srvrco / getssl Goto Github PK

View Code? Open in Web Editor NEW

2.0K 65.0 367.0 1.57 MB

obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.

License: GNU General Public License v3.0

Shell 96.97% Makefile 0.24% Python 0.65% Batchfile 0.55% PHP 0.97% PowerShell 0.60%

getssl certificate ssl-certificate acme-server ssh ftp remote letsencrypt acme

getssl's Introduction

getssl

Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers.

Upgrade broken in v2.43
Features
Overview
Quick Start Guide
Manual Installation
Getting started
Detailed guide to getting started with more examples
Wildcard certificates
ISPConfig
Automating updates
Structure
Custom template for configuration
Server-Types
Revoke a certificate
Elliptic curve keys
Preferred Chain
Include Root certificate in full chain
Windows Server and IIS Support
Building getssl as an RPM Package (Redhat/CentOS/SuSe/Oracle/AWS)
Building getssl as a Debian Package (Debian/Ubuntu)
Issues / problems / help

Upgrade broken in v2.43

The automatic upgrade in v2.43 is broken as the url is incorrect. If you have this version installed you'll need to manually upgrade using: curl --silent --user-agent getssl/manual https://raw.githubusercontent.com/srvrco/getssl/latest/getssl --output getssl

Features

Bash - It runs on virtually all unix machines, including BSD, most Linux distributions, macOS.
Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.
Runs as a daily cron - so certificates will be automatically renewed when required.
Automatic certificate renewals
Checks certificates are correctly loaded - After installation of a new certificate it will test the port specified ( see Server-Types for options ) that the certificate is actually being used correctly.
Automatically updates - The script can automatically update itself with bug fixes etc if required.
Extensively configurable - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate.
Supports http and dns challenges - Full ACME implementation
Simple and easy to use
Detailed debug info - Whilst it shouldn't be needed, detailed debug information is available.
Reload services - After a new certificate is obtained then the relevant services (e.g. apache/nginx/postfix) can be reloaded.
ACME v1 and V2 - Supports both ACME versions 1 and 2 (note ACMEv1 is deprecated and clients will automatically use v2)

Overview

GetSSL was written in standard bash ( so it can be run on a server, a desktop computer, or even a virtualbox) and add the checks, and certificates to a remote server ( providing you have a ssh with key, sftp or ftp access to the remote server).

getssl ver. 2.36
Obtain SSL certificates from the letsencrypt.org ACME server

Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-X|--experimental tag] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain   

Options:
  -a, --all          Check all certificates
  -d, --debug        Output debug information
  -c, --create       Create default config files
  -f, --force        Force renewal of cert (overrides expiry checks)
  -h, --help         Display this help message and exit
  -i, --install      Install certificates and reload service
  -q, --quiet        Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
  -Q, --mute         Like -q, but also mute notification about successful upgrade
  -r, --revoke   "cert" "key" [CA_server] Revoke a certificate (the cert and key are required)
  -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
  -X  --experimental tag Allow upgrade to a specified version of getssl
  -U, --nocheck      Do not check if a more recent version is available
  -v  --version      Display current version of getssl
  -w working_dir "Working directory"
    --preferred-chain "chain" Use an alternate chain for the certificate

Quick Start Guide

You can download precompiled RPM packages and Debian (DEB) packages from the release page for this project, or you can manually build and install the program from the git sources.

If you want to manually install the program from scratch with the git sources rather than use the pre-compiled RPMS and DEB packages, or if your target platform does not support Linux RPM or DEB packages, then please skip to the section Manual Installation for instructions on installing the getssl program manually.

Packages are provided in binary and source versions, and can be downloaded and installed directly or rebuilt. Package types are Red Hat Package Manager (RPM) packages and Debian (DEB) packages for binary installation and Source RPM packages (SRPMS) and Debbuild SDEB packages for source code installation.

RPM and DEB packages for each release include a binary architecture specific package and a source package which can be downloaded and built/rebuilt and which contains the source code.

For example, the release v2.49 contains the following packages in the release section:

RPM Based Packages (RedHat, CentOS, SuSe, Oracle Linux, AWS Linux)

getssl-2.49-1.src.rpm (source)
getssl-2.49-1.noarch.rpm (binary)

Debian Based Packages (Debian, Ubuntu)

getssl_2.49-1_all.deb (binary)

Installing Binary Packages

To install the binary package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:

rpm -i getssl-2.49-1.noarch.rpm

To deinstall the RPM binary package:

rpm -e getssl

To install the binary package with the Debian dpkg package manager for Debian and Ubuntu Linux distributions:

dpkg -i getssl_2.49-1_all.deb

To deinstall the Debian dpkg binary package:

dpkg -r getssl

Installing Source Packages

To install the source package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:

rpm -i getssl-2.48-1.src.rpm

(Note: rpm installs the source code files in /root/rpmbuild/ as top directory for RedHat, CentOS, Oracle Linux, and AWS Linux platforms. SuSe platforms install the source code files in /usr/src/packages/)

To install the source package with the Debbuild package tool for Debian or Ubuntu Linux distributions:

debbuild -i getssl-2.49-1.sdeb

(Note: Debbuild installs the source code files in /root/debbuild/ as top directory)

One item of note is that SDEB packages are actually just tar.gz archives renamed with an .sdeb file extension with the files organized into a SPECS and SOURCES directory tree structure. Subsequently, an SDEB can also be extracted and installed with the tar -xvf command or the files listed with the tar -tvf command:

[root@localhost getssl]$ tar -tvf /root/debbuild/SDEBS/getssl-2.49-1.sdeb 
-rw-r--r-- root/root   1772110 2022-10-12 20:42 SOURCES/getssl-2.49.tar.gz
-rw-r--r-- root/root       192 2022-08-02 15:02 SOURCES/getssl.crontab
-rw-r--r-- root/root       126 2022-08-02 15:02 SOURCES/getssl.logrotate
-rw-r--r-- root/root      1537 2022-08-02 15:02 SPECS/getssl.spec
[root@localhost getssl]$

For building or rebuilding RPMS or DEB Packages after you have installed the associated source packages on your platform, refer to the following:

Building getssl as an RPM Package (Redhat/CentOS/SuSe/Oracle/AWS)
Building getssl as a Debian Package (Debian/Ubuntu)

Manual Installation

Since the script is only one file, you can use the following command for a quick installation of GetSSL only:

curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > getssl ; chmod 700 getssl

This will copy the getssl Bash script to the current location and change the permissions to make it executable for you.

For a more comprehensive installation (e.g. install also helper scripts) use the provided Makefile with each release tarball. Use the install target.

You'll find the latest version in the git repository:

git clone https://github.com/srvrco/getssl.git

For Arch Linux there are packages in the AUR, see here and there.

If you use puppet, there is a GetSSL Puppet module by dthielking

Getting started

Once you have obtained the script (see Installation above), the next step is to use

./getssl -c yourdomain.com

where yourdomain.com is the primary domain name that you want to create a certificate for. This will create the following folders and files.

~/.getssl
~/.getssl/getssl.cfg
~/.getssl/yourdomain.com
~/.getssl/yourdomain.com/getssl.cfg

You can then edit ~/.getssl/getssl.cfg to set the values you want as the default for the majority of your certificates.

Then edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you want for this specific domain (make sure to uncomment and specify correct ACL option, since it is required).

You can then just run:

getssl yourdomain.com

and it should run, providing output like:

Registering account
Verify each domain
Verifying yourdomain.com
Verified yourdomain.com
Verifying www.yourdomain.com
Verified www.yourdomain.com
Verification completed, obtaining certificate.
Certificate saved in /home/user/.getssl/yourdomain.com/yourdomain.com.crt
The intermediate CA cert is in /home/user/.getssl/yourdomain.com/chain.crt
copying domain certificate to ssh:server5:/home/yourdomain/ssl/domain.crt
copying private key to ssh:server5:/home/yourdomain/ssl/domain.key
copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt
reloading SSL services

This will (by default) use the staging server, so should give you a certificate that isn't trusted ( Fake Let's Encrypt). Change the server in your config file to get a fully valid certificate.

