mirror of
https://github.com/go-acme/lego
synced 2024-06-09 21:52:12 +02:00
42941ccea6
- Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
163 lines
4.4 KiB
Go
163 lines
4.4 KiB
Go
package cmd
|
|
|
|
import (
|
|
"bufio"
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/urfave/cli"
|
|
"github.com/xenolf/lego/certificate"
|
|
"github.com/xenolf/lego/lego"
|
|
"github.com/xenolf/lego/log"
|
|
"github.com/xenolf/lego/registration"
|
|
)
|
|
|
|
func createRun() cli.Command {
|
|
return cli.Command{
|
|
Name: "run",
|
|
Usage: "Register an account, then create and install a certificate",
|
|
Before: func(ctx *cli.Context) error {
|
|
// we require either domains or csr, but not both
|
|
hasDomains := len(ctx.GlobalStringSlice("domains")) > 0
|
|
hasCsr := len(ctx.GlobalString("csr")) > 0
|
|
if hasDomains && hasCsr {
|
|
log.Fatal("Please specify either --domains/-d or --csr/-c, but not both")
|
|
}
|
|
if !hasDomains && !hasCsr {
|
|
log.Fatal("Please specify --domains/-d (or --csr/-c if you already have a CSR)")
|
|
}
|
|
return nil
|
|
},
|
|
Action: run,
|
|
Flags: []cli.Flag{
|
|
cli.BoolFlag{
|
|
Name: "no-bundle",
|
|
Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
|
|
},
|
|
cli.BoolFlag{
|
|
Name: "must-staple",
|
|
Usage: "Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.",
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func run(ctx *cli.Context) error {
|
|
accountsStorage := NewAccountsStorage(ctx)
|
|
|
|
account, client := setup(ctx, accountsStorage)
|
|
|
|
if account.Registration == nil {
|
|
reg, err := register(ctx, client)
|
|
if err != nil {
|
|
log.Fatalf("Could not complete registration\n\t%v", err)
|
|
}
|
|
|
|
account.Registration = reg
|
|
|
|
if err = accountsStorage.Save(account); err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
fmt.Println("!!!! HEADS UP !!!!")
|
|
fmt.Printf(`
|
|
Your account credentials have been saved in your Let's Encrypt
|
|
configuration directory at "%s".
|
|
You should make a secure backup of this folder now. This
|
|
configuration directory will also contain certificates and
|
|
private keys obtained from Let's Encrypt so making regular
|
|
backups of this folder is ideal.`, accountsStorage.GetRootPath())
|
|
}
|
|
|
|
certsStorage := NewCertificatesStorage(ctx)
|
|
certsStorage.CreateRootFolder()
|
|
|
|
cert, err := obtainCertificate(ctx, client)
|
|
if err != nil {
|
|
// Make sure to return a non-zero exit code if ObtainSANCertificate returned at least one error.
|
|
// Due to us not returning partial certificate we can just exit here instead of at the end.
|
|
log.Fatalf("Could not obtain certificates:\n\t%v", err)
|
|
}
|
|
|
|
certsStorage.SaveResource(cert)
|
|
|
|
return nil
|
|
}
|
|
|
|
func handleTOS(ctx *cli.Context, client *lego.Client) bool {
|
|
// Check for a global accept override
|
|
if ctx.GlobalBool("accept-tos") {
|
|
return true
|
|
}
|
|
|
|
reader := bufio.NewReader(os.Stdin)
|
|
log.Printf("Please review the TOS at %s", client.GetToSURL())
|
|
|
|
for {
|
|
fmt.Println("Do you accept the TOS? Y/n")
|
|
text, err := reader.ReadString('\n')
|
|
if err != nil {
|
|
log.Fatalf("Could not read from console: %v", err)
|
|
}
|
|
|
|
text = strings.Trim(text, "\r\n")
|
|
switch text {
|
|
case "", "y", "Y":
|
|
return true
|
|
case "n", "N":
|
|
log.Fatal("You did not accept the TOS. Unable to proceed.")
|
|
default:
|
|
fmt.Println("Your input was invalid. Please answer with one of Y/y, n/N or by pressing enter.")
|
|
}
|
|
}
|
|
}
|
|
|
|
func register(ctx *cli.Context, client *lego.Client) (*registration.Resource, error) {
|
|
accepted := handleTOS(ctx, client)
|
|
if !accepted {
|
|
log.Fatal("You did not accept the TOS. Unable to proceed.")
|
|
}
|
|
|
|
if ctx.GlobalBool("eab") {
|
|
kid := ctx.GlobalString("kid")
|
|
hmacEncoded := ctx.GlobalString("hmac")
|
|
|
|
if kid == "" || hmacEncoded == "" {
|
|
log.Fatalf("Requires arguments --kid and --hmac.")
|
|
}
|
|
|
|
return client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
|
|
TermsOfServiceAgreed: accepted,
|
|
Kid: kid,
|
|
HmacEncoded: hmacEncoded,
|
|
})
|
|
}
|
|
|
|
return client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
|
|
}
|
|
|
|
func obtainCertificate(ctx *cli.Context, client *lego.Client) (*certificate.Resource, error) {
|
|
bundle := !ctx.Bool("no-bundle")
|
|
|
|
domains := ctx.GlobalStringSlice("domains")
|
|
if len(domains) > 0 {
|
|
// obtain a certificate, generating a new private key
|
|
request := certificate.ObtainRequest{
|
|
Domains: domains,
|
|
Bundle: bundle,
|
|
MustStaple: ctx.Bool("must-staple"),
|
|
}
|
|
return client.Certificate.Obtain(request)
|
|
}
|
|
|
|
// read the CSR
|
|
csr, err := readCSRFile(ctx.GlobalString("csr"))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// obtain a certificate for this CSR
|
|
return client.Certificate.ObtainForCSR(*csr, bundle)
|
|
}
|