renamed project to dehydrated and main script to dehydrated.sh
lukas2511 committed Sep 13, 2016
1 parent 992beec commit 64e35463cbbfc35ad1bf8537b60602707be2daaf
Showing 13 changed files with 49 additions and 43 deletions.
@@ -1,10 +1,14 @@
# Change Log
This file contains a log of major changes in letsencrypt.sh
This file contains a log of major changes in dehydrated.sh


leonklingele (Contributor) commented Sep 13, 2016:

Terrible decision imo.

## [x.x.x] - xxxx-xx-xx
## Changed
- ...

## [0.3.1] - 2016-09-13
## Changed
- Renamed project to `dehydrated` and main script to `dehydrated.sh`.

## [0.3.0] - 2016-09-07
## Changed
- Config is now named `config` instead of `config.sh`!
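Review bot: the 0.3.1 entry records only the rename, but this same commit also drops the old config search paths (load_config now looks in /etc/dehydrated.sh and /usr/local/etc/dehydrated.sh instead of /etc/letsencrypt.sh) and changes the default WELLKNOWN directory from /var/www/letsencrypt to /var/www/dehydrated; both silently break existing installs and belong in the Changed list, e.g. `- Default config locations and default WELLKNOWN directory renamed; move your config and update webserver aliases.` Also, the header line calls the project `dehydrated.sh` while the 0.3.1 entry says the project is `dehydrated` and only the script is `dehydrated.sh`; use the project name in the header.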
@@ -1,4 +1,6 @@
# letsencrypt.sh [![Build Status](https://travis-ci.org/lukas2511/letsencrypt.sh.svg?branch=master)](https://travis-ci.org/lukas2511/letsencrypt.sh)
# dehydrated.sh [![Build Status](https://travis-ci.org/lukas2511/dehydrated.svg?branch=master)](https://travis-ci.org/lukas2511/dehydrated)

![](docs/logo.jpg)

This is a client for signing certificates with an ACME-server (currently only provided by letsencrypt) implemented as a relatively simple bash-script.

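Review bot: the heading `# dehydrated.sh` names the script, not the project; the commit message and the CHANGELOG entry say the project is `dehydrated` and only the main script is `dehydrated.sh`, and the badge URLs on the same line already use the `dehydrated` repository name. Suggest `# dehydrated` so the README title matches the repository.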
@@ -28,7 +30,7 @@ If you have any problems take a look at our [Troubleshooting](docs/troubleshooti
## Usage:

```text
Usage: ./letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Usage: ./dehydrated.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Default command: help
@@ -1,7 +1,7 @@
#!/usr/bin/env bash

# letsencrypt.sh by lukas2511
# Source: https://github.com/lukas2511/letsencrypt.sh
# dehydrated.sh by lukas2511
# Source: https://github.com/lukas2511/dehydrated
#
# This script is licensed under The MIT License (see LICENSE for more information).

@@ -25,7 +25,7 @@ BASEDIR="${SCRIPTDIR}"
# Create (identifiable) temporary files
_mktemp() {
# shellcheck disable=SC2068
mktemp ${@:-} "${TMPDIR:-/tmp}/letsencrypt.sh-XXXXXX"
mktemp ${@:-} "${TMPDIR:-/tmp}/dehydrated.sh-XXXXXX"
}

# Check for script dependencies
@@ -94,7 +94,7 @@ verify_config() {
load_config() {
# Check for config in various locations
if [[ -z "${CONFIG:-}" ]]; then
for check_config in "/etc/letsencrypt.sh" "/usr/local/etc/letsencrypt.sh" "${PWD}" "${SCRIPTDIR}"; do
for check_config in "/etc/dehydrated.sh" "/usr/local/etc/dehydrated.sh" "${PWD}" "${SCRIPTDIR}"; do

leonklingele (Contributor) commented Sep 13, 2016:

Wow. Really? This will break every installation?

lukas2511 (Author, Member) commented Sep 13, 2016:

@leonklingele I totally agree with that, but I didn't have a choice. See b95b15c.

leonklingele (Contributor) commented via email Sep 13, 2016 (no comment text was rendered).

Rayne commented Sep 13, 2016:

Is it forbidden to be backwards compatible and test /etc/letsencrypt.sh and friends or do you prefer a clean cut?

Some ideas: You could also add a symbolic link or a letsencrypt.sh script with a big deprecation warning which forwards the arguments to dehydrated.

lukas2511 (Author, Member) commented Sep 13, 2016:

@Rayne I didn't want to keep the old name around in places. Yes, this will break some things now, but I'm hoping for package maintainers to work around this, and I hope that people who are pulling from master will figure it out themselves.

lukas2511 (Author, Member) commented Sep 13, 2016:

@leonklingele yes :(

if [[ -f "${check_config}/config" ]]; then
BASEDIR="${check_config}"
CONFIG="${check_config}/config"
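Review bot: the new search list `"/etc/dehydrated.sh" "/usr/local/etc/dehydrated.sh"` does not match what this same commit documents elsewhere: the example config header lists `/usr/local/etc/dehydrated/config` and `/etc/dehydrated/config`, and the hook-chain docs show `# INFO: Using main config file /etc/dehydrated/config`. As committed, a user who follows the docs and creates /etc/dehydrated/config gets no config found. Pick one spelling (the `.sh` suffix makes little sense for a directory now that the project is `dehydrated`) and apply it to both the loop and the docs. Since removing `/etc/letsencrypt.sh` from the loop breaks every packaged install, consider keeping the old path as a fallback with a one-line deprecation warning when it is the one that matches, as Rayne suggests in the thread.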
@@ -181,7 +181,7 @@ load_config() {

[[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
[[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/letsencrypt"
[[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/dehydrated"
[[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
[[ -n "${PARAM_NO_LOCK:-}" ]] && LOCKFILE=""

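Review bot: changing the default `WELLKNOWN` to `/var/www/dehydrated` is a silent failure mode for existing http-01 setups: a webserver alias that still points at /var/www/letsencrypt (the value the docs recommended before this commit) keeps serving the old directory while the script writes challenge tokens into the new one, so every validation fails until the operator notices. At minimum this needs a CHANGELOG entry; better, when `WELLKNOWN` is unset and /var/www/letsencrypt exists but /var/www/dehydrated does not, print a warning naming the new default before requesting challenges.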
@@ -246,7 +246,7 @@ init_system() {

# If we generated a new private key in the step above we have to register it with the acme-server
if [[ "${register_new_key}" = "yes" ]]; then
echo "+ Registering account key with letsencrypt..."
echo "+ Registering account key with ACME server..."
[[ ! -z "${CA_NEW_REG}" ]] || _exiterr "Certificate authority doesn't allow registrations."
# If an email for the contact has been provided then adding it to the registration request
FAILED=false
@@ -924,7 +924,7 @@ command_help() {
# Usage: --env (-e)
# Description: Output configuration variables for use in other scripts
command_env() {
echo "# letsencrypt.sh configuration"
echo "# dehydrated.sh configuration"
load_config
typeset -p CA LICENSE CERTDIR CHALLENGETYPE DOMAINS_D DOMAINS_TXT HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
}
@@ -19,4 +19,4 @@ Or when you do have a DNS API, pass the details accordingly to achieve the same

You can delete the TXT record when called with operation clean_challenge, when $2 is also the domain name.

Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)
Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)
@@ -1,6 +1,6 @@
### domains.txt

letsencrypt.sh uses the file `domains.txt` as configuration for which certificates should be requested.
dehydrated.sh uses the file `domains.txt` as configuration for which certificates should be requested.

The file should have the following format:

@@ -1,10 +1,10 @@
########################################################
# This is the main config file for letsencrypt.sh #
# This is the main config file for dehydrated.sh #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/letsencrypt.sh/config #
# /etc/letsencrypt.sh/config #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
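Review bot: the documented lookup locations `/usr/local/etc/dehydrated/config` and `/etc/dehydrated/config` disagree with load_config in this commit, which searches `/etc/dehydrated.sh` and `/usr/local/etc/dehydrated.sh`; one side has to change or the documented paths are never read. The list is also in a different order from the script (the loop checks /etc first, then /usr/local/etc, then ${PWD}, then $SCRIPTDIR), which matters when more than one config exists; list the locations in search order so the comment tells the reader which one wins.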
@@ -42,8 +42,8 @@
# Directory for account keys and registration information
#ACCOUNTDIR="${BASEDIR}/accounts"

# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/letsencrypt)
#WELLKNOWN="/var/www/letsencrypt"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
#WELLKNOWN="/var/www/dehydrated"

# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
@@ -9,7 +9,7 @@ See below for an example on how the calls change:

### HOOK_CHAIN="no" (default behaviour)
```
# INFO: Using main config file /etc/letsencrypt.sh/config
# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
@@ -31,13 +31,13 @@ HOOK: clean_challenge www.lukas.im blublublu blublublu.supersecure
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152442
HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152442
+ Done!
```

### HOOK_CHAIN="yes"
```
# INFO: Using main config file /etc/letsencrypt.sh/config
# INFO: Using main config file /etc/dehydrated/config
Processing lukas.im with alternative names: www.lukas.im
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
@@ -57,7 +57,7 @@ HOOK: clean_challenge lukas.im blablabla blablabla.supersecure www.lukas.im blub
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
HOOK: deploy_cert lukas.im /etc/letsencrypt.sh/certs/lukas.im/privkey.pem /etc/letsencrypt.sh/certs/lukas.im/cert.pem /etc/letsencrypt.sh/certs/lukas.im/fullchain.pem /etc/letsencrypt.sh/certs/lukas.im/chain.pem 1460152408
HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152408
+ Done!
```

@@ -1,3 +1,3 @@
# Import

If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/letsencrypt.sh/wiki/Import-from-official-letsencrypt-client).
If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/dehydrated/wiki/Import-from-official-letsencrypt-client).
BIN +46.5 KB docs/logo.jpg
@@ -1,6 +1,6 @@
# Config on per-certificate base

letsencrypt.sh allows a few configuration variables to be set on a per-certificate base.
dehydrated.sh allows a few configuration variables to be set on a per-certificate base.

To use this feature create a `config` file in the certificates output directory (e.g. `certs/example.org/config`).

@@ -6,7 +6,7 @@ Generally if the following information doesn't provide a solution to your proble

You probably changed from staging-CA to production-CA (or the other way).

Currently letsencrypt.sh doesn't detect a missing registration on the selected CA,
Currently dehydrated.sh doesn't detect a missing registration on the selected CA,
the current workaround is to move `private_key.pem` (and, if you care, `private_key.json`) out of the way so the scripts generates and registers a new one.

This will hopefully be fixed in the future.
@@ -19,13 +19,13 @@ LICENSE1 and LICENSE2 are just placeholders for the real values in this troubles

## "Error creating new cert :: Too many certificates already issued for: [...]"

This is not an issue with letsencrypt.sh but an API limit with letsencrypt.
This is not an issue with dehydrated.sh but an API limit with boulder (the ACME server).

At the time of writing this you can only create 5 certificates per domain in a sliding window of 7 days.

## "Certificate request has 123 names, maximum is 100."

This also is an API limit from letsencrypt, you are requesting to sign a certificate with way too many domains.
This also is an API limit from boulder, you are requesting to sign a certificate with way too many domains.

## Invalid challenges

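Review bot: the figures that follow (5 certificates per domain in a 7-day window, 100 names per certificate) are the rate-limit policy of Let's Encrypt's deployment, not limits built into boulder, which lets the operator configure them; another CA running boulder can use different values. Since the wording was just generalised from `letsencrypt` to `boulder (the ACME server)`, say `Let's Encrypt's ACME server (boulder)` here so the numbers are not read as universal.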
@@ -5,15 +5,15 @@ It will do that for any (sub-)domain you want to sign a certificate for.

At the moment you'll need to have that location available over normal HTTP on port 80 (redirect to HTTPS will work, but starting point is always HTTP!).

letsencrypt.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
dehydrated.sh has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.

If you only have one docroot on your server you could easily do something like `WELLKNOWN=/var/www/.well-known/acme-challenge`, for anything else look at the example below.

## Example Usage

If you have more than one docroot (or you are using your server as a reverse proxy / load balancer) the simple configuration mentioned above wouldn't work, but with just a few lines of webserver configuration this can be solved.

An example would be to create a directory `/var/www/letsencrypt` and set `WELLKNOWN=/var/www/letsencrypt` in the scripts config.
An example would be to create a directory `/var/www/dehydrated` and set `WELLKNOWN=/var/www/dehydrated` in the scripts config.

You'll need to configure aliases on your Webserver:

@@ -25,7 +25,7 @@ With Nginx you'll need to add this to any of your `server`/VHost config blocks:
server {
[...]
location /.well-known/acme-challenge {
alias /var/www/letsencrypt;
alias /var/www/dehydrated;
}
[...]
}
@@ -36,9 +36,9 @@ server {
With Apache just add this to your config and it should work in any VHost:

```apache
Alias /.well-known/acme-challenge /var/www/letsencrypt
Alias /.well-known/acme-challenge /var/www/dehydrated
<Directory /var/www/letsencrypt>
<Directory /var/www/dehydrated>
Options None
AllowOverride None
@@ -63,6 +63,6 @@ With Lighttpd just add this to your config and it should work in any VHost:
modules += "alias"
alias.url += (
"/.well-known/acme-challenge/" => "/var/www/letsencrypt/"
"/.well-known/acme-challenge/" => "/var/www/dehydrated/"
)
```
22 test.sh
@@ -84,7 +84,7 @@ TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':'
TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
echo "Couldn't get an url from ngrok, not a dehydrated.sh bug, tests can't continue."
exit 1
fi

@@ -104,23 +104,23 @@ touch domains.txt

# Check if help command is working
_TEST "Checking if help command is working..."
./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Default command: help"
_CHECK_LOG "--help (-h)"
_CHECK_LOG "--domain (-d) domain.tld"
_CHECK_ERRORLOG

# Run in cron mode with empty domains.txt (should only generate private key and exit)
_TEST "First run in cron mode, checking if private key is generated and registered"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Registering account key"
_CHECK_FILE accounts/*/account_key.pem
_CHECK_ERRORLOG

# Temporarily move config out of the way and try signing certificate by using temporary config location
_TEST "Try signing using temporary config location and with domain as command line parameter"
mv config tmp_config
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
@@ -133,7 +133,7 @@ mv tmp_config config

# Add third domain to command-lime, should force renewal.
_TEST "Run in cron mode again, this time adding third domain, should force renewal."
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Domain name(s) are not matching!"
_CHECK_LOG "Forcing renew."
_CHECK_LOG "Generating private key"
@@ -151,7 +151,7 @@ echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt

# Run in cron mode again (should find a non-expiring certificate and do nothing)
_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Skipping renew"
_CHECK_ERRORLOG
@@ -161,7 +161,7 @@ echo 'PRIVATE_KEY_RENEW="no"' >> config

# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Ignoring because renew was forced!"
_CHECK_NOT_LOG "Generating private key"
@@ -175,15 +175,15 @@ _CHECK_ERRORLOG

# Check if signcsr command is working
_TEST "Running signcsr command"
./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "BEGIN CERTIFICATE"
_CHECK_LOG "END CERTIFICATE"
_CHECK_NOT_LOG "ERROR"

# Check if renewal works
_TEST "Run in cron mode again, to check if renewal works"
echo 'RENEW_DAYS="300"' >> config
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Renewing!"
_CHECK_ERRORLOG
@@ -202,7 +202,7 @@ _CHECK_ERRORLOG

# Revoke certificate using certificate key
_TEST "Revoking certificate..."
./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
_CHECK_LOG "Done."
@@ -211,7 +211,7 @@ _CHECK_ERRORLOG

# Test cleanup command
_TEST "Cleaning up certificates"
./letsencrypt.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
./dehydrated.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
