acmecli

Published: Aug 25, 2018 License: MIT Imports: 11 Imported by: 0

README

acme-cli

acme-cli is a shell script interface to the acme-go library. It provides a high-level API to automate ACME interactions, but is not intended as an end-user interface.

Distributed under the MIT license.

Building

go get github.com/tommie/acme-cli
go build src/github.com/tommie/acme-cli/acmeclient/*.go

Examples

Some use-cases for letsencrypt.org.

Setup

The snippets below assume the following variables are set; the values shown are sensible examples. Note that the acme-v01 directory is Let's Encrypt's ACMEv1 endpoint, which has since been retired, and the newreg/updatereg flow documented here is ACMEv1's registration protocol, so you need a server that still speaks it.

CONTACT=me@example.com
DIR=https://acme-v01.api.letsencrypt.org/directory
KEY=myaccount.key
REG=myaccount.txt
CSR=mycert.csr
CERTKEY=mycert.key
CERTBUNDLE=mycertbundle.pem
set -e

Create a new account

To create an account, first create an RSA key:

openssl genrsa -out "$KEY" 2048

Then register it as an account key. This key authorizes every later request for the account, including revocation, so keep it private:

acmeclient -dir="$DIR" -key="$KEY" newreg -contact="$CONTACT" >"$REG"

The ACME server may require you to accept its terms of service, indicated by a Terms-Of-Service header in the registration output. If you see one, read it and, if you agree, set its URI as the agreement:

reg=$(sed 's/^URI: *\(.*\)/\1/ p ; d' <"$REG")
tos=$(sed 's/^Terms-Of-Service: *\(.*\)/\1/ p ; d' <"$REG")
acmeclient -dir="$DIR" -reg="$reg" -key="$KEY" \
  -agreement="$tos" updatereg

Now you have a registered account ready for use.

Issue a certificate

This snippet issues a signed certificate. First create a key and a signing request; the names in the CSR's subject and SAN extension are the ones the server will ask you to prove control of:

openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$CERTKEY" -outform DER -out "$CSR"

Then pass it to the ACME server for authorization and signing:

reg=$(sed 's/^URI: *\(.*\)/\1/ p ; d' <"$REG")
acmeclient -dir="$DIR" -reg="$reg" -key="$KEY" \
  -certformat=chain:pem \
  issuecert "$CSR" ./solver/apachesolver >"$CERTBUNDLE"

We assume the existence of a program called apachesolver. This program must support the API described in issuecert below. Other possible solvers include setting up a proxy for TCP ports 80 and/or 443, configuring another web server or using firewall rules to redirect the TCP ports.

Now you can use $CERTKEY as your server's private key (not $KEY, which is the account key) and $CERTBUNDLE as your certificate, which includes the full chain of CA certificates. Some programs require the end-entity certificate and the CA chain in separate files. openssl x509 reads only the first PEM block of its input, so it extracts the leaf; note that the commonly quoted crl2pkcs7 | pkcs7 -print_certs trick (see source post) re-emits every certificate in the bundle, the leaf included, so it does not by itself separate the chain. Everything after the first block is the chain:

openssl x509 -in "$CERTBUNDLE" -outform PEM -out cert.pem
awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1' "$CERTBUNDLE" >ca-bundle.pem

The files cert.pem and ca-bundle.pem now have what you want. A quick sanity check that the split is right is openssl verify -untrusted ca-bundle.pem cert.pem, which should succeed against the system trust store.

apachesolver

This is an example solver program for Apache web servers, written in Bash. It supports solving the http-01 challenge with cost 1.

For http-01, a file is created in a directory, and Apache is expected to be configured to publish this directory as http://$name/.well-known/acme-challenge. An example configuration is

Alias /.well-known/acme-challenge/ /var/www/localhost/acme-challenge/
<Location "/.well-known/acme-challenge/">
  Options None
  Order allow,deny
  Allow from all
</Location>

This directory should normally be empty. It must be publicly reachable over plain HTTP on port 80, and directory listings are disabled by Options None above. On Apache 2.4 the Order/Allow pair comes from the compatibility module mod_access_compat; the native equivalent is Require all granted.

You can change the paths using environment variables:

  • ACME_CHALLENGE_DIR is where to store the http-01 files.

See the top of the script file for more information.

Commands

help

Show a short version of this documentation.

newreg

Register a new account. -dir and -key are required. Outputs registration URI. If a ToS has to be accepted, its URI is also listed.

reg

Show information about the account registration. -dir, -reg and -key are required.

updatereg

Update an account. -dir, -reg and -key are required. Can be used to e.g. accept the ToS.

issuecert ...

Issue a certificate for a given X.509 certificate signing request in DER format. -dir, -reg, and -key are required. The certificate is output on stdout on success. Use -certformat=chain:pem to output the entire CA chain as a PEM file.

The solver command is executed with environment variables

  • ACME_MODE={cost, solve} Indicating the mode of operation. See below.
  • ACME_ACCOUNT_JWK=<JWK> Being the base64-encoded JSON web key for the current account. This is needed for the proofOfPossession-01 challenge.

In all modes, the solver receives CSV records on stdin, one record per challenge. The final record is empty (an empty line). The first field is the challenge type. Remaining fields depend on the type:

{dns-01, http-01}    <token> <key-authorization>
proofOfPossession-01 <base64-DER-cert>...
tls-alpn-01          <base64-validation-string>

All base64 data use the URL-safe character set in RFC 4648. All CSV records use tab as the field separator and new-line as the record separator.

Mode cost should compute a solving cost for all the challenges combined. It writes the (64-bit float) cost to stdout if it can solve all challenges, and nothing if it cannot solve them.

Mode solve should start solvers for all challenges. It must write one response CSV-record per challenge, once the solver is able to accept validation for that challenge. When stdin is closed, the process must terminate and clean up after the solvers. Responses start with the challenge type, and the formats are

{dns-01, http-01}    <key-authorization>
proofOfPossession-01 <compact-JWS-authorization>
tls-alpn-01

Returning non-zero exit status causes the command to fail.
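To make the protocol above concrete, here is an added example of a solver; it is not the project's apachesolver and not code from the original page. It is a bash script that handles http-01 only, refuses anything else in cost mode, publishes one file per token under ACME_CHALLENGE_DIR (assumed to be served as /.well-known/acme-challenge/ as in the Apache example above), and cleans up when the parent closes stdin. The function names place_challenge, cost_mode and solve_mode are its own.

```bash
#!/usr/bin/env bash
# Added example (not the project's apachesolver): a minimal solver that
# speaks the ProcessSolver protocol described above and handles http-01
# only. Assumption: one file per token is written under
# ACME_CHALLENGE_DIR, which the web server publishes as
# /.well-known/acme-challenge/ (as in the Alias example above).
set -eu

tab=$(printf '\t')
: "${ACME_CHALLENGE_DIR:=/var/www/localhost/acme-challenge}"

# Publish one http-01 challenge: the file named after the token must be
# served at http://<name>/.well-known/acme-challenge/<token> with the key
# authorization as its exact body. Tokens are base64url, so a token that
# is empty, contains "/" or starts with "." is not one; refuse it before
# it can be used to write outside the challenge directory.
place_challenge() {
  local token=$1 keyauth=$2
  case $token in
    ''|*/*|.*) echo "refusing unsafe token: $token" >&2; return 1 ;;
  esac
  mkdir -p "$ACME_CHALLENGE_DIR"
  printf '%s' "$keyauth" >"$ACME_CHALLENGE_DIR/$token"
  chmod 0644 "$ACME_CHALLENGE_DIR/$token"
}

# ACME_MODE=cost: read "type<TAB>token<TAB>key-authorization" records up
# to the blank terminator. Print the combined cost (1) only if every
# challenge is an http-01 we can handle; print nothing otherwise, which
# tells the parent this batch cannot be solved by this solver.
cost_mode() {
  local type token keyauth n=0
  while IFS=$tab read -r type token keyauth; do
    [ -n "$type" ] || break                     # blank trailing record
    if [ "$type" != http-01 ] || [ -z "$token" ] || [ -z "$keyauth" ]; then
      return 0
    fi
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] && printf '1\n'
  return 0
}

# ACME_MODE=solve: publish each challenge, answer with one
# "http-01<TAB>key-authorization" record as soon as it is in place, then
# stay alive until the parent closes stdin (validation is over) and
# remove what was published. A non-zero exit makes issuecert fail.
solve_mode() {
  local type token keyauth placed=
  while IFS=$tab read -r type token keyauth; do
    [ -n "$type" ] || break
    if [ "$type" != http-01 ]; then
      echo "unsupported challenge type: $type" >&2
      return 1
    fi
    place_challenge "$token" "$keyauth"
    placed="$placed $token"
    printf 'http-01%s%s\n' "$tab" "$keyauth"
  done
  cat >/dev/null                                # block until EOF on stdin
  for token in $placed; do
    rm -f "$ACME_CHALLENGE_DIR/$token"
  done
}

# Dispatch on the mode the parent set; do nothing when run without one
# (for example when sourced for testing).
case "${ACME_MODE:-}" in
  cost)  cost_mode ;;
  solve) solve_mode ;;
  '')    ;;
  *)     echo "unknown ACME_MODE: $ACME_MODE" >&2; exit 1 ;;
esac
```

issuecert runs the script twice: first with ACME_MODE=cost to learn whether this solver can take the batch, then with ACME_MODE=solve, keeping stdin open until validation has finished and closing it to trigger cleanup. Because the file body is the key authorization and nothing else, the token check in place_challenge is the only input that ever influences a path.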

certs

List URIs of issued certificates. -dir, -reg and -key are required. Use -v to also display some certificate details in human readable form.

certs ...

Output certificates for the given URIs. -dir, -reg and -key are required. Use -certformat=chain:pem to output the entire CA chain as a PEM file.

revokecert

Revoke the given certificate. -dir, -reg and -key are required.

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ProcessSolver

type ProcessSolver struct {
	// contains filtered or unexported fields
}

A ProcessSolver is an acme.Solver that uses a child process to solve challenges. Note an individual solver may be instantiated multiple times. It is up to calling code and the solver child to block or handle concurrency.

The parent communicates to the child via environment variables, stdin and stdout. ACME_MODE is one of the SolverMode constants. ACME_ACCOUNT_JWK is a base64-encoded jose.JSONWebKey.

For stdin and stdout, CSV with new-line (record) and tab (field) separators are used. stdin receives challenges where the first field is the challenge type. stdout provides responses, also with the first field being the challenge type.

A non-zero exit code will cause the solver to return failure.

func NewProcessSolver

func NewProcessSolver(accKey *jose.JSONWebKey, name string, argv []string, attr *os.ProcAttr) *ProcessSolver

NewProcessSolver creates a new process solver. name, argv and attr follow the os.StartProcess semantics.

func (*ProcessSolver) Cost

func (s *ProcessSolver) Cost(cs []protocol.Challenge) (cost float64, errRet error)

Cost computes the cost of solving the challenges.

It runs the solver in ModeCost, feeds the challenges as CSV records and expects a single float64 on stdout. If stdout is empty, it is assumed the challenges cannot be solved together.

func (*ProcessSolver) Solve

func (s *ProcessSolver) Solve(cs []protocol.Challenge) ([]protocol.Response, func() error, error)

Solve instantiates the solver for the given challenges.

It passes the challenges to the child, emits the blank trailing record and waits for responses. The child must output one response per challenge, in order.

To stop the instance, call the returned stop function. This will close stdin, signaling the child to exit.

type SolverMode

type SolverMode string

A SolverMode is an identifier passed in the ACME_MODE environment variable. It corresponds with acme.Solver methods.

const (
	ModeCost  SolverMode = "cost"
	ModeSolve SolverMode = "solve"
)

Directories

Path Synopsis
acmecli Command acmecli is a shell-script interface to the acme-go library.
