acme-cli 0.6.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2c369f88a826a9465922871deb4fbd8b3c232414
+  data.tar.gz: c706f4fa29eed7d87f3a3e421e4bcd7cea0fa43c
+SHA512:
+  metadata.gz: bcd2a95fea94d400d9e118c8c68034e12ddf0dd9f6e768367c33f8e0d454ab2e187502191c593c820d558e34da91be8898ba5b4c03ec0e44b0d11b871eba3218
+  data.tar.gz: c9dec9b4a406dc85135d1d746e0bffde678d3fdcfe4fc354496bc6203104ff0e459daa18b3703977405f2c7e70195ec0ca61ecee85c1aaa5ddc397466d5507df

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.pem

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+sudo: false
+cache: bundler
+
+rvm:
+  - ruby-head
+  - 2.3.0
+  - 2.2.4
+  # - 2.1
+  # - 2.0
+
+# before_script:
+#   - "bundle exec rake db:schema:load RAILS_ENV=test"
+
+script:
+  - bundle exec rspec
+  # - ./exe/letsencrypt-cli
+

data/CHANGELOG.md

@@ -0,0 +1,83 @@
+# Change Log
+
+## [v0.6.0](https://github.com/zealot128/ruby-acme-cli/tree/v0.6.0)
+
+* Rename to acme-client for trademark reasons (#22)
+
+## [v0.5.0](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.5.0)
+
+* fix for CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591 (Acme::Client::Error::Malformed) https://github.com/zealot128/ruby-letsencrypt-cli/commit/b7fd1d592e9a74905f5067b64e0ac88a526cfeed
+* explicitly require colorize Gem so color support does work https://github.com/zealot128/ruby-letsencrypt-cli/commit/b43510d1be1a495923ea8e27051b3a0bae4e23b0
+
+## [v0.4.1](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.4.1)
+
+*  fix renewing via manage command when certificate is not expired https://github.com/zealot128/ruby-letsencrypt-cli/commit/8e6b9cd4a2b1d0caa7a85d6ead410b98555cb499
+*  require logger in beginning of file
+
+## [v0.4.0](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.4.0)
+
+* New ``--sub-directory`` option to use that instead of first domain name
+* Solves issue #10 -- certificate_exists_and_valid_and_all_domains_included? returns true when cert is expired
+
+## [v0.3.0](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.3.0)
+
+* Certificate creation checks if existing certificate includes all requested domains. If at least one is missing, a new cert will be requested
+* Added Ruby 2.3.0 and Ruby head to the build matrix
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.2.0...v0.3.0)
+
+## [v0.2.0](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.2.0)
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.4...v0.2.0)
+
+**Closed issues:**
+
+- cf1e0d9 Exit code 2, if certificate is still valid
+
+**Merged pull requests:**
+
+- Apply strict permissions on private key [\#4](https://github.com/zealot128/ruby-letsencrypt-cli/pull/4) ([zygiss](https://github.com/zygiss))
+- Fix typo in README [\#2](https://github.com/zealot128/ruby-letsencrypt-cli/pull/2) ([kenrick](https://github.com/kenrick))
+
+## [v0.1.4](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.4) (2015-12-08)
+
+* require higher acme-client version, that generated correct fullchain certs.
+  fullchain.pem is chain.pem + cert.pem, should be cert.pem + chain.pem [\#1](https://github.com/zealot128/ruby-letsencrypt-cli/issues/1)
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.3...v0.1.4)
+
+## [v0.1.3](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.3) (2015-12-06)
+
+* Fixed registration
+* Added various specs
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.2...v0.1.3)
+
+## [v0.1.2](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.2) (2015-12-05)
+
+* Added manage command
+* Improved nginx doc + Ruby installation
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.1...v0.1.2)
+
+## [v0.1.1](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.1) (2015-12-05)
