blix-letsencrypt 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 51750c9fbd2104f084d61f0a07d3bc0be338cacdb935850b35cf3f427659f1c9
+  data.tar.gz: 0ec555ca56aa54faad52f135cb0b5e1bbb87a9c2420d783001a2bec9d64913b0
+SHA512:
+  metadata.gz: 47f6145bfc9b098bfefd2dae95c0124a257060a473ec6922b2e5a9f8577b5623ab4c96ace1b3910abe59b59354c6e96f56968e09483b195deeae476d8988b106
+  data.tar.gz: 75e034dc207dba70fe331275c071a66c067ac07bf0b005a5f10c285aa4b272ba74af501d591e498e26d9d63dccc204d35b7c407ea4bbfbf4db42bfac0e783a52

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Clive Andrews
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,98 @@
+# letsencrypt
+
+a command line utility for managing letsencrypt ssl certificates.
+
+
+## depends
+
+ruby >= 2.4
+
+## install
+
+gem install blix-letsencrypt
+
+## command options:
+
+		Usage: letsencrypt [options]
+			-c, --create                     Create ACME private key
+			-k, --key=FILE                   ACME private key file
+			-e, --email=EMAIL                your contact email
+			-d, --domain=DOMAIN              domain name for certificate
+				--challenge_dir=CDIR         challenge file directory
+				--ssl_dir=SSLDIR             ssl certificate file directory
+				--ssl_key=SSLKEY             ssl private key file
+			-t, --test                       enable test mode
+				--force                      force update even if not expired
+			-l, --logfile=LOGFILE            log to file
+			-h, --hook=HOOK                  script to run on renewal
+
+
+## conventions used
+
+*  the private key is called `privkey.pem`
+
+
+*  the certificate is called `cert.pem` and is placed in a directory named
+   after the main (first) domain name.
+
+## create letsencrypt certificates
+
+* create directory to hold your keys and certificates .. eg:
+
+      mkdir /etc/letsencrypt/account
+      mkdir /etc/letsencrypt/ssl
+
+* create directory to serve challenges from.. eg:
+
+      mkdir /srv/certbot/.well-known
+
+* create a ssl private key if you do not yet have one.. eg:
+
+      openssl genrsa -out /etc/letsencrypt/ssl/privkey.pem 2048
+
+* update your webserver to serve the challengefiles eg for nginx..:
+
+      location /.well-known {
+       alias /srv/certbot/.well-known;
+       add_header "Content-Type" "text/plain";
+       break;
+      }
+
+* now create your certificate
+
+      letsencrypt --key=/etc/letsencrypt/account/key.pem -d"example.com www.example.com" --challenge_dir="/srv/certbot/.well-known" --ssl_dir="/etc/letsencrypt/ssl" --logfile=/var/log/letsencrypt.log --create
+
+* hopefully your certificate has be created  so update your webserver to use it...
+
+      ssl_certificate /etc/letsencrypt/ssl/example.com/cert.pem;
+      ssl_certificate_key /etc/letsencrypt/ssl/privkey.pem;
+
+* reload the webserver and check all is well.
+
+## auto renew letsencrypt certificates
+
+the letsencrypt certificates are valid for 90 days. it is recommended that you
+run a script every day to check if the certificates are due for renewal.
+
+* create two shell scrips, one to renew the certificates and another to
+  restart the webserver.
+
+* ensure that both scripts are executable..
+* copy the first script to /etc/cron.daily directory.
+* link the second script to the `--hook` option of the letsencrypt command.
