letsencrypt-cli 0.1.0.beta1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 101dcc9fbc8cd59d85926f5fc726c13393306292
+  data.tar.gz: b829a1224e1b3f9ae59d656034cf791f958c978b
+SHA512:
+  metadata.gz: c267226d7a856b80b6b8979acba3682687444546cdd2fe9adfc08990ad88ba1800ed48360f9148ea6fd2537d3dd6d8374a32018f8e40caa6250f51268ba05c5d
+  data.tar.gz: eab63e043424e82abc9e95d639deb339bd61a693983c6cbee4a6e925517b2f2b3d1ec4f0055131d81e2047fe6bdb7cf0c20cffbb1f3cc8a38df51e8f575da278

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.pem

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,16 @@
+language: ruby
+sudo: false
+cache: bundler
+
+rvm:
+  - 2.2
+  - 2.1
+  # - 2.0
+
+# before_script:
+#   - "bundle exec rake db:schema:load RAILS_ENV=test"
+
+script:
+  - bundle exec rspec
+  # - ./exe/letsencrypt-cli
+

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in letsencrypt-cli.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 TODO: Write your name
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,87 @@
+# Letsencrypt::Cli
+
+[![Build Status](https://travis-ci.org/zealot128/ruby-letsencrypt-cli.svg?branch=travis)](https://travis-ci.org/zealot128/ruby-letsencrypt-cli)
+[![Gem Version](https://badge.fury.io/rb/letsencrypt-cli.svg)](https://badge.fury.io/rb/letsencrypt-cli)
+
+Yet another Letsencrypt client using Ruby.
+
+## Installation
+
+* This tool needs Ruby > 2.0 (as the dependency acme needs that).
+* openssl bindings
+* no sudo! (Just access to webserver root .well-known alias)
+
+    $ gem install letsencrypt-cli
+
+## Usage
+
+Specify ``-t`` to use Letsencrypt test server. Without it, all requests are called against the production server, that might have same more strict rate limiting. If you are just toying around, add the -t flag.
+
+```bash
+# show all commands
+
+letsencrypt-cli help
+
+# show options for an individual command
+letsencrypt-cli help cert
+
+# creates account_key.json in current_dir
+letsencrypt-cli register -t myemail@example.com
+
+
+# authorize one or more domains/subdomains
+letsencrypt-cli authorize -t --webroot-path /var/www/default example.com www.example.com somedir.example.com
+
+# experimental: authorize all server_names in /etc/nginx/sites-enabled/*
+letsencrypt-cli authorize_all -t --webroot-path /var/www/default
+
+
+# create a certificate for before authorized domains.
+# the first domain will be the cn subject. All other are subjectAlternateName
+letsencrypt-cli cert -t example.com www.example.com somdir.example.com
+# will create key.pem fullchain.pem chain.pem and cert.pem
+```
+
+
+## Example integration nginx:
+
+
+```nginx
+server {
+  listen 80;
+  server_name example.com www.example.com somedir.example.com
+  location /.well-known/acme-challenge {
+	  alias /home/letsencrypt/webroot/.well-known/acme-challenge;
+	  default_type "text/plain";
+	  try_files $uri =404;
+  }
+```
+
+notice the location - alias. Use this dir with ``--webroot-path`` for authorization.
+
+Afterwards, use the fullchain.pem and key.pem:
+
+```nginx
+server {
+  listen 443 ssl;
+  server_name stefanwienert.de www.stefanwienert.de;
+  ssl on;
+  ssl_certificate_key /path/to/key.pem;
+  ssl_certificate /path/to/fullchain.pem;
+
+  # use the settings from: https://gist.github.com/konklone/6532544
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+1. Fork it ( https://github.com/zealot128/letsencrypt-cli/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "letsencrypt/cli"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/letsencrypt-cli

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "letsencrypt-cli"
+
+Letsencrypt::Cli::App.start

data/letsencrypt-cli.gemspec

@@ -0,0 +1,34 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'letsencrypt/cli/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "letsencrypt-cli"
+  spec.version       = Letsencrypt::Cli::VERSION
+  spec.authors       = ["Stefan Wienert"]
+  spec.email         = ["stwienert@gmail.com"]
+
+  spec.summary       = %q{slim letsencrypt client for quickly authorizing (multiple) domains and issuing certificates}
+  spec.homepage      = "https://github.com/zealot28/letsencrypt-cli"
+  spec.license       = "MIT"
+  spec.required_ruby_version = '>= 2.0.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'acme-client'
+  spec.add_runtime_dependency 'thor'
+  spec.add_runtime_dependency 'colorize'
+
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'vcr', "~> 3.0"
+  spec.add_development_dependency 'webmock', "~> 1.22"
+  spec.add_development_dependency 'timecop', "~> 0.8"
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/lib/letsencrypt-cli.rb

