[andy/dehydrated.git] / README.md

# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)

This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.

It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed.

Other dependencies are: curl, sed, grep, mktemp (all found on almost any system, curl being the only exception)

Current features:
- Signing of a list of domains
- Signing of a CSR
- Renewal if a certificate is about to expire or SAN (subdomains) changed
- Certificate revocation

If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client).

Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues.
Feel free to report any issues you find with this script or contribute by submitting a pullrequest.

## Usage:

```text
Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config.sh  Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
```

### domains.txt

The file `domains.txt` should have the following format:

```text
example.com www.example.com
example.net www.example.net wiki.example.net
```

This states that there should be two certificates `example.com` and `example.net`,
with the other domains in the corresponding line being their alternative names.

### $WELLKNOWN / challenge-response

Boulder (acme-server) is looking for challenge responses under your domain in the `.well-known/acme-challenge` directory

This script uses `http-01`-type verification (for now) so you need to have that directory available over normal http (no ssl).

A full URL would look like `http://example.org/.well-known/acme-challenge/c3VjaC1jaGFsbGVuZ2UtbXVjaA-aW52YWxpZC13b3c`.

An example setup to get this to work would be:

nginx.conf:
```
...
location /.well-known/acme-challenge {
  alias /var/www/letsencrypt;
}
...
```

config.sh:
```bash
...
WELLKNOWN="/var/www/letsencrypt"
...
```

An alternative to setting the WELLKNOWN variable would be to create a symlink to the default location next to the script (or BASEDIR):
`ln -s /var/www/letsencrypt .acme-challenges`

### dns-01 challenge

This script also supports the new `dns-01`-type verification. This type of verification requires you to be able to create a specific `TXT` DNS record for each hostname included in the certificate.

You need a hook script that deploys the challenge to your DNS server!

The hook script (indicated in the config.sh file or the --hook/-k command line argument) gets four arguments: an operation name (clean_challenge, deploy_challenge, or deploy_cert) and some operands for that. For deploy_challenge $2 is the domain name for which the certificate is required, $3 is a "challenge token" (which is not needed for dns-01), and $4 is a token which needs to be inserted in a TXT record for the domain.

Typically, you will need to split the subdomain name in two, the subdomain name and the domain name separately. For example, for "my.example.com", you'll need "my" and "example.com" separately. You then have to prefix "_acme-challenge." before the subdomain name, as in "_acme-challenge.my" and set a TXT record for that on the domain (e.g. "example.com") which has the value supplied in $4

That could be done manually (as most providers don't have a DNS API), by having your hook script echo $1, $2 and $4 and then wait (read -s -r -e < /dev/tty) - give it a little time to get into their DNS system. Usually providers give you a boxes to put "_acme-challenge.my" and the token value in, and a dropdown to choose the record type, TXT. 

Or when you do have a DNS API, pass the details accordingly to achieve the same thing.

You can delete the TXT record when called with operation clean_challenge, when $2 is also the domain name.

Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)

