coolaj86
/
greenlock.js
mirror of https://github.com/therootcompany/greenlock.js.git
1
0
Fork 0
Code Projects Releases Wiki Activity

nix scraps

This commit is contained in:
AJ ONeal 2016-08-04 11:52:43 -06:00
parent 015259c996
commit 25475328fb
9 changed files with 0 additions and 708 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
scraps/README.md
View File

@ -1,202 +0,0 @@
Scraps
======
These are examples that we might come back and update (and would love help updating),
but they are more likely to cause confusion than success for the casual googled-it-and-got-here-er.
Probably Outdated Examples
========
The simplest example of setting up a webserver appropriately is probably `letsencrypt-cli` (~120 lines of code):
* [letsencrypt-cli//lib/standalone.js](https://github.com/Daplie/node-letsencrypt-cli/blob/master/lib/standalone.js)
Similary, `letsencrypt-cli`'s usage of `le.register()` is fairly simple (~75 lines of code):
* [letsencrypt-cli/bin/letsencrypt.js](https://github.com/Daplie/node-letsencrypt-cli/blob/master/bin/letsencrypt.js)
### One-Time Registration
Register a 90-day certificate manually, on a whim
**Note**: We've been running a fast development cycle and this example may be out of date.
The API *shouldn't* have changed much but, we probably need to come back and update it.
#### Snippets
[`commandline-minimal`](https://github.com/Daplie/node-letsencrypt/blob/master/examples/commandline-minimal.js):
**Part 1: the Let's Encrypt client**:
```javascript
'use strict';
var LE = require('letsencrypt');
var config = require('./config-minimal');
// Note: you should make this special dir in your product and leave it empty
config.le.webrootPath = __dirname + '/../tests/acme-challenge';
config.le.server = LE.stagingServer;
//
// Manual Registration
//
var le = LE.create(config.backend, config.le);
le.register({
agreeTos: true
, domains: ['example.com'] // CHANGE TO YOUR DOMAIN
, email: 'user@email.com' // CHANGE TO YOUR EMAIL
}, function (err) {
if (err) {
console.error('[Error]: node-letsencrypt/examples/standalone');
console.error(err.stack);
} else {
console.log('success');
}
plainServer.close();
tlsServer.close();
});
```
**Part 2: Express Web Server**:
```javascript
//
// Express App
//
var app = require('express')();
app.use('/', le.middleware()); // TODO le.middleware was moved to letsencrypt-express, we need to update the docs here
//
// HTTP & HTTPS servers
// (required for domain validation)
//
var plainServer = require('http').createServer(app).listen(config.plainPort, function () {
console.log('Listening http', this.address());
});
var tlsServer = require('https').createServer({
key: config.tlsKey
, cert: config.tlsCert
, SNICallback: le.sniCallback
}, app).listen(config.tlsPort, function () {
console.log('Listening http', this.address());
});
```
#### Runnable Demo
* [commandline (standalone with "webroot")](https://github.com/Daplie/node-letsencrypt/blob/master/examples/commandline.js)
```bash
# manual standalone registration via commandline
# (runs against testing server on tls port 5001)
node examples/commandline.js example.com,www.example.com user@example.net agree
```
### Express
Fully Automatic HTTPS with ExpressJS using Free SSL certificates from Let's Encrypt
#### Snippets
* [Minimal ExpressJS Example](https://github.com/Daplie/node-letsencrypt/blob/master/examples/express-minimal.js)
```javascript
'use strict';
var LE = require('letsencrypt');
var config = require('./config-minimal');
// Note: you should make this special dir in your product and leave it empty
config.le.webrootPath = __dirname + '/../tests/acme-challenge';
config.le.server = LE.stagingServer;
//
// Automatically Register / Renew Domains
//
var le = LE.create(config.backend, config.le, {
sniRegisterCallback: function (args, expiredCert, cb) {
// Security: check that this is actually a subdomain we allow
// (otherwise an attacker can cause you to rate limit against the LE server)
var hostname = args.domains[0];
if (!/\.example\.com$/.test(hostname)) {
console.error("bad domain '" + hostname + "', not a subdomain of example.com");
cb(nul, null);
}
// agree to the LE TOS for this domain
args.agreeTos = true;
args.email = 'user@example.com';
// use the cert even though it's expired
if (expiredCert) {
cb(null, expiredCert);
cb = function () { /*ignore*/ };
}
// register / renew the certificate in the background
le.register(args, cb);
}
});
//
// Express App
//
var app = require('express')();
app.use('/', le.middleware());
//
// HTTP & HTTPS servers
//
require('http').createServer(app).listen(config.plainPort, function () {
console.log('Listening http', this.address());
});
require('https').createServer({
key: config.tlsKey
, cert: config.tlsCert
, SNICallback: le.sniCallback
}, app).listen(config.tlsPort, function () {
console.log('Listening http', this.address());
});
```
#### Runnable Example
* [Full ExpressJS Example](https://github.com/Daplie/node-letsencrypt/blob/master/examples/express.js)
```bash
# clear out the certificates
rm -rf tests/letsencrypt.*
# automatic registration and renewal (certs install as you visit the site for the first time)
# (runs against testing server on tls port 5001)
node examples/express.js example.com,www.example.com user@example.net agree
```
```bash
# this will take a moment because it won't respond to the tls sni header until it gets the certs
curl https://example.com/
```
### non-root
If you want to run this as non-root, you can.
You just have to set node to be allowed to use root ports
```
# node
sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
```
and then make sure to set all of of the following to a directory that your user is permitted to write to
* `webrootPath`
* `configDir`

