a good choice
for production.
<small>**primarily for testing**</small>
### WebRoot
You can run in standalone mode **on your server** and get a cert instantly.
You can specify the path to where you keep your `index.html` with `webroot`, as
long as your server is serving plain HTTP on port 80.
Note: No other webserver may be running at the time (use Webroot mode for that).
For example, if I want to get a domain for `example.com` and my `index.html` is
at `/srv/www/example.com`, then I would use this command:
```bash
sudo greenlock certonly --standalone \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com,www.example.com \
--community-member \
--config-dir ~/acme/etc
sudo greenlock certonly \
--agree-tos --email john.doe@example.com \
--webroot --webroot-path /srv/www/example.com \
--config-dir /etc/letsencrypt \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory
```
## WebRoot
Note that we use `sudo` because in this example we are using `/etc/letsencrypt`
as the cert directory rather than `~/letsencrypt/etc`, which we used in the previous example.
<small>**for testing and production**</small>
Then see your brand new shiny certs:
With this method you must use **your existing http (port 80) server** (Apache, Nginx, HAProxy, etc).
You will specify the **path or template path** to your `public_html` or `www` webroot.
For example:
* I want to get an SSL cert for `example.com`
* `index.html` lives at `/srv/www/example.com`
* I would use this command:
```bash
sudo greenlock certonly --webroot \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com \
--community-member \
--root /srv/www/example.com \
--config-dir ~/acme/etc
```
ls /etc/letsencrypt/live/
```
Now let's say that
You can use a cron job to run the script above every 80 days (the certificates expire after 90 days)
so that you always have fresh certificates.
* I have many sites in `/srv/www/`, all by their name
* I already store my ssl certs in the format `/etc/apache/ssl/:hostname/{key.pem,ssl.crt}`
* I'll run this command instead:
```bash
sudo greenlock certonly --webroot \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com,whatever.com,foobar.net \
--community-member \
--root "/srv/www/:hostname" \
--privkey-path "/etc/apache/ssl/:hostname/key.pem" \
--fullchain-path "/etc/apache/ssl/:hostname/ssl.crt" \
--config-dir ~/acme/etc
```
### Run with cron
Those commands are safe to be run **daily** with cron.
The certificates will automatically renew 2 weeks before expiring.
## Interactive
<small>**primarily for debugging**</small>
### Interactive (for debugging)
The token (for all challenge types) and keyAuthorization (only for https-01)
will be printed to the screen and you will be given time to copy it wherever
(file, dns record, database, etc) and the process will complete once you hit `enter`.
```bash
sudo greenlock certonly --manual \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com \
--community-member \
--config-dir ~/acme/etc
sudo greenlock certonly \
--agree-tos --email john.doe@example.com \
--manual
--config-dir /etc/letsencrypt \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory
```
Certificate Locations
=====================
Then you can see your certs at `~/acme/etc/live`.
```
~/acme/etc/
└── example.com
├── cert.pem
├── chain.pem
├── fullchain.pem (Apache, Nginx, node.js)
├── privkey.pem (Apache, Nginx, node.js)
└── bundle.pem (HAProxy)
```
## Run without root (no sudo)
`sudo` is used to allow greenlock to use port 80 and write to httpd-owned directories.
Allow greenlock to bind on system ports without root:
## Test with a free domain
```bash
sudo setcap cap_net_bind_service=+ep /opt/greenlock/bin/node
# Install Daplie DNS
npm install -g ddns-cli
# see terms of use
ddns --help
# agree to terms and get domain
ddns --random --email user@example.com --agree
# the default is to use the ip address from which
# you can the command, but you can also assign the
# ip manually
ddns --random --email user@example.com --agree -a '127.0.0.1'
```
To allow greenlock to write to folders owned by another user, set it to run as that user.