Note: Verification is done via port 80 (http), port 443 (https) or dns. The certificate can be used (and checked with getssl) on alternate ports.

Detailed guide to getting started with more examples

Guide to getting a certificate for example.com and www.example.com

Wildcard certificates

getssl supports creating wildcard certificates, i.e. *.example.com which allows a single certificate to be used for any domain under example.com, e.g. www.example.com, mail.example.com. These must be validated using the dns-01 method.

A partial example getssl.cfg file is:

VALIDATE_VIA_DNS=true
export CPANEL_USERNAME=''
export CPANEL_URL='https://www.cpanel.host:2083'
export CPANEL_APITOKEN='1ABC2DEF3GHI4JKL5MNO6PQR7STU8VWX9YZA'
DNS_ADD_COMMAND=/home/root/getssl/dns_scripts/dns_add_cpanel
DNS_DEL_COMMAND=/home/root/getssl/dns_scripts/dns_del_cpanel

ISPConfig

There is a need to create a remote user in ISPConfig to enable the remote API access.

You need to go to System -> Remote Users and then enable the features for the remote user such as DNS zone functions.

PHP is required to exeucte soap functions in file ispconfig_soap.php.

DNS_ADD_COMMAND="/home/root/getssl/dns_scripts/dns_add_ispconfig"
DNS_DEL_COMMAND="/home/root/getssl/dns_scripts/dns_del_ispconfig"

export ISPCONFIG_REMOTE_USER_NAME="ussename"
export ISPCONFIG_REMOTE_USER_PASSWORD="password"
export ISPCONFIG_SOAP_LOCATION="https://localhost:8080/remote/index.php"
export ISPCONFIG_SOAP_URL="https://localhost:8080/remote/"

Create the wildcard certificate (need to use quotes to prevent globbing):

getssl "*.example.domain"

You can renew the certificate using getssl -a to renew all configured certificates.

You can also specify additional domains in the SANS line, e.g. SANS="www.test.example.com". This cannot contain any of the domains which would be covered by the wildcard certificate.

Automating updates

I use the following cron job

23  5 * * * /root/scripts/getssl -u -a -q

The cron will automatically update getssl and renew any certificates, only giving output if there are issues / errors.

The -u flag updates getssl if there is a more recent version available.
The -a flag automatically renews any certificates that are due for renewal.
The -q flag is "quiet" so that it only outputs and emails me if there was an error / issue.

Structure

The design aim was to provide flexibility in running the code. The default working directory is ~/.getssl (which can be modified via the command line).

Within the working directory is a config file getssl.cfg which is a simple bash file containing variables, an example of which is:

# Uncomment and modify any variables you need
# The staging server is best for testing (hence set as default)
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

# Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="[email protected]"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/user/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"

# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
RENEW_ALLOW="30"

# openssl config file.  The default should work in most cases.
SSLCONF="/usr/lib/ssl/openssl.cnf"

then, within the working directory there will be a folder for each certificate (based on its domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is:

# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
#
# The staging server is best for testing
#CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="www.example.org"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
#ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge')


# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert


# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
RELOAD_CMD="service apache2 reload"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="https"
#CHECK_REMOTE="true"

If a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path. Files will be securely copied using scp, and it assumes that you have a key on the server (for passwordless access). You can set the user, port etc for the server in your .ssh/config file.

If an ACL starts with ftp: or sftp: it as assumed that the line is in the format "ftp:UserID:Password:servername:/path/to/acme-challenge". sftp requires sshpass. Note: FTP can be used for copying tokens only and can not be used for uploading private key or certificates as it's not a secure method of transfer.

ssh can also be used for the reload command if using on remote servers.

Multiple locations can be defined for a file by separating the locations with a semi-colon.

A typical config file for example.com and www.example.com on the same server would be:

# uncomment and modify any variables you need
# The staging server is best for testing
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="www.example.com"

#Acme Challenge Location.   The first line for the domain, the following ones for each additional domain
ACL=('/var/www/example.com/web/.well-known/acme-challenge')

USE_SINGLE_ACL="true"

DOMAIN_CERT_LOCATION="/etc/ssl/example.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/example.com.key"
CA_CERT_LOCATION="/etc/ssl/example.com.bundle"

RELOAD_CMD="service apache2 reload"

Custom template for configuration

You can create and customize a template that can be use to generate the ~/.getssl/yourdomain.com/getssl.cfg config file, instead of the default one.

Create one of fhe following allowed locations, according to your getssl installation:

/etc/getssl/getssl_default.cfg
/path/of/your/getssl/installation/getssl_default.cfg
~/.getssl/getssl_default.cfg

And define the default values, optionally using the dynamic variables, as in the example below:

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS="${EX_SANS}"

ACL=('/home/myuser/${DOMAIN}/public_html/.well-known/acme-challenge')

USE_SINGLE_ACL="true"

RELOAD_CMD="sudo /bin/systemctl restart nginx.service"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
#CHECK_REMOTE="true"
CHECK_REMOTE_WAIT="1" # wait 1 second before checking the remote server

Server-Types

OpenSSL has built-in support for getting the certificate from a number of SSL services these are available in getssl to check if the certificate is installed correctly

Server-Type	Port	Extra
https	443
ftp	21	FTP Explicit
ftpi	990	FTP Implicit
imap	143	StartTLS
imaps	993
pop3	110	StartTLS
pop3s	995
smtp	25	StartTLS
smtps_deprecated	465
smtps	587	StartTLS
smtp_submission	587	StartTLS
xmpp	5222	StartTLS
xmpps	5269
ldaps	636
postgres	5432
port number

Revoke a certificate

In general revoking a certificate is not required.

Usage: getssl -r path/to/cert path/to/key [CA_server]

You need to specify both the certificate you want to revoke, and the account or private domain key which was used to sign / obtain the original certificate. The CA_server is an optional parameter and defaults to Let's Encrypt ("https://acme-v02.api.letsencrypt.org") as that is currently the only Certificate Authority using the ACME protocol.

Elliptic curve keys

You can use Elliptic curve keys for both the account key and the domain key (different of course, don't use the same key for both). prime256v1 (NIST P-256) and secp384r1 (NIST P-384) are both fully supported. secp521r1 (NIST P-521) is included in the code, but not currently supported by Let's Encrypt).

Preferred Chain

If a CA offers multiple chains then it is possible to select which chain is used by using the PREFERRED_CHAIN variable in getssl.cfg or specifying --preferred-chain in the call to getssl

This uses wildcard matching so requesting "X1" returns the first certificate returned by the CA which contains the text "X1", Note you may need to escape any characters which special characters, e.g. PREFERRED_CHAIN="$STAGING$ Doctored Durian Root CA X3"

Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
Production options are: "ISRG Root X1" and "ISRG Root X2"

Include Root certificate in full chain

Some servers, including those that use Java keystores, will not accept a server certificate if it cannot valid the full chain of signers.

Specifically, Nutanix Prism (Element and Central) will not accept the fullchain.crt until the root CA's certificate has been appended to it manually.

