From c099c2546dff7c6f5ae0c89400f3d0869b0134bb Mon Sep 17 00:00:00 2001 From: srvrco Date: Fri, 29 Jan 2016 13:52:56 +0000 Subject: [PATCH] added option for eliptic curve keys (v0.16) --- README.md | 83 +++++++++++++++++++++++++++++++------------------------ getssl | 20 ++++++++++---- 2 files changed, 62 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index a5b4a59..a915e5b 100644 --- a/README.md +++ b/README.md @@ -3,18 +3,19 @@ get an SSL certificate via LetsEncrypt. Suitable for automating the process in This was written as an addition to checkssl for servers to automatically renew certifictes. In addition it allows the running of this script in standard bash ( on a desktop computer, or even virtualbox) and add the checks, and certificates to a remote server ( providing you have an ssh key on the remote server with access). Potentially I can include FTP as an option for uploading as well. - getssl ver. 0.10 - To obtain a letsencrypt SSL cert - - Usage: getssl [-h|--help] [-d|--debug] [-c] [-w working_dir] domain +``` +getssl ver. 0.16 +Obtain SSL certificates from the letsencrypt.org ACME server - Options: - -h, --help Display this help message and exit. - -d, --debug outputs debug information - -c, Create default config files - -w working_dir working directory - Where 'working_dir' is the Working Directory. +Usage: getssl [-h|--help] [-d|--debug] [-c] [-a|--all] [-w working_dir] domain +Options: + -h, --help Display this help message and exit + -d, --debug Outputs debug information + -c, Create default config files + -a, --all Renew all certificates + -w working_dir Working directory +``` ## Structure 
@@ -23,35 +24,40 @@ The design aim was to provide flexibility in running the code. The default work Within the **working directory** is a config file, getssl.cfg which is a simple bash file containing variables, an example of which is ``` -# uncomment and modify any variables you need -# The staging server is best for testing +# Uncomment and modify any variables you need +# The staging server is best for testing (hence set as default) CA="https://acme-staging.api.letsencrypt.org" # This server issues full certificates, however has rate limits #CA="https://acme-v01.api.letsencrypt.org" AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" -#set an email address associated with your account -ACCOUNT_EMAIL="me@example.com" +# Set an email address associated with your account - generally set at account level rather than domain. +#ACCOUNT_EMAIL="me@example.com" ACCOUNT_KEY_LENGTH=4096 +ACCOUNT_KEY="/home/andy/.getssl/account.key" -#The default directory for all your certs to be stored within ( in subdirectories by domain name ) -WORKING_DIR=~/.getssl - -# the command needed to reload apache / gninx or whatever you use +# The command needed to reload apache / nginx or whatever you use #RELOAD_CMD="" -#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. +# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. RENEW_ALLOW="30" -#Use the following 3 variables if you want to validate via DNS + +# openssl config file. The default should work in most cases. 
+SSLCONF="/usr/lib/ssl/openssl.cnf" + +# Use the following 3 variables if you want to validate via DNS #VALIDATE_VIA_DNS="true" #DNS_ADD_COMMAND= #DNS_DEL_COMMAND= +# If your DNS-server needs extra time to make sure your DNS changes are readable by the ACME-server (time in seconds) +#DNS_EXTRA_WAIT=60 + ``` then, within the **working directory** there will be a folder for each certificate (based on it's domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is; ``` -# uncomment and modify any variables you need +# Uncomment and modify any variables you need # The staging server is best for testing #CA="https://acme-staging.api.letsencrypt.org" # This server issues full certificates, however has rate limits 
@@ -59,32 +65,37 @@ then, within the **working directory** there will be a folder for each certifica #AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" -#set an email address associated with your account - generally set at account level rather than domain. +# Set an email address associated with your account - generally set at account level rather than domain. #ACCOUNT_EMAIL="me@example.com" #ACCOUNT_KEY_LENGTH=4096 +#ACCOUNT_KEY="/home/andy/.getssl/account.key" -# additional domains - this could be multiple domains / subdomains in a comma separated list -SANS=www.testdomain.com +# Additional domains - this could be multiple domains / subdomains in a comma separated list +SANS=www.example.org,example.edu,example.net,example.org,www.example.com,www.example.edu,www.example.net -#Acme Challenge Location. The first line for the domain, the following ones for each additional domain -#if these start with ssh: then the next variable is assumed to be the hostname and the rest the location. -#an ssh key will be needed to provide you with access to the remote server. -#ACL=('/var/www/testdomain.com/web/.well-known/acme-challenge' -# 'ssh:server5:/var/www/testdomain.com/web/.well-known/acme-challenge') +# Acme Challenge Location. The first line for the domain, the following ones for each additional domain. +# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location. +# An ssh key will be needed to provide you with access to the remote server. 
+#ACL=('/var/www/example.com/web/.well-known/acme-challenge' +# 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge') -# location for all your certs these can either be on the server ( so full path name) or using ssh as for the ACL +# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL #DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt" #DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key" #CA_CERT_LOCATION="/etc/ssl/chain.crt" -#DOMAIN_PEM_LOCATION="/etc/ssl/domain-bundle.pem" -# the command needed to reload apache / gninx or whatever you use -#RELOAD_CMD="ssh:server5:service apache2 reload" -#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. +#DOMAIN_PEM_LOCATION="" + +# The command needed to reload apache / nginx or whatever you use +#RELOAD_CMD="" +# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. #RENEW_ALLOW="30" -#Use the following 3 variables if you want to validate via DNS -#VALIDATE_VIA_DNS=\"true\" + +# Use the following 3 variables if you want to validate via DNS +#VALIDATE_VIA_DNS="true" #DNS_ADD_COMMAND= #DNS_DEL_COMMAND= +# If your DNS-server needs extra time to make sure your DNS changes are readable by the ACME-server (time in seconds) +#DNS_EXTRA_WAIT=60 ``` if a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path. diff --git a/getssl b/getssl index f59fc55..558c487 100755 --- a/getssl +++ b/getssl 
@@ -31,10 +31,11 @@
 # 2016-01-28 changed DNS checks to use nslookup and allow hyphen in domain names (v0.13)
 # 2016-01-29 Fix ssh-reload-command, extra waiting for DNS-challenge, add some error_exit and cleanup help message (v0.14)
 # 2016-01-29 added -a|--all option to renew all configured certificates (v0.15)
+# 2016-01-29 added option for eliptic curve keys (v0.16)
 # ---------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="0.15"
+VERSION="0.16"
 
 # defaults
 CA="https://acme-staging.api.letsencrypt.org"
@@ -42,10 +43,11 @@ AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
 ACCOUNT_KEY_LENGTH=4096
 WORKING_DIR=~/.getssl
 DOMAIN_KEY_LENGTH=4096
-SSLCONF=/etc/ssl/openssl.cnf
+SSLCONF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
 VALIDATE_VIA_DNS=""
 RELOAD_CMD=""
 RENEW_ALLOW="30"
+PRIVATE_KEY_ALG="rsa"
 _USE_DEBUG=0
 _CREATE_CONFIG=0
 _RENEW_ALL=0
@@ -127,7 +129,8 @@ write_getssl_template() {
 #ACCOUNT_EMAIL="me@example.com"
 ACCOUNT_KEY_LENGTH=4096
 ACCOUNT_KEY="$WORKING_DIR/account.key"
-
+ PRIVATE_KEY_ALG="rsa"
+
 # The command needed to reload apache / nginx or whatever you use
 #RELOAD_CMD=""
 # The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
@@ -159,7 +162,8 @@ write_domain_template() {
 #ACCOUNT_EMAIL="me@example.com"
 #ACCOUNT_KEY_LENGTH=4096
 #ACCOUNT_KEY="$WORKING_DIR/account.key"
-
+ PRIVATE_KEY_ALG="rsa"
+
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS=${EX_SANS}
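Review bot: The new `SSLCONF` default in the second hunk runs `openssl version -d` unchecked while the script's defaults are being set, so when openssl is not on PATH or prints its directory in another format the substitution is empty and the default silently becomes `/openssl.cnf`, which the later openssl invocations presumably cannot read. Keeping the previous path as a fallback preserves the old behaviour in that case: `_ssl_dir="$(openssl version -d 2>/dev/null | cut -d\" -f2)"` followed by `SSLCONF="${_ssl_dir:-/etc/ssl}/openssl.cnf"`. The same hunk introduces the `PRIVATE_KEY_ALG="rsa"` default with no comment naming the other value the script accepts; `# "rsa" or "prime256v1"` on that line would make the option discoverable.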
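Review bot: In the `write_domain_template` hunk the added `PRIVATE_KEY_ALG="rsa"` line is left active while the neighbouring account-level entries (`#ACCOUNT_KEY_LENGTH=4096`, `#ACCOUNT_KEY=...`) are commented out, so every per-domain getssl.cfg generated from this template overrides a `prime256v1` choice made in the top-level config; as `ACCOUNT_KEY` is a single file shared by all domains, that looks unintended and the domain template line should probably be `#PRIVATE_KEY_ALG="rsa"`, unless the variable is also meant to select the domain key type (not visible in these hunks). Neither this hunk nor the `write_getssl_template` hunk above documents the accepted values, while every other entry in the templates carries an explanatory comment; `# Private key algorithm for generated keys: "rsa" (size from ACCOUNT_KEY_LENGTH) or "prime256v1"` would fit that style. The README hunks in this commit do not mention the new variable either.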
@@ -459,7 +463,13 @@ if [ -f "$ACCOUNT_KEY" ]; then
 debug "Account key exists at $ACCOUNT_KEY skipping generation"
 else
 info "creating account key $ACCOUNT_KEY"
-openssl genrsa $ACCOUNT_KEY_LENGTH > "$ACCOUNT_KEY"
+if [[ "${PRIVATE_KEY_ALG}" == "rsa" ]]; then
+openssl genrsa $ACCOUNT_KEY_LENGTH > "$ACCOUNT_KEY"
+elif [[ "${PRIVATE_KEY_ALG}" == "prime256v1" ]]; then
+openssl ecparam -genkey -name prime256v1 > "$ACCOUNT_KEY"
+else
+error_exit "unknown private key algorithm type ${PRIVATE_KEY_ALG}"
+fi
 fi
 
 if [ -f "$DOMAIN_DIR/${DOMAIN}.key" ]; then
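Review bot: Both key-generation branches write the private key through a shell redirection, so the file is created with the process umask (commonly 0644) and the account key can end up readable by other local users; running each command in a subshell with a restrictive umask fixes this without a chmod race, e.g. `( umask 077; openssl genrsa $ACCOUNT_KEY_LENGTH > "$ACCOUNT_KEY" )` and `( umask 077; openssl ecparam -genkey -name prime256v1 > "$ACCOUNT_KEY" )`. Neither branch checks openssl's exit status, and a failed run leaves an empty `$ACCOUNT_KEY` that the `-f` test at the head of this block will accept as an existing key on the next run; appending `|| error_exit "failed to create $ACCOUNT_KEY"` to each command closes that gap. The domain-key block that begins on the hunk's last line lies outside this view, so whether it also honours `PRIVATE_KEY_ALG` cannot be checked here.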