From b2407029ab8effbc245975342f78c910c74bc8c5 Mon Sep 17 00:00:00 2001
From: Ben Schmidt
Date: Sat, 8 Oct 2016 15:16:26 +1100
Subject: [PATCH] support tls-sni-01 challenge
Previously the http-01 challenge was simply served over SSL.
---
 README.md | 18 +++++++++++++++---
 index.js | 29 ++++++++++++++++++++++++-----
 lib/servers.js | 2 +-
 package.json | 1 +
 4 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 8f46de7..d45b0e0 100644
--- a/README.md
+++ b/README.md
@@ -48,8 +48,9 @@ multiple domains doesn't work for you, file a bug.
 ### Standalone
-You can run standalone mode to get a cert **on the server** you will be
-using it for over ports **80 and 443 (or 5001)** like so:
+You can run standalone mode to get a cert **on the server**. You either use an
+http-01 challenge (the default) on port 80, or a tls-sni-01 challenge on port
+443 (or 5001). Like so:
 ```bash
 letsencrypt certonly \
@@ -60,6 +61,17 @@ letsencrypt certonly \
 --config-dir ~/letsencrypt/etc
 ```
+or
+
+```bash
+letsencrypt certonly \
+ --agree-tos --email john.doe@example.com \
+ --standalone --tls-sni-01-port 443 \
+ --domains example.com,www.example.com \
+ --server https://acme-staging.api.letsencrypt.org/directory \
+ --config-dir ~/letsencrypt/etc
+```
+
 Then you can see your certs at `~/letsencrypt/etc/live`.
 ```
@@ -174,7 +186,7 @@ Options:
 --debug BOOLEAN show traces and logs
- --tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port. (Default is 443)
+ --tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port. (must be 443 with most production servers) (Boulder allows 5001 in testing mode)
 --http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
diff --git a/index.js b/index.js
index f69f989..1c40f1b 100644
--- a/index.js
+++ b/index.js
@@ -15,6 +15,7 @@ module.exports.run = function (args) {
 args.standalone = USE_DNS;
 } else if (args.tlsSni01Port) {
 challengeType = 'tls-sni-01';
+ args.webrootPath = '';
 } else /*if (args.http01Port)*/ {
 challengeType = 'http-01';
 }
@@ -27,12 +28,13 @@ module.exports.run = function (args) {
 // TODO rename le-challenge-fs to le-challenge-webroot
 leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath });
 }
+ else if (args.tlsSni01Port) {
+ leChallenge = require('le-challenge-sni').create({});
+ servers = require('./lib/servers').create(leChallenge);
+ }
 else if (USE_DNS !== args.standalone) {
 leChallenge = require('le-challenge-standalone').create({});
- servers = require('./lib/servers').create(leChallenge).startServers(
- args.http01Port || [80], args.tlsSni01Port || [443, 5001]
- , { debug: args.debug }
- );
+ servers = require('./lib/servers').create(leChallenge);
 }
 leStore = require('le-store-certbot').create({
@@ -51,14 +53,31 @@ module.exports.run = function (args) {
 }
 // let LE know that we're handling standalone / webroot here
+ var leChallenges = {};
+ leChallenges[challengeType] = leChallenge;
 var le = LE.create({
 debug: args.debug
 , server: args.server
 , store: leStore
- , challenges: { 'http-01': leChallenge, 'tls-sni-01': leChallenge }
+ , challenges: leChallenges
 , duplicate: args.duplicate
 });
+ if (servers) {
+ if (args.tlsSni01Port) {
+ servers = servers.startServers(
+ [], args.tlsSni01Port
+ , { debug: args.debug, httpsOptions: le.httpsOptions }
+ );
+ }
+ else {
+ servers = servers.startServers(
+ args.http01Port || [80], []
+ , { debug: args.debug }
+ );
+ }
+ }
+
 // Note: can't use args directly as null values will overwrite template values
 le.register({
 domains: args.domains
diff --git a/lib/servers.js b/lib/servers.js
index 1c2b7a1..fcae91f 100644
--- a/lib/servers.js
+++ b/lib/servers.js
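Review bot: `args.webrootPath = '';` silently discards a path the user supplied, and it exists only so that the handler chain in the second hunk skips its webroot branch; the mode is then re-derived from `args` a second time, and the two chains disagree, because here the branch ending in `args.standalone = USE_DNS;` (apparently the DNS case) is tested before `args.tlsSni01Port`, while the handler chain tests `args.tlsSni01Port` before `USE_DNS !== args.standalone`, so a run with both set would register an SNI handler under whichever `challengeType` the first chain picked. Keying the second chain on the mode already computed removes both problems: drop `args.webrootPath = '';` and in the second hunk write `else if (challengeType === 'tls-sni-01') {`. If the webroot branch of that chain also keys on `args.webrootPath` (its condition is outside the hunk), conflicting flags are better rejected with an explicit error than papered over by overwriting one of them. The first branch of both chains and the rest of `run` lie outside these hunks.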
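Review bot: `args.tlsSni01Port` is passed to `startServers` as `tlsPorts` without the array form the removed code in the previous hunk used (`args.tlsSni01Port || [443, 5001]`), and the README documents the flag as a single NUMBER; unless the option parser already yields an array, a bare `443` reaches whatever `startServers` does with `tlsPorts` (its body is in lib/servers.js, outside this hunk). `[].concat(args.tlsSni01Port)` accepts both shapes. Separately, `le.httpsOptions` is read immediately after `LE.create` with no check that the property is set; if it is undefined, lib/servers.js substitutes its bundled localhost certificate and the tls-sni-01 validation fails for a reason that is hard to trace, so a guard like `if (!le.httpsOptions) throw new Error('tls-sni-01 needs le.httpsOptions');` before the call would surface the misconfiguration. `run` continues past the end of the hunk.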
@@ -25,7 +25,7 @@ module.exports.create = function (challenge) {
 , startServers: function (plainPorts, tlsPorts, opts) {
 opts = opts || {};
- var httpsOptions = require('localhost.daplie.com-certificates');
+ var httpsOptions = opts.httpsOptions || require('localhost.daplie.com-certificates');
 var https = require('https');
 var http = require('http');
diff --git a/package.json b/package.json
index f160371..d23dd87 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
 "homedir": "^0.6.0",
 "le-acme-core": "^2.0.5",
 "le-challenge-manual": "^2.0.0",
+ "le-challenge-sni": "^2.0.0",
 "le-challenge-standalone": "^2.0.0",
 "le-store-certbot": "^2.0.2",
 "letsencrypt": "^2.1.2",
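Review bot: With `opts.httpsOptions ||` a caller that requests TLS ports but supplies no `httpsOptions` silently serves the published `localhost.daplie.com-certificates` key pair on those ports, which is exactly what the tls-sni-01 path in index.js does if `le.httpsOptions` is ever undefined, and the ACME validation then fails with no hint why. Make the fallback explicit, for example `if (!opts.httpsOptions) { console.warn('startServers: no httpsOptions given, using the bundled localhost certificate'); }` ahead of the assignment, or throw when `tlsPorts` is non-empty and no options were given, so the misconfiguration is visible at startup rather than as a later validation failure. `startServers` and the enclosing `create` both continue outside the hunk.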