![Greenlock Logo](https://git.rootprojects.org/root/greenlock.js/raw/branch/master/logo/greenlock-1063x250.png "Greenlock Logo")

![Greenlock Function](https://git.rootprojects.org/root/greenlock.js/raw/branch/master/logo/from-not-secure-to-secure-url-bar.png "from url bar showing not secure to url bar showing secure")

# Greenlock™ for Web Servers | a [Root](https://rootprojects.org) project

Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple<br>
<small>certificates issued by Let's Encrypt v2 via [ACME](https://git.rootprojects.org/root/acme-v2.js)</small>

![Lifetime Downloads](https://img.shields.io/npm/dt/greenlock.svg "Lifetime Download Count can't be shown")
![Monthly Downloads](https://img.shields.io/npm/dm/greenlock.svg "Monthly Download Count can't be shown")
![Weekly Downloads](https://img.shields.io/npm/dw/greenlock.svg "Weekly Download Count can't be shown")
![Stackoverflow Questions](https://img.shields.io/stackexchange/stackoverflow/t/greenlock.svg "S.O. Question count can't be shown")

| **Greenlock for Web Servers**
| [Greenlock for Web Browsers](https://git.rootprojects.org/root/greenlock.html)
| [Greenlock for Express.js](https://git.rootprojects.org/root/greenlock-express.js)
| [Greenlock™.js](https://git.rootprojects.org/root/greenlock.js)
|

# Features
- [x] Commandline (cli) Certificate Manager (like certbot)
- [x] Integrated Web Server
- [x] Free SSL Certificates
- [x] Automatic certificate renewal before expiration
- [x] One-off standalone registration / renewal
- [x] On-the-fly registration / renewal via webroot
# Install
## Mac & Linux
Open Terminal and run this install script:
```bash
curl -fsS https://get.greenlock.app/ | bash
```

This will install greenlock to `/opt/greenlock` and put a symlink to
`/opt/greenlock/bin/greenlock` in `/usr/local/bin/greenlock` for convenience.
Piping a remote script straight into `bash` runs it unread; if you would rather
review it first, download it (`curl -fsS https://get.greenlock.app/ -o install.sh`),
inspect it, then run `bash install.sh`.
You can customize the installation:

```bash
export NODEJS_VER=v8.11.1
export GREENLOCK_PATH=/opt/greenlock
curl -fsS https://get.greenlock.app/ | bash
```
This will change which version of node.js is bundled with greenlock
and the path to which greenlock installs.
## Windows & Node.js
1. Install [node.js](https://nodejs.org)
2. Open _Node.js_
3. Run the command `npm install -g greenlock-cli`

# Usage
We have a few different examples of issuing SSL certificates:
* Standalone (testing): Issue a one-off certificate
* Webroot (production): Automatic certificate renewal for Apache, Nginx, HAProxy, etc
* Manual (debugging): Go through the certificate process step-by-step
<!-- * Server (production): Leave it all to Greenlock -->
**Important Note**: Staging vs Production
Each of these examples uses the **staging server**.

Once you've successfully gotten certificates with the staging server
you must **delete** `--config-dir` (i.e. `rm -rf ~/acme`) and then
switch to the **production server**. The certificates stored there are signed
by the staging CA, which browsers do not trust, and the account registered
there belongs to the staging directory, not the production one.

```
--acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
```

## Standalone

<small>**primarily for testing**</small>

You can run in standalone mode **on your server** and get a cert instantly.

Note: No other webserver may be running at the time, because greenlock binds
port 80 itself to answer the http-01 challenge (use Webroot mode for that).

```bash
sudo greenlock certonly --standalone \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com,www.example.com \
--community-member \
--config-dir ~/acme/etc
```
## WebRoot

<small>**for testing and production**</small>

With this method you must use **your existing http (port 80) server** (Apache, Nginx, HAProxy, etc).
You will specify the **path or template path** to your `public_html` or `www` webroot.

For example:

* I want to get an SSL cert for `example.com`
* `index.html` lives at `/srv/www/example.com`
* I would use this command:
```bash
sudo greenlock certonly --webroot \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com \
--community-member \
--root /srv/www/example.com \
--config-dir ~/acme/etc
```

Now let's say that

* I have many sites in `/srv/www/`, all by their name
* I already store my ssl certs in the format `/etc/apache/ssl/:hostname/{key.pem,ssl.crt}`
* I'll run this command instead:

```bash
sudo greenlock certonly --webroot \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com,whatever.com,foobar.net \
--community-member \
--root "/srv/www/:hostname" \
--privkey-path "/etc/apache/ssl/:hostname/key.pem" \
--fullchain-path "/etc/apache/ssl/:hostname/ssl.crt" \
--config-dir ~/acme/etc
```

### Run with cron

Those commands are safe to run **daily** with cron (switch `--acme-url` to the
production directory first).
The certificates will automatically renew `--renew-within` days before expiring
(10 by default; see Command Line Options), so on most days greenlock writes nothing.

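The following is an added example of such a cron job for the WebRoot mode above; it is not part of greenlock-cli. Before calling greenlock it drops a probe file into the webroot's `/.well-known/acme-challenge/` and fetches it over plain http, which catches the usual reasons webroot validation fails (a location block that hides dotfiles, a rewrite that swallows the path, the wrong webroot or `:hostname` expansion). Afterwards it reloads the web server only if `fullchain.pem` actually changed. The reload command, the `/etc/acme` config dir, `curl`, and the `logger` tag are assumptions; the `--community-member` opt-in shown in the examples is left out.

```bash
#!/bin/sh
# renew-certs.sh: daily cron wrapper around `greenlock certonly --webroot`.
# Added example, not part of greenlock-cli. Greenlock itself decides whether
# a renewal is due (--renew-within), so most daily runs write nothing.
#
# Assumptions (not from the README): nginx reloaded with `nginx -s reload`,
# certificates under /etc/acme/live/<hostname>/, curl available.
# Crontab line, for example:   0 3 * * *  /usr/local/sbin/renew-certs.sh renew
set -eu

DOMAINS="${DOMAINS:-example.com,www.example.com}"
WEBROOT="${WEBROOT:-/srv/www/:hostname}"        # greenlock template path
CONFIG_DIR="${CONFIG_DIR:-/etc/acme}"
ACME_URL="${ACME_URL:-https://acme-v02.api.letsencrypt.org/directory}"  # production
EMAIL="${EMAIL:-jon@example.com}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Expand greenlock's :hostname placeholder the way --root does:
# "/srv/www/:hostname" with example.com becomes /srv/www/example.com.
# A path without the placeholder is returned unchanged.
expand_webroot() {
    printf '%s' "$1" | sed "s|:hostname|$2|g"
}

# Write a probe file where an http-01 token would go and fetch it over http,
# following redirects like the CA does. Fails unless the server hands back
# exactly what we wrote. The probe is removed afterwards.
preflight_challenge_path() {
    _dir="$(expand_webroot "$WEBROOT" "$1")/.well-known/acme-challenge"
    _probe="probe-$$"
    mkdir -p "$_dir"
    printf 'ok-%s' "$$" > "$_dir/$_probe"
    _got=$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$_probe" || true)
    rm -f "$_dir/$_probe"
    [ "$_got" = "ok-$$" ]
}

# SHA-256 of a file, or empty if it does not exist yet (first issuance).
cert_fingerprint() {
    if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; else printf ''; fi
}

# fullchain.pem for the first name in a comma-separated --domains list,
# following greenlock's default :conf/live/:hostname/ layout.
primary_fullchain() {
    printf '%s/live/%s/fullchain.pem' "$2" "${1%%,*}"
}

renew() {
    _host="${DOMAINS%%,*}"
    preflight_challenge_path "$_host" || {
        logger -t renew-certs "http://$_host/.well-known/acme-challenge/ is not served from $WEBROOT; not renewing"
        return 1
    }

    _chain=$(primary_fullchain "$DOMAINS" "$CONFIG_DIR")
    _before=$(cert_fingerprint "$_chain")

    # Same command as the webroot example above, pointed at production.
    greenlock certonly --webroot \
        --acme-version draft-11 --acme-url "$ACME_URL" \
        --agree-tos --email "$EMAIL" --domains "$DOMAINS" \
        --root "$WEBROOT" \
        --config-dir "$CONFIG_DIR"

    if [ "$_before" != "$(cert_fingerprint "$_chain")" ]; then
        logger -t renew-certs "new certificate for $DOMAINS; reloading web server"
        $RELOAD_CMD
    else
        logger -t renew-certs "certificate for $DOMAINS unchanged; nothing to do"
    fi
}

# Only act when explicitly asked, so the functions above can be sourced and tested.
case "${1:-}" in
    renew) renew ;;
esac
```

Because of `set -e`, a failing greenlock run (or a failed preflight) exits non-zero, so cron mails you instead of silently reloading a server with stale files. Run it as the account that owns the webroot and the config dir rather than as root, as described under "Run without root" below.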
## Interactive (`--manual`)

<small>**primarily for debugging**</small>

The token (for all challenge types) and keyAuthorization (only for http-01)
will be printed to the screen and you will be given time to copy it wherever
(file, dns record, database, etc) and the process will complete once you hit `enter`.
For http-01 the keyAuthorization must be reachable at
`http://<domain>/.well-known/acme-challenge/<token>`; for dns-01 the printed value
goes in a `_acme-challenge.<domain>` TXT record.

```bash
sudo greenlock certonly --manual \
--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
--agree-tos --email jon@example.com --domains example.com \
--community-member \
--config-dir ~/acme/etc
```

# Certificate Locations

Then you can see your certs at `~/acme/etc/live`.

```
~/acme/etc/live/
└── example.com
    ├── cert.pem
    ├── chain.pem
    ├── fullchain.pem (Apache, Nginx, node.js)
    ├── privkey.pem (Apache, Nginx, node.js)
    └── bundle.pem (HAProxy)
```

`privkey.pem` and `bundle.pem` contain the private key; keep them readable only
by the account that runs your web server.
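An added example, not part of greenlock-cli, of the checks worth running on that directory after the first issuance and after each cron renewal: that `privkey.pem` belongs to `cert.pem`, that `cert.pem` was issued by the certificate in `chain.pem`, that the hostname you are about to serve appears in the certificate's SAN list, and that the certificate is not already inside the renewal window. It needs only the `openssl` command line; the script name and argument convention are assumptions.

```bash
#!/bin/sh
# check-cert.sh: sanity checks on the files greenlock writes to
# <config-dir>/live/<hostname>/. Added example, not part of greenlock-cli;
# needs only the openssl CLI.
#
#   check-cert.sh ~/acme/etc/live/example.com [hostname] [renew-within-days]
set -eu

# True if privkey.pem is the key for cert.pem: compare the DER-encoded public
# keys, which works for both RSA and ECDSA keys.
key_matches_cert() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    _key_pub=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum)
    [ "$_cert_pub" = "$_key_pub" ]
}

# True if cert.pem was issued by the certificate(s) in chain.pem.
# -partial_chain trusts chain.pem itself as the anchor, so this checks that the
# files fit together, not that the issuer is in the system trust store
# (for that, use: openssl verify -untrusted chain.pem cert.pem).
cert_chains_to() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if NAME is listed as a DNS subjectAltName (exact match; a wildcard
# entry does not count as covering a concrete hostname here).
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# True if the certificate expires within DAYS days, i.e. it is inside the
# renewal window and the cron job should already have replaced it.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check on one live/<hostname>/ directory; the exit status is the verdict.
check_live_dir() {
    _dir="$1"
    _host="${2:-$(basename "$1")}"
    _window="${3:-10}"   # greenlock's --renew-within default

    key_matches_cert "$_dir/cert.pem" "$_dir/privkey.pem" \
        || { echo "FAIL: privkey.pem does not match cert.pem"; return 1; }
    cert_chains_to "$_dir/cert.pem" "$_dir/chain.pem" \
        || { echo "FAIL: cert.pem was not issued by chain.pem"; return 1; }
    cert_covers_host "$_dir/cert.pem" "$_host" \
        || { echo "FAIL: cert.pem has no SAN for $_host"; return 1; }
    if expires_within_days "$_dir/cert.pem" "$_window"; then
        echo "FAIL: cert.pem expires within $_window days; renewal is overdue"
        return 1
    fi
    echo "OK: $_dir is a consistent, current certificate for $_host"
}

# Only act when given a directory, so the functions can be sourced and tested.
if [ -n "${1:-}" ]; then
    check_live_dir "$@"
fi
```

A non-zero exit means the files in `live/` should not be handed to the web server; wire it into the cron wrapper (after the greenlock call) or a monitoring check so a half-written or mismatched key/cert pair is noticed before a reload.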

## Run without root (no sudo)

`sudo` is used to allow greenlock to use port 80 and write to httpd-owned directories.

Allow greenlock to bind on system ports without root:

```bash
sudo setcap cap_net_bind_service=+ep /opt/greenlock/bin/node
```

To allow greenlock to write to folders owned by another user, run it as that user
(e.g. `sudo -u <httpd-user> greenlock ...`).
Otherwise, you can change the permissions on the folders, which is
**probably a BAD IDEA** and a **security risk**: whoever controls that account
can then read every private key under `/etc/ssl`.
But since some of you are going to do it anyway I might as well tell you how:

```
# PROBABLY A BAD IDEA
sudo chown -R $(whoami) /etc/ssl /etc/acme
```


# Command Line Options

```
Usage:
  greenlock [OPTIONS] [ARGS]

Options:
  --acme-version [STRING]   'draft-11' for Let's Encrypt v2 or 'v01' for Let's Encrypt v1. (default: null)
  --acme-url [URL]          Directory URL for ACME API. Let's Encrypt URLs are:
                              draft-11
                                https://acme-staging-v02.api.letsencrypt.org/directory
                                https://acme-v02.api.letsencrypt.org/directory
                              v01
                                https://acme-staging.api.letsencrypt.org/directory
                                https://acme-v01.api.letsencrypt.org/directory

  --email EMAIL             Email used for registration and recovery contact. (default: null)
  --agree-tos BOOLEAN       Agree to the Let's Encrypt Subscriber Agreement
  --community-member        Submit stats to and receive updates from Greenlock

  --domains HOSTNAME        Domain names to apply. For multiple domains you can enter a comma
                            separated list of domains as a parameter. (default: [])

  --renew-within [NUMBER]   Renew certificates this many days before expiry. (default: 10)

  --cert-path STRING        Path to where new cert.pem is saved
                            (Default is :conf/live/:hostname/cert.pem)
  --fullchain-path [STRING] Path to where new fullchain.pem (cert + chain) is saved
                            (Default is :conf/live/:hostname/fullchain.pem)
  --chain-path [STRING]     Path to where new chain.pem is saved
                            (Default is :conf/live/:hostname/chain.pem)
  --bundle-path [STRING]    Path to where new bundle.pem (fullchain + privkey) is saved
                            (Default is :conf/live/:hostname/bundle.pem)
  --domain-key-path STRING  Path to privkey.pem to use for domain (default: generate new)
  --account-key-path STRING Path to privkey.pem to use for account (default: generate new)
  --config-dir STRING       Configuration directory. (Default is ~/letsencrypt/etc/)

  --http-01-port [NUMBER]   Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
                            (must be 80 with most production servers)
  --dns-01                  Use DNS-01 challenge type.
  --standalone [BOOLEAN]    Obtain certs using a "standalone" webserver. (Default is true)
  --manual [BOOLEAN]        Print the token and key to the screen and wait for you to hit enter,
                            giving you time to copy it somewhere before continuing. (Default is false)
  --debug BOOLEAN           show traces and logs

  -h, --help                Display help and usage details
```

# Certbot Command Line Options

These options are maintained for compatibility with certbot:

```
  --server [STRING]         ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory)
  --duplicate BOOLEAN       Allow getting a certificate that duplicates an existing one/is
                            an early renewal.
  --webroot BOOLEAN         Obtain certs by placing files in a webroot directory.
  --webroot-path STRING     public_html / webroot path.
```

Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.

# Legal & Rules of the Road

Bluecrypt™ and Greenlock™ are [trademarks](https://rootprojects.org/legal/#trademark) of AJ ONeal

The rule of thumb is "attribute, but don't confuse". For example:

> Built with [Greenlock CLI](https://git.rootprojects.org/root/greenlock-cli.js) (a [Root](https://rootprojects.org) project).

Please [contact us](mailto:aj@therootcompany.com) if you have any questions in regards to our trademark,
attribution, and/or visible source policies. We want to build great software and a great community.

[Greenlock™](https://git.rootprojects.org/root/greenlock.js) |
MPL-2.0 |
[Terms of Use](https://therootcompany.com/legal/#terms) |
[Privacy Policy](https://therootcompany.com/legal/#privacy)