letscert 0.5.0 → 0.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.md +4 -1
- data/letscert.gemspec +1 -1
- data/lib/letscert/certificate.rb +28 -7
- data/lib/letscert/runner.rb +25 -2
- data/lib/letscert/version.rb +1 -1
- metadata +4 -4
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 510c269bc1fe51684e676d4b566f03535f5d8a58
|
|
4
|
+
data.tar.gz: 241b3100db0e5bf7682273adceed0a6ed164bb4a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f14a0d228cd125277d4c55df41417e62d761492496b5cd02bc43a2c333f8c47329206c39a1bd579030059601da6c40c0aac8701f2b148642c766c90e8e18bedc
|
|
7
|
+
data.tar.gz: be1d7083454b4e65580e6de083e020ee7705ac59a652fe6c44cea85f5ab3195a634576597bcd0ddc28825848c3c1816b703e3f25ab6643addd3811567a387051
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
data/README.md
CHANGED
|
@@ -26,8 +26,11 @@ letscert -d example.org:/var/www/example.org/html --email my.name@example.org \
|
|
|
26
26
|
-f account_key.json -f key.pem -f cert.pem -f chain.pem
|
|
27
27
|
```
|
|
28
28
|
|
|
29
|
-
|
|
29
|
+
Theses commands generate RSA certificates, using a RSA account key. To generate ECDSA
|
|
30
|
+
keys and certificates, use `--cert-ecdsa CURVE` (CURVE: `prime256v1` or `sec384r1`)
|
|
31
|
+
and/or `--account-key-type ecdsa` options.
|
|
30
32
|
|
|
33
|
+
Commands are the sames for certificate renewal.
|
|
31
34
|
|
|
32
35
|
## Generate a key pair and get a signed certificate for multi-domains:
|
|
33
36
|
Generate a single certificate for `example.org` and `www.example.org`:
|
data/letscert.gemspec
CHANGED
data/lib/letscert/certificate.rb
CHANGED
|
@@ -50,7 +50,7 @@ module LetsCert
|
|
|
50
50
|
# @param [OpenSSL::PKey::PKey,nil] account_key private key to
|
|
51
51
|
# authenticate to ACME server
|
|
52
52
|
# @param [OpenSSL::PKey::PKey, nil] key private key from which make a
|
|
53
|
-
# certificate. If +nil+, generate a new one with +options[:
|
|
53
|
+
# certificate. If +nil+, generate a new one with +options[:cert_key_size]+
|
|
54
54
|
# bits.
|
|
55
55
|
# @param [Hash] options option hash
|
|
56
56
|
# @option options [Fixnum] :account_key_size ACME account private key size
|
|
@@ -72,6 +72,9 @@ module LetsCert
|
|
|
72
72
|
check_roots(options[:roots])
|
|
73
73
|
logger.debug { "webroots are: #{options[:roots].inspect}" }
|
|
74
74
|
|
|
75
|
+
account_key = get_account_key(account_key, options[:account_key_type],
|
|
76
|
+
options[:account_key_size])
|
|
77
|
+
|
|
75
78
|
client = get_acme_client(account_key, options)
|
|
76
79
|
|
|
77
80
|
do_challenges client, options[:roots]
|
|
@@ -88,7 +91,7 @@ module LetsCert
|
|
|
88
91
|
|
|
89
92
|
options[:files] ||= []
|
|
90
93
|
options[:files].each do |plugname|
|
|
91
|
-
IOPlugin.registered[plugname].save(account_key:
|
|
94
|
+
IOPlugin.registered[plugname].save(account_key: account_key,
|
|
92
95
|
key: pkey, cert: @cert,
|
|
93
96
|
chain: @chain)
|
|
94
97
|
end
|
|
@@ -157,10 +160,8 @@ module LetsCert
|
|
|
157
160
|
def get_acme_client(account_key, options)
|
|
158
161
|
return @client if @client
|
|
159
162
|
|
|
160
|
-
key = get_account_key(account_key, options[:account_key_size])
|
|
161
|
-
|
|
162
163
|
logger.debug { "connect to #{options[:server]}" }
|
|
163
|
-
@client = Acme::Client.new(private_key:
|
|
164
|
+
@client = Acme::Client.new(private_key: account_key, endpoint: options[:server])
|
|
164
165
|
|
|
165
166
|
yield @client if block_given?