@@ -0,0 +1 @@
+require 'letsencrypt/cli'

data/lib/letsencrypt/cli.rb

@@ -0,0 +1,10 @@
+require "letsencrypt/cli/version"
+require "letsencrypt/cli/acme_wrapper"
+require "letsencrypt/cli/app"
+
+
+module Letsencrypt
+  module Cli
+    # Your code goes here...
+  end
+end

data/lib/letsencrypt/cli/acme_wrapper.rb

@@ -0,0 +1,131 @@
+require 'json'
+require 'acme-client'
+require 'pry'
+
+class AcmeWrapper
+  def initialize(options)
+    @options = options
+    if !@options[:color]
+      String.disable_colorization = true
+    end
+  end
+
+  def log(message, severity=:info)
+    @logger ||= Logger.new(STDOUT).tap {|logger|
+      logger.level = Logger::SEV_LABEL.index(@options[:log_level].upcase)
+      logger.formatter = proc do |sev, datetime, progname, msg|
+        "#{datetime.to_s.light_black}: #{msg}\n"
+      end
+    }
+    @logger.send(severity, message)
+  end
+
+  def client
+    @client ||= Acme::Client.new(private_key: account_key, endpoint: endpoint)
+  end
+
+  def authorize(domain)
+    FileUtils.mkdir_p(@options[:webroot_path])
+    log "Authorizing #{domain.blue}.."
+    authorization = client.authorize(domain: domain)
+
+    challenge = authorization.http01
+
+    challenge_file = File.join(@options[:webroot_path], challenge.filename.split('/').last)
+    log "Writing challenge to #{challenge_file}", :debug
+    File.write(challenge_file, challenge.file_content)
+
+    challenge.request_verification
+
+    5.times do
+      log "Checking verification...", :debug
+      sleep 1
+      break if challenge.verify_status != 'pending'
+    end
+    if challenge.verify_status == 'valid'
+      log "Authorization successful for #{domain.green}"
+      File.unlink(challenge_file)
+      true
+    else
+      log "Authorization error for #{domain.red}", :error
+      log challenge.error['detail']
+      false
+    end
+  end
+
+  def cert(domains)
+    return if certificate_exists_and_valid?
+    csr = OpenSSL::X509::Request.new
+    certificate_private_key = find_or_create_pkey(@options[:private_key_path], "private key", @options[:key_length] || 2048)
+
+    csr.subject = OpenSSL::X509::Name.new([
+      # ['C',             options[:country], OpenSSL::ASN1::PRINTABLESTRING],
+      # ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
+      # ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
+      # ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
+      # ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
+      # ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
+      # ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
+      ['CN', domains.first, OpenSSL::ASN1::UTF8STRING]
+    ])
+    if domains.count > 1
+      ef = OpenSSL::X509::ExtensionFactory.new
+      exts = [ ef.create_extension( "subjectAltName", domains.map{|domain| "DNS:#{domain}"}.join(','), false  ) ]
+      attrval = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+      attrs = [
+        OpenSSL::X509::Attribute.new('extReq', attrval),
+        OpenSSL::X509::Attribute.new('msExtReq', attrval),
+      ]
+      attrs.each do |attr|
+        csr.add_attribute(attr)
+      end
+    end
+    csr.public_key = certificate_private_key.public_key
+    csr.sign(certificate_private_key, OpenSSL::Digest::SHA256.new)
+    certificate = client.new_certificate(csr)
+    File.write(@options[:fullchain_path], certificate.fullchain_to_pem)
+    File.write(@options[:chain_path], certificate.chain_to_pem)
+    File.write(@options[:certificate_path], certificate.to_pem)
+    log "Certificate successfully created to #{@options[:fullchain_path]} #{@options[:chain_path]} and #{@options[:certificate_path]}!".green
+    log "Certificate valid until: #{certificate.x509.not_after}"
+  end
+
+  private
+
+  def certificate_exists_and_valid?
+    if File.exists?(@options[:certificate_path])
+      cert = OpenSSL::X509::Certificate.new(File.read(@options[:certificate_path]))
+      renew_on = cert.not_after.to_date - @options[:days_valid]
+      if renew_on > Date.today
+        log "Certificate '#{@options[:certificate_path]}' still valid till #{cert.not_after.to_date}.", :warn
+        log "Won't renew until #{renew_on} (#{@options[:days_valid]} days before)", :warn
+        exit 1
+      end
+    end
+  end
+
+  def endpoint
+    if @options[:test]
+      "https://acme-staging.api.letsencrypt.org"
+    else
+      ""
+    end
+  end
+
+
+  def account_key
+    @account_key ||= find_or_create_pkey(@options[:account_key], "account key", @options[:key_length] || 4096)
+  end
+
+  def find_or_create_pkey(file_path, name, length)
+    if File.exists?(file_path)
+      log "existing account key found"
+      OpenSSL::PKey::RSA.new File.read file_path
+    else
+      log "creating new private key to #{file_path}..."
+      private_key = OpenSSL::PKey::RSA.new(length)
+      File.write(file_path, private_key.to_s)
+      private_key
+    end
+  end
+end

