lester 1.0.0.pre1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c17183ee2fb1a8f5b7001d8dca46b6d14ab655e5
+  data.tar.gz: 714db6829427e804e423a0012c873eb893c29846
+SHA512:
+  metadata.gz: c3f392540c9b2f5a8d8322eb3e69df96ad068cc756e3dd85c55fdc9b50603686496d5485564d76cc4d70e02d5a4a340491f3e184f930e735a331176b1badb089
+  data.tar.gz: 1acf0d620e036b9d2081af46ec2dda0d3cb708053e102e30cb296515cd73e478a2c6c153fcf1469e0ef69b4d00b5180a6b7e16350169f40545b0e8aa49d73e89

data/README.md

@@ -0,0 +1,63 @@
+# lester
+
+[![Build Status](https://travis-ci.org/mthssdrbrg/lester.svg?branch=master)](https://travis-ci.org/mthssdrbrg/lester)
+
+
+Lester is a small tool for renewing certificates from Let's Encrypt (or any
+ACME-compatible server), for websites set up using S3 and CloudFront.
+
+It uses S3 for storing certificates and expects that the private key for a
+registered account is available from S3. Server side encryption is enabled by
+default for all objects written by Lester, and it's possible to use KMS as well.
+
+Should be noted that even though only a single domain is passed to `lester`, it
+will actually include both the given domain and the `www` subdomain (i.e. `www.<domain>`)
+when requesting a new certificate.
+
+# Installation
+
+```shell
+gem install lester --pre
+```
+
+# Usage
+
+To get started and upload a local private key the following command can be used:
+
+```shell
+lester init --domain example.org \
+            --storage-bucket example-org-backup \
+            --private-key privkey.pem
+```
+
+To generate a new certificate, the simplest invocation of `lester` is the
+following:
+
+```shell
+lester new --domain example.org \
+           --site-bucket example-org \
+           --storage-bucket example-org-backup \
+           --email contact@example.org \
+           --distribution-id ABCDEFGH
+```
+
+To enable server side encryption with KMS, one can specify the `-k / --kms-id`
+with eiither a key ID or alias:
+
+```shell
+lester new --domain example.org \
+           --site-bucket example-org \
+           --storage-bucket example-org-backup \
+           --email contact@example.org \
+           --distribution-id ABCDEFGH \
+           --kms-id alias/letsencrypt
+```
+
+It's also possible to use `renew` rather than `new` if one prefers, the result
+will be the same.
+
+See `lester --help` for information about other command-line parameters.
+
+## Copyright
+
+© 2015 Mathias Söderberg, see LICENSE.txt (MIT).

data/bin/lester

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+$: << 'lib'
+
+require 'lester'
+
+
+exit(Lester::Cli.new(ARGV).run)

data/lib/lester.rb

@@ -0,0 +1,22 @@
+require 'acme-client'
+require 'aws-sdk'
+require 'json'
+require 'pathname'
+
+module Lester
+  Error = Class.new(StandardError)
+  RequestVerificationError = Class.new(Error)
+  RequiredArgumentError = Class.new(Error)
+  UnkownCommandError = Class.new(Error)
+  UnknownKeyFormatError = Class.new(Error)
+
+  KEY_NAME = 'private_key.json'.freeze
+end
+
+require 'lester/authenticator'
+require 'lester/cli'
+require 'lester/command'
+require 'lester/factory'
+require 'lester/private_key'
+require 'lester/s3_store'
+require 'lester/uploader'

data/lib/lester/authenticator.rb

@@ -0,0 +1,42 @@
+module Lester
+  class Authenticator
+    def initialize(bucket, options={})
+      @bucket = bucket
+      @sleeper = options[:sleeper] || Kernel
+    end
+
+    def authenticate(challenge)
+      write(challenge)
+      verify_status(challenge)
+    end
+
+    private
+
+    def write(challenge)
+      object = {
+        key: challenge.filename,
+        body: challenge.file_content,
+        content_type: challenge.content_type,
+        acl: 'public-read'
+      }
+      @bucket.put_object(object)
+    end
+
+    def verify_status(challenge)
+      if challenge.request_verification
+        until challenge.status != 'pending' || challenge.error do
+          @sleeper.sleep(1)
+          challenge.verify_status
+        end
+        if (error = challenge.error)
+          raise RequestVerificationError, sprintf('%s: %s', error['type'], error['detail'])
+        end
+        if (status = challenge.status) != 'valid'
+          raise RequestVerificationError, status
+        end
+      else
+        raise RequestVerificationError
+      end
+    end
+  end
+end