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.0...v0.1.1)
+
+* b654469 new command: check PATH_TO_CERT
+
+## [v0.1.0](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.0) (2015-12-05)
+
+* released first public version
+* added --version flag
+* added explicit production server
+
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.0.beta1...v0.1.0)
+
+## [v0.1.0.beta1](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.0.beta1) (2015-12-05)
+[Full Changelog](https://github.com/zealot128/ruby-letsencrypt-cli/compare/v0.1.0.pre...v0.1.0.beta1)
+
+## [v0.1.0.pre](https://github.com/zealot128/ruby-letsencrypt-cli/tree/v0.1.0.pre) (2015-12-05)
+
+
+\* *This Change Log was (partially) automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in letsencrypt-cli.gemspec
+gemspec :name => 'acme-cli'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 TODO: Write your name
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,170 @@
+# ACME-Cli
+
+[![Build Status](https://travis-ci.org/zealot128/ruby-acme-cli.svg?branch=travis)](https://travis-ci.org/zealot128/ruby-acme-cli)
+[![Gem Version](https://badge.fury.io/rb/acme-cli.svg)](https://badge.fury.io/rb/acme-cli)
+
+Yet another ACME client (e.g. to use together with Letsencrypt CA to issue TLS certs) for command lines using Ruby.
+
+## Installation
+
+* This tool needs Ruby >= 2.1 (as the dependency ``acme-client`` needs that because of use of keyword arguments).
+* OpenSSL bindings
+* no sudo! (needs access to webserver-root ``/.well-known/acme-challenges`` alias for all domains - See later section for Nginx example)
+
+```
+# check your ruby version:
+$ ruby --version
+ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]
+
+$ gem install acme-cli
+
+$ acme-cli --version
+0.2.0
+```
+
+### Troubleshooting Ruby version
+
+Unfortunately, most Linux distributions does not ship a current Ruby version (Version 1.9.3 or 2.0). Check, if your ruby version is at least 2.2. Otherwise you need to update the Ruby.
+
+If you are installing this as a non-root user, you might want to try RVM. Installation itself needs no root, but needs some packages:
+
+```
+sudo apt-get install curl bison build-essential zlib1g-dev libssl-dev libreadline6-dev libxml2-dev libgmp-dev git-core
+```
+
+To install RVM:
+
+```
+gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
+\curl -sSL https://get.rvm.io | bash -s stable  --autolibs=disable --auto-dotfiles
+
+rvm install 2.2
+source ~/.bashrc # or ~/.profile RVM tells you to reload your shell
+
+ruby --version
+```
+
+Notice: If you are using RVM, all your cronjobs must be run as a login shell, otherwise RVM does not work:
+
+```cron
+* * * * * /bin/bash -l -c "acme-cli manage ..."
+```
+
+Another way, e.g. on Ubuntu 14.04 might be to use the [Brightbox ppa](https://www.brightbox.com/blog/2015/01/05/ruby-2-2-0-packages-for-ubuntu/).
+
+## Usage
+
+Specify ``-t`` to use Letsencrypt test server. Without it, all requests are called against the production server, that might have some more strict rate limiting. If you are just toying around, add the -t flag.
+
+```bash
+# show all commands
+
+acme-cli help
+
+# show options for an individual command
+acme-cli help cert
+
+# creates account_key.json in current_dir
+acme-cli register -t myemail@example.com
+
+# authorize one or more domains/subdomains
+acme-cli authorize -t --webroot-path /var/www/default example.com www.example.com somedir.example.com
+
+# experimental: authorize all server_names in /etc/nginx/sites-enabled/*
+acme-cli authorize_all -t --webroot-path /var/www/default
+
+# create a certificate for domains that are already authorized within the last minutes (1h-2h I think)