+
+ eg:
+
+        cat /etc/cron.daily/renew_ssl
+
+    		!/bin/sh
+    		/opt/ruby-2.6.4/bin/letsencrypt --key=/etc/letsencrypt/account/key.pem \
+            -d"example.com www.example.com" \
+            --challenge_dir="/srv/certbot/.well-known" --ssl_dir="/etc/letsencrypt/ssl" \
+            --logfile=/var/log/letsencrypt.log \
+            --hook=/root/bin/reload_nginx
+
+        cat /root/bin/reload_nginx
+
+    		!/bin/sh
+    		/sbin/nginx -t && /sbin/nginx -sreload

data/bin/letsencrypt

@@ -0,0 +1,3 @@
+#!/env/ruby
+
+require_relative '../lib/blix/letsencrypt'

data/lib/blix/letsencrypt.rb

@@ -0,0 +1,319 @@
+# frozen_string_literal: true
+
+# this is a script for renewing letsencrypt certicates. .. to automate the
+# process create a shell script to run this command and a shell script to
+# restart the web server
+#
+# ensure that both scripts are executable..
+# copy the first script to /etc/cron.daily directory.
+# link the second script to the --hook option of this ruby command.
+#
+# eg:
+#
+#    cat /etc/cron.daily/renew_ssl
+#
+#    #!/bin/sh
+#    /opt/ruby-2.6.4/bin/ruby /root/bin/letsencrypt.rb --key=/etc/letsencrypt/account/key.pem \
+#      -d"example.com www.example.com" \
+#      --challenge_dir="/tmp/certbot/public_html/.well-known" \
+#      --ssl_dir="/etc/letsencrypt/ssl" \
+#      --logfile=/var/log/letsencrypt.log \
+#      --hook=/root/bin/reload_nginx
+#
+#
+#    cat /root/bin/reload_nginx
+#    #!/bin/sh
+#    /opt/nginx-1.2.2/sbin/nginx -t && /opt/nginx-1.2.2/sbin/nginx -sreload
+#
+#
+# copyright Clive Andrews 2020
+#
+# licence MIT
+
+
+
+require 'openssl'
+require 'optparse'
+require 'acme-client'
+require 'logger'
+
+# location /.well-known{
+#                rewrite ^\.well-known(.*)$ $1 break;
+#                alias /srv/letsencrypt/challenge;
+#                add_header Content-Type text/plain;
+#           }
+
+CHALLENGE_DIR = '/srv/letsencrypt'
+SSL_DIR       = '/etc/letsencrypt/cert'
+SSL_CERT      = 'cert.pem'
+SSL_KEY       = 'privkey.pem'
+ACME_DIR_S    = 'https://acme-staging-v02.api.letsencrypt.org/directory' # letsencrypt
+ACME_DIR_L    = 'https://acme-v02.api.letsencrypt.org/directory' # letsencrypt live
+
+TIMEOUT = 60
+
+# check if certificate is about to expire.
+def certificate_expiry_is_soon(ssl_dir, certificate_file, days = 30)
+  file = File.join(ssl_dir, certificate_file)
+  return true unless File.file?(file)
+
+  cert = OpenSSL::X509::Certificate.new(File.read(file))
+  cert.not_after < Time.now + days * (24 * 60 * 60)
+end
+
+def tidy_challenge_file(file)
+  file = file[1..-1] if file[0, 1] == '/'
+  str = '.well-known'
+  file = file[str.length..-1] if file[0, str.length] == str
+  file
+end
+
+# write the challenge file and ensure that intermediate dirs exist
+def write_file(dir, file, content)
+  file = tidy_challenge_file(file)
+  parts = file.split('/')
+  last_index = parts.length - 1
+  path = nil
+  parts.each_with_index do |_part, idx|
+    path = File.join(dir, *parts[0, idx + 1])
+    if idx == last_index # the file name
+      File.write(path, content)
+    else
+      if File.file?(path)
+        raise "invalid challenge path: #{path}"
+      elsif File.directory?(path)
+
+      else
+        Dir.mkdir(path)
+      end
+    end
+  end
+  path
+end
+
+def backup_file(dir, file)
+  orig_path = File.join(dir, file)
+  orig_file = File.basename(orig_path)
+  orig_dir  = File.dirname(orig_path)
+
+  raise "backup file does not exist:#{orig_path}" unless File.exist?(orig_path)
+
+  seq = 1
+  loop  do
+    prefix = '%04d_' % seq
+    new_file = prefix + orig_file
+    new_path = File.join(orig_dir, new_file)
+    if File.exist?(new_path)
+      seq += 1
+      next
+    else
+      content = File.read(orig_path)
+      File.write(new_path, content)
+      break new_path
+    end
+  end
+end
+
+# delete the challenge files
+def remove_file(dir, file)
+  file = tidy_challenge_file(file)
+  path = File.join(dir, file)
+  File.unlink(path) if File.file?(path)
+  true
+end
+
+# perform an authorization by creating the challenge files
+# and waiting for validation to occur.
