letsencrypt_webfaction 1.1.3 → 1.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +4 -0
- data/README.md +87 -39
- data/lib/letsencrypt_webfaction.rb +1 -1
- data/lib/letsencrypt_webfaction/args_parser.rb +10 -1
- metadata +2 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 83c1b3f724a12f75203d4d279ca98398efb67623
|
4
|
+
data.tar.gz: c76364b7a81bf4e28e4db65d83fc993c1fc1cced
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1e2befa31cdd2e53cbb6dfb50dd1cfa17263a4add4a48f2b397707e876b881631db94bc57d3f1f41b67d91bfa8bc475de88091c229c5721390c8341e41dc477e
|
7
|
+
data.tar.gz: c4d3cf0bdd1bc6bef919cc8811988e2000f722e5c0eb6942c8dc88e1d07b251e61b79d986fd4618a1e3e82a4ad70ab3728990f4cde386b82146b32d7cb5a5b3b
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
LetsEncrypt utility client for WebFaction hosts.
|
4
4
|
|
5
|
-
This tool simplifies the manual process of using LetsEncrypt on Webfaction hosts. It can be added to
|
5
|
+
This tool simplifies the manual process of using LetsEncrypt on Webfaction hosts. It can be added to the Cron scheduled task runner where it will validate your domains automatically, place the generated certificates in a common folder, and then email the Webfaction support team to request installation, also notifying you.
|
6
6
|
|
7
7
|
[![Build Status](https://travis-ci.org/will-in-wi/letsencrypt-webfaction.svg?branch=master)](https://travis-ci.org/will-in-wi/letsencrypt-webfaction)
|
8
8
|
|
@@ -12,23 +12,45 @@ This tool simplifies the manual process of using LetsEncrypt on Webfaction hosts
|
|
12
12
|
|
13
13
|
*Note: if you find this useful and are setting up a new account, you can support me a little by using [my WebFaction affiliate link](https://www.webfaction.com/?aid=49923). I think I get a 10% referal bonus from whatever you spend at WebFaction. Thanks!*
|
14
14
|
|
15
|
+
## Why not Certbot?
|
16
|
+
|
17
|
+
[Certbot](https://certbot.eff.org/) is the "official" (in that it was the first and to some extent reference client) Let's Encrypt client. Let's Encrypt decided to focus Certbot on a particular use case, namely the configuration of servers which are directly facing the internet and can have the Certbot application run as root. For other use cases, they encourage the implementation of other clients tailored to different cases. This has spawned a wide variety of alternative implementations.
|
18
|
+
|
19
|
+
LetsEncrypt Webfaction is just such an alternative implementation. It was built because the WebFaction use case does not fit in the Certbot preconditions, namely that users don't have root access to change the frontend Nginx server configuration. WebFaction thus far requires that we place the certificate and private key somewhere on the server and then submit a ticket to install the certificate. This is exactly the workflow that is being automated.
|
20
|
+
|
21
|
+
Certbot could probably be used in "manual" mode to create the certificate on disk, and then something else wired up to make the certificate installation request. For various reasons, I decided not to do this. If someone creates instructions to do this, I'd be happy to link to it from [the wiki](https://github.com/will-in-wi/letsencrypt-webfaction/wiki).
|
22
|
+
|
23
|
+
## Prerequisite topics
|
24
|
+
|
25
|
+
Below are a list of server administration topics that it is assumed you know in order to follow the installation and setup instructions. If you find something in the readme that is unclear to you, please open a ticket and I'll try to improve the documentation!
|
26
|
+
|
27
|
+
### Cron
|
28
|
+
|
29
|
+
Cron is an application which will execute commands on a defined schedule. WebFaction has [some good documentation on how to use it](https://docs.webfaction.com/software/general.html#scheduling-tasks-with-cron).
|
30
|
+
|
31
|
+
### SSH
|
32
|
+
|
33
|
+
All of the commands listed below (unless specified otherwise) are run in an SSH session on the server. Again, WebFaction has written a [splendid little tutorial on how to get this working](https://docs.webfaction.com/user-guide/access.html#ssh).
