update link

A similar fix to 69f5fc9c45, but using a
public property exposed by an updated version of greenlock.

.gitignore

@@ -25,3 +25,6 @@ build/Release
 # Dependency directory
 # https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git
 node_modules
+
+# VS Code
+.vscode

LICENSE

@@ -1,202 +1,375 @@
-                                 Apache License
+Copyright 2017-2019 AJ ONeal
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
 
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+Mozilla Public License Version 2.0
+==================================
 
-   1. Definitions.
+1. Definitions
+--------------
 
-      "License" shall mean the terms and conditions for use, reproduction,
+1.1. "Contributor"
-      and distribution as defined by Sections 1 through 9 of this document.
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
 
-      "Licensor" shall mean the copyright owner or entity authorized by
+1.2. "Contributor Version"
-      the copyright owner that is granting the License.
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
 
-      "Legal Entity" shall mean the union of the acting entity and all
+1.3. "Contribution"
-      other entities that control, are controlled by, or are under common
+    means Covered Software of a particular Contributor.
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
 
-      "You" (or "Your") shall mean an individual or Legal Entity
+1.4. "Covered Software"
-      exercising permissions granted by this License.
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
 
-      "Source" form shall mean the preferred form for making modifications,
+1.5. "Incompatible With Secondary Licenses"
-      including but not limited to software source code, documentation
+    means
-      source, and configuration files.
 
-      "Object" form shall mean any form resulting from mechanical
+    (a) that the initial Contributor has attached the notice described
-      transformation or translation of a Source form, including but
+        in Exhibit B to the Covered Software; or
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
 
-      "Work" shall mean the work of authorship, whether in Source or
+    (b) that the Covered Software was made available under the terms of
-      Object form, made available under the License, as indicated by a
+        version 1.1 or earlier of the License, but not also under the
-      copyright notice that is included in or attached to the work
+        terms of a Secondary License.
-      (an example is provided in the Appendix below).
 
-      "Derivative Works" shall mean any work, whether in Source or Object
+1.6. "Executable Form"
-      form, that is based on (or derived from) the Work and for which the
+    means any form of the work other than Source Code Form.
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
 
-      "Contribution" shall mean any work of authorship, including
+1.7. "Larger Work"
-      the original version of the Work and any modifications or additions
+    means a work that combines Covered Software with other material, in
-      to that Work or Derivative Works thereof, that is intentionally
+    a separate file or files, that is not Covered Software.
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
 
-      "Contributor" shall mean Licensor and any individual or Legal Entity
+1.8. "License"
-      on behalf of whom a Contribution has been received by Licensor and
+    means this document.
-      subsequently incorporated within the Work.
 
-   2. Grant of Copyright License. Subject to the terms and conditions of
+1.9. "Licensable"
-      this License, each Contributor hereby grants to You a perpetual,
+    means having the right to grant, to the maximum extent possible,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+    whether at the time of the initial grant or subsequently, any and
-      copyright license to reproduce, prepare Derivative Works of,
+    all of the rights conveyed by this License.
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
 
-   3. Grant of Patent License. Subject to the terms and conditions of
+1.10. "Modifications"
-      this License, each Contributor hereby grants to You a perpetual,
+    means any of the following:
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
 
-   4. Redistribution. You may reproduce and distribute copies of the
+    (a) any file in Source Code Form that results from an addition to,
-      Work or Derivative Works thereof in any medium, with or without
+        deletion from, or modification of the contents of Covered
-      modifications, and in Source or Object form, provided that You
+        Software; or
-      meet the following conditions:
 
-      (a) You must give any other recipients of the Work or
+    (b) any new file in Source Code Form that contains any Covered
-          Derivative Works a copy of this License; and
+        Software.
 
-      (b) You must cause any modified files to carry prominent notices
+1.11. "Patent Claims" of a Contributor
-          stating that You changed the files; and
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
 
-      (c) You must retain, in the Source form of any Derivative Works
+1.12. "Secondary License"
-          that You distribute, all copyright, patent, trademark, and
+    means either the GNU General Public License, Version 2.0, the GNU
-          attribution notices from the Source form of the Work,
+    Lesser General Public License, Version 2.1, the GNU Affero General
-          excluding those notices that do not pertain to any part of
+    Public License, Version 3.0, or any later versions of those
-          the Derivative Works; and
+    licenses.
 
-      (d) If the Work includes a "NOTICE" text file as part of its
+1.13. "Source Code Form"
-          distribution, then any Derivative Works that You distribute must
+    means the form of the work preferred for making modifications.
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
 
-      You may add Your own copyright statement to Your modifications and
+1.14. "You" (or "Your")
-      may provide additional or different license terms and conditions
+    means an individual or a legal entity exercising rights under this
-      for use, reproduction, or distribution of Your modifications, or
+    License. For legal entities, "You" includes any entity that
-      for any such Derivative Works as a whole, provided Your use,
+    controls, is controlled by, or is under common control with You. For
-      reproduction, and distribution of the Work otherwise complies with
+    purposes of this definition, "control" means (a) the power, direct
-      the conditions stated in this License.
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
 
-   5. Submission of Contributions. Unless You explicitly state otherwise,
+2. License Grants and Conditions
-      any Contribution intentionally submitted for inclusion in the Work
+--------------------------------
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
 
-   6. Trademarks. This License does not grant permission to use the trade
+2.1. Grants
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
 
-   7. Disclaimer of Warranty. Unless required by applicable law or
+Each Contributor hereby grants You a world-wide, royalty-free,
-      agreed to in writing, Licensor provides the Work (and each
+non-exclusive license:
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
 
-   8. Limitation of Liability. In no event and under no legal theory,
+(a) under intellectual property rights (other than patent or trademark)
-      whether in tort (including negligence), contract, or otherwise,
+    Licensable by such Contributor to use, reproduce, make available,
-      unless required by applicable law (such as deliberate and grossly
+    modify, display, perform, distribute, and otherwise exploit its
-      negligent acts) or agreed to in writing, shall any Contributor be
+    Contributions, either on an unmodified basis, with Modifications, or
-      liable to You for damages, including any direct, indirect, special,
+    as part of a Larger Work; and
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
 
-   9. Accepting Warranty or Additional Liability. While redistributing
+(b) under Patent Claims of such Contributor to make, use, sell, offer
-      the Work or Derivative Works thereof, You may choose to offer,
+    for sale, have made, import, and otherwise transfer either its
-      and charge a fee for, acceptance of support, warranty, indemnity,
+    Contributions or its Contributor Version.
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
 
-   END OF TERMS AND CONDITIONS
+2.2. Effective Date
 
-   APPENDIX: How to apply the Apache License to your work.
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
 
-      To apply the Apache License to your work, attach the following
+2.3. Limitations on Grant Scope
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
 