|
|
166
167
|
|
|
@@ -212,12 +213,28 @@ module LetsCert
|
|
|
212
213
|
|
|
213
214
|
# Generate a new account key if no one is given in +data+
|
|
214
215
|
# @param [OpenSSL::PKey,nil] key
|
|
216
|
+
# @param [String] key_type +'rsa'+ or +'ecdsa'+
|
|
215
217
|
# @param [Integer] key_size
|
|
216
218
|
# @return [OpenSSL::PKey::PKey]
|
|
217
|
-
def get_account_key(key, key_size)
|
|
219
|
+
def get_account_key(key, key_type, key_size)
|
|
218
220
|
if key.nil?
|
|
219
221
|
logger.info { 'No account key. Generate a new one...' }
|
|
220
|
-
|
|
222
|
+
case key_type
|
|
223
|
+
when 'rsa'
|
|
224
|
+
OpenSSL::PKey::RSA.new key_size
|
|
225
|
+
when 'ecdsa'
|
|
226
|
+
curve = case key_size
|
|
227
|
+
when 256
|
|
228
|
+
'prime256v1'
|
|
229
|
+
when 384
|
|
230
|
+
'secp384r1'
|
|
231
|
+
else
|
|
232
|
+
raise Error, 'ECDSA account key size: only 256 or 384 bits'
|
|
233
|
+
end
|
|
234
|
+
generate_ecdsa_key curve
|
|
235
|
+
else
|
|
236
|
+
raise Error, "unsupported '#{key_type}' account key type"
|
|
237
|
+
end
|
|
221
238
|
else
|
|
222
239
|
key
|
|
223
240
|
end
|
|
@@ -313,8 +330,10 @@ module LetsCert
|
|
|
313
330
|
end
|
|
314
331
|
|
|
315
332
|
if options[:cert_ecdsa]
|
|
333
|
+
logger.debug { "generate a #{options[:cert_ecdsa]}-bit ECDSA private key" }
|
|
316
334
|
generate_ecdsa_key options[:cert_ecdsa]
|
|
317
335
|
else
|
|
336
|
+
logger.debug { "generate a #{options[:cert_rsa]}-bit RSA private key" }
|
|
318
337
|
OpenSSL::PKey::RSA.generate options[:cert_rsa]
|
|
319
338
|
end
|
|
320
339
|
end
|
|
@@ -351,8 +370,10 @@ module LetsCert
|
|
|
351
370
|
# @param [OpenSSL::PKey::PKey] pkey private key to use
|
|
352
371
|
# @return [OpenSSL::PKey::PKey] +pkey+
|
|
353
372
|
def generate_certificate_from_pkey(domains, pkey)
|
|
373
|
+
logger.debug { 'generate certificate request' }
|
|
354
374
|
csr = Acme::Client::CertificateRequest.new(names: domains,
|
|
355
375
|
private_key: pkey)
|
|
376
|
+
logger.debug { 'requesting certificate...' }
|
|
356
377
|
acme_cert = client.new_certificate(csr)
|
|
357
378
|
@cert = acme_cert.x509
|
|
358
379
|
@chain = acme_cert.x509_chain
|
data/lib/letscert/runner.rb
CHANGED
|
@@ -45,6 +45,12 @@ module LetsCert
|
|
|
45
45
|
# Default key size for RSA certificates
|
|
46
46
|
RSA_DEFAULT_KEY_SIZE = 2048
|
|
47
47
|
|
|
48
|
+
# Default account key size for RSA type
|
|
49
|
+
RSA_DEFAULT_ACCOUNT_KEY_SIZE = 4096
|
|
50
|
+
|
|
51
|
+
# Default account key size for ECDSA type
|
|
52
|
+
ECDSA_DEFAULT_ACCOUNT_KEY_SIZE = 384
|
|
53
|
+
|
|
48
54
|
# Get options
|
|
49
55
|
# @return [Hash]
|
|
50
56
|
attr_reader :options
|
|
@@ -66,7 +72,7 @@ module LetsCert
|
|
|
66
72
|
domains: [],
|
|
67
73
|
files: [],
|
|
68
74
|
valid_min: ValidTime.new('30d'),
|
|
69
|
-
|
|
75
|
+
account_key_type: 'rsa',
|
|
70
76
|