If your application requires the full chain, i.e. including the root certificate of the CA, then this can be included in the fullchain.crt file by adding the following line to getssl.cfg

FULL_CHAIN_INCLUDE_ROOT="true"

Windows Server and IIS Support

System and software requirements:

Windows Server with DNS and IIS services
One of
- WSL Windows Sub for Linux
  - Ubuntu or any other distro
  - gettssl can be installed inside WSL or using /mnt/ path to windows
- Bash - gettssl should be installed in Windows
  - Git Bash - https://git-scm.com/downloads
  - Rtools4.0 - https://cran.r-project.org/bin/windows/Rtools/

WSL

Installing and configuring WSL 2
- Add remove Windows features and choose "Windows for sub Linux"
- Install a distro like Ubuntu or any other Linux platform
  - If newly added to the system a reboot is required to continue
  - wsl --install -d ubuntu
  - Any user will work
  - Copying files to WSL
    - From Windows open Windows Explorer and browse to \\wsl$\Ubuntu\home\user\ and then place the getssl files and folders .getssl and getssl into users home directory \\wsl$\Ubuntu\home\user\.getssl . or in Windows
  - Open cmd in Widnows and type
    wsl -d Ubuntu /bin/bash /home/UserName/getssl/getssl domain.eu && exit
  - Using a specific distro if not set as default in WSL then use the wsl -d distro command
Notes:
- While configuring WSL please do check the /etc/hosts file if the IP of the domain is correct since it overrides the DNS server.
- Make sure running version 2.

GIT Bash - MINGW64_NT

Install git GIT Bash
"C:\Program Files\Git\bin\bash.exe" --login -i -- path_to/getssl/getssl domain.eu

Rtools Bash - MSYS_NT

Make sure that the path of \rtools42\usr\bin in Windows system environment variables is right before c:\windows\system32\ so that getssl will use the Rtools applications instead of Windows applications such as sort.exe that crashes or speify full path to sort.
\rtools42\usr\bin\bash.exe \Users\Administrator\getssl\getssl domain.eu 2>&1 1>out.txt

Updating DNS TXT records

Using PowerShell to add and delete _acme-challenge records
- dns_add_windows_dnsserver
- dns_del_windows_dnsserver
Notes: The script supports optional second level TLDs. sub.domain.co.uk You can update the reqexp .(co|com).uk to fit your needs.

IIS internet information service

Under folder other_scripts you can find a PowerSheell script iis_install_certeficate.ps1 which generates PFX certificate to be installed in IIS and binds the domains to the PFX certificate.
WSL
- RELOAD_CMD=("powershell.exe -ExecutionPolicy Bypass -File "\\\\wsl$\\Ubuntu\\home\\user\\getssl\\other_scripts\\iis_install_certeficate.ps1" "domain.eu" "IIS SiteName" "\\\\wsl$\\Ubuntu\\home\\user\\ssl\\" "path_to_ssl_dir" )
GIT and Rtools4 Bash
- RELOAD_CMD=("powershell.exe /c/Users/Administrator/getssl/other_scripts/iis_install_certeficate.ps1 domain.eu domain path_to_ssl_dir")

Building as an RPM Package

In order to build getssl as an RPM, the program must be compressed into a tar.gz file and the tar.gz file named to match the versioning information contained in the associated .spec file.

Spec files are special files which contain instructions on how to build a particular package from a source code archive. On Red Hat, CentOS, Oracle Linux, and AWS Linux systems, RPMS are built in the /root/rpmbuild/ top directory. SuSe systems build RPMS in the /usr/src/packages/ as top directory. These "top directories" will contain BUILD, BUILDROOT, SPECS, RPMS, SRPMS, and SOURCES subdirectories.

The SPECS directory contains the *.spec files used to build RPMS and SRPMS packages. The SOURCES subdirectory will contain the soure code archive file referred to in the *.spec file used to build the RPM package.

See the Quick Start Guide on instructions for installing the source rpm which installs both the .spec file and source archive file (tar.gz) into the rpm build top directory (i.e. /root/rpmbuild/). You should have previously installed the src.rpm file before attempting to build the rpm. You can also manually install the .spec file into the <top directory>/SPECS/ directory and the source code tarball in the <top directory/SOURCES/ directory, then attempt to build the rpm package.

To build getssl using the rpm tool, change directories (cd) into the /root/rpmbuild/SPECS/ directory (/usr/src/packages/SPECS/ for SuSe) and enter the following command:

rpmbuild -ba getssl.spec <enter>

The program should output the following if the build is successful and verify that the program wrote both the RPMS and SRPMS packages:

Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.BYQw0V
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf getssl-2.49
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/getssl-2.49.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd getssl-2.49
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.xpA456
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd getssl-2.49
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.zQs24R
+ umask 022
+ cd /root/rpmbuild/BUILD
+ '[' /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64 '!=' / ']'
+ rm -rf /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
++ dirname /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
+ mkdir -p /root/rpmbuild/BUILDROOT
+ mkdir /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
+ cd getssl-2.49
+ '[' -n /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64 -a /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64 '!=' / ']'
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
+ /usr/bin/mkdir -p /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/bin
+ /usr/bin/mkdir -p /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts
+ /usr/bin/mkdir -p /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/other_scripts
+ /usr/bin/make DESTDIR=/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64 install
mkdir -p /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
install -Dvm755 getssl /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/bin/getssl
'getssl' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/bin/getssl'
install -dvm755 /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl
for dir in *_scripts; do install -dv /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/$dir; install -pv $dir/* /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/$dir/; done
'dns_scripts/Azure-README.txt' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/Azure-README.txt'
'dns_scripts/Cloudflare-README.md' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/Cloudflare-README.md'
'dns_scripts/DNS_IONOS.md' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/DNS_IONOS.md'
'dns_scripts/DNS_ROUTE53.md' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/DNS_ROUTE53.md'
'dns_scripts/GoDaddy-README.txt' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/GoDaddy-README.txt'
'dns_scripts/dns_add_acmedns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_acmedns'
'dns_scripts/dns_add_azure' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_azure'
'dns_scripts/dns_add_challtestsrv' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_challtestsrv'
'dns_scripts/dns_add_clouddns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_clouddns'
'dns_scripts/dns_add_cloudflare' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_cloudflare'
'dns_scripts/dns_add_cpanel' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_cpanel'
'dns_scripts/dns_add_del_aliyun.sh' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_del_aliyun.sh'
'dns_scripts/dns_add_dnspod' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_dnspod'
'dns_scripts/dns_add_duckdns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_duckdns'
'dns_scripts/dns_add_dynu' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_dynu'
'dns_scripts/dns_add_godaddy' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_godaddy'
'dns_scripts/dns_add_hostway' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_hostway'
'dns_scripts/dns_add_ionos' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_ionos'
'dns_scripts/dns_add_ispconfig' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_ispconfig'
'dns_scripts/dns_add_joker' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_joker'
'dns_scripts/dns_add_lexicon' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_lexicon'
'dns_scripts/dns_add_linode' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_linode'
'dns_scripts/dns_add_manual' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_manual'
'dns_scripts/dns_add_nsupdate' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_nsupdate'
'dns_scripts/dns_add_ovh' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_ovh'
'dns_scripts/dns_add_pdns-mysql' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_pdns-mysql'
'dns_scripts/dns_add_vultr' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_vultr'
'dns_scripts/dns_add_windows_dns_server' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_add_windows_dns_server'
'dns_scripts/dns_del_acmedns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_acmedns'
'dns_scripts/dns_del_azure' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_azure'
'dns_scripts/dns_del_challtestsrv' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_challtestsrv'
'dns_scripts/dns_del_clouddns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_clouddns'
'dns_scripts/dns_del_cloudflare' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_cloudflare'
'dns_scripts/dns_del_cpanel' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_cpanel'
'dns_scripts/dns_del_dnspod' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_dnspod'
'dns_scripts/dns_del_duckdns' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_duckdns'
'dns_scripts/dns_del_dynu' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_dynu'
'dns_scripts/dns_del_godaddy' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_godaddy'
'dns_scripts/dns_del_hostway' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_hostway'
'dns_scripts/dns_del_ionos' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_ionos'
'dns_scripts/dns_del_ispconfig' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_ispconfig'
'dns_scripts/dns_del_joker' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_joker'
'dns_scripts/dns_del_lexicon' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_lexicon'
'dns_scripts/dns_del_linode' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_linode'
'dns_scripts/dns_del_manual' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_manual'
'dns_scripts/dns_del_nsupdate' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_nsupdate'
'dns_scripts/dns_del_ovh' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_ovh'
'dns_scripts/dns_del_pdns-mysql' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_pdns-mysql'
'dns_scripts/dns_del_vultr' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_vultr'
'dns_scripts/dns_del_windows_dns_server' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_del_windows_dns_server'
'dns_scripts/dns_freedns.sh' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_freedns.sh'
'dns_scripts/dns_godaddy' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_godaddy'
'dns_scripts/dns_route53.py' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/dns_route53.py'
'dns_scripts/ispconfig_soap.php' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/dns_scripts/ispconfig_soap.php'
'other_scripts/cpanel_cert_upload' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/other_scripts/cpanel_cert_upload'
'other_scripts/iis_install_certeficate.ps1' -> '/root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/usr/share/getssl/other_scripts/iis_install_certeficate.ps1'
+ install -Dpm 644 /root/rpmbuild/SOURCES/getssl.crontab /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/etc/cron.d/getssl
+ install -Dpm 644 /root/rpmbuild/SOURCES/getssl.logrotate /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64/etc/logrotate.d/getssl
+ /usr/lib/rpm/check-buildroot
+ /usr/lib/rpm/redhat/brp-ldconfig
/sbin/ldconfig: Warning: ignoring configuration file that cannot be opened: /etc/ld.so.conf: No such file or directory
+ /usr/lib/rpm/brp-compress
+ /usr/lib/rpm/brp-strip /usr/bin/strip
+ /usr/lib/rpm/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
+ /usr/lib/rpm/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/brp-python-bytecompile '' 1
+ /usr/lib/rpm/brp-python-hardlink
+ /usr/bin/true
Processing files: getssl-2.49-1.noarch
Provides: getssl = 2.49-1
Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(pre): /bin/sh
Requires(post): /bin/sh
Requires(preun): /bin/sh
Requires(postun): /bin/sh
Requires: /bin/bash /usr/bin/env
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
Wrote: /root/rpmbuild/SRPMS/getssl-2.49-1.src.rpm
Wrote: /root/rpmbuild/RPMS/noarch/getssl-2.49-1.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.hgma8Q
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd getssl-2.49
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/getssl-2.49-1.x86_64
+ exit 0