-   Licensed under the Apache License, Version 2.0 (the "License");
+(a) for any code that a Contributor has removed from Covered Software;
-   you may not use this file except in compliance with the License.
+    or
-   You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
 
-   Unless required by applicable law or agreed to in writing, software
+(c) under Patent Claims infringed by Covered Software in the absence of
-   distributed under the License is distributed on an "AS IS" BASIS,
+    its Contributions.
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
 
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

README.md

@@ -1,161 +1,223 @@
-# letsencrypt-cli (for node.js)
+![Greenlock Logo](https://git.rootprojects.org/root/greenlock.js/raw/branch/master/logo/greenlock-1063x250.png "Greenlock Logo")
 
-CLI for node-letsencrypt modeled after the official client.
+!["Greenlock Function"](https://git.rootprojects.org/root/greenlock.js/raw/branch/master/logo/from-not-secure-to-secure-url-bar.png "from url bar showing not secure to url bar showing secure")
 
-* Free SSL Certificates
-* 90-day certificate lifetime
-* One-off standalone registration / renewal
-* On-the-fly registration / renewal via webroot
 
-## Install Node
+# [Greenlock™](https://git.rootprojects.org/root/greenlock-cli.js) for Web Servers | a [Root](https://rootprojects.org) project
 
-For **Windows**:
+Free SSL, Free Wildcard SSL, and Fully Automated HTTPS made dead simple<br>
+<small>certificates issued by Let's Encrypt v2 via [ACME](https://git.rootprojects.org/root/acme-v2.js)</small>
 
-Choose **Stable** from <https://nodejs.org/en/>
+!["Lifetime Downloads"](https://img.shields.io/npm/dt/greenlock.svg "Lifetime Download Count can't be shown")
+!["Monthly Downloads"](https://img.shields.io/npm/dm/greenlock.svg "Monthly Download Count can't be shown")
+!["Weekly Downloads"](https://img.shields.io/npm/dw/greenlock.svg "Weekly Download Count can't be shown")
+!["Stackoverflow Questions"](https://img.shields.io/stackexchange/stackoverflow/t/greenlock.svg "S.O. Question count can't be shown")
 
-For Linux and **OS X**:
+| **Greenlock for Web Servers**
+| [Greenlock for Web Browsers](https://git.rootprojects.org/root/greenlock.html)
+| [Greenlock for Express.js](https://git.rootprojects.org/root/greenlock-express.js)
+| [Greenlock&trade;.js](https://git.rootprojects.org/root/greenlock.js)
+|
 
-```
+# Features
-curl -L bit.ly/iojs-min | bash
-```
 
-# Install LetsEncrypt
+- [x] Commandline (cli) Certificate Manager (like certbot)
+- [x] Integrated Web Server
+- [x] Free SSL Certificates
+- [x] Automatic certificate renewal before expiration
+- [x] One-off standalone registration / renewal
+- [x] On-the-fly registration / renewal via webroot
+
+# Install
+
+## Mac & Linux
+
+Open Terminal and run this install script:
 
 ```bash
-npm install -g letsencrypt-cli
+curl -fsS https://get.greenlock.app/ | bash
 ```
 
-## Usage
+This will install greenlock to `/opt/greenlock` and put a symlink to
+`/opt/greenlock/bin/greenlock` in `/usr/local/bin/greenlock` for convenience.
 
-These commands are shown using the **testing server**.
+You can customize the installation:
-
-Want to use the **live server**?
-
-1. remove the `--server https://acme-staging.api.letsencrypt.org/directory`
-2. or change it to `--server https://acme-v01.api.letsencrypt.org/directory`
-
-**Note**: This has really only been tested with single domains so if
-multiple domains doesn't work for you, file a bug.
-
-### Standalone
-
-You can run standalone mode to get a cert **on the server** you will be
-using it for over ports **80 and 443 (or 5001)** like so:
 
 ```bash
-letsencrypt certonly \
+export NODEJS_VER=v8.11.1
-  --agree-tos --email john.doe@example.com \
+export GREENLOCK_PATH=/opt/greenlock
-  --standalone \
+curl -fsS https://get.greenlock.app/ | bash
-  --domains example.com,www.example.com \
-  --server https://acme-staging.api.letsencrypt.org/directory \
-  --config-dir ~/letsencrypt/etc
 ```
 
-Then you can see your certs at `~/letsencrypt/etc/live`.
+This will change which version of node.js is bundled with greenlock
+and the path to which greenlock installs.
+
+## Windows & Node.js
+
+1. Install [node.js](https://nodejs.org)
+2. Open _Node.js_
+2. Run the command `npm install -g greenlock-cli`
+
+# Usage
+
+We have a few different examples of issuing SSL certificates:
+
+* Standalone (testing): Issue a one-off certificate
+* Webroot (production): Automatic certificate renewal for Apache, Nginx, HAProxy, etc
+* Manual (debugging): Go through the certificate proccess step-by-step
+<!-- * Server (production): Leave it all to Greenlock -->
+
+**Important Note**: Staging vs Production
+
+Each of these examples are using the **staging server**.
+
+Once you've successfully gotten certificates with the staging server
+you must **delete** `--config-dir` (i.e. `rm -rf ~/acme`) and then
+switch to the **production server**.
 
 ```
-ls ~/letsencrypt/etc/live
+--acme-version draft-11 --server https://acme-v02.api.letsencrypt.org/directory \
 ```
 
-This option is great for testing, but since it requires the use of
+## Standalone
-the same ports that your webserver needs, it isn't a good choice
-for production.
 
-### WebRoot (for production)
+<small>**primarily for testing**</small>
 
-You can specify the path to where you keep your `index.html` with `webroot`.
+You can run in standalone mode **on your server** and get a cert instantly.
 
-For example, if I want to get a domain for `example.com` and my `index.html` is
+Note: No other webserver may be running at the time (use Webroot mode for that).
-at `/srv/www/example.com`, then I would use this command:
 
 ```bash
-sudo letsencrypt certonly \
+sudo greenlock certonly --standalone \
-  --agree-tos --email john.doe@example.com \
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
-  --webroot --webroot-path /srv/www/example.com \
+  --agree-tos --email jon@example.com --domains example.com,www.example.com \
-  --config-dir /etc/letsencrypt \
+  --community-member \
-  --domains example.com,www.example.com \
+  --config-dir ~/acme/etc
-  --server https://acme-staging.api.letsencrypt.org/directory
 ```
 
-Note that we use `sudo` because in this example we are using `/etc/letsencrypt`
+## WebRoot
-as the cert directory rather than `~/letsencrypt/etc`, which we used in the previous example.
 
