!!!DEPRECATED!!! Please check https://lab.nexedi.com/nexedi/dehydrated-zope-hook instead.

48462209 · Kazuhiko Shiozaki · 86179706 · 86179706 · 86179706 · 86179706
Commit 48462209 authored Sep 19, 2016 by Kazuhiko Shiozaki
7 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
-# Change Log
-This file contains a log of major changes in letsencrypt.sh
-
-## [x.x.x] - xxxx-xx-xx
-## Changed
- Config is now named `config` instead of `config.sh`!
- Location of domains.txt is now configurable via DOMAINS_TXT config variable
- Location of certs directory is now configurable via CERTDIR config variable
- signcsr command now also outputs chain certificate if --full-chain/-fc is set
- Location of account-key(s) changed
- Default WELLKNOWN location is now `/var/www/letsencrypt`
- New version of Let's Encrypt Subscriber Agreement
-
-## Added
- Added option to add CSR-flag indicating OCSP stapling to be mandatory
- Initial support for configuration on per-certificate base
- Support for per-CA account keys and custom config for output cert directory, license, etc.
- Added option to select IP version of name to address resolution
- Added option to run letsencrypt.sh without locks
-
-## Fixed
- letsencrypt.sh no longer stores account keys from invalid registrations
-
-## [0.2.0] - 2016-05-22
-### Changed
- PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
- deploy_cert hook now also has the certificates timestamp as standalone parameter
- Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
- Private keys are now regenerated by default
-
-### Added
- Added documentation to repository
-
-### Fixed
- Fixed bug with uppercase names in domains.txt (script now converts everything to lowercase)
- mktemp no longer uses the deprecated `-t` parameter.
- Compatibility with "pretty" json
-
-## [0.1.0] - 2016-03-25
-### Changed
- This is the first numbered version of letsencrypt.sh
--- a/LICENSE
+++ b/LICENSE
-The MIT License (MIT)
-
-Copyright (c) 2015 Lukas Schauer
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
--- a/README-zope.md
+++ b/README-zope.md
-First, prepare target Zope folder beforehand so that URL like http://example.com/.well-known/acme-challenge/xxx works.
-For example, you can create ".well-known/acme-challenge" in skin folder.
-
-Next, you need to provide Zope's username and password in ~/.netrc like :
-
-```text
-machine example.com
-login zope_username
-password zope_password
-```
-
-You need to prepare "config" file like :
-```text
-# See docs/examples/config for other parameters.
-#
-# We can use any local directory for storing challenge string temporarily.
-WELLKNOWN="${BASEDIR}"
-# We use a special hook script for zope.
-HOOK="${BASEDIR}/zope-hook.sh"
-#This is needed to call hook
-HOOK_CHAIN=yes
-```
-
-You also need "domains.txt" like :
-```text
-www.example.com example.com
-another.example.com
-```
-
-Now you can invoke the script like :
-
-```text
-./letsencrypt.sh -c
-```
-
-And if you have any problems, read https://github.com/lukas2511/letsencrypt.sh/blob/master/docs/troubleshooting.md and read letsencrypt.sh.
--- a/README.md
+++ b/README.md
-# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)
+# DEPRECATED

-This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.
-
-It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed.
-
-Other dependencies are: curl, sed, grep, mktemp (all found on almost any system, curl being the only exception)
-
-Current features:
- Signing of a list of domains
- Signing of a CSR
- Renewal if a certificate is about to expire or SAN (subdomains) changed
- Certificate revocation
-
-Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues.
-Feel free to report any issues you find with this script or contribute by submitting a pullrequest.
-
-### Getting started
-
-For getting started I recommend taking a look at [docs/domains_txt.md](docs/domains_txt.md), [docs/wellknown.md](docs/wellknown.md) and the [Usage](#usage) section on this page (you'll probably only need the `-c` option).
-
-Generally you want to set up your WELLKNOWN path first, and then fill in domains.txt.
-
-**Please note that you should use the staging URL when experimenting with this script to not hit letsencrypts rate limits.** See [docs/staging.md](docs/staging.md).
-
-If you have any problems take a look at our [Troubleshooting](docs/troubleshooting.md) guide.