Example domain:
Otherwise, you can change the permissions on the folders, which is
**probably a BAD IDEA**. Probabry a **security risk**.
But since some of you are going to do it anyway I might as well tell you how:
```
rubber-duck-42.daplie.me
```
## Run without Root
If you'd like to allow node.js to use privileged ports `80` and `443`
(and everything under 1024 really) without being run as `root` or `sudo`,
you can use `setcap` to do so. (it may need to be run any time you reinstall node as well)
```bash
sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
```
By default `node-greenlock` assumes your home directory `~/letsencrypt/`, but if
you really want to use `/etc/letsencrypt`, `/var/lib/letsencrypt/`, and `/var/log/letsencrypt`
you could change the permissions on them. **Probably a BAD IDEA**. Probabry a security risk.
```
# PROBABLY A BAD IDEA
sudo chown -R $(whoami) /etc/ssl /etc/acme
sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
```
Command Line Options
====================
## Command Line Options
```
Usage:
greenlock [OPTIONS] [ARGS]
Options:
--acme-version [STRING] 'draft-11' for Let's Encrypt v2 or 'v01' for Let's Encrypt v1. (default: null)
--acme-url [URL] Directory URL for ACME API. Let's Encrypt URLs are:
draft-11
https://acme-staging-v02.api.letsencrypt.org/directory
https://acme-v02.api.letsencrypt.org/directory
v01
https://acme-staging.api.letsencrypt.org/directory
https://acme-v01.api.letsencrypt.org/directory
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
--email EMAIL Email used for registration and recovery contact. (default: null)
--agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement
--community-member Submit stats to and receive updates from Greenlock
--domains HOSTNAME Domain names to apply. For multiple domains you can enter a comma
--domains URL Domain names to apply. For multiple domains you can enter a comma
separated list of domains as a parameter. (default: [])
--renew-within [NUMBER] Renew certificates this many days before expiry. (default: 10)
--renew-within [NUMBER] Renew certificates this many days before expiry. (default: 7)
--duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is
an early renewal.
--rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048)
--cert-path STRING Path to where new cert.pem is saved
(Default is :conf/live/:hostname/cert.pem)
@ -233,9 +198,6 @@ Options:
--chain-path [STRING] Path to where new chain.pem is saved
(Default is :conf/live/:hostname/chain.pem)
--bundle-path [STRING] Path to where new bundle.pem (fullchain + privkey) is saved
(Default is :conf/live/:hostname/bundle.pem)
--domain-key-path STRING Path to privkey.pem to use for domain (default: generate new)
--account-key-path STRING Path to privkey.pem to use for account (default: generate new)
@ -252,26 +214,13 @@ Options:
--manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter,
giving you time to copy it somewhere before continuing. (Default is false)
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
--debug BOOLEAN show traces and logs
-h, --help Display help and usage details
```
Certbot Command Line Options
============================
These options are maintained for compatability with certbot:
```
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
--duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is
an early renewal.
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
```
Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.

93
bin/greenlock.js
View File

@ -5,67 +5,49 @@ var cli = require('cli');
var mkdirp = require('mkdirp');
cli.parse({
'acme-version':
[ false, " ACME / Let's Encrypt version. v01 or draft-11 (aka v02)", 'string', 'draft-11' ]
, 'acme-url':
[ false, " ACME Directory Resource URL", 'string', '' ]
, email:
[ false, " Email used for registration and recovery contact. (default: null)", 'email' ]
server: [ false, " ACME Directory Resource URI.", 'string', '' ]
, email: [ false, " Email used for registration and recovery contact. (default: null)", 'email' ]
, 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ]
, 'community-member': [ false, " Submit stats to and get updates from Greenlock", 'boolean', false ]
, domains:
[ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ]
, domains: [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ]
, 'renew-within': [ false, " Renew certificates this many days before expiry", 'int', 7 ]
, 'cert-path':
[ false, " Path to where new cert.pem is saved", 'string'
, ':configDir/live/:hostname/cert.pem' ]
, 'fullchain-path':
[ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string'
, ':configDir/live/:hostname/fullchain.pem' ]
, 'bundle-path':
[ false, " Path to where new bundle.pem (fullchain + privkey) is saved", 'string'
, ':configDir/live/:hostname/bundle.pem' ]
, 'chain-path':
[ false, " Path to where new chain.pem is saved", 'string'
, ':configDir/live/:hostname/chain.pem' ]
, 'privkey-path':
