
Acme Lightweight Client

This project is yet another Let's Encrypt client. It has the following properties.

  • The main artifact is a C++ static library.
  • It only supports creating and updating certificates using HTTP challenges.
  • All code runs 'in process', i.e., no processes are spawned.

Building and Installing

Building requires cmake, openssl and curl. On Debian-based systems this will install them.

apt-get install cmake libssl-dev libcurl4-gnutls-dev

On Red Hat-based systems this will do it.

yum install cmake openssl-devel curl-devel

On macOS you'll install prerequisites with your package manager of choice.

To build and install run:

cmake .
make
make install

Let's Encrypt Credentials

To use any Let's Encrypt client you need to sign requests with the private key of a Let's Encrypt account. You'll want to keep control of that key in case you ever need to revoke the certificates that you issue. (In addition, Let's Encrypt rate limits account creation, so you'll normally want to re-use the same account.)

This library uses a private key in PEM format. The acme-tiny library has good documentation on how to create a new one or convert an existing certbot key to PEM format.

Command Line Client

The command line client is run as follows.

acme_lw_client <filename of account private key> <domain name> ...

Multiple domain names can be on the command line.

The behavior is similar to the official Let's Encrypt client run as follows:

certbot certonly --manual -d <domain name>

Library API

The API of the library is documented in its header file. The command line client source provides an example of how it's used.

All methods report errors by throwing std::exception, which will normally be an instance of acme_lw::AcmeException. Note that this means you should compile your client code and this code with the same compiler and ideally with the same compiler options.

If your code is in main.cpp, something like this will build and link.

g++ main.cpp -lacme_lw -lcurl -lcrypto

Security

The library itself is fairly agnostic about security. It doesn't read or write to disk (swapping aside). If you use the library you'll need to decide for yourself how you want to protect the account private key and the private key associated with the certificates issued.

The command line client writes the certificate and private key to disk, readable only by the current user. It reads the account private key (in PEM format) from disk, so it needs to be readable by the current user. You'll need to decide whether that's acceptable and if so which user you want to use. (You probably want to create one solely for this purpose.)

The certificate issued uses a 4,096-bit RSA key.
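
An added example, not code from this project: one way client code that calls the library could store an issued private key readable only by its owner, and check an account key file before reading it. The names writeOwnerOnly and isPrivateToCurrentUser are hypothetical and not part of the acme_lw API; a POSIX system is assumed.

```cpp
// Added example; function names are hypothetical, not part of acme_lw.
#include <cerrno>
#include <cstring>
#include <fcntl.h>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Create `path` with mode 0600 and write `pem` to it. O_EXCL fails if the file
// already exists and O_NOFOLLOW refuses a symlink, so the key never lands in a
// file someone else created with looser permissions.
void writeOwnerOnly(const std::string& path, const std::string& pem)
{
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        throw std::runtime_error("open " + path + ": " + std::strerror(errno));
    for (size_t off = 0; off < pem.size();) {
        ssize_t n = ::write(fd, pem.data() + off, pem.size() - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0) {
            std::string err = std::strerror(errno);
            ::close(fd);
            ::unlink(path.c_str());   // don't leave a partial key behind
            throw std::runtime_error("write " + path + ": " + err);
        }
        off += static_cast<size_t>(n);
    }
    if (::close(fd) != 0)
        throw std::runtime_error("close " + path + ": " + std::strerror(errno));
}

// True only for a regular file owned by the effective user with no group or
// other permission bits set; lstat means a symlink is rejected, not followed.
bool isPrivateToCurrentUser(const std::string& path)
{
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0)
        return false;
    return S_ISREG(st.st_mode) && st.st_uid == ::geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(int argc, char** argv)
{
    // Exit status 0 only if the key file named on the command line is private.
    return (argc == 2 && isPrivateToCurrentUser(argv[1])) ? 0 : 1;
}
```

Running the check before loading the account key catches a key file that was copied or restored with group or world access.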
