letscert 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 93eea77b95f4023766df113b6fcf0af05cac41f7
-  data.tar.gz: eefe4a0c05303c3c3b7d6cd554aa518b73d3da43
+  metadata.gz: 7794f56c134e1437cbb2d89cf9bcf3b2da6f5bc1
+  data.tar.gz: 735bb555113c95eb110500c3fcd43b435c7e41aa
 SHA512:
-  metadata.gz: 308c8ddba083a0622f81e213fcd31133b5b8161b8571ee437a05cf4bd5695cef031f0beec14945361b197822a075727e57264e12a5ecdbf49d3e23862401f74b
-  data.tar.gz: b4bded7e572fa89fb693d2f511a002a0e1f523272ffeaa0bb3de441bc15dcad2b4de2cee6ebfad35a441fe7d0bfa7796e0b9166cd4c693192fc30762dfac5355
+  metadata.gz: 8d1369f91acfe830d02461a442eeac66d14995944996dac69c1d6120c42077566701eb0aca6bdc34ec9a0a17e82d2765a315086ba5ad0d97b7c58772701e0102
+  data.tar.gz: 5cc07fe0b35bab4b652ac29a1807ae39b62cae562fcbb73dd8fc9320f2bbef3be338471094baca01bdc41c9309fb6c8b375080b01013c91538467ecaddbae05b

data/README.md

@@ -1,10 +1,9 @@
 # letscert
 A simple `Let's Encrypt` client in ruby.
 
-I think `simp_le` do it the right way: it is simple, it is safe as it does not needed to be run as root,
-but it is Python (no one is perfect :-)) So I started to create a clone, but in Ruby.
-
-Work in progress.
+I think `simp_le` do it the right way: it is simple, it is safe as it does not need to be
+run as root, but it is Python (no one is perfect :-)) So I started to create a clone, but
+in Ruby.
 
 # Usage
 
@@ -14,3 +13,21 @@ letscert -d example.com:/var/www/example.com/html -f key.pem -f cert.pem -f full
 ```
 
 The command is the same for certificate renewal.
+
+# What `letscert` do
+
+* Automagically a new ACME account if needed.
+* Issue new certificate if no previous one found.
+* Renew certificate only if needed.
+* Only `http-01` challenge supported. An existing web server must be alreay running. `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
+* Crontab friendly: no promts.
+* No configuration file.
+* Support multiple domains with multiple roots. Always create a single certificate per un
+  (ie a certificate may have multiple SANs).
+* As `simp_le`, check the exit code to known if a renewal has happened:
+  * 0 if certificate data was created or updated;
+  * 1 if renewal not necessary;
+  * 2 in case of errors.
+
+# Todo
+Add support to revocation.

data/bin/letscert

@@ -1,4 +1,26 @@
 #!/usr/bin/ruby
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
 
 require 'acme-client'
 require 'letscert'

data/lib/letscert/certificate.rb

@@ -0,0 +1,209 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+require_relative 'loggable'
+
+module LetsCert
+
+  # Class to handle ACME operations on certificates
+  class Certificate
+    include Loggable
+
+    # Revoke certificates
+    # @param [Array<String>] files
+    def self.revoke(files)
+      logger.warn "revoke not yet implemented"
+    end
+
+    # Get a new certificate, or renew an existing one
+    # @param [Hash] options
+    # @param [Hash] data
+    def self.get(options, data)
+      new.get options, data
+    end
+
+    def get(options, data)
+      logger.info {"create key/cert/chain..." }
+      roots = compute_roots(options)
+      logger.debug { "webroots are: #{roots.inspect}" }
+
+      client = get_acme_client(data[:account_key], options)
+
+      do_challenges client, roots
+
+      if options[:reuse_key] and !data[:key].nil?