Building as a Debian Package

In order to build getssl as a Debian package, the program must be compressed into a tar.gz file and the tar.gz file named to match the versioning information contained in the associated .spec file. Spec files are special files which contain instructions on how to build a particular package from a source code archive.

Debian Packages can be built using a utility called "debbuild" and use a top directory structure which is similar to that used by the RPM tool but using /root/debbuild/ as the "top directory". These "top directories" will contain BUILD, BUILDROOT, SPECS, DEBS, SDEBS, and SOURCES subdirectories and follows a similar layout that is used for RPM files.

The SPECS directory contains the *.spec files used to build DEB and SDEB packages. The SOURCES subdirectory will contain the soure code archive file referred to in the *.spec file used to build the DEB and SDEB packages.

See the Quick Start Guide on instructions for installing the source SDEB which installs both the .spec file and source archive file (tar.gz) into the debbuild top directory (i.e. /root/debbuild/). You should have previously installed the SDEB file before attempting to build the DEB package. You can also manually install the .spec file into the <top directory>/SPECS/ directory and the source code tarball in the <top directory/SOURCES/ directory, then attempt to build the DEB package.

To build getssl using debbuild, change directories (cd) into the /root/debbuild/SPECS/ directory and enter the following command:

debbuild -vv -ba getssl.spec <enter>

The program should output the following if the build is successful and verify that the program wrote both the DEB and SDEB packages:

This is debbuild, version 22.02.1\ndebconfigdir:/usr/lib/debbuild\nsysconfdir:/etc\n
Lua: No Lua module loaded
Executing (%prep): /bin/sh -e /var/tmp/deb-tmp.prep.92007
+ umask 022
+ cd /root/debbuild/BUILD
+ /bin/rm -rf getssl-2.49
+ /bin/gzip -dc /root/debbuild/SOURCES/getssl-2.49.tar.gz
+ /bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd getssl-2.49
+ /bin/chmod -Rf a+rX,u+w,go-w .
+ exit 0
Executing (%build): /bin/sh -e /var/tmp/deb-tmp.build.40956
+ umask 022
+ cd /root/debbuild/BUILD
+ cd getssl-2.49
+ exit 0
Executing (%install): /bin/sh -e /var/tmp/deb-tmp.install.36647
+ umask 022
+ cd /root/debbuild/BUILD
+ cd getssl-2.49
+ '[' -n /root/debbuild/BUILDROOT/getssl-2.49-1.amd64 -a /root/debbuild/BUILDROOT/getssl-2.49-1.amd64 '!=' / ']'
+ /bin/rm -rf /root/debbuild/BUILDROOT/getssl-2.49-1.amd64
+ /bin/mkdir -p /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/bin
+ /bin/mkdir -p /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts
+ /bin/mkdir -p /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/other_scripts
+ /usr/bin/make DESTDIR=/root/debbuild/BUILDROOT/getssl-2.49-1.amd64 install
mkdir -p /root/debbuild/BUILDROOT/getssl-2.49-1.amd64
install -Dvm755 getssl /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/bin/getssl
'getssl' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/bin/getssl'
install -dvm755 /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl
for dir in *_scripts; do install -dv /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/$dir; install -pv $dir/* /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/$dir/; done
'dns_scripts/Azure-README.txt' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/Azure-README.txt'
'dns_scripts/Cloudflare-README.md' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/Cloudflare-README.md'
'dns_scripts/DNS_IONOS.md' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/DNS_IONOS.md'
'dns_scripts/DNS_ROUTE53.md' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/DNS_ROUTE53.md'
'dns_scripts/GoDaddy-README.txt' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/GoDaddy-README.txt'
'dns_scripts/dns_add_acmedns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_acmedns'
'dns_scripts/dns_add_azure' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_azure'
'dns_scripts/dns_add_challtestsrv' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_challtestsrv'
'dns_scripts/dns_add_clouddns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_clouddns'
'dns_scripts/dns_add_cloudflare' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_cloudflare'
'dns_scripts/dns_add_cpanel' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_cpanel'
'dns_scripts/dns_add_del_aliyun.sh' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_del_aliyun.sh'
'dns_scripts/dns_add_dnspod' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_dnspod'
'dns_scripts/dns_add_duckdns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_duckdns'
'dns_scripts/dns_add_dynu' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_dynu'
'dns_scripts/dns_add_godaddy' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_godaddy'
'dns_scripts/dns_add_hostway' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_hostway'
'dns_scripts/dns_add_ionos' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_ionos'
'dns_scripts/dns_add_ispconfig' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_ispconfig'
'dns_scripts/dns_add_joker' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_joker'
'dns_scripts/dns_add_lexicon' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_lexicon'
'dns_scripts/dns_add_linode' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_linode'
'dns_scripts/dns_add_manual' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_manual'
'dns_scripts/dns_add_nsupdate' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_nsupdate'
'dns_scripts/dns_add_ovh' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_ovh'
'dns_scripts/dns_add_pdns-mysql' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_pdns-mysql'
'dns_scripts/dns_add_vultr' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_vultr'
'dns_scripts/dns_add_windows_dns_server' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_add_windows_dns_server'
'dns_scripts/dns_del_acmedns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_acmedns'
'dns_scripts/dns_del_azure' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_azure'
'dns_scripts/dns_del_challtestsrv' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_challtestsrv'
'dns_scripts/dns_del_clouddns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_clouddns'
'dns_scripts/dns_del_cloudflare' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_cloudflare'
'dns_scripts/dns_del_cpanel' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_cpanel'
'dns_scripts/dns_del_dnspod' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_dnspod'
'dns_scripts/dns_del_duckdns' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_duckdns'
'dns_scripts/dns_del_dynu' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_dynu'
'dns_scripts/dns_del_godaddy' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_godaddy'
'dns_scripts/dns_del_hostway' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_hostway'
'dns_scripts/dns_del_ionos' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_ionos'
'dns_scripts/dns_del_ispconfig' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_ispconfig'
'dns_scripts/dns_del_joker' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_joker'
'dns_scripts/dns_del_lexicon' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_lexicon'
'dns_scripts/dns_del_linode' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_linode'
'dns_scripts/dns_del_manual' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_manual'
'dns_scripts/dns_del_nsupdate' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_nsupdate'
'dns_scripts/dns_del_ovh' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_ovh'
'dns_scripts/dns_del_pdns-mysql' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_pdns-mysql'
'dns_scripts/dns_del_vultr' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_vultr'
'dns_scripts/dns_del_windows_dns_server' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_del_windows_dns_server'
'dns_scripts/dns_freedns.sh' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_freedns.sh'
'dns_scripts/dns_godaddy' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_godaddy'
'dns_scripts/dns_route53.py' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/dns_route53.py'
'dns_scripts/ispconfig_soap.php' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/dns_scripts/ispconfig_soap.php'
'other_scripts/cpanel_cert_upload' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/other_scripts/cpanel_cert_upload'
'other_scripts/iis_install_certeficate.ps1' -> '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/usr/share/getssl/other_scripts/iis_install_certeficate.ps1'
+ install -Dpm 644 /root/debbuild/SOURCES/getssl.crontab /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/etc/cron.d/getssl
+ install -Dpm 644 /root/debbuild/SOURCES/getssl.logrotate /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/etc/logrotate.d/getssl
+ exit 0
Checking library requirements...
Executing (package-creation): /bin/sh -e /var/tmp/deb-tmp.pkg.6107 for getssl
+ umask 022
+ cd /root/debbuild/BUILD
+ /usr/bin/fakeroot -- /usr/bin/dpkg-deb -b /root/debbuild/BUILDROOT/getssl-2.49-1.amd64/main /root/debbuild/DEBS/all/getssl_2.49-1_all.deb
dpkg-deb: warning: parsing file '/root/debbuild/BUILDROOT/getssl-2.49-1.amd64/main/DEBIAN/control' near line 10 package 'getssl':
 missing 'Maintainer' field
dpkg-deb: warning: ignoring 1 warning about the control file(s)
dpkg-deb: building package 'getssl' in '/root/debbuild/DEBS/all/getssl_2.49-1_all.deb'.
+ exit 0
Executing (%clean): /bin/sh -e /var/tmp/deb-tmp.clean.52780
+ umask 022
+ cd /root/debbuild/BUILD
+ '[' /root/debbuild/BUILDROOT/getssl-2.49-1.amd64 '!=' / ']'
+ /bin/rm -rf /root/debbuild/BUILDROOT/getssl-2.49-1.amd64
+ exit 0
Wrote source package getssl-2.49-1.sdeb in /root/debbuild/SDEBS.
Wrote binary package getssl_2.49-1_all.deb in /root/debbuild/DEBS/all