data/lib/lester/cli.rb

@@ -0,0 +1,101 @@
+require 'optparse'
+
+module Lester
+  class Cli
+    def initialize(argv=ARGV, io=$stderr, option={})
+      @command = argv.shift || 'help'
+      @argv = argv
+      @io = io
+      @key_size = 2048
+      @endpoint = 'https://acme-v01.api.letsencrypt.org/'
+    end
+
+    def run
+      parse_argv
+      dispatch
+      0
+    rescue OptionParser::ParseError, RequiredArgumentError, UnkownCommandError => e
+      @io.puts(sprintf('%s (%s)', e.message, e.class.name))
+      @io.puts(option_parser)
+      1
+    rescue => e
+      @io.puts(sprintf('%s (%s)', e.message, e.class.name))
+      1
+    end
+
+    private
+
+    HELP_REGEX = /help|-h/.freeze
+
+    def parse_argv
+      option_parser.parse(@argv)
+      unless @command =~ HELP_REGEX
+        case @command
+        when 'init'
+          validate(@domain, 'domain is required')
+          validate(@storage_bucket, 'storage bucket is required')
+          validate(@private_key_path, 'private key path is required')
+        when 'new', 'renew'
+          validate(@domain, 'domain is required')
+          validate(@storage_bucket, 'storage bucket is required')
+          validate(@site_bucket, 'site bucket is required')
+          validate(@email, 'email is required')
+          validate(@distribution_id, 'distribution id is required')
+        else
+          raise UnkownCommandError, sprintf('Unknown command %p, expected "init" or "re|new"', @command)
+        end
+      end
+    end
+
+    def validate(arg, message)
+      if arg.nil? || arg.empty?
+        raise RequiredArgumentError, message
+      end
+    end
+
+    def dispatch
+      case @command
+      when HELP_REGEX
+        @io.puts(option_parser)
+      when 'init'
+        Command::Init.create(factory).run
+      when 'new', 'renew'
+        Command::Renew.create(@domain, @key_size, factory).run
+      end
+    end
+
+    def option_parser
+      @option_parser ||= OptionParser.new do |opts|
+        opts.banner = %(Usage: lester init [options]\n       lester new [options])
+        opts.separator ''
+        opts.separator 'Common options:'
+        opts.on('-d', '--domain=NAME', 'Domain name (required)') { |d| @domain = d }
+        opts.on('-s', '--storage-bucket=BUCKET', 'S3 bucket for storing keys and certificates (required)') { |b| @storage_bucket = b }
+        opts.on('-K', '--kms-id=KEY_ID', 'AWS KMS Key ID') { |k| @kms_key_id = k }
+        opts.separator ''
+        opts.separator 'init options:'
+        opts.on('-p', '--private-key=PATH', 'Path to private key (required)') { |p| @private_key_path = p }
+        opts.separator ''
+        opts.separator 're|new options:'
+        opts.on('-E', '--endpoint=ENDPOINT', sprintf('ACME endpoint (default: %s)', @endpoint)) { |e| @endpoint = e }
+        opts.on('-b', '--site-bucket=BUCKET', 'S3 bucket for site (required)') { |b| @site_bucket = b }
+        opts.on('-k', '--key-size=BITS', sprintf('Key size (in bits) (default: %d)', @key_size)) { |s| @key_size = s.to_i }
+        opts.on('-e', '--email=ADDRESS', 'Registered email address (required)') { |e| @email = e }
+        opts.on('-D', '--distribution-id=ID', 'CloudFront distribution ID (required)') { |d| @distribution_id = d }
+        opts.separator ''
+      end
+    end
+
+    def factory
+      @factory ||= Factory.new({
+        domain: @domain,
+        storage_bucket: @storage_bucket,
+        kms_key_id: @kms_key_id,
+        endpoint: @endpoint,
+        site_bucket: @site_bucket,
+        private_key_path: @private_key_path,
+        distribution_id: @distribution_id,
+      })
+    end
+  end
+end

data/lib/lester/command.rb

@@ -0,0 +1,7 @@
+module Lester
+  module Command
+  end
+end
+
+require 'lester/command/init'
+require 'lester/command/renew'

data/lib/lester/command/init.rb

@@ -0,0 +1,18 @@
+module Lester
+  module Command
+    class Init
+      def self.create(factory)
+        new(factory.private_key, factory.account_store)
+      end
+
+      def initialize(private_key, store)
+        @private_key = private_key
+        @store = store
+      end
+
+      def run
+        @store.put(KEY_NAME, @private_key.to_jwk.to_json)
+      end
+    end
+  end
+end