53
scraps/commandline-minimal.js
View File

@ -1,53 +0,0 @@
'use strict';
var LE = require('../');
var config = require('./config-minimal');
// Note: you should make this special dir in your product and leave it empty
config.le.webrootPath = __dirname + '/../tests/acme-challenge';
config.le.server = LE.stagingServer;
//
// Manual Registration
//
var le = LE.create(config.le);
le.register({
agreeTos: true
, domains: [process.argv[3] || 'example.com'] // CHANGE TO YOUR DOMAIN
, email: process.argv[2] || 'user@example.com' // CHANGE TO YOUR EMAIL
}, function (err) {
if (err) {
console.error('[Error]: node-letsencrypt/examples/standalone');
console.error(err.stack);
} else {
console.log('success');
}
plainServer.close();
tlsServer.close();
});
//
// Express App
//
var app = require('express')();
app.use('/', le.middleware());
//
// HTTP & HTTPS servers
// (required for domain validation)
//
var plainServer = require('http').createServer(app).listen(config.plainPort, function () {
console.log('Listening http', this.address());
});
var tlsServer = require('https').createServer({
key: config.tlsKey
, cert: config.tlsCert
, SNICallback: le.sniCallback
}, app).listen(config.tlsPort, function () {
console.log('Listening http', this.address());
});

87
scraps/commandline.js
View File

@ -1,87 +0,0 @@
'use strict';
var conf = {
domains: process.argv[2]
, email: process.argv[3]
, agree: process.argv[4]
};
var port = 80;
var tlsPort = 5001;
if (!conf.domains || !conf.email || !conf.agree) {
console.error("Usage: letsencrypt <domain1,domain2> <email> agree");
console.error("Example: letsencrypt example.com,www.example.com user@example.com agree");
return;
}
var LE = require('../');
var path = require('path');
// backend-specific defaults will be passed through
// Note: Since agreeTos is a legal agreement, I would suggest not accepting it by default
var bkDefaults = {
webrootPath: path.join(__dirname, '..', 'tests', 'acme-challenge')
, fullchainTpl: '/live/:hostname/fullchain.pem'
, privkeyTpl: '/live/:hostname/privkey.pem'
, configDir: path.join(__dirname, '..', 'tests', 'letsencrypt.config')
, server: LE.stagingServer
// backend-specific
, logsDir: path.join(__dirname, '..', 'tests', 'letsencrypt.logs')
, workDir: path.join(__dirname, '..', 'tests', 'letsencrypt.work')
};
var le = LE.create(bkDefaults, {
/*
setChallenge: function (hostnames, key, value, cb) {
// the python backend needs fs.watch implemented
// before this would work (and even then it would be difficult)
}
, getChallenge: function (hostnames, key, cb) {
//
}
, sniRegisterCallback: function (args, certInfo, cb) {
}
, registrationFailureCallback: function (args, certInfo, cb) {
what do to when a backgrounded registration fails
}
*/
});
var localCerts = require('localhost.daplie.com-certificates');
var express = require('express');
var app = express();
app.use('/', le.middleware());
var server = require('http').createServer();
server.on('request', app);
server.listen(port, function () {
console.log('Listening http', server.address());
});
var tlsServer = require('https').createServer({
key: localCerts.key
, cert: localCerts.cert
, SNICallback: le.sniCallback
});
tlsServer.on('request', app);
tlsServer.listen(tlsPort, function () {
console.log('Listening http', tlsServer.address());
});
le.register({
agreeTos: 'agree' === conf.agree
, domains: conf.domains.split(',')
, email: conf.email
}, function (err) {
if (err) {
console.error('[Error]: node-letsencrypt/examples/standalone');
console.error(err.stack);
} else {
console.log('success');
}
server.close();
tlsServer.close();
});

