root
/
greenlock-cli.js
mirror of https://git.coolaj86.com/coolaj86/greenlock-cli.js
2
0
Fork 0
Code Issues 2 Releases Wiki Activity
greenlock-cli.js/README.md

227 lines
7.5 KiB
Markdown
Raw Blame History

![Greenlock Logo](https://git.coolaj86.com/coolaj86/greenlock.js/raw/branch/master/logo/greenlock-1063x250.png "Greenlock Logo")
Greenlock™ for Web Servers
================
Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple<br>
<small>certificates issued by Let's Encrypt v2 via [ACME](https://git.coolaj86.com/coolaj86/acme-v2.js)</small>
!["Lifetime Downloads"](https://img.shields.io/npm/dt/greenlock.svg "Lifetime Download Count can't be shown")
!["Monthly Downloads"](https://img.shields.io/npm/dm/greenlock.svg "Monthly Download Count can't be shown")
!["Weekly Downloads"](https://img.shields.io/npm/dw/greenlock.svg "Weekly Download Count can't be shown")
| Sponsored by [ppl](https://ppl.family)
| **Greenlock for Web Servers**
| [Greenlock for Web Browsers](https://git.coolaj86.com/coolaj86/greenlock.html)
| [Greenlock for Express.js](https://git.coolaj86.com/coolaj86/greenlock-express.js)
| [Greenlock&trade;.js](https://git.coolaj86.com/coolaj86/greenlock.js)
|
Features
====
- [x] Commandline (cli) Certificate Manager (like certbot)
- [x] Integrated Web Server
- [x] Free SSL Certificates
- [x] Automatic certificate renewal before expiration
- [x] One-off standalone registration / renewal
- [x] On-the-fly registration / renewal via webroot
## Install Node
For **Windows**:
Choose **Stable** from <https://nodejs.org/en/>
For Linux and **OS X**:
```
curl -L bit.ly/nodejs-min | bash
```
# Install Greenlock
```bash
npm install -g greenlock-cli@2.x
```
## Usage
These commands are shown using the **testing server**.
Want to use the **live server**?
1. change server to `--server https://acme-v01.api.letsencrypt.org/directory`
**Note**: This has really only been tested with single domains so if
multiple domains doesn't work for you, file a bug.
### Standalone (primarily for testing)
You can run standalone mode to get a cert **on the server**. You either use an
http-01 challenge (the default) on port 80. Like so:
```bash
greenlock certonly \
--agree-tos --email john.doe@example.com \
--standalone \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory \
--config-dir ~/letsencrypt/etc
```
Then you can see your certs at `~/letsencrypt/etc/live`.
```
ls ~/letsencrypt/etc/live
```
This option is great for testing, but since it requires the use of
the same ports that your webserver needs, it isn't a good choice
for production.
### WebRoot
You can specify the path to where you keep your `index.html` with `webroot`, as
long as your server is serving plain HTTP on port 80.
For example, if I want to get a domain for `example.com` and my `index.html` is
at `/srv/www/example.com`, then I would use this command:
```bash
sudo greenlock certonly \
--agree-tos --email john.doe@example.com \
--webroot --webroot-path /srv/www/example.com \
--config-dir /etc/letsencrypt \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory
```
Note that we use `sudo` because in this example we are using `/etc/letsencrypt`
as the cert directory rather than `~/letsencrypt/etc`, which we used in the previous example.
Then see your brand new shiny certs:
```
ls /etc/letsencrypt/live/
```
You can use a cron job to run the script above every 80 days (the certificates expire after 90 days)
so that you always have fresh certificates.
### Interactive (for debugging)
The token (for all challenge types) and keyAuthorization (only for https-01)
will be printed to the screen and you will be given time to copy it wherever
(file, dns record, database, etc) and the process will complete once you hit `enter`.
```bash
sudo greenlock certonly \
--agree-tos --email john.doe@example.com \
--manual
--config-dir /etc/letsencrypt \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory
```
## Test with a free domain
```bash
# Install Daplie DNS
npm install -g ddns-cli
# see terms of use
ddns --help
# agree to terms and get domain
ddns --random --email user@example.com --agree
# the default is to use the ip address from which
# you can the command, but you can also assign the
# ip manually
ddns --random --email user@example.com --agree -a '127.0.0.1'
```
Example domain:
```
rubber-duck-42.daplie.me
```
## Run without Root
If you'd like to allow node.js to use privileged ports `80` and `443`
(and everything under 1024 really) without being run as `root` or `sudo`,
you can use `setcap` to do so. (it may need to be run any time you reinstall node as well)
```bash
sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
```
By default `node-greenlock` assumes your home directory `~/letsencrypt/`, but if
you really want to use `/etc/letsencrypt`, `/var/lib/letsencrypt/`, and `/var/log/letsencrypt`
you could change the permissions on them. **Probably a BAD IDEA**. Probabry a security risk.
```
# PROBABLY A BAD IDEA
sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
```
## Command Line Options
```
Usage:
greenlock [OPTIONS] [ARGS]
Options:
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
--email EMAIL Email used for registration and recovery contact. (default: null)
--agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement
--domains URL Domain names to apply. For multiple domains you can enter a comma
separated list of domains as a parameter. (default: [])
--renew-within [NUMBER] Renew certificates this many days before expiry. (default: 7)
--duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is
an early renewal.
--rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048)
--cert-path STRING Path to where new cert.pem is saved
(Default is :conf/live/:hostname/cert.pem)
--fullchain-path [STRING] Path to where new fullchain.pem (cert + chain) is saved
(Default is :conf/live/:hostname/fullchain.pem)
--chain-path [STRING] Path to where new chain.pem is saved
(Default is :conf/live/:hostname/chain.pem)
--domain-key-path STRING Path to privkey.pem to use for domain (default: generate new)
--account-key-path STRING Path to privkey.pem to use for account (default: generate new)
--config-dir STRING Configuration directory. (Default is ~/letsencrypt/etc/)
--http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
(must be 80 with most production servers)
--dns-01 Use DNS-01 challenge type.
--standalone [BOOLEAN] Obtain certs using a "standalone" webserver. (Default is true)
--manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter,
giving you time to copy it somewhere before continuing. (Default is false)
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
--debug BOOLEAN show traces and logs
-h, --help Display help and usage details
```
Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.
Reference in New Issue View Git Blame Copy Permalink