data/lib/lester/command/renew.rb

@@ -0,0 +1,63 @@
+module Lester
+  module Command
+    class Renew
+      def self.create(domain, key_size, factory)
+        new(domain, factory.acme_client, factory.authenticator, factory.uploader, factory.certificate_store, key_size: key_size)
+      end
+
+      def initialize(domain, acme_client, authenticator, uploader, store, options={})
+        @domain = domain
+        @acme_client = acme_client
+        @authenticator = authenticator
+        @uploader = uploader
+        @store = store
+        @key_size = options[:key_size] || 2048
+        @key_class = options[:key_class] || OpenSSL::PKey::RSA
+        @csr_class = options[:csr_class] || Acme::CertificateRequest
+      end
+
+      def run
+        auth
+        renew
+        upload
+        store
+      end
+
+      private
+
+      def auth
+        domains.each do |domain|
+          authorization = @acme_client.authorize(domain: domain)
+          @authenticator.authenticate(authorization.http01)
+        end
+      end
+
+      def renew
+        key = @key_class.new(@key_size)
+        @csr = @csr_class.new(names: domains, private_key: key)
+        @certificate = @acme_client.new_certificate(@csr)
+      end
+
+      def upload
+        certificate_name = sprintf('%s-%s', @domain, issue_date)
+        @uploader.upload(certificate_name, @certificate, @csr.private_key)
+      end
+
+      def store
+        @store.put(sprintf('%s/cert.pem', issue_date), @certificate.to_pem)
+        @store.put(sprintf('%s/chain.pem', issue_date), @certificate.chain_to_pem)
+        @store.put(sprintf('%s/fullchain.pem', issue_date), @certificate.fullchain_to_pem)
+        @store.put(sprintf('%s/csr.pem', issue_date), @csr.to_pem)
+        @store.put(sprintf('%s/privkey.pem', issue_date), @csr.private_key.to_pem)
+      end
+
+      def issue_date
+        @issue_date ||= @certificate.x509.not_before.strftime('%Y%m%d%H%M')
+      end
+
+      def domains
+        @domains ||= [@domain, sprintf('www.%s', @domain)]
+      end
+    end
+  end
+end

data/lib/lester/factory.rb

@@ -0,0 +1,70 @@
+module Lester
+  class Factory
+    def initialize(config)
+      @config = config
+    end
+
+    def authenticator
+      @authenticator ||= Authenticator.new(site_bucket)
+    end
+
+    def uploader
+      @uploader ||= Uploader.new(iam, cloudfront, @config[:distribution_id])
+    end
+
+    def acme_client
+      @acme_client ||= Acme::Client.new(private_key: private_key, endpoint: @config[:endpoint])
+    end
+
+    def account_store
+      @account_store ||= create_store('account')
+    end
+
+    def certificate_store
+      @certificate_store ||= create_store('certificates')
+    end
+
+    def private_key
+      @private_key ||= begin
+        if (key_path = @config[:private_key_path])
+          PrivateKey.new(Pathname.new(key_path)).load
+        else
+          PrivateKey.new(account_store.get(KEY_NAME)).load
+        end
+      end
+    end
+
+    private
+
+    def create_store(suffix)
+      S3Store.new(storage_bucket, sprintf('%s/%s', @config[:domain], suffix), store_options)
+    end
+
+    def store_options
+      @store_options ||= begin
+        options = {server_side_encryption: 'AES256'}
+        if (kms_key_id = @config[:kms_key_id])
+          options[:server_side_encryption] = 'aws:kms'
+          options[:ssekms_key_id] = kms_key_id
+        end
+        options
+      end
+    end
+
+    def site_bucket
+      @site_bucket ||= Aws::S3::Bucket.new(@config[:site_bucket])
+    end
+
+    def storage_bucket
+      @storage_bucket ||= Aws::S3::Bucket.new(@config[:storage_bucket])
+    end
+
+    def iam
+      @iam ||= Aws::IAM::Client.new
+    end
+
+    def cloudfront
+      @cloudfront ||= Aws::CloudFront::Client.new
+    end
+  end
+end

data/lib/lester/private_key.rb

@@ -0,0 +1,18 @@
+module Lester
+  class PrivateKey
+    def initialize(path)
+      @path = path
+    end
+
+    def load
+      case @path.extname
+      when '.json'
+        JSON::JWK.new(JSON.parse(@path.read)).to_key
+      when '.pem'
+        OpenSSL::PKey::RSA.new(@path.read)
+      else
+        raise UnknownKeyFormatError, @path
+      end
+    end
+  end
+end

data/lib/lester/s3_store.rb

@@ -0,0 +1,42 @@
+module Lester
+  class S3Store
+    def initialize(bucket, prefix, options={})
+      @bucket = bucket
+      @prefix = prefix
+      @options = options
+    end
+
+    def get(name)
+      Proxy.new(@bucket.object(format_name(name)))
+    end
+
+    def put(name, contents)
+      @bucket.put_object(@options.merge(key: format_name(name), body: contents))
+    end
+
+    private
+
+    def format_name(name)
+      sprintf('%s/%s', @prefix, name)
+    end
+
+    class Proxy
+      def initialize(object)
+        @path = Pathname.new(object.key)
+        @object = object
+      end
+
+      def exists?
+        @object.exists?
+      end
+
+      def read
+        @object.get.body.read
+      end
+
+      def extname
+        @path.extname
+      end
+    end
+  end
+end