update letsencrypt conventions

README.md

@@ -31,20 +31,20 @@ Usage
 Specifying a custom HTTPS certificate:
 
 * `--key /path/to/privkey.pem` specifies the server private key
-* `--cert /path/to/cert.pem` specifies the server certificate
-* `--chain /path/to/chain.pem` specifies the certificate authorities
+* `--cert /path/to/fullchain.pem` specifies the bundle of server certificate and all intermediate certificates
+* `--root /path/to/root.pem` specifies the certificate authority(ies)
 
-Note: `--chain` may specify single cert, a bundle, and may be used multiple times like so:
+Note: `--root` may specify single cert or a bundle, and may be used multiple times like so:
 
 ```
---chain /path/to/intermediate-ca-1.pem --chain /path/to/intermediate-ca-2.pem
+--root /path/to/primary-root.pem --root /path/to/cross-root.pem
 ```
 
 Other options:
 
-* `--serve-chain true` alias for `-c` with the contents of chain.pem
+* `--serve-root true` alias for `-c` with the contents of root.pem
 * `--servername example.com` changes the servername logged to the console
-* `--letsencrypt-certs example.com` sets and key, cert, and chain to standard letsencrypt locations
+* `--letsencrypt-certs example.com` sets and key, fullchain, and root to standard letsencrypt locations
 
 Examples
 --------
@@ -82,7 +82,7 @@ you can do so like this:
 ```bash
 sudo serve-https -p 8443 \
   --letsencrypt-certs test.mooo.com \
-  --serve-chain true
+  --serve-root true
 ```
 
 which is equilavent to
@@ -91,16 +91,16 @@ which is equilavent to
 sudo serve-https -p 8443 \
   --servername test.mooo.com
   --key /etc/letsencrypt/live/test.mooo.com/privkey.pem \
-  --cert /etc/letsencrypt/live/test.mooo.com/cert.pem \
-  --chain /etc/letsencrypt/live/test.mooo.com/chain.pem \
-  -c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/chain.pem')"
+  --cert /etc/letsencrypt/live/test.mooo.com/fullchain.pem \
+  --root /etc/letsencrypt/live/test.mooo.com/root.pem \
+  -c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/root.pem')"
 ```
 
 and can be tested like so
 
 ```bash
-curl --insecure https://test.mooo.com:8443 > ./chain.pem
-curl https://test.mooo.com:8843 --cacert ./chain.pem
+curl --insecure https://test.mooo.com:8443 > ./root.pem
+curl https://test.mooo.com:8843 --cacert ./root.pem
 ```
 
 * [QuickStart Guide for Let's Encrypt](https://coolaj86.com/articles/lets-encrypt-on-raspberry-pi/)

package.json

@@ -39,7 +39,7 @@
   "homepage": "https://github.com/Daplie/localhost.daplie.com-server#readme",
   "dependencies": {
     "finalhandler": "^0.4.0",
-    "localhost.daplie.com-certificates": "^1.0.2",
+    "localhost.daplie.com-certificates": "^1.1.2",
     "minimist": "^1.1.1",
     "redirect-https": "^1.1.0",
     "serve-index": "^1.7.0",

serve.js

@@ -76,35 +76,47 @@ function run() {
   var opts = {
     key: cert.key
   , cert: cert.cert
-  , ca: cert.ca
+  //, ca: cert.ca
   , SNICallback: function (servername, cb) {
       cb(null, require('tls').createSecureContext(opts));
       return;
     }
   };
+  var peerCa;
 
   if (letsencryptHost) {
     argv.key = argv.key || '/etc/letsencrypt/live/' + letsencryptHost + '/privkey.pem';
-    argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/cert.pem';
-    argv.chain = argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/chain.pem';
+    argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/fullchain.pem';
+    argv.root = argv.root || argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/root.pem';
     argv.servername = argv.servername || letsencryptHost;
+    argv['serve-root'] = argv['serve-root'] || argv['serve-chain'];
   }
 
-  if (argv.key || argv.cert || argv.chain || argv['serve-chain']) {
-    if (!argv.key || !argv.cert || !argv.chain) {
-      console.error("You must specify each of --key --cert and --chain (chain may be empty)");
+  if (argv['serve-root'] && !argv.root) {
+    console.error("You must specify bath --root to use --serve-root");
+    return;
+  }
+
+  if (argv.key || argv.cert || argv.root) {
+    if (!argv.key || !argv.cert) {
+      console.error("You must specify bath --key and --cert, and optionally --root (required with serve-root)");
       return;
     }
 
-    if (!Array.isArray(argv.chain)) {
-      argv.chain = [argv.chain];
+    if (!Array.isArray(argv.root)) {
+      argv.root = [argv.root];
     }
 
     opts.key = fs.readFileSync(argv.key);
     opts.cert = fs.readFileSync(argv.cert);
+
     // turn multiple-cert pemfile into array of cert strings
-    opts.ca = argv.chain.reduce(function (chain, fullpath) {
-      return chain.concat(fs.readFileSync(fullpath, 'ascii')
+    peerCa = argv.root.reduce(function (roots, fullpath) {
+      if (!fs.existsSync(fullpath)) {
+        return roots;
+      }
+
+      return roots.concat(fs.readFileSync(fullpath, 'ascii')
       .split('-----END CERTIFICATE-----')
       .filter(function (ca) {
         return ca.trim();
@@ -113,9 +125,16 @@ function run() {
       }));
     }, []);
 
-    if (argv['serve-chain']) {
+    if (argv['serve-root']) {
       content = opts.ca.join('\r\n');
     }
+
+    // TODO * `--verify /path/to/root.pem` require peers to present certificates from said authority
+    if (argv.verify) {
+      opts.ca = peerCa;
+      opts.requestCert = true;
+      opts.rejectUnauthorized = true;
+    }
   }
 
   opts.servername = 'localhost.daplie.com';