+# the first domain will be the cn subject. All other are subjectAlternateName
+# if cert.pem already exists, will only create a new one if the old is expired
+# (30 days before expiration) -> see full help
+acme-cli help cert
+
+acme-cli cert -t example.com www.example.com somdir.example.com
+# will create key.pem fullchain.pem chain.pem and cert.pem in current directory
+
+# checks validation date of given certificate.
+# Exists non-zero if:
+# * not exists (exit 1)
+# * will expire in more than 30 days (exit code 2)
+acme-cli check --days-valid 30 cert.pem
+```
+
+
+And last but not least, the meta command ``manage`` that integrated check + authorize + cert (intended to be run as cronjob):
+
+```bash
+$ acme-cli manage --days-valid 30 \
+                       --account-key /home/acme/account_key.pem \
+                       --webroot-path /home/acme/webroot/.well-known/acme-challenge \
+                       --key-directory /home/acme/certs \
+                       example.com www.example.com
+
+2015-12-05 23:40:04 +0100: Certificate /home/acme/certs/example.com/cert.pem does not exists
+2015-12-05 23:40:04 +0100: Authorizing example.com...
+2015-12-05 23:40:04 +0100: existing account key found
+2015-12-05 23:40:06 +0100: Authorization successful for example.com
+2015-12-05 23:40:06 +0100: Authorizing www.example.com
+2015-12-05 23:40:08 +0100: Authorization successful for www.example.com
+2015-12-05 23:40:08 +0100: creating new private key to /home/acme/certs/example.com/key.pem...
+2015-12-05 23:40:09 +0100: Certificate successfully created to /home/acme/certs/example.com/fullchain.pem /home/acme/certs/example.com/chain.pem and /home/acme/certs/example.com/cert.pem!
+2015-12-05 23:40:09 +0100: Certificate valid until: 2016-03-04 21:40:00 UTC
+
+# Run command again exits immediately:
+$ acme-cli manage --days-valid 30 --account-key /home/acme/account_key.pem --webroot-path /home/acme/webroot/.wel
+l-known/acme-challenge --key-directory /home/acme/certs \
+      example.com www.example.com
+2015-12-05 23:40:17 +0100: Certificate '/home/acme/certs/example.com/cert.pem' valid until 2016-03-04.
+$ echo $?
+1
+```
+
+This had:
+
+1. check if /home/acme/certs/example.com/cert.pem exists and expires in less than 30 days (or exit 1 at this point)
+2. authorize all domains + subdomains
+3. issue one certificate with those domains and place it under /home/acme/certs/example.com/[key.pem,fullchain.pem,chain.pem,cert.pem]
+4. exit 0 -> so can be && with ``service nginx reload`` or mail deliver
+
+For running as cron, reducing log level to fatal might be desirable: ``acme-cli manage --log-level fatal``.
+
+## Example integration Nginx:
+
+```nginx
+server {
+  listen 80;
+  server_name example.com www.example.com somedir.example.com
+  location /.well-known/acme-challenge {
+	  alias /home/acme/webroot/.well-known/acme-challenge;
+	  default_type "text/plain";
+	  try_files $uri =404;
+  }
+```
+
+notice the location - alias. Use this dir with ``--webroot-path`` for authorization.
+
+Afterwards, use the fullchain.pem and key.pem:
+
+```nginx
+server {
+  listen 443 ssl;
+  server_name example.com www.example.com;
+  ssl on;
+  ssl_certificate_key /home/acme/certs/example.com/key.pem;
+  ssl_certificate /home/acme/certs/example.com/fullchain.pem;
+
+  # use the settings from: https://gist.github.com/konklone/6532544
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+1. Fork it ( https://github.com/zealot128/ruby-acme-cli/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,6 @@
+require "rake/clean"
+CLOBBER.include "pkg"
+
+require "bundler/gem_helper"
+Bundler::GemHelper.install_tasks name: 'acme-cli'
+