-
-## Usage:
-
-```text
-Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
-
-Default command: help
-
-Commands:
- --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
- --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
- --revoke (-r) path/to/cert.pem   Revoke specified certificate
- --cleanup (-gc)                  Move unused certificate files to archive directory
- --help (-h)                      Show help text
- --env (-e)                       Output configuration variables for use in other scripts
-
-Parameters:
- --full-chain (-fc)               Print full chain when using --signcsr
- --ipv4 (-4)                      Resolve names to IPv4 addresses only
- --ipv6 (-6)                      Resolve names to IPv6 addresses only
- --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
- --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
- --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
- --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
- --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
- --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
- --config (-f) path/to/config     Use specified config file
- --hook (-k) path/to/hook.sh      Use specified script for hooks
- --out (-o) certs/directory       Output certificates into the specified directory
- --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
- --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
-```
+Please check https://lab.nexedi.com/nexedi/dehydrated-zope-hook instead.
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
--- a/test.sh
+++ b/test.sh
-#!/usr/bin/env bash
-
-# Fail early
-set -eu -o pipefail
-
-# Check if running in CI environment
-if [[ ! "${CI:-false}" == "true" ]]; then
-  echo "ERROR: Not running in CI environment!"
-  exit 1
-fi
-
-_TEST() {
-  echo
-  echo "${1} "
-}
-_SUBTEST() {
-  echo -n " + ${1} "
-}
-_PASS() {
-  echo -e "[\u001B[32mPASS\u001B[0m]"
-}
-_FAIL() {
-  echo -e "[\u001B[31mFAIL\u001B[0m]"
-  echo
-  echo "Problem: ${@}"
-  echo
-  echo "STDOUT:"
-  cat tmplog
-  echo
-  echo "STDERR:"
-  cat errorlog
-  exit 1
-}
-_CHECK_FILE() {
-  _SUBTEST "Checking if file '${1}' exists..."
-  if [[ -e "${1}" ]]; then
-    _PASS
-  else
-    _FAIL "Missing file: ${1}"
-  fi
-}
-_CHECK_LOG() {
-  _SUBTEST "Checking if log contains '${1}'..."
-  if grep -- "${1}" tmplog > /dev/null; then
-    _PASS
-  else
-    _FAIL "Missing in log: ${1}"
-  fi
-}
-_CHECK_NOT_LOG() {
-  _SUBTEST "Checking if log doesn't contain '${1}'..."
-  if grep -- "${1}" tmplog > /dev/null; then
-    _FAIL "Found in log: ${1}"
-  else
-    _PASS
-  fi
-}
-_CHECK_ERRORLOG() {
-  _SUBTEST "Checking if errorlog is empty..."
-  if [[ -z "$(cat errorlog)" ]]; then
-    _PASS
-  else
-    _FAIL "Non-empty errorlog"
-  fi
-}
-
-# If not found (should be cached in travis) download ngrok
-if [[ ! -e "ngrok/ngrok" ]]; then
-  (
-    mkdir -p ngrok
-    cd ngrok
-    wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip
-    unzip ngrok.zip ngrok
-    chmod +x ngrok
-  )
-fi
-
-# Run ngrok and grab temporary url from logfile
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log &
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log &
-sleep 2
-TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)"
-TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
-TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
-if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
-  echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
-  exit 1
-fi
-
-# Run python webserver in .acme-challenges directory to serve challenge responses
-mkdir -p .acme-challenges/.well-known/acme-challenge
-(
-  cd .acme-challenges
-  python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
-) &
-
-# Generate config and create empty domains.txt
-echo 'CA="https://testca.kurz.pw/directory"' > config
-echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config
-echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config
-echo 'RENEW_DAYS="14"' >> config
-touch domains.txt
-
-# Check if help command is working
-_TEST "Checking if help command is working..."
-./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Default command: help"
-_CHECK_LOG "--help (-h)"
-_CHECK_LOG "--domain (-d) domain.tld"
-_CHECK_ERRORLOG
-
-# Run in cron mode with empty domains.txt (should only generate private key and exit)
-_TEST "First run in cron mode, checking if private key is generated and registered"
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Registering account key"
-_CHECK_FILE accounts/*/account_key.pem
-_CHECK_ERRORLOG
-
-# Temporarily move config out of the way and try signing certificate by using temporary config location
-_TEST "Try signing using temporary config location and with domain as command line parameter"
-mv config tmp_config
-./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Challenge is valid!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-mv tmp_config config
-
-# Add third domain to command-lime, should force renewal.
