diff options
author | rsiddharth <s@ricketyspace.net> | 2020-02-02 11:12:55 -0500 |
---|---|---|
committer | rsiddharth <s@ricketyspace.net> | 2020-02-02 11:13:22 -0500 |
commit | 6d24382540942818ebde8659ab0d4ea638c354f4 (patch) | |
tree | 5887e90dc7333e2c488a80cf61ec32c343406476 /sign_csr.py | |
parent | 2a4e0d618a8d3d072fd5f70ab3b2bbced43482a2 (diff) |
sign_csr.py: Refactor script to use acmev2.
Initial version.
Diffstat (limited to 'sign_csr.py')
-rw-r--r-- | sign_csr.py | 488 |
1 files changed, 145 insertions, 343 deletions
diff --git a/sign_csr.py b/sign_csr.py index be9dfd4..17654d3 100644 --- a/sign_csr.py +++ b/sign_csr.py @@ -5,28 +5,22 @@ import argparse, subprocess, json, os, urllib.request, sys, base64, binascii, \ from urllib.request import urlopen from urllib.error import HTTPError -def sign_csr(pubkey, csr, email=None, file_based=False): +def sign_csr(account_key, csr, email=None): """Use the ACME protocol to get an ssl certificate signed by a certificate authority. - :param string pubkey: Path to the user account public key. + :param string account_key: Path to the user account key. :param string csr: Path to the certificate signing request. :param string email: An optional user account contact email (defaults to webmaster@<shortest_domain>) - :param bool file_based: An optional flag indicating that the - hosting should be file-based rather - than providing a simple python HTTP - server. :returns: Signed Certificate (PEM format) :rtype: string """ - #CA = "https://acme-staging.api.letsencrypt.org" - CA = "https://acme-v01.api.letsencrypt.org" + #CA = "https://acme-staging-v02.api.letsencrypt.org" + CA = "https://acme-v02.api.letsencrypt.org" DIRECTORY = json.loads(urlopen(CA + "/directory").read().decode('utf8')) - nonce_req = urllib.request.Request("{0}/directory".format(CA)) - nonce_req.get_method = lambda : 'HEAD' def _b64(b): "Shortcut function to go from bytes to jwt base64 string" @@ -35,16 +29,63 @@ def sign_csr(pubkey, csr, email=None, file_based=False): return base64.urlsafe_b64encode(b).decode().replace("=", "") + # helper function - run external commands + def _cmd(cmd_list, stdin=None, cmd_input=None, err_msg="Command Line Error"): + proc = subprocess.Popen(cmd_list, stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = proc.communicate(cmd_input) + if proc.returncode != 0: + raise IOError("{0}\n{1}".format(err_msg, err)) + return out + + # helper function - make request and automatically parse json response + def _do_request(url, data=None, err_msg="Error", depth=0): + try: + resp = urllib.request.urlopen(urllib.request.Request(url, data=data, headers={"Content-Type": "application/jose+json", "User-Agent": "acme-nosudo"})) + resp_data, code, headers = resp.read().decode("utf8"), resp.getcode(), resp.headers + except IOError as e: + resp_data = e.read().decode("utf8") if hasattr(e, "read") else str(e) + code, headers = getattr(e, "code", None), {} + try: + resp_data = json.loads(resp_data) # try to parse json results + except ValueError: + pass # ignore json parsing errors + if depth < 100 and code == 400 and resp_data['type'] == "urn:ietf:params:acme:error:badNonce": + raise IndexError(resp_data) # allow 100 retrys for bad nonces + if code not in [200, 201, 204]: + raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data)) + return resp_data, code, headers + + # helper function - make signed requests + def _send_signed_request(url, payload, err_msg, depth=0): + payload64 = "" if payload is None else _b64(json.dumps(payload).encode('utf8')) + new_nonce = _do_request(DIRECTORY['newNonce'])[2]['Replay-Nonce'] + protected = {"url": url, "alg": "RS256", "nonce": new_nonce} + protected.update({"jwk": jwk} if acct_headers is None else {"kid": acct_headers['Location']}) + protected64 = _b64(json.dumps(protected).encode('utf8')) + protected_input = "{0}.