RubyGems - letscert - Versions diffs - 0.2.4 → 0.3.0 - Mend

letscert 0.2.4 → 0.3.0

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +27 -12
data/lib/letscert.rb +1 -1
data/lib/letscert/certificate.rb +75 -13
data/lib/letscert/runner.rb +15 -49
data/spec/certificate_spec.rb +56 -0
data/spec/certificate_spec.rb~ +8 -0
data/tasks/gem.rake +4 -2
metadata +20 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bc09ae0885a6a70be1512b3819c07899cd84ecab
-  data.tar.gz: 124c5daa4aab3d985d86a1d0fada0c65db0269a2
+  metadata.gz: 4d86e5665c2e35534ded942c0603cb47b927e05e
+  data.tar.gz: f2d9fa631de0f0aee3ec3e051f6c2a78ff85bdf1
 SHA512:
-  metadata.gz: cf9e90399b2277647f72939d7669a0d562add40b1cd3a4a89346d215fe09e7a97bf0eed125342c30bed63096c92945f932276df3d82dc532a83221238cfba0e5
-  data.tar.gz: ce17392296e10b1d45fff709662ec3de25c53f658b28140a895706b65fe8f0f44959a87cc418d33155246af98afe36639623a503f54a77dc015d00462e1b65ff
+  metadata.gz: 103bc74e75d1a69f004951cbd681768a3efd11520c59ed38cc389a81aaf750ec097c94d84a57a9898fc298237309bc84f48d27dc5dd18d371d952ba48eab09e1
+  data.tar.gz: 717dfaff074bd6c3809045e56ff51e7518c2c0f2bc2ce5990e8777121b3ea6dda3f67e4b90dec891534dd0f9e4cba60a3f72bd36e2e26e62b18de77ee23b89e3

data/README.md CHANGED Viewed

@@ -9,32 +9,47 @@ in Ruby.
 # Usage
-Generate a key pair and get signed certificate:
+## Generate a key pair and get signed certificate:
+With full chain support (`fullchain.pem` file will contain all certificates):
 ```bash
-letscert -d example.com:/var/www/example.com/html -f account_key.json -f key.pem -f cert.pem -f fullchain.pem
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld -f account_key.json -f key.pem -f fullchain.pem
 ```
-Generate a key pair and get a signed certificate for multi-domains:
+else (certificate for example.com is in `cert.pem` file, rest of certification chain
+is in `chain.pem`):
 ```bash
-letscert -d example.com -d www.example.com --default_root /var/www/html -f account_key.json -f key.pem -f cert.pem -f fullchain.pem
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld -f account_key.json -f key.pem -f cert.pem -f chain.pem
 ```
 Commands are the sames for certificate renewal.
+## Generate a key pair and get a signed certificate for multi-domains:
+Generate a single certificate for `example.com` and `www.example.com`:
+```bash
+letscert -d example.com -d www.example.com --default-root /var/www/html --email my.name@domain.tld -f account_key.json -f key.pem -f fullchain.pem
+```
+Command is the same for certificate renewal.
+## Revoke a key pair:
+From directory where are stored `account_key.json` and `cert.pem` or `fullchain.pem`:
+```bash
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld --revoke
+```
 # What `letscert` do
-* Automagically a new ACME account if needed.
+* Automagically create a new ACME account if needed.
 * Issue new certificate if no previous one found.
 * Renew certificate only if needed.
-* Only `http-01` challenge supported. An existing web server must be alreay running. `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
+* Only `http-01` challenge supported. An existing web server must be alreay running.
+  `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
 * Crontab friendly: no promts.
 * No configuration file.
-* Support multiple domains with multiple roots. Always create a single certificate per un
-  (ie a certificate may have multiple SANs).
+* Support multiple domains with multiple roots. Always create a single certificate per
+  run (ie a certificate may have multiple SANs).
 * As `simp_le`, check the exit code to known if a renewal has happened:
   * 0 if certificate data was created or updated;
   * 1 if renewal not necessary;
   * 2 in case of errors.
-# Todo
-Add support to revocation.

data/lib/letscert.rb CHANGED Viewed

@@ -24,7 +24,7 @@
 module LetsCert
   # Letscert version number
-  VERSION = '0.2.4'
+  VERSION = '0.3.0'
   # Base error class

