letscert 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ecc722b11b425c139e92b66d7436be0b818d0d03
-  data.tar.gz: 10b112ecdefce5e90e0c5cf8f99cd8bef961c2c0
+  metadata.gz: 2aaf92c6fdc9f696efb73eae2d3a86577b2dd37e
+  data.tar.gz: ec9885ad548b9ff43a645a2990eff2969326d646
 SHA512:
-  metadata.gz: 32d5b6a6cfe0fd937506fc60791c793cac8024ab13a04531fc4a4bc56529074131d27f80c642f2d9e68a6026f3081b3d5578c0c2d1343f8a07e7b5acc1eb484c
-  data.tar.gz: a2c004cd721d85ce5aec4afe22325eaf9cfd5f70fd173f029bd443826e7cf1361d341ef9db105a69afb91cf6ceca8da37539bdb32e382a629865612101fccbaf
+  metadata.gz: 298d19dda74b12aa3b44d67d80ecbf74f26ed9d68609eb8efe6b82caa5fa7f34e3a48460949350b80c0d4abee890d6b13f0fdf32a89445d4cd25cdbe55c79379
+  data.tar.gz: f2e907cb8c7da052030e5b743419839f45623a2c612e45f0d2e5e042e5ffd2f32480711d15de6bcce09a1717aae1026b30ea1a96ca431b3da307b35621c24e31

data/README.md

@@ -61,7 +61,7 @@ letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld --r
 * Renew certificate only if needed.
 * Only `http-01` challenge supported. An existing web server must be alreay running.
   `letscert` should have write access to `${webroot}/.well-known/acme-challenge`.
-* Crontab friendly: no promts.
+* Crontab friendly: no prompts.
 * No configuration file.
 * Support multiple domains with multiple roots. Always create a single certificate per
   run (ie a certificate may have multiple SANs).

data/lib/letscert/certificate.rb

@@ -56,6 +56,7 @@ module LetsCert
     # @option options [Hash] :roots hash associating domains as keys to web roots as
     #    values
     # @option options [String] :server ACME servel URL
+    # @return [void]
     def get(account_key, key, options)
       logger.info {"create key/cert/chain..." }
       check_roots(options[:roots])
@@ -85,8 +86,12 @@ module LetsCert
 
     # Revoke certificate
     # @param [OpenSSL::PKey::PKey] account_key
+    # @param [Hash] options
+    # @option options [Fixnum] :account_key_size ACME account private key size in bits
+    # @option options [String] :email e-mail used as ACME account
+    # @option options [String] :server ACME servel URL
     # @return [Boolean]
-    def revoke(account_key, options)
+    def revoke(account_key, options={})
       if @cert.nil?
         raise Error, 'no certification data to revoke'
       end
@@ -135,27 +140,12 @@ module LetsCert
       !renewal_necessary?(valid_min)
     end
 
-
-    private
-
-    # check webroots.
-    # @param [Hash] roots
-    # @raise [Error] if some domains have no defined root.
-    def check_roots(roots)
-      no_roots = roots.select { |k,v| v.nil? }
-
-      if !no_roots.empty?
-        raise Error, 'root for the following domain(s) are not specified: ' +
-                     no_roots.keys.join(', ') + ".\nTry --default_root or use " +
-                     '-d example.com:/var/www/html syntax.'
-      end
-    end
-
     # Get ACME client.
     #
     # Client is only created on first call, then it is cached.
     # @param [Hash] account_key
     # @param [Hash] options
+    # @return [Acme::Client]
     def get_acme_client(account_key, options)
       return @client if @client
 
@@ -164,6 +154,8 @@ module LetsCert
       logger.debug { "connect to #{options[:server]}" }
       @client = Acme::Client.new(private_key: key, endpoint: options[:server])
 
+      yield @client if block_given?
+
       if options[:email].nil?
         logger.warn { '--email was not provided. ACME CA will have no way to ' +
                        'contact you!' }
@@ -197,9 +189,26 @@ module LetsCert
       @client
     end
 