Issues / problems / help

If you have any issues, please log them at https://github.com/srvrco/getssl/issues

There are additional help pages on the wiki

If you have any suggestions for improvements then pull requests are welcomed, or raise an issue.

getssl's People

Contributors

Stargazers

Watchers

Forkers

falkbizz michishyguy koter84 capslock2000 iamraghavgupta xdadrm rogst omega8cc pecigonzalo tallship jlbooker agp8x todhuff 2autunni cartcaved jusedawg liluxdev mrrandol m-to ianabc laurentfough realinit mtfnx nazar-pc ibuystuff rklomp beingmeta lgommans giuppi alexs77 zothar invisnet sunadtudk zoldan yiqun misterunknown codingminds phattanle ecarmonaatcubewisedotcom dhutty froonix slodki mafalb sideeffect42 mapthegod dedinext stombi fdkuiper amberweather pazuzu156 yfix fzipi micheloe jbeima sajjad-021 tacticalcode mitchellkrogza cloved mefb90 yacinepes darkonc kbabioch mostafahussein emphazer spenceratkin ichibsah izagz yourpalal aidhamza favorinfo zenny zazaz-de yatv flintlongjohnsilver lolo32 nicronics introsec vovcat bryant1410 bitshakereu tlhackque sleeplesscoder phdru fichte darylounet kevinlowrie lianran firstval materone mjbnz jobcespedes knightorc visioncritical mcenirm-forks ratchet-stpup bruderbb sjas fjimenez77 jaltek keramzyt

getssl's Issues

400 Bad Request due to ^M in $AGREEMENT

Using getssl 1.25 I got

response {
  "type": "urn:acme:error:malformed",
  "detail": "Request payload did not parse as JSON",
  "status": 400
}

apparently because $AGREEMENT had a ^M appended by the code that updates the variable. Setting AGREEMENT specifically in getssl.cfg (not letting the script set it) it works.

Use sh instead of bash

Hey,
i really like your script and want to use it. But i don't have bash on my servers. I only have sh on it. For the most part this is fine with your script. There is just one line that causes a problem:

$ sh getssl 
getssl: line 407: syntax error: bad substitution

Maybe you could solve that in another way. That way more people could use your script because it would not be limited to bash.

Thanks and greetings
Leo

No key/cert/ACL file is being written.

$ getssl EXAMPLE.co.uk
/home/USER/.getssl/EXAMPLE.co.uk/getssl.cfg: line 66: unexpected EOF while looking for matching `"'
/home/USER/.getssl/EXAMPLE.co.uk/getssl.cfg: line 69: syntax error: unexpected end of file
archiving old certificate file to /home/USER/.getssl/EXAMPLE.co.uk/EXAMPLE.co.uk.crt_2016-04-27_2016-07-26
Registering account
Verify each domain
Verifing pickle-it.co.uk
getssl: ACL location not specified for domain EXAMPLE.co.uk in /home/USER/.getssl/pickle-it.co.uk/getssl.cfg

issues:

I don't a line 69.
re: line 66 error - it seems that any commented out variable (with anything after the "=" sign), causes a syntax error.
ACL location not specified for domain EXAMPLE.co.uk in /home/USER/.getssl/pickle-it.co.uk/getssl.cfg - I have double checked that I have the correct number of ACLs listed and that the first line is for the domain; but the issue still occurs.
no key, cert or ACL files are being written.

Document how to enter empty values

create-getssl-config mentions at the start that just pressing enter uses the default. At least for the Additional domain names a.k.a. SANS question, empty is a perfectly valid and reasonable answer. Please print something to tell the user about '' or "" as input for empty values.

Check if the certificate is installed correctly

In order to check the certificate, the command line should be openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" < /dev/ null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

With the actual command line, result contains more than fingerprint and the check failed. Exemple of actual result :
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = foo.bar.net verify return:1 DONE SHA1 Fing

Error registering account on Raspbian 8 (Jessie)

As requested, I repost the issue here (1.25, 1.26 and 1.27 have the same behavior)

Message:
Expires: Wed, 03 Aug 2016 18:15:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 110
Boulder-Request-Id: FeRDzOzJKyjgO5wXc9oF7gFdWskCJ_GymlPEDS9yC94
Replay-Nonce: 47KMBxhmvqyytQJeCR3sD-Y1_mrh6mXLC3yuSLwvYO4
Expires: Wed, 03 Aug 2016 18:15:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 03 Aug 2016 18:15:04 GMT
Connection: close
response {
"type": "urn:acme:error:malformed",
"detail": "Request payload did not parse as JSON",
"status": 400
}
code 400
getssl: Error registering account

I attach the config files (main + domain) below.
Command are performed locally on the web server which is perfectly reachable from the internet (other sites work with ssl on the same box/ip.

