From 7dbe9bd6053870ffaf12e462907b50dc926f413c Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 13 Jul 2015 17:46:44 -0600 Subject: [PATCH] update letsencrypt conventions --- README.md | 24 ++++++++++++------------ package.json | 2 +- serve.js | 41 ++++++++++++++++++++++++++++++----------- 3 files changed, 43 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index acf5497..d274f2e 100644 --- a/README.md +++ b/README.md @@ -31,20 +31,20 @@ Usage Specifying a custom HTTPS certificate: * `--key /path/to/privkey.pem` specifies the server private key -* `--cert /path/to/cert.pem` specifies the server certificate -* `--chain /path/to/chain.pem` specifies the certificate authorities +* `--cert /path/to/fullchain.pem` specifies the bundle of server certificate and all intermediate certificates +* `--root /path/to/root.pem` specifies the certificate authority(ies) -Note: `--chain` may specify single cert, a bundle, and may be used multiple times like so: +Note: `--root` may specify single cert or a bundle, and may be used multiple times like so: ``` ---chain /path/to/intermediate-ca-1.pem --chain /path/to/intermediate-ca-2.pem +--root /path/to/primary-root.pem --root /path/to/cross-root.pem ``` Other options: -* `--serve-chain true` alias for `-c` with the contents of chain.pem +* `--serve-root true` alias for `-c` with the contents of root.pem * `--servername example.com` changes the servername logged to the console -* `--letsencrypt-certs example.com` sets and key, cert, and chain to standard letsencrypt locations +* `--letsencrypt-certs example.com` sets and key, fullchain, and root to standard letsencrypt locations Examples -------- @@ -82,7 +82,7 @@ you can do so like this: ```bash sudo serve-https -p 8443 \ --letsencrypt-certs test.mooo.com \ - --serve-chain true + --serve-root true ``` which is equilavent to 
@@ -91,16 +91,16 @@ which is equilavent to sudo serve-https -p 8443 \ --servername test.mooo.com --key /etc/letsencrypt/live/test.mooo.com/privkey.pem \ - --cert /etc/letsencrypt/live/test.mooo.com/cert.pem \ - --chain /etc/letsencrypt/live/test.mooo.com/chain.pem \ - -c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/chain.pem')" + --cert /etc/letsencrypt/live/test.mooo.com/fullchain.pem \ + --root /etc/letsencrypt/live/test.mooo.com/root.pem \ + -c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/root.pem')" ``` and can be tested like so ```bash -curl --insecure https://test.mooo.com:8443 > ./chain.pem -curl https://test.mooo.com:8843 --cacert ./chain.pem +curl --insecure https://test.mooo.com:8443 > ./root.pem +curl https://test.mooo.com:8843 --cacert ./root.pem ``` * [QuickStart Guide for Let's Encrypt](https://coolaj86.com/articles/lets-encrypt-on-raspberry-pi/) diff --git a/package.json b/package.json index 952bfa1..e78a57a 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,7 @@ "homepage": "https://github.com/Daplie/localhost.daplie.com-server#readme", "dependencies": { "finalhandler": "^0.4.0", - "localhost.daplie.com-certificates": "^1.0.2", + "localhost.daplie.com-certificates": "^1.1.2", "minimist": "^1.1.1", "redirect-https": "^1.1.0", "serve-index": "^1.7.0", diff --git a/serve.js b/serve.js index a1f2d42..7d258cb 100755 --- a/serve.js +++ b/serve.js 
@@ -76,35 +76,47 @@ function run() { var opts = { key: cert.key , cert: cert.cert - , ca: cert.ca + //, ca: cert.ca , SNICallback: function (servername, cb) { cb(null, require('tls').createSecureContext(opts)); return; } }; + var peerCa; if (letsencryptHost) { argv.key = argv.key || '/etc/letsencrypt/live/' + letsencryptHost + '/privkey.pem'; - argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/cert.pem'; - argv.chain = argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/chain.pem'; + argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/fullchain.pem'; + argv.root = argv.root || argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/root.pem'; argv.servername = argv.servername || letsencryptHost; + argv['serve-root'] = argv['serve-root'] || argv['serve-chain']; } - if (argv.key || argv.cert || argv.chain || argv['serve-chain']) { - if (!argv.key || !argv.cert || !argv.chain) { - console.error("You must specify each of --key --cert and --chain (chain may be empty)"); + if (argv['serve-root'] && !argv.root) { + console.error("You must specify bath --root to use --serve-root"); + return; + } + + if (argv.key || argv.cert || argv.root) { + if (!argv.key || !argv.cert) { + console.error("You must specify bath --key and --cert, and optionally --root (required with serve-root)"); return; } - if (!Array.isArray(argv.chain)) { - argv.chain = [argv.chain]; + if (!Array.isArray(argv.root)) { + argv.root = [argv.root]; } opts.key = fs.readFileSync(argv.key); opts.cert = fs.readFileSync(argv.cert); + // turn multiple-cert pemfile into array of cert strings - opts.ca = argv.chain.reduce(function (chain, fullpath) { - return chain.concat(fs.readFileSync(fullpath, 'ascii') + peerCa = argv.root.reduce(function (roots, fullpath) { + if (!fs.existsSync(fullpath)) { + return roots; + } + + return roots.concat(fs.readFileSync(fullpath, 'ascii') .split('-----END CERTIFICATE-----') .filter(function (ca) { return ca.trim(); 
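Review bot: A `--root` path that does not exist is dropped without any message by the new `fs.existsSync` guard inside the `reduce` callback, and since these roots become the trust anchors for peer verification in the following hunk, a mistyped path silently turns into an empty `peerCa`. If the skip is meant to tolerate the default `root.pem` being absent under `--letsencrypt-certs`, an explicitly passed path should at least be reported: `if (!fs.existsSync(fullpath)) { console.error("--root not found: " + fullpath); return roots; }` (or throw). Both new error strings also read "bath"; `"You must specify --root to use --serve-root"` and `"You must specify both --key and --cert, and optionally --root (required with --serve-root)"` say what was meant. The `argv.chain` and `argv['serve-chain']` fallbacks are applied only inside `if (letsencryptHost)`, so without `--letsencrypt-certs` the old flag names are ignored rather than aliased; if that is unintended, the two `||` fallbacks belong above that block. run() starts before this hunk and continues past it.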
@@ -113,9 +125,16 @@ function run() { })); }, []); - if (argv['serve-chain']) { + if (argv['serve-root']) { content = opts.ca.join('\r\n'); } + + // TODO * `--verify /path/to/root.pem` require peers to present certificates from said authority + if (argv.verify) { + opts.ca = peerCa; + opts.requestCert = true; + opts.rejectUnauthorized = true; + } } opts.servername = 'localhost.daplie.com';
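Review bot: `content = opts.ca.join('\r\n')` in the `--serve-root` branch dereferences a value this patch no longer sets: the initial `ca: cert.ca` is commented out in the earlier hunk and the parsed roots are stored in `peerCa`, so `--serve-root` now throws on `.join` of `undefined`; the line should read `content = peerCa.join('\r\n');`. The TODO comment describes `--verify /path/to/root.pem`, but the code only tests `argv.verify` for truthiness and installs the `--root` bundle as the trust store, so the comment should describe what is implemented, e.g. `// --verify: require peers to present a certificate issued by one of the --root authorities`. Because a missing root file is skipped in the previous hunk, `peerCa` can be an empty array here; what `ca: []` with `rejectUnauthorized: true` ends up trusting depends on the Node version, so an empty list is worth rejecting explicitly before client verification is enabled. run() continues past the end of this hunk.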