devnomads-cli 0.4.0__tar.gz → 0.4.1__tar.gz

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.0
+Version: 0.4.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,7 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads[acme]>=0.2.1
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -129,9 +129,18 @@ dncli services list | jq -r '.[].entity'
 `dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/README.md

@@ -113,9 +113,18 @@ dncli services list | jq -r '.[].entity'
 `dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/devnomads_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.4.0
+Version: 0.4.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,7 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads[acme]>=0.2.1
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -129,9 +129,18 @@ dncli services list | jq -r '.[].entity'
 `dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/devnomads_cli.egg-info/requires.txt

@@ -2,4 +2,4 @@ typer>=0.12
 httpx>=0.27
 rich>=13
 cryptography>=42
-devnomads[acme]>=0.2.1
+devnomads[acme]>=0.2.3

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/dncli.py

@@ -1362,6 +1362,16 @@ LE_STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"
 CERT_RENEW_WINDOW_DAYS = 30
 
 
+class KeyType(str, Enum):
+    """Certificate key types. ECDSA is the default; RSA on request."""
+
+    ecdsa256 = "ecdsa256"
+    ecdsa384 = "ecdsa384"
+    ecdsa521 = "ecdsa521"
+    rsa2048 = "rsa2048"
+    rsa4096 = "rsa4096"
+
+
 def _load_acme() -> Any:
     """Import devnomads.acme lazily, so non-cert commands skip the ACME
     stack at startup."""
@@ -1498,8 +1508,13 @@ def cert_issue(
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
@@ -1528,7 +1543,7 @@ def cert_issue(
         webroot=webroot,
         standalone=standalone,
         email=email,
-        key_type=key_type,
+        key_type=key_type.value,
         staging=staging,
         out_dir=_cert_out_dir(out, domain),
     )
@@ -1564,8 +1579,13 @@ def cert_renew(
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
@@ -1597,7 +1617,7 @@ def cert_renew(
             webroot=None,
             standalone=False,
             email=email,
-            key_type=key_type,
+            key_type=key_type.value,
             staging=staging,
             out_dir=out_dir,
         )

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "devnomads-cli"
-version = "0.4.0"
+version = "0.4.1"
 description = "Manage your DevNomads services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -11,7 +11,7 @@ dependencies = [
     "httpx>=0.27",
     "rich>=13",
     "cryptography>=42",
-    "devnomads[acme]>=0.2.1",
+    "devnomads[acme]>=0.2.3",
 ]
 
 [project.scripts]

{devnomads_cli-0.4.0 → devnomads_cli-0.4.1}/tests/test_cert.py

@@ -57,6 +57,56 @@ def test_issue_dns01_default_uses_dns_provider(configured, captured, isolated_co
     assert stat.S_IMODE(privkey.stat().st_mode) == 0o600
 
 
+def _spy_generate_key(monkeypatch, seen):
+    import devnomads.acme as acme
+
+    def spy(algo):
+        seen["algo"] = algo
+        return object()
+
+    monkeypatch.setattr(acme, "generate_key", spy)
+
+
+def test_issue_default_key_type_is_ecdsa384(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa384"
+
+
+def test_issue_key_type_ecdsa521(configured, captured, isolated_config, monkeypatch):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ecdsa521"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa521"
+
+
+def test_issue_key_type_is_selectable(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "rsa4096"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "rsa4096"
+
+
+def test_issue_rejects_unknown_key_type():
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ed25519"]
+    )
+    assert result.exit_code != 0
+    assert "ed25519" in result.output
+
+
 def test_issue_http01_webroot_uses_webroot_solver(
     configured, captured, isolated_config, tmp_path
 ):