From 658e7543a0b675c595fe6d93fd9177b77a430a93 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Wed, 16 May 2018 01:29:58 +0000 Subject: [PATCH] update docs, update to greenlock-v2.2.x --- README.md | 267 ++++++++++++++++++++++++++++------------------- bin/greenlock.js | 93 ++++++++++------- index.js | 56 ++++------ installer/get.sh | 128 +++++++++++++++++++++++ lib/servers.js | 13 ++- package.json | 15 +-- 6 files changed, 376 insertions(+), 196 deletions(-) create mode 100644 installer/get.sh diff --git a/README.md b/README.md index 295321f..1c27729 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple
!["Lifetime Downloads"](https://img.shields.io/npm/dt/greenlock.svg "Lifetime Download Count can't be shown") !["Monthly Downloads"](https://img.shields.io/npm/dm/greenlock.svg "Monthly Download Count can't be shown") !["Weekly Downloads"](https://img.shields.io/npm/dw/greenlock.svg "Weekly Download Count can't be shown") +!["Stackoverflow Questions"](https://img.shields.io/stackexchange/stackoverflow/t/greenlock.svg "S.O. Question count can't be shown") | Sponsored by [ppl](https://ppl.family) | **Greenlock for Web Servers** 
@@ -26,168 +27,202 @@ Features - [x] One-off standalone registration / renewal - [x] On-the-fly registration / renewal via webroot -## Install Node +Install +======= -For **Windows**: +Mac & Linux +----------- -Choose **Stable** from - -For Linux and **OS X**: - -``` -curl -L bit.ly/nodejs-min | bash -``` - -# Install Greenlock +Open Terminal and run this install script: ```bash -npm install -g greenlock-cli@2.x +curl -fsS https://get.greenlock.app/ | bash ``` -## Usage +This will install greenlock to `/opt/greenlock` and put a symlink to +`/opt/greenlock/bin/greenlock` in `/usr/local/bin/greenlock` for convenience. -These commands are shown using the **testing server**. - -Want to use the **live server**? - -1. change server to `--server https://acme-v01.api.letsencrypt.org/directory` - -**Note**: This has really only been tested with single domains so if -multiple domains doesn't work for you, file a bug. - -### Standalone (primarily for testing) - -You can run standalone mode to get a cert **on the server**. You either use an -http-01 challenge (the default) on port 80. Like so: +You can customize the installation: ```bash -greenlock certonly \ - --agree-tos --email john.doe@example.com \ - --standalone \ - --domains example.com,www.example.com \ - --server https://acme-staging.api.letsencrypt.org/directory \ - --config-dir ~/letsencrypt/etc +export NODEJS_VER=v8.11.1 +export GREENLOCK_PATH=/opt/greenlock +curl -fsS https://get.greenlock.app/ | bash ``` -Then you can see your certs at `~/letsencrypt/etc/live`. +This will change which version of node.js is bundled with greenlock +and the path to which greenlock installs. + +Windows & Node.js +----------------- + +1. Install [node.js](https://nodejs.org) +2. Open _Node.js_ +2. 
Run the command `npm install -g greenlock-cli` + +Usage +===== + +We have a few different examples of issuing SSL certificates: + +* Standalone (testing): Issue a one-off certificate +* Webroot (production): Automatic certificate renewal for Apache, Nginx, HAProxy, etc +* Manual (debugging): Go through the certificate proccess step-by-step + + +**Important Note**: Staging vs Production + +Each of these examples are using the **staging server**. + +Once you've successfully gotten certificates with the staging server +you must **delete** `--config-dir` (i.e. `rm -rf ~/acme`) and then +switch to the **production server**. ``` -ls ~/letsencrypt/etc/live +--acme-version draft-11 --server https://acme-v02.api.letsencrypt.org/directory \ ``` -This option is great for testing, but since it requires the use of -the same ports that your webserver needs, it isn't a good choice -for production. +## Standalone -### WebRoot +**primarily for testing** -You can specify the path to where you keep your `index.html` with `webroot`, as -long as your server is serving plain HTTP on port 80. +You can run in standalone mode **on your server** and get a cert instantly. -For example, if I want to get a domain for `example.com` and my `index.html` is -at `/srv/www/example.com`, then I would use this command: +Note: No other webserver may be running at the time (use Webroot mode for that). 
```bash -sudo greenlock certonly \ - --agree-tos --email john.doe@example.com \ - --webroot --webroot-path /srv/www/example.com \ - --config-dir /etc/letsencrypt \ - --domains example.com,www.example.com \ - --server https://acme-staging.api.letsencrypt.org/directory +sudo greenlock certonly --standalone \ + --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \ + --agree-tos --email jon@example.com --domains example.com,www.example.com \ + --community-member \ + --config-dir ~/acme/etc ``` -Note that we use `sudo` because in this example we are using `/etc/letsencrypt` -as the cert directory rather than `~/letsencrypt/etc`, which we used in the previous example. +## WebRoot -Then see your brand new shiny certs: +**for testing and production** -``` -ls /etc/letsencrypt/live/ +With this method you must use **your existing http (port 80) server** (Apache, Nginx, HAProxy, etc). +You will specify the **path or template path** to your `public_html` or `www` webroot. + +For example: + + * I want to get an SSL cert for `example.com` + * `index.html` lives at `/srv/www/example.com` + * I would use this command: + +```bash +sudo greenlock certonly --webroot \ + --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \ + --agree-tos --email jon@example.com --domains example.com \ + --community-member \ + --root /srv/www/example.com \ + --config-dir ~/acme/etc ``` -You can use a cron job to run the script above every 80 days (the certificates expire after 90 days) -so that you always have fresh certificates. 
+Now let's say that -### Interactive (for debugging) + * I have many sites in `/srv/www/`, all by their name + * I already store my ssl certs in the format `/etc/apache/ssl/:hostname/{key.pem,ssl.crt}` + * I'll run this command instead: + +```bash +sudo greenlock certonly --webroot \ + --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \ + --agree-tos --email jon@example.com --domains example.com,whatever.com,foobar.net \ + --community-member \ + --root "/srv/www/:hostname" \ + --privkey-path "/etc/apache/ssl/:hostname/key.pem" \ + --fullchain-path "/etc/apache/ssl/:hostname/ssl.crt" \ + --config-dir ~/acme/etc +``` + +### Run with cron + +Those commands are safe to be run **daily** with cron. +The certificates will automatically renew 2 weeks before expiring. + +## Interactive + +**primarily for debugging** The token (for all challenge types) and keyAuthorization (only for https-01) will be printed to the screen and you will be given time to copy it wherever (file, dns record, database, etc) and the process will complete once you hit `enter`. ```bash -sudo greenlock certonly \ - --agree-tos --email john.doe@example.com \ - --manual - --config-dir /etc/letsencrypt \ - --domains example.com,www.example.com \ - --server https://acme-staging.api.letsencrypt.org/directory +sudo greenlock certonly --manual \ + --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \ + --agree-tos --email jon@example.com --domains example.com \ + --community-member \ + --config-dir ~/acme/etc ``` -## Test with a free domain +Certificate Locations +===================== +Then you can see your certs at `~/acme/etc/live`. 
+ +``` +~/acme/etc/ +└── example.com + ├── cert.pem + ├── chain.pem + ├── fullchain.pem (Apache, Nginx, node.js) + ├── privkey.pem (Apache, Nginx, node.js) + └── bundle.pem (HAProxy) +``` + + +## Run without root (no sudo) + +`sudo` is used to allow greenlock to use port 80 and write to httpd-owned directories. + +Allow greenlock to bind on system ports without root: ```bash -# Install Daplie DNS -npm install -g ddns-cli - -# see terms of use -ddns --help - -# agree to terms and get domain -ddns --random --email user@example.com --agree - -# the default is to use the ip address from which -# you can the command, but you can also assign the -# ip manually -ddns --random --email user@example.com --agree -a '127.0.0.1' +sudo setcap cap_net_bind_service=+ep /opt/greenlock/bin/node ``` -Example domain: +To allow greenlock to write to folders owned by another user, set it to run as that user. -``` -rubber-duck-42.daplie.me -``` - -## Run without Root - -If you'd like to allow node.js to use privileged ports `80` and `443` -(and everything under 1024 really) without being run as `root` or `sudo`, -you can use `setcap` to do so. (it may need to be run any time you reinstall node as well) - -```bash -sudo setcap cap_net_bind_service=+ep /usr/local/bin/node -``` - -By default `node-greenlock` assumes your home directory `~/letsencrypt/`, but if -you really want to use `/etc/letsencrypt`, `/var/lib/letsencrypt/`, and `/var/log/letsencrypt` -you could change the permissions on them. **Probably a BAD IDEA**. Probabry a security risk. +Otherwise, you can change the permissions on the folders, which is +**probably a BAD IDEA**. Probabry a **security risk**. 
+But since some of you are going to do it anyway I might as well tell you how: ``` # PROBABLY A BAD IDEA -sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt +sudo chown -R $(whoami) /etc/ssl /etc/acme ``` -## Command Line Options +Command Line Options +==================== ``` Usage: greenlock [OPTIONS] [ARGS] Options: - --server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory)) + --acme-version [STRING] 'draft-11' for Let's Encrypt v2 or 'v01' for Let's Encrypt v1. (default: null) + + --acme-url [URL] Directory URL for ACME API. Let's Encrypt URLs are: + draft-11 + https://acme-staging-v02.api.letsencrypt.org/directory + https://acme-v02.api.letsencrypt.org/directory + + v01 + https://acme-staging.api.letsencrypt.org/directory + https://acme-v01.api.letsencrypt.org/directory --email EMAIL Email used for registration and recovery contact. (default: null) --agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement - --domains URL Domain names to apply. For multiple domains you can enter a comma + --community-member Submit stats to and receive updates from Greenlock + + --domains HOSTNAME Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: []) - --renew-within [NUMBER] Renew certificates this many days before expiry. (default: 7) - - --duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is - an early renewal. - - --rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048) + --renew-within [NUMBER] Renew certificates this many days before expiry. (default: 10) --cert-path STRING Path to where new cert.pem is saved (Default is :conf/live/:hostname/cert.pem) 
@@ -198,6 +233,9 @@ Options: --chain-path [STRING] Path to where new chain.pem is saved (Default is :conf/live/:hostname/chain.pem) + --bundle-path [STRING] Path to where new bundle.pem (fullchain + privkey) is saved + (Default is :conf/live/:hostname/bundle.pem) + --domain-key-path STRING Path to privkey.pem to use for domain (default: generate new) --account-key-path STRING Path to privkey.pem to use for account (default: generate new) @@ -214,13 +252,26 @@ Options: --manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing. (Default is false) - --webroot BOOLEAN Obtain certs by placing files in a webroot directory. - - --webroot-path STRING public_html / webroot path. - --debug BOOLEAN show traces and logs -h, --help Display help and usage details ``` + +Certbot Command Line Options +============================ + +These options are maintained for compatability with certbot: + +``` + --server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory)) + + --duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is + an early renewal. + + --webroot BOOLEAN Obtain certs by placing files in a webroot directory. + + --webroot-path STRING public_html / webroot path. +``` + Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page. diff --git a/bin/greenlock.js b/bin/greenlock.js index a0c273b..cde6b36 100755 --- a/bin/greenlock.js +++ b/bin/greenlock.js 
@@ -5,49 +5,67 @@ var cli = require('cli'); var mkdirp = require('mkdirp'); cli.parse({ - server: [ false, " ACME Directory Resource URI.", 'string', '' ] -, email: [ false, " Email used for registration and recovery contact. (default: null)", 'email' ] + 'acme-version': + [ false, " ACME / Let's Encrypt version. v01 or draft-11 (aka v02)", 'string', 'draft-11' ] +, 'acme-url': + [ false, " ACME Directory Resource URL", 'string', '' ] +, email: + [ false, " Email used for registration and recovery contact. (default: null)", 'email' ] , 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ] -, domains: [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ] +, 'community-member': [ false, " Submit stats to and get updates from Greenlock", 'boolean', false ] +, domains: + [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. 
(default: [])", 'string' ] , 'renew-within': [ false, " Renew certificates this many days before expiry", 'int', 7 ] -, duplicate: [ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ] -, 'rsa-key-size': [ false, " Size (in bits) of the RSA key.", 'int', 2048 ] -, 'cert-path': [ false, " Path to where new cert.pem is saved", 'string',':configDir/live/:hostname/cert.pem' ] -, 'fullchain-path': [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string', ':configDir/live/:hostname/fullchain.pem' ] -, 'chain-path': [ false, " Path to where new chain.pem is saved", 'string', ':configDir/live/:hostname/chain.pem' ] -, 'domain-key-path': [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ] -, 'account-key-path': [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ] -, 'config-dir': [ false, " Configuration directory.", 'string', '~/letsencrypt/etc/' ] -, 'tls-sni-01-port': [ false, " Use TLS-SNI-01 challenge type with this port (only port 443 is valid with most production servers)", 'int' ] +, 'cert-path': + [ false, " Path to where new cert.pem is saved", 'string' + , ':configDir/live/:hostname/cert.pem' ] +, 'fullchain-path': + [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string' + , ':configDir/live/:hostname/fullchain.pem' ] +, 'bundle-path': + [ false, " Path to where new bundle.pem (fullchain + privkey) is saved", 'string' + , ':configDir/live/:hostname/bundle.pem' ] +, 'chain-path': + [ false, " Path to where new chain.pem is saved", 'string' + , ':configDir/live/:hostname/chain.pem' ] +, 'privkey-path': + [ false, " Path to where privkey.pem is saved", 'string' + , ':configDir/live/:hostname/privkey.pem' ] +, 'config-dir': + [ false, " Configuration directory.", 'string' + , '~/letsencrypt/etc/' ] , 'http-01-port': [ false, " Use HTTP-01 challenge type with this port (only port 80 is valid with most 
production servers) (default: 80)", 'int' ] , 'dns-01': [ false, " Use DNS-01 challange type", 'boolean', false ] , standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ] , manual: [ false, " Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (default: false)", 'boolean', false ] -, webroot: [ false, " Obtain certs by placing files in a webroot directory.", 'boolean', false ] -, 'webroot-path': [ false, " public_html / webroot path.", 'string' ] -, hooks: [ false, " Obtain certs with hooks that configure a webserver to meet TLS-SNI-01 challenges.", 'boolean', false ] -, 'hooks-path': [ false, " Path in which to store files for hooks.", 'string' ] -, 'hooks-server': [ false, " Type of webserver to configure.", 'string' ] -, 'hooks-template': [ false, " Template to use for hooks configuration file.", 'string' ] -, 'hooks-bind': [ false, " IP address to use in configuration for hooks.", 'string' ] -, 'hooks-port': [ false, " Port to use in configuration for hooks.", 'string' ] -, 'hooks-webroot': [ false, " Webroot to use in configuration for hooks (e.g. empty dir).", 'string' ] -, 'hooks-pre-enable': [ false, " Hook to check the webserver configuration prior to enabling.", 'string' ] -, 'hooks-enable': [ false, " Hook to enable the webserver configuration.", 'string' ] -, 'hooks-pre-reload': [ false, " Hook to check the webserver configuration prior to reloading.", 'string' ] -, 'hooks-reload': [ false, " Hook to reload the webserver.", 'string' ] -, 'hooks-disable': [ false, " Hook to disable the webserver configuration.", 'string' ] -//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. 
(default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01'] , debug: [ false, " show traces and logs", 'boolean', false ] -, 'work-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/lib/' ] -, 'logs-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/log/' ] +, 'root': [ false, " public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)", 'string' ] + +// +// backwards compat +// +, duplicate: + [ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ] +, 'rsa-key-size': + [ false, " Size (in bits) of the RSA key.", 'int', 2048 ] +, server: + [ false, " alias of acme-url for certbot compatibility", 'string', '' ] +, 'domain-key-path': + [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ] +, 'account-key-path': + [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ] +, webroot: [ false, " for certbot compatibility", 'boolean', false ] +, 'webroot-path': [ false, "alias of '--root' for certbot compatibility", 'string' ] +//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01'] +, 'work-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/lib/' ] +, 'logs-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/log/' ] }); // ignore certonly and extraneous arguments cli.main(function(_, options) { console.log(''); var args = {}; - var homedir = require('homedir')(); + var homedir = require('os').homedir(); Object.keys(options).forEach(function (key) { var val = options[key]; 
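Review bot: The `'renew-within'` option keeps its code default of `7` in this hunk while the README hunk in the same commit documents `(default: 10)`, and `'acme-version'` defaults to `'draft-11'` here while the README says `(default: null)`; one of the two sides should change so the help text and the behaviour agree. Because `'acme-version'` always has a value, the `!args.acmeVersion` branch of the usage check in the next hunk can never fire from the command line, which is worth a short comment if the default is intentional, e.g. `// default means the --acme-version usage check only matters for programmatic callers`. The `cli.parse({...})` object and the `cli.main` callback both continue outside this hunk.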
@@ -74,20 +92,15 @@ cli.main(function(_, options) { args.domains = args.domains.split(','); } - if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos) { - console.error("\nUsage: greenlock certonly --standalone --domains example.com --email user@example.com --agree-tos"); + if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos || !args.acmeVersion || (!args.server && !args.acmeUrl)) { + console.error("\nUsage:\n\ngreenlock certonly --standalone \\"); + console.error("\t--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \\"); + console.error("\t--agree-tos --email user@example.com --domains example.com \\"); + console.error("\t--config-dir ~/acme/etc \\"); console.error("\nSee greenlock --help for more details\n"); return; } - if (args.tlsSni01Port) { - // [@agnat]: Coerce to string. cli returns a number although we request a string. - args.tlsSni01Port = "" + args.tlsSni01Port; - args.tlsSni01Port = args.tlsSni01Port.split(',').map(function (port) { - return parseInt(port, 10); - }); - } - if (args.http01Port) { // [@agnat]: Coerce to string. cli returns a number although we request a string. args.http01Port = "" + args.http01Port; diff --git a/index.js b/index.js index 95c5c57..6dc2f4d 100644 --- a/index.js +++ b/index.js @@ -2,22 +2,21 @@ var DAY = 24 * 60 * 60 * 1000; -var LE = require('greenlock'); +var Greenlock = require('greenlock'); module.exports.run = function (args) { var leChallenge; var leStore; var servers; var USE_DNS = {}; - var challengeType; + + args.acmeUrl = args.server = (args.acmeUrl || args.server); + args.root = args.webrootPath = (args.root || args.webrootPath); if (args.dns01) { challengeType = 'dns-01'; args.webrootPath = ''; args.standalone = USE_DNS; - } else if (args.tlsSni01Port || args.hooks) { - challengeType = 'tls-sni-01'; - args.webrootPath = ''; } else /*if (args.http01Port)*/ { challengeType = 'http-01'; } 
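Review bot: The enlarged usage check still exits the callback with a plain `return;`, so a misconfigured invocation (for example a cron job that forgot `--acme-url`) ends with exit status 0 and looks like success to the caller. Set a failure status before returning, `process.exitCode = 1;` on the line before `return;`, so scripts and cron can detect the error. The `cli.main` callback continues outside this hunk.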
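Review bot: The `var challengeType;` declaration is removed in this hunk, but `challengeType = 'dns-01'` and `challengeType = 'http-01'` are still assigned here and the value is read later in `run` (`leChallenges[challengeType]`, `challengeType: challengeType`). Unless it is declared somewhere outside the hunk, that makes `challengeType` an implicit global, or a ReferenceError if the file runs in strict mode; keep `var challengeType;` next to the other `var` declarations. `module.exports.run` continues past the end of this hunk.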
@@ -25,57 +24,43 @@ module.exports.run = function (args) { if (args.manual) { leChallenge = require('le-challenge-manual').create({}); } - else if (args.hooks) { - leChallenge = require('le-challenge-hooks').create({ - hooksPath: args.hooksPath - , hooksServer: args.hooksServer - , hooksTemplate: args.hooksTemplate - , hooksBind: args.hooksBind - , hooksPort: args.hooksPort - , hooksWebroot: args.hooksWebroot - , hooksPreEnable: args.hooksPreEnable - , hooksEnable: args.hooksEnable - , hooksPreReload: args.hooksPreReload - , hooksReload: args.hooksReload - , hooksDisable: args.hooksDisable - }); - } else if (args.webrootPath) { // webrootPath is all that really matters here // TODO rename le-challenge-fs to le-challenge-webroot leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath }); } - else if (args.tlsSni01Port) { - leChallenge = require('le-challenge-sni').create({}); - servers = require('./lib/servers').create(leChallenge); - } else if (USE_DNS !== args.standalone) { leChallenge = require('le-challenge-standalone').create({}); servers = require('./lib/servers').create(leChallenge); } - var privkeyPath = args.domainKeyPath || ':configDir/live/:hostname/privkey.pem'; //args.privkeyPath + var privkeyPath = args.privkeyPath || args.domainKeyPath || ':configDir/live/:hostname/privkey.pem'; //args.privkeyPath leStore = require('le-store-certbot').create({ configDir: args.configDir , privkeyPath: privkeyPath , fullchainPath: args.fullchainPath , certPath: args.certPath , chainPath: args.chainPath - , webrootPath: args.webrootPath + , bundlePath: args.bundlePath + , webrootPath: args.root , domainKeyPath: args.domainKeyPath , accountKeyPath: args.accountKeyPath }); - if (!args.server) { - throw new Error("You must specify a server to use with --server"); + if (!args.acmeUrl) { + throw new Error("You must specify the ACME server url with --acme-url"); + } + if (!args.acmeVersion) { + throw new Error("You must specify the ACME API version with 
--acme-version"); } - // let LE know that we're handling standalone / webroot here + // let Greenlock know that we're handling standalone / webroot here var leChallenges = {}; leChallenges[challengeType] = leChallenge; - var le = LE.create({ + var greenlock = Greenlock.create({ debug: args.debug - , server: args.server + , server: args.acmeUrl + , version: args.acmeVersion , store: leStore , challenges: leChallenges , renewWithin: args.renewWithin * DAY @@ -86,7 +71,7 @@ module.exports.run = function (args) { if (args.tlsSni01Port) { servers.startServers( [], args.tlsSni01Port - , { debug: args.debug, httpsOptions: le.httpsOptions } + , { debug: args.debug, tlsOptions: greenlock.tlsOptions } ); } else { @@ -98,10 +83,11 @@ module.exports.run = function (args) { } // Note: can't use args directly as null values will overwrite template values - return le.register({ + return greenlock.register({ debug: args.debug , email: args.email , agreeTos: args.agreeTos + , communityMember: args.communityMember , domains: args.domains , rsaKeySize: args.rsaKeySize , challengeType: challengeType @@ -134,10 +120,12 @@ module.exports.run = function (args) { console.log('Certificates installed at:'); console.log( [ + // args.privkeyPath args.certPath , args.chainPath , args.fullchainPath - ].join('\n') + , args.bundlePath || '' + ].join('\n').replace(/\n+/g, '\n') .replace(/:configDir/g, args.configDir) .replace(/:hostname/g, args.domains[0]) ); diff --git a/installer/get.sh b/installer/get.sh new file mode 100644 index 0000000..bac890f --- /dev/null +++ b/installer/get.sh 
@@ -0,0 +1,128 @@ +#!/bin/bash + +# This is a 3 step process +# 1. First we need to figure out whether to use wget or curl for fetching remote files +# 2. Next we need to figure out whether to use unzip or tar for downloading releases +# 3. We need to actually install the stuff + +set -e +set -u + +############################### +# # +# http_get # +# boilerplate for curl / wget # +# # +############################### + +# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh + +_my_http_get="" +_my_http_opts="" +_my_http_out="" + +detect_http_get() +{ + set +e + if type -p curl >/dev/null 2>&1; then + _my_http_get="curl" + _my_http_opts="-fsSL" + _my_http_out="-o" + elif type -p wget >/dev/null 2>&1; then + _my_http_get="wget" + _my_http_opts="--quiet" + _my_http_out="-O" + else + echo "Aborted, could not find curl or wget" + return 7 + fi + set -e +} + +http_get() +{ + $_my_http_get $_my_http_opts $_my_http_out "$2" "$1" + touch "$2" +} + +http_bash() +{ + _http_url=$1 + my_args=${2:-} + rm -rf my-tmp-runner.sh + $_my_http_get $_my_http_opts $_my_http_out my-tmp-runner.sh "$_http_url"; bash my-tmp-runner.sh $my_args; rm my-tmp-runner.sh +} + +detect_http_get + +############################### +## END HTTP_GET ## +############################### + +echo "" +echo "" +echo "" + +if [ -z "${GREENLOCK_PATH:-}" ]; then + echo 'GREENLOCK_PATH="'${GREENLOCK_PATH:-}'"' + GREENLOCK_PATH=/opt/greenlock +fi + +echo "Installing Greenlock to '$GREENLOCK_PATH'" +echo "" + +echo "sudo mkdir -p '$GREENLOCK_PATH'" +sudo mkdir -p "$GREENLOCK_PATH" +echo "sudo chown -R $(whoami) '$GREENLOCK_PATH'" +sudo chown -R $(whoami) "$GREENLOCK_PATH" + +# until node v10.x gets fix for ursa we have no advantage to switching from 8.x +export NODEJS_VER=v8.11.1 +export NODE_PATH="$GREENLOCK_PATH/lib/node_modules" +export NPM_CONFIG_PREFIX="$GREENLOCK_PATH" +export PATH="$GREENLOCK_PATH/bin:$PATH" +sleep 1 +http_bash 
https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps + +my_tree="master" +my_node="$GREENLOCK_PATH/bin/node" +my_npm="$my_node $GREENLOCK_PATH/bin/npm" +my_tmp="$GREENLOCK_PATH/tmp" +mkdir -p $my_tmp + +echo "blah" +set +e +my_unzip=$(type -p unzip) +my_tar=$(type -p tar) +if [ -n "$my_unzip" ]; then + rm -f $my_tmp/greenlock-$my_tree.zip + http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.zip $my_tmp/greenlock-$my_tree.zip + # -j is the same as --strip 1, it nixes the top-level directory + $my_unzip -j $my_tmp/greenlock-$my_tree.zip -d $GREENLOCK_PATH/ +elif [ -n "$my_tar" ]; then + rm -f $my_tmp/greenlock-$my_tree.tar.gz + http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.tar.gz $my_tmp/greenlock-$my_tree.tar.gz + ls -lah $my_tmp/greenlock-$my_tree.tar.gz + $my_tar -xzf $my_tmp/greenlock-$my_tree.tar.gz --strip 1 -C $GREENLOCK_PATH/ +else + echo "Neither tar nor unzip found. Abort." + exit 13 +fi +set -e + +pushd $GREENLOCK_PATH + $my_npm install +popd + +cat << EOF > $GREENLOCK_PATH/bin/greenlock +!#/bin/bash +$my_node $GREENLOCK_PATH/bin/greenlock.js +EOF +chmod a+x $GREENLOCK_PATH/bin/greenlock +ln -sf $GREENLOCK_PATH/bin/greenlock /usr/local/bin/greenlock + +#sudo setcap cap_net_bind_service=+ep $GREENLOCK_PATH/bin/node + +#https://git.coolaj86.com/coolaj86/greenlock-cli.js.git +#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.tar.gz +#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.zip diff --git a/lib/servers.js b/lib/servers.js index e1e45e8..2f1820f 100644 --- a/lib/servers.js +++ b/lib/servers.js 
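Review bot: The wrapper written with `cat << EOF > $GREENLOCK_PATH/bin/greenlock` starts with `!#/bin/bash`, which is not a shebang; the first line must be `#!/bin/bash` or the generated `greenlock` command will not run as intended. The installer also fetches the unpinned `master` archive and a remote `install.sh` with no checksum or signature check, so what gets installed depends on the state of the remote at install time; pinning `my_tree` to a release tag and verifying a published checksum after `http_get` would make the install reproducible. Under the `set +e` window the archive download can fail silently and `http_get`'s trailing `touch "$2"` leaves an empty file, so a failed unzip or tar is not caught and `npm install` proceeds in an empty tree; check the exit status of `http_get` and the extractor explicitly. `http_bash` writes `my-tmp-runner.sh` into the current directory, which may be world-writable; use `$(mktemp)` for that path. Finally, `ln -sf ... /usr/local/bin/greenlock` runs without `sudo` while the earlier `mkdir` needed it, and the stray `echo "blah"` looks like leftover debugging.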
@@ -7,17 +7,22 @@ module.exports.create = function (challenge) { _servers: [] , httpResponder: function (req, res) { - console.log('[LE-CLI] httpResponder'); + console.info(req.method + ' ' + req.headers.host + req.url); var acmeChallengePrefix = '/.well-known/acme-challenge/'; if (0 !== req.url.indexOf(acmeChallengePrefix)) { - res.end("Let's Encrypt! Command line tool"); + res.end("Greenlock™ Commandline: https://git.coolaj86.com/coolaj86/greenlock-cli.js"); return; } var token = req.url.slice(acmeChallengePrefix.length); challenge.get(NOBJ, req.headers.host.replace(/:.*/, ''), token, function (err, val) { + if (val) { + console.info("Responding with authorization token '" + val + "'"); + } else { + console.info("No authorization token found"); + } res.end(val || '_ ERROR challenge not found _'); }); } @@ -25,7 +30,7 @@ module.exports.create = function (challenge) { , startServers: function (plainPorts, tlsPorts, opts) { opts = opts || {}; - var httpsOptions = opts.httpsOptions || require('localhost.daplie.me-certificates'); + var tlsOptions = opts.tlsOptions || {}; var https = require('https'); var http = require('http'); @@ -56,7 +61,7 @@ module.exports.create = function (challenge) { // tls-sni-01-port tlsPorts.forEach(function (port) { - var server = https.createServer(httpsOptions, servers.httpResponder); + var server = https.createServer(tlsOptions, servers.httpResponder); servers._servers.push(server); server.listen(port, function () { diff --git a/package.json b/package.json index 1f684e8..eaca5be 100644 --- a/package.json +++ b/package.json 
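Review bot: The new log line `console.info(req.method + ' ' + req.headers.host + req.url)` assumes a `Host` header, but HTTP/1.0 clients and some probes omit it; the log then prints `undefined`, and the existing `req.headers.host.replace(/:.*/, '')` a few lines below throws inside the request handler, which takes the whole standalone responder down during a challenge. Read it once with a fallback, `var host = req.headers.host || '';`, and use `host` in both the log line and the `challenge.get` call. The surrounding `module.exports.create` object continues outside this hunk.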
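Review bot: `var tlsOptions = opts.tlsOptions || {};` replaces the bundled development certificate with an empty object, and `https.createServer({}, ...)` in the third hunk will then fail every TLS handshake because no key or certificate is configured. Since index.js in this commit no longer reaches the TLS path from the CLI, either drop `tlsPorts` support from `startServers` or fail fast with a clear message, `if (tlsPorts.length && !(tlsOptions.key && tlsOptions.cert)) { throw new Error('tlsOptions.key and tlsOptions.cert are required for TLS ports'); }`. `startServers` continues outside this hunk.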
@@ -34,16 +34,11 @@ }, "homepage": "https://git.coolaj86.com/coolaj86/greenlock-cli.js", "dependencies": { - "cli": "^0.11.1", - "greenlock": "^2.1.16", - "homedir": "^0.6.0", - "le-acme-core": "^2.0.5", - "le-challenge-hooks": "^2.0.0", - "le-challenge-manual": "^2.0.0", - "le-challenge-sni": "^2.0.0", - "le-challenge-standalone": "^2.0.0", - "le-store-certbot": "^2.0.2", - "localhost.daplie.me-certificates": "^1.3.2", + "cli": "^1.0.1", + "greenlock": "^2.2.15", + "le-challenge-manual": "^2.1.0", + "le-challenge-standalone": "^2.1.0", + "le-store-certbot": "^2.1.0", "mkdirp": "^0.5.1" } }