Than you help, this is a great project

global_getssl.txt
domain_getssl.txt

Copying challenge token fails: /tmp is a directory

While trying to generate a new certificate from the Let's Encrypt staging server, I get the following output:

Registering account
Verify each domain
Verifing example.com
./getssl: line 890: /home/jbooker/.getssl/example.com/tmp/: Is a directory
copying challenge token to /var/www/html/www.example.com/.well-known/acme-challenge/
cp: omitting directory `/home/jbooker/.getssl/example.com/tmp/'
getssl: cannot copy /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/

In looking at the output from --debug, I'm noticing that the http01, token, and uri variables are all empty, which then causes line 890 to run cp on the whole directory. The debug output:

code 201
completed send_signed_request
http01
token
uri
keyauthorization <redacted>
./getssl: line 890: /home/jbooker/.getssl/example.com/tmp/: Is a directory
copying file from /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge
copying challenge token to /var/www/html/www.example.com/.well-known/acme-challenge/
copying from /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/
cp: omitting directory `/home/jbooker/.getssl/example.com/tmp/'
getssl: cannot copy /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/

If it helps, this is an older CentOS 5 / RHEL 5 system.

ACL requirement

From what I understand ACL is actually required.
However, there is nothing about it explicitly in readme, so when using default config verification fails.

fullchain cert issue

I created this files

abf.openmandriva.org.crt
abf.openmandriva.org.csr
abf.openmandriva.org.key
chain.crt

But nginx
says
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

Looks like need to add fulchain cert or something else.

I looked into the code of getssl

cat "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}_chain.pem"
copy_file_to_location "full pem" "$TEMP_DIR/${DOMAIN}_chain.pem"  "$DOMAIN_CHAIN_LOCATION"
cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}.pem"
copy_file_to_location "full pem" "$TEMP_DIR/${DOMAIN}.pem"  "$DOMAIN_PEM_LOCATION"

But for unknown reasons this files never been created.

Multiple destinations for copy of files

This isn't really an issue, and I have not idea how to really use github to suggest this, but I wanted to copy the .crt files to more than one place, one locally, and another on an remote server via scp, so I added a bit of code to put a loop in copy_file_to_location(). It's probably not very elegant, but it does the job for me. Perhaps you can make it more efficient and add it to your script?

copy_file_to_location() { # copies a file, using scp if required.
  cert=$1   # descriptive name, just used for display
  from=$2   # current file location
  #to=$3     # location to move file to.
  fullto=$3     # location to move file to.
  for to in ${fullto}
  do
    to=$(echo ${to}|sed -e 's/ //g') # this gets rid of the space after each destination, if there is one
    #
    # body of function unaltered
    #
  done
}

I then changed the config file as follows:
DOMAIN_CERT_LOCATION="/etc/certs/LE/test ssh:remote:/etc/certs/LE/test"

different debug/info levels

Hi,

for me it would be a very helpful feature to be able to choose different information levels. For example

-i 0 <= no info (quiet = -q)
-i 1 <= show all severe errors (dir not found, no permission to ..., config not found, openssl error messages, ...)
-i 2 <= show all severe errors + getssl update infos
-i 3 <= show all severe errors + getssl update infos + cert update success info
-i 4 <= show all severe errors + getssl update infos + cert update success info + RELOAD_CMD or server-restart success info
....
-i 9 <= show all infos (debugg = -d)

The reason is, that I don't want to get every day an email saying "Check all certificates: Certificate for mydomain.com is still valid for more than XX days ...", but I want to be informed by email when getssl got an severe error, so I can check whats wrong, when getssl was updated, so I can give a look at the new things, and I want to know when my certificates were updated, so I can look if everything is still running without problems.

Would be a nice feature, if you have the time to do it ;-)

Is working_dir supposed to be a temp directory?

If working_dir is to be a temp directory, please consider clearing it out before use (if it exists), or refusing to run if it is not clear.

If it has data in it (say, from an unsuccessful run, or a previous run which contained SANS which no longer exist), getssl can fail.

csr recreated if SAN includes a shorter version of domain

For example (no pun intended), I have 'example.co.uk' and 'example.co' as a SAN. The grep in getssl (line 841) finds two entries for DNS:example.co because it finds example.co.uk and example.co.

Because of this "failure" of the grep the variable "domain_in_csr" holds two values and the csr is regenerated:

existing csr at /andy/.getssl/example.co.uk/example.co.uk.csr does not contain example.co - re-create-csr

I put |tail -1 on the end of the grep to fix it, but there's probably a more elegant way to do it...

Use the same ACL for multiple domains

I have Nginx reverse proxy on server that handles almost all TLS-related stuff for multiple Docker containers. For simplicity I'd like to point .well-known/acme-challenge for every supported domain to the same directory.

Would be nice if script pick first element in ACL variable if necessary index doesn't exists.

For instance, following should work:

SANS="s0.example.com,s1.example.com"
ACL=('/etc/nginx/acme-challenge')

Or even better, having ACL=('/etc/nginx/acme-challenge') in main config would be really nice.

And every virtual host in Nginx will have:

location /.well-known/acme-challenge {
    alias /etc/nginx/acme-challenge;
}

This would greatly unify virtual hosts.

Generate pem file for lighttpd

For lighttpd the pem file have to be a concatenated file of the key file and the crt file (see the official lighttpd manual)

WORKING_DIR in config file has no effect

I defined WORKING_DIR in my account getssl.cfg and did not define it at domain level.

Running getssl -c did not create folders below this directory. But in the default.

Looks like in getssl's DOMAIN_DIR is defined before the new WORKING_DIR is got out of the config file an then isn't also defined new :-/

wrong sql statement

the script getssl/dns_scripts/dns_del_pdns-mysql doesn't delete the record _acme-challenge.

Certificate not renewing using getssl

Hello,
I have tried renewing my Let's Encrypt certificate multiple times now. Unfortunately, the cron job I have been running does not work. Can anyone let me know what I need to update? Do I need to remove all files that were generated with my original certificate? Any help is appreciated!
Renew Let's Encrypt certificate.docx

Option to specify a DNS server for the SOA query

When using a DNS split horizon, the SOA query may not produce the correct result. An option for specifying a separate server to be used would be helpful (e.g. 8.8.8.8).

"DNS add command" printed twice

The prompt for the DNS delete command is wrong.

No key file is being written

I do get a domain.crt file, but no domain.key. Also, getssl domain said that the certificate is still valid from the very first run. I never got the output as in the docs.

(any reference to 'domain' is to be read as the relevant fqdn)

Undocumented sed option

Hi, and thanks for this tool.

Do you really need to use -E option for sed ? Some older sed releases (ex: 4.1.5, Centos 5.x) does not support it and getssl fails. This option is equivalent to -r and is only here for compatibility with BSD sed.

ref: http://blog.dmitryleskov.com/small-hacks/mysterious-gnu-sed-option-e/

Additionally, some older date version (ex: 5.97) can't handle date past the "year 2038 bug" so force renew (-f) is failing because of the 100000 days check. Don't you think 365 days would be enough ?

I can create a PR with these small "Centos 5" compatibility fixes, if you are OK with this.

Old bash compatibility break with version 1.15

Hello,

Sorry for my bad English :-(

First of all, thank you for the great work you do here, I use this very effective script on my server with great pleasure (my every need is covered ;-)) ...

I use an old 5.11 CentOS GNU / Linux (very old, I know, but I'll try to use it until it reaches its OEL in March 2017 ;-)) that provides an old version of Bash (3.2 .25). The last commit (v 1.15 e59f11d) breaks compatibility with this version at line 912 and more ... ( "declare -A ..." but associative array exists only bash 4 as far as I know).

Is it in your goals to maintain compatibility with version 3.2+ bash? I understand that if I am the last guy using your script with this kind of old fabrics, it is not a priority for you ;-)

My bash scripting skill is not strong enough to hack your code without any break, I think...

