renamed project to dehydrated and main script to dehydrated.sh

This commit is contained in:
Lukas Schauer
2016-09-13 19:48:27 +02:00
parent 992beecbdb
commit 64e35463cb
13 changed files with 49 additions and 43 deletions


@@ -1,10 +1,14 @@
# Change Log
This file contains a log of major changes in letsencrypt.sh
This file contains a log of major changes in dehydrated.sh
## [x.x.x] - xxxx-xx-xx
## Changed
- ...
## [0.3.1] - 2016-09-13
## Changed
- Renamed project to `dehydrated` and main script to `dehydrated.sh`.
## [0.3.0] - 2016-09-07
## Changed
- Config is now named `config` instead of `config.sh`!


@@ -1,4 +1,6 @@
# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)
# dehydrated.sh [![Build Status](https://travis-ci.org/lukas2511/dehydrated.svg?branch=master)](https://travis-ci.org/lukas2511/dehydrated)
![](docs/logo.jpg)
This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.
@@ -28,7 +30,7 @@ If you have any problems take a look at our [Troubleshooting](docs/troubleshooti
## Usage:
```text
Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Usage: ./dehydrated.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Default command: help


@@ -1,7 +1,7 @@
#!/usr/bin/env bash
# letsencrypt.sh by lukas2511
# Source: https://github.com/lukas2511/letsencrypt.sh
# dehydrated.sh by lukas2511
# Source: https://github.com/lukas2511/dehydrated
#
# This script is licensed under The MIT License (see LICENSE for more information).
@@ -25,7 +25,7 @@ BASEDIR="${SCRIPTDIR}"
# Create (identifiable) temporary files
_mktemp() {
# shellcheck disable=SC2068
mktemp ${@:-} "${TMPDIR:-/tmp}/letsencrypt.sh-XXXXXX"
mktemp ${@:-} "${TMPDIR:-/tmp}/dehydrated.sh-XXXXXX"
}
# Check for script dependencies
@@ -94,7 +94,7 @@ verify_config() {
load_config() {
# Check for config in various locations
if [[ -z "${CONFIG:-}" ]]; then
for check_config in "/etc/letsencrypt.sh" "/usr/local/etc/letsencrypt.sh" "${PWD}" "${SCRIPTDIR}"; do
for check_config in "/etc/dehydrated.sh" "/usr/local/etc/dehydrated.sh" "${PWD}" "${SCRIPTDIR}"; do
if [[ -f "${check_config}/config" ]]; then
BASEDIR="${check_config}"
CONFIG="${check_config}/config"
@@ -181,7 +181,7 @@ load_config() {
[[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
[[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/letsencrypt"
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
[[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
[[ -n "${PARAM_NO_LOCK:-}" ]] && LOCKFILE=""
@@ -246,7 +246,7 @@ init_system() {
# If we generated a new private key in the step above we have to register it with the acme-server
if [[ "${register_new_key}" = "yes" ]]; then
echo "+ Registering account key with letsencrypt..."
echo "+ Registering account key with ACME server..."
[[ ! -z "${CA_NEW_REG}" ]] || _exiterr "Certificate authority doesn't allow registrations."
# If an email for the contact has been provided then adding it to the registration request
FAILED=false
@@ -924,7 +924,7 @@ command_help() {
# Usage: --env (-e)
# Description: Output configuration variables for use in other scripts
command_env() {
echo "# letsencrypt.sh configuration"
echo "# dehydrated.sh configuration"
load_config
typeset -p CA LICENSE CERTDIR CHALLENGETYPE DOMAINS_D DOMAINS_TXT HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
}
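Review bot: The config search path in load_config (`for check_config in "/etc/dehydrated.sh" "/usr/local/etc/dehydrated.sh" "${PWD}" "${SCRIPTDIR}"; do`) does not match the locations this same commit documents in the config file header (`/usr/local/etc/dehydrated/config`, `/etc/dehydrated/config`) and in the hook-chain example output (`Using main config file /etc/dehydrated/config`). A user who follows the docs and installs the config under `/etc/dehydrated/` will not be matched by this loop and, as the visible lines show, the search falls through to `${PWD}` and `${SCRIPTDIR}`, so a cron run may silently pick up a config (CA URL, key paths, hook) from the working directory instead of the system location. Either the loop should read `for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"; do` or the config and docs sections should name the `.sh` directories; the hunk does not show which was intended. The same mismatch is visible in the config file section of this commit. load_config continues outside the hunk.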


@@ -19,4 +19,4 @@ Or when you do have a DNS API, pass the details accordingly to achieve the same
You can delete the TXT record when called with operation clean_challenge, when $2 is also the domain name.
Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)
Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)


@@ -1,6 +1,6 @@
### domains.txt
letsencrypt.sh uses the file `domains.txt` as configuration for which certificates should be requested.
dehydrated.sh uses the file `domains.txt` as configuration for which certificates should be requested.
The file should have the following format:


@@ -1,10 +1,10 @@
########################################################
# This is the main config file for letsencrypt.sh #
# This is the main config file for dehydrated.sh #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/letsencrypt.sh/config #
# /etc/letsencrypt.sh/config #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
@@ -42,8 +42,8 @@
# Directory for account keys and registration information
#ACCOUNTDIR="${BASEDIR}/accounts"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/letsencrypt)
#WELLKNOWN="/var/www/letsencrypt"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
#WELLKNOWN="/var/www/dehydrated"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"


@@ -9,7 +9,7 @@ See below for an example on how the calls change:
### HOOK_CHAIN="no" (default behaviour)
```
# INFO: Using main config file /etc/letsencrypt.sh/config
# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
@@ -31,13 +31,13 @@ HOOK: clean_challenge www.lukas.im blublublu blublublu.supersecure
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152442
HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152442
+ Done!
```
### HOOK_CHAIN="yes"
```
# INFO: Using main config file /etc/letsencrypt.sh/config
# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
@@ -57,7 +57,7 @@ HOOK: clean_challenge lukas.im blablabla blablabla.supersecure www.lukas.im blub
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152408
HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152408
+ Done!
```


@@ -1,3 +1,3 @@
# Import
If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client).
If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/dehydrated/wiki/Import-from-official-letsencrypt-client).

docs/logo.jpg Normal file




@@ -1,6 +1,6 @@
# Config on per-certificate base
letsencrypt.sh allows a few configuration variables to be set on a per-certificate base.
dehydrated.sh allows a few configuration variables to be set on a per-certificate base.
To use this feature create a `config` file in the certificates output directory (e.g. `certs/example.org/config`).


@@ -6,7 +6,7 @@ Generally if the following information doesn't provide a solution to your proble
You probably changed from staging-CA to production-CA (or the other way).
Currently letsencrypt.sh doesn't detect a missing registration on the selected CA,
Currently dehydrated.sh doesn't detect a missing registration on the selected CA,
the current workaround is to move `private_key.pem` (and, if you care, `private_key.json`) out of the way so the scripts generates and registers a new one.
This will hopefully be fixed in the future.
@@ -19,13 +19,13 @@ LICENSE1 and LICENSE2 are just placeholders for the real values in this troubles
## "Error creating new cert :: Too many certificates already issued for: [...]"
This is not an issue with letsencrypt.sh but an API limit with letsencrypt.
This is not an issue with dehydrated.sh but an API limit with boulder (the ACME server).
At the time of writing this you can only create 5 certificates per domain in a sliding window of 7 days.
## "Certificate request has 123 names, maximum is 100."
This also is an API limit from letsencrypt, you are requesting to sign a certificate with way too many domains.
This also is an API limit from boulder, you are requesting to sign a certificate with way too many domains.
## Invalid challenges


@@ -5,7 +5,7 @@ It will do that for any (sub-)domain you want to sign a certificate for.
At the moment you'll need to have that location available over normal HTTP on port 80 (redirect to HTTPS will work, but starting point is always HTTP!).
letsencrypt.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
dehydrated.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
If you only have one docroot on your server you could easily do something like `WELLKNOWN=/var/www/.well-known/acme-challenge`, for anything else look at the example below.
@@ -13,7 +13,7 @@ If you only have one docroot on your server you could easily do something like `
If you have more than one docroot (or you are using your server as a reverse proxy / load balancer) the simple configuration mentioned above wouldn't work, but with just a few lines of webserver configuration this can be solved.
An example would be to create a directory `/var/www/letsencrypt` and set `WELLKNOWN=/var/www/letsencrypt` in the scripts config.
An example would be to create a directory `/var/www/dehydrated` and set `WELLKNOWN=/var/www/dehydrated` in the scripts config.
You'll need to configure aliases on your Webserver:
@@ -25,7 +25,7 @@ With Nginx you'll need to add this to any of your `server`/VHost config blocks:
server {
[...]
location /.well-known/acme-challenge {
alias /var/www/letsencrypt;
alias /var/www/dehydrated;
}
[...]
}
@@ -36,9 +36,9 @@ server {
With Apache just add this to your config and it should work in any VHost:
```apache
Alias /.well-known/acme-challenge /var/www/letsencrypt
Alias /.well-known/acme-challenge /var/www/dehydrated
<Directory /var/www/letsencrypt>
<Directory /var/www/dehydrated>
Options None
AllowOverride None
@@ -63,6 +63,6 @@ With Lighttpd just add this to your config and it should work in any VHost:
modules += "alias"
alias.url += (
"/.well-known/acme-challenge/" => "/var/www/letsencrypt/"
"/.well-known/acme-challenge/" => "/var/www/dehydrated/"
)
```

test.sh

@@ -84,7 +84,7 @@ TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':'
TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
echo "Couldn't get an url from ngrok, not a dehydrated.sh bug, tests can't continue."
exit 1
fi
@@ -104,7 +104,7 @@ touch domains.txt
# Check if help command is working
_TEST "Checking if help command is working..."
./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Default command: help"
_CHECK_LOG "--help (-h)"
_CHECK_LOG "--domain (-d) domain.tld"
@@ -112,7 +112,7 @@ _CHECK_ERRORLOG
# Run in cron mode with empty domains.txt (should only generate private key and exit)
_TEST "First run in cron mode, checking if private key is generated and registered"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Registering account key"
_CHECK_FILE accounts/*/account_key.pem
_CHECK_ERRORLOG
@@ -120,7 +120,7 @@ _CHECK_ERRORLOG
# Temporarily move config out of the way and try signing certificate by using temporary config location
_TEST "Try signing using temporary config location and with domain as command line parameter"
mv config tmp_config
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
@@ -133,7 +133,7 @@ mv tmp_config config
# Add third domain to command-lime, should force renewal.
_TEST "Run in cron mode again, this time adding third domain, should force renewal."
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Domain name(s) are not matching!"
_CHECK_LOG "Forcing renew."
_CHECK_LOG "Generating private key"
@@ -151,7 +151,7 @@ echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt
# Run in cron mode again (should find a non-expiring certificate and do nothing)
_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Skipping renew"
_CHECK_ERRORLOG
@@ -161,7 +161,7 @@ echo 'PRIVATE_KEY_RENEW="no"' >> config
# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Ignoring because renew was forced!"
_CHECK_NOT_LOG "Generating private key"
@@ -175,7 +175,7 @@ _CHECK_ERRORLOG
# Check if signcsr command is working
_TEST "Running signcsr command"
./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "BEGIN CERTIFICATE"
_CHECK_LOG "END CERTIFICATE"
_CHECK_NOT_LOG "ERROR"
@@ -183,7 +183,7 @@ _CHECK_NOT_LOG "ERROR"
# Check if renewal works
_TEST "Run in cron mode again, to check if renewal works"
echo 'RENEW_DAYS="300"' >> config
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Renewing!"
_CHECK_ERRORLOG
@@ -202,7 +202,7 @@ _CHECK_ERRORLOG
# Revoke certificate using certificate key
_TEST "Revoking certificate..."
./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
_CHECK_LOG "Done."
@@ -211,7 +211,7 @@ _CHECK_ERRORLOG
# Test cleanup command
_TEST "Cleaning up certificates"
./letsencrypt.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"