From aa82bb4f02e00837e90397583fe13757a228b61a Mon Sep 17 00:00:00 2001 From: Jason Heard Date: Sun, 15 Nov 2015 15:43:01 -0700 Subject: Update README to mention revocation --- README.md | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- revoke_crt.py | 5 ++- 2 files changed, 110 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index a16d5fb..9f59e65 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,12 @@ #Let's Encrypt Without Sudo -**WARNING: THE LET'S ENCRYPT CERTIFICATE AUTHORITY IS ONLY IN BETA! YOU MUST -HAVE A WHITELISTED DOMAIN DURING BETA. GENERAL AVAILABILITY WILL BE SOON!** +**WARNING: THE LET'S ENCRYPT CERTIFICATE AUTHORITY IS ONLY IN BETA!** The [Let's Encrypt](https://letsencrypt.org/) initiative is a fantastic program -that is going to offer **free** https certificates! However, the one catch is -that you need to use their command program to get a free certificate. You have -to run it on your your server as root, and it tries to edit your apache/nginx -config files. +that offers **free** https certificates! However, the one catch is that you need +to use their command program to get a free certificate. The default instructions +all assume that you will run it on your your server as root, and that it will +edit your apache/nginx config files. I love the Let's Encrypt devs dearly, but there's no way I'm going to trust their script to run on my server as root, be able to edit my server configs, and 
@@ -30,10 +29,14 @@ python https server that you can inspect for yourself before you run it. * [Donate](#donate) * [Prerequisites](#prerequisites) -* [How to use the script](#how-to-use-the-script) -* [Example Use](#example-use) -* [How to use the signed https certificate](#how-to-use-the-signed-https-certificate) -* [Demo](#demo) +* Signing script + * [How to use the signing script](#how-to-use-the-signing-script) + * [Example use of the signing script](#example-use-of-the-signing-script) + * [How to use the signed https certificate](#how-to-use-the-signed-https-certificate) + * [Demo](#demo) +* Revocation script + * [How to use the revocation script](#how-to-use-the-revocation-script) + * [Example use of the revocation script](#example-use-of-the-revocation-script) * [Feedback/Contributing](#feedbackcontributing) ##Donate @@ -48,7 +51,7 @@ but they do fantastic work. * openssl * python -##How to use the script +##How to use the signing script First, you need to generate an user account key for Let's Encrypt. This is the key that you use to register with Let's Encrypt. If you @@ -137,7 +140,7 @@ optional arguments: user@hostname:~$ ``` -##Example Use +##Example use of the signing script ###Commands (what you do in your main terminal window) ``` 
@@ -304,6 +307,97 @@ Here's a website that is using a certificate signed using `sign_csr.py`: [https://letsencrypt.daylightpirates.org/](https://letsencrypt.daylightpirates.org/) +##How to use the revocation script + +First, you will need to the user account key for Let's Encrypt that was used +when the certifacate was signed. + +Second, you will need the PEM encoded signed certificate that was produced bys +`sign_csr.py`. + +Third, you run the script using python and passing in the path to your user +account public key and the signed domain certificate. The paths can be relative +or absolute. If you wish to give the script access to your user private key, it +can accept that as an optional argument. + +```sh +python revoke_crt.py --public-key user.pub domain.crt +``` + +When you run the script, it will ask you do one manual signature if you didn't +provide your user private key. It has to ask you to do these because it doesn't +know your private key. You can edit the manual commands to fit your situation +(e.g. if your private key is in a different location). + +NOTE: When the script asks you to run these manual commands, you need to run +them in a separate terminal window. You need to keep the script open while you +run them. They sign temporary test files that the script created, so if you exit +or continue the script before you run the commands, those test files will be +destroyed before they can be used correctly (and you'll have to run the script +again). + +The `*.json` and `*.sig` files are temporary files automatically generated by +the script and will be destroyed when the script stops. They only contain the +protocol requests and signatures. They do NOT contain your private keys +because this script does not have access to your private keys unless you choose +to give it access to your user key. 
+ +###Help text +``` +user@hostname:~$ python revoke_crt.py --help +usage: revoke_crt.py [-h] -p PUBLIC_KEY [-r PRIVATE_KEY] crt_path + +Get a SSL certificate revoked by a Let's Encrypt (ACME) certificate authority. +You do NOT need to run this script on your server and this script does not ask +for your private keys. It will print out commands that you need to run with +your private key, which gives you a chance to review the commands instead of +trusting this script. + +NOTE: YOUR ACCOUNT KEY NEEDS TO BE THE SAME KEY USED TO ISSUE THE CERTIFICATE. + +Prerequisites: +* openssl +* python + +Example: +-------------- +$ python revoke_crt.py --public-key user.pub domain.crt +-------------- + +positional arguments: + crt_path path to your signed certificate + +optional arguments: + -h, --help show this help message and exit + -p PUBLIC_KEY, --public-key PUBLIC_KEY + path to your account public key +user@hostname:~$ +``` + +##Example use of the revocation script + +###Commands (what you do in your main terminal window) +``` +user@hostname:~$ python revoke_crt.py --public-key user.pub domain.crt +Reading pubkey file... +Found public key! +STEP 1: You need to sign a file (replace 'auth.key' with your user private key +or the certificate private key). + +openssl dgst -sha256 -sign auth.key -out revoke_Z5Qxj3.sig revoke_TKSK9w.json + +Press Enter when you've run the above command in a new terminal window... +Requesting revocation... +Certificate revoked! +user@hostname:~$ +``` + +###Manual Command (the stuff the script asked you to do in a 2nd terminal) +``` +#signed files +user@hostname:~$ openssl dgst -sha256 -sign user.key -out revoke_Z5Qxj3.sig revoke_TKSK9w.json +``` + ##Feedback/Contributing I'd love to receive feedback, issues, and pull requests to make this script 
@@ -312,8 +406,6 @@ feel free to read through it! I tried to comment things well and make it crystal clear what it's doing. For example, it currently can't do any ACME challenges besides SimpleHTTP. Maybe -someone could do a pull request to add more challenge compatibility? Also, it -currently can't revoke certificates, and I don't want to include that in the -`sign_csr.py` script. Perhaps there should also be a `revoke_crt.py` script? +someone could do a pull request to add more challenge compatibility? diff --git a/revoke_crt.py b/revoke_crt.py index b7aa5e1..ccfce0a 100644 --- a/revoke_crt.py +++ b/revoke_crt.py @@ -71,9 +71,10 @@ def revoke_crt(pubkey, crt): # Step 3: Ask the user to sign the revocation request sys.stderr.write("""\ -STEP 1: You need to sign some files (replace 'user.key' with your user private key). +STEP 1: You need to sign a file (replace 'auth.key' with your user private key¬ +or the certificate private key). -openssl dgst -sha256 -sign user.key -out {} {} +openssl dgst -sha256 -sign auth.key -out {} {} """.format(crt_file_sig_name, crt_file_name)) -- cgit v1.2.3
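Review bot: in the README.md hunk at `@@ -1,13 +1,12 @@`, the reworded sentence keeps the duplicated word from the old text: `+all assume that you will run it on your your server as root, and that it will` should read "on your server as root". Also, this hunk rewrites the beta warning and the intro paragraph, which is unrelated to the commit subject "Update README to mention revocation"; consider splitting it into its own commit so the revocation change stays easy to review.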
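Review bot: in the README.md hunk at `@@ -304,6 +307,97 @@`, the pasted help text is out of sync with the prose and with its own usage line. The usage line shows `usage: revoke_crt.py [-h] -p PUBLIC_KEY [-r PRIVATE_KEY] crt_path` and the paragraph above says the script "can accept that as an optional argument", but the "optional arguments:" list only documents `-p/--public-key`; add the `-r/--private-key` entry (or regenerate the block from `--help`). The new section also states the requirement three different ways: the prose says you need "the user account key ... that was used when the certificate was signed", the help text says "YOUR ACCOUNT KEY NEEDS TO BE THE SAME KEY USED TO ISSUE THE CERTIFICATE", while the captured script output says to "replace 'auth.key' with your user private key or the certificate private key"; pick one statement of which keys are accepted and use it everywhere. Smaller fixes in the same hunk: "you will need to the user account key" should be "you will need the user account key", "certifacate" should be "certificate", "produced bys" should be "produced by", "it will ask you do one manual signature" should be "ask you to do one manual signature", and the comment `#signed files` in the "Manual Command" block describes a single file, so "#signed file" (or "#sign the revocation request") would be accurate.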
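Review bot: in the revoke_crt.py hunk at `@@ -71,9 +10 @@`, the first added line ends in a stray character: `+STEP 1: You need to sign a file (replace 'auth.key' with your user private key¬`. If that `¬` is literally in the string it will be printed to the user in the middle of the sentence; confirm it is a display artifact of the diff viewer and not part of the source, and make sure the two lines join with a space in the printed message. Separately, the surrounding context comment reads `# Step 3: Ask the user to sign the revocation request` while the message printed to the user is labelled "STEP 1", and "STEP 1" implies further steps that do not exist for a single signature; either drop the numbering from the message or align it with the code comments.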