[ false, " Path to where privkey.pem is saved", 'string'
, ':configDir/live/:hostname/privkey.pem' ]
, 'config-dir':
[ false, " Configuration directory.", 'string'
, '~/letsencrypt/etc/' ]
, duplicate: [ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ]
, 'rsa-key-size': [ false, " Size (in bits) of the RSA key.", 'int', 2048 ]
, 'cert-path': [ false, " Path to where new cert.pem is saved", 'string',':configDir/live/:hostname/cert.pem' ]
, 'fullchain-path': [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string', ':configDir/live/:hostname/fullchain.pem' ]
, 'chain-path': [ false, " Path to where new chain.pem is saved", 'string', ':configDir/live/:hostname/chain.pem' ]
, 'domain-key-path': [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ]
, 'account-key-path': [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ]
, 'config-dir': [ false, " Configuration directory.", 'string', '~/letsencrypt/etc/' ]
, 'tls-sni-01-port': [ false, " Use TLS-SNI-01 challenge type with this port (only port 443 is valid with most production servers)", 'int' ]
, 'http-01-port': [ false, " Use HTTP-01 challenge type with this port (only port 80 is valid with most production servers) (default: 80)", 'int' ]
, 'dns-01': [ false, " Use DNS-01 challange type", 'boolean', false ]
, standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ]
, manual: [ false, " Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (default: false)", 'boolean', false ]
, debug: [ false, " show traces and logs", 'boolean', false ]
, 'root': [ false, " public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)", 'string' ]
//
// backwards compat
//
, duplicate:
[ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ]
, 'rsa-key-size':
[ false, " Size (in bits) of the RSA key.", 'int', 2048 ]
, server:
[ false, " alias of acme-url for certbot compatibility", 'string', '' ]
, 'domain-key-path':
[ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ]
, 'account-key-path':
[ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ]
, webroot: [ false, " for certbot compatibility", 'boolean', false ]
, 'webroot-path': [ false, "alias of '--root' for certbot compatibility", 'string' ]
, webroot: [ false, " Obtain certs by placing files in a webroot directory.", 'boolean', false ]
, 'webroot-path': [ false, " public_html / webroot path.", 'string' ]
, hooks: [ false, " Obtain certs with hooks that configure a webserver to meet TLS-SNI-01 challenges.", 'boolean', false ]
, 'hooks-path': [ false, " Path in which to store files for hooks.", 'string' ]
, 'hooks-server': [ false, " Type of webserver to configure.", 'string' ]
, 'hooks-template': [ false, " Template to use for hooks configuration file.", 'string' ]
, 'hooks-bind': [ false, " IP address to use in configuration for hooks.", 'string' ]
, 'hooks-port': [ false, " Port to use in configuration for hooks.", 'string' ]
, 'hooks-webroot': [ false, " Webroot to use in configuration for hooks (e.g. empty dir).", 'string' ]
, 'hooks-pre-enable': [ false, " Hook to check the webserver configuration prior to enabling.", 'string' ]
, 'hooks-enable': [ false, " Hook to enable the webserver configuration.", 'string' ]
, 'hooks-pre-reload': [ false, " Hook to check the webserver configuration prior to reloading.", 'string' ]
, 'hooks-reload': [ false, " Hook to reload the webserver.", 'string' ]
, 'hooks-disable': [ false, " Hook to disable the webserver configuration.", 'string' ]
//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01']
, 'work-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/lib/' ]
, 'logs-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/log/' ]
, debug: [ false, " show traces and logs", 'boolean', false ]
, 'work-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/lib/' ]
, 'logs-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/log/' ]
});
// ignore certonly and extraneous arguments
cli.main(function(_, options) {
console.log('');
var args = {};
var homedir = require('os').homedir();
var homedir = require('homedir')();
Object.keys(options).forEach(function (key) {
var val = options[key];
@ -92,15 +74,20 @@ cli.main(function(_, options) {
args.domains = args.domains.split(',');
}
if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos || !args.acmeVersion || (!args.server && !args.acmeUrl)) {
console.error("\nUsage:\n\ngreenlock certonly --standalone \\");
console.error("\t--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \\");
console.error("\t--agree-tos --email user@example.com --domains example.com \\");
console.error("\t--config-dir ~/acme/etc \\");
if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos) {
console.error("\nUsage: greenlock certonly --standalone --domains example.com --email user@example.com --agree-tos");
console.error("\nSee greenlock --help for more details\n");
return;
}
if (args.tlsSni01Port) {
// [@agnat]: Coerce to string. cli returns a number although we request a string.