{1}".format(protected64, payload64).encode('utf8') + out = _cmd(["openssl", "dgst", "-sha256", "-sign", account_key], stdin=subprocess.PIPE, cmd_input=protected_input, err_msg="OpenSSL Error") + data = json.dumps({"protected": protected64, "payload": payload64, "signature": _b64(out)}) + try: + return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth) + except IndexError: # retry bad nonces (they raise IndexError) + return _send_signed_request(url, payload, err_msg, depth=(depth + 1)) + + # helper function - poll until complete + def _poll_until_not(url, pending_statuses, err_msg): + result, t0 = None, time.time() + while result is None or result['status'] in pending_statuses: + assert (time.time() - t0 < 3600), "Polling timeout" # 1 hour timeout + time.sleep(0 if result is None else 2) + result, _, _ = _send_signed_request(url, None, err_msg) + return result + + # Step 1: Get account public key sys.stderr.write("Reading pubkey file...\n") - proc = subprocess.Popen(["openssl", "rsa", "-pubin", "-in", pubkey, "-noout", "-text"], - stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True) - out, err = proc.communicate() - if proc.returncode != 0: - raise IOError("Error loading {0}".format(pubkey)) + out = _cmd(["openssl", "rsa", "-in", account_key, "-noout", "-text"], err_msg="Error reading account public key") pub_hex, pub_exp = re.search( - "Modulus(?: \((?:2048|4096) bit\)|)\:\s+00:([a-f0-9\:\s]+?)Exponent\: ([0-9]+)", - out, re.MULTILINE|re.DOTALL).groups() + r"modulus:[\s]+?00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)", + out.decode('utf8'), re.MULTILINE|re.DOTALL).groups() pub_mod = binascii.unhexlify(re.sub("(\s|:)", "", pub_hex)) pub_mod64 = _b64(pub_mod) pub_exp = int(pub_exp) @@ -52,30 +93,23 @@ def sign_csr(pubkey, csr, email=None, file_based=False): pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp pub_exp = binascii.unhexlify(pub_exp) pub_exp64 = _b64(pub_exp) - header = { - "alg": "RS256", - "jwk": { - "e": pub_exp64, - "kty": "RSA", - "n": pub_mod64, - }, + jwk = { + "e": pub_exp64, + "kty": "RSA", + "n": pub_mod64, } - accountkey_json = json.dumps(header['jwk'], sort_keys=True, separators=(',', ':')) + accountkey_json = json.dumps(jwk, sort_keys=True, separators=(',', ':')) thumbprint = _b64(hashlib.sha256(accountkey_json.encode()).digest()) sys.stderr.write("Found public key!\n") # Step 2: Get the domain names to be certified sys.stderr.write("Reading csr file...\n") - proc = subprocess.Popen(["openssl", "req", "-in", csr, "-noout", "-text"], - stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True) - out, err = proc.communicate() - if proc.returncode != 0: - raise IOError("Error loading {0}".format(csr)) + out = _cmd(["openssl", "req", "-in", csr, "-noout", "-text"], err_msg="Error loading {}".format(csr)) domains = set([]) - common_name = re.search("Subject:.*? CN *= *([^\s,;/]+)", out) + common_name = re.search("Subject:.*? CN *= *([^\s,;/]+)", out.decode('utf8')) if common_name is not None: domains.add(common_name.group(1)) - subject_alt_names = re.search("X509v3 Subject Alternative Name: \n +([^\n]+)\n", out, re.MULTILINE|re.DOTALL) + subject_alt_names = re.search("X509v3 Subject Alternative Name: \n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE|re.DOTALL) if subject_alt_names is not None: for san in subject_alt_names.group(1).split(", "): if san.startswith("DNS:"): @@ -91,328 +125,97 @@ def sign_csr(pubkey, csr, email=None, file_based=False): email = input_email if input_email else default_email sys.stdout = stdout - # Step 4: Generate the payloads that need to be signed - # registration - sys.stderr.write("Building request payloads...\n") - reg_nonce = urllib.request.urlopen(nonce_req).headers['Replay-Nonce'] - reg_raw = json.dumps({ - "resource": "new-reg", - "contact": ["mailto:{0}".format(email)], - "agreement": DIRECTORY['meta']['terms-of-service'], - }, sort_keys=True, indent=4) - reg_b64 = _b64(reg_raw) - reg_protected = copy.deepcopy(header) - reg_protected.update({"nonce": reg_nonce}) - reg_protected64 = _b64(json.dumps(reg_protected, sort_keys=True, indent=4)) - reg_file = tempfile.NamedTemporaryFile(dir=".", prefix="register_", suffix=".json") - reg_file.write("{0}.