+        logger.info { 'Reuse existing private key' }
+        key = data[:key]
+      else
+        logger.info { 'Generate new private key' }
+        key = OpenSSL::PKey::RSA.generate(@options[:cert_key_size])
+      end
+
+      csr = Acme::Client::CertificateRequest.new(names: roots.keys, private_key: key)
+      cert = client.new_certificate(csr)
+
+      IOPlugin.registered.each do |name, plugin|
+        plugin.save( account_key: client.private_key, key: key, cert: cert.x509,
+                     chain: cert.x509_chain)
+      end
+    end
+
+
+    private
+
+    # Compute webroots
+    # @return [Hash] whre key are domains and value are their webroot path
+    def compute_roots(options)
+      roots = {}
+      no_roots = []
+
+      options[:domains].each do |domain|
+        match = domain.match(/([\w+\.]+):(.*)/)
+        if match
+          roots[match[1]] = match[2]
+        elsif options[:default_root]
+          roots[domain] = options[:default_root]
+        else
+          no_roots << domain
+        end
+      end
+
+      if !no_roots.empty?
+        raise Error, 'root for the following domain(s) are not specified: ' +
+                     no_roots.join(', ') + ".\nTry --default_root or use " +
+                     '-d example.com:/var/www/html syntax.'
+      end
+
+      roots
+    end
+
+    # Get ACME client.
+    #
+    # Client is only created on first call, then it is cached.
+    # @param [Hash] account_key
+    # @param [Hash] options
+    def get_acme_client(account_key, options)
+      return @client if @client
+
+      key = get_account_key(account_key, options[:account_key_size])
+
+      logger.debug { "connect to #{options[:server]}" }
+      @client = Acme::Client.new(private_key: key, endpoint: options[:server])
+
+      if options[:email].nil?
+        logger.warn { '--email was not provided. ACME CA will have no way to ' +
+                       'contact you!' }
+      end
+
+      begin
+        logger.debug { "register with #{options[:email]}" }
+        registration = @client.register(contact: "mailto:#{options[:email]}")
+      rescue Acme::Client::Error::Malformed => ex
+        if ex.message != 'Registration key is already in use'
+          raise
+        end
+      else
+        # Requesting ToS make acme-client throw an exception: Connection reset by peer
+        # (Faraday::ConnectionFailed). To investigate...
+        #if registration.term_of_service_uri
+        #  @logger.debug { "get terms of service" }
+        #  terms = registration.get_terms
+        #  if !terms.nil?
+        #    tos_digest = OpenSSL::Digest::SHA256.digest(terms)
+        #    if tos_digest != @options[:tos_sha256]
+        #      raise Error, 'Terms Of Service mismatch'
+        #    end
+        
+             @logger.debug { "agree terms of service" }
+             registration.agree_terms
+        #  end
+        #end
+      end
+
+      @client
+    end
+
+    # Generate a new account key if no one is given in +data+
+    # @param [OpenSSL::PKey,nil] key
+    # @param [Hash] options
+    def get_account_key(key, key_size)
+      if key.nil?
+        logger.info { 'No account key. Generate a new one...' }
+        OpenSSL::PKey::RSA.new(key_size)
+      else
+        key
+      end
+    end
+
+    # Do ACME challenges for each requested domain.
+    # @param [Acme::Client] client
+    # @param [Hash] roots
+    def do_challenges(client, roots)
+      logger.debug { 'Get authorization for all domains' }
+      challenges = {}
+
+      roots.keys.each do |domain|
+        authorization = client.authorize(domain: domain)
+         if authorization
+           challenges[domain] = authorization.http01
+         else
+           challenges[domain] = nil
+         end
+      end
+
+      logger.debug { 'Check all challenges are HTTP-01' }
+      if challenges.values.any? { |chall| chall.nil? }
+        raise Error, 'CA did not offer http-01-only challenge. ' +
+                     'This client is unable to solve any other challenges.'
+      end
+
+      challenges.each do |domain, challenge|
+        begin
+          FileUtils.mkdir_p(File.join(roots[domain], File.dirname(challenge.filename)))
+        rescue SystemCallError => ex
+          raise Error, ex.message
+        end
+
+        path = File.join(roots[domain], challenge.filename)
+        logger.debug { "Save validation #{challenge.file_content} to #{path}" }
+        File.write path, challenge.file_content
+
+        challenge.request_verification
+
+        status = 'pending'
+        while(status == 'pending') do
+          sleep(1)
+          status = challenge.verify_status
+        end
+
+        if status != 'valid'
+          logger.warn { "#{domain} was not successfully verified!" }
+        else
+          logger.info { "#{domain} was successfully verified." }
+        end
+
+        File.unlink path
+      end
+    end
+
+  end
+
+end

data/lib/letscert/certificate.rb~

@@ -1,14 +1,8 @@
+
 module LetsCert
 
-  # Class to handle certificates.