Thanks again and good day

Make the 100 tries for DNS configurable

Upstream DNS server can impose somewhat lengthy update cycles. Gandi for example typically updates the zones every 20min. 100 tries with 10s delay is not enough to reliably hit an update cycle, so being able to wait longer can be attractive.

Consider relicense

In the spirit of Let's Encrypt, which uses Apache License 2.0, I'd like to discuss relicensing to a more permissive license. Naturally, @srvco, as the primary author the choice of GPLv2 was yours to make. As a contributor, do prefer a more permissive licenses though.

As an alternative to Apache License 2.0, you might prefer MPLv2, which keeps the copyleft nature for the included files. Since they're only shell scripts, the GPL's in-memory clause doesn't really apply anyway. MPLv2 wouldn't significantly alter the copyleft status of the included files. In my opinion, MPLv2 strikes a good balance between permissive and copyleft where copyleft is desired.

CC: @koter84 @MichiShyGuy @dstosberg @srvrco

https method seems to work on staging not on full

Thanks for sharing your script! Really appreciated.

One thing, today when I tried to renew my license, I got an error back - an empty one. I did an attempt at staging, and that was successful, after I found out about your new setting for https. The debugging mode was helpful, because it did not work afterwards on the actual server.

Debugging info showed that the letsencrypt server was using http not https. Not sure why that was a problem, or whether that has anything to do with your script... perhaps you might know. I worked around by re-including the request part of the uri in my redirect.

Best,
Jeroen

TEMP_DIR creation error

TEMP_DIR is defined before DOMAIN_DIR causing call to mktemp to fail.

Multiple domains, validation calls main domain

Hi.
I am trying to generate certificates for two domains (I have removed the real domains, just in case)

test.example.com
rest.test.example.com

Inside the .getssl/test.example.com/getssl.cfg I have changed the following values:

SANS=test.example.com,rest.test.example.com

ACL=('/var/www/test.example.com/web/.well-known/acme-challenge'
      '/var/www/rest.test.example.com/.well-known/acme-challenge')

When I run ./getssl -w /opt/.getssl test.example.com I get the following output:

no certificate obtained from host
existing csr at /opt/.getssl/test.example.com/test.example.com.csr does not contain test.example.com - re-create-csr .... test.example.com
test.example.com
existing csr at /opt/.getssl/test.example.com/test.example.com.csr does not contain test.example.com - re-create-csr .... test.example.com
test.example.com
Registering account
Verify each domain
Verifing test.example.com
copying challenge token to /var/www/test.example.com/web/.well-known/acme-challenge/rS0GLxc5lRSVXCUMq5NhjH9T9jXTM1w6Ci5wAu****
Pending
Verified test.example.com
Verifing test.example.com
copying challenge token to /var/www/test.rest.example.com/.well-known/acme-challenge/Zm4dK3o-z66gB8QiNAVKT8ckvyWaQx8LOXM4K****
getssl: for some reason could not reach http://test.example.com/.well-known/acme-challenge/Zm4dK3o-z66gB8QiNAVKT8ckvyWaQx8LOXM4K**** - please check it manually

It seems to register only the main domain, so it tries to test both both certificates on the main domain, but it saves the two challenge tokens in different folders, so the secondary domain is not called, and therefore the token for the second domain cannot be found.

Am I misunderstanding something, or is there something wrong in this scenario?

HTTP identifier validation is http only

Simple HTTP validation needs to support https, for sites that are https only. I believe this is only for the part where script checks against the domain itself using curl.

Right now, this line forces the request to be http only:
wellknown_url="http://$d/.well-known/acme-challenge/$token"

Perhaps a config value in getssl.cfg to specificy http or https?

Corrections to work with older slackware

On box Slackware 12 with some packages from Slackware 13:

curl package from Slackware 13 should be installed. When there is curl from 12 getssl always gets TEMP_DIR lost (deleted? it complains about absence of tmp/curl.header file). Probably, some curl option is missing in older curl. Curl 7.19.6 from Slackware 13 is OK.
GNU grep 2.5.3 can not grep properly with -o and .* pattern files with CRLF line feeds and http headers are such. So, please remove -o option, as it's redundant and not needed anyway.

-CertData=$(os_grep -i -o '^Location.*' "$CURL_HEADER" |os_sed 's/\r//g'| cut -d " " -f 2)
+CertData=$(os_grep -i '^Location.*' "$CURL_HEADER" |os_sed 's/\r//g'| cut -d " " -f 2)

Also, it's useful is to call RELOAD_CMD with eval instead of just $RELOAD_CMD, because, this way I can add multiple commands into it. It's useful when you can not just apachectl restart older apache (Apache/2.2.10), because, it forgets that it was started with startssl and there is no 'restartssl', but plain 'restart' somehow does not restarts ssl properly and it not gets certificates updates or ssl wasn't started at all (depending on luck). Thus, I want to do RELOAD_CMD="apachectl stop; sleep 3; apachectl startssl". But, this does not work when you run RELOAD_CMD with just $RELOAD_CMD, and work good when you do eval $RELOAD_CMD.

-      $RELOAD_CMD
+      eval "$RELOAD_CMD"

Thanks,

Non-standard ports for HTTP/HTTPS

My test/development server uses port 7800 for HTTP and 7440 for HTTPS. (My production server at the same IP address uses the standard ports of 80 and 443.) I need to use getssl against my test/development server, but even though I change "webserver" to "7440", it seems to be checking against 443 (my productin server), where it finds an SSL certificate from another source. I'm trying to set up with letsencrypt.org, but need to prove it out on my test/development server first before changing my production server.

Should I be specifying the HTTP port (7800) instead of the HTTPS port (7440), or is there another (undocumented) trick to doing this?

Thanks in advance - Jack

ACL via FTP

As an enhancement, would it be possible to add the functionality to copy the AC files to the ACLs via ftp (with user id and password provided in config file like "ftp:UserID:Password:someserver.com:/path/to/acme-challenge"). My sites are hosted on servers where I do not have access to use ssh with a key file. Once the challenges have been met and the certificate issued, I have to get the hosting service admin to place the certificate and key files on the server manually.

Thanks.

Permissions of challenge token cause problems

If umask is too restrictive (in my case it is 0077) copy_file_to_location() will cp the challenge token probably with insufficient permissions. The script should make sure permissions of the challenge token include "world readable".

Version 1.25 of getssl does chmod 755 "$TEMP_DIR/$token" but copy_file_to_location() uses cp without -p, hence a new file with new permissions is created.

BTW, is there a specific reason why 755 is used for a plain file rather 0644?

Does the privat key renew?

Hi,
doing getssl -f ... gets a new cert. The key remains the same. Does getssl renew the private keys some when? Is there, or can there be, a config setting like NEW_PRIVATE_KEY to automatically renew it every X days for the whole account and for the specific domain in the domain config.

DNS_DEL_COMMAND is run an extra time

When I run DNS validation, the extra DNS_DEL_COMMAND in cleanup() means that one too many DNS_DEL_COMMAND are run. In a normal run, the dns add and delete are run each in turn, then an extra call to delete happens, which doesn't actually delete anything. If I remove the DNS_DEL_COMMAND from cleanup() it doesn't run the extra delete, and still tidies up the dns entries, but I'm not sure that this won't cause problems under different conditions.

In fact, the extra delete is run even when the script does run because the 30 day limit has not been met:

$ ./getssl example.co.uk
certificate for example.co.uk is still valid for more than 30 days (until Sep 11 10:25:00 2016 GMT)
###################################
# this is the output from my dns-delete.sh script:
# dns-del.sh :
fulldomain=
full command options : 
Nothing to delete
###################################
$

Permissions of keys

It would be nice if private keys were not readable by others by default. E.g. before openssl genrsa etc, set umask 077 and restore it afterwards.