data/acme-cli.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'letsencrypt/cli/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "acme-cli"
+  spec.version       = Letsencrypt::Cli::VERSION
+  spec.authors       = ["Stefan Wienert"]
+  spec.email         = ["stwienert@gmail.com"]
+
+  spec.summary       = %q{slim ACME (e. g. letsencrypt) client for quickly authorizing (multiple) domains and issuing certificates}
+  spec.homepage      = "https://github.com/zealot28/acme-cli"
+  spec.license       = "MIT"
+  spec.required_ruby_version = '>= 2.0.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'acme-client', '>= 0.2.4'
+  spec.add_runtime_dependency 'thor'
+  spec.add_runtime_dependency 'colorize'
+
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'activesupport', '>= 3.0'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'vcr', "~> 3.0"
+  spec.add_development_dependency 'webmock', "~> 1.22"
+  spec.add_development_dependency 'timecop', "~> 0.8"
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "letsencrypt/cli"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/acme-cli

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "letsencrypt-cli"
+
+Letsencrypt::Cli::App.start

data/letsencrypt-cli.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'letsencrypt/cli/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "letsencrypt-cli"
+  spec.version       = Letsencrypt::Cli::VERSION
+  spec.authors       = ["Stefan Wienert"]
+  spec.email         = ["stwienert@gmail.com"]
+
+  spec.summary       = %q{slim letsencrypt client for quickly authorizing (multiple) domains and issuing certificates}
+  spec.homepage      = "https://github.com/zealot128/letsencrypt-cli"
+  spec.license       = "MIT"
+  spec.required_ruby_version = '>= 2.0.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'acme-client', '>= 0.2.4'
+  spec.add_runtime_dependency 'thor'
+  spec.add_runtime_dependency 'colorize'
+
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'activesupport', '>= 3.0'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'vcr', "~> 3.0"
+  spec.add_development_dependency 'webmock', "~> 1.22"
+  spec.add_development_dependency 'timecop', "~> 0.8"
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/lib/letsencrypt-cli.rb

@@ -0,0 +1 @@
+require 'letsencrypt/cli'

data/lib/letsencrypt/cli.rb

@@ -0,0 +1,10 @@
+require "letsencrypt/cli/version"
+require "letsencrypt/cli/acme_wrapper"
+require "letsencrypt/cli/app"
+
+
+module Letsencrypt
+  module Cli
+    # Your code goes here...
+  end
+end

