le.sh v2.0.0

1. Unix-like command API
2. 100% compatible with the le.sh 1.x command API.
3. Support different webroot for each domain in the same cert.
```
le.sh  --issue  -d a.com  -w /wwwroot/a.com  -d b.com -w /wwwroot/b.com
```
4. Support different authentication methods for each domain in the same cert. Hybrid usage:
```
le.sh  --issue  -d a.com -w /wwwroot/a.com  -d  b.com -dns dns-cf
```

5. Two different debug levels to provide useful debug info: `--debug` or `--debug 2`
6. Support installing `fullchain.cer` after renewal.
7. Better performance.
neil 2016-04-09 23:40:59 +08:00
parent 6cb415f57e
commit a63b05a9e7
6 changed files with 654 additions and 437 deletions

README.md (134 changed lines)

@ -60,7 +60,7 @@ Clone this project:
``` ```
git clone https://github.com/Neilpang/le.git git clone https://github.com/Neilpang/le.git
cd le cd le
./le.sh install ./le.sh --install
``` ```
You don't have to be root then, although it is recommended. You don't have to be root then, although it is recommended.
@ -78,76 +78,73 @@ Show help message:
``` ```
root@v1:~# le.sh root@v1:~# le.sh
https://github.com/Neilpang/le https://github.com/Neilpang/le
v1.2.3 v2.0.0
Usage: le.sh [command] ...[args].... Usage: le.sh command ...[parameters]....
Available commands: Commands:
--help, -h Show this help message.
--version, -v Show version info.
--install Install le.sh to your system.
--uninstall Uninstall le.sh, and uninstall the cron job.
--issue Issue a cert.
--installcert Install the issued cert to apache/nginx or any other server.
--renew, -r Renew a cert.
--renewAll Renew all the certs
--revoke Revoke a cert.
--installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
--uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
--toPkcs Export the certificate and key to a pfx file.
--createAccountKey, -cak Create an account private key, professional use.
--createDomainKey, -cdk Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
install: Parameters:
Install le.sh to your system. --domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
issue: --force, -f Used to force to install or force to renew a cert immediately.
Issue a cert. --staging, --test Use staging server, just for test.
installcert: --debug Output debug info.
Install the issued cert to apache/nginx or any other server.
renew:
Renew a cert.
renewAll:
Renew all the certs.
uninstall:
Uninstall le.sh, and uninstall the cron job.
revoke:
Revoke a cert.
version:
Show version info.
installcronjob:
Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
uninstallcronjob:
Uninstall the cron job. The 'uninstall' command can do this automatically.
toPkcs:
Export the certificate and key to a pfx file.
createAccountKey:
Create an account private key, professional use.
createDomainKey:
Create an domain private key, professional use.
createCSR:
Create CSR , professional use.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
--apache Use apache mode.
--dns [dns-cf|dns-dp|dns-cx|/path/to/api/file] Use dns mode or dns api.
--keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
--accountkeylength, -ak [2048] Specifies the account key length.
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
root@v1:~/le# le issue --certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no --keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
--reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.
--accountconf Specifies a customized account config file.
--leworkingdir Specifies the home dir for le.sh
``` ```
Set the param value to "no" means you want to ignore it.
For example, if you give "no" to "key-length", it will use default length 2048.
And if you give 'no' to 'cert-file-path', it will not copy the issued cert to the "cert-file-path".
In all the cases, the issued cert will be placed in "~/.le/domain.com/"
# Just issue a cert: # Just issue a cert:
Example 1: Example 1:
Only one domain: Only one domain:
``` ```
le issue /home/wwwroot/aa.com aa.com le --issue -d aa.com -w /home/wwwroot/aa.com
``` ```
Example 2: Example 2:
Multiple domains in the same cert: Multiple domains in the same cert:
``` ```
le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com le --issue -d aa.com -d www.aa.com -d cp.aa.com -w /home/wwwroot/aa.com
``` ```
First argument `/home/wwwroot/aa.com` is the web root folder, You must have `write` access to this folder. The parameter `/home/wwwroot/aa.com` is the web root folder, You must have `write` access to this folder.
Second argument "aa.com" is the main domain you want to issue cert for. Second argument "aa.com" is the main domain you want to issue cert for.
You must have at least domain there.
Third argument is the additional domain list you want to use. Comma separated list, which is Optional.
You must point and bind all the domains to the same webroot dir:`/home/wwwroot/aa.com` You must point and bind all the domains to the same webroot dir:`/home/wwwroot/aa.com`
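Review bot: two unchanged README sentences in this hunk are now wrong for the `-d` syntax. "Second argument "aa.com" is the main domain you want to issue cert for." has no second argument to refer to any more (with the new commands the first `-d` is the main domain), and "You must point and bind all the domains to the same webroot dir" contradicts item 3 of this commit, which allows a separate `-w` per domain. The new help entry `--debug Output debug info.` also omits the level argument (`--debug 2`) that item 5 of the commit message introduces; document it there so users know a second level exists.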
@ -155,41 +152,60 @@ The cert will be placed in `~/.le/aa.com/`
The issued cert will be renewed every 80 days automatically. The issued cert will be renewed every 80 days automatically.
More examples: https://github.com/Neilpang/le/wiki/How-to-issue-a-cert
# Install issued cert to apache/nginx etc. # Install issued cert to apache/nginx etc.
After you issue a cert, you probably want to install the cert to you nginx/apache or other servers to use.
``` ```
le installcert aa.com /path/to/certfile/in/apache/nginx /path/to/keyfile/in/apache/nginx /path/to/ca/certfile/apache/nginx "service apache2|nginx reload" le --installcert -d aa.com \
--certpath /path/to/certfile/in/apache/nginx \
--keypath /path/to/keyfile/in/apache/nginx \
--capath /path/to/ca/certfile/apache/nginx \
--fullchainpath path/to/fullchain/certfile/apache/nginx \
--reloadcmd "service apache2|nginx reload"
``` ```
Only the domain is required, all the other parameters are optional.
Install the issued cert/key to the production apache or nginx path. Install the issued cert/key to the production apache or nginx path.
The cert will be renewed every 80 days by default (which is configurable), Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload` The cert will be renewed every 80 days by default (which is configurable), Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`
# Use Standalone server to issue cert (requires you be root/sudoer, or you have permission to listen tcp 80 port): # Use Standalone server to issue cert
(requires you be root/sudoer, or you have permission to listen tcp 80 port):
Same usage as all above, just give `no` as the webroot. Same usage as all above, just give `no` as the webroot.
The tcp `80` port must be free to listen, otherwise you will be prompted to free the `80` port and try again. The tcp `80` port must be free to listen, otherwise you will be prompted to free the `80` port and try again.
``` ```
le issue no aa.com www.aa.com,cp.aa.com le --issue --standalone -d aa.com -d www.aa.com -d cp.aa.com
``` ```
# Use Apache mode (requires you be root/sudoer, since it is required to interact with apache server): More examples: https://github.com/Neilpang/le/wiki/How-to-issue-a-cert
# Use Apache mode
(requires you be root/sudoer, since it is required to interact with apache server):
If you are running a web server, apache or nginx, it is recommended to use the Webroot mode. If you are running a web server, apache or nginx, it is recommended to use the Webroot mode.
Particularly, if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder. Particularly, if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder.
Just set string "apache" to the first argument, it will use apache plugin automatically. Just set string "apache" to the first argument, it will use apache plugin automatically.
``` ```
le issue apache aa.com www.aa.com,user.aa.com le --issue --apache -d aa.com -d www.aa.com -d user.aa.com
``` ```
All the other arguments are the same with previous.
More examples: https://github.com/Neilpang/le/wiki/How-to-issue-a-cert
# Use DNS mode: # Use DNS mode:
Support the latest dns-01 challenge. Support the dns-01 challenge.
``` ```
le issue dns aa.com www.aa.com,user.aa.com le --issue --dns -d aa.com -d www.aa.com -d user.aa.com
``` ```
You will get the output like bellow: You will get the output like bellow:
@ -208,7 +224,7 @@ Please add those txt records to the domains. Waiting for the dns to take effect.
Then just retry with 'renew' command: Then just retry with 'renew' command:
``` ```
le renew aa.com le --renew -d aa.com
``` ```
Ok, it's finished. Ok, it's finished.
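Review bot: the `--installcert` example's `--reloadcmd "service apache2|nginx reload"` reads as a pipeline if copied verbatim (`service apache2 | nginx reload`) rather than as a choice between two commands; use one concrete command as the help text does (`--reloadcmd "service nginx reload"`) or show two separate examples. Also `--fullchainpath path/to/fullchain/certfile/apache/nginx` is missing its leading `/`, unlike the other paths, and the unchanged sentences "Same usage as all above, just give no as the webroot." and "Just set string "apache" to the first argument" still describe the removed positional syntax, while the new commands beneath them use `--standalone` and `--apache`.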
@ -242,12 +258,12 @@ For example:
Single domain: Single domain:
``` ```
le issue /home/wwwroot/aa.com aa.com no ec-256 le --issue -w /home/wwwroot/aa.com -d aa.com --keylength ec-256
``` ```
SAN multiple domains: SAN multiple domains:
``` ```
le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com ec-256 le --issue -w /home/wwwroot/aa.com -d aa.com -d www.aa.com --keylength ec-256
``` ```
Please look at the last parameter above. Please look at the last parameter above.
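Review bot: the SAN example `le --issue -w /home/wwwroot/aa.com -d aa.com -d www.aa.com --keylength ec-256` drops `cp.aa.com`, which the old command `le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com ec-256` included; restore `-d cp.aa.com` unless the shorter list is intended. "Please look at the last parameter above." still holds, since `--keylength ec-256` remains the last parameter.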

File: [name not captured on this page]

@ -134,38 +134,8 @@ _cf_rest() {
_err "error $ep" _err "error $ep"
return 1 return 1
fi fi
_debug response "$response" _debug2 response "$response"
return 0 return 0
} }
_debug() {
if [ -z "$DEBUG" ] ; then
return
fi
if [ -z "$2" ] ; then
echo $1
else
echo "$1"="$2"
fi
}
_info() {
if [ -z "$2" ] ; then
echo "$1"
else
echo "$1"="$2"
fi
}
_err() {
if [ -z "$2" ] ; then
echo "$1" >&2
else
echo "$1"="$2" >&2
fi
}
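Review bot: the local `_debug`, `_info` and `_err` definitions are removed here while the file now calls `_debug2 response "$response"`, so this provider script only works when sourced by le.sh, which must supply all four helpers; le.sh's diff is suppressed on this page and the only `_debug2` definition visible in the commit is in the last file, so confirm le.sh defines it, otherwise the response-logging line fails with a command-not-found error at runtime. Moving the raw API response from `_debug` to `_debug2` is a sensible default: the body is only needed when diagnosing the provider call, and plain `--debug` output stays smaller.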

File: [name not captured on this page]

@ -194,7 +194,7 @@ _rest() {
_err "error $ep" _err "error $ep"
return 1 return 1
fi fi
_debug response "$response" _debug2 response "$response"
if ! printf "$response" | grep '"message":"success"' > /dev/null ; then if ! printf "$response" | grep '"message":"success"' > /dev/null ; then
return 1 return 1
fi fi
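Review bot: `printf "$response" | grep '"message":"success"'` passes the API response as the printf format string, so a `%` or `\` sequence in the body is interpreted instead of printed and the success check can misfire on an otherwise successful reply; use `printf '%s' "$response"` (or `echo "$response"`) so the body is treated as data. The line is context rather than part of this change, but it is the line that decides the return status of `_rest`.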
@ -202,33 +202,3 @@ _rest() {
} }
_debug() {
if [ -z "$DEBUG" ] ; then
return
fi
if [ -z "$2" ] ; then
echo $1
else
echo "$1"="$2"
fi
}
_info() {
if [ -z "$2" ] ; then
echo "$1"
else
echo "$1"="$2"
fi
}
_err() {
if [ -z "$2" ] ; then
echo "$1" >&2
else
echo "$1"="$2" >&2
fi
}
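Review bot: with the file-local `_debug`, `_info` and `_err` deleted, this script no longer defines any logging helper, including the `_debug2` it now calls above; it relies on being sourced after le.sh has defined them. Because le.sh's diff is suppressed on this page, that dependency cannot be checked here and should be verified in le.sh before merging.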

File: [name not captured on this page]

@ -182,7 +182,7 @@ _rest() {
if [ "$3" ] ; then if [ "$3" ] ; then
data="$3" data="$3"
_debug data "$data" _debug2 data "$data"
response="$(curl --silent -X $m "$url" -d $data)" response="$(curl --silent -X $m "$url" -d $data)"
else else
response="$(curl --silent -X $m "$url" )" response="$(curl --silent -X $m "$url" )"
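Review bot: `curl --silent -X $m "$url" -d $data` leaves `$data` unquoted, so a request body containing whitespace is split into several arguments and only the first fragment is sent as `-d`, the rest becoming extra curl arguments; quote it as `-d "$data"` (and `-X "$m"` for consistency). The `_debug2 data "$data"` line above it already quotes correctly, so only the curl call needs the fix.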
@ -192,38 +192,8 @@ _rest() {
_err "error $ep" _err "error $ep"
return 1 return 1
fi fi
_debug response "$response" _debug2 response "$response"
return 0 return 0
} }
_debug() {
if [ -z "$DEBUG" ] ; then
return
fi
if [ -z "$2" ] ; then
echo $1
else
echo "$1"="$2"
fi
}
_info() {
if [ -z "$2" ] ; then
echo "$1"
else
echo "$1"="$2"
fi
}
_err() {
if [ -z "$2" ] ; then
echo "$1" >&2
else
echo "$1"="$2" >&2
fi
}
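Review bot: same dependency as the other provider scripts: the local `_debug`, `_info` and `_err` are removed while `_debug2 response "$response"` is newly called, so this file now depends entirely on helpers defined in le.sh, whose diff is suppressed on this page; confirm `_debug2` exists there.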

File: [name not captured on this page]

@ -25,37 +25,38 @@ dns-myapi-add() {
#################### Private functions bellow ################################## #################### Private functions bellow ##################################
_debug() {
if [ -z "$DEBUG" ] ; then
return
fi
if [ -z "$2" ] ; then
echo $1
else
echo "$1"="$2"
fi
}
_info() { _info() {
if [ -z "$2" ] ; then if [[ -z "$2" ]] ; then
echo "$1" echo "[$(date)] $1"
else else
echo "$1"="$2" echo "[$(date)] $1"="'$2'"
fi fi
} }
_err() { _err() {
if [ -z "$2" ] ; then _info "$@" >&2
echo "$1" >&2 return 1
else }
echo "$1"="$2" >&2
_debug() {
if [[ -z "$DEBUG" ]] ; then
return
fi fi
_err "$@"
return 0
}
_debug2() {
if [[ "$DEBUG" -ge "2" ]] ; then
_debug "$@"
fi
return
} }
#################### Private functions bellow ##################################
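Review bot: the rewritten helpers switch from POSIX `[ ... ]` to bash's `[[ ... ]]` (`if [[ -z "$2" ]] ; then`, `if [[ "$DEBUG" -ge "2" ]] ; then`), which fails with a not-found error if le.sh is ever run under `sh`/dash; the old code and the other provider scripts in this commit use `[`, so keep `[` unless le.sh is bash-only by design. The new `_err` now returns 1 and the new `_debug` routes its output through `_err` (stderr, `[date]` prefix) before forcing `return 0`; that is consistent, but document that `_err` exits non-zero since callers that previously ignored its status may now see it.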

le.sh (810 changed lines)
File diff suppressed because it is too large