+  # Class to handle ACME operations on certificates
   class Certificate
-
-    # Load all certificates passed as arguments
-    # @param [Array<String>] files
-    # @return [Array<Certificate>]
-    def self.load(*files)
-    end
-
   end
 
 end

data/lib/letscert/io_plugin.rb

@@ -1,10 +1,34 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
 require 'json'
 require 'base64'
+require_relative 'loggable'
 
 module LetsCert
 
   # Input/output plugin
+  # @author Sylvain Daubert
   class IOPlugin
+    include Loggable
 
     # Plugin name
     # @return [String]
@@ -15,18 +39,23 @@ module LetsCert
                       %w(fullchain.pem key.der key.pem)
 
 
+    # Registered plugins
     @@registered = {}
 
     # Get empty data
+    # @return [Hash] +{ account_key: nil, key: nil, cert: nil, chain: nil }+
     def self.empty_data
       { account_key: nil, key: nil, cert: nil, chain: nil }
     end
 
     # Register a plugin
+    # @param [Class] klass
+    # @param [Array] args args to pass to +klass+ constructor
+    # @return [IOPlugin]
     def self.register(klass, *args)
       plugin = klass.new(*args)
       if plugin.name =~ /[\/\\]/ or ['.', '..'].include?(plugin.name)
-        raise Error, "plugin name should just ne a file name, without path"
+        raise Error, "plugin name should just be a file name, without path"
       end
 
       @@registered[plugin.name] = plugin
@@ -35,26 +64,16 @@ module LetsCert
     end
 
     # Get registered plugins
+    # @return [Hash] keys are filenames and keys are instances of IOPlugin subclasses.
     def self.registered
       @@registered
     end
 
-    # Set logger
-    def self.logger=(logger)
-      @@logger = logger
-    end
-
     # @param [String] name
     def initialize(name)
       @name = name
     end
 
-    # Get logger instance
-    # @return [Logger]
-    def logger
-      @logger ||= self.class.class_variable_get(:@@logger)
-    end
-    
     # @abstract This method must be overriden in subclasses
     def load
       raise NotImplementedError
@@ -69,6 +88,7 @@ module LetsCert
 
 
   # Mixin for IOPmugin subclasses that handle files
+  # @author Sylvain Daubert
   module FileIOPluginMixin
 
     # Load data from file named {#name}
@@ -116,6 +136,7 @@ module LetsCert
 
 
   # Mixin for IOPlugin subclasses that handle JWK
+  # @author Sylvain Daubert
   module JWKIOPluginMixin
 
     # Load crypto data from JSON-encoded file
@@ -166,18 +187,24 @@ module LetsCert
 
 
   # Account key IO plugin
+  # @author Sylvain Daubert
   class AccountKey < IOPlugin
     include FileIOPluginMixin
     include JWKIOPluginMixin
 
+    # @return [Hash] always get +true+ for +:account_key+ key
     def persisted
       { account_key: true }
     end
 
+    # @return [Hash]
     def load_from_content(content)
       { account_key: load_jwk(content) }
     end
 
+    # Save account key.
+    # @param [Hash] data
+    # @return [void]
     def save(data)
       save_to_file(dump_jwk(data[:account_key]))
     end
@@ -187,15 +214,18 @@ module LetsCert
 
 
   # OpenSSL IOPlugin
+  # @author Sylvain Daubert
   class OpenSSLIOPlugin < IOPlugin
 
-    # @private Regulat expression to discriminate PEM
+    # @private Regular expression to discriminate PEM
     PEM_RE = /
 ^-----BEGIN ((?:[\x21-\x2c\x2e-\x7e](?:[- ]?[\x21-\x2c\x2e-\x7e])*)?)\s*-----$
 .*?