{1}".format(reg_protected64, reg_b64).encode()) - reg_file.flush() - reg_file_name = os.path.basename(reg_file.name) - reg_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="register_", suffix=".sig") - reg_file_sig_name = os.path.basename(reg_file_sig.name) - - # need signature for each domain identifiers - ids = [] + + # Step 4: Generate the payload for registering user and initiate registration. + sys.stderr.write("Registering {0}...\n".format(email)) + reg = { + "termsOfServiceAgreed": True + } + acct_headers = None + result, code, acct_headers = _send_signed_request(DIRECTORY['newAccount'], reg, "Error registering") + if code == 201: + sys.stderr.write("Registered!\n") + else: + sys.stderr.write("Already registered!\n") + + + # Step 5: Request challenges for each domain for domain in domains: - sys.stderr.write("Building request for {0}...\n".format(domain)) - id_nonce = urllib.request.urlopen(nonce_req).headers['Replay-Nonce'] - id_raw = json.dumps({ - "resource": "new-authz", - "identifier": { + sys.stderr.write("Making new order for {0}...\n".format(domain)) + id = { + "identifiers": [{ "type": "dns", "value": domain, - }, - }, sort_keys=True) - id_b64 = _b64(id_raw) - id_protected = copy.deepcopy(header) - id_protected.update({"nonce": id_nonce}) - id_protected64 = _b64(json.dumps(id_protected, sort_keys=True, indent=4)) - id_file = tempfile.NamedTemporaryFile(dir=".", prefix="domain_", suffix=".json") - id_file.write("{0}.{1}".format(id_protected64, id_b64).encode()) - id_file.flush() - id_file_name = os.path.basename(id_file.name) - id_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="domain_", suffix=".sig") - id_file_sig_name = os.path.basename(id_file_sig.name) - ids.append({ - "domain": domain, - "protected64": id_protected64, - "data64": id_b64, - "file": id_file, - "file_name": id_file_name, - "sig": id_file_sig, - "sig_name": id_file_sig_name, - }) - - # need signature for the final certificate issuance - sys.stderr.write("Building request for CSR...\n") - proc = subprocess.Popen(["openssl", "req", "-in", csr, "-outform", "DER"], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - csr_der, err = proc.communicate() - csr_der64 = _b64(csr_der) - csr_nonce = urllib.request.urlopen(nonce_req).headers['Replay-Nonce'] - csr_raw = json.dumps({ - "resource": "new-cert", - "csr": csr_der64, - }, sort_keys=True, indent=4) - csr_b64 = _b64(csr_raw) - csr_protected = copy.deepcopy(header) - csr_protected.update({"nonce": csr_nonce}) - csr_protected64 = _b64(json.dumps(csr_protected, sort_keys=True, indent=4)) - csr_file = tempfile.NamedTemporaryFile(dir=".", prefix="cert_", suffix=".json") - csr_file.write("{0}.{1}".format(csr_protected64, csr_b64).encode()) - csr_file.flush() - csr_file_name = os.path.basename(csr_file.name) - csr_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="cert_", suffix=".sig") - csr_file_sig_name = os.path.basename(csr_file_sig.name) - - # Step 5: Ask the user to sign the registration and requests - sys.stderr.write("""\ -STEP 2: You need to sign some files (replace 'user.key' with your user private key). - -openssl dgst -sha256 -sign user.key -out {0} {1} -{2} -openssl dgst -sha256 -sign user.key -out {3} {4} - -""".format( - reg_file_sig_name, reg_file_name, - "\n".join("openssl dgst -sha256 -sign user.key -out {0} {1}".format(i['sig_name'], i['file_name']) for i in ids), - csr_file_sig_name, csr_file_name)) - - stdout = sys.stdout - sys.stdout = sys.stderr - input("Press Enter when you've run the above commands in a new terminal window...") - sys.stdout = stdout - - # Step 6: Load the signatures - reg_file_sig.seek(0) - reg_sig64 = _b64(reg_file_sig.read()) - for n, i in enumerate(ids): - i['sig'].seek(0) - i['sig64'] = _b64(i['sig'].read()) - - # Step 7: Register the user - sys.stderr.write("Registering {0}...