Merge remote-tracking branch 'upstream/master'

.gitignore

@@ -5,4 +5,4 @@ config
 hook.sh
 certs/*
 archive/*
-.acme-challenges/*
+accounts/*

CHANGELOG

@@ -5,6 +5,21 @@ This file contains a log of major changes in letsencrypt.sh
 ## Changed
 - Config is now named `config` instead of `config.sh`!
 - Location of domains.txt is now configurable via DOMAINS_TXT config variable
+- Location of certs directory is now configurable via CERTDIR config variable
+- signcsr command now also outputs chain certificate if --full-chain/-fc is set
+- Location of account-key(s) changed
+- Default WELLKNOWN location is now `/var/www/letsencrypt`
+- New version of Let's Encrypt Subscriber Agreement
+
+## Added
+- Added option to add CSR-flag indicating OCSP stapling to be mandatory
+- Initial support for configuration on per-certificate base
+- Support for per-CA account keys and custom config for output cert directory, license, etc.
+- Added option to select IP version of name to address resolution
+- Added option to run letsencrypt.sh without locks
+
+## Fixed
+- letsencrypt.sh no longer stores account keys from invalid registrations
 
 ## [0.2.0] - 2016-05-22
 ### Changed

README.md

@@ -41,11 +41,18 @@ Commands:
  --env (-e)                       Output configuration variables for use in other scripts
 
 Parameters:
+ --full-chain (-fc)               Print full chain when using --signcsr
+ --ipv4 (-4)                      Resolve names to IPv4 addresses only
+ --ipv6 (-6)                      Resolve names to IPv6 addresses only
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
+ --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
  --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
+ --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
  --config (-f) path/to/config     Use specified config file
  --hook (-k) path/to/hook.sh      Use specified script for hooks
+ --out (-o) certs/directory       Output certificates into the specified directory
  --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
  --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
 ```

docs/ecc.md

 ### Elliptic Curve Cryptography (ECC)
 
 This script also supports certificates with Elliptic Curve public keys!
-Be aware that at the moment this is not available on the production servers from letsencrypt.
-Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.
+Simply set the `KEY_ALGO` variable in one of the config files.

docs/examples/config

@@ -10,11 +10,16 @@
 # Default values of this config are in comments        #
 ########################################################
 
+# Resolve names to addresses of IP version only. (curl)
+# supported values: 4, 6
+# default: <unset>
+#IP_VERSION=
+
 # Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
 #CA="https://acme-v01.api.letsencrypt.org/directory"
 
-# Path to license agreement (default: https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf)
-#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
+# Path to license agreement (default: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
+#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
 
 # Which challenge should be used? Currently http-01 and dns-01 are supported
 #CHALLENGETYPE="http-01"
@@ -31,14 +36,14 @@
 # File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
 #DOMAINS_TXT="${BASEDIR}/domains.txt"
 
-# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
-#WELLKNOWN="${BASEDIR}/.acme-challenges"
+# Output directory for generated certificates
+#CERTDIR="${BASEDIR}/certs"
 
-# Location of private account key (default: $BASEDIR/private_key.pem)
-#ACCOUNT_KEY="${BASEDIR}/private_key.pem"
+# Directory for account keys and registration information
+#ACCOUNTDIR="${BASEDIR}/accounts"
 
-# Location of private account registration information (default: $BASEDIR/private_key.json)
-#ACCOUNT_KEY_JSON="${BASEDIR}/private_key.json"
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/letsencrypt)
+#WELLKNOWN="/var/www/letsencrypt"
 
 # Default keysize for private keys (default: 4096)
 #KEYSIZE="4096"
@@ -75,3 +80,6 @@
 
 # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
 #LOCKFILE="${BASEDIR}/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"

docs/per-certificate-config.md

+# Config on per-certificate base
+
+letsencrypt.sh allows a few configuration variables to be set on a per-certificate base.
+
+To use this feature create a `config` file in the certificates output directory (e.g. `certs/example.org/config`).
+
+Currently supported options:
+
+- PRIVATE_KEY_RENEW
+- KEY_ALGO
+- KEYSIZE
+- OCSP_MUST_STAPLE
+- CHALLENGETYPE
+- HOOK
+- HOOK_CHAIN
+- WELLKNOWN
+- OPENSSL_CNF
+- RENEW_DAYS

docs/staging.md

 # Staging
 
-Let’s Encrypt has stringent rate limits in place during the public beta period.
+Let’s Encrypt has stringent rate limits in place.
 
 If you start testing using the production endpoint (which is the default),
 you will quickly hit these limits and find yourself locked out.
@@ -10,6 +10,3 @@ To avoid this, please set the CA property to the Let’s Encrypt staging server
 ```bash
 CA="https://acme-staging.api.letsencrypt.org/directory"
 ```
-
-Please keep in mind that at the time of writing this letsencrypt.sh doesn't have support for registration management,
-so if you change CA you'll have to move your `private_key.pem` (and, if you care, `private_key.json`) out of the way.

docs/wellknown.md

@@ -54,3 +54,15 @@ Alias /.well-known/acme-challenge /var/www/letsencrypt
         </IfModule>
 </Directory>
 ```
+
+### Lighttpd example config
+
+With Lighttpd just add this to your config and it should work in any VHost:
+
+```lighttpd
+modules += "alias"
+
+alias.url += (
+ "/.well-known/acme-challenge/" => "/var/www/letsencrypt/"
+)
+```

test.sh

@@ -114,7 +114,7 @@ _CHECK_ERRORLOG
 _TEST "First run in cron mode, checking if private key is generated and registered"
 ./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
 _CHECK_LOG "Registering account key"
-_CHECK_FILE "private_key.pem"
+_CHECK_FILE accounts/*/account_key.pem
 _CHECK_ERRORLOG
 
 # Temporarily move config out of the way and try signing certificate by using temporary config location
@@ -131,10 +131,6 @@ _CHECK_LOG "Done!"
 _CHECK_ERRORLOG
 mv tmp_config config
 
-# Move private key and add new location to config
-mv private_key.pem account_key.pem
-echo 'PRIVATE_KEY="./account_key.pem"' >> config
-
 # Add third domain to command-lime, should force renewal.
 _TEST "Run in cron mode again, this time adding third domain, should force renewal."
 ./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
@@ -184,9 +180,6 @@ _CHECK_LOG "BEGIN CERTIFICATE"
 _CHECK_LOG "END CERTIFICATE"
 _CHECK_NOT_LOG "ERROR"
 
-# Delete account key (not needed anymore)
-rm account_key.pem
-
 # Check if renewal works
 _TEST "Run in cron mode again, to check if renewal works"
 echo 'RENEW_DAYS="300"' >> config