|
34
|
+
|
15
35
|
## Installation
|
16
36
|
|
17
37
|
This utility works on [CentOS 6 and 7 boxes](https://docs.webfaction.com/user-guide/server.html#finding-your-server-s-operating-system). The CentOS 5 systems do not have a new enough OpenSSL to include the algorithms required. You may be able to make this work using rbenv and compiling openssl yourself. A tutorial for CentOS 5 is available here: https://github.com/will-in-wi/letsencrypt-webfaction/wiki/Install-custom-OpenSSL-and-Ruby-on-CentOS-5-host
|
18
38
|
|
39
|
+
All places where you need to substitute a value specific to your setup will be denoted with square brackets, e.g. `[mydomain.tld]`. There are cases where shell variables are used, such as `$HOME`. These should be typed verbatim.
|
40
|
+
|
19
41
|
You can install LetsEncrypt Webfaction using the system Ruby or using RBEnv.
|
20
42
|
|
21
43
|
### System Ruby
|
22
44
|
|
23
45
|
This is the simpler method and is preferred.
|
24
46
|
|
25
|
-
Run the following command to install:
|
47
|
+
Run the following command to install the letsencrypt_webfaction package via the [RubyGems package management site](https://rubygems.org/gems/letsencrypt_webfaction):
|
26
48
|
|
27
49
|
```sh
|
28
50
|
GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.2 install letsencrypt_webfaction
|
29
51
|
```
|
30
52
|
|
31
|
-
Add the following to `~/.bash_profile
|
53
|
+
Add the following to `~/.bash_profile` to simplify the running of LetsEncrypt Webfaction with a bash function:
|
32
54
|
|
33
55
|
```sh
|
34
56
|
function letsencrypt_webfaction {
|
@@ -36,34 +58,74 @@ function letsencrypt_webfaction {
|
|
36
58
|
}
|
37
59
|
```
|
38
60
|
|
39
|
-
Then run `source $HOME/.bash_profile
|
61
|
+
Then run the command `source $HOME/.bash_profile` to apply the new settings.
|
40
62
|
|
41
|
-
Now, you can run `letsencrypt_webfaction` from the shell.
|
63
|
+
Now, you can run `letsencrypt_webfaction` from the shell to get certificates. You can run this from any folder.
|
42
64
|
|
43
65
|
### RBEnv
|
44
66
|
|
45
|
-
This method is useful if you are already using RBEnv to manage Ruby.
|
67
|
+
This method is useful if you are already using RBEnv to manage Ruby, or if you are already a Ruby developer. If neither of these cases are true, just use the system Ruby method.
|
46
68
|
|
47
69
|
Follow the instructions to [set up RBEnv](https://github.com/rbenv/rbenv) and [Ruby Build](https://github.com/rbenv/ruby-build#readme) on your WebFaction server.
|
48
70
|
|
49
71
|
Once you have done so, install Ruby 2.1+ (probably 2.3.0 at time of writing). Then set the local Ruby and install the Gem. Finally unset the local Ruby so that you don't run into problems.
|
50
72
|
|
51
|
-
$ rbenv install 2.3.0
|
52
|
-
$ rbenv local 2.3.0
|
53
|
-
$ gem install letsencrypt_webfaction
|
54
|
-
$ rbenv rehash
|
55
|
-
$ rm .ruby-version
|
73
|
+
$ rbenv install 2.3.0 # Installs Ruby 2.3.0
|
74
|
+
$ rbenv local 2.3.0 # Sets Ruby 2.3.0 as the default version in the current folder.
|
75
|
+
$ gem install letsencrypt_webfaction # Installs this utility from RubyGems.
|
76
|
+
$ rbenv rehash # Makes RBenv aware of the letsencrypt_webfaction utility.
|
77
|
+
$ rm .ruby-version # Unsets Ruby 2.3.0 as the default version in the current folder.
|
78
|
+
|
79
|
+
## Upgrading
|
80
|
+
|
81
|
+
The WebFaction support team will not upgrade your installation of LetsEncrypt Webfaction. You don't usually need to do this unless you have an issue, but as a general rule with most software it is good to do occasionally.
|
82
|
+
|
83
|
+
You can find the version by running `letsencrypt_webfaction --version`. Sort of. In versions >= 1.1.4, this will work. In older versions, this will just print `letsencrypt_webfaction: version unknown` due to an oversight on my part. So if you get the latter output, just upgrade.
|
84
|
+
|
85
|
+
[The changelog](./CHANGELOG.md) describes changes from version to version.