data/lib/letsencrypt/cli/acme_wrapper.rb

@@ -0,0 +1,177 @@
+require 'json'
+require 'acme-client'
+require 'logger'
+require 'colorize'
+
+class AcmeWrapper
+  def initialize(options)
+    @options = options
+    if !@options[:color]
+      String.disable_colorization = true
+    end
+  end
+
+  def log(message, severity=:info)
+    @logger ||= Logger.new(STDOUT).tap {|logger|
+      logger.level = Logger::SEV_LABEL.index(@options[:log_level].upcase)
+      logger.formatter = proc do |sev, datetime, progname, msg|
+        "#{datetime.to_s.light_black}: #{msg}\n"
+      end
+    }
+    @logger.send(severity, message)
+  end
+
+  def client
+    @client ||= Acme::Client.new(private_key: account_key, endpoint: endpoint)
+  end
+
+  def authorize(domain)
+    FileUtils.mkdir_p(@options[:webroot_path])
+    log "Authorizing #{domain.blue}.."
+    authorization = client.authorize(domain: domain)
+
+    challenge = authorization.http01
+
+    challenge_file = File.join(@options[:webroot_path], challenge.filename.split('/').last)
+    log "Writing challenge to #{challenge_file}", :debug
+    File.write(challenge_file, challenge.file_content)
+
+    challenge.request_verification
+
+    5.times do
+      log "Checking verification...", :debug
+      sleep 1
+      break if challenge.verify_status != 'pending'
+    end
+    if challenge.verify_status == 'valid'
+      log "Authorization successful for #{domain.green}"
+      File.unlink(challenge_file)
+      true
+    else
+      log "Authorization error for #{domain.red}", :error
+      log challenge.error['detail']
+      false
+    end
+  end
+
+  def cert(domains)
+    return if certificate_exists_and_valid_and_all_domains_included?(domains)
+    csr = OpenSSL::X509::Request.new
+    certificate_private_key = find_or_create_pkey(@options[:private_key_path], "private key", @options[:key_length] || 2048)
+
+    csr.subject = OpenSSL::X509::Name.new([
+      # ['C',             options[:country], OpenSSL::ASN1::PRINTABLESTRING],
+      # ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
+      # ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
+      # ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
+      # ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
+      # ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
+      # ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
+      ['CN', domains.first, OpenSSL::ASN1::UTF8STRING]
+    ])
+    if domains.count > 1
+      ef = OpenSSL::X509::ExtensionFactory.new
+      exts = [ ef.create_extension( "subjectAltName", domains.map{|domain| "DNS:#{domain}"}.join(','), false  ) ]
+      attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+      attrs = [
+        OpenSSL::X509::Attribute.new('extReq', attrval),
+        OpenSSL::X509::Attribute.new('msExtReq', attrval),
+      ]
+      attrs.each do |attr|
+        csr.add_attribute(attr)
+      end
+    end
+    csr.version = 2
+    csr.public_key = certificate_private_key.public_key
+    csr.sign(certificate_private_key, OpenSSL::Digest::SHA256.new)
+    certificate = client.new_certificate(csr)
+    File.write(@options[:fullchain_path], certificate.fullchain_to_pem)
+    File.write(@options[:chain_path], certificate.chain_to_pem)
+    File.write(@options[:certificate_path], certificate.to_pem)
+    log "Certificate successfully created to #{@options[:fullchain_path]} #{@options[:chain_path]} and #{@options[:certificate_path]}!".green
+    log "Certificate valid until: #{certificate.x509.not_after}"
+  end
+
+  def check_certificate(path)
+    unless File.exists?(path)
+      log "Certificate #{path} does not exists", :warn
+      return false
+    end
+    cert = OpenSSL::X509::Certificate.new(File.read(path))
+    renew_on = cert.not_after.to_date - @options[:days_valid]
+    log "Certificate '#{path}' valid until #{cert.not_after.to_date}.", :info
+    if Date.today >= renew_on
+      log "Certificate '#{path}' should be renewed!", :warn
+      return false
+    else
+      true
+    end
+  end
+
+  def revoke_certificate(path)
+    unless File.exists?(path)
+      log "Certificate #{path} does not exists", :warn
+      return false
+    end
+    cert = OpenSSL::X509::Certificate.new(File.read(path))
+    if client.revoke_certificate(cert)
+      log "Certificate '#{path}' was revoked", :info
+    end
+    true
+  rescue Acme::Client::Error::Malformed => e
+    log e.message, :error
+    return false
+  end
+
+  private
+
+  def certificate_exists_and_valid_and_all_domains_included?(domains)
+    return false if !File.exists?(@options[:certificate_path])
+    cert = OpenSSL::X509::Certificate.new(File.read(@options[:certificate_path]))
+    domains_in_cert = cert.extensions.map(&:to_h).select{|i| i['oid'] == 'subjectAltName' }.map{|i| i['value']}.join(', ').split(/, */).map{|i| i.sub(/^DNS:/, '') }  +
+      [ cert.subject.to_s.sub(%r{/CN=}, '') ].uniq.sort
+    missing_domains = domains.sort.uniq - domains_in_cert
+    if missing_domains != []
+      log "Certificate '#{@options[:certificate_path]}' missing domains #{missing_domains.join(' ')}. Existing: #{domains_in_cert.join(' ')}", :warn
+      return false
+    end
+    expires_on = cert.not_after.to_date
+    if expires_on <= Date.today
+      log "Certificate '#{@options[:certificate_path]}' has expired on #{expires_on}.", :warn
+      return false
+    end
+    renew_on = expires_on - @options[:days_valid]
+    if renew_on > Date.today
+      log "Certificate '#{@options[:certificate_path]}' still valid till #{cert.not_after.to_date}.", :warn
+      log "Won't renew until #{renew_on} (#{@options[:days_valid]} days before)", :warn
+      exit 2
+    end
+
+    false 
+  end
+
+  def endpoint
+    if @options[:test]
+      "https://acme-staging.api.letsencrypt.org"
+    else
+      "https://acme-v01.api.letsencrypt.org"
+    end
+  end
+
+  def account_key
+    @account_key ||= find_or_create_pkey(@options[:account_key], "account key", @options[:key_length] || 4096)
+  end
+
+  def find_or_create_pkey(file_path, name, length)
+    if File.exists?(file_path)
+      log "existing account key found"
+      OpenSSL::PKey::RSA.new File.read file_path
+    else
+      log "creating new private key to #{file_path}..."
+      private_key = OpenSSL::PKey::RSA.new(length)
+      File.write(file_path, private_key.to_s)
+      File.chmod(0400, file_path)
+      private_key
+    end
+  end
+end

