RubyGems - letscert - Versions diffs - 0.2.4 → 0.3.0 - Mend

letscert 0.2.4 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +27 -12
data/lib/letscert.rb +1 -1
data/lib/letscert/certificate.rb +75 -13
data/lib/letscert/runner.rb +15 -49
data/spec/certificate_spec.rb +56 -0
data/spec/certificate_spec.rb~ +8 -0
data/tasks/gem.rake +4 -2
metadata +20 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bc09ae0885a6a70be1512b3819c07899cd84ecab
-  data.tar.gz: 124c5daa4aab3d985d86a1d0fada0c65db0269a2
+  metadata.gz: 4d86e5665c2e35534ded942c0603cb47b927e05e
+  data.tar.gz: f2d9fa631de0f0aee3ec3e051f6c2a78ff85bdf1
 SHA512:
-  metadata.gz: cf9e90399b2277647f72939d7669a0d562add40b1cd3a4a89346d215fe09e7a97bf0eed125342c30bed63096c92945f932276df3d82dc532a83221238cfba0e5
-  data.tar.gz: ce17392296e10b1d45fff709662ec3de25c53f658b28140a895706b65fe8f0f44959a87cc418d33155246af98afe36639623a503f54a77dc015d00462e1b65ff
+  metadata.gz: 103bc74e75d1a69f004951cbd681768a3efd11520c59ed38cc389a81aaf750ec097c94d84a57a9898fc298237309bc84f48d27dc5dd18d371d952ba48eab09e1
+  data.tar.gz: 717dfaff074bd6c3809045e56ff51e7518c2c0f2bc2ce5990e8777121b3ea6dda3f67e4b90dec891534dd0f9e4cba60a3f72bd36e2e26e62b18de77ee23b89e3

data/README.md CHANGED Viewed

@@ -9,32 +9,47 @@ in Ruby.
 # Usage
-Generate a key pair and get signed certificate:
+## Generate a key pair and get signed certificate:
+With full chain support (`fullchain.pem` file will contain all certificates):
 ```bash
-letscert -d example.com:/var/www/example.com/html -f account_key.json -f key.pem -f cert.pem -f fullchain.pem
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld -f account_key.json -f key.pem -f fullchain.pem
 ```
-Generate a key pair and get a signed certificate for multi-domains:
+else (certificate for example.com is in `cert.pem` file, rest of certification chain
+is in `chain.pem`):
 ```bash
-letscert -d example.com -d www.example.com --default_root /var/www/html -f account_key.json -f key.pem -f cert.pem -f fullchain.pem
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld -f account_key.json -f key.pem -f cert.pem -f chain.pem
 ```
 Commands are the sames for certificate renewal.
+## Generate a key pair and get a signed certificate for multi-domains:
+Generate a single certificate for `example.com` and `www.example.com`:
+```bash
+letscert -d example.com -d www.example.com --default-root /var/www/html --email my.name@domain.tld -f account_key.json -f key.pem -f fullchain.pem
+```
+Command is the same for certificate renewal.
+## Revoke a key pair:
+From directory where are stored `account_key.json` and `cert.pem` or `fullchain.pem`:
+```bash
+letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld --revoke
+```
 # What `letscert` do
-* Automagically a new ACME account if needed.
+* Automagically create a new ACME account if needed.
 * Issue new certificate if no previous one found.
 * Renew certificate only if needed.
-* Only `http-01` challenge supported. An existing web server must be alreay running. `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
+* Only `http-01` challenge supported. An existing web server must be alreay running.
+  `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
 * Crontab friendly: no promts.
 * No configuration file.
-* Support multiple domains with multiple roots. Always create a single certificate per un
-  (ie a certificate may have multiple SANs).
+* Support multiple domains with multiple roots. Always create a single certificate per
+  run (ie a certificate may have multiple SANs).
 * As `simp_le`, check the exit code to known if a renewal has happened:
   * 0 if certificate data was created or updated;
   * 1 if renewal not necessary;
   * 2 in case of errors.
-# Todo
-Add support to revocation.

data/lib/letscert.rb CHANGED Viewed

@@ -24,7 +24,7 @@
 module LetsCert
   # Letscert version number
-  VERSION = '0.2.4'
+  VERSION = '0.3.0'
   # Base error class