\n".format(email)) - reg_data = json.dumps({ - "header": header, - "protected": reg_protected64, - "payload": reg_b64, - "signature": reg_sig64, - }, sort_keys=True, indent=4) - reg_url = "{0}/acme/new-reg".format(CA) - try: - resp = urllib.request.urlopen(reg_url, reg_data.encode()) - result = json.loads(resp.read()) - except HTTPError as e: - err = e.read() - # skip already registered accounts - if b"Registration key is already in use" in err: - sys.stderr.write("Already registered. Skipping...\n") - else: - sys.stderr.write("Error: reg_data:\n") - sys.stderr.write("POST {0}\n".format(reg_url)) - sys.stderr.write(reg_data) - sys.stderr.write("\n") - sys.stderr.write(err.decode()) - sys.stderr.write("\n") - raise - - # Step 8: Request challenges for each domain - responses = [] - tests = [] - for n, i in enumerate(ids): - sys.stderr.write("Requesting challenges for {0}...\n".format(i['domain'])) - id_data = json.dumps({ - "header": header, - "protected": i['protected64'], - "payload": i['data64'], - "signature": i['sig64'], - }, sort_keys=True, indent=4) - id_url = "{0}/acme/new-authz".format(CA) - try: - resp = urllib.request.urlopen(id_url, id_data.encode()) - result = json.loads(resp.read()) - except HTTPError as e: - sys.stderr.write("Error: id_data:\n") - sys.stderr.write("POST {0}\n".format(id_url)) - sys.stderr.write(id_data) - sys.stderr.write("\n") - sys.stderr.write(e.read()) - sys.stderr.write("\n") - raise - challenge = [c for c in result['challenges'] if c['type'] == "http-01"][0] + }], + } + order, order_code, order_headers = _send_signed_request(DIRECTORY['newOrder'], id, "Error creating new order") + + # Request challenges + sys.stderr.write("Requesting challenges...\n") + chl_result, chl_code, chl_headers = _send_signed_request(order['authorizations'][0], None, "Error getting challenges") + + challenge = [c for c in chl_result['challenges'] if c['type'] == "http-01"][0] + token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token']) keyauthorization = "{0}.{1}".format(challenge['token'], thumbprint) - # challenge request - sys.stderr.write("Building challenge responses for {0}...\n".format(i['domain'])) - test_nonce = urllib.request.urlopen(nonce_req).headers['Replay-Nonce'] - test_raw = json.dumps({ - "resource": "challenge", - "keyAuthorization": keyauthorization, - }, sort_keys=True, indent=4) - test_b64 = _b64(test_raw) - test_protected = copy.deepcopy(header) - test_protected.update({"nonce": test_nonce}) - test_protected64 = _b64(json.dumps(test_protected, sort_keys=True, indent=4)) - test_file = tempfile.NamedTemporaryFile(dir=".", prefix="challenge_", suffix=".json") - test_file.write("{0}.{1}".format(test_protected64, test_b64).encode()) - test_file.flush() - test_file_name = os.path.basename(test_file.name) - test_file_sig = tempfile.NamedTemporaryFile(dir=".", prefix="challenge_", suffix=".sig") - test_file_sig_name = os.path.basename(test_file_sig.name) - tests.append({ - "uri": challenge['uri'], - "protected64": test_protected64, - "data64": test_b64, - "file": test_file, - "file_name": test_file_name, - "sig": test_file_sig, - "sig_name": test_file_sig_name, - }) + # build request for the server to test this challenge. + test_url = challenge['url'] + test_raw = "{}" # challenge response for server - responses.append({ + response = { "uri": ".well-known/acme-challenge/{0}".format(challenge['token']), "data": keyauthorization, - }) - - # Step 9: Ask the user to sign the challenge responses - sys.stderr.write("""\ -STEP 3: You need to sign some more files (replace 'user.key' with your user private key). - -{0} - -""".format( - "\n".join("openssl dgst -sha256 -sign user.key -out {0} {1}".format( - i['sig_name'], i['file_name']) for i in tests))) - - stdout = sys.stdout - sys.stdout = sys.stderr - input("Press Enter when you've run the above commands in a new terminal window...") - sys.stdout = stdout + } - # Step 10: Load the response signatures - for n, i in