data/lib/letsencrypt/cli/app.rb

@@ -0,0 +1,116 @@
+require 'thor'
+require 'colorize'
+require 'fileutils'
+module Letsencrypt
+  module Cli
+    class App < Thor
+      class_option :account_key, desc: "Path to private key file (will be created if not exists)", aliases: "-a", default: 'account_key.pem'
+      class_option :test, desc: "Use staging url of Letsencrypt instead of production server", aliases: "-t", type: :boolean
+      class_option :log_level, desc: "Log Level (debug, info, warn, error, fatal)", default: "info"
+      class_option :color, desc: "Disable colorize", default: true, type: :boolean
+
+      desc 'register EMAIL', 'Register account'
+      method_option :key_length, desc: "Length of generated private key", type: :numeric, default: 4096
+      def register(email)
+        if email.nil? || email == ""
+          wrapper.log "no E-Mail specified!", :fatal
+          exit 1
+        end
+        if !email[/.*@.*/]
+          wrapper.log "not an email", :fatal
+          exit 1
+        end
+        registration = wrapper.client.register(contact: "mailto:" + email)
+        registration.agree_terms
+        wrapper.log "Account created, Terms accepted"
+      end
+
+      desc 'authorize_all', "Verify all server_names in /etc/nginx/sites-enabled/* (needs read access)"
+      method_option :webroot_path, desc: "Path to mapped .acme-challenge folder (no subdir)", aliases: '-w', required: true
+      method_option :webserver_dir, desc: "Path to webserver configs", default: "/etc/nginx/sites-enabled"
+      def authorize_all
+        lines = Dir[ File.join(@options[:webserver_dir], "*")].map{|file| File.read(file).lines.grep(/^\s*server_name/) }.flatten
+        domains = lines.flatten.map{|i| i.strip.split(/[; ]/).drop(1) }.flatten.reject{|i| i.length < 3 }.uniq
+        authorize(*domains)
+      end
+
+      desc 'authorize [DOMAINS]', 'Authorize all domains'
+      method_option :webroot_path, desc: "Path to mapped .well-known/acme-challenge folder (no subdirs will be created)", aliases: '-w', required: true
+      def authorize(*domains)
+        rc = 0
+        domains.each do |domain|
+          if !wrapper.authorize(domain)
+            rc = 1
+          end
+        end
+        if rc != 0
+          exit rc
+        end
+      end
+
+      desc "cert [DOMAINS]", "create certificate and private key pair for domains. The first domain is the main CN domain, the reset will be added as SAN. If the given certificate-path already exists, script will exit non-zero if the certificate is still valid until the given number of days before."
+      method_option :private_key_path, desc: "Path to private key. Will be created if non existant", aliases: '-k', default: 'key.pem'
+      method_option :key_length, desc: "Length of private key", default: 2048, type: :numeric
+      method_option :fullchain_path, desc: "Path to fullchain certificate (Nginx) (will be overwritten if exists!)", aliases: '-f', default: 'fullchain.pem'
+      method_option :certificate_path, desc: "Path to certificate (Apache)", aliases: '-c', default: 'cert.pem'
+      method_option :chain_path, desc: "Path to chain (Apache)", aliases: '-n', default: 'chain.pem'
+      method_option :days_valid, desc: "If the --certificate-path already exists, only create new stuff, if that certificate isn't valid for less than the given number of days", default: 30, type: :numeric
+      def cert(*domains)
+        if domains.length == 0
+          wrapper.log "no domains given", :fatal
+          exit 1
+        end
+        wrapper.cert(domains)