|
86
|
+
|
87
|
+
LetsEncrypt Webfaction follows [Semantic Versioning](http://semver.org/). In a nutshell, a version number such as `1.2.3` is divided as `major.minor.patch`. When the major version is incremented, you will probably have to change something about the configuration to make it work. The changelog will let you know what changes you need to make. When the minor version is incremented, there are new features but existing features haven't changed. If the patch version is incremented, the changes are all under the hood and shouldn't change or add any existing features.
|
88
|
+
|
89
|
+
TL;DR: Be careful with major version upgrades and you should be fine with upgrading to minor or patch releases.
|
90
|
+
|
91
|
+
To upgrade, run one of the following two commands to fetch and install the newest version from RubyGems:
|
92
|
+
|
93
|
+
```sh
|
94
|
+
# For system Ruby:
|
95
|
+
GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.2 install letsencrypt_webfaction
|
96
|
+
|
97
|
+
# For RBenv
|
98
|
+
RBENV_VERSION=2.3.0 gem install letsencrypt_webfaction
|
99
|
+
```
|
56
100
|
|
57
101
|
## Usage
|
58
102
|
|
59
|
-
|
103
|
+
Here is a basic example which issues one certificate for both example.com and www.example.com which is served by `~/webapps/myapp/my_public_html` when your WebFaction contact email address is myemail@example.com. This assumes that both example.com and www.example.com are served from the same folder. An easy way to think about it is that there is one certificate per webapp, regardless of how many domains are served from it.
|
60
104
|
|
61
|
-
$ letsencrypt_webfaction --account_email
|
105
|
+
$ letsencrypt_webfaction --account_email [myemail@example.com] --domains [example.com,www.example.com] --public ~/webapps/[myapp]/[my_public_html]/
|
62
106
|
|
63
|
-
|
107
|
+
The certificate will be placed in `~/le_certs/example.com/[timestamp]/` and WebFaction will be emailed to install the certificate.
|
108
|
+
|
109
|
+
To quickly get a list of parameters and help for each, you should run:
|
64
110
|
|
65
111
|
$ letsencrypt_webfaction --help
|
66
112
|
|
113
|
+
To test certificate issuance, consider using the [LetsEncrypt staging server](https://community.letsencrypt.org/t/testing-against-the-lets-encrypt-staging-environment/6763). This doesn't have the 5 certs per domain every 7 days rate limit. You can add the `--endpoint https://acme-staging.api.letsencrypt.org/` parameter to the `letsencrypt_webfaction` command to do so.
|
114
|
+
|
115
|
+
When letsencrypt_webfaction runs, it places verification files into a public directory, validates the domains with LetsEncrypt (or your ACME provider), and then dumps the signed certificate and private key into an output folder. By default, the output folder is `~/le_certs/`, inside which it will create `[domain_name]/[timestamp]/`.
|
116
|
+
|
117
|
+
After this is done, the utility will email the cert installation request to Webfaction support and also copy you.
|
118
|
+
|
119
|
+
Once you have the certificate installed and working, you will probably want to redirect the HTTP version to the HTTPS version. WebFaction has [documentation describing how to do this](https://docs.webfaction.com/software/static.html#static-redirecting-from-http-to-https).
|
120
|
+
|
121
|
+
### Public folders
|
122
|
+
|
123
|
+
For this utility to work, it is assumed that there is a folder which is directly served at `http://[yourdomain]/` into which the ACME verification files can be placed.
|
124
|
+
|
125
|
+
In the case of a PHP site, such as Drupal or Wordpress, look for the folder with `index.php` in it. This is usually in `/home/[myuser]/webapps/[myapp/]`.
|
126
|
+
|
127
|
+
In the case of a Rails app, look for a folder called `public/`. If you are deploying your app with Capistrano, this could show up in `/home/myuser/webapps/[myapp]/current/public/`.
|
128
|
+
|
67
129
|
### Cron usage
|
68
130
|
|
69
131
|
Normally, you will run the script manually once to get the certificate, and then you will use Cron to automate future certificate renewal.
