Allow letsencrypt client to pass the web root path on cmd for creation of SimplyHTTP/ACME challenge file #742

Closed
centminmod opened this issue Sep 1, 2015 · 16 comments

Comments

@centminmod

Related to https://community.letsencrypt.org/t/manual-authenticator-way-to-automate-the-acme-challenge-file-creation/583

Passing the webroot via the command line would help for those sites that have non-standard web roots, i.e. frameworks like Laravel and node.js web apps would likely have their /path/to/projectname/public as their web root. WHM/Cpanel, Directadmin, Webmin etc. all would have their own web root paths.

If you can pass this as a variable in Letsencrypt client, it will probably be easier for respective control panels and distros to come up with their own integration methods?

@jdkasten
Contributor

jdkasten commented Sep 1, 2015

Is the existing --server-root not sufficient?

@centminmod
Author

I don't see that option, only --nginx-server-root, which for me would be /usr/local/nginx, but my vhost web roots are in the format /home/nginx/domains/domain.com/public

 ./venv/bin/letsencrypt --help nginx
usage: 
  letsencrypt [SUBCOMMAND] [options] [domains]

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert.  

positional arguments:
  SUBCOMMAND
    run                 Obtain a certificate and install.
    auth                Authenticate & obtain cert, but do not install it.
    install             Install a previously obtained cert in a server.
    revoke              Revoke a previously obtained certificate.
    rollback            Rollback server configuration changes made during
                        install.
    config_changes      Show changes made to server config during installation
    plugins             List server software plugins.

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path (default: None)

nginx:
  Nginx Web Server

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and
                        retrieving nginx version number. (default: nginx)

@kuba
Contributor

kuba commented Sep 1, 2015

It doesn't matter where your webroot is. Certificates and keys are never copied to your public_html! Let's Encrypt doesn't care what you have in your public_html. Certificates and keys are copied (or symlinked) to the configuration directory, which you should specify using --nginx-server-root.

@kuba
Contributor

kuba commented Sep 1, 2015

Ah, you want to specify the directory where SimplyHTTP challenge response files should be written (aka automatic execution of the manual plugin, without executing Python's builtin webserver)...

Please update the title of this ticket to make this more clear.

@centminmod centminmod changed the title Allow letsencrypt client to pass the web root path on command line for non-standard server configs Allow letsencrypt client to pass the web root path on cmd for creation of ACME challenge file Sep 1, 2015
@centminmod centminmod changed the title Allow letsencrypt client to pass the web root path on cmd for creation of ACME challenge file Allow letsencrypt client to pass the web root path on cmd for creation of SimplyHTTP/ACME challenge file Sep 1, 2015
@centminmod
Author

ok changed the title.. yup @kuba for creation of the well-known uris for verification :)

right now I have to manually do it via

cd /home/nginx/domains/le1.http2ssl.xyz/public
mkdir -p .well-known/acme-challenge
echo -n '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "vnWsLw

where /home/nginx/domains/le1.http2ssl.xyz/public is my web root path

being able to do it on cmd line

./venv/bin/letsencrypt -d domain.com -webroot /home/nginx/domains/domain.com/public auth

with auto creation of the .well-known file would bring manual authentication one step closer to automation that can be scripted by end user
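
The manual steps in the comment above (create `.well-known/acme-challenge` under the web root, then write the challenge file), scripted as an added example; it is not part of the original thread or of the letsencrypt client. `write_challenge` and `remove_challenge` are hypothetical helper names, the base64url token character set is an assumption, and the response body is treated as an opaque string supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example; write_challenge/remove_challenge are hypothetical helper names.
# write_challenge WEBROOT TOKEN CONTENT -> prints the path written, non-zero on refusal.
write_challenge() {
    local webroot="$1" token="$2" content="$3" dir tmp
    # The token becomes a file name. Assumption: tokens are base64url, so anything
    # else (empty, "../x", "a/b") is refused and cannot leave the challenge directory.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token: $token" >&2; return 1 ;;
    esac
    # The web root must already exist as a real directory, not a symlink.
    if [ ! -d "$webroot" ] || [ -L "$webroot" ]; then
        echo "bad web root: $webroot" >&2; return 1
    fi
    dir="$webroot/.well-known/acme-challenge"
    # This typically runs as root inside a directory the site owner can write to,
    # so refuse pre-planted symlinks instead of following them.
    if [ -L "$webroot/.well-known" ] || [ -L "$dir" ]; then
        echo "symlink in challenge path under $webroot" >&2; return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 755 "$webroot/.well-known" "$dir" || return 1
    # Write to a temp file and rename, so a partial response is never served.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    if printf '%s' "$content" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dir/$token"; then
        printf '%s\n' "$dir/$token"
    else
        rm -f "$tmp"; return 1
    fi
}

# remove_challenge WEBROOT TOKEN -> delete the file after validation, prune empty dirs.
remove_challenge() {
    local webroot="$1" token="$2"
    case $token in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    rm -f "$webroot/.well-known/acme-challenge/$token"
    rmdir "$webroot/.well-known/acme-challenge" "$webroot/.well-known" 2>/dev/null || true
}

# Constructed demo: a temp dir stands in for the vhost's public/ directory.
demo_root=$(mktemp -d)
write_challenge "$demo_root" "constructed-token_123" "constructed-response-body"
write_challenge "$demo_root" "../escape" "x" || echo "traversal-style token rejected"
remove_challenge "$demo_root" "constructed-token_123"
rm -rf "$demo_root"
```

If the vhost has a rule denying requests for dot-directories, `.well-known/acme-challenge/` needs an explicit allow for the validation request to succeed.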

@kuba
Contributor

kuba commented Sep 1, 2015

Mind, you can always stop your current web server and use fully automated standalone plugin...

@centminmod
Author

Yeah unfortunately that would be a problem for other non-443 port sites running on the server. The aim is to integrate Letsencrypt into my LEMP stack's Nginx vhost auto generation routine which currently auto creates the nginx vhost for http and https (self-signed ssl) so hoping it can do that fully from command line for invoking letsencrypt client as I already have the fully running Nginx vhost for https/443 running and setup.

Unfortunately, I am not a python programmer so can't do that myself for adding public web root command line support. Not sure if it's as simple as making the expected Ubuntu Apache/Nginx public web root a variable that changes depending on what's passed to the cmd line flag for web root ? If no web root flag is passed it defaults to expected Ubuntu Apache/Nginx public web roots

kuba added a commit to kuba/letsencrypt that referenced this issue Sep 2, 2015
@kuba
Contributor

kuba commented Sep 2, 2015

I quickly created a plugin that should suit your needs, @centminmod. It's not ready to be sent as a PR yet, but you can still check it out... Just git clone -b simplefs https://github.com/kuba/letsencrypt instead of git clone https://github.com/letsencrypt/letsencrypt and follow the normal instructions from http://letsencrypt.readthedocs.org/en/latest/using.html. Then run letsencrypt -a simplefs --simplefs-root /your/public_html auth and voila!

@centminmod
Author

sweet @kuba thanks so much.. will doing this override and wipe the existing /etc/letsencrypt files/config and obtained ssl certs ?

@kuba
Contributor

kuba commented Sep 4, 2015

No, it will not wipe the config files.

I'm a bit concerned about why you ask, though. Currently issued certificates do not have much value... (https://github.com/letsencrypt/letsencrypt#disclaimer)

@centminmod
Author

Cheers @kuba the question is thinking forward for when you do go live :) Pretty sure some folks like myself would run into such a situation if living on bleeding edge :)

@centminmod
Author

Okay tried it and it works nicely with command

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public -d le4.http2ssl.xyz auth

but if I try to skip the prompts and just text I with

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --agree-eula true --agree-tos true -d le4.http2ssl.xyz auth

I get

/root/tools/letsencrypt/venv/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
  DeprecationWarning
usage: 
  letsencrypt [SUBCOMMAND] [options] [domains]

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert.  
letsencrypt: error: argument SUBCOMMAND: invalid choice: 'true' (choose from 'rollback', 'auth', 'run', 'install', 'plugins', 'revoke', 'config_changes')

@centminmod
Author

this works though

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text  -d le4.http2ssl.xyz auth    

output

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text  -d le4.http2ssl.xyz auth                                  
/root/tools/letsencrypt/venv/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
  DeprecationWarning

-------------------------------------------------------------------------------
This is a PREVIEW RELEASE of a client application for the Let's Encrypt
certificate authority and other services using the ACME protocol. The Let's
Encrypt certificate authority is NOT YET ISSUING CERTIFICATES TO THE PUBLIC.

Until publicly-trusted certificates can be issued by Let's Encrypt, this
software CANNOT OBTAIN A PUBLICLY-TRUSTED CERTIFICATE FOR YOUR WEB SERVER.  You
should only use this program if you are a developer interested in experimenting
with the ACME protocol or in helping to improve this software.  If you want to
configure your web site with HTTPS in the meantime, please obtain a certificate
from a different authority.

For updates on the status of Let's Encrypt, please visit the Let's Encrypt home
page at https://letsencrypt.org/.
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

IMPORTANT NOTES:
 - Automatic renewal and deployment has been enabled for your
   certificate. These settings can be configured in the directories
   under /etc/letsencrypt/configs.

is there a way to pass the Agree on command line ?

thanks

@centminmod
Author

okay figured it out !

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth 

perfect @kuba your work has taken care of automating non-standard Ubuntu Apache/Nginx setups provided they already have the ssl vhost and web root for their respective domains set up prior!

ls -lah /etc/letsencrypt/live/
total 28K
drwx------ 7 root root 4.0K Sep  4 08:10 .
drwxr-xr-x 8 root root 4.0K Aug 29 07:52 ..
drwxr-xr-x 2 root root 4.0K Aug 29 07:52 le1.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Aug 30 08:07 le2.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 07:53 le3.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 08:07 le4.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 08:10 le4.http2ssl.xyz-0001

ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz
total 8.0K
drwxr-xr-x 2 root root 4.0K Sep  4 08:07 .
drwx------ 7 root root 4.0K Sep  4 08:10 ..
lrwxrwxrwx 1 root root   40 Sep  4 08:07 cert.pem -> ../../archive/le4.http2ssl.xyz/cert1.pem
lrwxrwxrwx 1 root root   41 Sep  4 08:07 chain.pem -> ../../archive/le4.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root   45 Sep  4 08:07 fullchain.pem -> ../../archive/le4.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root   43 Sep  4 08:07 privkey.pem -> ../../archive/le4.http2ssl.xyz/privkey1.pem

ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz-0001/
total 8.0K
drwxr-xr-x 2 root root 4.0K Sep  4 08:10 .
drwx------ 7 root root 4.0K Sep  4 08:10 ..
lrwxrwxrwx 1 root root   45 Sep  4 08:10 cert.pem -> ../../archive/le4.http2ssl.xyz-0001/cert1.pem
lrwxrwxrwx 1 root root   46 Sep  4 08:10 chain.pem -> ../../archive/le4.http2ssl.xyz-0001/chain1.pem
lrwxrwxrwx 1 root root   50 Sep  4 08:10 fullchain.pem -> ../../archive/le4.http2ssl.xyz-0001/fullchain1.pem
lrwxrwxrwx 1 root root   48 Sep  4 08:10 privkey.pem -> ../../archive/le4.http2ssl.xyz-0001/privkey1.pem

@kuba
Contributor

kuba commented Sep 4, 2015 via email

@centminmod
Author

@kuba oh sorry, thought feedback on your plugin by an end user would be on topic :)

cheers
