support tls-sni-01 challenge

Previously the http-01 challenge was simply served over SSL.

README.md

@@ -48,8 +48,9 @@ multiple domains doesn't work for you, file a bug.
 
 ### Standalone
 
-You can run standalone mode to get a cert **on the server** you will be
-using it for over ports **80 and 443 (or 5001)** like so:
+You can run standalone mode to get a cert **on the server**. You either use an
+http-01 challenge (the default) on port 80, or a tls-sni-01 challenge on port
+443 (or 5001). Like so:
 
 ```bash
 letsencrypt certonly \
@@ -60,6 +61,17 @@ letsencrypt certonly \
   --config-dir ~/letsencrypt/etc
 ```
 
+or
+
+```bash
+letsencrypt certonly \
+  --agree-tos --email john.doe@example.com \
+  --standalone --tls-sni-01-port 443 \
+  --domains example.com,www.example.com \
+  --server https://acme-staging.api.letsencrypt.org/directory \
+  --config-dir ~/letsencrypt/etc
+```
+
 Then you can see your certs at `~/letsencrypt/etc/live`.
 
 ```
@@ -174,7 +186,7 @@ Options:
 
       --debug BOOLEAN           show traces and logs
 
-      --tls-sni-01-port NUMBER  Use TLS-SNI-01 challenge type with this port. (Default is 443)
+      --tls-sni-01-port NUMBER  Use TLS-SNI-01 challenge type with this port.
                                 (must be 443 with most production servers) (Boulder allows 5001 in testing mode)
 
       --http-01-port [NUMBER]   Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)

index.js

@@ -15,6 +15,7 @@ module.exports.run = function (args) {
     args.standalone = USE_DNS;
   } else if (args.tlsSni01Port) {
     challengeType = 'tls-sni-01';
+    args.webrootPath = '';
   } else /*if (args.http01Port)*/ {
     challengeType = 'http-01';
   }
@@ -27,12 +28,13 @@ module.exports.run = function (args) {
     // TODO rename le-challenge-fs to le-challenge-webroot
     leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath });
   }
+  else if (args.tlsSni01Port) {
+    leChallenge = require('le-challenge-sni').create({});
+    servers = require('./lib/servers').create(leChallenge);
+  }
   else if (USE_DNS !== args.standalone) {
     leChallenge = require('le-challenge-standalone').create({});
-    servers = require('./lib/servers').create(leChallenge).startServers(
-      args.http01Port || [80], args.tlsSni01Port || [443, 5001]
-    , { debug: args.debug }
-    );
+    servers = require('./lib/servers').create(leChallenge);
   }
 
   leStore = require('le-store-certbot').create({
@@ -51,14 +53,31 @@ module.exports.run = function (args) {
   }
 
   // let LE know that we're handling standalone / webroot here
+  var leChallenges = {};
+  leChallenges[challengeType] = leChallenge;
   var le = LE.create({
     debug: args.debug
   , server: args.server
   , store: leStore
-  , challenges: { 'http-01': leChallenge, 'tls-sni-01': leChallenge }
+  , challenges: leChallenges
   , duplicate: args.duplicate
   });
 
+  if (servers) {
+    if (args.tlsSni01Port) {
+      servers = servers.startServers(
+        [], args.tlsSni01Port
+      , { debug: args.debug, httpsOptions: le.httpsOptions }
+      );
+    }
+    else {
+      servers = servers.startServers(
+        args.http01Port || [80], []
+      , { debug: args.debug }
+      );
+    }
+  }
+
   // Note: can't use args directly as null values will overwrite template values
   le.register({
     domains: args.domains

lib/servers.js

@@ -25,7 +25,7 @@ module.exports.create = function (challenge) {
   , startServers: function (plainPorts, tlsPorts, opts) {
       opts = opts || {};
 
-      var httpsOptions = require('localhost.daplie.com-certificates');
+      var httpsOptions = opts.httpsOptions || require('localhost.daplie.com-certificates');
       var https = require('https');
       var http = require('http');
 

package.json

@@ -37,6 +37,7 @@
     "homedir": "^0.6.0",
     "le-acme-core": "^2.0.5",
     "le-challenge-manual": "^2.0.0",
+    "le-challenge-sni": "^2.0.0",
     "le-challenge-standalone": "^2.0.0",
     "le-store-certbot": "^2.0.2",
     "letsencrypt": "^2.1.2",