fix renewal, add --renew-within, reorganise args

Ben Schmidt 2016-10-09 23:54:27 +11:00
parent 2f1b577117
commit 69f5fc9c45
3 changed files with 59 additions and 38 deletions


@ -237,24 +237,19 @@ Usage:
letsencrypt [OPTIONS] [ARGS] letsencrypt [OPTIONS] [ARGS]
Options: Options:
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
--email EMAIL Email used for registration and recovery contact. (default: null) --email EMAIL Email used for registration and recovery contact. (default: null)
--agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement
--domains URL Domain names to apply. For multiple domains you can enter a comma --domains URL Domain names to apply. For multiple domains you can enter a comma
separated list of domains as a parameter. (default: []) separated list of domains as a parameter. (default: [])
--duplicate BOOLEAN Allow getting a certificate that duplicates an existing one --renew-within [NUMBER] Renew certificates this many days before expiry. (default: 7)
--agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement --duplicate BOOLEAN Allow getting a certificate that duplicates an existing one/is
an early renewal.
--debug BOOLEAN show traces and logs
--tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port.
(must be 443 with most production servers) (Boulder allows 5001 in testing mode)
--http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
(must be 80 with most production servers)
--dns-01 Use DNS-01 challenge type.
--rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048) --rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048)
@ -269,9 +264,26 @@ Options:
--domain-key-path STRING Path to privkey.pem to use for domain (default: generate new) --domain-key-path STRING Path to privkey.pem to use for domain (default: generate new)
--account-key-path STRING Path to privkey.pem to use for account (default: generate new)
--config-dir STRING Configuration directory. (Default is ~/letsencrypt/etc/) --config-dir STRING Configuration directory. (Default is ~/letsencrypt/etc/)
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory)) --tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port.
(must be 443 with most production servers) (Boulder allows 5001 in testing mode)
--http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
(must be 80 with most production servers)
--dns-01 Use DNS-01 challenge type.
--standalone [BOOLEAN] Obtain certs using a "standalone" webserver. (Default is true)
--manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter,
giving you time to copy it somewhere before continuing. (Default is false)
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
--apache BOOLEAN Obtain certs using Apache virtual hosts. --apache BOOLEAN Obtain certs using Apache virtual hosts.
@ -301,14 +313,7 @@ Options:
--apache-disable STRING Command to run to disable the site in Apache. --apache-disable STRING Command to run to disable the site in Apache.
(Default is `rm /etc/apache2/sites-enabled/{{{token}}}.conf`) (Default is `rm /etc/apache2/sites-enabled/{{{token}}}.conf`)
--standalone [BOOLEAN] Obtain certs using a "standalone" webserver. (Default is true) --debug BOOLEAN show traces and logs
--manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter,
giving you time to copy it somewhere before continuing. (Default is false)
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
-h, --help Display help and usage details -h, --help Display help and usage details
``` ```


@ -5,14 +5,12 @@ var cli = require('cli');
var mkdirp = require('mkdirp'); var mkdirp = require('mkdirp');
cli.parse({ cli.parse({
email: [ false, " Email used for registration and recovery contact. (default: null)", 'email' ] server: [ false, " ACME Directory Resource URI.", 'string', '' ]
, domains: [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ] , email: [ false, " Email used for registration and recovery contact. (default: null)", 'email' ]
, duplicate: [ false, " Allow getting a certificate that duplicates an existing one", 'boolean', false ]
, 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ] , 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ]
, debug: [ false, " show traces and logs", 'boolean', false ] , domains: [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ]
, 'tls-sni-01-port': [ false, " Use TLS-SNI-01 challenge type with this port (only port 443 is valid with most production servers)", 'int' ] , 'renew-within': [ false, " Renew certificates this many days before expiry", 'int', 7 ]
, 'http-01-port': [ false, " Use HTTP-01 challenge type with this port (only port 80 is valid with most production servers) (default: 80)", 'int' ] , duplicate: [ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ]
, 'dns-01': [ false, " Use DNS-01 challange type", 'boolean', false ]
, 'rsa-key-size': [ false, " Size (in bits) of the RSA key.", 'int', 2048 ] , 'rsa-key-size': [ false, " Size (in bits) of the RSA key.", 'int', 2048 ]
, 'cert-path': [ false, " Path to where new cert.pem is saved", 'string',':configDir/live/:hostname/cert.pem' ] , 'cert-path': [ false, " Path to where new cert.pem is saved", 'string',':configDir/live/:hostname/cert.pem' ]
, 'fullchain-path': [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string', ':configDir/live/:hostname/fullchain.pem' ] , 'fullchain-path': [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string', ':configDir/live/:hostname/fullchain.pem' ]
@ -20,7 +18,9 @@ cli.parse({
, 'domain-key-path': [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ] , 'domain-key-path': [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ]
, 'account-key-path': [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ] , 'account-key-path': [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ]
, 'config-dir': [ false, " Configuration directory.", 'string', '~/letsencrypt/etc/' ] , 'config-dir': [ false, " Configuration directory.", 'string', '~/letsencrypt/etc/' ]
, server: [ false, " ACME Directory Resource URI.", 'string', '' ] , 'tls-sni-01-port': [ false, " Use TLS-SNI-01 challenge type with this port (only port 443 is valid with most production servers)", 'int' ]
, 'http-01-port': [ false, " Use HTTP-01 challenge type with this port (only port 80 is valid with most production servers) (default: 80)", 'int' ]
, 'dns-01': [ false, " Use DNS-01 challange type", 'boolean', false ]
, standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ] , standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ]
, manual: [ false, " Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (default: false)", 'boolean', false ] , manual: [ false, " Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (default: false)", 'boolean', false ]
, webroot: [ false, " Obtain certs by placing files in a webroot directory.", 'boolean', false ] , webroot: [ false, " Obtain certs by placing files in a webroot directory.", 'boolean', false ]
@ -36,6 +36,7 @@ cli.parse({
, 'apache-reload': [ false, " Command to run to reload Apache.", 'string' ] , 'apache-reload': [ false, " Command to run to reload Apache.", 'string' ]
, 'apache-disable': [ false, " Command to run to disable the site in Apache.", 'string' ] , 'apache-disable': [ false, " Command to run to disable the site in Apache.", 'string' ]
//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01'] //, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01']
, debug: [ false, " show traces and logs", 'boolean', false ]
, 'work-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/lib/' ] , 'work-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/lib/' ]
, 'logs-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/log/' ] , 'logs-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/log/' ]
}); });
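Review bot: The `server` option keeps `''` as its default in this table, so a run without `--server` passes an empty string through to `args.server`, while the README in this same commit advertises the production directory URL as the default; presumably the library substitutes that URL when given `''`, but which ACME endpoint the client talks to is worth confirming rather than assuming, and documenting in the help string, e.g. `" ACME Directory Resource URI. (default: Let's Encrypt production directory)"`. The moved `dns-01` help text still reads "challange" while the README spells it "challenge"; since the line is now on the new side it is a cheap fix: `, 'dns-01': [ false, " Use DNS-01 challenge type", 'boolean', false ]`. The new `renew-within` option is typed `'int'` with no range, so `0` and negative values are accepted here; the consumer in lib/cli.js multiplies it by a day without checking it, so a guard belongs wherever the parsed args are consumed.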


@ -1,5 +1,7 @@
'use strict'; 'use strict';
var DAY = 24 * 60 * 60 * 1000;
var LE = require('letsencrypt'); var LE = require('letsencrypt');
module.exports.run = function (args) { module.exports.run = function (args) {
@ -73,6 +75,7 @@ module.exports.run = function (args) {
, server: args.server , server: args.server
, store: leStore , store: leStore
, challenges: leChallenges , challenges: leChallenges
, renewWithin: args.renewWithin * DAY
, duplicate: args.duplicate , duplicate: args.duplicate
}); });
@ -93,29 +96,41 @@ module.exports.run = function (args) {
// Note: can't use args directly as null values will overwrite template values // Note: can't use args directly as null values will overwrite template values
le.register({ le.register({
domains: args.domains debug: args.debug
, email: args.email , email: args.email
, agreeTos: args.agreeTos , agreeTos: args.agreeTos
, challengeType: challengeType , domains: args.domains
, rsaKeySize: args.rsaKeySize , rsaKeySize: args.rsaKeySize
, challengeType: challengeType
}).then(function (certs) {
if (!certs._renewing) {
return certs;
}
console.log("");
console.log("Got certificate(s) for " + certs.altnames.join(', '));
console.log("\tIssued at " + new Date(certs.issuedAt).toISOString() + "");
console.log("\tValid until " + new Date(certs.expiresAt).toISOString() + "");
console.log("");
console.log("Renewing them now");
return certs._renewing;
}).then(function (certs) { }).then(function (certs) {
if (servers) { if (servers) {
servers.closeServers(); servers.closeServers();
} }
console.log("");
console.log("Got certificate(s) for " + certs.altnames.join(', '));
console.log("\tIssued at " + new Date(certs.issuedAt).toISOString() + "");
console.log("\tValid until " + new Date(certs.expiresAt).toISOString() + "");
console.log("");
// should get back account, path to certs, pems, etc? // should get back account, path to certs, pems, etc?
console.log('\nCertificates installed at:'); console.log('\nCertificates installed at:');
console.log(Object.keys(args).filter(function (key) { console.log(Object.keys(args).filter(function (key) {
return /Path/.test(key); return /Path/.test(key);
}).map(function (key) { }).map(function (key) {
return args[key]; return args[key];
}).join('\n').replace(/:hostname/, args.domains[0])); }).join('\n').replace(/:hostname/g, args.domains[0]));
console.log("");
console.log("Got certificate(s) for " + certs.altnames.join(', '));
console.log("\tIssued at " + new Date(certs.issuedAt).toISOString() + "");
console.log("\tValid until " + new Date(certs.expiresAt).toISOString() + "");
console.log("");
process.exit(0); process.exit(0);
}, function (err) { }, function (err) {
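Review bot: `renewWithin: args.renewWithin * DAY` passes the parsed option through unvalidated, so `--renew-within -3` yields a negative window and an oversized value would make every run look like an early renewal; a guard before the `LE.create` call, `if (!(args.renewWithin >= 0)) { throw new Error('--renew-within must be a non-negative number of days'); }`, rejects the nonsensical inputs, and an upper bound is worth considering since frequent re-issuance counts against the CA's rate limits. In the first `.then`, the "Got certificate(s) for ..." block is printed for the certs that are about to be renewed, which from the `_renewing` check appear to be the existing stored ones rather than newly issued, so a label like `"Existing certificate(s) for "` would avoid misreading the log; the same five `console.log` lines then repeat in the second handler and could be one small helper. `certs._renewing` is an underscore-prefixed field of the library's return value, so this depends on an internal contract that the library could drop without a version bump; a comment noting which library version exposes it would help the next maintainer. The error handler starting on the last line continues outside the hunk.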