args.tlsSni01Port = "" + args.tlsSni01Port;
args.tlsSni01Port = args.tlsSni01Port.split(',').map(function (port) {
return parseInt(port, 10);
});
}
if (args.http01Port) {
// [@agnat]: Coerce to string. cli returns a number although we request a string.
args.http01Port = "" + args.http01Port;

56
index.js
View File

@ -2,21 +2,22 @@
var DAY = 24 * 60 * 60 * 1000;
var Greenlock = require('greenlock');
var LE = require('greenlock');
module.exports.run = function (args) {
var leChallenge;
var leStore;
var servers;
var USE_DNS = {};
var challengeType;
args.acmeUrl = args.server = (args.acmeUrl || args.server);
args.root = args.webrootPath = (args.root || args.webrootPath);
var challengeType;
if (args.dns01) {
challengeType = 'dns-01';
args.webrootPath = '';
args.standalone = USE_DNS;
} else if (args.tlsSni01Port || args.hooks) {
challengeType = 'tls-sni-01';
args.webrootPath = '';
} else /*if (args.http01Port)*/ {
challengeType = 'http-01';
}
@ -24,43 +25,57 @@ module.exports.run = function (args) {
if (args.manual) {
leChallenge = require('le-challenge-manual').create({});
}
else if (args.hooks) {
leChallenge = require('le-challenge-hooks').create({
hooksPath: args.hooksPath
, hooksServer: args.hooksServer
, hooksTemplate: args.hooksTemplate
, hooksBind: args.hooksBind
, hooksPort: args.hooksPort
, hooksWebroot: args.hooksWebroot
, hooksPreEnable: args.hooksPreEnable
, hooksEnable: args.hooksEnable
, hooksPreReload: args.hooksPreReload
, hooksReload: args.hooksReload
, hooksDisable: args.hooksDisable
});
}
else if (args.webrootPath) {
// webrootPath is all that really matters here
// TODO rename le-challenge-fs to le-challenge-webroot
leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath });
}
else if (args.tlsSni01Port) {
leChallenge = require('le-challenge-sni').create({});
servers = require('./lib/servers').create(leChallenge);
}
else if (USE_DNS !== args.standalone) {
leChallenge = require('le-challenge-standalone').create({});
servers = require('./lib/servers').create(leChallenge);
}
var privkeyPath = args.privkeyPath || args.domainKeyPath || ':configDir/live/:hostname/privkey.pem'; //args.privkeyPath
var privkeyPath = args.domainKeyPath || ':configDir/live/:hostname/privkey.pem'; //args.privkeyPath
leStore = require('le-store-certbot').create({
configDir: args.configDir
, privkeyPath: privkeyPath
, fullchainPath: args.fullchainPath
, certPath: args.certPath
, chainPath: args.chainPath
, bundlePath: args.bundlePath
, webrootPath: args.root
, webrootPath: args.webrootPath
, domainKeyPath: args.domainKeyPath
, accountKeyPath: args.accountKeyPath
});
if (!args.acmeUrl) {
throw new Error("You must specify the ACME server url with --acme-url");
}
if (!args.acmeVersion) {
throw new Error("You must specify the ACME API version with --acme-version");
if (!args.server) {
throw new Error("You must specify a server to use with --server");
}
// let Greenlock know that we're handling standalone / webroot here
// let LE know that we're handling standalone / webroot here
var leChallenges = {};
leChallenges[challengeType] = leChallenge;
var greenlock = Greenlock.create({
var le = LE.create({
debug: args.debug
, server: args.acmeUrl
, version: args.acmeVersion
, server: args.server
, store: leStore
, challenges: leChallenges
, renewWithin: args.renewWithin * DAY
@ -71,7 +86,7 @@ module.exports.run = function (args) {
if (args.tlsSni01Port) {
servers.startServers(
[], args.tlsSni01Port
, { debug: args.debug, tlsOptions: greenlock.tlsOptions }
