update letsencrypt conventions

This commit is contained in:
AJ ONeal 2015-07-13 17:46:44 -06:00
parent eaf0e60b12
commit 7dbe9bd605
3 changed files with 43 additions and 24 deletions

View File

@ -31,20 +31,20 @@ Usage
Specifying a custom HTTPS certificate: Specifying a custom HTTPS certificate:
* `--key /path/to/privkey.pem` specifies the server private key * `--key /path/to/privkey.pem` specifies the server private key
* `--cert /path/to/cert.pem` specifies the server certificate * `--cert /path/to/fullchain.pem` specifies the bundle of server certificate and all intermediate certificates
* `--chain /path/to/chain.pem` specifies the certificate authorities * `--root /path/to/root.pem` specifies the certificate authority(ies)
Note: `--chain` may specify single cert, a bundle, and may be used multiple times like so: Note: `--root` may specify single cert or a bundle, and may be used multiple times like so:
``` ```
--chain /path/to/intermediate-ca-1.pem --chain /path/to/intermediate-ca-2.pem --root /path/to/primary-root.pem --root /path/to/cross-root.pem
``` ```
Other options: Other options:
* `--serve-chain true` alias for `-c` with the contents of chain.pem * `--serve-root true` alias for `-c` with the contents of root.pem
* `--servername example.com` changes the servername logged to the console * `--servername example.com` changes the servername logged to the console
* `--letsencrypt-certs example.com` sets and key, cert, and chain to standard letsencrypt locations * `--letsencrypt-certs example.com` sets and key, fullchain, and root to standard letsencrypt locations
Examples Examples
-------- --------
@ -82,7 +82,7 @@ you can do so like this:
```bash ```bash
sudo serve-https -p 8443 \ sudo serve-https -p 8443 \
--letsencrypt-certs test.mooo.com \ --letsencrypt-certs test.mooo.com \
--serve-chain true --serve-root true
``` ```
which is equilavent to which is equilavent to
@ -91,16 +91,16 @@ which is equilavent to
sudo serve-https -p 8443 \ sudo serve-https -p 8443 \
--servername test.mooo.com --servername test.mooo.com
--key /etc/letsencrypt/live/test.mooo.com/privkey.pem \ --key /etc/letsencrypt/live/test.mooo.com/privkey.pem \
--cert /etc/letsencrypt/live/test.mooo.com/cert.pem \ --cert /etc/letsencrypt/live/test.mooo.com/fullchain.pem \
--chain /etc/letsencrypt/live/test.mooo.com/chain.pem \ --root /etc/letsencrypt/live/test.mooo.com/root.pem \
-c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/chain.pem')" -c "$(cat 'sudo /etc/letsencrypt/live/test.mooo.com/root.pem')"
``` ```
and can be tested like so and can be tested like so
```bash ```bash
curl --insecure https://test.mooo.com:8443 > ./chain.pem curl --insecure https://test.mooo.com:8443 > ./root.pem
curl https://test.mooo.com:8843 --cacert ./chain.pem curl https://test.mooo.com:8843 --cacert ./root.pem
``` ```
* [QuickStart Guide for Let's Encrypt](https://coolaj86.com/articles/lets-encrypt-on-raspberry-pi/) * [QuickStart Guide for Let's Encrypt](https://coolaj86.com/articles/lets-encrypt-on-raspberry-pi/)

View File

@ -39,7 +39,7 @@
"homepage": "https://github.com/Daplie/localhost.daplie.com-server#readme", "homepage": "https://github.com/Daplie/localhost.daplie.com-server#readme",
"dependencies": { "dependencies": {
"finalhandler": "^0.4.0", "finalhandler": "^0.4.0",
"localhost.daplie.com-certificates": "^1.0.2", "localhost.daplie.com-certificates": "^1.1.2",
"minimist": "^1.1.1", "minimist": "^1.1.1",
"redirect-https": "^1.1.0", "redirect-https": "^1.1.0",
"serve-index": "^1.7.0", "serve-index": "^1.7.0",

View File

@ -76,35 +76,47 @@ function run() {
var opts = { var opts = {
key: cert.key key: cert.key
, cert: cert.cert , cert: cert.cert
, ca: cert.ca //, ca: cert.ca
, SNICallback: function (servername, cb) { , SNICallback: function (servername, cb) {
cb(null, require('tls').createSecureContext(opts)); cb(null, require('tls').createSecureContext(opts));
return; return;
} }
}; };
var peerCa;
if (letsencryptHost) { if (letsencryptHost) {
argv.key = argv.key || '/etc/letsencrypt/live/' + letsencryptHost + '/privkey.pem'; argv.key = argv.key || '/etc/letsencrypt/live/' + letsencryptHost + '/privkey.pem';
argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/cert.pem'; argv.cert = argv.cert || '/etc/letsencrypt/live/' + letsencryptHost + '/fullchain.pem';
argv.chain = argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/chain.pem'; argv.root = argv.root || argv.chain || '/etc/letsencrypt/live/' + letsencryptHost + '/root.pem';
argv.servername = argv.servername || letsencryptHost; argv.servername = argv.servername || letsencryptHost;
argv['serve-root'] = argv['serve-root'] || argv['serve-chain'];
} }
if (argv.key || argv.cert || argv.chain || argv['serve-chain']) { if (argv['serve-root'] && !argv.root) {
if (!argv.key || !argv.cert || !argv.chain) { console.error("You must specify bath --root to use --serve-root");
console.error("You must specify each of --key --cert and --chain (chain may be empty)");
return; return;
} }
if (!Array.isArray(argv.chain)) { if (argv.key || argv.cert || argv.root) {
argv.chain = [argv.chain]; if (!argv.key || !argv.cert) {
console.error("You must specify bath --key and --cert, and optionally --root (required with serve-root)");
return;
}
if (!Array.isArray(argv.root)) {
argv.root = [argv.root];
} }
opts.key = fs.readFileSync(argv.key); opts.key = fs.readFileSync(argv.key);
opts.cert = fs.readFileSync(argv.cert); opts.cert = fs.readFileSync(argv.cert);
// turn multiple-cert pemfile into array of cert strings // turn multiple-cert pemfile into array of cert strings
opts.ca = argv.chain.reduce(function (chain, fullpath) { peerCa = argv.root.reduce(function (roots, fullpath) {
return chain.concat(fs.readFileSync(fullpath, 'ascii') if (!fs.existsSync(fullpath)) {
return roots;
}
return roots.concat(fs.readFileSync(fullpath, 'ascii')
.split('-----END CERTIFICATE-----') .split('-----END CERTIFICATE-----')
.filter(function (ca) { .filter(function (ca) {
return ca.trim(); return ca.trim();
@ -113,9 +125,16 @@ function run() {
})); }));
}, []); }, []);
if (argv['serve-chain']) { if (argv['serve-root']) {
content = opts.ca.join('\r\n'); content = opts.ca.join('\r\n');
} }
// TODO * `--verify /path/to/root.pem` require peers to present certificates from said authority
if (argv.verify) {
opts.ca = peerCa;
opts.requestCert = true;
opts.rejectUnauthorized = true;
}
} }
opts.servername = 'localhost.daplie.com'; opts.servername = 'localhost.daplie.com';