data/lib/letscert/certificate.rb CHANGED Viewed

@@ -24,34 +24,31 @@ require_relative 'loggable'
 module LetsCert
   # Class to handle ACME operations on certificates
+  # @author Sylvain Daubert
   class Certificate
     include Loggable
-    # Revoke certificates
-    # @param [Array<String>] files
-    def self.revoke(files)
-      logger.warn "revoke not yet implemented"
+    # @param [OpenSSL::X509::Certificate,nil] cert
+    def initialize(cert)
+      @cert = cert
     end
     # Get a new certificate, or renew an existing one
-    # @param [Hash] options
+    # @param [OpenSSL::PKey::PKey] account_key private key to authenticate to ACME server
+    # @param [OpenSSL::PKey::PKey] key private key from which make a certificate
     # @param [Hash] data
-    def self.get(options, data)
-      new.get options, data
-    end
-    def get(options, data)
+    def get(account_key, key, options)
       logger.info {"create key/cert/chain..." }
       roots = compute_roots(options)
       logger.debug { "webroots are: #{roots.inspect}" }
-      client = get_acme_client(data[:account_key], options)
+      client = get_acme_client(account_key, options)
       do_challenges client, roots
-      if options[:reuse_key] and !data[:key].nil?
+      if options[:reuse_key] and !key.nil?
         logger.info { 'Reuse existing private key' }
-        key = data[:key]
       else
         logger.info { 'Generate new private key' }
         key = OpenSSL::PKey::RSA.generate(options[:cert_key_size])
@@ -68,6 +65,58 @@ module LetsCert
       end
     end
+    # Revoke certificate
+    # @param [OpenSSL::PKey::PKey] account_key
+    # @return [Boolean]
+    def revoke(account_key, options)
+      if @cert.nil?
+        raise Error, 'no certification data to revoke'
+      end
+      client = get_acme_client(account_key, options)
+      begin
+        result = client.revoke_certificate(@cert)
+      rescue Exception => ex
+        raise
+      end
+      if result
+        logger.info { 'certificate is revoked' }
+      else
+        logger.warn { 'certificate is not revoked!' }
+      end
+      result
+    end
+    # Check if certificate is still valid for at least +valid_min+ seconds.
+    # Also checks that +domains+ are certified by certificate.
+    # @param [Array<String>] domains list of certificate domains
+    # @param [Integer] valid_min
+    # @return [Boolean]
+    def valid?(domains, valid_min=0)
+      if @cert.nil?
+        logger.debug { 'no existing certificate' }
+        return false
+      end
+      subjects = []
+      @cert.extensions.each do |ext|
+        if ext.oid == 'subjectAltName'
+          subjects += ext.value.split(/,\s*/).map { |s| s.sub(/DNS:/, '') }
+        end
+      end
+      logger.debug { "cert SANs: #{subjects.join(', ')}" }
+      # Check all domains are subjects of certificate
+      unless domains.all? { |domain| subjects.include? domain }
+        raise Error, "At least one domain is not declared as a certificate subject." +
+                     "Backup and remove existing cert if you want to proceed"
+      end
+      !renewal_necessary?(valid_min)
+    end
     private
@@ -206,6 +255,19 @@ module LetsCert
       end
     end
+    # Check if a renewal is necessary for +cert+
+    # @param [OpenSSL::X509::Certificate] cert
+    # @param [Number] valid_min minimum validity in seconds to ensure
+    # @return [Boolean]
+    def renewal_necessary?(valid_min)
+      now = Time.now.utc
+      diff = (@cert.not_after - now).to_i
+      logger.debug { "Certificate expires in #{diff}s on #{@cert.not_after}" +
+                     " (relative to #{now})" }
+      diff < valid_min
+    end
   end
 end