-Then see your brand new shiny certs:
+<small>**for testing and production**</small>
 
-```
+With this method you must use **your existing http (port 80) server** (Apache, Nginx, HAProxy, etc).
-ls /etc/letsencrypt/live/
+You will specify the **path or template path** to your `public_html` or `www` webroot.
-```
 
-You can use a cron job to run the script above every 80 days (the certificates expire after 90 days)
+For example:
-so that you always have fresh certificates.
 
-## Test with a free domain
+  * I want to get an SSL cert for `example.com`
+  * `index.html` lives at `/srv/www/example.com`
+  * I would use this command:
 
 ```bash
-# Install Daplie DNS
+sudo greenlock certonly --webroot \
-npm install -g ddns-cli
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
-
+  --agree-tos --email jon@example.com --domains example.com \
-# see terms of use
+  --community-member \
-ddns --help
+  --root /srv/www/example.com \
-
+  --config-dir ~/acme/etc
-# agree to terms and get domain
-ddns --random --email user@example.com --agree
-
-# the default is to use the ip address from which
-# you can the command, but you can also assign the
-# ip manually
-ddns --random --email user@example.com --agree -a '127.0.0.1'
 ```
 
-Example domain:
+Now let's say that
 
-```
+  * I have many sites in `/srv/www/`, all by their name
-rubber-duck-42.daplie.me
+  * I already store my ssl certs in the format `/etc/apache/ssl/:hostname/{key.pem,ssl.crt}`
-```
+  * I'll run this command instead:
-
-## Run without Root
-
-If you'd like to allow node.js to use privileged ports `80` and `443`
-(and everything under 1024 really) without being run as `root` or `sudo`,
-you can use `setcap` to do so. (it may need to be run any time you reinstall node as well)
 
 ```bash
-sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
+sudo greenlock certonly --webroot \
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
+  --agree-tos --email jon@example.com --domains example.com,whatever.com,foobar.net \
+  --community-member \
+  --root "/srv/www/:hostname" \
+  --privkey-path "/etc/apache/ssl/:hostname/key.pem" \
+  --fullchain-path "/etc/apache/ssl/:hostname/ssl.crt" \
+  --config-dir ~/acme/etc
 ```
 
-By default `node-letsencrypt` assumes your home directory `~/letsencrypt/`, but if
+### Run with cron
-you really want to use `/etc/letsencrypt`, `/var/lib/letsencrypt/`, and `/var/log/letsencrypt`
+
-you could change the permissions on them. **Probably a BAD IDEA**. Probabry a security risk.
+Those commands are safe to be run **daily** with cron.
+The certificates will automatically renew 2 weeks before expiring.
+
+## Interactive
+
+<small>**primarily for debugging**</small>
+
+The token (for all challenge types) and keyAuthorization (only for https-01)
+will be printed to the screen and you will be given time to copy it wherever
+(file, dns record, database, etc) and the process will complete once you hit `enter`.
+
+```bash
+sudo greenlock certonly --manual \
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
+  --agree-tos --email jon@example.com --domains example.com \
+  --community-member \
+  --config-dir ~/acme/etc
+```
+
+# Certificate Locations
+Then you can see your certs at `~/acme/etc/live`.
+
+```
+~/acme/etc/
+└── example.com
+    ├── cert.pem
+    ├── chain.pem
+    ├── fullchain.pem  (Apache, Nginx, node.js)
+    ├── privkey.pem    (Apache, Nginx, node.js)
+    └── bundle.pem     (HAProxy)
+```
+
+
+## Run without root (no sudo)
+
+`sudo` is used to allow greenlock to use port 80 and write to httpd-owned directories.
+
+Allow greenlock to bind on system ports without root:
+
+```bash
+sudo setcap cap_net_bind_service=+ep /opt/greenlock/bin/node
+```
+
+To allow greenlock to write to folders owned by another user, set it to run as that user.
+
+Otherwise, you can change the permissions on the folders, which is
+**probably a BAD IDEA**. Probabry a **security risk**.
+But since some of you are going to do it anyway I might as well tell you how:
 
 ```
 # PROBABLY A BAD IDEA
-sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt 
+sudo chown -R $(whoami) /etc/ssl /etc/acme
 ```
 
-## Command line Options
+# Command Line Options
 
 ```
 Usage:
-  letsencrypt [OPTIONS] [ARGS]
+  greenlock [OPTIONS] [ARGS]
 
 Options:
+      --acme-version [STRING]   'draft-11' for Let's Encrypt v2 or 'v01' for Let's Encrypt v1. (default: null)
+
+      --acme-url [URL]          Directory URL for ACME API. Let's Encrypt URLs are:
+                                  draft-11
+                                    https://acme-staging-v02.api.letsencrypt.org/directory
+                                    https://acme-v02.api.letsencrypt.org/directory
+
+                                  v01
+                                    https://acme-staging.api.letsencrypt.org/directory
+                                    https://acme-v01.api.letsencrypt.org/directory
+
       --email EMAIL             Email used for registration and recovery contact. (default: null)
 
-      --domains URL             Domain names to apply. For multiple domains you can enter a comma
-                                separated list of domains as a parameter. (default: [])
-
-      --duplicate BOOLEAN       Allow getting a certificate that duplicates an existing one
-
       --agree-tos BOOLEAN       Agree to the Let's Encrypt Subscriber Agreement
 
-      --debug BOOLEAN           show traces and logs
+      --community-member        Submit stats to and receive updates from Greenlock
 
-      --tls-sni-01-port NUMBER  Port number to perform tls-sni-01 challenge.
+      --domains HOSTNAME        Domain names to apply. For multiple domains you can enter a comma
-                                Boulder in testing mode defaults to 5001. (default: 443 and 5001)
+                                separated list of domains as a parameter. (default: [])
 
-      --http-01-port [NUMBER]   Port used in the SimpleHttp challenge. (Default is 80)
+      --renew-within [NUMBER]   Renew certificates this many days before expiry. (default: 10)
-
-      --rsa-key-size [NUMBER]   Size (in bits) of the RSA key. (Default is 2048)
 
       --cert-path STRING        Path to where new cert.pem is saved
                                 (Default is :conf/live/:hostname/cert.pem)
@@ -166,19 +228,60 @@ Options:
       --chain-path [STRING]     Path to where new chain.pem is saved
                                 (Default is :conf/live/:hostname/chain.pem)
 
+      --bundle-path [STRING]    Path to where new bundle.pem (fullchain + privkey) is saved
+                                (Default is :conf/live/:hostname/bundle.pem)
+
       --domain-key-path STRING  Path to privkey.pem to use for domain (default: generate new)
 
+      --account-key-path STRING Path to privkey.pem to use for account (default: generate new)
+
       --config-dir STRING       Configuration directory. (Default is ~/letsencrypt/etc/)
 
-      --server [STRING]         ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
+      --http-01-port [NUMBER]   Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
+                                (must be 80 with most production servers)
+
+      --dns-01                  Use DNS-01 challenge type.
 
       --standalone [BOOLEAN]    Obtain certs using a "standalone" webserver.  (Default is true)
 
-      --webroot BOOLEAN         Obtain certs by placing files in a webroot directory.
+      --manual [BOOLEAN]        Print the token and key to the screen and wait for you to hit enter,
+                                giving you time to copy it somewhere before continuing. (Default is false)
 
-      --webroot-path STRING      public_html / webroot path.
+      --debug BOOLEAN           show traces and logs
 
   -h, --help                    Display help and usage details
 ```
 