26
scraps/config-minimal.js
View File

@ -1,26 +0,0 @@
'use strict';
var path = require('path');
var config = {
plainPort: 80
, tlsPort: 5001 // 5001 for testing, normally 443
, tlsKey: require('localhost.daplie.com-certificates').key
, tlsCert: require('localhost.daplie.com-certificates').cert
, le: {
webrootPath: path.join(__dirname, '..', 'tests', 'acme-challenge')
, fullchainTpl: '/live/:hostname/fullchain.pem'
, privkeyTpl: '/live/:hostname/privkey.pem'
, configDir: path.join(__dirname, '..', 'tests', 'letsencrypt.config')
// these are specific to the python client and won't be needed with the purejs library
, logsDir: path.join(__dirname, '..', 'tests', 'letsencrypt.logs')
, workDir: path.join(__dirname, '..', 'tests', 'letsencrypt.work')
}
};
module.exports = config;

57
scraps/express-minimal.js
View File

@ -1,57 +0,0 @@
'use strict';
var LE = require('../');
var config = require('./config-minimal');
// Note: you should make this special dir in your product and leave it empty
config.le.webrootPath = __dirname + '/../tests/acme-challenge';
config.le.server = LE.stagingServer;
var le = LE.create(config.le, {
sniRegisterCallback: function (args, expiredCert, cb) {
// In theory you should never get an expired certificate because
// the certificates automatically renew in the background starting
// about a week before they expire.
// (the default behavior is to randomly stagger renewals)
// so in this case we'll just return the expired certificate
if (expiredCert) { return cb(null, expiredCert); }
// If we get here that means this domain hasn't been registered yet
// Security Warning: you should either manually register domains
// and return null here or check that the sni header isn't being
// spoofed and this is actually a domain you own before registering
//
// cb(null, null);
var hostname = args.domains[0];
console.log("[TODO] check that '" + hostname + "' is one I expect");
args.agreeTos = true;
args.email = 'user@example.com';
le.register(args, cb);
}
});
//
// Express App
//
var app = require('express')();
app.use('/', le.middleware());
//
// HTTP & HTTPS servers
//
require('http').createServer(app).listen(config.plainPort, function () {
console.log('Listening http', this.address());
});
require('https').createServer({
key: config.tlsKey
, cert: config.tlsCert
, SNICallback: le.sniCallback
}, app).listen(config.tlsPort, function () {
console.log('Listening http', this.address());
});

87
scraps/express.js
View File

@ -1,87 +0,0 @@
'use strict';
var conf = {
domains: (process.argv[2]||'').split(',')
, email: process.argv[3]
, agree: 'agree' === process.argv[4]
};
var port = 80;
var tlsPort = 5001;
if (!conf.domains || !conf.email || !conf.agree) {
console.error("Usage: node examples/express <domain1,domain2> <email> agree");
console.error("Example: node examples/express example.com,www.example.com user@example.com agree");
return;
}
var LE = require('../');
var path = require('path');
// backend-specific defaults will be passed through
// Note: Since agreeTos is a legal agreement, I would suggest not accepting it by default
var bkDefaults = {
webrootPath: path.join(__dirname, '..', 'tests', 'acme-challenge')
, fullchainTpl: '/live/:hostname/fullchain.pem'
, privkeyTpl: '/live/:hostname/privkey.pem'
, configDir: path.join(__dirname, '..', 'tests', 'letsencrypt.config')
, server: LE.stagingServer
};
var le = LE.create(LEP, bkDefaults, {
sniRegisterCallback: function (args, certInfo, cb) {
var allowedDomains = conf.domains; // require('../tests/config').allowedDomains;
// let the renewal take place in the background
if (certInfo && certInfo.context) {
cb(null, certInfo);
return;
}
// verify that these are domains we allow to register on our server
if (args.domains.length && args.domains.every(function (hostname) {
hostname = hostname.toLowerCase();
return (-1 !== allowedDomains.indexOf(hostname));
})) {
// wait for registration before responding
args.agreeTos = conf.agree;
args.email = conf.email; // you'd want to lookup which user has this email
le.register(args, cb);
} else {
// I don't know where this error goes (SNICallback)... but at least we put it somewhere
cb(new Error("SNI came in for (an) unrecognized domain(s): '" + args.domains + "'"));
}
}
/*
, setChallenge: function (hostnames, key, value, cb) {
// the python backend needs fs.watch implemented
// before this would work (and even then it would be difficult)
}
, getChallenge: function (hostnames, key, cb) {
//
}
, registrationFailureCallback: function (args, certInfo, cb) {
what do to when a backgrounded registration fails
}
*/
});
var localCerts = require('localhost.daplie.com-certificates');
var express = require('express');
var app = express();
app.use('/', le.middleware());
var server = require('http').createServer();
server.on('request', app);
server.listen(port, function () {
console.log('Listening http', server.address());
});
var tlsServer = require('https').createServer({
key: localCerts.key
, cert: localCerts.cert
, SNICallback: le.sniCallback
});
tlsServer.on('request', app);
tlsServer.listen(tlsPort, function () {
console.log('Listening http', tlsServer.address());
});