data/lib/letscert/runner.rb CHANGED Viewed

@@ -130,12 +130,19 @@ module LetsCert
       Certificate.logger = @logger
       begin
-        if @options[:revoke]
-          Certificate.revoke @options[:files]
-          RETURN_OK
-        elsif @options[:domains].empty?
+        if @options[:domains].empty?
           raise Error, "At leat one domain must be given with --domain option.\n" +
                        "Try 'letscert --help' for more information."
+        end
+        if @options[:revoke]
+          data = load_data_from_disk(IOPlugin.registered.keys)
+          certificate = Certificate.new(data[:cert])
+          if certificate.revoke(data[:account_key], @options)
+            RETURN_OK
+          else
+            RETURN_ERROR
+          end
         else
           # Check all components are covered by plugins
           persisted = IOPlugin.empty_data
@@ -152,12 +159,13 @@ module LetsCert
           data = load_data_from_disk(@options[:files])
-          if valid_existing_cert(data[:cert], @options[:domains], @options[:valid_min])
+          certificate = Certificate.new(data[:cert])
+          if certificate.valid?(@options[:domains], @options[:valid_min])
             @logger.info { 'no need to update cert' }
             RETURN_OK
           else
             # update/create cert
-            Certificate.get @options, data
+            certificate.get data[:account_key], data[:key], @options
             RETURN_OK_CERT
           end
         end
@@ -197,7 +205,7 @@ module LetsCert
           @options[:domains] << domain
         end
-        opts.on('--default_root PATH', 'Default webroot path',
+        opts.on('--default-root PATH', 'Default webroot path',
                 'Use for domains without PATH part.') do |path|
           @options[:default_root] = path
         end
@@ -305,48 +313,6 @@ module LetsCert
       all_data
     end
-    # Check if +cert+ exists and is always valid
-    # @todo For now, only check exitence.
-    # @param [nil, OpenSSL::X509::Certificate] cert certificate to valid
-    # @param [Array<String>] domains list if domains to valid
-    # @param [Number] valid_min minimum validity in seconds to ensure
-    # @return [Boolean]
-    def valid_existing_cert(cert, domains, valid_min)
-      if cert.nil?
-        @logger.debug { 'no existing cert' }
-        return false
-      end
-      subjects = []
-      cert.extensions.each do |ext|
-        if ext.oid == 'subjectAltName'
-          subjects += ext.value.split(/,\s*/).map { |s| s.sub(/DNS:/, '') }
-        end
-      end
-      @logger.debug { "cert SANs: #{subjects.join(', ')}" }
-      # Check all domains are subjects of certificate
-      unless domains.all? { |domain| subjects.include? domain }
-        raise Error, "At least one domain is not declared as a certificate subject." +
-                     "Backup and remove existing cert if you want to proceed"
-      end
-      !renewal_necessary?(cert, valid_min)
-    end
-    # Check if a renewal is necessary for +cert+
-    # @param [OpenSSL::X509::Certificate] cert
-    # @param [Number] valid_min minimum validity in seconds to ensure
-    # @return [Boolean]
-    def renewal_necessary?(cert, valid_min)
-      now = Time.now.utc
-      diff = (cert.not_after - now).to_i
-      @logger.debug { "Certificate expires in #{diff}s on #{cert.not_after}" +
-                      " (relative to #{now})" }
-      diff < valid_min
-    end
   end
 end

data/spec/certificate_spec.rb ADDED Viewed

@@ -0,0 +1,56 @@
+require_relative 'spec_helper'
+module LetsCert
+  describe Certificate do
+    before(:all) { Certificate.logger = Logger.new('/dev/null') }
+    context '#valid?' do
+      before(:all) do
+        root_key = OpenSSL::PKey::RSA.new(512)
+        @domains = %w(example.org www.example.org)
+        key = OpenSSL::PKey::RSA.new(512)
+        @cert = OpenSSL::X509::Certificate.new
+        @cert.version = 2
+        @cert.serial = 2
+        @cert.issuer = OpenSSL::X509::Name.parse "/DC=letscert/CN=CA"
+        @cert.public_key = key.public_key
+        @cert.not_before = Time.now
+        # 20 days validity
+        @cert.not_after = @cert.not_before + 20 * 24 * 60 * 60
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = @cert
+        @domains.each do |domain|
+          @cert.add_extension(ef.create_extension('subjectAltName',
+                                                  "DNS:#{domain}",
+                                                  false))
+        end
+        @cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+      end
+      let(:certificate) { Certificate.new(@cert) }
+      it 'checks whether a certificate is valid given a minimum valid duration' do
+        expect(certificate.valid?(@domains)).to be(true)
+        expect(certificate.valid?(@domains, 19)).to be(true)
+        expect(certificate.valid?(@domains, 21 * 24 * 3600)).to be(false)
+      end
+      it 'raises whether a certificate does not validate a given domain' do
+        expect(certificate.valid?(@domains)).to be(true)
+        expect(certificate.valid?(@domains[0, 1])).to be(true)
+        domains = @domains + %w(another.tld)
+        expect { certificate.valid?(domains) }.to raise_error(LetsCert::Error)
+        expect { certificate.valid?(%w(another.tld)) }.to raise_error(LetsCert::Error)
+      end
+    end
+  end
+end

data/spec/certificate_spec.rb~ ADDED Viewed

@@ -0,0 +1,8 @@
+require_relative 'spec_helper'
+module LetsCert
+  describe Certificate do
+  end
+end

data/tasks/gem.rake CHANGED Viewed

@@ -21,11 +21,13 @@ EOF
   s.files = files
   s.executables = ['letscert']
+  s.required_ruby_version = '>= 2.1.0'
   s.add_dependency 'acme-client', '~>0.3.0'
   s.add_dependency 'json-jwt', '~>1.5'
-  s.add_dependency 'yard', '~>0.8'
-  #s.add_development_dependency 'rspec', '~>3.4'
+  s.add_development_dependency 'rspec', '~>3.4'
+  s.add_development_dependency 'yard', '~>0.8'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: letscert
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Sylvain Daubert
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-02-14 00:00:00.000000000 Z
+date: 2016-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -45,7 +59,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -73,6 +87,8 @@ files:
 - spec/account_key.json
 - spec/cert.der
 - spec/cert.pem
+- spec/certificate_spec.rb
+- spec/certificate_spec.rb~
 - spec/chain.pem
 - spec/fullchain.pem
 - spec/io_plugin_spec.rb
@@ -96,7 +112,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="