+
+    private
+
+    # check webroots.
+    # @param [Hash] roots
+    # @raise [Error] if some domains have no defined root.
+    def check_roots(roots)
+      no_roots = roots.select { |k,v| v.nil? }
+
+      if !no_roots.empty?
+        raise Error, 'root for the following domain(s) are not specified: ' +
+                     no_roots.keys.join(', ') + ".\nTry --default_root or use " +
+                     '-d example.com:/var/www/html syntax.'
+      end
+    end
+
     # Generate a new account key if no one is given in +data+
     # @param [OpenSSL::PKey,nil] key
-    # @param [Hash] options
+    # @param [Integer] key_size
+    # @return [OpenSSL::PKey::PKey]
     def get_account_key(key, key_size)
       if key.nil?
         logger.info { 'No account key. Generate a new one...' }
@@ -260,8 +269,7 @@ module LetsCert
       end
     end
 
-    # Check if a renewal is necessary for +cert+
-    # @param [OpenSSL::X509::Certificate] cert
+    # Check if a renewal is necessary
     # @param [Number] valid_min minimum validity in seconds to ensure
     # @return [Boolean]
     def renewal_necessary?(valid_min)

data/lib/letscert/io_plugin.rb

@@ -19,7 +19,7 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
-require 'json/jwt'
+require 'base64'
 require_relative 'loggable'
 
 module LetsCert
@@ -86,7 +86,7 @@ module LetsCert
   # @author Sylvain Daubert
   module FileIOPluginMixin
 
-    # Load data from file named {#name}
+    # Load data from file named +#name+
     # @return [Hash]
     def load
       logger.debug { "Loading #@name" }
@@ -110,7 +110,7 @@ module LetsCert
       raise NotImplementedError
     end
 
-    # Save data to file {#name}
+    # Save data to file +#name+
     # @param [Hash] data
     # @return [void]
     def save_to_file(data)
@@ -134,20 +134,62 @@ module LetsCert
   # @author Sylvain Daubert
   module JWKIOPluginMixin
 
+    # Encode string +data+ to base64
+    # @param [String] data
+    # @return [String]
+    def urlsafe_encode64(data)
+      Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
+    end
+
+    # Decode base64 string +data+
+    # @param [String] data
+    # @return [String]
+    def urlsafe_decode64(data)
+      Base64.urlsafe_decode64(data.sub(/[\s=]*\z/, ''))
+    end
+
     # Load crypto data from JSON-encoded file
     # @param [String] data JSON-encoded data
-    # @return [Hash]
+    # @return [OpenSSL::PKey::PKey]
     def load_jwk(data)
       return nil if data.empty?
 
-      JSON::JWK.new(JSON.parse(data)).to_key
+      h = JSON.parse(data)
+      case h['kty']
+      when 'RSA'
+        pkey = OpenSSL::PKey::RSA.new
+        %w(e n d p q).collect do |key|
+          next if h[key].nil?
+          value = OpenSSL::BN.new(urlsafe_decode64(h[key]), 2)
+          pkey.send "#{key}=".to_sym, value
+        end
+      else
+        raise Error, "unknown account key type '#{k['kty']}'"
+      end
+
+      pkey
     end
 
     # Dump crypto data (key) to a JSON-encoded string
     # @param [OpenSSL::PKey] key
     # @return [String]
     def dump_jwk(key)
-      key.to_jwk.to_json
+      return {}.to_json if key.nil?
+
+      h = { 'kty' => 'RSA' }
+      case key
+      when OpenSSL::PKey::RSA
+        h['e'] = urlsafe_encode64(key.e.to_s(2)) if key.e
+        h['n'] = urlsafe_encode64(key.n.to_s(2)) if key.n
+        if key.private?
+          h['d'] = urlsafe_encode64(key.d.to_s(2))
+          h['p'] = urlsafe_encode64(key.p.to_s(2))
+          h['q'] = urlsafe_encode64(key.q.to_s(2))
+        end
+      else
+        raise Error, "only RSA keys are supported"
+      end
+      h.to_json
     end
   end
 

