-# letsencrypt.sh
+# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)
-This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple shell-script.
+This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.
It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed.
## Usage:
-Add domains to domains.txt like in this example:
+```text
+Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
+Default command: help
+
+Commands:
+ --cron (-c) Sign/renew non-existant/changed/expiring certificates.
+ --revoke (-r) path/to/cert.pem Revoke specified certificate
+ --help (-h) Show help text
+ --env (-e) Output configuration variables for use in other scripts
+
+Parameters:
+ --domain (-d) domain.tld Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names
+ --force (-x) force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --config (-f) path/to/config.sh Use specified config file
+ --privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
```
+
+### domains.txt
+
+The file `domains.txt` should have the following format:
+
+```text
example.com www.example.com
example.net www.example.net wiki.example.net
```
This states that there should be two certificates `example.com` and `example.net`,
with the other domains in the corresponding line being their alternative names.
-You'll also need to set up a webserver to serve the challenge-response directory as configured with `$WELLKNOWN`,
-or you can use the hook in the script if you want to deploy it some other way (e.g. copy it to a server via scp).
+### $WELLKNOWN / challenge-response
-After doing those two things you can just `./letsencrypt.sh`, and it should generate certificates.
+Boulder (acme-server) is looking for challenge responses under your domain in the `.well-known/acme-challenge` directory
-It can be used inside a cronjob as it automatically detects if a certificate is about to expire.
+This script uses `http-01`-type verification (for now) so you need to have the that directory available over normal http (no ssl).
-### Certificate revocation
+A full URL would look like `http://example.org/.well-known/acme-challenge/c3VjaC1jaGFsbGVuZ2UtbXVjaA-aW52YWxpZC13b3c`.
-Usage: `./letsencrypt.sh revoke path/to/cert.pem`
-
-### nginx config
-
-If you want to use nginx you can set up a location block to serve your challenge responses:
+An example setup to get this to work would be:
+nginx.conf:
```
+...
location /.well-known/acme-challenge {
- root /var/www/letsencrypt;
+ alias /var/www/letsencrypt;
}
+...
```
+config.sh:
+```bash
+...
+WELLKNOWN="/var/www/letsencrypt"
+...
+```
+
+An alternative to setting the WELLKNOWN variable would be to create a symlink to the default location next to the script (or BASEDIR):
+`ln -s /var/www/letsencrypt .acme-challenges`
+
## Import
### import-account.pl