|
@@ -71,9 +133,9 @@ Normally, you will run the script manually once to get the certificate, and then
|
|
71
133
|
Your cron task could look something like:
|
72
134
|
|
73
135
|
# System Ruby Installation
|
74
|
-
0 4 1 */2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --account_email you@example.com --domains example.com,www.example.com --public ~/webapps/myapp/
|
136
|
+
0 4 1 */2 * PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --account_email [you@example.com] --domains [example.com,www.example.com] --public ~/webapps/[myapp]/
|
75
137
|
# RBEnv Installation
|
76
|
-
0 4 1 */2 * RBENV_ROOT=~/.rbenv RBENV_VERSION=2.3.0 ~/.rbenv/bin/rbenv exec letsencrypt_webfaction --account_email you@example.com --domains example.com,www.example.com --public ~/webapps/myapp/
|
138
|
+
0 4 1 */2 * RBENV_ROOT=~/.rbenv RBENV_VERSION=2.3.0 ~/.rbenv/bin/rbenv exec letsencrypt_webfaction --account_email [you@example.com] --domains [example.com,www.example.com] --public ~/webapps/[myapp]/
|
77
139
|
|
78
140
|
This [would run](http://crontab.guru/#0_4_1_*/2_*) at 4 a.m. on the first day of January, March, May, July, September, and November. Certificates expire three months after issuance, so modify as desired. It may be preferable to change the date of the month that your cron task runs on so that WebFaction staff don't simultaneously receive all certificate change requests at the same time.
|
79
141
|
|
@@ -83,33 +145,17 @@ If you have more than one cron task running like this, you may want to set the e
|
|
83
145
|
|
84
146
|
Default parameters can be found in [config.defaults.yml](./config.defaults.yml). All of the parameters can be overridden by passing another config file, arguments to the executable, or both. If a config file and arguments are passed, they will be interleaved with the arguments having precedence.
|
85
147
|
|
86
|
-
A config file needs to be in YAML format and have a subset of the keys in [config.defaults.yml](./config.defaults.yml). If you use a config file, you
|
148
|
+
A config file needs to be in YAML format and have a subset of the keys in [config.defaults.yml](./config.defaults.yml). If you use a config file, you add the `--config [./myconfig.yml]` parameter to the letsencrypt_webfaction command.
|
87
149
|
|
88
150
|
This allows you to set up a cron task for multiple sites with the defaults for all of them (such as your email address) in a config file, and site specific directives in the command. For example:
|
89
151
|
|
90
|
-
$ letsencrypt_webfaction --config ~/le_config.yml --domains example.com,www.example.com --public ~/webapps/myapp/public_html/
|
152
|
+
$ letsencrypt_webfaction --config [~/le_config.yml] --domains [example.com,www.example.com] --public ~/webapps/[myapp/public_html/]
|
91
153
|
|
92
154
|
This could be run automatically every two months.
|
93
155
|
|
94
|
-
### Operation
|
95
|
-
|
96
|
-
When the code runs, it places verification files into a public directory, validates the domains with LetsEncrypt (or your ACME provider), and then dumps the signed certificate and private key into an output folder. By default, the output folder is `~/le_certs/`, inside which it will create `[domain_name]/[timestamp]/`.
|
97
|
-
|
98
|
-
After this is done, the utility will email the cert installation request to Webfaction support and also copy you.
|
99
|
-
|
100
|
-
If you see messages containing SyntaxErrors, you are most likely using an old version of Ruby. This utility requires Ruby 2.1+.
|
101
|
-
|
102
|
-
### Public folders
|
103
|
-
|
104
|
-
For this utility to work, it is assumed that there is a folder which is directly served at `http://yourdomain/` into which the ACME verification files can be placed.
|
105
|
-
|
106
|
-
In the case of a PHP site, such as Drupal or Wordpress, look for the folder with `index.php` in it. This is usually in `/home/myuser/webapps/myapp/`.
|
107
|
-
|
108
|
-
In the case of a Rails app, look for a folder called `public/`. If you are deploying your app with Capistrano, this could show up in `/home/myuser/webapps/myapp/current/public/`.
|
109
|
-
|
110
156
|
### Custom email configuration
|
111
157
|
|
112
|
-
Particularly in the case of Gmail, you may need to override the default usage of Sendmail and use SMTP. You can
|
158
|
+
Particularly in the case of Gmail, you may need to override the default usage of Sendmail and use SMTP. You can create a custom configuration file as described above (passed using `--config`) and add the below custom configuration in order to accomplish this.
