From: Lukas Schauer Date: Fri, 8 Jan 2016 21:20:16 +0000 (+0100) Subject: moved import scripts from repository to wiki and updated readme a bit X-Git-Tag: v0.1.0~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e45f28bb0e40424290fb50f39c3cc77f5886e460;p=thirdparty%2Fdehydrated.git moved import scripts from repository to wiki and updated readme a bit --- diff --git a/README.md b/README.md index 4ddf04e..3457525 100644 --- a/README.md +++ b/README.md @@ -4,14 +4,11 @@ This is a client for signing certificates with an ACME-server (currently only pr It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed. -Other dependencies are (for now): curl, sed - -Perl no longer is a dependency. -The only remaining perl code in this repository is the script you can use to convert your existing letsencrypt-keyfile into something openssl (and this script) can read. +Other dependencies are: curl, sed, grep, mktemp (all found on almost any system, curl being the only exception) Current features: - Signing of a list of domains -- Renewal if a certificate is about to expire +- Renewal if a certificate is about to expire or SAN (subdomains) changed - Certificate revocation Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues. 
@@ -81,20 +78,4 @@ An alternative to setting the WELLKNOWN variable would be to create a symlink to ## Import -### import-account.pl - -This perl-script can be used to import the account key from the original letsencrypt client. - -You should copy `private_key.json` to the same directory as the script. -The json-file can be found in a subdirectory of `/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory`. - -Usage: `./import-account.pl` - -### import-certs.sh - -This script can be used to import private keys and certificates created by the original letsencrypt client. - -By default it expects the certificates to be found under `/etc/letsencrypt`, which is the default output directory of the original client. -You can change the path by setting LETSENCRYPT in your config file: ```LETSENCRYPT="/etc/letsencrypt"```. - -Usage: `./import-certs.sh` +If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client). diff --git a/import-account.pl b/import-account.pl deleted file mode 100755 index 5da86cc..0000000 --- a/import-account.pl +++ /dev/null 
@@ -1,26 +0,0 @@
-#!/usr/bin/env perl
-
-use strict;
-
-use Crypt::OpenSSL::RSA;
-use Crypt::OpenSSL::Bignum;
-use JSON;
-use File::Slurp;
-use MIME::Base64;
-
-my $json_file = "private_key.json";
-my $json_content = read_file($json_file);
-$json_content =~ tr/-/+/;
-$json_content =~ tr/_/\//;
-
-my $json = decode_json($json_content);
-
-my $n = Crypt::OpenSSL::Bignum->new_from_bin(decode_base64($json->{n}));
-my $e = Crypt::OpenSSL::Bignum->new_from_bin(decode_base64($json->{e}));
-my $d = Crypt::OpenSSL::Bignum->new_from_bin(decode_base64($json->{d}));
-my $p = Crypt::OpenSSL::Bignum->new_from_bin(decode_base64($json->{p}));
-my $q = Crypt::OpenSSL::Bignum->new_from_bin(decode_base64($json->{q}));
-
-my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e, $d, $p, $q);
-
-print($rsa->get_private_key_string());
diff --git a/import-certs.sh b/import-certs.sh
deleted file mode 100755
index 133f0af..0000000
--- a/import-certs.sh
+++ /dev/null
@@ -1,88 +0,0 @@ -#!/usr/bin/env bash - -set -e -set -u -set -o pipefail - -umask 077 # paranoid umask, we're creating private keys - -SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -BASEDIR="${SCRIPTDIR}" -LETSENCRYPT="/etc/letsencrypt" - -eval "$("${SCRIPTDIR}/letsencrypt.sh" --env)" - -if [[ ! -e "${LETSENCRYPT}" ]]; then - echo "No existing letsencrypt files found." - exit 1 -fi - -if [[ -e "${BASEDIR}/domains.txt" ]]; then - DOMAINS_TXT="${BASEDIR}/domains.txt" -elif [[ -e "${SCRIPTDIR}/domains.txt" ]]; then - DOMAINS_TXT="${SCRIPTDIR}/domains.txt" -else - echo "You have to create a domains.txt file listing the domains you want certificates for. Have a look at domains.txt.example." - echo "For the purpose of this import script the file can be empty, but it has to exist." - exit 1 -fi - -for certdir in "${LETSENCRYPT}/live/"*; do - domain="$(basename "${certdir}")" - echo "Processing ${domain}" - - # Check if we already have a certificate for the same (main) domain - if [ -e "${BASEDIR}/certs/${domain}" ]; then - echo " + Skipping: Found existing certificate directory, don't want to delete anything." - continue - fi - - # Check if private-key, certificate and fullchain exist - if [[ ! -e "${certdir}/privkey.pem" ]]; then - echo " + Skipping: Private key is missing." - continue - fi - if [[ ! -e "${certdir}/cert.pem" ]]; then - echo " + Skipping: Certificate is missing." - continue - fi - if [[ ! -e "${certdir}/fullchain.pem" ]]; then - echo " + Skipping: Chain is missing." - continue - fi - - # Check if certificate still valid - if ! openssl x509 -checkend 0 -noout -in "${certdir}/cert.pem" >/dev/null 2>&1; then - echo " + Skipping: Certificate is expired." 
- continue - fi - - # Import certificate - timestamp="$(date +%s)" - - echo " + Adding list of domains to ${DOMAINS_TXT}" - SAN="$(openssl x509 -in "${certdir}/cert.pem" -noout -text | grep -A1 "Subject Alternative Name" | grep "DNS")" - SAN="${SAN//DNS:/}" - SAN="${SAN//, / }" - altnames="${domain}" - for altname in ${SAN}; do - if [[ ! "${altname}" = "${domain}" ]]; then - altnames="${altnames} ${altname}" - fi - done - echo "${altnames}" >> "${DOMAINS_TXT}" - - mkdir -p "${BASEDIR}/certs/${domain}" - - echo " + Importing private key" - cat "${certdir}/privkey.pem" > "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" - ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem" - - echo " + Importing certificate" - cat "${certdir}/cert.pem" > "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem" - ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem" - - echo " + Importing chain" - cat "${certdir}/fullchain.pem" > "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem" - ln -s "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem" -done