Let's Encrypt ACME protocol

This is a simple Haskell script to obtain a certificate from Let's Encrypt using their ACME protocol.

• The main source of information to write this was https://github.com/diafygi/letsencrypt-nosudo

• The ACME spec: https://letsencrypt.github.io/acme-spec/

There is a more featureful fork of thisrepository at afcady/acme.

Discover the URL for letsencrypt ACME endpoints

API endpoints are listed at https://acme-v01.api.letsencrypt.org/directory and are currently hard-coded in the script.

> curl -s https://acme-v01.api.letsencrypt.org/directory | json_pp
{
   "new-cert" : "https://acme-v01.api.letsencrypt.org/acme/new-cert",
   "new-authz" : "https://acme-v01.api.letsencrypt.org/acme/new-authz",
   "revoke-cert" : "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
   "new-reg" : "https://acme-v01.api.letsencrypt.org/acme/new-reg"
}

Generate user account keys

You need an account with Let's Encrypt to ask and receive certificates for your domains. The account is controlled by a public/private key pair:

openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub

Create user account

Generate registration.body by using the acme.hs script then POST it to letsencrypt (note it assumes you agree to their subscriber agreement):

> curl -s -X POST --data-binary "@<domain>/registration.body" \
  https://acme-v01.api.letsencrypt.org/acme/new-reg | json_pp
{
   "agreement" : "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf",
   "contact" : [
      "mailto:noteed@gmail.com"
   ],
   "key" : {
      "e" : "...",
      "kty" : "RSA",
      "n" : "..."
   },
   "id" : 36009,
   "createdAt" : "2015-12-04T14:22:08.321951547Z",
   "initialIp" : "80.236.245.73"
}

Request a challenge

Let's Encrypt needs a proof that you control the claimed domain. You can request a challenge with challenge-request.body.

> curl -s -X POST --data-binary "@<domain>/challenge-request.body" \
  https://acme-v01.api.letsencrypt.org/acme/new-authz | json_pp
{
   "expires" : "2015-12-21T18:44:52.331487674Z",
   "challenges" : [
      {
         "status" : "pending",
         "uri" : "https://acme-v01.api.letsencrypt.org/acme/challenge/vXZ1UnZ-y1q7sntnf6NdOfbPAwetJFBqOtvp7FHCjaU/1844047",
         "type" : "tls-sni-01",
         "token" : "oielAbB7MdyCl29mqjzlqGdrCQSB8SyJaxHbAgQBA7Q"
      },
      {
         "uri" : "https://acme-v01.api.letsencrypt.org/acme/challenge/vXZ1UnZ-y1q7sntnf6NdOfbPAwetJFBqOtvp7FHCjaU/1844048",
         "status" : "pending",
         "type" : "http-01",
         "token" : "DjyJpI3HVWAmsAwMT5ZFpW8dj19cel6ml6qaBUeGpCg"
      }
   ],
   "identifier" : {
      "type" : "dns",
      "value" : "aaa.reesd.com"
   },
   "combinations" : [
      [
         0
      ],
      [
         1
      ]
   ],
   "status" : "pending"
}

The script assumes you'll answer the challenge by hosting a file at a location chosen by Let's Encrypt. Extract the token for the http-01 challenge and run the script again. Now you have to host the file at the location reported by the script.

Once this is done, you can ask Let's Encrypt to check the file.

> curl -s -X POST --data-binary "@<domain>/challenge-response.body" \
  https://acme-v01.api.letsencrypt.org/acme/challenge/vXZ1UnZ-y1q7sntnf6NdOfbPAwetJFBqOtvp7FHCjaU/1844048 | json_pp
{
   "token" : "DjyJpI3HVWAmsAwMT5ZFpW8dj19cel6ml6qaBUeGpCg",
   "keyAuthorization" : "DjyJpI3HVWAmsAwMT5ZFpW8dj19cel6ml6qaBUeGpCg.EJe0KReqzCUq6leNOerMC9naZSHxP9TJzGxCcsGkNrw",
   "type" : "http-01",
   "uri" : "https://acme-v01.api.letsencrypt.org/acme/challenge/vXZ1UnZ-y1q7sntnf6NdOfbPAwetJFBqOtvp7FHCjaU/1844048",
   "status" : "pending"
}

The same URL can then be polled until the status becomes valid.

Send CSR / Receive certificate

The CSR is created with:

> ./generate-csr.sh example.com

And the signed certificate can be obtained from Let's Encrypt:

> curl -s -X POST --data-binary "@<domain>/csr-request.body" \
  https://acme-v01.api.letsencrypt.org/acme/new-cert > <domain>/cert.der

Create a certificate for HAProxy

Including explicit DH key exchange parameters to prevent Logjam attack (https://weakdh.org/). See the script below.

> openssl x509 -inform der -in aaa.reesd.com.cert.der \
    -out aaa.reesd.com.cert.pem
> openssl dhparam -out aaa.reesd.com-dhparams.pem 2048
> cat aaa.reesd.com.cert.pem \
    lets-encrypt-x1-cross-signed.pem \
    aaa.reesd.com.key \
    aaa.reesd.com-dhparams.pem > aaa.reesd.com-combined.pem

Using the script acme.hs

The example assumes you want to get a certificate for aaa.example.com.

The first step is to ensure you can serve files at http://aaa.example.com/.well-known/acme-challenge/. To do so create a local directory called aaa.example.com containing a script called serve.sh. The script content is up to you and will be called by acme.hs to upload files to be server at the abore URL. A possible content could be:

> cat aaa.exampe.com/serve.sh
#! /bin/bash

scp $1 aaa.example.com:acme/static/.well-known/acme-challenge/$2

Second step is to generate a server private key and a CSR:

> ./generate-csr.sh aaa.example.com

Third step to is to actually using acme.hs:

> ./acme aaa.example.com

Fourth step is to use the certificate. For HAproxy, a script is given to help generate the appropriate file:

> ./generate-haproxy-cert.sh aaa.example.com