+def perform_authorization(challenge_dir, authorization)
+  http_challenge = authorization.http
+
+  # write the challenge to file
+
+  http_challenge.content_type # => 'text/plain'
+  http_challenge.file_content # => example_token.TO1xJ0UDgfQ8WY5zT3txynup87UU3PhcDEIcuPyw4QU
+  http_challenge.filename # => '.well-known/acme-challenge/example_token'
+  http_challenge.token
+
+  challenge_file = tidy_challenge_file(http_challenge.filename)
+  challenge_path = write_file(challenge_dir, challenge_file, http_challenge.file_content)
+
+  puts "challenge has been written to :#{challenge_path}"
+
+  # now wait for the challenge ..
+
+  http_challenge.request_validation
+  timeout_time = Time.now + TIMEOUT
+
+  while http_challenge.status == 'pending'
+    if Time.now > timeout_time
+      remove_file(challenge_dir, challenge_file)
+      raise 'Challenge timeout'
+    end
+    sleep(2)
+    http_challenge.reload
+  end
+
+  remove_file(challenge_dir, challenge_file)
+  raise 'challenge failed' unless http_challenge.status == 'valid' # => 'valid'
+end
+
+# handle options here
+options = {}
+OptionParser.new do |opts|
+  # opts.banner = "Usage: example.rb [options]"
+
+  opts.on('-c', '--create', 'Create ACME private key') do |_v|
+    options[:create] = true
+  end
+
+  opts.on('-k', '--key=FILE', 'ACME private key file') do |v|
+    options[:key] = v
+  end
+
+  opts.on('-e', '--email=EMAIL', 'your contact email') do |v|
+    options[:email] = v
+  end
+
+  opts.on('-d', '--domain=DOMAIN', 'domain name for certificate') do |v|
+    options[:site] = v
+  end
+
+  opts.on('--challenge_dir=CDIR', 'challenge file directory') do |v|
+    options[:challenge_dir] = v
+  end
+
+  opts.on('--ssl_dir=SSLDIR', 'ssl certificate file directory') do |v|
+    options[:ssl_dir] = v
+  end
+
+  opts.on('--ssl_key=SSLKEY', 'ssl private key file') do |v|
+    options[:ssl_dir] = v
+  end
+
+  opts.on('-t', '--test', 'enable test mode') do |v|
+    options[:test] = v
+  end
+
+  opts.on('--force', 'force update even if not expired') do |v|
+    options[:force] = v
+  end
+
+  opts.on('-l', '--logfile=LOGFILE', 'log to file') do |v|
+    options[:logfile] = v
+  end
+
+  opts.on('-h', '--hook=HOOK', 'script to run on renewal') do |v|
+    options[:hook] = v
+  end
+end.parse!
