update letsencrypt conventions

This commit is contained in:
AJ ONeal 2015-07-13 17:46:44 -06:00
parent eaf0e60b12
commit 7dbe9bd605
3 changed files with 43 additions and 24 deletions

View File

@ -31,20 +31,20 @@ Usage
Specifying a custom HTTPS certificate:
* `--key /path/to/privkey.pem` specifies the server private key
* `--cert /path/to/cert.pem` specifies the server certificate
* `--chain /path/to/chain.pem` specifies the certificate authorities
* `--cert /path/to/fullchain.pem` specifies the bundle of server certificate and all intermediate certificates
* `--root /path/to/root.pem` specifies the certificate authority(ies)
Note: `--chain` may specify single cert, a bundle, and may be used multiple times like so:
Note: `--root` may specify single cert or a bundle, and may be used multiple times like so:
```
--chain /path/to/intermediate-ca-1.pem --chain /path/to/intermediate-ca-2.pem
--root /path/to/primary-root.pem --root /path/to/cross-root.pem
```
Other options:
* `--serve-chain true` alias for `-c` with the contents of chain.pem
* `--serve-root true` alias for `-c` with the contents of root.pem
* `--servername example.com` changes the servername logged to the console
* `--letsencrypt-certs example.com` sets and key, cert, and chain to standard letsencrypt locations
* `--letsencrypt-certs example.com` sets and key, fullchain, and root to standard letsencrypt locations
Examples
--------
@ -82,7 +82,7 @@ you can do so like this:
```bash
sudo serve-https -p 8443 \
--letsencrypt-certs test.mooo.com \
--serve-chain true
--serve-root true
```
which is equilavent to
@ -91,16 +91,16 @@ which is equilavent to
sudo serve-https -p 8443 \
--servername test.mooo.com
--key /etc/letsencrypt/live/test.mooo.com/privkey.pem \
--cert /etc/letsencrypt/live/test.mooo.com/cert.pem \
--chain /etc/letsencrypt/live/test.mooo.com/chain.pem \
-c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/chain.pem')"
--cert /etc/letsencrypt/live/test.mooo.com/fullchain.pem \
--root /etc/letsencrypt/live/test.mooo.com/root.pem \
-c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/root.pem')"
```
and can be tested like so
```bash
curl --insecure https://test.mooo.com:8443 > ./chain.pem
curl https://test.mooo.com:8843 --cacert ./chain.pem
curl --insecure https://test.mooo.com:8443 > ./root.pem
curl https://test.mooo.com:8843 --cacert ./root.pem
```
* [QuickStart Guide for Let's Encrypt](https://coolaj86.com/articles/lets-encrypt-on-raspberry-pi/)

View File

@ -39,7 +39,7 @@
"homepage": "https://github.com/Daplie/localhost.daplie.com-server#readme",
"dependencies": {
"finalhandler": "^0.4.0",
"localhost.daplie.com-certificates": "^1.0.2",
"localhost.daplie.com-certificates": "^1.1.2",
"minimist": "^1.1.1",
"redirect-https": "^1.1.0",
"serve-index": "^1.7.0",

View File

@ -76,35 +76,47 @@ function run() {
var opts = {
key: cert.key
, cert: cert.cert
, ca: cert.ca
//, ca: cert.ca
, SNICallback: function (servername, cb) {
cb(null, require('tls').createSecureContext(opts));
return;
}
};
var peerCa;
if (letsencryptHost) {
argv.key = argv.key || '/etc/letsencrypt/live/' + letsencryptHost + '/privkey.pem';
argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/cert.pem';
argv.chain = argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/chain.pem';
argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/fullchain.pem';
argv.root = argv.root || argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/root.pem';
argv.servername = argv.servername || letsencryptHost;
argv['serve-root'] = argv['serve-root'] || argv['serve-chain'];
}
if (argv.key || argv.cert || argv.chain || argv['serve-chain']) {
if (!argv.key || !argv.cert || !argv.chain) {
console.error("You must specify each of --key --cert and --chain (chain may be empty)");
if (argv['serve-root'] && !argv.root) {
console.error("You must specify bath --root to use --serve-root");
return;
}
if (!Array.isArray(argv.chain)) {
argv.chain = [argv.chain];
if (argv.key || argv.cert || argv.root) {
if (!argv.key || !argv.cert) {
console.error("You must specify bath --key and --cert, and optionally --root (required with serve-root)");
return;
}
if (!Array.isArray(argv.root)) {
argv.root = [argv.root];
}
opts.key = fs.readFileSync(argv.key);
opts.cert = fs.readFileSync(argv.cert);
// turn multiple-cert pemfile into array of cert strings
opts.ca = argv.chain.reduce(function (chain, fullpath) {
return chain.concat(fs.readFileSync(fullpath, 'ascii')
peerCa = argv.root.reduce(function (roots, fullpath) {
if (!fs.existsSync(fullpath)) {
return roots;
}
return roots.concat(fs.readFileSync(fullpath, 'ascii')
.split('-----END CERTIFICATE-----')
.filter(function (ca) {
return ca.trim();
@ -113,9 +125,16 @@ function run() {
}));
}, []);
if (argv['serve-chain']) {
if (argv['serve-root']) {
content = opts.ca.join('\r\n');
}
// TODO * `--verify /path/to/root.pem` require peers to present certificates from said authority
if (argv.verify) {
opts.ca = peerCa;
opts.requestCert = true;
opts.rejectUnauthorized = true;
}
}
opts.servername = 'localhost.daplie.com';