Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 329 |
1 files changed, 10 insertions, 319 deletions
@@ -1,47 +1,20 @@ -# ACME Without Sudo +# acmens -The [Let's Encrypt](https://letsencrypt.org/) initiative is a fantastic program -that offers **free** https certificates! However, the one catch is that you need -to use their command program to get a free certificate. The default instructions -all assume that you will run it on your your server as root, and that it will -edit your apache/nginx config files. +A fork of [acme-nosudo][]. It uses ACMEv2 protocol and requires Python 3. -I love the Let's Encrypt devs dearly, but there's no way I'm going to trust -their script to run on my server as root, be able to edit my server configs, and -have access to my private keys. I'd just like the free ssl certificate, please. +[acme-nosudo]: https://github.com/diafygi/acme-nosudo -So I made a script that does that. You generate your private key and certificate -signing request (CSR) like normal, then run `sign_csr.py` with your CSR to get -it signed. The script goes through the [ACME protocol](https://github.com/ietf-wg-acme/acme/) -with the Let's Encrypt certificate authority and outputs the signed certificate -to stdout. +acmens has two scripts: -This script is meant to be run on your computer locally. It requires you to pass -your account private key. If the account private key is encrypted, openssl will -directly ask for the passphrase each time the private key is needed to sign -requests or data. + - sign_csr.py + - revoke_crt.py -## Table of Contents +The `sign_csr.py` is for getting a new SSL certificate or renewing a +SSL certificate for a domain. 
-* [Donate](#donate) -* [Prerequisites](#prerequisites) -* Signing script - * [How to use the signing script](#how-to-use-the-signing-script) - * [Example use of the signing script](#example-use-of-the-signing-script) - * [How to use the signed https certificate](#how-to-use-the-signed-https-certificate) - * [Demo](#demo) -* Revocation script - * [How to use the revocation script](#how-to-use-the-revocation-script) - * [Example use of the revocation script](#example-use-of-the-revocation-script) -* [Alternative: Official Let's Encrypt Client](#alternative-official-lets-encrypt-client) -* [Feedback/Contributing](#feedbackcontributing) +The `revoke_crt.py` is for revoking a certificate for a domain. -## Donate - -If this script is useful to you, please donate to the EFF. I don't work there, -but they do fantastic work. - -[https://eff.org/donate/](https://eff.org/donate/) +Both scripts are meant to be run locally from your computer. ## Prerequisites 
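Review bot: the rewritten intro in this hunk drops the security rationale the original README led with, namely that the script runs on your own machine rather than as root on the server, never edits the web server configuration, and needs only the ACME account private key (with openssl prompting for the passphrase whenever an encrypted key is used to sign a request); the replacement keeps only "Both scripts are meant to be run locally from your computer." Suggest restoring one sentence such as "Both scripts need your account private key; if it is encrypted, openssl will ask for the passphrase each time the key is needed to sign a request." so a reader still knows where the private keys live and why. Two wording points in the added lines: "It uses ACMEv2 protocol" should read "It uses the ACMEv2 protocol" (a link to RFC 8555 would replace the removed ACME protocol link), and "a SSL certificate" (twice) should read "an SSL certificate".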
@@ -96,218 +69,6 @@ When you run the script, it will: - Will write the certificate to `signed.crt` if ACME HTTP challenge is successful. -### Help text -``` -user@hostname:~$ python3 sign_csr.py --help -usage: sign_csr.py [-h] -k ACCOUNT_KEY [-e EMAIL] csr_path - -Get a SSL certificate signed by a Let's Encrypt (ACME) certificate -authority and output that signed certificate. You do NOT need to run -this script on your server, it is meant to be run on your -computer. The script will request you to manually deploy the acme -challenge on your server. - -NOTE: YOUR ACCOUNT KEY NEEDS TO BE DIFFERENT FROM YOUR DOMAIN KEY. - -Prerequisites: -* openssl -* python version 3 - -Example: Generate an account keypair, a domain key and csr, and have the domain csr signed. --------------- -$ openssl genrsa -aes256 4096 > user.key -$ openssl rsa -in user.key -pubout > user.pub -$ openssl genrsa -aes256 4096 > domain.key -$ openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr -$ python3 sign_csr.py --account-key user.key --email user@example.com domain.csr > signed.crt --------------- - -positional arguments: - csr_path path to your certificate signing request - -optional arguments: - -h, --help show this help message and exit - -k ACCOUNT_KEY, --account-key ACCOUNT_KEY - path to your Let's Encrypt account private key - -e EMAIL, --email EMAIL - contact email, default is webmaster@<shortest_domain> -user@hostname:~$ -``` - -## Example use of the signing script - -### Commands (what you do in your main terminal window) -``` -user@hostname:~$ openssl genrsa -aes256 4096 > user.key -Generating RSA private key, 4096 bit long modulus -.....................................++++ -...................................................++++ -e is 65537 (0x10001) -Enter pass phrase: -Verifying - Enter pass phrase: -user@hostname:~$ openssl genrsa -aes256 4096 > domain.key -Generating RSA private key, 4096 bit long modulus 
-................................................++++ -.................................................................................................................++++ -e is 65537 (0x10001) -Enter pass phrase: -Verifying - Enter pass phrase: -user@hostname:~$ openssl req -new -sha256 -key domain.key -subj "/CN=letsencrypt.daylightpirates.org" > domain.csr -Enter pass phrase for domain.key: -user@hostname:~$ python3 sign_csr.py -k user.key -e daniel@roesler.cc domain.csr > chained.pem -Reading pubkey file... -Enter pass phrase for user.key: -Found public key! -Reading csr file... -Found domains letsencrypt.daylightpirates.org -Registering daniel@roesler.cc... -Enter pass phrase for user.key: -Already registered! -Making new order for letsencrypt.daylightpirates.org... -Enter pass phrase for user.key: -Requesting challenges... -Enter pass phrase for user.key: -Please update your server to serve the following file at this URL: - --------------- -URL: http://letsencrypt.daylightpirates.org/.well-known/acme-challenge/fcGheyb6yNjSQ7oQ3hFXZqCRpKHrkeq9eBFOcloAO_k -File contents: "fcGheyb6yNjSQ7oQ3hFXZqCRpKHrkeq9eBFOcloAO_k.aY_r0djPrHVGZ6MONmcsSN84_mUmUtHydtPGFq7LKWY" --------------- - -Notes: -- Do not include the quotes in the file. -- The file should be one line without any spaces. - -Press Enter when you've got the file hosted on your server... -Requesting verification for letsencrypt.daylightpirates.org... -Enter pass phrase for user.key: -Enter pass phrase for user.key: -letsencrypt.daylightpirates.org verified! -Enter pass phrase for user.key: -Waiting for letsencrypt.daylightpirates.org challenge to pass... -Enter pass phrase for user.key: -Passed letsencrypt.daylightpirates.org challenge! -Getting certificate... -Enter pass phrase for user.key: -Received certificate! -You can remove the acme-challenge file from your webserver now. 
-user@hostname:~$ cat chained.pem ------BEGIN CERTIFICATE----- -MIIGJTCCBQ2gAwIBAgISATBRUGjFwTtjF4adpF7zd/5qMA0GCSqGSIb3DQEBCwUA -MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD -ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEwMjQwOTU4MDBaFw0x -NjAxMjIwOTU4MDBaMCoxKDAmBgNVBAMTH2xldHNlbmNyeXB0LmRheWxpZ2h0cGly -YXRlcy5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2Ac7twhMz -AxreQxmlY0gBq20zrriMOCLTwwdJ3sfv9bNxo+iG7eidu9imLI0FNjZkxtpyJeG/ -+4OnvTgChHiTEKtD0Q3SoeSOu3Bl73d4bVBfTsvj0yEoMrF4Y89VvqbH7HP+2evv -Uraj2Qv0EUor3KAsOJW4hiSQedmz69+3IVZHWdpyYTtC1HjO9C5DqPgD7hlrtRrP -k0SL4j048NIiDvMm36pzn/UM+HxuavVxIyQ7BigDk7Hev6jXH2BqQk0ADtR0CycI -nJeS5gk+i6ImDeOsrhPrXvub02aRbol/paoSknskAOJKe4628dd873QfMXnQz1JT -aggaFQA1S8M2DY9l574/gOH39BudXdvOGzln7MeDJoi7Tybih2FJJbj8tQPV2zwh -ArbKLHPJibM1HP8jc7QQcrWnNf3H2N5FhP8uvEVchdYk3zV2tJPqlQnsHctOjNrV -18WRsl+JpUNLclRWQ3JLYZL+waIaJvsAsjp58J3XK1PI1s7QPuJpI3u7hlu4zz2e -TMF8OqAEy+rkHML5j+ncB+ctxhgNgirwpCUQ3NL9rslte0OmO+kzjrVfJ7o5D6zt -Hn5xg2WTgNoCdXbIruEzC43SqkPIH8VeFkzjPCqGajQsXXmdbDyoNkJ+SK0Fz0hI -3alW4kaOSe0aeto22sKtOjsIy7GF6qDw4QIDAQABo4ICIzCCAh8wDgYDVR0PAQH/ -BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E -AjAAMB0GA1UdDgQWBBSpGhk6yOALnLPWzrncMA/wnd6nNzAfBgNVHSMEGDAWgBSo -SmpjBH3duubRObemRWXv86jsoTBwBggrBgEFBQcBAQRkMGIwLwYIKwYBBQUHMAGG -I2h0dHA6Ly9vY3NwLmludC14MS5sZXRzZW5jcnlwdC5vcmcvMC8GCCsGAQUFBzAC -hiNodHRwOi8vY2VydC5pbnQteDEubGV0c2VuY3J5cHQub3JnLzAqBgNVHREEIzAh -gh9sZXRzZW5jcnlwdC5kYXlsaWdodHBpcmF0ZXMub3JnMIIBAAYDVR0gBIH4MIH1 -MAoGBmeBDAECATAAMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0 -cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBD -ZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBh -cnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0 -ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3Np -dG9yeS8wDQYJKoZIhvcNAQELBQADggEBADQ2nWJa0jSOgStC7luKLmNOiNZTbiYP -ITFetj6WpRIsAHwz3vTwDIWFtczrhksWRTU9mCIwaxtqflZrirc3mE6jKugeSUHr 
-1yqTXZ097rDNAnMvUtvoET/UBkAU+gUDn8zRFtKOePuWX7P8qHq8QqjNqMC0vb5s -ncyFqSSZl1j9e5l+Kpj/GeTCwkwck5U75Ry44kPbnu5JLd70P724gBnyEi6IxXHB -txXZEUmI0R1Ee3Kw/5N6JfeWNE1KEmM47VVFomRitruxBj9nlXtIILvkPCTWkDua -pr1OmFi/rUcaHw+Txbs8aBmZEBkxy9HPSfgqqlYqEd0ipGqFtqaFJEI= ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow -SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT -GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF -q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 -SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 -Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA -a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj -/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T -AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG -CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv -bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k -c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw -VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC -ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz -MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu -Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF -AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo -uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ -wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu -X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG -PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 -KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== ------END CERTIFICATE----- -user@hostname:~$ -``` - -### Server 
Commands (the stuff the script asked you to do on your server) -``` -ubuntu@letsencrypt.daylightpirates.org:~$ cd /var/www/root -ubuntu@letsencrypt.daylightpirates.org:/var/www/root$ mkdir -p .well-known/acme-challenge/ -ubuntu@letsencrypt.daylightpirates.org:/var/www/root$ echo "fcGheyb6yNjSQ7oQ3hFXZqCRpKHrkeq9eBFOcloAO_k.aY_r0djPrHVGZ6MONmcsSN84_mUmUtHydtPGFq7LKWY" > .well-known/acme-challenge/fcGheyb6yNjSQ7oQ3hFXZqCRpKHrkeq9eBFOcloAO_k -ubuntu@letsencrypt.daylightpirates.org:/var/www/root$ -``` - -## How to use the signed https certificate - -The signed https certificate that is output by this script can be used along -with your private key to run an https server. You just securely transfer (using -`scp` or similar) the private key and signed certificate to your server, then -include them in the https settings in your web server's configuration. Here's an -example on how to configure an nginx server: - -An unencrypted version of the domain private key needs to be deployed on the -server, to decrypt domain private key do: - -``` -openssl rsa -in domain.key -out domain.d.key -``` - -```nginx -server { - listen 443; - server_name letsencrypt.daylightpirates.org; - ssl on; - ssl_certificate chained.pem; - ssl_certificate_key domain.d.key; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA; - ssl_session_cache shared:SSL:50m; - ssl_dhparam /etc/nginx/server.dhparam; - ssl_prefer_server_ciphers on; - - location / { - return 200 'Let\'s Encrypt Example: https://github.com/diafygi/acme-nosudo'; - add_header Content-Type text/plain; - } -} -``` - -## Demo - -Here's a website that is using a certificate signed using `sign_csr.py`: - -[https://letsencrypt.daylightpirates.org/](https://letsencrypt.daylightpirates.org/) - ## How to use the 
revocation script First, you will need to the user account key for Let's Encrypt that was used 
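Review bot: deleting the whole "How to use the signed https certificate" section removes the only place the README told users that an unencrypted copy of the domain key (`openssl rsa -in domain.key -out domain.d.key`) has to be deployed and that the key and certificate should be transferred with `scp` or similar; the surviving context only says the certificate is written to `signed.crt`. Suggest keeping a short deployment paragraph while dropping the nginx block itself, since `ssl on;` and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` are outdated and should not be copied into new configurations. The removed help text was also the only place stating "YOUR ACCOUNT KEY NEEDS TO BE DIFFERENT FROM YOUR DOMAIN KEY" and documenting the `-e/--email` default of `webmaster@<shortest_domain>`; if the help text is not kept in the README, carry at least the key-separation note into the remaining signing section.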
@@ -323,73 +84,3 @@ absolute. ```sh python3 revoke_crt.py -k user.key domain.crt ``` - -### Help text -``` -user@hostname:~$ python3 revoke_crt.py --help -usage: revoke_crt.py [-h] -k ACCOUNT_KEY crt_path - -Get a SSL certificate revoked by a Let's Encrypt (ACME) certificate -authority. You do NOT need to run this script on your server, it is -meant to be run on your computer. - -NOTE: YOUR USER KEY NEEDS TO BE THE SAME KEY USED TO ISSUE THE CERTIFICATE. - -Prerequisites: -* openssl -* python 3 - -Example: --------------- -$ python3 revoke_crt.py --account-key user.key domain.crt --------------- - -positional arguments: - crt_path path to your signed certificate - -optional arguments: - -h, --help show this help message and exit - -k ACCOUNT_KEY, --account-key ACCOUNT_KEY - path to your Let's Encrypt account private key -user@hostname:~$ -``` - -## Example use of the revocation script - -### Commands (what you do in your main terminal window) -``` -user@hostname:~$ python3 revoke_crt.py -k user.key chained.pem -Reading pubkey file... -Enter pass phrase for user.key: -Found public key! -Getting account info... -Enter pass phrase for user.key: -Enter pass phrase for user.key: -Certificate revoked! -user@hostname:~$ -``` - -## Alternative: Official Let's Encrypt Client - -After I released this script, Let's Encrypt added a manual authenticator to -allow the Let's Encrypt client to not have to be run on your server. Hooray! -However, the Let's Encrypt client still has access to your user account private -keys, so please be aware of that. Anyway, check out the comment on issue -[#5](https://github.com/diafygi/acme-nosudo/issues/5#issuecomment-117283651) -to see how to use the manual authenticator in the official Let's Encrypt client. 
- -``` -./letsencrypt-auto --email diafygi@gmail.com --text --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr -``` - -## Feedback/Contributing - -I'd love to receive feedback, issues, and pull requests to make this script -better. The script itself, `sign_csr.py`, is less than 500 lines of code, so -feel free to read through it! I tried to comment things well and make it crystal -clear what it's doing. - -For example, it currently can't do any ACME challenges besides 'http-01'. Maybe -someone could do a pull request to add more challenge compatibility? - - |
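Review bot: removing the revocation help text loses the constraint "YOUR USER KEY NEEDS TO BE THE SAME KEY USED TO ISSUE THE CERTIFICATE", and the one remaining sentence that carries it, the context line "First, you will need to the user account key for Let's Encrypt that was used", is missing a word ("you will need the user account key"); fixing that line in this commit would keep the requirement documented. The deleted "Feedback/Contributing" section was also the only statement that the signing script supports no ACME challenge other than 'http-01'; suggest adding a one-line limitations note so users whose domains cannot serve an HTTP challenge know up front. Dropping the "Alternative: Official Let's Encrypt Client" section with its `letsencrypt-auto` invocation is fine, since that command line and the linked issue belong to the upstream project rather than this fork.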