+
+# Certbot Command Line Options
+
+These options are maintained for compatability with certbot:
+
+```
+      --server [STRING]         ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
+
+      --duplicate BOOLEAN       Allow getting a certificate that duplicates an existing one/is
+                                an early renewal.
+
+      --webroot BOOLEAN         Obtain certs by placing files in a webroot directory.
+
+      --webroot-path STRING     public_html / webroot path.
+```
+
 Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.
+
+# Legal &amp; Rules of the Road
+
+Greenlock&trade; and Bluecrypt&trade; are [trademarks](https://rootprojects.org/legal/#trademark) of AJ ONeal
+
+The rule of thumb is "attribute, but don't confuse". For example:
+
+> Built with [Greenlock CLI](https://git.rootprojects.org/root/greenlock-cli.js) (a [Root](https://rootprojects.org) project).
+
+Please [contact us](mailto:aj@therootcompany.com) if you have any questions in regards to our trademark,
+attribution, and/or visible source policies. We want to build great software and a great community.
+
+[Greenlock&trade;](https://git.rootprojects.org/root/greenlock.js) |
+MPL-2.0 |
+[Terms of Use](https://therootcompany.com/legal/#terms) |
+[Privacy Policy](https://therootcompany.com/legal/#privacy)

bin/greenlock.js

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+'use strict';
+
+var cli = require('cli');
+var mkdirp = require('mkdirp');
+
+cli.parse({
+  'acme-version':
+    [ false, " ACME / Let's Encrypt version. v01 or draft-11 (aka v02)", 'string', 'draft-11' ]
+, 'acme-url':
+    [ false, " ACME Directory Resource URL", 'string', '' ]
+, email:
+    [ false, " Email used for registration and recovery contact. (default: null)", 'email' ]
+, 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ]
+, 'community-member': [ false, " Submit stats to and get updates from Greenlock", 'boolean', false ]
+, domains:
+    [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ]
+, 'renew-within': [ false, " Renew certificates this many days before expiry", 'int', 7 ]
+, 'cert-path':
+    [ false, " Path to where new cert.pem is saved", 'string'
+    , ':configDir/live/:hostname/cert.pem' ]
+, 'fullchain-path':
+    [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string'
+    , ':configDir/live/:hostname/fullchain.pem' ]
+, 'bundle-path':
+    [ false, " Path to where new bundle.pem (fullchain + privkey) is saved", 'string'
+    , ':configDir/live/:hostname/bundle.pem' ]
+, 'chain-path':
+    [ false, " Path to where new chain.pem is saved", 'string'
+    , ':configDir/live/:hostname/chain.pem' ]
+, 'privkey-path':
+    [ false, " Path to where privkey.pem is saved", 'string'
+    , ':configDir/live/:hostname/privkey.pem' ]
+, 'config-dir':
+    [ false, " Configuration directory.", 'string'
+    , '~/letsencrypt/etc/' ]
+, 'http-01-port': [ false, " Use HTTP-01 challenge type with this port (only port 80 is valid with most production servers) (default: 80)", 'int' ]
+, 'dns-01': [ false, " Use DNS-01 challange type", 'boolean', false ]
+, standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ]
+, manual: [ false, " Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (default: false)", 'boolean', false ]
+, debug: [ false, " show traces and logs", 'boolean', false ]
+, 'root': [ false, " public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)", 'string' ]
+
+//
+// backwards compat
+//
+, duplicate:
+    [ false, " Allow getting a certificate that duplicates an existing one/is an early renewal", 'boolean', false ]
+, 'rsa-key-size':
+    [ false, " Size (in bits) of the RSA key.", 'int', 2048 ]
+, server:
+    [ false, " alias of acme-url for certbot compatibility", 'string', '' ]
+, 'domain-key-path':
+    [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ]
+, 'account-key-path':
+    [ false, " Path to privkey.pem to use for account (default: generate new)", 'string' ]
+, webroot: [ false, " for certbot compatibility", 'boolean', false ]
+, 'webroot-path': [ false, "alias of '--root' for certbot compatibility", 'string' ]
+//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01']
+, 'work-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/lib/' ]
+, 'logs-dir': [ false, "for certbot compatibility (ignored)", 'string', '~/letsencrypt/var/log/' ]
+});
+
+// ignore certonly and extraneous arguments
+cli.main(function(_, options) {
+  console.log('');
+  var args = {};
+  var homedir = require('os').homedir();
+
+  Object.keys(options).forEach(function (key) {
+    var val = options[key];
+
+    if ('string' === typeof val) {
+      val = val.replace(/^~/, homedir);
+    }
+
+    key = key.replace(/\-([a-z0-9A-Z])/g, function (c) { return c[1].toUpperCase(); });
+    args[key] = val;
+  });
+
+  Object.keys(args).forEach(function (key) {
+    var val = args[key];
+
+    if ('string' === typeof val) {
+      val = val.replace(/(\:configDir)|(\:config)/, args.configDir);
+    }
+
+    args[key] = val;
+  });
+
+  if (args.domains) {
+    args.domains = args.domains.split(',');
+  }
+
+  if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos || !args.acmeVersion || (!args.server && !args.acmeUrl)) {
+    console.error("\nUsage:\n\ngreenlock certonly --standalone \\");
+    console.error("\t--acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \\");
+    console.error("\t--agree-tos --email user@example.com --domains example.com \\");
+    console.error("\t--config-dir ~/acme/etc \\");
+    console.error("\nSee greenlock --help for more details\n");
+    return;
+  }
+
+  if (args.http01Port) {
+    // [@agnat]: Coerce to string. cli returns a number although we request a string.
+    args.http01Port = "" + args.http01Port;
+    args.http01Port = args.http01Port.split(',').map(function (port) {
+      return parseInt(port, 10);
+    });
+  }
+
+  mkdirp(args.configDir, function (err) {
+    if (err) {
+      console.error("Could not create --config-dir '" + args.configDir + "':", err.code);
+      console.error("Try setting --config-dir '/tmp'");
+      return;
+    }
+
+    require('../').run(args).then(function (status) {
+      process.exit(status);
+    });
+  });
+});