enumerate(ids): - tests[n]['sig'].seek(0) - tests[n]['sig64'] = _b64(tests[n]['sig'].read()) - - # Step 11: Ask the user to host the token on their server - for n, i in enumerate(ids): - if file_based: - sys.stderr.write("""\ -STEP {0}: Please update your server to serve the following file at this URL: + # Step 6: Ask the user to host the token on their server + sys.stderr.write("""\ +Please update your server to serve the following file at this URL: -------------- -URL: http://{1}/{2} -File contents: \"{3}\" +URL: http://{0}/{1} +File contents: \"{2}\" -------------- Notes: - Do not include the quotes in the file. - The file should be one line without any spaces. -""".format(n + 4, i['domain'], responses[n]['uri'], responses[n]['data'])) +""".format(domain, response['uri'], response['data'])) - stdout = sys.stdout - sys.stdout = sys.stderr - input("Press Enter when you've got the file hosted on your server...") - sys.stdout = stdout + stdout = sys.stdout + sys.stdout = sys.stderr + input("Press Enter when you've got the file hosted on your server...") + sys.stdout = stdout + + # Step 7: Let the CA know you're ready for the challenge + sys.stderr.write("Requesting verification for {0}...\n".format(domain)) + _send_signed_request(challenge['url'], {}, "Error requesting challenge verfication: {0}".format(domain)) + chl_verification = _poll_until_not(challenge['url'], ["pending"], "Error checking challenge verification") + if chl_verification['status'] != "valid": + raise ValueError("Challenge did not pass for {0}: {1}".format(domain, chl_verification)) + sys.stderr.write("{} verified!\n".format(domain)) + + # Step 8: Finalize + csr_der = _cmd(["openssl", "req", "-in", csr, "-outform", "DER"], err_msg="DER Export Error") + fnlz_resp, fnlz_code, fnlz_headers = _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order") + + # Step 9: Wait for CA to mark test as valid + sys.stderr.write("Waiting for {0} challenge to pass...\n".format(domain)) + order = _poll_until_not(order_headers['Location'], ["pending", "processing"], "Error checking order status") + + if order['status'] == "valid": + sys.stderr.write("Passed {0} challenge!\n".format(domain)) else: - sys.stderr.write("""\ -STEP {0}: You need to run this command on {1} (don't stop the python command until the next step). - -sudo python -c "import BaseHTTPServer; \\ - h = BaseHTTPServer.BaseHTTPRequestHandler; \\ - h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('{2}'); \\ - s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \\ - s.serve_forever()" - -""".format(n + 4, i['domain'], responses[n]['data'])) - - stdout = sys.stdout - sys.stdout = sys.stderr - input("Press Enter when you've got the python command running on your server...") - sys.stdout = stdout - - # Step 12: Let the CA know you're ready for the challenge - sys.stderr.write("Requesting verification for {0}...\n".format(i['domain'])) - test_data = json.dumps({ - "header": header, - "protected": tests[n]['protected64'], - "payload": tests[n]['data64'], - "signature": tests[n]['sig64'], - }, sort_keys=True, indent=4) - test_url = tests[n]['uri'] - try: - resp = urllib.request.urlopen(test_url, test_data.encode()) - test_result = json.loads(resp.read()) - except HTTPError as e: - sys.stderr.write("Error: test_data:\n") - sys.stderr.write("POST {0}\n".format(test_url)) - sys.stderr.write(test_data) - sys.stderr.write("\n") - sys.stderr.write(e.read().decode()) - sys.stderr.write("\n") - raise - - # Step 13: Wait for CA to mark test as valid - sys.stderr.write("Waiting for {0} challenge to pass...\n".format(i['domain'])) - while True: - try: - resp = urllib.request.urlopen(test_url) - challenge_status = json.loads(resp.read()) - except HTTPError as e: - sys.stderr.write("Error: test_data:\n") - sys.stderr.write("GET {0}\n".format(test_url)) - sys.stderr.write(test_data) - sys.stderr.write("\n") - sys.stderr.write(e.read()) - sys.stderr.write("\n") - raise - if challenge_status['status'] == "pending": - time.sleep(2) - elif challenge_status['status'] == "valid": - sys.stderr.write("Passed {0} challenge!