, { debug: args.debug, httpsOptions: le.httpsOptions }
);
}
else {
@ -83,11 +98,10 @@ module.exports.run = function (args) {
}
// Note: can't use args directly as null values will overwrite template values
return greenlock.register({
return le.register({
debug: args.debug
, email: args.email
, agreeTos: args.agreeTos
, communityMember: args.communityMember
, domains: args.domains
, rsaKeySize: args.rsaKeySize
, challengeType: challengeType
@ -120,12 +134,10 @@ module.exports.run = function (args) {
console.log('Certificates installed at:');
console.log(
[
// args.privkeyPath
args.certPath
, args.chainPath
, args.fullchainPath
, args.bundlePath || ''
].join('\n').replace(/\n+/g, '\n')
].join('\n')
.replace(/:configDir/g, args.configDir)
.replace(/:hostname/g, args.domains[0])
);

128
installer/get.sh
View File

@ -1,128 +0,0 @@
#!/bin/bash
# This is a 3 step process
# 1. First we need to figure out whether to use wget or curl for fetching remote files
# 2. Next we need to figure out whether to use unzip or tar for downloading releases
# 3. We need to actually install the stuff
set -e
set -u
###############################
# #
# http_get #
# boilerplate for curl / wget #
# #
###############################
# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
_my_http_get=""
_my_http_opts=""
_my_http_out=""
detect_http_get()
{
set +e
if type -p curl >/dev/null 2>&1; then
_my_http_get="curl"
_my_http_opts="-fsSL"
_my_http_out="-o"
elif type -p wget >/dev/null 2>&1; then
_my_http_get="wget"
_my_http_opts="--quiet"
_my_http_out="-O"
else
echo "Aborted, could not find curl or wget"
return 7
fi
set -e
}
http_get()
{
$_my_http_get $_my_http_opts $_my_http_out "$2" "$1"
touch "$2"
}
http_bash()
{
_http_url=$1
my_args=${2:-}
rm -rf my-tmp-runner.sh
$_my_http_get $_my_http_opts $_my_http_out my-tmp-runner.sh "$_http_url"; bash my-tmp-runner.sh $my_args; rm my-tmp-runner.sh
}
detect_http_get
###############################
## END HTTP_GET ##
###############################
echo ""
echo ""
echo ""
if [ -z "${GREENLOCK_PATH:-}" ]; then
echo 'GREENLOCK_PATH="'${GREENLOCK_PATH:-}'"'
GREENLOCK_PATH=/opt/greenlock
fi
echo "Installing Greenlock to '$GREENLOCK_PATH'"
echo ""
echo "sudo mkdir -p '$GREENLOCK_PATH'"
sudo mkdir -p "$GREENLOCK_PATH"
echo "sudo chown -R $(whoami) '$GREENLOCK_PATH'"
sudo chown -R $(whoami) "$GREENLOCK_PATH"
# until node v10.x gets fix for ursa we have no advantage to switching from 8.x
export NODEJS_VER=v8.11.1
export NODE_PATH="$GREENLOCK_PATH/lib/node_modules"
export NPM_CONFIG_PREFIX="$GREENLOCK_PATH"
export PATH="$GREENLOCK_PATH/bin:$PATH"
sleep 1
http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps
my_tree="master"
my_node="$GREENLOCK_PATH/bin/node"
my_npm="$my_node $GREENLOCK_PATH/bin/npm"
my_tmp="$GREENLOCK_PATH/tmp"
mkdir -p $my_tmp
echo "blah"
set +e
my_unzip=$(type -p unzip)
my_tar=$(type -p tar)
if [ -n "$my_unzip" ]; then
rm -f $my_tmp/greenlock-$my_tree.zip
http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.zip $my_tmp/greenlock-$my_tree.zip
# -j is the same as --strip 1, it nixes the top-level directory
$my_unzip -j $my_tmp/greenlock-$my_tree.zip -d $GREENLOCK_PATH/
elif [ -n "$my_tar" ]; then
rm -f $my_tmp/greenlock-$my_tree.tar.gz
http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.tar.gz $my_tmp/greenlock-$my_tree.tar.gz
ls -lah $my_tmp/greenlock-$my_tree.tar.gz
$my_tar -xzf $my_tmp/greenlock-$my_tree.tar.gz --strip 1 -C $GREENLOCK_PATH/
else
echo "Neither tar nor unzip found. Abort."
