ACME protocol client for SSL certificates
CoffeeScript JavaScript
Latest commit 574bd4a Dec 23, 2015 themadcreator Update version to 0.2.4
Permalink
Failed to load latest commit information.
bin
certs Update readme and slightly change logging output. Dec 22, 2015
src
.gitignore
LICENSE
README.md Update readme and slightly change logging output. Dec 22, 2015
package.json Update version to 0.2.4 Dec 22, 2015

README.md

acme-express

Automatic Certificate Management Environment (ACME) protocol client for acquiring free SSL certificates.

Letsencrypt.org is a gratis, open source community sponsored service that implements the ACME protocol. This script will allow you to create a signed SSL certificate, suitable to secure your server with HTTPS, using letsencrypt.org or any other certificate authority that supports the ACME protocol.

Installation

  npm install -g acme-express

CLI

  Usage: acme-express --account account.pem --csr csr.der --domain ${DOMAIN} --ca letsencrypt-beta

  Options:

    -h, --help                                           output usage information
    --account <account.pem>                              Account private key PEM file
    --csr <csr.der>                                      Certificate Signing Request file in DER encoding
    --dom <domain>                                       The domain for which we are requesting a certificate. e.g. "mydomain.org"
    --ca <URL|"letsencrypt-beta"|"letsencrypt-staging">  Certificate authority URL running ACME protocol. Default "letsencrypt-staging"
    --agreement <URL|"letsencrypt-1.0.1">                The certificate agreement URL. Default "letsencrypt-1.0.1"
    --log <debug|info|warn|error>                        Set the log level (logs always use STDERR). Default "info"
    --cross-signed                                       Print letsencrypt.org's cross-signed x1 cert to STDOUT

How to Use

  1. Register a domain and point your DNS at your server.
  2. From that server, use this script to verify that you control the domain and acquire a signed certficate.

Sign a Cert

  # Set your domain
  DOMAIN=mydomain.org

  # Create domain key and DER encoded Certificate Signing request
  openssl genrsa 4096 > domain.pem
  openssl req -new -sha256 -key domain.pem -subj "/CN=${DOMAIN}" -outform DER > csr.der

  # Create account key and get letsencrypt.org to sign your cert
  openssl genrsa 4096 > account.pem
  sudo acme-express --account account.pem --csr csr.der --dom "${DOMAIN}" --ca letsencrypt-beta > ${DOMAIN}.pem

  # (Optional) Examine your new certificate
  openssl x509 -in ${DOMAIN}.pem -text

Why Sudo?

To verify ownership of the domain, we use the simple HTTP challenge/response method. This script will briefly host a Node.js HTTP server on port 80 (which requires admin access). The challenge token is served at the well-defined challenge/response URL so that the certificate authority can request it.

See the "challengeResponse" method in src/acme-protocol.coffee

Create an HTTPS Server

Here is an example Node.js express server using a certificate produced by this script:

  let fs      = require('fs');
  let http    = require('http');
  let https   = require('https');
  let express = require('express');
  let app     = express();
  let domain  = 'mydomain.org';

  // Load the HTTPS credentials
  let credentials = {
    key  : fs.readFileSync('domain.pem'),
    cert : fs.readFileSync(domain + '.pem'),

    // If you want to get an 'A' on your ssllabs report card, you need to
    // include the cross-signed cert from letsencrypt.org. Download it
    // directly from letsencrypt.org at the following URL:
    //   https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
    ca   : [fs.readFileSync('lets-encrypt-x1-cross-signed.pem')]
  }

  // Create an HTTPS server with your express app
  https.createServer(credentials, app).listen(443, function() {
    console.log('Listening on HTTPS');
  });

  // (Optional) Create a simple server to redirect all HTTP traffic to HTTPS
  http.createServer(function (req, res) {
    let code = (req.method === 'POST') ? 307 : 302;
    res.writeHead(code, {'Location' : 'https://' + domain + req.url});
    res.end();
  }).listen(80, function() {
    console.log('Redirecting HTTP to HTTPS');
  });