 ^-----END \1-----\s*
 /x
 
+    # @param [String] name filename
+    # @param [:pem,:der] type
     def initialize(name, type)
       case type
       when :pem
@@ -208,10 +238,16 @@ module LetsCert
       super(name)
     end
 
+    # Load key from raw +data+
+    # @param [String] data
+    # @return [OpenSSL::PKey]
     def load_key(data)
       OpenSSL::PKey::RSA.new data
     end
 
+    # Dump key/cert data
+    # @param [OpenSSL::PKey] key
+    # @return [String]
     def dump_key(key)
       case @type
       when :pem
@@ -222,6 +258,9 @@ module LetsCert
     end
     alias :dump_cert :dump_key
 
+    # Load certificate from raw +data+
+    # @param [String] data
+    # @return [OpenSSL::X509::Certificate]
     def load_cert(data)
       OpenSSL::X509::Certificate.new data
     end
@@ -229,6 +268,9 @@ module LetsCert
 
     private
 
+    # Split concatenated PEMs.
+    # @param [String] data
+    # @yield [String] pem
     def split_pems(data)
       m = data.match(PEM_RE)
       while (m) do
@@ -241,17 +283,23 @@ module LetsCert
 
 
   # Key file plugin
+  # @author Sylvain Daubert
   class KeyFile < OpenSSLIOPlugin
     include FileIOPluginMixin
 
+    # @return [Hash] always get +true+ for +:key+ key
     def persisted
       @persisted ||= { key: true }
     end
 
+    # @return [Hash]
     def load_from_content(content)
       { key: load_key(content) }
     end
 
+    # Save private key.
+    # @param [Hash] data
+    # @return [void]
     def save(data)
       save_to_file(dump_key(data[:key]))
     end
@@ -262,13 +310,16 @@ module LetsCert
 
 
   # Chain file plugin
+  # @author Sylvain Daubert
   class ChainFile < OpenSSLIOPlugin
     include FileIOPluginMixin
 
+    # @return [Hash] always get +true+ for +:chain+ key
     def persisted
       @persisted ||= { chain: true }
     end
 
+    # @return [Hash]
     def load_from_content(content)
       chain = []
       split_pems(content) do |pem|
@@ -277,6 +328,9 @@ module LetsCert
       { chain: chain }
     end
 
+    # Save chain.
+    # @param [Hash] data
+    # @return [void]
     def save(data)
       save_to_file(data[:chain].map { |c| dump_cert(c) }.join)
     end
@@ -286,12 +340,16 @@ module LetsCert
 
 
   # Fullchain file plugin
+  # @author Sylvain Daubert
   class FullChainFile < ChainFile
 
+    # @return [Hash] always get +true+ for +:cert+ and +:chain+ keys
     def persisted
       @persisted ||= { cert: true, chain: true }
     end
 
+    # Load full certificate chain
+    # @return [Hash]
     def load
       data = super
       if data[:chain].nil? or data[:chain].empty?
@@ -303,6 +361,9 @@ module LetsCert
       { account_key: data[:account_key], key: data[:key], cert: cert, chain: chain }
     end
 
+    # Save fullchain.
+    # @param [Hash] data
+    # @return [void]
     def save(data)
       super(account_key: data[:account_key], key: data[:key], cert: nil,
             chain: [data[:cert]] + data[:chain])
@@ -313,17 +374,23 @@ module LetsCert
 
 
   # Cert file plugin
+  # @author Sylvain Daubert
   class CertFile < OpenSSLIOPlugin
     include FileIOPluginMixin
 
+    # @return [Hash] always get +true+ for +:cert+ key
     def persisted
       @persisted ||= { cert: true }
     end
 
+    # @return [Hash]
     def load_from_content(content)
       { cert: load_cert(content) }
     end
 
+    # Save certificate.
+    # @param [Hash] data
+    # @return [void]
     def save(data)
       save_to_file(dump_cert(data[:cert]))
     end

data/lib/letscert/loggable.rb

@@ -0,0 +1,72 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# Namespace for all letcert's classes.
+# @author Sylvain Daubert
+module LetsCert
+
+  # Mixin module to add loggability to a class.