data/lib/letsencrypt/cli/app.rb

@@ -0,0 +1,72 @@
+require 'thor'
+require 'colorize'
+require 'fileutils'
+module Letsencrypt
+  module Cli
+    class App < Thor
+      class_option :account_key, desc: "Path to private key file (will be created if not exists)", aliases: "-a", default: 'account_key.pem'
+      class_option :test, desc: "Use staging url of Letsencrypt instead of production server", aliases: "-t", type: :boolean
+      class_option :log_level, desc: "Log Level (debug, info, warn, error, fatal)", default: "info"
+      class_option :color, desc: "Disable colorize", default: true, type: :boolean
+
+      desc 'register EMAIL', 'Register account'
+      method_option :key_length, desc: "Length of generated private key", type: :numeric, default: 4096
+      def register(email)
+        if email.nil? || email == ""
+          log "no E-Mail specified!", :fatal
+          exit 1
+        end
+        if !email[/.*@.*/]
+          log "not an email", :fatal
+          exit 1
+        end
+        registration = wrapper.client.register(contact: "mailto:" + email)
+        registration.agree_terms
+        wrapper.log "Account created, Terms accepted"
+      end
+
+      desc 'authorize_all', "Verify all server_names in /etc/nginx/sites-enabled/* (needs read access)"
+      method_option :webroot_path, desc: "Path to mapped .acme-challenge folder (no subdir)", aliases: '-w', required: true
+      def authorize_all
+        lines = Dir['/etc/nginx/sites-enabled/*'].map{|file| File.read(file).lines.grep(/^\s*server_name/) }.flatten
+        domains = lines.flatten.map{|i| i.strip.split(/[; ]/).drop(1) }.flatten.reject{|i| i.length < 3 }.uniq
+        authorize(*domains)
+      end
+
+      desc 'authorize [DOMAINS]', 'Authorize all domains'
+      method_option :webroot_path, desc: "Path to mapped .well-known/acme-challenge folder (no subdirs will be created)", aliases: '-w', required: true
+      def authorize(*domains)
+        rc = 0
+        domains.each do |domain|
+          if !wrapper.authorize(domain)
+            rc = 1
+          end
+        end
+        if rc != 0
+          exit rc
+        end
+      end
+
+      desc "cert [DOMAINS]", "create certificate and private key pair for domains. The first domain is the main CN domain, the reset will be added as SAN. If the given certificate-path already exists, script will exit non-zero if the certificate is still valid until the given number of days before."
+      method_option :private_key_path, desc: "Path to private key. Will be created if non existant", aliases: '-k', default: 'key.pem'
+      method_option :key_length, desc: "Length of private key", default: 2048, type: :numeric
+      method_option :fullchain_path, desc: "Path to fullchain certificate (Nginx) (will be overwritten if exists!)", aliases: '-f', default: 'fullchain.pem'
+      method_option :certificate_path, desc: "Path to certificate (Apache)", aliases: '-c', default: 'cert.pem'
+      method_option :chain_path, desc: "Path to chain (Apache)", aliases: '-n', default: 'chain.pem'
+      method_option :days_valid, desc: "If the --certificate-path already exists, only create new stuff, if that certificate isn't valid for less than the given number of days", default: 30, type: :numeric
+      def cert(*domains)
+        if domains.length == 0
+          $stderr.puts "no domains given"
+          exit 1
+        end
+        wrapper.cert(domains)
+      end
+
+      private
+
+      def wrapper
+        @wrapper ||= AcmeWrapper.new(options)
+      end
+    end
+  end
+end

data/lib/letsencrypt/cli/version.rb

@@ -0,0 +1,5 @@
+module Letsencrypt
+  module Cli
+    VERSION = "0.1.0.beta1"
+  end
+end

metadata

@@ -0,0 +1,216 @@
+--- !ruby/object:Gem::Specification
+name: letsencrypt-cli
+version: !ruby/object:Gem::Version
+  version: 0.1.0.beta1
+platform: ruby
+authors:
+- Stefan Wienert
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-12-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- stwienert@gmail.com
+executables:
+- letsencrypt-cli
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/letsencrypt-cli
+- letsencrypt-cli.gemspec
+- lib/letsencrypt-cli.rb
+- lib/letsencrypt/cli.rb
+- lib/letsencrypt/cli/acme_wrapper.rb
+- lib/letsencrypt/cli/app.rb
+- lib/letsencrypt/cli/version.rb
+homepage: https://github.com/zealot28/letsencrypt-cli
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: slim letsencrypt client for quickly authorizing (multiple) domains and issuing
+  certificates
+test_files: []