bin/letsencrypt.js

@@ -1,141 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-var cli = require('cli');
-var mkdirp = require('mkdirp');
-
-cli.parse({
-  email: [ false, " Email used for registration and recovery contact. (default: null)", 'email' ]
-, domains: [ false, " Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])", 'string' ]
-, duplicate: [ false, " Allow getting a certificate that duplicates an existing one", 'boolean', false ]
-, 'agree-tos': [ false, " Agree to the Let's Encrypt Subscriber Agreement", 'boolean', false ]
-, debug: [ false, " show traces and logs", 'boolean', false ]
-, 'tls-sni-01-port': [ false, " Port number to perform tls-sni-01 challenge. Boulder in testing mode defaults to 5001. (default: 443,5001)", 'string' ]
-, 'http-01-port': [ false, " Port used in the SimpleHttp challenge. (default: 80)", 'string' ]
-, 'rsa-key-size': [ false, " Size (in bits) of the RSA key.", 'int', 2048 ]
-, 'cert-path': [ false, " Path to where new cert.pem is saved", 'string',':config/live/:hostname/cert.pem' ]
-, 'fullchain-path': [ false, " Path to where new fullchain.pem (cert + chain) is saved", 'string', ':config/live/:hostname/fullchain.pem' ]
-, 'chain-path': [ false, " Path to where new chain.pem is saved", 'string', ':config/live/:hostname/chain.pem' ]
-, 'domain-key-path': [ false, " Path to privkey.pem to use for domain (default: generate new)", 'string' ]
-, 'config-dir': [ false, " Configuration directory.", 'string', '~/letsencrypt/etc/' ]
-, server: [ false, " ACME Directory Resource URI.", 'string', 'https://acme-v01.api.letsencrypt.org/directory)' ]
-, standalone: [ false, " Obtain certs using a \"standalone\" webserver.", 'boolean', false ]
-//, manual: [ false, " Provide laborious manual instructions for obtaining a cert (default: false)", 'boolean', false ]
-, webroot: [ false, " Obtain certs by placing files in a webroot directory.", 'boolean', false ]
-, 'webroot-path': [ false, " public_html / webroot path.", 'string' ]
-//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-sni-01)", 'string', 'http-01,tls-sni-01']
-, 'work-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/lib/' ]
-, 'logs-dir': [ false, "(ignored)", 'string', '~/letsencrypt/var/log/' ]
-});
-
-// ignore certonly and extraneous arguments
-cli.main(function(_, options) {
-  console.log('');
-  var args = {};
-  var homedir = require('homedir')();
-
-  Object.keys(options).forEach(function (key) {
-    var val = options[key];
-
-    if ('string' === typeof val) {
-      val = val.replace(/^~/, homedir);
-    }
-
-    key = key.replace(/\-([a-z0-9A-Z])/g, function (c) { return c[1].toUpperCase(); });
-    args[key] = val;
-  });
-
-  Object.keys(args).forEach(function (key) {
-    var val = args[key];
-
-    if ('string' === typeof val) {
-      val = val.replace(/\:config/, args.configDir);
-    }
-
-    args[key] = val;
-  });
-
-  if (args.domains) {
-    args.domains = args.domains.split(',');
-  }
-
-  if (!(Array.isArray(args.domains) && args.domains.length) || !args.email || !args.agreeTos) {
-    console.error("\nUsage: letsencrypt certonly --standalone --domains example.com --email user@example.com --agree-tos");
-    console.error("\nSee letsencrypt --help for more details\n");
-    return;
-  }
-
-  if (args.tlsSni01Port) {
-    // [@agnat]: Coerce to string. cli returns a number although we request a string.
-    args.tlsSni01Port = "" + args.tlsSni01Port;
-    args.tlsSni01Port = args.tlsSni01Port.split(',').map(function (port) {
-      return parseInt(port, 10);
-    });
-  }
-
-  if (args.http01Port) {
-    // [@agnat]: Coerce to string. cli returns a number although we request a string.
-    args.http01Port = "" + args.http01Port;
-    args.http01Port = args.http01Port.split(',').map(function (port) {
-      return parseInt(port, 10);
-    });
-  }
-
-  mkdirp(args.configDir, function (err) {
-    if (err) {
-      console.error("Could not create --config-dir '" + args.configDir + "':", err.code);
-      console.error("Try setting --config-dir '/tmp'");
-      return;
-    }
-
-    var LE = require('letsencrypt');
-    var handlers;
-
-    if (args.webrootPath) {
-      handlers = require('../lib/webroot').create(args);
-    }
-    else /*if (args.standalone)*/ {
-      handlers = require('../lib/standalone').create();
-      handlers.startServers(args.http01Port || [80], args.tlsSni01Port || [443, 5001]);
-    }
-
-    // let LE know that we're handling standalone / webroot here
-    LE.create({
-      manual: true
-    , debug: args.debug
-    , configDir: args.configDir
-    , privkeyPath: ':config/live/:hostname/privkey.pem' //args.privkeyPath
-    , fullchainPath: args.fullchainPath
-    , certPath: args.certPath
-    , chainPath: args.chainPath
-    }, handlers).register(args, function (err, results) {
-      if (err) {
-        console.error('[Error]: letsencrypt-cli');
-        console.error(err.stack || err);
-        return;
-      }
-
-      if (!results || ('object' !== typeof results)) {
-        console.error("Error: An unknown error occurred. My best guess is that we got an error that we're not used to from the ACME server and accidentally interpretted it as a success... or forgot to expose the error.");
-        console.error(results);
-        err = new Error("Here's a stack trace, in case it helps:");
-        console.error(err.stack);
-        return;
-      }
-
-      if (handlers.closeServers) {
-        handlers.closeServers();
-      }
-
-      // should get back account, path to certs, pems, etc?
-      console.log('\nCertificates installed at:');
-      console.log(Object.keys(results).filter(function (key) {
-        return /Path/.test(key);
-      }).map(function (key) {
-        return results[key];
-      }).join('\n'));
-
-      process.exit(0);
-    });
-  });
-});

examples/standalone.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+sudo greenlock certonly --standalone \
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
+  --agree-tos --email jon@example.com --domains example.com,www.example.com \
+  --community-member \
+  --config-dir ~/acme/etc

examples/webroot.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## create a quick server if needed
+# sudo mkdir -p /srv/www/example.com
+# pushd /srv/www/example.com
+#   sudo python -m SimpleHTTPServer 80 &
+#   my_pid=$!
+
+sudo greenlock certonly --webroot \
+  --acme-version draft-11 --acme-url https://acme-staging-v02.api.letsencrypt.org/directory \
+  --agree-tos --email jon@example.com --domains example.com \
+  --community-member \
+  --root /srv/www/example.com \
+  --config-dir ~/acme/etc
+
+#   kill $my_pid
+# popd