+  # @author Sylvain Daubert
+  module Loggable
+
+    # Hook called when {Loggable} is included in a class or a module.
+    # This hook adds methods from {ClassMethods} as class methods to +mod+.
+    # @param [Module] mod
+    # @return [void]
+    def self.included(mod)
+      mod.extend(ClassMethods)
+    end
+
+    # Class methods from {Loggable} module to include in target classes.
+    # @author Sylvain Daubert
+    module ClassMethods
+
+      # @private hook called a subclass is created.
+      #  Take care of all subclasses to later properly set @logger class instance variable.
+      # @param [Class] subclass
+      # @return [void]
+      def inherited(subclass)
+        @@subclasses ||= []
+        @@subclasses << subclass
+      end
+
+      # Set logger
+      # @param [Logger] logger
+      # @return [void]
+      def logger=(logger)
+        @logger = logger
+        @@subclasses.each do |subclass|
+          subclass.instance_variable_set(:@logger, logger)
+        end
+      end
+
+    end
+
+    # Get logger instance
+    # @return [Logger]
+    def logger
+      @logger ||= self.class.instance_variable_get(:@logger)
+    end
+
+  end
+
+end

data/lib/letscert/loggable.rb~

@@ -0,0 +1,24 @@
+module LetsCert
+
+  module Loggable
+
+    module ClassMethods
+
+      # Set logger
+      # @param [Logger] logger
+      def self.logger=(logger)
+        @@logger = logger
+      end
+
+    end
+
+
+    # Get logger instance
+    # @return [Logger]
+    def logger
+      @logger ||= self.class.class_variable_get(:@@logger)
+    end
+
+  end
+
+end

data/lib/letscert/runner.rb

@@ -1,17 +1,41 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
 require 'optparse'
 require 'logger'
 require 'fileutils'
 
 require_relative 'io_plugin'
+require_relative 'certificate'
 
 module LetsCert
 
+  # Runner class: analyse and execute CLI commands.
+  # @author Sylvain Daubert
   class Runner
 
     # Custom logger formatter
     class LoggerFormatter < Logger::Formatter
 
-      # @private
+      # @private log format
       FORMAT = "[%s] %5s: %s\n"
 
       # @param [String] severity
@@ -26,8 +50,11 @@ module LetsCert
 
       private
 
+      # @private simple datetime formatter
+      # @param [DateTime] time
+      # @return [String]
       def format_datetime(time)
-        time.strftime("%Y-%d-%d %H:%M:%S")
+        time.strftime("%Y-%m-%d %H:%M:%S")
       end
 
     end
@@ -100,13 +127,15 @@ module LetsCert
       @logger.debug { "options are: #{@options.inspect}" }
 
       IOPlugin.logger = @logger
+      Certificate.logger = @logger
 
       begin
         if @options[:revoke]
-          revoke
+          Certificate.revoke @options[:files]
           RETURN_OK
         elsif @options[:domains].empty?
-          raise Error, 'At leat one domain must be given with --domain option'
+          raise Error, "At leat one domain must be given with --domain option.\n" +
+                       "Try 'letscert --help' for more information."
         else
           # Check all components are covered by plugins
           persisted = IOPlugin.empty_data
@@ -128,7 +157,7 @@ module LetsCert
             RETURN_OK
           else
             # update/create cert
-            new_data(data)
+            Certificate.get @options, data
             RETURN_OK_CERT
           end
         end
@@ -141,6 +170,9 @@ module LetsCert
     end
 
 
+    # Parse line command options
+    # @raise [OptionParser::InvalidOption] on unrecognized or malformed option
+    # @return [void]
     def parse_options
       @opt_parser = OptionParser.new do |opts|
         opts.banner = "Usage: lestcert [options]"
@@ -245,72 +277,12 @@ module LetsCert
       @opt_parser.parse!
     end
 
-    def revoke
-      @logger.info { "load certificates: #{@options[:files].join(', ')}" }
-      if @options[:files].empty?
-        raise Error, 'no certificate to revoke. Pass at least one with '+
-                     ' -f option.'