+
+# check that we have sensible values four our options before we start the
+# whole [rpcess]
+domains = options[:site].to_s
+domains.gsub!(',', ' ')
+domains.gsub!(';', ' ')
+domains.gsub!(/  +/, ' ')
+names = domains.split(' ')
+site = names[0]
+ssl_dir = File.expand_path(options[:ssl_dir] || SSL_DIR)
+challenge_dir = File.expand_path(options[:challenge_dir] || CHALLENGE_DIR)
+ssl_key_path  = options[:ssl_key] || File.join(ssl_dir, SSL_KEY)
+hook_path     = options[:hook]
+
+raise 'domain name missing'               unless site
+raise 'invalid challenge directory'       unless File.directory?(challenge_dir)
+raise 'invalid ssl certificate directory'       unless File.directory?(ssl_dir)
+raise "ssl private key invalid:#{ssl_key_path}" unless File.file?(ssl_key_path)
+raise "script missing or not executable:#{hook_path}" unless !hook_path || File.executable?(hook_path)
+
+certificate_file = File.join(site, SSL_CERT)
+acme_key = File.expand_path(options[:key])
+ssl_key = OpenSSL::PKey::RSA.new(File.read(ssl_key_path))
+
+logger = Logger.new(options[:logfile] || STDOUT)
+
+# check to see if the certificate is due for renewal. if the
+# certificate expires within 30 days then renew otherwise exit
+# unless the force option is set.
+unless options[:force]
+  unless certificate_expiry_is_soon(ssl_dir, certificate_file)
+    logger.info "certificate:#{certificate_file} not due for renewal"
+    exit
+  end
+end
+
+# first read our private key..
+if File.file?(acme_key)
+  private_key = OpenSSL::PKey::RSA.new(File.read(acme_key)) # read
+elsif options[:create]
+  private_key = OpenSSL::PKey::RSA.new(4096) # generate
+  File.write(acme_key, private_key)
+else
+  raise "acme key file:#{acme_key} not found"
+end
+
+client = if options[:test]
+           Acme::Client.new(:private_key => private_key, :directory => ACME_DIR_S)
+         else
+           Acme::Client.new(:private_key => private_key, :directory => ACME_DIR_L)
+         end
+
+# ensure that we hav an account.
+kid = begin
+        client.kid
+      rescue StandardError
+        nil
+      end
+
+unless kid
+  email = options[:email] || begin
+    print('enter your email:')
+    gets.strip
+  end
+  raise "invalid email:#{email}" unless email && email =~ /^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$/
+
+  account = client.new_account(:contact => "mailto:#{email}", :terms_of_service_agreed => true)
+end
+
+puts 'account found..'
+
+# now set up our order ..
+
+puts "setting up domain #{site}:#{names.join(',')}:"
+
+order = client.new_order(:identifiers => names)
+order.authorizations.each { |auth| perform_authorization(challenge_dir, auth) }
+
+# download the certificate
+
+puts 'now obtaining certificate..'
+
+csr = Acme::Client::CertificateRequest.new(:private_key => ssl_key, :names => names, :subject => { :common_name => site })
+order.finalize(:csr => csr)
+
+timeout_time = Time.now + TIMEOUT
+while order.status == 'processing'
+  raise 'certificate timeout' if Time.now > timeout_time
+
+  sleep(1)
+  order.reload
+end
+
+# now write the certificate to file
+
+# backup the old file if it exists.
+
+if File.file?(File.join(ssl_dir, certificate_file))
+  backup_file(ssl_dir, certificate_file)
+end
+
+ssl_path = write_file(ssl_dir, certificate_file, order.certificate)
+logger.info "ssl certificate has been written to :#{ssl_path}"
+
+if hook_path
+  if system(hook_path)
+    logger.info "script :#{hook_path} succeeded"
+  else
+    logger.info "script :#{hook_path} failed !!"
+  end
+end

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: blix-letsencrypt
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Clive Andrews
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-05-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Command line utilities for letsencrypt
+email:
+- gems@realitybites.eu
+executables:
+- letsencrypt
+extensions: []
+extra_rdoc_files:
+- README.md
+- LICENSE
+files:
+- LICENSE
+- README.md
+- bin/letsencrypt
+- lib/blix/letsencrypt.rb
+homepage: https://github.com/realbite/blix-letsencrypt
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Command line utilities for managing  letsencrypt ssl certificates
+test_files: []