+      end
+
+      desc "check PATH_TO_CERTIFICATE", "checks, if a given certificate exists and is valid until DAYS_VALID"
+      method_option :days_valid, desc: "If the --certificate-path already exists, only create new stuff, if that certificate isn't valid for less than the given number of days", default: 30, type: :numeric
+      def check(path)
+        if !wrapper.check_certificate(path)
+          exit 1
+        end
+      end
+
+      desc "revoke PATH_TO_CERTIFICATE", "revokes a given certificate"
+      def revoke(path)
+        if !wrapper.revoke_certificate(path)
+          exit 1
+        end
+      end
+
+      desc "manage DOMAINS", "meta command that will: check if cert already exists / still valid (exits zero if nothing todo, exits 2 if certificate is still valid) + authorize given domains + issue certificate for given domains"
+      method_option :key_length, desc: "Length of private key", default: 2048, type: :numeric
+      method_option :days_valid, desc: "If the --certificate-path already exists, only create new stuff, if that certificate isn't valid for less than the given number of days", default: 30, type: :numeric
+      method_option :webroot_path, desc: "Path to mapped .well-known/acme-challenge folder (no subdirs will be created)", aliases: '-w', required: true
+      method_option :key_directory, desc: "Base directory for certificate storage.", default: "~/certs/"
+      method_option :sub_directory, desc: "Sub-directory name in base directory where all certs + key are stored. If not set, the first domain name will be used", default: nil
+      def manage(*domains)
+        key_dir = File.join(@options[:key_directory], @options[:sub_directory] || domains.first)
+        FileUtils.mkdir_p(key_dir)
+        @options = @options.merge(
+          :private_key_path  => File.join(key_dir, 'key.pem'),
+          :fullchain_path    => File.join(key_dir, 'fullchain.pem'),
+          :certificate_path  => File.join(key_dir, 'cert.pem'),
+          :chain_path        => File.join(key_dir, 'chain.pem'),
+        )
+        if wrapper.check_certificate(@options[:certificate_path])
+          exit 2
+        end
+        authorize(*domains)
+        cert(*domains)
+      end
+
+      map %w[--version -v] => :__print_version
+      desc "--version, -v", "print the version"
+      def __print_version
+        puts Letsencrypt::Cli::VERSION
+      end
+
+      private
+
+      def wrapper
+        @wrapper ||= AcmeWrapper.new(options)
+      end
+    end
+  end
+end

data/lib/letsencrypt/cli/version.rb

@@ -0,0 +1,5 @@
+module Letsencrypt
+  module Cli
+    VERSION = "0.6.1"
+  end
+end

metadata

@@ -0,0 +1,232 @@
+--- !ruby/object:Gem::Specification
+name: acme-cli
+version: !ruby/object:Gem::Version
+  version: 0.6.1
+platform: ruby
+authors:
+- Stefan Wienert
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-02-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.4
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- stwienert@gmail.com
+executables:
+- acme-cli
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- acme-cli.gemspec
+- bin/console
+- bin/setup
+- exe/acme-cli
+- letsencrypt-cli.gemspec
+- lib/letsencrypt-cli.rb
+- lib/letsencrypt/cli.rb
+- lib/letsencrypt/cli/acme_wrapper.rb
+- lib/letsencrypt/cli/app.rb
+- lib/letsencrypt/cli/version.rb
+homepage: https://github.com/zealot28/acme-cli
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: slim ACME (e. g. letsencrypt) client for quickly authorizing (multiple) domains
+  and issuing certificates
+test_files: []