\n".format(i['domain'])) - break - else: - raise KeyError("'{0}' challenge did not pass: {1}".format(i['domain'], challenge_status)) - - # Step 14: Get the certificate signed - sys.stderr.write("Requesting signature...\n") - csr_file_sig.seek(0) - csr_sig64 = _b64(csr_file_sig.read()) - csr_data = json.dumps({ - "header": header, - "protected": csr_protected64, - "payload": csr_b64, - "signature": csr_sig64, - }, sort_keys=True, indent=4) - csr_url = "{0}/acme/new-cert".format(CA) - try: - resp = urllib.request.urlopen(csr_url, csr_data.encode()) - signed_der = resp.read() - except HTTPError as e: - sys.stderr.write("Error: csr_data:\n") - sys.stderr.write("POST {0}\n".format(csr_url)) - sys.stderr.write(csr_data) - sys.stderr.write("\n") - sys.stderr.write(e.read()) - sys.stderr.write("\n") - raise - - # Step 15: Convert the signed cert from DER to PEM - sys.stderr.write("Certificate signed!\n") - - if file_based: - sys.stderr.write("You can remove the acme-challenge file from your webserver now.\n") - else: - sys.stderr.write("You can stop running the python command on your server (Ctrl+C works).\n") + raise ValueError("'{0}' challenge did not pass: {1}".format(domain, order)) + + + # Step 10: Get the certificate. + sys.stderr.write("Getting certificate...\n") + signed_pem, _, _ = _send_signed_request(order['certificate'], None, "Error getting certificate") - signed_der64 = base64.b64encode(signed_der) - signed_pem = """\ ------BEGIN CERTIFICATE----- -{0} ------END CERTIFICATE----- -""".format("\n".join(textwrap.wrap(signed_der64.decode(), 64))) + sys.stderr.write("Received certificate!\n") + sys.stderr.write("You can remove the acme-challenge file from your webserver now.\n") return signed_pem @@ -420,17 +223,17 @@ if __name__ == "__main__": parser = argparse.ArgumentParser( formatter_class=argparse.RawDescriptionHelpFormatter, description="""\ -Get a SSL certificate signed by a Let's Encrypt (ACME) certificate authority and -output that signed certificate. You do NOT need to run this script on your -server and this script does not ask for your private keys. It will print out -commands that you need to run with your private key or on your server as root, -which gives you a chance to review the commands instead of trusting this script. +Get a SSL certificate signed by a Let's Encrypt (ACME) certificate +authority and output that signed certificate. You do NOT need to run +this script on your server, it is meant to be run on your +computer. The script will request you to manually deploy the acme +challenge on your server. NOTE: YOUR ACCOUNT KEY NEEDS TO BE DIFFERENT FROM YOUR DOMAIN KEY. Prerequisites: * openssl -* python +* python version 3 Example: Generate an account keypair, a domain key and csr, and have the domain csr signed. -------------- @@ -438,16 +241,15 @@ $ openssl genrsa 4096 > user.key $ openssl rsa -in user.key -pubout > user.pub $ openssl genrsa 4096 > domain.key $ openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr -$ python sign_csr.py --public-key user.pub domain.csr > signed.crt +$ python3 sign_csr.py --account-key user.key --email user@example.com domain.csr > signed.crt -------------- """) - parser.add_argument("-p", "--public-key", required=True, help="path to your account public key") + parser.add_argument("-k", "--account-key", required=True, help="path to your Let's Encrypt account private key") parser.add_argument("-e", "--email", default=None, help="contact email, default is webmaster@<shortest_domain>") - parser.add_argument("-f", "--file-based", action='store_true', help="if set, a file-based response is used") parser.add_argument("csr_path", help="path to your certificate signing request") args = parser.parse_args() - signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based) + signed_crt = sign_csr(args.account_key, args.csr_path, email=args.email) sys.stdout.write(signed_crt) |