data/lib/letscert/certificate.rb CHANGED Viewed

@@ -24,34 +24,31 @@ require_relative 'loggable'
 module LetsCert
   # Class to handle ACME operations on certificates
+  # @author Sylvain Daubert
   class Certificate
     include Loggable
-    # Revoke certificates
-    # @param [Array<String>] files
-    def self.revoke(files)
-      logger.warn "revoke not yet implemented"
+    # @param [OpenSSL::X509::Certificate,nil] cert
+    def initialize(cert)
+      @cert = cert
     end
     # Get a new certificate, or renew an existing one
-    # @param [Hash] options
+    # @param [OpenSSL::PKey::PKey] account_key private key to authenticate to ACME server
+    # @param [OpenSSL::PKey::PKey] key private key from which make a certificate
     # @param [Hash] data
-    def self.get(options, data)
-      new.get options, data
-    end
-    def get(options, data)
+    def get(account_key, key, options)
       logger.info {"create key/cert/chain..." }
       roots = compute_roots(options)
       logger.debug { "webroots are: #{roots.inspect}" }
-      client = get_acme_client(data[:account_key], options)
+      client = get_acme_client(account_key, options)
       do_challenges client, roots
-      if options[:reuse_key] and !data[:key].nil?
+      if options[:reuse_key] and !key.nil?
         logger.info { 'Reuse existing private key' }
-        key = data[:key]
       else
         logger.info { 'Generate new private key' }
         key = OpenSSL::PKey::RSA.generate(options[:cert_key_size])
@@ -68,6 +65,58 @@ module LetsCert
       end
     end
+    # Revoke certificate
+    # @param [OpenSSL::PKey::PKey] account_key
+    # @return [Boolean]
+    def revoke(account_key, options)
+      if @cert.nil?
+        raise Error, 'no certification data to revoke'
+      end
+      client = get_acme_client(account_key, options)
+      begin
+        result = client.revoke_certificate(@cert)
+      rescue Exception => ex
+        raise
+      end
+      if result
+        logger.info { 'certificate is revoked' }
+      else
+        logger.warn { 'certificate is not revoked!' }
+      end
+      result
+    end
+    # Check if certificate is still valid for at least +valid_min+ seconds.
+    # Also checks that +domains+ are certified by certificate.
+    # @param [Array<String>] domains list of certificate domains
+    # @param [Integer] valid_min
+    # @return [Boolean]
+    def valid?(domains, valid_min=0)
+      if @cert.nil?
+        logger.debug { 'no existing certificate' }
+        return false
+      end
+      subjects = []
+      @cert.extensions.each do |ext|
+        if ext.oid == 'subjectAltName'
+          subjects += ext.value.split(/,\s*/).map { |s| s.sub(/DNS:/, '') }
+        end
+      end
+      logger.debug { "cert SANs: #{subjects.join(', ')}" }
+      # Check all domains are subjects of certificate
+      unless domains.all? { |domain| subjects.include? domain }
+        raise Error, "At least one domain is not declared as a certificate subject." +
+                     "Backup and remove existing cert if you want to proceed"
+      end
+      !renewal_necessary?(valid_min)
+    end
     private
@@ -206,6 +255,19 @@ module LetsCert
       end
     end
+    # Check if a renewal is necessary for +cert+
+    # @param [OpenSSL::X509::Certificate] cert
+    # @param [Number] valid_min minimum validity in seconds to ensure
+    # @return [Boolean]
+    def renewal_necessary?(valid_min)
+      now = Time.now.utc
+      diff = (@cert.not_after - now).to_i
+      logger.debug { "Certificate expires in #{diff}s on #{@cert.not_after}" +
+                     " (relative to #{now})" }
+      diff < valid_min
+    end
   end
 end