-      end
-
-      # Temp
-      @logger.warn "Not yet implemented"
-    end
-
 
     private
 
-    def get_account_key(data)
-      if data.nil?
-        logger.info { 'No account key. Generate a new one...' }
-        OpenSSL::PKey::RSA.new(@options[:account_key_size])
-      else
-        data
-      end
-    end
-
-    # Get ACME client.
-    #
-    # Client is only created on first call, then it is cached.
-    def get_acme_client(account_key)
-      return @client if @client
-
-      key = get_account_key(account_key)
-
-      @logger.debug { "connect to #{@options[:server]}" }
-      @client = Acme::Client.new(private_key: key, endpoint: @options[:server])
-
-      if @options[:email].nil?
-        @logger.warn { '--email was not provided. ACME CA will have no way to ' +
-                       'contact you!' }
-      end
-
-      begin
-        @logger.debug { "register with #{@options[:email]}" }
-        registration = @client.register(contact: "mailto:#{@options[:email]}")
-      rescue Acme::Client::Error::Malformed => ex
-        if ex.message != 'Registration key is already in use'
-          raise
-        end
-      else
-        #if registration.term_of_service_uri
-        #  @logger.debug { "get terms of service" }
-        #  terms = registration.get_terms
-        #  if !terms.nil?
-        #    tos_digest = OpenSSL::Digest::SHA256.digest(terms)
-        #    if tos_digest != @options[:tos_sha256]
-        #      raise Error, 'Terms Of Service mismatch'
-        #    end
-        
-             @logger.debug { "agree terms of service" }
-             registration.agree_terms
-        #  end
-        #end
-      end
-
-      @client
-    end
-
     # Load existing data from disk
+    # @param [Array<String>] files
+    # @return [Hash]
     def load_data_from_disk(files)
       all_data = IOPlugin.empty_data
 
@@ -335,6 +307,10 @@ module LetsCert
 
     # Check if +cert+ exists and is always valid
     # @todo For now, only check exitence.
+    # @param [nil, OpenSSL::X509::Certificate] cert certificate to valid
+    # @param [Array<String>] domains list if domains to valid
+    # @param [Number] valid_min minimum validity in seconds to ensure
+    # @return [Boolean]
     def valid_existing_cert(cert, domains, valid_min)
       if cert.nil?
         @logger.debug { 'no existing cert' }
@@ -359,6 +335,9 @@ module LetsCert
     end
 
     # Check if a renewal is necessary for +cert+
+    # @param [OpenSSL::X509::Certificate] cert
+    # @param [Number] valid_min minimum validity in seconds to ensure
+    # @return [Boolean]
     def renewal_necessary?(cert, valid_min)
       now = Time.now.utc
       diff = (cert.not_after - now).to_i
@@ -368,102 +347,6 @@ module LetsCert
       diff < valid_min
     end
 
-    # Create/renew key/cert/chain
-    def new_data(data)
-      @logger.info {"create key/cert/chain..." }
-      roots = compute_roots
-      @logger.debug { "webroots are: #{roots.inspect}" }
-
-      client = get_acme_client(data[:account_key])
-
-      @logger.debug { 'Get authorization for all domains' }
-      challenges = {}
-      roots.keys.each do |domain|
-        authorization = client.authorize(domain: domain)
-         if authorization
-           challenges[domain] = authorization.http01
-         else
-           challenges[domain] = nil
-         end
-      end
-
-      @logger.debug { 'Check all challenges are HTTP-01' }
-      if challenges.values.any? { |chall| chall.nil? }
-        raise Error, 'CA did not offer http-01-only challenge. ' +
-                     'This client is unable to solve any other challenges.'
-      end
-
-      challenges.each do |domain, challenge|
-        begin
-          FileUtils.mkdir_p(File.join(roots[domain], File.dirname(challenge.filename)))
-        rescue SystemCallError => ex
-          raise Error, ex.message
-        end
-
-        path = File.join(roots[domain], challenge.filename)
-        logger.debug { "Save validation #{challenge.file_content} to #{path}" }
-        File.write path, challenge.file_content
-
-        challenge.request_verification
-
-        status = 'pending'
-        while(status == 'pending') do
-          sleep(1)
-          status = challenge.verify_status
-        end
-
-        if status != 'valid'
-          @logger.warn { "#{domain} was not successfully verified!" }
-        else
-          @logger.info { "#{domain} was successfully verified." }
-        end
-
-        File.unlink path
-      end
-
-      if @options[:reuse_key] and !data[:key].nil?
