
acme

A simple command line tool to manage TLS certificates with ACME-compliant CAs. It has no third-party dependencies.

If you're looking for a package to import in your program, golang.org/x/crypto/acme or golang.org/x/crypto/acme/autocert is what you'll want instead.

This package is a work in progress and makes no API stability promises.

Usage

Quick install with go get -u github.com/google/acme or download a pre-built binary from the releases page.

The release binaries have an additional command, acme version, which reports the release version.

  1. You need to have a user account, registered with the CA. This is represented by an RSA private key.

The easiest is to let the acme tool generate it for you:

    acme reg -gen mailto:[email protected]

If you want to generate a key manually:

    mkdir -p ~/.config/acme
    openssl genrsa -out ~/.config/acme/account.key 4096
    acme reg mailto:[email protected]

The latter version assumes that the default acme config dir is ~/.config/acme. Yours may vary; check with acme help reg.

The "mailto:[email protected]" in the example above is a contact argument. While some ACME CAs may let you register without providing any contact info, providing one is recommended: a CA might need to notify cert owners about an update, for instance.

  2. Agree with the ACME CA Terms of Service.

Before requesting your first certificate, you may need to accept the terms of the CA. You can check the status of your account with:

    acme whoami

and look for the "Accepted: ..." line. If it says "no", read the CA's terms document linked in the "Terms: ..." field and agree to it by executing:

    acme update -accept

  3. Request a new certificate for your domain.

The easiest way to do this is:

    acme cert example.com

The above command generates a new certificate key (unless one already exists) and sends a certificate request. The output files go to the config dir, ~/.config/acme by default, but the exact location depends on your environment; check it with acme help cert.

If you don't want to auto-generate a cert key, one can always be generated upfront:

    openssl genrsa -out cert.key 2048

in which case the cert command will look something like this:

    acme cert -k cert.key example.com

Note that for the certificate request command to succeed, it must be run in a way that allows it to solve the CA's authorization challenges (proof of domain control). This typically means running the command on the same host the domain is served from.

If that is not possible, use the -manual flag and follow the instructions:

    acme cert -manual example.com
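The three steps above combined into one script, as an added example that is not part of the google/acme project. It creates the config dir first (several issues on this page report reg failing when ~/.config/acme is missing), generates the account key the manual way with openssl, registers, checks the "Accepted: ..." line of acme whoami and accepts the terms only if needed, then requests the cert. Assumptions not taken from the README: acme and openssl are on PATH, the config dir is read from a hypothetical ACME_CONFIG_DIR variable (default ~/.config/acme), acme update takes the same -c flag that reg, whoami and cert are shown taking elsewhere on this page, and acme whoami prints "Accepted: yes" when the terms were accepted.

```shell
#!/bin/sh
# Added example, not code from the google/acme project: register an account,
# accept the CA's terms if needed, and request one certificate with the acme CLI.
# Assumptions not taken from the README: acme and openssl are on PATH, the config
# dir comes from $ACME_CONFIG_DIR (default ~/.config/acme), `acme update` accepts
# the same -c flag as reg/whoami/cert, and `acme whoami` prints "Accepted: yes".
set -eu

ACME_CONFIG_DIR="${ACME_CONFIG_DIR:-${HOME:-.}/.config/acme}"

# The issues on this page show reg failing with "account.key: no such file or
# directory" when ~/.config/acme is missing, so create it first, owner-only.
ensure_config_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
    [ -d "$1" ] && [ -w "$1" ]
}

# Manual variant of account key generation from the README (4096-bit RSA),
# skipped if a key already exists; the umask keeps the private key mode 0600.
ensure_account_key() {
    key="$1/account.key"
    if [ ! -s "$key" ]; then
        (umask 077 && openssl genrsa -out "$key" 4096)
    fi
}

# Read `acme whoami` output on stdin; succeed only if the "Accepted: ..." line
# says yes. No Accepted line at all is treated as not accepted.
tos_accepted() {
    awk 'BEGIN { rc = 1 }
         /^Accepted:/ { rc = ($2 == "yes") ? 0 : 1 }
         END { exit rc }'
}

# Full procedure: steps 1 to 3 of the README for one contact and one domain.
# Intended for first-time setup: per the issues below, re-running reg with an
# already registered key fails with a 409 "Registration key is already in use".
bootstrap() {
    contact="$1"
    domain="$2"
    ensure_config_dir "$ACME_CONFIG_DIR"
    ensure_account_key "$ACME_CONFIG_DIR"
    acme reg -c "$ACME_CONFIG_DIR" "mailto:$contact"
    if ! acme whoami -c "$ACME_CONFIG_DIR" | tos_accepted; then
        acme update -c "$ACME_CONFIG_DIR" -accept
    fi
    # Must run on the host that serves $domain so the challenge can be answered;
    # add -manual here if that is not possible.
    acme cert -c "$ACME_CONFIG_DIR" "$domain"
}

# Usage: sh bootstrap-acme.sh admin@example.com example.com
if [ "$#" -eq 2 ]; then
    bootstrap "$1" "$2"
fi
```

The key generation runs under umask 077 so the account key is never world-readable, and tos_accepted fails closed: output without an "Accepted:" line is treated as not accepted, so the script never skips the terms step on unexpected whoami output.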

License

(c) Google, 2015. Licensed under the Apache 2.0 license.

This is not an official Google product.

acme's People

Contributors

hkjn, ikellenberger, kkirsche, mbwalas, sgomes, siepkes, titanous, trhall, uncompiled, x1ddos


acme's Issues

dns challenge feature with support for external dns tools like the dehydrated project

Lukas Schauer's dehydrated has support for external dns tools to enable "ACME DNS challenge" for the many situations where http challenge is problematic. Generally it just runs a command with parameters specifying the FQDN and magic value that need to be set up as a TXT dns record and then a cleanup after letsencrypt is done verifying. It would be super-cool if you used the same 'protocol' so that existing tools work out-of-the-box. See: https://github.com/lukas2511/dehydrated/blob/master/docs/dns-verification.md

dehydrated works but since it is written in BASH it is sensitive to many platform issues and has a lot of dependencies on various unix/linux tools.

Reverse proxy

Some kind of a reverse proxy. Similar to autocert but command line version.

golang ListenAndServeTLS

package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/do", func(w http.ResponseWriter, r *http.Request) {
		fmt.Println("do")
	})

	// http.ListenAndServeTLS takes the certificate file before the key file.
	// With a self-signed cert.pem the browser shows the warning described below.
	err := http.ListenAndServeTLS(":9000", "cert.pem", "key.pem", nil)
	if err != nil {
		panic(err)
	}
}

  1. Using a browser, open https://localhost:9000/do
  2. The browser warns "not safe connection: NET::ERR_CERT_AUTHORITY_INVALID"
  3. How to handle this except importing the CA cert in the client?

ECDSA keys

Will there be support for ECDSA keys soon?

Make sure we fetch all the chain when bundling a cert

We currently fetch only one level up when retrieving a cert. @kuba says we need to go more levels up into the chain.

The spec says

The server provides metadata about the certificate in HTTP headers. In particular, the server MUST include a Link relation header field RFC5988 with relation “up” to provide a certificate under which this certificate was issued

It's not entirely clear whether the up response may also contain another relation level: the way it is at the moment seems to work.

Anyway, just wanted to create this issue for now, as a reminder to make sure we're doing it correctly.

Add GetChallenge method

Currently it fetches only the full Authz (GetAuthz); one needs to filter if interested only in a given challenge.

fail with staging, but not with prod?

I've been using the acme client for several rounds of cert renewals, over the last 9 months, without any issues. I'm using HTTP challenge.

Now I notice that I can no longer renew against the staging environment, but the production environment still works as usual.

The error I get, is
(MYDOMAIN): acme: identifier authorization failed

I still see the HTTP challenge in the web server logs, replied to with a 200 status, so that part is working still.

TOS acceptance is fine (checked with whoami, even updated once although it said "yes").

Can anybody reproduce that / sees the same issues? Maybe something changed in letsencrypt staging that the acme client needs to learn?

Provide the option to auto-generate the certificate's private key using RSA instead of ECDSA

If you call acme cert without the -k option it will auto-generate a private certificate key for the user, but it is currently hard-coded to only use the ECDSA algorithm. While ECDSA is supposed to be a superior algorithm, ECDSA certs are not compatible with a number of client and server systems, e.g. AWS API Gateway requires a 2048-bit RSA key.

It would be great if the user could optionally specify the private key certificate algorithm and key size using a flag. That would make things simpler, safer and easier for users who don't have openssl installed.

Account.key path is not created when using acme reg -gen

When using the command:
c:\Acme> acme reg -gen mailto:[email protected]"

it throws an error
account key: open C:\Users\myusername\.config\acme\account.key: The system cannot find the path specified.

when the .config directory does not exist.
This is on Windows 10, with the 1.1.1 binary.

Workaround: create directories manually.
Fix: automatically create the directories .config and .config/acme if they don't exist.

Reg fails if the config dir isn't created

root@ip-10-108-9-175:~# acme reg -gen mailto:[email protected]
account key: open /root/.config/acme/account.key: no such file or directory
root@ip-10-108-9-175:~# mkdir -p /root/.config/acme/
root@ip-10-108-9-175:~# acme reg -gen mailto:[email protected]
CA requires acceptance of their Terms and Services agreement:
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
Do you accept? (Y/n)

The suggested first step in the Readme doesn't mention that the config dir needs to be created. Maybe if this is missing it should prompt you and ask if the dir should be created automatically?

allow to listen on Unix socket

When the real web server serves as a proxy for the tool, redirecting the traffic for /.well-known/acme-challenge using unix sockets allows for a more resilient/hardened setup. For example, one can use permissions or selected mounts to isolate the tool's socket from the rest of the system. So it would be nice if the -s option to the cert command allowed specifying a unix socket to listen on.

ACMEv1 sunset at Let's Encrypt breaks `acme`

ACMEv1 sunset currently breaks at least acme reg:

$ acme reg -gen mailto:[email protected]
403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

That's completely in-sync with the sunset plan outlined at the URL:

  • November 2019 — stop new account registrations
  • June 2020 — stop allowing new domains to validate
  • June 2021 — entirely disable ACMEv1

allow to explicitly name host and cert files

Currently the cert command uses the first domain name to name the generated host key and certificates. When generating several certificates at once this naming is inconvenient and I have to rename the files in my shell script wrapper for the tool into domain-independent names that are used in a web server config. It would be nice to allow naming the files explicitly.

How to create an account.key on windows?

I can't seem to make a valid account.key to make goacme work on windows. If I use PuTTY to generate an SSH-2 RSA key I get: account key: no block found in "C:\Users\james.config\acme\account.key"

The documentation doesn't explain how to create account.key.

Usability: default for -d when already registered ?

Another nitpick on first playing with your program: once I got it to register, I immediately proceeded to register once more against the staging server, using acme reg -c .config/acme.staging -d letsencrypt-staging. That worked fine, and I can use acme whoami -c .config/acme.staging to look at the registration details.

Next, I tried acme cert -c .config/acme.staging -manual me.example.com (of course with my own domain). That got me an error: me.example.com: 403 urn:acme:error:unauthorized: No registration exists matching provided key

Not a big issue - I simply have to once more add the -d letsencrypt-staging option, and then it works fine!

However, seeing that the "staging" URI is known (with whoami, or looking at the config file) already when the -c option is given - shouldn't then -d default to that URI from the configuration, like it does with whoami?

Error when trying to reg

$ acme reg -gen mailto:[email protected]
400 urn:acme:error:malformed: signature type 'RS256' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512

Looks like the key type changed to ED256 in 2a985c7.
Does the jws token header need to be updated to match?

If I create an rsa 4096 key manually, then reg works.

ListenAndServeTLS

Add a helper func so that people can do something like goacme.ListenAndServeTLS instead of http.ListenAndServeTLS.

Thanks @bradrydzewski for the idea.

identifier authorization failed

hi.

root@umh:# ./acme-linux-amd64 cert -s localhost:6060 mydomain.com
mydomain.com: acme: identifier authorization failed
root@umh:#

how to fix it?
thank you

Renew certificate

What's the recommended way of renewing an existing letsencrypt certificate using cmd/acme?
Just running acme cert $domain will re-issue a new .crt.
Is there a way of handling this automatically? Like "renew, when existing .crt will expire in n days"?

Usability: reg fails when you take your time to read the license first...

First time user here, with some notes on usability with "acme reg -gen mailto:[email protected]":

  • first run fails with account key: open /home/me/.config/acme/account.key: no such file or directory

  • solution was to create directory .config/acme by hand

  • second run then prompted me to accept the ToS. I took some time to read it. When I came back and entered Y at the prompt I got this error: context deadline exceeded

  • a third run fails directly with message 409 urn:acme:error:malformed: Registration key is already in use

  • after deleting .config/acme/account.key by hand, a fourth run then worked...

example.com: acme: identifier authorization failed and 409 urn:acme:error:malformed: Registration key is already in use

  1. While trying to run the command "acme cert $domain name", I am getting the error identifier authorization failed. I followed the steps in the README file, not sure how to trace the error back.

  2. If I am trying to register my id with the mailto option, I am getting the error malformed: Registration key already in use, which is mostly because I have already registered this mail-id. How can I unregister the id, or is this error completely different in scope?

Pass urls map (Endpoint) to acme Client

That way we could skip url string param in each call to the client. Maybe provide Endpoint as additional parameter to acme client, maybe additional wrapper.
