🔐 Free SSL, Free Wildcard SSL, and Fully Automated HTTPS for node.js, issued by Let's Encrypt v2 via ACME
https://git.rootprojects.org/root/greenlock.js
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
378 lines
11 KiB
378 lines
11 KiB
'use strict';
|
|
|
|
var mkdirp = require('@root/mkdirp');
|
|
var cli = require('./cli.js');
|
|
|
|
cli.parse({
|
|
'directory-url': [
|
|
false,
|
|
' ACME Directory Resource URL',
|
|
'string',
|
|
'https://acme-v02.api.letsencrypt.org/directory',
|
|
'server,acme-url'
|
|
],
|
|
email: [
|
|
false,
|
|
' Email used for registration and recovery contact. (default: null)',
|
|
'email'
|
|
],
|
|
'agree-tos': [
|
|
false,
|
|
" Agree to the Greenlock and Let's Encrypt Subscriber Agreements",
|
|
'boolean',
|
|
false
|
|
],
|
|
'community-member': [
|
|
false,
|
|
' Submit stats to and get updates from Greenlock',
|
|
'boolean',
|
|
false
|
|
],
|
|
domains: [
|
|
false,
|
|
' Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])',
|
|
'string'
|
|
],
|
|
'renew-offset': [
|
|
false,
|
|
' Positive (time after issue) or negative (time before expiry) offset, such as 30d or -45d',
|
|
'string',
|
|
'45d'
|
|
],
|
|
'renew-within': [
|
|
false,
|
|
' (ignored) use renew-offset instead',
|
|
'ignore',
|
|
undefined
|
|
],
|
|
'cert-path': [
|
|
false,
|
|
' Path to where new cert.pem is saved',
|
|
'string',
|
|
':configDir/live/:hostname/cert.pem'
|
|
],
|
|
'fullchain-path': [
|
|
false,
|
|
' Path to where new fullchain.pem (cert + chain) is saved',
|
|
'string',
|
|
':configDir/live/:hostname/fullchain.pem'
|
|
],
|
|
'bundle-path': [
|
|
false,
|
|
' Path to where new bundle.pem (fullchain + privkey) is saved',
|
|
'string',
|
|
':configDir/live/:hostname/bundle.pem'
|
|
],
|
|
'chain-path': [
|
|
false,
|
|
' Path to where new chain.pem is saved',
|
|
'string',
|
|
':configDir/live/:hostname/chain.pem'
|
|
],
|
|
'privkey-path': [
|
|
false,
|
|
' Path to where privkey.pem is saved',
|
|
'string',
|
|
':configDir/live/:hostname/privkey.pem'
|
|
],
|
|
'config-dir': [
|
|
false,
|
|
' Configuration directory.',
|
|
'string',
|
|
'~/letsencrypt/etc/'
|
|
],
|
|
store: [
|
|
false,
|
|
' The name of the storage module to use',
|
|
'string',
|
|
'greenlock-store-fs'
|
|
],
|
|
'store-xxxx': [
|
|
false,
|
|
' An option for the chosen storage module, such as --store-apikey or --store-bucket',
|
|
'bag'
|
|
],
|
|
'store-json': [
|
|
false,
|
|
' A JSON string containing all option for the chosen store module (instead of --store-xxxx)',
|
|
'json',
|
|
'{}'
|
|
],
|
|
challenge: [
|
|
false,
|
|
' The name of the HTTP-01, DNS-01, or TLS-ALPN-01 challenge module to use',
|
|
'string',
|
|
'@greenlock/acme-http-01-fs'
|
|
],
|
|
'challenge-xxxx': [
|
|
false,
|
|
' An option for the chosen challenge module, such as --challenge-apikey or --challenge-bucket',
|
|
'bag'
|
|
],
|
|
'challenge-json': [
|
|
false,
|
|
' A JSON string containing all option for the chosen challenge module (instead of --challenge-xxxx)',
|
|
'json',
|
|
'{}'
|
|
],
|
|
'skip-dry-run': [
|
|
false,
|
|
' Use with caution (and test with the staging url first). Creates an Order on the ACME server without a self-test.',
|
|
'boolean'
|
|
],
|
|
'skip-challenge-tests': [
|
|
false,
|
|
' Use with caution (and with the staging url first). Presents challenges to the ACME server without first testing locally.',
|
|
'boolean'
|
|
],
|
|
'http-01-port': [
|
|
false,
|
|
' Required to be 80 for live servers. Do not use. For special test environments only.',
|
|
'int'
|
|
],
|
|
'dns-01': [false, ' Use DNS-01 challange type', 'boolean', false],
|
|
standalone: [
|
|
false,
|
|
' Obtain certs using a "standalone" webserver.',
|
|
'boolean',
|
|
false
|
|
],
|
|
manual: [
|
|
false,
|
|
' Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (uses acme-http-01-cli or acme-dns-01-cli)',
|
|
'boolean',
|
|
false
|
|
],
|
|
debug: [false, ' show traces and logs', 'boolean', false],
|
|
root: [
|
|
false,
|
|
' public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)',
|
|
'string',
|
|
undefined,
|
|
'webroot-path'
|
|
],
|
|
|
|
//
|
|
// backwards compat
|
|
//
|
|
duplicate: [
|
|
false,
|
|
' Allow getting a certificate that duplicates an existing one/is an early renewal',
|
|
'boolean',
|
|
false
|
|
],
|
|
'rsa-key-size': [
|
|
false,
|
|
' (ignored) use server-key-type or account-key-type instead',
|
|
'ignore',
|
|
2048
|
|
],
|
|
'server-key-path': [
|
|
false,
|
|
' Path to privkey.pem to use for certificate (default: generate new)',
|
|
'string',
|
|
undefined,
|
|
'domain-key-path'
|
|
],
|
|
'server-key-type': [
|
|
false,
|
|
" One of 'RSA' (2048), 'RSA-3084', 'RSA-4096', 'ECDSA' (P-256), or 'P-384'. For best compatibility, security, and efficiency use the default (More bits != More security)",
|
|
'string',
|
|
'RSA'
|
|
],
|
|
'account-key-path': [
|
|
false,
|
|
' Path to privkey.pem to use for account (default: generate new)',
|
|
'string'
|
|
],
|
|
'account-key-type': [
|
|
false,
|
|
" One of 'ECDSA' (P-256), 'P-384', 'RSA', 'RSA-3084', or 'RSA-4096'. Stick with 'ECDSA' (P-256) unless you need 'RSA' (2048) for legacy compatibility. (More bits != More security)",
|
|
'string',
|
|
'P-256'
|
|
],
|
|
webroot: [false, ' (ignored) for certbot compatibility', 'ignore', false],
|
|
//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-alpn-01)", 'string', 'http-01']
|
|
'work-dir': [
|
|
false,
|
|
' for certbot compatibility (ignored)',
|
|
'string',
|
|
'~/letsencrypt/var/lib/'
|
|
],
|
|
'logs-dir': [
|
|
false,
|
|
' for certbot compatibility (ignored)',
|
|
'string',
|
|
'~/letsencrypt/var/log/'
|
|
],
|
|
'acme-version': [
|
|
false,
|
|
' (ignored) ACME is now RFC 8555 and prior drafts are no longer supported',
|
|
'ignore',
|
|
'rfc8555'
|
|
]
|
|
});
|
|
|
|
// ignore certonly and extraneous arguments
|
|
cli.main(function(_, options) {
|
|
console.info('');
|
|
|
|
[
|
|
'configDir',
|
|
'privkeyPath',
|
|
'certPath',
|
|
'chainPath',
|
|
'fullchainPath',
|
|
'bundlePath'
|
|
].forEach(function(k) {
|
|
if (options[k]) {
|
|
options.storeOpts[k] = options[k];
|
|
}
|
|
delete options[k];
|
|
});
|
|
|
|
if (options.workDir) {
|
|
options.challengeOpts.workDir = options.workDir;
|
|
delete options.workDir;
|
|
}
|
|
|
|
if (options.debug) {
|
|
console.debug(options);
|
|
}
|
|
|
|
var args = {};
|
|
var homedir = require('os').homedir();
|
|
|
|
Object.keys(options).forEach(function(key) {
|
|
var val = options[key];
|
|
|
|
if ('string' === typeof val) {
|
|
val = val.replace(/^~/, homedir);
|
|
}
|
|
|
|
key = key.replace(/\-([a-z0-9A-Z])/g, function(c) {
|
|
return c[1].toUpperCase();
|
|
});
|
|
args[key] = val;
|
|
});
|
|
|
|
Object.keys(args).forEach(function(key) {
|
|
var val = args[key];
|
|
|
|
if ('string' === typeof val) {
|
|
val = val.replace(/(\:configDir)|(\:config)/, args.configDir);
|
|
}
|
|
|
|
args[key] = val;
|
|
});
|
|
|
|
if (args.domains) {
|
|
args.domains = args.domains.split(',');
|
|
}
|
|
|
|
if (
|
|
!(Array.isArray(args.domains) && args.domains.length) ||
|
|
!args.email ||
|
|
!args.agreeTos ||
|
|
(!args.server && !args.directoryUrl)
|
|
) {
|
|
console.error('\nUsage:\n\ngreenlock certonly --standalone \\');
|
|
console.error(
|
|
'\t--agree-tos --email user@example.com --domains example.com \\'
|
|
);
|
|
console.error('\t--config-dir ~/acme/etc \\');
|
|
console.error('\nSee greenlock --help for more details\n');
|
|
return;
|
|
}
|
|
|
|
if (args.http01Port) {
|
|
// [@agnat]: Coerce to string. cli returns a number although we request a string.
