# Change Log
-This file contains a log of major changes in letsencrypt.sh
+This file contains a log of major changes in dehydrated.sh
## [x.x.x] - xxxx-xx-xx
## Changed
- ...
+## [0.3.1] - 2016-09-13
+## Changed
+- Renamed project to `dehydrated` and main script to `dehydrated.sh`.
+
## [0.3.0] - 2016-09-07
## Changed
- Config is now named `config` instead of `config.sh`!
-# letsencrypt.sh [](https://travis-ci.org/lukas2511/letsencrypt.sh)
+# dehydrated.sh [](https://travis-ci.org/lukas2511/dehydrated)
+
+
This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.
## Usage:
```text
-Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
+Usage: ./dehydrated.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Default command: help
#!/usr/bin/env bash
-# letsencrypt.sh by lukas2511
-# Source: https://github.com/lukas2511/letsencrypt.sh
+# dehydrated.sh by lukas2511
+# Source: https://github.com/lukas2511/dehydrated
#
# This script is licensed under The MIT License (see LICENSE for more information).
# Create (identifiable) temporary files
_mktemp() {
# shellcheck disable=SC2068
- mktemp ${@:-} "${TMPDIR:-/tmp}/letsencrypt.sh-XXXXXX"
+ mktemp ${@:-} "${TMPDIR:-/tmp}/dehydrated.sh-XXXXXX"
}
# Check for script dependencies
load_config() {
# Check for config in various locations
if [[ -z "${CONFIG:-}" ]]; then
- for check_config in "/etc/letsencrypt.sh" "/usr/local/etc/letsencrypt.sh" "${PWD}" "${SCRIPTDIR}"; do
+ for check_config in "/etc/dehydrated.sh" "/usr/local/etc/dehydrated.sh" "${PWD}" "${SCRIPTDIR}"; do
if [[ -f "${check_config}/config" ]]; then
BASEDIR="${check_config}"
CONFIG="${check_config}/config"
[[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
[[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
- [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/letsencrypt"
+ [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
[[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
[[ -n "${PARAM_NO_LOCK:-}" ]] && LOCKFILE=""
# If we generated a new private key in the step above we have to register it with the acme-server
if [[ "${register_new_key}" = "yes" ]]; then
- echo "+ Registering account key with letsencrypt..."
+ echo "+ Registering account key with ACME server..."
[[ ! -z "${CA_NEW_REG}" ]] || _exiterr "Certificate authority doesn't allow registrations."
# If an email for the contact has been provided then adding it to the registration request
FAILED=false
# Usage: --env (-e)
# Description: Output configuration variables for use in other scripts
command_env() {
- echo "# letsencrypt.sh configuration"
+ echo "# dehydrated.sh configuration"
load_config
typeset -p CA LICENSE CERTDIR CHALLENGETYPE DOMAINS_D DOMAINS_TXT HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
}
You can delete the TXT record when called with operation clean_challenge, when $2 is also the domain name.
-Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)
+Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)
### domains.txt
-letsencrypt.sh uses the file `domains.txt` as configuration for which certificates should be requested.
+dehydrated.sh uses the file `domains.txt` as configuration for which certificates should be requested.
The file should have the following format:
########################################################
-# This is the main config file for letsencrypt.sh #
+# This is the main config file for dehydrated.sh #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
-# /usr/local/etc/letsencrypt.sh/config #
-# /etc/letsencrypt.sh/config #
+# /usr/local/etc/dehydrated/config #
+# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
# Directory for account keys and registration information
#ACCOUNTDIR="${BASEDIR}/accounts"
-# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/letsencrypt)
-#WELLKNOWN="/var/www/letsencrypt"
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+#WELLKNOWN="/var/www/dehydrated"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
### HOOK_CHAIN="no" (default behaviour)
```
-# INFO: Using main config file /etc/letsencrypt.sh/config
+# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
-HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152442
+HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152442
+ Done!
```
### HOOK_CHAIN="yes"
```
-# INFO: Using main config file /etc/letsencrypt.sh/config
+# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
-HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152408
+HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152408
+ Done!
```
# Import
-If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client).
+If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/dehydrated/wiki/Import-from-official-letsencrypt-client).
# Config on per-certificate base
-letsencrypt.sh allows a few configuration variables to be set on a per-certificate base.
+dehydrated.sh allows a few configuration variables to be set on a per-certificate base.
To use this feature create a `config` file in the certificates output directory (e.g. `certs/example.org/config`).
