[mirror_acme.sh.git] / README.md

# le: means simp`Le`
Simplest shell script for LetsEncrypt free Certificate client

Simple and Powerful, you only need 3 minutes to learn.

Pure written in bash, no dependencies to python, acme-tiny or LetsEncrypt official client.
Just one script, to issue, renew your certificates automatically.

Probably it's the smallest&easiest&smartest shell script to automatically issue & renew the free certificates from LetsEncrypt.

Do NOT require to be `root/sudoer`.

#Tested OS
1. Ubuntu/Debian.
2. CentOS
3. Windows (cygwin with curl, openssl and crontab included)
4. FreeBSD with bash
5. pfsense with bash and curl


#Supported Mode
1. Webroot mode
2. Standalone mode
3. Apache mode
4. Dns mode

#How to use

1. Clone this project: https://github.com/Neilpang/le.git

2. Install le:
```
./le.sh install
```
You don't have to be root then, although it is recommended.

Which does 3 jobs:
* create and copy `le.sh` to your home dir:  `~/.le`
All the certs will be placed in this folder.
* create alias : `le.sh=~/.le/le.sh` and `le=~/.le/le.sh`. 
* create everyday cron job to check and renew the cert if needed.

After install, you must close current terminal and reopen again to make the alias take effect.

Ok, you are ready to issue cert now.
Show help message:
```
root@v1:~# le.sh
https://github.com/Neilpang/le
v1.1.1
Usage: le.sh  [command] ...[args]....
Available commands:

install:
  Install le.sh to your system.
issue:
  Issue a cert.
installcert:
  Install the issued cert to apache/nginx or any other server.
renew:
  Renew a cert.
renewAll:
  Renew all the certs.
uninstall:
  Uninstall le.sh, and uninstall the cron job.
version:
  Show version info.
installcronjob:
  Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
uninstallcronjob:
  Uninstall the cron job. The 'uninstall' command can do this automatically.
createAccountKey:
  Create an account private key, professional use.
createDomainKey:
  Create an domain private key, professional use.
createCSR:
  Create CSR , professional use.


root@v1:~/le# le issue
Usage: le  issue  webroot|no|apache|dns   a.com  [www.a.com,b.com,c.com]|no   [key-length]|no


```

Set the param value to "no" means you want to ignore it.

For example, if you give "no" to "key-length", it will use default length 2048.

And if you give 'no' to 'cert-file-path', it will not copy the issued cert to the "cert-file-path".

In all the cases, the issued cert will be placed in "~/.le/domain.com/"

 
# Just issue a cert:
Example 1:
Only one domain:
```
le issue   /home/wwwroot/aa.com    aa.com 
```

Example 2:
Multiple domains in the same cert:

```
le issue   /home/wwwroot/aa.com    aa.com    www.aa.com,cp.aa.com
```

First argument `/home/wwwroot/aa.com` is the web root folder, You must have `write` access to this folder.

Second argument "aa.com" is the main domain you want to issue cert for.

Third argument is the additional domain list you want to use. Comma separated list,  which is Optional.

You must point and bind all the domains to the same webroot dir:`/home/wwwroot/aa.com`

The cert will be placed in `~/.le/aa.com/`

The issued cert will be renewed every 80 days automatically.

# Install issued cert to apache/nginx etc.
```
le installcert  aa.com /path/to/certfile/in/apache/nginx  /path/to/keyfile/in/apache/nginx  /path/to/ca/certfile/apache/nginx   "service apache2|nginx reload"
```

Install the issued cert/key to the production apache or nginx path.

The cert will be renewed every 80 days by default (which is configurable), Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`


# Use Standalone server to issue cert (requires you be root/sudoer, or you have permission to listen tcp 80 port):
Same usage as all above,  just give `no` as the webroot.
The tcp `80` port must be free to listen, otherwise you will be prompted to free the `80` port and try again.

```
le issue    no    aa.com    www.aa.com,cp.aa.com
```

# Use Apache mode (requires you be root/sudoer, since it is required to interact with apache server):
If you are running a web server, apache or nginx, it is recommended to use the Webroot mode.
Particularly,  if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder.

Just set string "apache" to the first argument, it will use apache plugin automatically.

```
le  issue  apache  aa.com   www.aa.com,user.aa.com
```
All the other arguments are the same with previous.