index.js

@@ -0,0 +1,148 @@
+'use strict';
+
+var DAY = 24 * 60 * 60 * 1000;
+
+var Greenlock = require('greenlock');
+
+module.exports.run = function (args) {
+  var leChallenge;
+  var leStore;
+  var servers;
+  var USE_DNS = {};
+  var challengeType;
+
+  args.acmeUrl = args.server = (args.acmeUrl || args.server);
+  args.root = args.webrootPath = (args.root || args.webrootPath);
+  if (args.dns01) {
+    challengeType = 'dns-01';
+    args.webrootPath = '';
+    args.standalone = USE_DNS;
+  } else /*if (args.http01Port)*/ {
+    challengeType = 'http-01';
+  }
+
+  if (args.manual) {
+    leChallenge = require('le-challenge-manual').create({});
+  }
+  else if (args.webrootPath) {
+    // webrootPath is all that really matters here
+    // TODO rename le-challenge-fs to le-challenge-webroot
+    leChallenge = require('./lib/webroot').create({ webrootPath: args.webrootPath });
+  }
+  else if (USE_DNS !== args.standalone) {
+    leChallenge = require('le-challenge-standalone').create({});
+    servers = require('./lib/servers').create(leChallenge);
+  }
+
+  var privkeyPath = args.privkeyPath || args.domainKeyPath || ':configDir/live/:hostname/privkey.pem'; //args.privkeyPath
+  leStore = require('le-store-certbot').create({
+    configDir: args.configDir
+  , privkeyPath: privkeyPath
+  , fullchainPath: args.fullchainPath
+  , certPath: args.certPath
+  , chainPath: args.chainPath
+  , bundlePath: args.bundlePath
+  , webrootPath: args.root
+  , domainKeyPath: args.domainKeyPath
+  , accountKeyPath: args.accountKeyPath
+  });
+
+  if (!args.acmeUrl) {
+    throw new Error("You must specify the ACME server url with --acme-url");
+  }
+  if (!args.acmeVersion) {
+    throw new Error("You must specify the ACME API version with --acme-version");
+  }
+
+  // let Greenlock know that we're handling standalone / webroot here
+  var leChallenges = {};
+  leChallenges[challengeType] = leChallenge;
+  var greenlock = Greenlock.create({
+    debug: args.debug
+  , server: args.acmeUrl
+  , version: args.acmeVersion
+  , store: leStore
+  , challenges: leChallenges
+  , renewWithin: args.renewWithin * DAY
+  , duplicate: args.duplicate
+  });
+
+  if (servers) {
+    if (args.tlsSni01Port) {
+      servers.startServers(
+        [], args.tlsSni01Port
+      , { debug: args.debug, tlsOptions: greenlock.tlsOptions }
+      );
+    }
+    else {
+      servers.startServers(
+        args.http01Port || [80], []
+      , { debug: args.debug }
+      );
+    }
+  }
+
+  // Note: can't use args directly as null values will overwrite template values
+  return greenlock.register({
+    debug: args.debug
+  , email: args.email
+  , agreeTos: args.agreeTos
+  , communityMember: args.communityMember
+  , domains: args.domains
+  , rsaKeySize: args.rsaKeySize
+  , challengeType: challengeType
+  }).then(function (certs) {
+    if (!certs.renewing) {
+      return certs;
+    }
+    console.log("");
+    console.log("Got certificate(s) for " + certs.altnames.join(', '));
+    console.log("\tIssued at " + new Date(certs.issuedAt).toISOString() + "");
+    console.log("\tValid until " + new Date(certs.expiresAt).toISOString() + "");
+    console.log("");
+    console.log("Renewing them now");
+    return certs.renewing;
+  }).then(function (certs) {
+    console.log("");
+    console.log("Got certificate(s) for " + certs.altnames.join(', '));
+    console.log("\tIssued at " + new Date(certs.issuedAt).toISOString() + "");
+    console.log("\tValid until " + new Date(certs.expiresAt).toISOString() + "");
+    console.log("");
+    console.log('Private key installed at:');
+    console.log(
+      privkeyPath
+      .replace(/:configDir/g, args.configDir)
+      .replace(/:hostname/g, args.domains[0])
+    );
+    console.log("");
+
+    // should get back account, path to certs, pems, etc?
+    console.log('Certificates installed at:');
+    console.log(
+      [
+      //  args.privkeyPath
+        args.certPath
+      , args.chainPath
+      , args.fullchainPath
+      , args.bundlePath || ''
+      ].join('\n').replace(/\n+/g, '\n')
+      .replace(/:configDir/g, args.configDir)
+      .replace(/:hostname/g, args.domains[0])
+    );
+    console.log("");
+
+    if (servers) {
+      return servers.closeServers({ debug: args.debug }).then(function() {
+        return 0;
+      });
+    }
+
+    return 0;
+  }, function (err) {
+    console.error('[Error]: greenlock-cli');
+    console.error(err.stack || new Error('get stack').stack);
+
+    return 1;
+  });
+
+};