You probably changed from staging-CA to production-CA (or the other way).
-Currently letsencrypt.sh doesn't detect a missing registration on the selected CA,
+Currently dehydrated.sh doesn't detect a missing registration on the selected CA,
the current workaround is to move `private_key.pem` (and, if you care, `private_key.json`) out of the way so the scripts generates and registers a new one.
This will hopefully be fixed in the future.
## "Error creating new cert :: Too many certificates already issued for: [...]"
-This is not an issue with letsencrypt.sh but an API limit with letsencrypt.
+This is not an issue with dehydrated.sh but an API limit with boulder (the ACME server).
At the time of writing this you can only create 5 certificates per domain in a sliding window of 7 days.
## "Certificate request has 123 names, maximum is 100."
-This also is an API limit from letsencrypt, you are requesting to sign a certificate with way too many domains.
+This also is an API limit from boulder, you are requesting to sign a certificate with way too many domains.
## Invalid challenges
At the moment you'll need to have that location available over normal HTTP on port 80 (redirect to HTTPS will work, but starting point is always HTTP!).
-letsencrypt.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
+dehydrated.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
If you only have one docroot on your server you could easily do something like `WELLKNOWN=/var/www/.well-known/acme-challenge`, for anything else look at the example below.
If you have more than one docroot (or you are using your server as a reverse proxy / load balancer) the simple configuration mentioned above wouldn't work, but with just a few lines of webserver configuration this can be solved.
-An example would be to create a directory `/var/www/letsencrypt` and set `WELLKNOWN=/var/www/letsencrypt` in the scripts config.
+An example would be to create a directory `/var/www/dehydrated` and set `WELLKNOWN=/var/www/dehydrated` in the scripts config.
You'll need to configure aliases on your Webserver:
server {
[...]
location /.well-known/acme-challenge {
- alias /var/www/letsencrypt;
+ alias /var/www/dehydrated;
}
[...]
}
With Apache just add this to your config and it should work in any VHost:
```apache
-Alias /.well-known/acme-challenge /var/www/letsencrypt
+Alias /.well-known/acme-challenge /var/www/dehydrated
-<Directory /var/www/letsencrypt>
+<Directory /var/www/dehydrated>
Options None
AllowOverride None
modules += "alias"
alias.url += (
- "/.well-known/acme-challenge/" => "/var/www/letsencrypt/"
+ "/.well-known/acme-challenge/" => "/var/www/dehydrated/"
)
```
TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
- echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
+ echo "Couldn't get an url from ngrok, not a dehydrated.sh bug, tests can't continue."
exit 1
fi
# Check if help command is working
_TEST "Checking if help command is working..."
-./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Default command: help"
_CHECK_LOG "--help (-h)"
_CHECK_LOG "--domain (-d) domain.tld"
# Run in cron mode with empty domains.txt (should only generate private key and exit)
_TEST "First run in cron mode, checking if private key is generated and registered"
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Registering account key"
_CHECK_FILE accounts/*/account_key.pem
_CHECK_ERRORLOG
# Temporarily move config out of the way and try signing certificate by using temporary config location
_TEST "Try signing using temporary config location and with domain as command line parameter"
mv config tmp_config
-./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
# Add third domain to command-lime, should force renewal.
_TEST "Run in cron mode again, this time adding third domain, should force renewal."
-./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Domain name(s) are not matching!"
_CHECK_LOG "Forcing renew."
_CHECK_LOG "Generating private key"
# Run in cron mode again (should find a non-expiring certificate and do nothing)
_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Skipping renew"
_CHECK_ERRORLOG
# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
-./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Ignoring because renew was forced!"
_CHECK_NOT_LOG "Generating private key"
# Check if signcsr command is working
_TEST "Running signcsr command"
-./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "BEGIN CERTIFICATE"
_CHECK_LOG "END CERTIFICATE"
_CHECK_NOT_LOG "ERROR"
# Check if renewal works
_TEST "Run in cron mode again, to check if renewal works"
echo 'RENEW_DAYS="300"' >> config
-./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Renewing!"
_CHECK_ERRORLOG
# Revoke certificate using certificate key
_TEST "Revoking certificate..."
-./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
_CHECK_LOG "Done."
# Test cleanup command
_TEST "Cleaning up certificates"
-./letsencrypt.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
+./dehydrated.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
projects / thirdparty / dehydrated.git / commitdiff
