# letsencrypt-cli (for node.js)

CLI for node-letsencrypt modeled after the official client.

* Free SSL Certificates
* 90-day certificate lifetime
* One-off standalone registration / renewal
* On-the-fly registration / renewal via webroot

## Install Node

For **Windows**:

Choose **Stable** from <https://nodejs.org/en/>

For **Linux** and **OS X**:

```
curl -L bit.ly/iojs-min | bash
```

## Install LetsEncrypt

```bash
npm install -g letsencrypt-cli
```

## Usage

These commands are shown using the **testing server**.

Want to use the **live server**?

1. Remove the `--server https://acme-staging.api.letsencrypt.org/directory` option
2. Or change it to `--server https://acme-v01.api.letsencrypt.org/directory`

**Note**: This has really only been tested with single domains, so if
multiple domains don't work for you, file a bug.

### Standalone

You can run in standalone mode to get a cert **on the server** you will be
using it for, over ports **80 and 443 (or 5001)**, like so:

```bash
letsencrypt certonly \
  --agree-tos --email john.doe@example.com \
  --standalone \
  --domains example.com,www.example.com \
  --server https://acme-staging.api.letsencrypt.org/directory \
  --config-dir ~/letsencrypt/etc
```

Then you can see your certs at `~/letsencrypt/etc/live`.

```
ls ~/letsencrypt/etc/live
```

This option is great for testing, but since it requires the use of
the same ports that your webserver needs, it isn't a good choice
for production.

### WebRoot (for production)

You can specify the path to where you keep your `index.html` with `webroot`.

For example, if I want to get a cert for `example.com` and my `index.html` is
at `/srv/www/example.com`, then I would use this command:

```bash
sudo letsencrypt certonly \
  --agree-tos --email john.doe@example.com \
  --webroot --webroot-path /srv/www/example.com \
  --config-dir /etc/letsencrypt \
  --domains example.com,www.example.com \
  --server https://acme-staging.api.letsencrypt.org/directory
```

Note that we use `sudo` because in this example we are using `/etc/letsencrypt`
as the cert directory rather than `~/letsencrypt/etc`, which we used in the previous example.

Then see your brand new shiny certs:

```
ls /etc/letsencrypt/live/
```

You can use a cron job to run the script above every 80 days (the certificates expire after 90 days)
so that you always have fresh certificates.
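
Cron has no "every 80 days" schedule, so one approach is a daily job that re-runs the command only when the installed cert is within 10 days of expiry. The script below is an added example, not part of letsencrypt-cli; the script and log paths, the 10-day window, and the assumption that the cert is stored under `live/<first domain>/cert.pem` are illustrative.

```bash
#!/bin/sh
# Added example (not from letsencrypt-cli): renew only when the cert is
# close to expiry. Paths, window and schedule are assumptions.

CONFIG_DIR="${CONFIG_DIR:-/etc/letsencrypt}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-10}"   # 90-day lifetime, renew near day 80

# Returns 0 (renew) when the cert is missing, unreadable, unparsable,
# or expires within $2 days; returns 1 when it is still fresh.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    # -checkend exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Same webroot command as above, guarded by the expiry check.
# Assumes the cert for "example.com,www.example.com" lives under live/example.com/.
renew() {
    domain="$1"; webroot="$2"
    if needs_renewal "$CONFIG_DIR/live/$domain/cert.pem" "$RENEW_WINDOW_DAYS"; then
        letsencrypt certonly \
            --agree-tos --email john.doe@example.com \
            --webroot --webroot-path "$webroot" \
            --config-dir "$CONFIG_DIR" \
            --domains "$domain,www.$domain" \
            --server https://acme-staging.api.letsencrypt.org/directory
    fi
}

# Hypothetical crontab entry (root), once a day:
#   17 3 * * * /usr/local/sbin/le-renew.sh --run >>/var/log/le-renew.log 2>&1
if [ "${1:-}" = "--run" ]; then
    renew example.com /srv/www/example.com
fi
```

A failed run is retried the next day, which leaves about ten attempts before the certificate actually expires.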

## Test with a free domain

```bash
# Install Daplie DNS
npm install -g ddns-cli

# see terms of use
ddns --help

# agree to terms and get domain
ddns --random --email user@example.com --agree

# the default is to use the ip address from which
# you ran the command, but you can also assign the
# ip manually
ddns --random --email user@example.com --agree -a '127.0.0.1'
```

Example domain:

```
rubber-duck-42.daplie.me
```

## Run without Root

If you'd like to allow node.js to use privileged ports `80` and `443`
(and everything under 1024 really) without being run as `root` or `sudo`,
you can use `setcap` to do so. (It may need to be run again any time you reinstall node.)

```bash
sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
```

By default `node-letsencrypt` assumes your home directory `~/letsencrypt/`, but if
you really want to use `/etc/letsencrypt`, `/var/lib/letsencrypt/`, and `/var/log/letsencrypt`
you could change the permissions on them. **Probably a BAD IDEA**. Probably a security risk.

```
# PROBABLY A BAD IDEA
sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
```
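
Whichever directory ends up holding the certs, it is worth checking that the private keys inside are not readable or replaceable by other accounts. This audit is an added example, not part of letsencrypt-cli; it assumes private keys are stored as `privkey*.pem` under the config directory.

```bash
#!/bin/sh
# Added example (not from letsencrypt-cli): audit private-key exposure
# under a config directory. Assumes keys are named privkey*.pem.

# Print key files that group/other can read or write, or that are
# owned by someone other than the invoking user.
audit_keys() {
    find "$1" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \
           -o ! -user "$(id -u)" \) -print
}

# Print directories that group/other can write to; anyone who can
# write there can swap a key or cert file for their own.
audit_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Tighten only what the invoking user owns: drop group/other write on
# directories and set key files to 0600. Files owned by someone else
# are left alone and keep showing up in audit_keys.
harden() {
    find "$1" -user "$(id -u)" -type d -exec chmod go-w {} +
    find "$1" -user "$(id -u)" -type f -name 'privkey*.pem' -exec chmod 600 {} +
}

# Usage: audit-le.sh --audit [CONFIG_DIR]   (default: ~/letsencrypt/etc)
if [ "${1:-}" = "--audit" ]; then
    audit_keys "${2:-$HOME/letsencrypt/etc}"
    audit_dirs "${2:-$HOME/letsencrypt/etc}"
fi
```

Empty output from both audit functions means no finding; any path printed is a key or directory to fix before the cert goes into service.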

## Command line Options

```
Usage:
  letsencrypt [OPTIONS] [ARGS]

Options:
      --email EMAIL             Email used for registration and recovery contact. (default: null)

      --domains URL             Domain names to apply. For multiple domains you can enter a comma
                                separated list of domains as a parameter. (default: [])

      --duplicate BOOLEAN       Allow getting a certificate that duplicates an existing one

      --agree-tos BOOLEAN       Agree to the Let's Encrypt Subscriber Agreement

      --debug BOOLEAN           show traces and logs

      --tls-sni-01-port NUMBER  Port number to perform tls-sni-01 challenge.
                                Boulder in testing mode defaults to 5001. (default: 443 and 5001)

      --http-01-port [NUMBER]   Port used in the SimpleHttp challenge. (Default is 80)

      --rsa-key-size [NUMBER]   Size (in bits) of the RSA key. (Default is 2048)

      --cert-path STRING        Path to where new cert.pem is saved
                                (Default is :conf/live/:hostname/cert.pem)

      --fullchain-path [STRING] Path to where new fullchain.pem (cert + chain) is saved
                                (Default is :conf/live/:hostname/fullchain.pem)

      --chain-path [STRING]     Path to where new chain.pem is saved
                                (Default is :conf/live/:hostname/chain.pem)

      --domain-key-path STRING  Path to privkey.pem to use for domain (default: generate new)

      --config-dir STRING       Configuration directory. (Default is ~/letsencrypt/etc/)

      --server [STRING]         ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))

      --standalone [BOOLEAN]    Obtain certs using a "standalone" webserver. (Default is true)

      --webroot BOOLEAN         Obtain certs by placing files in a webroot directory.

      --webroot-path STRING     public_html / webroot path.

  -h, --help                    Display help and usage details
```

Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.