tos_sha256: '33d233c8ab558ba6c8ebc370a509acdded8b80e5d587aa5d192193f3' \
|
|
71
77
|
'5226540f',
|
|
72
78
|
server: 'https://acme-v01.api.letsencrypt.org/directory'
|
|
@@ -188,9 +194,16 @@ module LetsCert
|
|
|
188
194
|
' specified by --server')
|
|
189
195
|
opts.separator('')
|
|
190
196
|
|
|
197
|
+
opts.on('--account-key-type TYPE', %w(rsa ecdsa),
|
|
198
|
+
'Account key type: rsa or ecdsa',
|
|
199
|
+
'(Defaul: rsa)') do |type|
|
|
200
|
+
@options[:account_key_type] = type
|
|
201
|
+
end
|
|
202
|
+
|
|
191
203
|
opts.on('--account-key-size BITS', Integer,
|
|
192
204
|
'Account key size (default: ' \
|
|
193
|
-
"#{
|
|
205
|
+
"#{RSA_DEFAULT_ACCOUNT_KEY_SIZE} (RSA) or ",
|
|
206
|
+
"#{ECDSA_DEFAULT_ACCOUNT_KEY_SIZE} (ECDSA))") do |bits|
|
|
194
207
|
@options[:account_key_size] = bits
|
|
195
208
|
end
|
|
196
209
|
|
|
@@ -221,6 +234,7 @@ module LetsCert
|
|
|
221
234
|
@opt_parser.parse!
|
|
222
235
|
compute_roots
|
|
223
236
|
select_default_cert_type_if_none_specified
|
|
237
|
+
select_default_account_key_size_if_none_specified
|
|
224
238
|
end
|
|
225
239
|
|
|
226
240
|
# Check all components are covered by plugins
|
|
@@ -374,6 +388,15 @@ module LetsCert
|
|
|
374
388
|
end
|
|
375
389
|
end
|
|
376
390
|
|
|
391
|
+
def select_default_account_key_size_if_none_specified
|
|
392
|
+
case @options[:account_key_type]
|
|
393
|
+
when 'rsa'
|
|
394
|
+
@options[:account_key_size] ||= RSA_DEFAULT_ACCOUNT_KEY_SIZE
|
|
395
|
+
when 'ecdsa'
|
|
396
|
+
@options[:account_key_size] ||= ECDSA_DEFAULT_ACCOUNT_KEY_SIZE
|
|
397
|
+
end
|
|
398
|
+
end
|
|
399
|
+
|
|
377
400
|
def persisted_data
|
|
378
401
|
persisted = IOPlugin.empty_data
|
|
379
402
|
@options[:files].each do |file|
|
data/lib/letscert/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: letscert
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sylvain Daubert
|
|
@@ -31,7 +31,7 @@ cert_chain:
|
|
|
31
31
|
dMi8WSKt03lfzyxIqZseBwVYYn+XMlzCcJLXCUgZXHcBRRRDH5wGDqOqXjL25b2O
|
|
32
32
|
6m3JJngqkCFrOw==
|
|
33
33
|
-----END CERTIFICATE-----
|
|
34
|
-
date: 2017-
|
|
34
|
+
date: 2017-06-03 00:00:00.000000000 Z
|
|
35
35
|
dependencies:
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: acme-client
|
|
@@ -39,14 +39,14 @@ dependencies:
|
|
|
39
39
|
requirements:
|
|
40
40
|
- - "~>"
|
|
41
41
|
- !ruby/object:Gem::Version
|
|
42
|
-
version: 0.
|
|
42
|
+
version: 0.6.1
|
|
43
43
|
type: :runtime
|
|
44
44
|
prerelease: false
|
|
45
45
|
version_requirements: !ruby/object:Gem::Requirement
|
|
46
46
|
requirements:
|
|
47
47
|
- - "~>"
|
|
48
48
|
- !ruby/object:Gem::Version
|
|
49
|
-
version: 0.
|
|
49
|
+
version: 0.6.1
|
|
50
50
|
- !ruby/object:Gem::Dependency
|
|
51
51
|
name: bundler
|
|
52
52
|
requirement: !ruby/object:Gem::Requirement
|
metadata.gz.sig
CHANGED
|
Binary file
|