### Elliptic Curve Cryptography (ECC)

This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.
Commit	Line	Data
7664f1c2	1	# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)
61f0b7ed	2
e567a87e	3	This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.
274e8e41 LS	4
	5	It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed.
	6
e45f28bb	7	Other dependencies are: curl, sed, grep, mktemp (all found on almost any system, curl being the only exception)
274e8e41 LS	8
	9	Current features:
	10	- Signing of a list of domains
429ec400	11	- Signing of a CSR
e45f28bb	12	- Renewal if a certificate is about to expire or SAN (subdomains) changed
12c566b1	13	- Certificate revocation
274e8e41	14
5878f16a LS	15	If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client).
5878f16a LS	16
274e8e41 LS	17	Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues.
274e8e41 LS	18	Feel free to report any issues you find with this script or contribute by submitting a pullrequest.
0d7913ab LS	19
	20	## Usage:
	21
8662a000 LS	22	```text
8662a000 LS	23	Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
0d7913ab	24
083c6736	25	Default command: help
8662a000 LS	26
8662a000 LS	27	Commands:
083c6736	28	--cron (-c) Sign/renew non-existant/changed/expiring certificates.
429ec400	29	--signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage)
8662a000 LS	30	--revoke (-r) path/to/cert.pem Revoke specified certificate
	31	--help (-h) Show help text
	32	--env (-e) Output configuration variables for use in other scripts
	33
	34	Parameters:
92a822e0 LS	35	--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
92a822e0 LS	36	--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
8662a000	37	--privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
92a822e0	38	--config (-f) path/to/config.sh Use specified config file
ed27e013	39	--hook (-k) path/to/hook.sh Use specified script for hooks
e925b293	40	--challenge (-t) http-01\|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported
0d7913ab	41	```
8662a000 LS	42
	43	### domains.txt
	44
	45	The file `domains.txt` should have the following format:
	46
	47	```text
0d7913ab LS	48	example.com www.example.com
	49	example.net www.example.net wiki.example.net
	50	```
	51
	52	This states that there should be two certificates `example.com` and `example.net`,
	53	with the other domains in the corresponding line being their alternative names.
	54
7b968344	55	### $WELLKNOWN / challenge-response
0d7913ab	56
7b968344	57	Boulder (acme-server) is looking for challenge responses under your domain in the `.well-known/acme-challenge` directory
0d7913ab	58
92a822e0	59	This script uses `http-01`-type verification (for now) so you need to have that directory available over normal http (no ssl).
7b968344 LS	60
	61	A full URL would look like `http://example.org/.well-known/acme-challenge/c3VjaC1jaGFsbGVuZ2UtbXVjaA-aW52YWxpZC13b3c`.
	62
	63	An example setup to get this to work would be:
	64
	65	nginx.conf:
0d7913ab	66	```
7b968344	67	...
0d7913ab	68	location /.well-known/acme-challenge {
7b968344	69	alias /var/www/letsencrypt;
0d7913ab	70	}
7b968344 LS	71	...
	72	```
	73
	74	config.sh:
	75	```bash
	76	...
	77	WELLKNOWN="/var/www/letsencrypt"
	78	...
0d7913ab LS	79	```
0d7913ab LS	80
7b968344 LS	81	An alternative to setting the WELLKNOWN variable would be to create a symlink to the default location next to the script (or BASEDIR):
7b968344 LS	82	`ln -s /var/www/letsencrypt .acme-challenges`
8662a000	83
e925b293 MG	84	### dns-01 challenge
e925b293 MG	85
08ced4bd	86	This script also supports the new `dns-01`-type verification. This type of verification requires you to be able to create a specific `TXT` DNS record for each hostname included in the certificate.
e925b293 MG	87
e925b293 MG	88	You need a hook script that deploys the challenge to your DNS server!
c71ca3a8	89
682b1d5b	90	The hook script (indicated in the config.sh file or the --hook/-k command line argument) gets four arguments: an operation name (clean_challenge, deploy_challenge, or deploy_cert) and some operands for that. For deploy_challenge $2 is the domain name for which the certificate is required, $3 is a "challenge token" (which is not needed for dns-01), and $4 is a token which needs to be inserted in a TXT record for the domain.
	91
	92	Typically, you will need to split the subdomain name in two, the subdomain name and the domain name separately. For example, for "my.example.com", you'll need "my" and "example.com" separately. You then have to prefix "_acme-challenge." before the subdomain name, as in "_acme-challenge.my" and set a TXT record for that on the domain (e.g. "example.com") which has the value supplied in $4
	93
	94	That could be done manually (as most providers don't have a DNS API), by having your hook script echo $1, $2 and $4 and then wait (read -s -r -e < /dev/tty) - give it a little time to get into their DNS system. Usually providers give you a boxes to put "_acme-challenge.my" and the token value in, and a dropdown to choose the record type, TXT.
	95
	96	Or when you do have a DNS API, pass the details accordingly to achieve the same thing.
	97
	98	You can delete the TXT record when called with operation clean_challenge, when $2 is also the domain name.
	99
b6fafea0	100	Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)
682b1d5b	101
c71ca3a8 MG	102	### Elliptic Curve Cryptography (ECC)
	103
	104	This script also supports certificates with Elliptic Curve public keys! Be aware that at the moment this is not available on the production servers from letsencrypt. Please read https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809/ for the current state of ECC support.