# acmens
A fork of [acme-nosudo][]. It uses the ACMEv2 protocol and requires Python 3.

[acme-nosudo]: https://github.com/diafygi/acme-nosudo

`acmens` may be used for getting a new SSL certificate, renewing an SSL
certificate for a domain, and revoking a certificate for a domain.

It's meant to be run locally from your computer.
## prerequisites
* openssl or libressl
* python3
* pip
* virtualenv (if you want to use the repo version)
## installation
```sh
pip install acmens
```
Or, if you would like to use the repo version:
```sh
cd /path/to/acmens
# init virtual environment
make venv
# activate virtual environment
. .venv/bin/activate
# put acmens in your PATH
make develop
# note that any changes you make to acmens.py will be instantly reflected
# in the acmens in your PATH.
# de-activate the virtual environment:
deactivate
```
## getting/renewing a certificate
First, generate a user account key for Let's Encrypt:
```sh
openssl genrsa -aes256 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
```
Next, generate the domain key and a certificate request:
```sh
# Generate domain key
openssl genrsa -aes256 -out domain.key 4096
# Generate CSR for a single domain
openssl req -new -sha256 -key domain.key -out domain.csr
# Or Generate CSR for multiple domains
openssl req -new -sha256 -key domain.key -subj "/" -addext "subjectAltName = DNS:example.com, DNS:www.example.com" > domain.csr
```
Lastly, run `acmens`:
```sh
acmens --account-key user.key --email mail@example.com --csr domain.csr > signed.crt
```
## dns challenge
If you want to use the DNS challenge type, provide it using the `--challenge` flag.
```sh
acmens --account-key user.key --email mail@example.com --challenge dns --csr domain.csr > signed.crt
```
This will prompt you to update the DNS records to add a TXT record.
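
To check the TXT record you are asked to publish, the added example below (not acmens's own code) computes the record name and value that an ACME dns-01 challenge expects under RFC 8555 and RFC 7638. The function names, the toy modulus and the token are constructed for illustration; real values come from your account public key and from the challenge the CA issues.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_jwk(n: int, e: int) -> dict:
    """Public RSA JWK from the modulus and exponent of the account key."""
    def to_bytes(i: int) -> bytes:
        return i.to_bytes((i.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "n": b64url(to_bytes(n)), "e": b64url(to_bytes(e))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    canonical = json.dumps(
        {k: jwk[k] for k in ("e", "kty", "n")},
        sort_keys=True, separators=(",", ":"),
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (record name, TXT value) for an ACME dns-01 challenge."""
    # A wildcard identifier is validated at the base domain.
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    # Constructed sample values: a toy modulus and a made-up token.
    # Real modulus and exponent can be read with
    # `openssl rsa -pubin -in user.pub -noout -text`.
    jwk = rsa_jwk(n=0xC0FFEE_0123456789ABCDEF_0001, e=65537)
    name, value = dns01_record("*.example.com", "constructed-token-123", jwk)
    print(name, "TXT", value)
```

The TXT value depends on both the token and the account key, so a record computed for one account key will not validate for another.
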
## revoking a certificate
This:
```sh
acmens --revoke -k user.key --crt signed.crt
```
will revoke the SSL certificate in `signed.crt`.