|
|
args.http01Port = '' + args.http01Port;
|
|
args.http01Port = args.http01Port.split(',').map(function(port) {
|
|
return parseInt(port, 10);
|
|
});
|
|
}
|
|
|
|
function run() {
|
|
var challenges = {};
|
|
if (/http.?01/i.test(args.challenge)) {
|
|
challenges['http-01'] = args.challengeOpts;
|
|
}
|
|
if (/dns.?01/i.test(args.challenge)) {
|
|
challenges['dns-01'] = args.challengeOpts;
|
|
}
|
|
if (/alpn.?01/i.test(args.challenge)) {
|
|
challenges['tls-alpn-01'] = args.challengeOpts;
|
|
}
|
|
if (!Object.keys(challenges).length) {
|
|
throw new Error(
|
|
"Could not determine the challenge type for '" +
|
|
args.challengeOpts.module +
|
|
"'. Expected a name like @you/acme-xxxx-01-foo. Please name the module with http-01, dns-01, or tls-alpn-01."
|
|
);
|
|
}
|
|
args.challengeOpts.module = args.challenge;
|
|
args.storeOpts.module = args.store;
|
|
|
|
console.log('\ngot to the run step');
|
|
require(args.challenge);
|
|
require(args.store);
|
|
|
|
var greenlock = require('../').create({
|
|
maintainerEmail: args.maintainerEmail || 'coolaj86@gmail.com',
|
|
manager: './manager.js',
|
|
configFile: '~/.config/greenlock/certs.json',
|
|
challenges: challenges,
|
|
store: args.storeOpts,
|
|
renewOffset: args.renewOffset || '30d',
|
|
renewStagger: '1d'
|
|
});
|
|
|
|
// for long-running processes
|
|
if (args.renewEvery) {
|
|
setInterval(function() {
|
|
greenlock.renew({
|
|
period: args.renewEvery
|
|
});
|
|
}, args.renewEvery);
|
|
}
|
|
|
|
// TODO should greenlock.add simply always include greenlock.renew?
|
|
// the concern is conflating error events
|
|
return greenlock
|
|
.add({
|
|
subject: args.subject,
|
|
altnames: args.altnames,
|
|
subscriberEmail: args.subscriberEmail || args.email
|
|
})
|
|
.then(function(changes) {
|
|
console.info(changes);
|
|
// renew should always
|
|
return greenlock
|
|
.renew({
|
|
subject: args.subject,
|
|
force: false
|
|
})
|
|
.then(function() {});
|
|
});
|
|
}
|
|
|
|
if ('greenlock-store-fs' !== args.store) {
|
|
run();
|
|
return;
|
|
}
|
|
|
|
// TODO remove mkdirp and let greenlock-store-fs do this?
|
|
mkdirp(args.storeOpts.configDir, function(err) {
|
|
if (!err) {
|
|
run();
|
|
}
|
|
|
|
console.error(
|
|
"Could not create --config-dir '" + args.configDir + "':",
|
|
err.code
|
|
);
|
|
console.error("Try setting --config-dir '/tmp'");
|
|
return;
|
|
});
|
|
}, process.argv.slice(3));
|
|
|