|
113
159
|
|
114
160
|
A Gmail example might be:
|
115
161
|
|
@@ -120,23 +166,25 @@ email_configuration:
|
|
120
166
|
:address: 'smtp.gmail.com'
|
121
167
|
:port: '587'
|
122
168
|
:enable_starttls_auto: true
|
123
|
-
:user_name: 'myuser@gmail.com'
|
124
|
-
:password: 'password_see_note'
|
169
|
+
:user_name: '[myuser@gmail.com]'
|
170
|
+
:password: '[password_see_note]'
|
125
171
|
:authentication: 'plain'
|
126
172
|
:domain: 'localhost.localdomain' # the HELO domain provided by the client to the server
|
127
173
|
```
|
128
174
|
|
129
|
-
See
|
175
|
+
See this [project's GitHub wiki](https://github.com/will-in-wi/letsencrypt-webfaction/wiki) for additional Gmail specific notes.
|
130
176
|
|
131
177
|
For all possible options, see [the Pony configuration](https://github.com/benprew/pony).
|
132
178
|
|
133
179
|
## Development
|
134
180
|
|
181
|
+
If you are interested in contributing to this project with new code or bugfixes, welcome!
|
182
|
+
|
135
183
|
To run the script directly from the repository, use:
|
136
184
|
|
137
185
|
$ ruby -Ilib exe/letsencrypt_webfaction
|
138
186
|
|
139
|
-
|
187
|
+
The note above about the Let's Encrypt stage server is very helpful when developing.
|
140
188
|
|
141
189
|
You will probably also want to use the argument `--support_email ""` which will keep support from actually being contacted. Alternately, set the `support_email` address to be yourself.
|
142
190
|
|
@@ -1,6 +1,7 @@
|
|
1
1
|
require 'optparse'
|
2
2
|
require 'yaml'
|
3
3
|
|
4
|
+
require 'letsencrypt_webfaction'
|
4
5
|
require 'letsencrypt_webfaction/args_parser/field'
|
5
6
|
require 'letsencrypt_webfaction/args_parser/string_validator'
|
6
7
|
require 'letsencrypt_webfaction/args_parser/defined_values_validator'
|
@@ -41,7 +42,7 @@ module LetsencryptWebfaction
|
|
41
42
|
file_path = File.join(File.dirname(__FILE__), '../../', DEFAULTS_PATH)
|
42
43
|
load_config!(File.expand_path(file_path))
|
43
44
|
|
44
|
-
# TODO: Rework this to not exit on instantiation due to help text.
|
45
|
+
# TODO: Rework this to not exit on instantiation due to help text or version.
|
45
46
|
parse!
|
46
47
|
end
|
47
48
|
|
@@ -88,6 +89,13 @@ module LetsencryptWebfaction
|
|
88
89
|
end
|
89
90
|
end
|
90
91
|
|
92
|
+
def handle_version(opts)
|
93
|
+
opts.on_tail('--version', 'Show version') do
|
94
|
+
puts LetsencryptWebfaction::VERSION
|
95
|
+
exit
|
96
|
+
end
|
97
|
+
end
|
98
|
+
|
91
99
|
def handle_field(opts, field)
|
92
100
|
opts.on("--#{field.identifier}=#{field.identifier.upcase}", field.description) do |val|
|
93
101
|
instance_variable_set("@#{field.identifier}", field.sanitize(val))
|
@@ -100,6 +108,7 @@ module LetsencryptWebfaction
|
|
100
108
|
|
101
109
|
handle_config(opts)
|
102
110
|
handle_help(opts)
|
111
|
+
handle_version(opts)
|
103
112
|
FIELDS.each { |field| handle_field(opts, field) }
|
104
113
|
end
|
105
114
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: letsencrypt_webfaction
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1.
|
4
|
+
version: 1.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- William Johnston
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
urnVFSXSvmjoq2UEqNf39Ffw4ZJ2QYuxlOLEInXhf1Rij1+KYHwHoT6qaOmk+fgY
|
31
31
|
XWr3WAp8Tv/ogSwGuBGWtsjMTEzbRxAJbRXQDFEMeXJAvzon0o6hUtU=
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2016-07-
|
33
|
+
date: 2016-07-05 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: acme-client
|
metadata.gz.sig
CHANGED
Binary file
|