bruncsak / ght-acme.sh Goto Github PK

Get publicly trusted certificate via ACME protocol from LetsEncrypt or from BuyPass

License: GNU General Public License v2.0

PHP 0.14% Shell 99.86%

acme-client acme-v2 letsencrypt letsencrypt-certificates certificate server-certificate ssl-certificates dns-01 http-01 tls-certificate

ght-acme.sh's Introduction

letsencrypt.sh

This script is used to run the required steps to let letsencrypt sign a server certificate for certain domains.

For the most basic workflow an account key must be created and the private key of the server must be available. The following example is for a nginx server, because it is the easiest to setup.

Create an Account

letsencrypt needs an account key for verification of domains and requesting the signed certificate. If such a key already exists and is registered, the following steps can be skipped.

create an account key:

# umask 0177
# openssl genrsa -out account.key 4096
# umask 0022

# ./letsencrypt.sh register -a account.key -e [email protected]

Setup Challenge Response

To verify a domain the letsencrypt service gives you a challenge, to which a response must be stored under this domain.

The response is a simple concatenation of a challenge token, a dot ".", and the thumbprint of the account with which the verification request was made. This must be stored at a well known location.

The thumbprint of the private account key can be obtained with this command:

# ./letsencrypt.sh thumbprint -a account.key

With this thumbprint nginx can be configured to create a valid response dynamically. The following configuration must be added to the server section of each domain to be validated:

location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]*)$" {
    default_type text/plain;
    return 200 "$1.ACCOUNT_THUMBPRINT";
}

The string ACCOUNT_THUMBPRINT in the return statement must be replaced by the actual thumbprint of the account key. Please note that the verification service of letsencrypt asks for the response over a HTTP and not over a HTTPS connection. Do not forget to reload the configuration.

Request a Signed Certificate

When every domain for which the certificate should be used is setup, the signing of the certificate can be requested:

# ./letsencrypt.sh sign -a account.key -k server.key -c server.pem www.example.org www1.example.org example.org

If the script runs successfully the signed certificate is stored in the file server.pem and can be used with the server. Please note that the file only contains the signed server certificate and not the complete chain, which might be needed by some servers.

Renew a Certificate

This is done like the first signing request:

# ./letsencrypt.sh sign -a account.key -k server.key -c server.pem www.example.org www1.example.org example.org

Revoke a Certificate

This is done with the same account key the certificate was originally signed:

# ./letsencrypt.sh revoke -a account.key -c server.pem

Alternatively, it is possible to revoke the certificate with its server key:

# ./letsencrypt.sh revoke -k server.key -c server.pem

Custom push scripts

You may need to use the -P option together with a custom script to set up the response to the challenge from letsencrypt. This might be because you want to sign the certificate from a different server than the one that runs your web site or your DNS, or your DNS is managed externally and you need to use a specific API. Basic example scripts provided by other users are available in contrib/, for example contrib/push-ionos-dns.sh. These may be of quite varying quality but should help you get started.

ght-acme.sh's People

Contributors

Stargazers

Watchers

Forkers

kowloon12 msjang ra2003 snoopsd swipswaps jsandoval857 rrresistor rdoeffinger septicredhead

ght-acme.sh's Issues

Cannot handle HTTP/2 responses

Curl seems to do HTTP/2 requests lately, which breaks the script. Adding --http1.1 to the curl calls helps, but this feels like a hack.

domain_dns_challenge() - nsupdate of external DNS zones needs additional options

'nsupdate' without further options can run only on the DNS directly. Update accesses from external networks are refused generally.

The following adaptions in the function 'domain_dns_challenge()' allow the 'DNS challenge' on an external DNS server:

# SDuesterhaupt: 2019-12-19 - 'nsupdate' without further options can run only on the DNS directly
#                             External accesses are refused generally.
#                             
#                             Additional options: File with TSIG key (DNS_TSIG)
#                                                 DNS server (DNS_SERVER)
#                                                 Zone which shall be updated (DNS_ZONE)
#printf 'update %s _acme-challenge.%s. 300 IN TXT "%s"\n\n' "$1" "$DOMAIN" "$DNS_CHALLENGE" |
    #nsupdate || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"
MyDNSChallengeContent="server $DNS_SERVER"
#MyDNSChallengeContent="$MyDNSChallengeContent\ndebug yes"
MyDNSChallengeContent="$MyDNSChallengeContent\nzone $DNS_ZONE."
MyDNSChallengeContent="$MyDNSChallengeContent\nupdate $1 _acme-challenge.$DOMAIN. 300 IN TXT $DNS_CHALLENGE"
#MyDNSChallengeContent="$MyDNSChallengeContent\nshow"
MyDNSChallengeContent="$MyDNSChallengeContent\nsend\n\n"

#echo -e "$MyDNSChallengeContent" > nsupdate.txt
#nsupdate -k "$DNS_TSIG" -v nsupdate.txt || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"

echo -e "$MyDNSChallengeContent" | nsupdate -k "$DNS_TSIG" || die "Could not $1 $CHALLENGE_TYPE type challenge token with value $DNS_CHALLENGE for domain $DOMAIN via nsupdate"

Additionally the following options have to be considered:

dns-server|d)
	DNS_SERVER="$OPTARG"
	;;
dns-tsig|t)
	DNS_TSIG="$OPTARG"
	;;
dns-zone|z)
	DNS_ZONE="$OPTARG"
	;;

Call sequence:

# Wildcard certificate, call with options
./letsencrypt_v2.sh sign -l dns-01 -d root-dns.example365.com -t tsig.key -z exampleABC.com -a letsencrypt_account.key -k abc.exampleABC.com.key.pem -w /var/www/default/.well-known/acme-challenge -c ./tmp/abc.exampleABC.com.cert.pem abc.exampleABC.com *.abc.exampleABC.com

Replace the functionality of xxd

xxd is hard to get in distributions like CentOS.

