support tls-sni-01 challenge

Previously the http-01 challenge was simply served over SSL.
This commit is contained in:
Ben Schmidt 2016-10-08 15:16:26 +11:00
parent 7d3702aa81
commit b2407029ab
4 changed files with 41 additions and 9 deletions

View File

@ -48,8 +48,9 @@ multiple domains doesn't work for you, file a bug.
### Standalone
You can run standalone mode to get a cert **on the server** you will be
using it for over ports **80 and 443 (or 5001)** like so:
You can run standalone mode to get a cert **on the server**. You either use an
http-01 challenge (the default) on port 80, or a tls-sni-01 challenge on port
443 (or 5001). Like so:
```bash
letsencrypt certonly \
@ -60,6 +61,17 @@ letsencrypt certonly \
--config-dir ~/letsencrypt/etc
```
or
```bash
letsencrypt certonly \
--agree-tos --email john.doe@example.com \
--standalone --tls-sni-01-port 443 \
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory \
--config-dir ~/letsencrypt/etc
```
Then you can see your certs at `~/letsencrypt/etc/live`.
```
@ -174,7 +186,7 @@ Options:
--debug BOOLEAN show traces and logs
--tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port. (Default is 443)
--tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port.
(must be 443 with most production servers) (Boulder allows 5001 in testing mode)
--http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)

View File

@ -15,6 +15,7 @@ module.exports.run = function (args) {
args.standalone = USE_DNS;
} else if (args.tlsSni01Port) {
challengeType = 'tls-sni-01';
args.webrootPath = '';
} else /*if (args.http01Port)*/ {
challengeType = 'http-01';
}
@ -27,12 +28,13 @@ module.exports.run = function (args) {
// TODO rename le-challenge-fs to le-challenge-webroot
leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath });
}
else if (args.tlsSni01Port) {
leChallenge = require('le-challenge-sni').create({});
servers = require('./lib/servers').create(leChallenge);
}
else if (USE_DNS !== args.standalone) {
leChallenge = require('le-challenge-standalone').create({});
servers = require('./lib/servers').create(leChallenge).startServers(
args.http01Port || [80], args.tlsSni01Port || [443, 5001]
, { debug: args.debug }
);
servers = require('./lib/servers').create(leChallenge);
}
leStore = require('le-store-certbot').create({
@ -51,14 +53,31 @@ module.exports.run = function (args) {
}
// let LE know that we're handling standalone / webroot here
var leChallenges = {};
leChallenges[challengeType] = leChallenge;
var le = LE.create({
debug: args.debug
, server: args.server
, store: leStore
, challenges: { 'http-01': leChallenge, 'tls-sni-01': leChallenge }
, challenges: leChallenges
, duplicate: args.duplicate
});
if (servers) {
if (args.tlsSni01Port) {
servers = servers.startServers(
[], args.tlsSni01Port
, { debug: args.debug, httpsOptions: le.httpsOptions }
);
}
else {
servers = servers.startServers(
args.http01Port || [80], []
, { debug: args.debug }
);
}
}
// Note: can't use args directly as null values will overwrite template values
le.register({
domains: args.domains

View File

@ -25,7 +25,7 @@ module.exports.create = function (challenge) {
, startServers: function (plainPorts, tlsPorts, opts) {
opts = opts || {};
var httpsOptions = require('localhost.daplie.com-certificates');
var httpsOptions = opts.httpsOptions || require('localhost.daplie.com-certificates');
var https = require('https');
var http = require('http');

View File

@ -37,6 +37,7 @@
"homedir": "^0.6.0",
"le-acme-core": "^2.0.5",
"le-challenge-manual": "^2.0.0",
"le-challenge-sni": "^2.0.0",
"le-challenge-standalone": "^2.0.0",
"le-store-certbot": "^2.0.2",
"letsencrypt": "^2.1.2",