-_TEST "Run in cron mode again, this time adding third domain, should force renewal."
-./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Domain name(s) are not matching!"
-_CHECK_LOG "Forcing renew."
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
-_CHECK_LOG "Challenge is valid!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-
-# Prepare domains.txt
-# Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs
-echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt
-
-# Run in cron mode again (should find a non-expiring certificate and do nothing)
-_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Skipping renew"
-_CHECK_ERRORLOG
-
-# Disable private key renew
-echo 'PRIVATE_KEY_RENEW="no"' >> config
-
-# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
-_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
-./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_NOT_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
-_CHECK_LOG "Challenge is valid!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-
-# Check if signcsr command is working
-_TEST "Running signcsr command"
-./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "BEGIN CERTIFICATE"
-_CHECK_LOG "END CERTIFICATE"
-_CHECK_NOT_LOG "ERROR"
-
-# Check if renewal works
-_TEST "Run in cron mode again, to check if renewal works"
-echo 'RENEW_DAYS="300"' >> config
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Renewing!"
-_CHECK_ERRORLOG
-
-# Check if certificate is valid in various ways
-_TEST "Verifying certificate..."
-_SUBTEST "Verifying certificate on its own..."
-openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL
-_CHECK_LOG "CN=${TMP_URL}"
-_CHECK_LOG "${TMP2_URL}"
-_SUBTEST "Verifying file with full chain..."
-openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
-_SUBTEST "Verifying certificate against CA certificate..."
-(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
-_CHECK_ERRORLOG
-
-# Revoke certificate using certificate key
-_TEST "Revoking certificate..."
-./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
-REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
-_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
-_CHECK_LOG "Done."
-_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
-_CHECK_ERRORLOG
-
-# Test cleanup command
-_TEST "Cleaning up certificates"
-./letsencrypt.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
-_CHECK_ERRORLOG
-
-# All done
-exit 0
--- a/zope-hook.sh
+++ b/zope-hook.sh
-#!/usr/bin/env bash
-set -e
-set -u
-set -o pipefail
-
-domain="${2}"
-token_id="${3}"
-token="${4}"
-
-case "${1}" in
-    "deploy_challenge")
-        statuscode="$(curl -s -k -n -L -o /dev/null -w "%{http_code}" "https://${domain}/.well-known/acme-challenge/manage_addFile?id=${token_id}")"
-        if [[ ! "${statuscode:0:1}" = "2" ]]; then
-            statuscode="$(curl -s -n -L -o /dev/null -w "%{http_code}" "http://${domain}/.well-known/acme-challenge/manage_addFile?id=${token_id}")"
-            if [[ ! "${statuscode:0:1}" = "2" ]]; then
-                echo 'Failed'
-                exit 1
-            fi
-        fi
-        statuscode="$(curl -s -k -n -L -o /dev/null -w "%{http_code}" "https://${domain}/.well-known/acme-challenge/${token_id}/manage_edit?title=&content_type=text/plain&filedata=${token}")"
-        if [[ ! "${statuscode:0:1}" = "2" ]]; then
-            statuscode="$(curl -s -n -L -o /dev/null -w "%{http_code}" "http://${domain}/.well-known/acme-challenge/${token_id}/manage_edit?title=&content_type=text/plain&filedata=${token}")"
-            if [[ ! "${statuscode:0:1}" = "2" ]]; then
-                echo 'Failed'
-                exit 1
-            fi
-        fi
-    ;;
-    "clean_challenge")
-        statuscode="$(curl -s -k -n -L -o /dev/null -w "%{http_code}" "https://${domain}/.well-known/acme-challenge/manage_delObjects?ids:list=${token_id}")"
-        if [[ ! "${statuscode:0:1}" = "2" ]]; then
-            statuscode="$(curl -s -n -L -o /dev/null -w "%{http_code}" "http://${domain}/.well-known/acme-challenge/manage_delObjects?ids:list=${token_id}")"
-            if [[ ! "${statuscode:0:1}" = "2" ]]; then
-                echo 'Failed'
-                exit 1
-            fi
-        fi
-    ;;
-esac
-
-exit 0