Error when generating certificate "for some reason could not reach..."

I'm getting an issue when trying to get an ssl certificate it says:

for some reason could not reach http://example.com/.well-known/acme-challenge/z3aLptRJhGLHBw-Nb_sizrTcCCcGItXRp16vEMVGwlM - please check it manually.

I'm not sure where is the problem, here is the configuration file:

# Uncomment and modify any variables you need
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"`
# Set an email address associated with your account - generally set at account level rather than domain. ACCOUNT_EMAIL="[email protected]" ACCOUNT_KEY_LENGTH=4096 ACCOUNT_KEY="/root/.getssl/account.key" PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.example.com
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain. # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. # An ssh key will be needed to provide you with access to the remote server. # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge' 'ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge')
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the A$
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use #RELOAD_CMD="" # The time period within which you want to allow renewal of a certificate # this prevents hitting some of the rate limits. RENEW_ALLOW="30"
# Define the server type. This can either be a webserver, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS #VALIDATE_VIA_DNS="true" #DNS_ADD_COMMAND= #DNS_DEL_COMMAND= #AUTH_DNS_SERVER="" #DNS_WAIT=10 #DNS_EXTRA_WAIT=60`

Hopefully someone here can help with this issue.

Cannot verify ACL challenge

As I'm trying this I get:
getssl: for some reason could not reach http://domain.com/.well-known/acme-challenge/key - please check it manually

I can visit the page it provides just fine, and the domain has not had any DNS changes in weeks so there's no propagation. What is this using to verify the file, since visiting it in a browser works?

http-01-port support

Hello!

Its possible to support http-01-port protocol to allow non-80 port to be checked?

Thanks!

client-certificate generation

I don't know whether it is too much for getssl to ask for a client-certificate generation option using the created server-certificate. For example:
getssl -client yourdomain.com
or
getssl -client -p12 yourdomain.com
for a client-certificate in PKCS#12 format.

Performing something like this:
Client name?
mkdir -p /DOMAIN_DIR/clients/client_name
genrsa -des3 -out client_name.key
openssl req -new -key client_name.key -out client_name.req
openssl ca -cert /DOMAIN_DIR/DOMAIN.crt -keyfile /DOMAIN_DIR/DOMAIN.key -out client_name.crt -in client_name.req

If set -p12:
openssl pkcs12 -export -inkey client_name.key -name "client_name" -in client_name.crt -certfile /DOMAIN_DIR/DOMAIN.crt -out client_name.p12

issue with renew script using -q

If I run this:

/.scripts/getssl -u -a -q

I get some output that looks like its from apache, and then it exits:

Usage: apache2 [-D name] [-d directory] [-f file]
               [-C "directive"] [-c "directive"]
               [-k start|restart|graceful|graceful-stop|stop]
               [-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
  -D name            : define a name for use in <IfDefine name> directives
  -d directory       : specify an alternate initial ServerRoot
  -f file            : specify an alternate ServerConfigFile
  -C "directive"     : process directive before reading config files
  -c "directive"     : process directive after reading config files
  -e level           : show startup errors of level (see LogLevel)
  -E file            : log startup errors to file
  -v                 : show version number
  -V                 : show compile settings
  -h                 : list available command line options (this page)
  -l                 : list compiled in modules
  -L                 : list available configuration directives
  -t -D DUMP_VHOSTS  : show parsed vhost settings
  -t -D DUMP_RUN_CFG : show parsed run settings
  -S                 : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
  -t -D DUMP_MODULES : show all loaded modules 
  -M                 : a synonym for -t -D DUMP_MODULES
  -t                 : run syntax check for config files
  -T                 : start without DocumentRoot(s) check
  -X                 : debug mode (only one worker, do not detach)

If I remove -q , it still gives me that apache output, but it completes the check:

me@mine:~# ~/.scripts/getssl -u -a

Check all certificates
Usage: apache2 [-D name] [-d directory] [-f file]
               [-C "directive"] [-c "directive"]
               [-k start|restart|graceful|graceful-stop|stop]
               [-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
  -D name            : define a name for use in <IfDefine name> directives
  -d directory       : specify an alternate initial ServerRoot
  -f file            : specify an alternate ServerConfigFile
  -C "directive"     : process directive before reading config files
  -c "directive"     : process directive after reading config files
  -e level           : show startup errors of level (see LogLevel)
  -E file            : log startup errors to file
  -v                 : show version number
  -V                 : show compile settings
  -h                 : list available command line options (this page)
  -l                 : list compiled in modules
  -L                 : list available configuration directives
  -t -D DUMP_VHOSTS  : show parsed vhost settings
  -t -D DUMP_RUN_CFG : show parsed run settings
  -S                 : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
  -t -D DUMP_MODULES : show all loaded modules 
  -M                 : a synonym for -t -D DUMP_MODULES
  -t                 : run syntax check for config files
  -T                 : start without DocumentRoot(s) check
  -X                 : debug mode (only one worker, do not detach)
certificate for mydomain.com is still valid for more than 30 days (until Sep 30 18:01:00 2016 GMT)

Problem with SERVER_TYPE

There is a problem at line 712 that prevents setting the port for "other server".
The current line is
REMOTE_PORT=SERVER_TYPE
but should be
REMOTE_PORT=${SERVER_TYPE}

License clarification needed

The LICENSE file is GPLv2, but individual files say GPLv3 in the header.

Are GPLv2 terms available, or only v3 and later?

result from nslookup

Some times I've got error like this

nslookup: couldn't get address for 'ns1.domain.io
ns1.domain.io': not found

this because the command at line 1067 of the script returns two lines with the same DNS

Changing this line with
primary_ns=$(nslookup -type=soa "${d}" -debug=1 ${PUBLIC_DNS_SERVER} | os_grep origin | awk '{print $3}'|sort|uniq)
the problem will fix.

I work on linux, I don't submit a pull request beacuse I can't test the fix on different OSes

DNS Example

I cant seem to get DNS validation to work.
Im creating the txt records manually for now, for testing purposes and still.

Could you validate and provide an example config?

Stock install of OS X 10.11.6 does not contain ggrep, gsed, or gdate.

The get_os() function identifies Darwin correctly (i.e. os="mac") but the

if [[ "$os" == "mac" ]]; then
gdate "${@}"
else
date "${@}"
fi

check seems to be backwards. I do not know if ggrep, gsed, or gdate are ubiquitous on all other supported platforms. My initial thought is that all of the if [[ "$os" == "mac" ]]; checks can be done away with.

gets: Error registering account

I'm trying to get a certificate for s simple website, but obviously missed something along the way. I run
getssl -d valdez.seos.uvic.ca

and get a lot of messages (some of which I assume is private) and the script dies at:

HTTP/1.1 400 Bad Request
Seve: nginx
Content-Type: application/poblem+json
Content-Length: 96
Boulde-Request-Id: K38nGSwtV9FEDvdut4U_X0cLo2DxtcFt8y-miG0e7PM
Replay-Nonce: GzAWOzPm4nhwRBALTSGIZv966XcgikiVcqzOvB6xb0
Expies: Thu, 16 Jun 2016 18:30:34 GMT
Cache-Contol: max-age=0, no-cache, no-stoe
Pagma: no-cache
Date: Thu, 16 Jun 2016 18:30:34 GMT
Connection: close

response {
  "type": "urn:acme:error:malformed",
  "detail": "Parse error reading JWS",
  "status": 400
}
code 400
getssl: Error registering account

I could send the whole request, but maybe it is obvious that I've not done something correctly.

TEMP_DIR is defined multiple times and doesn't always clean up after itself.

repository description typo

in your repository description you have a typo: LetsEncryot

Create chained file

Would be nice to have file with certificates chain in addition to having chain and certificate separately.
It is basically just chain.crt appended to example.com.crt, but will allow to point web/mailserver right there and do not write boilerplate for copying files on every setup.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.