exit 13
fi
set -e
pushd $GREENLOCK_PATH
$my_npm install
popd
cat << EOF > $GREENLOCK_PATH/bin/greenlock
!#/bin/bash
$my_node $GREENLOCK_PATH/bin/greenlock.js
EOF
chmod a+x $GREENLOCK_PATH/bin/greenlock
ln -sf $GREENLOCK_PATH/bin/greenlock /usr/local/bin/greenlock
#sudo setcap cap_net_bind_service=+ep $GREENLOCK_PATH/bin/node
#https://git.coolaj86.com/coolaj86/greenlock-cli.js.git
#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.tar.gz
#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.zip

13
lib/servers.js
View File

@ -7,22 +7,17 @@ module.exports.create = function (challenge) {
_servers: []
, httpResponder: function (req, res) {
console.info(req.method + ' ' + req.headers.host + req.url);
console.log('[LE-CLI] httpResponder');
var acmeChallengePrefix = '/.well-known/acme-challenge/';
if (0 !== req.url.indexOf(acmeChallengePrefix)) {
res.end("Greenlock™ Commandline: https://git.coolaj86.com/coolaj86/greenlock-cli.js");
res.end("Let's Encrypt! Command line tool");
return;
}
var token = req.url.slice(acmeChallengePrefix.length);
challenge.get(NOBJ, req.headers.host.replace(/:.*/, ''), token, function (err, val) {
if (val) {
console.info("Responding with authorization token '" + val + "'");
} else {
console.info("No authorization token found");
}
res.end(val || '_ ERROR challenge not found _');
});
}
@ -30,7 +25,7 @@ module.exports.create = function (challenge) {
, startServers: function (plainPorts, tlsPorts, opts) {
opts = opts || {};
var tlsOptions = opts.tlsOptions || {};
var httpsOptions = opts.httpsOptions || require('localhost.daplie.me-certificates');
var https = require('https');
var http = require('http');
@ -61,7 +56,7 @@ module.exports.create = function (challenge) {
// tls-sni-01-port
tlsPorts.forEach(function (port) {
var server = https.createServer(tlsOptions, servers.httpResponder);
var server = https.createServer(httpsOptions, servers.httpResponder);
servers._servers.push(server);
server.listen(port, function () {

17
package.json
View File

@ -1,6 +1,6 @@
{
"name": "greenlock-cli",
"version": "2.3.0",
"version": "2.2.13",
"description": "CLI for node-greenlock modeled after the official ACME client",
"main": "index.js",
"bin": {
@ -34,11 +34,16 @@
},
"homepage": "https://git.coolaj86.com/coolaj86/greenlock-cli.js",
"dependencies": {
"cli": "^1.0.1",
"greenlock": "^2.2.15",
"le-challenge-manual": "^2.1.0",
"le-challenge-standalone": "^2.1.0",
"le-store-certbot": "^2.1.0",
"cli": "^0.11.1",
"greenlock": "^2.1.16",
"homedir": "^0.6.0",
"le-acme-core": "^2.0.5",
"le-challenge-hooks": "^2.0.0",
"le-challenge-manual": "^2.0.0",
"le-challenge-sni": "^2.0.0",
"le-challenge-standalone": "^2.0.0",
"le-store-certbot": "^2.0.2",
"localhost.daplie.me-certificates": "^1.3.2",
"mkdirp": "^0.5.1"
}
}