-        @logger.info { 'Reuse existing private key' }
-        key = data[:key]
-      else
-        @logger.info { 'Generate new private key' }
-        key = OpenSSL::PKey::RSA.generate(@options[:cert_key_size])
-      end
-
-      csr = Acme::Client::CertificateRequest.new(names: roots.keys, private_key: key)
-      cert = client.new_certificate(csr)
-
-      IOPlugin.registered.each do |name, plugin|
-        plugin.save( account_key: client.private_key, key: key, cert: cert.x509,
-                     chain: cert.x509_chain)
-      end
-    end
-
-    # Compute webroots
-    # @return [Hash] whre key are domains and value are their webroot path
-    def compute_roots
-      roots = {}
-      no_roots = []
-
-      @options[:domains].each do |domain|
-        match = domain.match(/([\w+\.]+):(.*)/)
-        if match
-          roots[match[1]] = match[2]
-        elsif @options[:default_root]
-          roots[domain] = @options[:default_root]
-        else
-          no_roots << domain
-        end
-      end
-
-      if !no_roots.empty?
-        raise Error, 'root for the following domain(s) are not specified: ' +
-                     no_roots.join(', ') + ".\nTry --default_root or use " +
-                     '-d example.com:/var/www/html syntax.'
-      end
-
-      roots
-    end
-
   end
 
 end

data/lib/letscert.rb

@@ -1,8 +1,30 @@
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Sylvain Daubert
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
 # Namespace for all letcert's classes.
 module LetsCert
 
   # Letscert version number
-  VERSION = '0.2.1'
+  VERSION = '0.2.2'
 
 
   # Base error class

data/tasks/gem.rake

@@ -21,8 +21,8 @@ EOF
   s.files = files
   s.executables = ['letscert']
 
-  s.add_dependency 'acme-client', '~>0.2.4'
-  s.add_dependency 'yard', '~>0.8.7'
+  s.add_dependency 'acme-client', '~>0.3.0'
+  s.add_dependency 'yard', '~>0.8'
 
   #s.add_development_dependency 'rspec', '~>3.4'
 end

data/tasks/yard.rake

@@ -2,5 +2,5 @@ require 'yard'
 
 YARD::Rake::YardocTask.new do |t|
   t.options = ['--no-private']
-  t.files = ['lib/**/*.rb']
+  t.files = ['lib/**/*.rb', '-', 'LICENSE']
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: letscert
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Sylvain Daubert
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-04 00:00:00.000000000 Z
+date: 2016-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.4
+        version: 0.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.4
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.7
+        version: '0.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.7
+        version: '0.8'
 description: |
   letscert is a simple Let's Encrypt client written in Ruby. It aims at be as clean as
   simp_le.
@@ -54,11 +54,12 @@ files:
 - bin/letscert~
 - lib/letscert.rb
 - lib/letscert.rb~
+- lib/letscert/certificate.rb
 - lib/letscert/certificate.rb~
 - lib/letscert/io_plugin.rb
-- lib/letscert/io_plugin.rb~
+- lib/letscert/loggable.rb
+- lib/letscert/loggable.rb~
 - lib/letscert/runner.rb
-- lib/letscert/runner.rb~
 - tasks/gem.rake
 - tasks/gem.rake~
 - tasks/yard.rake

data/lib/letscert/io_plugin.rb~

@@ -1,9 +0,0 @@
-module LetsCert
-
-  class IOPlugin
-
-    ALLOWED_PLUGINS = %w(account_key.json cert.der cert.pem chain.pem full.pem) +
-                      %w(fullchain.pem key.der key.pem)
-  end
-
-end

data/lib/letscert/runner.rb~

@@ -1,10 +0,0 @@
-module LetsCert
-
-  class Runner
-
-    def self.run
-    end
-
-  end
-
-end