data/lib/letscert/runner.rb

@@ -203,8 +203,10 @@ module LetsCert
         end
 
       rescue Error, Acme::Client::Error => ex
-        @logger.error ex.message
-        puts "Error: #{ex.message}"
+        msg = ex.message
+        msg = "[Acme] #{msg}" if ex.is_a?(Acme::Client::Error)
+        @logger.error msg
+        puts "Error: #{msg}"
         RETURN_ERROR
       end
     end

data/lib/letscert.rb

@@ -24,7 +24,7 @@
 module LetsCert
 
   # Letscert version number
-  VERSION = '0.3.1'
+  VERSION = '0.4.0'
 
 
   # Base error class

data/spec/certificate_spec.rb

@@ -44,9 +44,11 @@ module LetsCert
         ARGV << '-d' << 'example.com:/var/ww/html'
         ARGV << '--server' << 'https://acme-staging.api.letsencrypt.org/directory'
         runner.parse_options
-        # raise error because no e-mail address was given
-        expect { certificate.get(nil, nil, runner.options) }.
-          to raise_error(Acme::Client::Error)
+        VCR.use_cassette('single-domain') do
+          # raise error because no e-mail address was given
+          expect { certificate.get(nil, nil, runner.options) }.
+            to raise_error(Acme::Client::Error)
+        end
 
         ARGV.clear
         ARGV << '-d' << 'example.com:/var/www/html'
@@ -64,9 +66,11 @@ module LetsCert
         ARGV << '--default-root' << '/opt/www'
         ARGV << '--server' << 'https://acme-staging.api.letsencrypt.org/directory'
         runner.parse_options
-        # raise error because no e-mail address was given
-        expect { certificate.get(nil, nil, runner.options) }.
-          to raise_error(Acme::Client::Error)
+        VCR.use_cassette('default-root') do
+          # raise error because no e-mail address was given
+          expect { certificate.get(nil, nil, runner.options) }.
+            to raise_error(Acme::Client::Error)
+        end
         expect(runner.options[:roots]['example.com']).to eq('/var/www/html')
         expect(runner.options[:roots]['www.example.com']).to eq('/opt/www')
       end
@@ -74,9 +78,11 @@ module LetsCert
       it 'uses existing account key' do
         options = { roots: { 'example.com' => '/var/www/html' } }
 
-        # Connection error: no server to connect to
-        expect { certificate.get(@account_key2048, nil, options) }.
-          to raise_error(Faraday::ConnectionFailed)
+        VCR.use_cassette('no-server') do
+          # Connection error: no server to connect to
+          expect { certificate.get(@account_key2048, nil, options) }.
+            to raise_error(Faraday::ConnectionFailed)
+        end
         expect(certificate.client.private_key).to eq(@account_key2048)
       end
 
@@ -86,9 +92,11 @@ module LetsCert
           account_key_size: 128,
         }
 
-        # Connection error: no server to connect to
-        expect { certificate.get(nil, nil, options) }.
-          to raise_error(Faraday::ConnectionFailed)
+        VCR.use_cassette('no-server') do
+          # Connection error: no server to connect to
+          expect { certificate.get(nil, nil, options) }.
+            to raise_error(Faraday::ConnectionFailed)
+        end
         expect(certificate.client.private_key).to be_a(OpenSSL::PKey::RSA)
       end
 
@@ -98,9 +106,11 @@ module LetsCert
           server: 'https://acme-staging.api.letsencrypt.org/directory',
         }
 
-        # Acme error: not valid e-mail address
-        expect { certificate.get(@account_key2048, nil, options) }.
-          to raise_error(Acme::Client::Error)
+        VCR.use_cassette('create-acme-client') do
+          # Acme error: not valid e-mail address
+          expect { certificate.get(@account_key2048, nil, options) }.
+            to raise_error(Acme::Client::Error)
+        end
         expect(certificate.client.private_key).to eq(@account_key2048)
         expect(certificate.client.instance_eval { @endpoint }).to eq(options[:server])
       end
@@ -111,12 +121,44 @@ module LetsCert
           server: 'https://acme-staging.api.letsencrypt.org/directory',
         }
 