installer/get.sh

@@ -0,0 +1,151 @@
+#!/bin/bash
+#<pre><code>
+
+# This is a 3 step process
+#   1. First we need to figure out whether to use wget or curl for fetching remote files
+#   2. Next we need to figure out whether to use unzip or tar for downloading releases
+#   3. We need to actually install the stuff
+
+set -e
+set -u
+
+###############################
+#                             #
+#         http_get            #
+# boilerplate for curl / wget #
+#                             #
+###############################
+
+# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
+
+_my_http_get=""
+_my_http_opts=""
+_my_http_out=""
+
+detect_http_get()
+{
+  set +e
+  if type -p curl >/dev/null 2>&1; then
+    _my_http_get="curl"
+    _my_http_opts="-fsSL"
+    _my_http_out="-o"
+  elif type -p wget >/dev/null 2>&1; then
+    _my_http_get="wget"
+    _my_http_opts="--quiet"
+    _my_http_out="-O"
+  else
+    echo "Aborted, could not find curl or wget"
+    return 7
+  fi
+  set -e
+}
+
+http_get()
+{
+  $_my_http_get $_my_http_opts $_my_http_out "$2" "$1"
+  touch "$2"
+}
+
+http_bash()
+{
+  _http_url=$1
+  my_args=${2:-}
+  rm -rf my-tmp-runner.sh
+  $_my_http_get $_my_http_opts $_my_http_out my-tmp-runner.sh "$_http_url"; bash my-tmp-runner.sh $my_args; rm my-tmp-runner.sh
+}
+
+detect_http_get
+
+###############################
+##       END HTTP_GET        ##
+###############################
+
+echo ""
+echo ""
+echo ""
+
+if [ -z "${GREENLOCK_PATH:-}" ]; then
+  echo 'GREENLOCK_PATH="'${GREENLOCK_PATH:-}'"'
+  GREENLOCK_PATH=/opt/greenlock
+fi
+
+echo "Installing Greenlock to '$GREENLOCK_PATH'"
+echo ""
+
+echo "sudo mkdir -p '$GREENLOCK_PATH'"
+sudo mkdir -p "$GREENLOCK_PATH"
+echo "sudo chown -R $(whoami) '$GREENLOCK_PATH'"
+sudo chown -R $(whoami) "$GREENLOCK_PATH"
+
+echo "Installing node.js dependencies into $GREENLOCK_PATH"
+# until node v10.x gets fix for ursa we have no advantage to switching from 8.x
+export NODEJS_VER=v8.11.1
+export NODE_PATH="$GREENLOCK_PATH/lib/node_modules"
+export NPM_CONFIG_PREFIX="$GREENLOCK_PATH"
+export PATH="$GREENLOCK_PATH/bin:$PATH"
+sleep 1
+http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps >/dev/null 2>/dev/null
+
+my_tree="master"
+my_node="$GREENLOCK_PATH/bin/node"
+my_npm="$my_node $GREENLOCK_PATH/bin/npm"
+my_tmp="$GREENLOCK_PATH/tmp"
+mkdir -p $my_tmp
+
+echo "Installing Greenlock into $GREENLOCK_PATH"
+set +e
+my_unzip=$(type -p unzip)
+my_tar=$(type -p tar)
+if [ -n "$my_unzip" ]; then
+  rm -f $my_tmp/greenlock-$my_tree.zip
+  http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.zip $my_tmp/greenlock-$my_tree.zip
+  # -o means overwrite, and there is no option to strip
+  $my_unzip -o $my_tmp/greenlock-$my_tree.zip -d $GREENLOCK_PATH/ > /dev/null
+  cp -ar  $GREENLOCK_PATH/greenlock-cli.js/* $GREENLOCK_PATH/ > /dev/null
+  rm -rf $GREENLOCK_PATH/greenlock-cli.js
+elif [ -n "$my_tar" ]; then
+  rm -f $my_tmp/greenlock-$my_tree.tar.gz
+  http_get https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/$my_tree.tar.gz $my_tmp/greenlock-$my_tree.tar.gz
+  ls -lah $my_tmp/greenlock-$my_tree.tar.gz
+  $my_tar -xzf $my_tmp/greenlock-$my_tree.tar.gz --strip 1 -C $GREENLOCK_PATH/
+else
+  echo "Neither tar nor unzip found. Abort."
+  exit 13
+fi
+set -e
+
+pushd $GREENLOCK_PATH >/dev/null
+  $my_npm install >/dev/null 2>/dev/null
+popd >/dev/null
+
+cat << EOF > $GREENLOCK_PATH/bin/greenlock
+#!/bin/bash
+$my_node $GREENLOCK_PATH/bin/greenlock.js
+EOF
+chmod a+x $GREENLOCK_PATH/bin/greenlock
+echo "Creating link to 'greenlock' in /usr/local/bin"
+echo "sudo ln -sf $GREENLOCK_PATH/bin/greenlock /usr/local/bin/greenlock"
+sudo ln -sf $GREENLOCK_PATH/bin/greenlock /usr/local/bin/greenlock
+
+set +e
+if type -p setcap >/dev/null 2>&1; then
+  echo ""
+  echo "Setting permissions to allow Greenlock to run on port 80 and port 443 without sudo or root"
+  echo "sudo setcap cap_net_bind_service=+ep $GREENLOCK_PATH/bin/node"
+  sudo setcap cap_net_bind_service=+ep $GREENLOCK_PATH/bin/node
+fi
+set -e
+
+echo ""
+echo ""
+echo "Installed successfully. Try it out:"
+echo ""
+echo "  greenlock --help"
+echo ""
+echo ""
+
+#sudo setcap cap_net_bind_service=+ep $GREENLOCK_PATH/bin/node
+
+#https://git.coolaj86.com/coolaj86/greenlock-cli.js.git
+#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.tar.gz
+#https://git.coolaj86.com/coolaj86/greenlock-cli.js/archive/:tree:.zip

lib/servers.js

@@ -0,0 +1,110 @@
+'use strict';
+
+var NOBJ = {};
+
+module.exports.create = function (challenge) {
+  var servers = {
+    _servers: []
+
+  , httpResponder: function (req, res) {
+      console.info(req.method + ' ' + req.headers.host + req.url);
+      var acmeChallengePrefix = '/.well-known/acme-challenge/';
+
+      if (0 !== req.url.indexOf(acmeChallengePrefix)) {
+        res.end("Greenlock™ Commandline: https://git.coolaj86.com/coolaj86/greenlock-cli.js");
+        return;
+      }
+
+      var token = req.url.slice(acmeChallengePrefix.length);
+
+      challenge.get(NOBJ, req.headers.host.replace(/:.*/, ''), token, function (err, val) {
+        if (val) {
+          console.info("Responding with authorization token '" + val + "'");
+        } else {
+          console.info("No authorization token found");
+        }
+        res.end(val || '_ ERROR challenge not found _');
+      });
+    }
+
+  , startServers: function (plainPorts, tlsPorts, opts) {
+      opts = opts || {};
+
+      var tlsOptions = opts.tlsOptions || {};
+      var https = require('https');
+      var http = require('http');
+
+      if (servers._servers.length) {
+        return;
+      }
+
+      // http-01-port
+      plainPorts.forEach(function (port) {
+        var server = http.createServer(servers.httpResponder);
+
+        servers._servers.push(server);
+        server.listen(port, function () {
+          if (opts.debug) {
+            console.info('Listening http on', this.address());
+          }
+        });
+        server.on('error', function (err) {
+          if ('EADDRINUSE' === err.code) {
+            console.error("");
+            console.error("You already have a different server running on port '" + port + "'.");
+            console.error("You should probably use the --webroot-path option instead of --standalone.");
+            return;
+          }
+          throw err;
+        });
+      });
+
+      // tls-sni-01-port
+      tlsPorts.forEach(function (port) {
+        var server = https.createServer(tlsOptions, servers.httpResponder);
+
+        servers._servers.push(server);
+        server.listen(port, function () {
+          if (opts.debug) {
+            console.info('Listening https on', this.address());
+          }
+        });
+        server.on('error', function (err) {
+          if ('EADDRINUSE' === err.code) {
+            console.error("");
+            console.error("You already have a different server running on port '" + port + "'.");
+            console.error("You should probably use the --webroot-path option instead of --standalone.");
+            return;
+          }
+          throw err;
+        });
+      });
+
+    }
+
+  , closeServers: function (opts) {
+      opts = opts || {};
+      return new Promise(function (done) {
+        var closedServers = 0;
+        var serversToClose = servers._servers.length;
+        if (0 === serversToClose) {
+          done();
+        }
+
+        servers._servers.forEach(function (server) {
+          server.close(function () {
+            if (serversToClose === ++closedServers) {
+              if (opts.debug) {
+                console.info('Closed all servers');
+              }
+              servers._servers = [];
+              done();
+            }
+          });
+        });
+      });
+    }
+  };
+
+  return servers;
+};