80
scraps/private-key-json-to-account-id.js
View File

@ -1,80 +0,0 @@
'use strict';
var fs = require('fs');
var crypto = require('crypto');
var ursa = require('ursa');
// Here are all the places you can discover the account id:
//
// letsencrypt/account.py
//
// /etc/letsencrypt/accounts/{{ server }}/directory/{{ accountId }}/private_key.json
// /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f4c33502df3789849f617944253b35ae/private_key.json
//
// /etc/letsencrypt/renewal/{{ hostname }}.conf
// /etc/letsencrypt/renewal/example.com.conf
//
// Note: each domain has its own private key
function fromPrivateKeyUrsa(priv, cb) {
var pub = priv.toPublicPem();
var accountId = crypto.createHash('md5').update(pub).digest('hex');
cb(null, accountId);
}
function fromAccountPrivateKey(pkj, cb) {
Object.keys(pkj).forEach(function (key) {
pkj[key] = new Buffer(pkj[key], 'base64');
});
var priv = ursa.createPrivateKeyFromComponents(
pkj.n // modulus
, pkj.e // exponent
, pkj.p
, pkj.q
, pkj.dp
, pkj.dq
, pkj.qi
, pkj.d
);
fromPrivateKeyUrsa(priv, cb);
}
function fromAccountPrivateKeyFile(privateKeyPath, cb) {
// Read ACME account key
fs.readFile(privateKeyPath, 'utf8', function (err, privkeyJson) {
var pkj;
if (err) {
cb(err);
return;
}
try {
pkj = JSON.parse(privkeyJson);
} catch(e) {
cb(e);
return;
}
fromAccountPrivateKey(pkj, cb);
});
}
function bogusAccountId(cb) {
var priv = ursa.generatePrivateKey(2048, 65537);
fromPrivateKeyUrsa(priv, cb);
}
module.exports.bogusAccountId = bogusAccountId;
module.exports.fromAccountPrivateKey = fromAccountPrivateKey;
module.exports.bogusAccountId(function (err, id) {
console.log('Random Account Id', id);
});
module.exports.fromAccountPrivateKey('/etc/letsencrypt/live/example.com/privkey.pem', function (err, id) {
console.log(id);
});

62
scraps/renewal-example.com.conf
View File

@ -1,62 +0,0 @@
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
# Options and defaults used in the renewal process
[renewalparams]
apache_enmod = a2enmod
no_verify_ssl = False
ifaces = None
apache_dismod = a2dismod
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
func = <function obtain_cert at 0x30c9500>
prepare = False
work_dir = /var/lib/letsencrypt
tos = True
init = False
http01_port = 80
duplicate = False
key_path = None
nginx = False
fullchain_path = /home/user/letsencrypt/chain.pem
email = user@example.com
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = webroot
domains = example.com,
rsa_key_size = 2048
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /home/user/letsencrypt/cert.pem
webroot_path = /srv/www/example.com/,
strict_permissions = False
apache_server_root = /etc/apache2
account = f4c33502df3789849f617944253b35ae
manual_public_ip_logging_ok = False
chain_path = /home/user/letsencrypt/chain.pem
standalone = False
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "http-01,tls-sni-01"
webroot = True
apache_init_script = None
user_agent = None
apache_ctl = apache2ctl
apache_le_vhost_ext = -le-ssl.conf
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]
example.com = /srv/www/example.com/

54
scraps/ursa.js
View File

@ -1,54 +0,0 @@
'use strict';
var LE = require('../');
var config = require('./config-minimal');
// Note: you should make this special dir in your product and leave it empty
config.le.webrootPath = __dirname + '/../tests/acme-challenge';
config.le.server = LE.stagingServer;
//
// Manual Registration
//
var le = LE.create(config.le);
le.backend.registerAsync({
agreeTos: true
, domains: ['example.com'] // CHANGE TO YOUR DOMAIN
, email: 'user@example.com' // CHANGE TO YOUR EMAIL
}, function (err, body) {
if (err) {
console.error('[Error]: node-letsencrypt/examples/ursa');
console.error(err.stack);
} else {
console.log('success', body);
}
plainServer.close();
tlsServer.close();
}).then(function () {}, function (err) {
console.error(err.stack);
});
//
// Express App
//
var app = require('express')();
app.use('/', le.middleware());
//
// HTTP & HTTPS servers
// (required for domain validation)
//
var plainServer = require('http').createServer(app).listen(config.plainPort, function () {
console.log('Listening http', this.address());
});
var tlsServer = require('https').createServer({
key: config.tlsKey
, cert: config.tlsCert
, SNICallback: le.sniCallback
}, app).listen(config.tlsPort, function () {
console.log('Listening http', this.address());
});