data/lib/letscert/runner.rb CHANGED Viewed

@@ -130,12 +130,19 @@ module LetsCert
       Certificate.logger = @logger
       begin
-        if @options[:revoke]
-          Certificate.revoke @options[:files]
-          RETURN_OK
-        elsif @options[:domains].empty?
+        if @options[:domains].empty?
           raise Error, "At leat one domain must be given with --domain option.\n" +
                        "Try 'letscert --help' for more information."
+        end
+        if @options[:revoke]
+          data = load_data_from_disk(IOPlugin.registered.keys)
+          certificate = Certificate.new(data[:cert])
+          if certificate.revoke(data[:account_key], @options)
+            RETURN_OK
+          else
+            RETURN_ERROR
+          end
         else
           # Check all components are covered by plugins
           persisted = IOPlugin.empty_data
@@ -152,12 +159,13 @@ module LetsCert
           data = load_data_from_disk(@options[:files])
-          if valid_existing_cert(data[:cert], @options[:domains], @options[:valid_min])
+          certificate = Certificate.new(data[:cert])
+          if certificate.valid?(@options[:domains], @options[:valid_min])
             @logger.info { 'no need to update cert' }
             RETURN_OK
           else
             # update/create cert
-            Certificate.get @options, data
+            certificate.get data[:account_key], data[:key], @options
             RETURN_OK_CERT
           end
         end
@@ -197,7 +205,7 @@ module LetsCert
           @options[:domains] << domain
         end
-        opts.on('--default_root PATH', 'Default webroot path',
+        opts.on('--default-root PATH', 'Default webroot path',
                 'Use for domains without PATH part.') do |path|
           @options[:default_root] = path
         end
@@ -305,48 +313,6 @@ module LetsCert
       all_data
     end
-    # Check if +cert+ exists and is always valid
-    # @todo For now, only check exitence.
-    # @param [nil, OpenSSL::X509::Certificate] cert certificate to valid
-    # @param [Array<String>] domains list if domains to valid
-    # @param [Number] valid_min minimum validity in seconds to ensure
-    # @return [Boolean]
-    def valid_existing_cert(cert, domains, valid_min)
-      if cert.nil?
-        @logger.debug { 'no existing cert' }
-        return false
-      end
-      subjects = []
-      cert.extensions.each do |ext|
-        if ext.oid == 'subjectAltName'
-          subjects += ext.value.split(/,\s*/).map { |s| s.sub(/DNS:/, '') }
-        end
-      end
-      @logger.debug { "cert SANs: #{subjects.join(', ')}" }
-      # Check all domains are subjects of certificate
-      unless domains.all? { |domain| subjects.include? domain }
-        raise Error, "At least one domain is not declared as a certificate subject." +
-                     "Backup and remove existing cert if you want to proceed"
-      end
-      !renewal_necessary?(cert, valid_min)
-    end
-    # Check if a renewal is necessary for +cert+
-    # @param [OpenSSL::X509::Certificate] cert
-    # @param [Number] valid_min minimum validity in seconds to ensure
-    # @return [Boolean]
-    def renewal_necessary?(cert, valid_min)
-      now = Time.now.utc
-      diff = (cert.not_after - now).to_i
-      @logger.debug { "Certificate expires in #{diff}s on #{cert.not_after}" +
-                      " (relative to #{now})" }
-      diff < valid_min
-    end
   end
 end

data/spec/certificate_spec.rb ADDED Viewed

@@ -0,0 +1,56 @@
+require_relative 'spec_helper'
+module LetsCert
+  describe Certificate do
+    before(:all) { Certificate.logger = Logger.new('/dev/null') }
+    context '#valid?' do
+      before(:all) do
+        root_key = OpenSSL::PKey::RSA.new(512)
+        @domains = %w(example.org www.example.org)
+        key = OpenSSL::PKey::RSA.new(512)
+        @cert = OpenSSL::X509::Certificate.new
+        @cert.version = 2
+        @cert.serial = 2
+        @cert.issuer = OpenSSL::X509::Name.parse "/DC=letscert/CN=CA"
+        @cert.public_key = key.public_key
+        @cert.not_before = Time.now
+        # 20 days validity
+        @cert.not_after = @cert.not_before + 20 * 24 * 60 * 60
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = @cert
+        @domains.each do |domain|
+          @cert.add_extension(ef.create_extension('subjectAltName',
+                                                  "DNS:#{domain}",
+                                                  false))
+        end
+        @cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+      end
+      let(:certificate) { Certificate.new(@cert) }
+      it 'checks whether a certificate is valid given a minimum valid duration' do
+        expect(certificate.valid?(@domains)).to be(true)
+        expect(certificate.valid?(@domains, 19)).to be(true)
+        expect(certificate.valid?(@domains, 21 * 24 * 3600)).to be(false)
+      end
+      it 'raises whether a certificate does not validate a given domain' do
+        expect(certificate.valid?(@domains)).to be(true)
+        expect(certificate.valid?(@domains[0, 1])).to be(true)
+        domains = @domains + %w(another.tld)
+        expect { certificate.valid?(domains) }.to raise_error(LetsCert::Error)
+        expect { certificate.valid?(%w(another.tld)) }.to raise_error(LetsCert::Error)
+      end
+    end
+  end
+end

data/spec/certificate_spec.rb~ ADDED Viewed

@@ -0,0 +1,8 @@
+require_relative 'spec_helper'
+module LetsCert
+  describe Certificate do
+  end
+end

data/tasks/gem.rake CHANGED Viewed

@@ -21,11 +21,13 @@ EOF
   s.files = files
   s.executables = ['letscert']
+  s.required_ruby_version = '>= 2.1.0'
   s.add_dependency 'acme-client', '~>0.3.0'
   s.add_dependency 'json-jwt', '~>1.5'
-  s.add_dependency 'yard', '~>0.8'
-  #s.add_development_dependency 'rspec', '~>3.4'
+  s.add_development_dependency 'rspec', '~>3.4'
+  s.add_development_dependency 'yard', '~>0.8'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: letscert
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Sylvain Daubert
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-02-14 00:00:00.000000000 Z
+date: 2016-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -45,7 +59,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -73,6 +87,8 @@ files:
 - spec/account_key.json
 - spec/cert.der
 - spec/cert.pem
+- spec/certificate_spec.rb
+- spec/certificate_spec.rb~
 - spec/chain.pem
 - spec/fullchain.pem
 - spec/io_plugin_spec.rb
@@ -96,7 +112,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="