lib/standalone.js

@@ -1,76 +0,0 @@
-'use strict';
-
-module.exports.create = function () {
-  var handlers =  {
-    //
-    // set,get,remove challenges
-    //
-    // Note: this is fine for a one-off CLI tool
-    // but a webserver using node-cluster or multiple
-    // servers should use a database of some sort
-    _challenges: {}
-  , setChallenge: function (args, key, value, cb) {
-      handlers._challenges[key] = value;
-      cb(null);
-    }
-  , getChallenge: function (args, key, cb) {
-      // TODO keep in mind that, generally get args are just args.domains
-      // and it is disconnected from the flow of setChallenge and removeChallenge
-      cb(null, handlers._challenges[key]);
-    }
-  , removeChallenge: function (args, key, cb) {
-      delete handlers._challenges[key];
-      cb(null);
-    }
-
-  , _servers: []
-  , httpResponder: function (req, res) {
-      var acmeChallengePrefix = '/.well-known/acme-challenge/';
-
-      if (0 !== req.url.indexOf(acmeChallengePrefix)) {
-        res.end('Hello World!');
-        return;
-      }
-
-      var key = req.url.slice(acmeChallengePrefix.length);
-
-      handlers.getChallenge(req.headers.host, key, function (err, val) {
-        res.end(val || '_');
-      });
-    }
-  , startServers: function (plainPorts, tlsPorts, opts) {
-      opts = opts || {};
-      var httpsOptions = require('localhost.daplie.com-certificates');
-      var https = require('https');
-      var http = require('http');
-
-      // tls-sni-01-port
-      if (handlers._servers.length) {
-        return;
-      }
-
-      plainPorts.forEach(function (port) {
-        http.createServer(handlers.httpResponder).listen(port, function () {
-          if (opts.debug) {
-            console.info('Listening http on', this.address());
-          }
-        });
-      });
-      tlsPorts.forEach(function (port) {
-        https.createServer(httpsOptions, handlers.httpResponder).listen(port, function () {
-          if (opts.debug) {
-            console.info('Listening https on', this.address());
-          }
-        });
-      });
-    }
-  , closeServers: function () {
-      handlers._servers.forEach(function (server) {
-        server.close();
-      });
-      handlers._servers = [];
-    }
-  };
-
-  return handlers;
-};

lib/webroot.js

@@ -9,9 +9,12 @@ module.exports.create = function (defaults) {
     //
     // set,get,remove challenges
     //
-    _challenges: {}
+    getOptions: function () {
-  , setChallenge: function (args, key, value, cb) {
+      return defaults;
-      var challengePath = path.join(defaults.webrootPath, '.well-known', 'acme-challenge');
+    }
+
+  , set: function (args, domain, token, secret, cb) {
+      var challengePath = path.join(args.webrootPath || defaults.webrootPath, '.well-known', 'acme-challenge');
       mkdirp(challengePath, function (err) {
         if (err) {
           console.error("Could not create --webroot-path '" + challengePath + "':", err.code);
@@ -20,11 +23,11 @@ module.exports.create = function (defaults) {
           return;
         }
 
-        var keyfile = path.join(challengePath, key);
+        var tokenfile = path.join(challengePath, token);
 
-        fs.writeFile(keyfile, value, 'utf8', function (err) {
+        fs.writeFile(tokenfile, secret, 'utf8', function (err) {
           if (err) {
-            console.error("Could not write '" + keyfile + "':", err.code);
+            console.error("Could not write '" + tokenfile + "':", err.code);
             cb(err);
             return;
           }
@@ -33,14 +36,18 @@ module.exports.create = function (defaults) {
         });
       });
     }
-  // handled as file read by web server
-  // , getChallenge: function (args, key, cb) {}
-  , removeChallenge: function (args, key, cb) {
-      var keyfile = path.join(defaults.webrootPath, '.well-known', 'acme-challenge', key);
 
-      fs.unlink(keyfile, function (err) {
+    // handled as file read by web server
+  , get: function (args, domain, token, cb) {
+      cb(new Error("get not implemented (on purpose) in gl-cli/lib/webroot.js"));
+    }
+
+  , remove: function (args, domain, token, cb) {
+      var tokenfile = path.join(args.webrootPath || defaults.webrootPath, '.well-known', 'acme-challenge', token);
+
+      fs.unlink(tokenfile, function (err) {
         if (err) {
-          console.error("Could not unlink '" + keyfile + "':", err.code);
+          console.error("Could not unlink '" + tokenfile + "':", err.code);
           cb(err);
           return;
         }

package.json

@@ -1,42 +1,40 @@
 {
-  "name": "letsencrypt-cli",
+  "name": "greenlock-cli",
-  "version": "1.0.8",
+  "version": "2.3.3",
-  "description": "CLI for node-letsencrypt modeled after the official client",
+  "description": "Free SSL and Automated HTTPS from the Greenlock command line, modeled after certbot",
+  "homepage": "https://greenlock.domains",
   "main": "index.js",
   "bin": {
-    "letsencrypt": "bin/letsencrypt.js",
+    "greenlock": "bin/greenlock.js"
-    "letsencrypt-node": "bin/letsencrypt.js"
   },
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/Daplie/node-letsencrypt-cli.git"
+    "url": "https://git.rootprojects.org/root/greenlock-cli.js.git"
   },
   "keywords": [
-    "node",
+    "Let's Encrypt",
-    "nodejs",
+    "ACME",
-    "acme",
+    "cli",
-    "boulder",
     "letsencrypt",
-    "le",
     "ssl",
     "https",
     "tls",
-    "free"
+    "Free SSL"
   ],
-  "author": "AJ ONeal <aj@daplie.com> (https://daplie.com)",
+  "author": "AJ ONeal <solderjs@gmail.com> (https://solderjs.com)",
-  "license": "(MIT OR Apache-2.0)",
+  "license": "MPL-2.0",
   "bugs": {
-    "url": "https://github.com/Daplie/node-letsencrypt-cli/issues"
+    "url": "https://git.rootprojects.org/root/greenlock-cli.js/issues"
   },
-  "homepage": "https://github.com/Daplie/node-letsencrypt-cli",
   "dependencies": {
-    "cli": "^0.11.1",
+    "cli": "^1.0.1",
-    "homedir": "^0.6.0",
+    "greenlock": "^2.2.15",
-    "letsencrypt": "^1.4.3",
+    "le-challenge-manual": "^2.1.0",
-    "localhost.daplie.com-certificates": "^1.1.2",
+    "le-challenge-standalone": "^2.1.0",
+    "le-store-certbot": "^2.1.0",
     "mkdirp": "^0.5.1"
   }
 }