-        # Acme error: not valid e-mail address
-        expect { certificate.get(@account_key2048, nil, options) }.
-          to raise_error(Acme::Client::Error).
-              with_message('not a valid e-mail address')
+        VCR.use_cassette('create-acme-client-but-bad-email') do
+          # Acme error: not valid e-mail address
+          expect { certificate.get(@account_key2048, nil, options) }.
+            to raise_error(Acme::Client::Error).
+                with_message('not a valid e-mail address')
+        end
+      end
+
+      it 'responds to HTTP-01 challenge'
+
+      it 'raises if HTTP-01 challenge is unavailable' do
+        options = {
+          roots: { 'example.com' => '/var/www/html' },
+          server: 'https://acme-staging.api.letsencrypt.org/directory',
+          email: 'test@example.org',
+        }
+
+        VCR.use_cassette('no-http-01-challenge') do
+          certificate.get_acme_client(@account_key2048, options) do |client|
+            client.connection.builder.insert 0, RemoveHttp01Middleware
+          end
+          expect { certificate.get(@account_key2048, nil, options) }.
+            to raise_error(LetsCert::Error).with_message(/not offer http-01/)
+        end
+      end
+
+      it 'reuses existing private key if --reuse-key is present'
+
+    end
+
+    context '#revoke' do
+      it 'raises if no certificate is given' do
+        certificate = Certificate.new(nil)
+        expect { certificate.revoke(@account_key2048) }.
+          to raise_error(LetsCert::Error)
       end
 
+      it 'revokes an existing certificate'
     end
 
     context '#valid?' do

data/spec/spec_helper.rb

@@ -1,2 +1,28 @@
 $:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
 require 'letscert'
+
+require 'vcr'
+require 'faraday'
+
+VCR.configure do |config|
+  config.cassette_library_dir = "fixtures/vcr_cassettes"
+  config.hook_into :faraday
+end
+
+
+# Faraday Middleware to remove HTTP-01 challenge
+class RemoveHttp01Middleware < Faraday::Middleware
+  def call(request_env)
+    @app.call(request_env).on_complete do |response_env|
+      body = response_env.response.body
+      if body['challenges'] and !body['challenges'].empty?
+        body['challenges'].each_with_index do |challenge, index|
+          if challenge['type'] == 'http-01'
+            body['challenges'].delete_at(index)
+            break
+          end
+        end
+      end
+    end
+  end
+end

data/tasks/gem.rake

@@ -23,10 +23,12 @@ EOF
 
   s.required_ruby_version = '>= 2.1.0'
 
-  s.add_dependency 'acme-client', '~>0.3.0'
-  s.add_dependency 'json-jwt', '~>1.5'
+  s.add_dependency 'acme-client', '~>0.4.0'
+  s.add_dependency 'json', '~>1.8.3'
 
   s.add_development_dependency 'rspec', '~>3.4'
+  s.add_development_dependency 'vcr', '~>3.0'
+  s.add_development_dependency 'faraday', '~>0.9'
   s.add_development_dependency 'yard', '~>0.8'
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: letscert
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Sylvain Daubert
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-22 00:00:00.000000000 Z
+date: 2016-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
-  name: json-jwt
+  name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.8.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.8.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -88,7 +116,6 @@ files:
 - spec/cert.der
 - spec/cert.pem
 - spec/certificate_spec.rb
-- spec/certificate_spec.rb~
 - spec/chain.pem
 - spec/fullchain.pem
 - spec/io_plugin_spec.rb
@@ -96,7 +123,6 @@ files:
 - spec/key.pem
 - spec/loggable_spec.rb
 - spec/runner_spec.rb
-- spec/runner_spec.rb~
 - spec/spec_helper.rb
 - spec/test.json
 - tasks/gem.rake
@@ -122,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: letscert, a simple Let's Encrypt client

data/spec/certificate_spec.rb~

@@ -1,8 +0,0 @@
-require_relative 'spec_helper'
-
-module LetsCert
-
-  describe Certificate do
-  end
-
-end

data/spec/runner_spec.rb~

@@ -1,8 +0,0 @@
-require_relative 'spec_helper'
-
-module LetsCert
-
-  describe Runner do
-  end
-
-end