Skip to content
Let's Encrypt CLI to generate certificates
Ruby Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin
exe Bump to v0.3.1 with required opts and other tweaks Aug 9, 2018
lib
spec
.gitignore
.rspec
.rubocop.yml
.travis.yml
Gemfile
Gemfile.lock
LICENSE.txt
README.md
Rakefile
lecli.gemspec
lecli_diagram.png

README.md

lecli

lecli is a gem that provides a CLI to generate Let's Encrypt certificates. The name stands for Let's Encrypt CLI.

lecli wraps the lower level ACME protocol Client gem with the intention to create your custom Certbot. This would make it easier for you to automate/script around it. In order to achieve this, lecli pairs well with cron jobs and the recommended whenever gem.

Installation

$ gem install lecli

Getting started

The CLI will use the Let's Encrypt staging endpoint unless explicitly passed the --production flag. All other configuration data is managed by a config file - lecli.yml. To help understand the available options you can run the following in your terminal and a sample YAML file will be generated for you:

$ lecli yaml

Now let's see what's inside...

lecli.yml

---
domains:
- example.com
- test.net
- yetanotherwebsite.com
common_name: example.com
account_email: test@account.com
request_key: request.pem
certificate_key: certificate.pem
challenges_relative_path: challenges
success_callback_script: deploy.sh

Only required options in this file are domains (list of domains), common_name and account_email. All others can be deleted if you're OK with the defaults, all of which will be loaded for you except success_callback_script. If the callback script is not specified nothing will be executed after a successful certificate request.

The flow

From the two available types of validation requests only HTTP (and not DNS) is supported yet. This means you'll need to serve a token (lecli will create them for you) accessible from each domain in the list of domain addresses requested.

The tokens will be written to the challenges_relative_path and need to be served behind each domain you are requesting, i.e. example.com/.well-known/acme-challenge/#{token_filename} needs to return the token created. If requesting multiple domains at once you will probably need some additional setup to route from each domain requested to where the tokens are persisted.

An example of a simple deployment is when working with a single domain and lecli is executed on the host machine. If working with an nginx server you can just point the challenges path to write the tokens on /usr/share/nginx/html/.well-known/acme-challenge/. This way the tokens will be served so that Let's Encrypt is able to reach them.

alt text

After Let's Encrypt is able to access both tokens on the list of domain addresses requested the certificates can be issued. The resulting certificate will be identified by the email and under the common_name provided. The certificates (.pem files) can be renamed with request_key and certificate_key.

Optionally you can specify a script with success_callback_script to be executed. This script will function as a "callback hook" and it will run after successfully exporting the domains' certificate.

Now that you've read about lecli.yml options available (keywords in bold). If you've made sure to: (1) Customize the options config file to create the desired certificate, and (2) made sure the challenges_relative_path path is available for a public internet request, then you're now ready to kick off the validation process by executing the following on your terminal:

lecli generate

Making use of the result Certificates

A simple example nginx.conf excerpt to make use of the result certificates could be the following

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate       /etc/nginx/ssl/request.pem;
  ssl_certificate_key   /etc/nginx/ssl/certificate.pem;

  ...
}

You can script a server restart if needed, or any other setup that you require to make use of the newly created certificates. Just make sure to point the success_callback_script path in your config file (and make the script 'executable') so the CLI can automatically execute it if the request result was successful.

If you pair the CLI with a cron-job (specially using the whenever gem) you've essentially put together a Let's Encrypt bot and can now leverage scripting for more complex deployments. Your certificates will be renewed periodically. When using whenever you'll have lecli CLI in your crontab as easy as:

every :month, at: '4am' do
  command "lecli --production -f /path/to/config/file.yml"
end`

Be sure to run lecli help for more details.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bundle exec rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment. To install this gem onto your local machine, run bundle exec rake install.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/fdoxyz/lecli.

Please include tests if new features are added and make sure rubocop styling guide is met.

License

The gem is available as open source under the terms of the MIT License.

You can’t perform that action at this time.