Maybe it's better to include an alternative functionality like this:

hex2string() {
  MyRun=true
  while $MyRun; do
    if [ ! -z "$1" ]; then
      MyPart=$1
      MyRun=false
    else
      read MyPart
      MyTest=$?
      if [ $MyTest -ne 0 ]; then
        MyRun=false
      fi
    fi
    I=0
    while [ $I -lt ${#MyPart} ];
    do
      echo -en "\x"${MyPart:$I:2}
      let "I += 2"
    done
  done
}

The usage is for example in the function key_get_modulus():

#sed -e 's/^Modulus=//' < "$OPENSSL_OUT" \
# | xxd -r -p \
# | base64url
sed -e 's/^Modulus=//' < "$OPENSSL_OUT" \
 | hex2string \
 | base64url

Push token example collection

It would be nice to have a place to collect push token implementations.
Many (like mine) will be pretty bad, but with multiple users they have a chance of getting polished, and even if not it will be a starting point for anyone using the same provider.
I have attached my solution for using the IONOS (1and1) DNS API, maybe it helps someone.

#!/bin/sh
COMMAND='{ "disabled": true, "content": "null" }'
if [ "$1" = "add" ] ; then
  COMMAND='{ "disabled": false, "content": "'$3'" }'
fi
# Note: this script is only able to update existing entries
# to reduce the risk of making a mess and to make it simpler
# so you must create all _acme-challenge DNS entries before using it
URL="https://api.hosting.ionos.com/dns/v1/zones/<insert you zone ID>/records/<insert your _acme-challenge entry ID>"
# add a condition on to make URL depend on $2 to support multiple domains

# header.txt should contain your API key
# Could also use the -H @header.txt syntax,
# then header.txt only consists of
# X-API-Key: publicprefix.encryptionkey
curl -X PUT "$URL" -K header.txt -H 'accept: application/json' -H 'Content-Type: application/json' -d "$COMMAND"

pushdns.txt

Adapt the owner/permission of the token within the funtion push_domain_response()

Sometimes I have problems to read the token:

check verification of <domain>
<domain>: invalid
  Invalid response from <domain>/.well-known/acme-challenge/cwlfR7Vf83erv_zziIWrruVpokwJgaGCquXvT_y0FSk [IP]: \ (urn:ietf:params:acme:error:unauthorized)
remove response for <domain>

The token is created with that owner which also runs the letsencrypt.sh. Here it was root.

The webserver executes the webcontent with a owner which is not root. Generally in the default installation it's apache (CentOS) or www-data (Debian?).

So maybe we should set the owner and optionally the permission within the function push_domain_response() by:

# SDuesterhaupt: 2019-11-30 - Adapt the owner/permission of the token
MyUser="$(stat -c '%U' $TOKEN_DIR)"
MyGroup="$(stat -c '%G' $TOKEN_DIR)"
chown "$MyUser:$MyGroup" "$TOKEN_DIR/$DOMAIN_TOKEN"
#chmod 660 "$TOKEN_DIR/$DOMAIN_TOKEN"

The user and group names are inherited by the TOKEN_DIR.

Add a meaningful User-Agent

AFAICT, this client sends User-Agent: curl/<version> by default. Please update it to set a User-Agent string that defines the client name and version. Thanks!

how to issue wildcard certificate?

How can I get a domain wildcard certificate?

Account creation broken

Account creation is broken on the newest version. I also tried on a random older version (9d78136), and it works fine there.

Here's what happens on the newest version:

$ openssl genrsa -out account.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................++
...................................................................++
e is 65537 (0x10001)
$ ./letsencrypt.sh register -a account.key -e [email protected]
pwnedkeys.com claims: account key is not compromised
register account
unhandled response while registering account

HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Server: nginx
Date: Wed, 24 Jun 2020 20:17:53 GMT
Content-Type: application/problem+json
Content-Length: 114
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001a3IX76GwuWP45fsUjQ0ziDPOLqPyZrBhQ2214DAsUm0

{
  "type": "urn:ietf:params:acme:error:badPublicKey",
  "detail": "key exponent must be 65537",
  "status": 400
}

OS: Debian 8.1. Bash 4.3.30.

request challenge for XXX
error while requesting challenge for XXX
  {
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce a_und1PinIcRvGo9HQ6HaOzlrmIgum_AfiwnaLllAD8",
  "status": 400
} ({
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has invalid anti-replay nonce a_und1PinIcRvGo9HQ6HaOzlrmIgum_AfiwnaLllAD8",
  "status": 400
})

The error usually disappears when relaunching the script.

Thanks for your help