# Use DNS mode:
Support the latest dns-01 challenge.

```
le  issue   dns   aa.com  www.aa.com,user.aa.com
```

You will get the output like bellow:
```
Add the following txt record:
Domain:_acme-challenge.aa.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c

Add the following txt record:
Domain:_acme-challenge.www.aa.com
Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Please add those txt records to the domains. Waiting for the dns to take effect.

Then just retry with 'renew' command:

```
le renew  aa.com
```

Ok, it's finished.


#Automatic dns api integeration

If your dns provider supports api access, we can use api to automatically issue certs.
You don't have do anything manually.

###Currently we support:

1. Cloudflare.com api
2. Dnspod.cn api
3. Cloudxns.com api
4. AWS Route 53, see: https://github.com/Neilpang/le/issues/65

More apis are coming soon....

If your dns provider is not in the supported list above, you can write your own script api easily.

For more details: [How to use dns api](dnsapi)


# Issue ECC certificate:
LetsEncrypt now can issue ECDSA certificate.
And we also support it.

Just set the `length` parameter with a prefix `ec-`.
For example:

Single domain:
```
le issue  /home/wwwroot/aa.com    aa.com   no      ec-256
```

SAN multiple domains:
```
le issue  /home/wwwroot/aa.com    aa.com   www.aa.com,cp.aa.com    ec-256
```

Please look at the last parameter above.

Valid values are:

1. ec-256 (prime256v1,  "ECDSA P-256")
2. ec-384 (secp384r1,   "ECDSA P-384")
3. ec-521 (secp521r1,   "ECDSA P-521", which is not supported by letsencrypt yet.)


#Under the Hood

Speak ACME language with bash directly to Let's encrypt.

TODO:


#Acknowledgment
1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
3. letsencrypt: https://github.com/letsencrypt/letsencrypt


#License & Other

License is GPLv3

Please Star and Fork me.

Issues and pull requests are welcomed.
Commit	Line	Data
7a894c4c	1	# le: means simp`Le`
6c0ab5d2 N	2	Simplest shell script for LetsEncrypt free Certificate client
6c0ab5d2 N	3
cbb5f7ec	4	Simple and Powerful, you only need 3 minutes to learn.
8b92aab7	5
cbb5f7ec	6	Pure written in bash, no dependencies to python, acme-tiny or LetsEncrypt official client.
d8069cd4	7	Just one script, to issue, renew your certificates automatically.
6c0ab5d2	8
cbb5f7ec	9	Probably it's the smallest&easiest&smartest shell script to automatically issue & renew the free certificates from LetsEncrypt.
6c0ab5d2	10
7a894c4c	11	Do NOT require to be `root/sudoer`.
6c0ab5d2	12
7a894c4c	13	#Tested OS
3bfb563b N	14	1. Ubuntu/Debian.
3bfb563b N	15	2. CentOS
4e76098b	16	3. Windows (cygwin with curl, openssl and crontab included)
58b13856	17	4. FreeBSD with bash
54f473d8	18	5. pfsense with bash and curl
6c0ab5d2 N	19
6c0ab5d2 N	20
2c75b3fd	21	#Supported Mode
	22	1. Webroot mode
	23	2. Standalone mode
	24	3. Apache mode
52639149	25	4. Dns mode
2c75b3fd	26
6c0ab5d2 N	27	#How to use
	28
	29	1. Clone this project: https://github.com/Neilpang/le.git
	30
	31	2. Install le:
	32	```
	33	./le.sh install
	34	```
d0064bc3	35	You don't have to be root then, although it is recommended.
7a894c4c	36
db25a3ea N	37	Which does 3 jobs:
db25a3ea N	38	* create and copy `le.sh` to your home dir: `~/.le`
6c0ab5d2	39	All the certs will be placed in this folder.
9b292d58	40	* create alias : `le.sh=~/.le/le.sh` and `le=~/.le/le.sh`.
db25a3ea	41	* create everyday cron job to check and renew the cert if needed.
acc1e53a	42
9b292d58	43	After install, you must close current terminal and reopen again to make the alias take effect.
acc1e53a	44
cbb5f7ec	45	Ok, you are ready to issue cert now.
6c0ab5d2 N	46	Show help message:
6c0ab5d2 N	47	```
7a894c4c N	48	root@v1:~# le.sh
	49	https://github.com/Neilpang/le
	50	v1.1.1
	51	Usage: le.sh [command] ...[args]....
d0064bc3	52	Available commands:
7a894c4c N	53
	54	install:
	55	Install le.sh to your system.
	56	issue:
	57	Issue a cert.
	58	installcert:
	59	Install the issued cert to apache/nginx or any other server.
	60	renew:
	61	Renew a cert.
	62	renewAll:
	63	Renew all the certs.
	64	uninstall:
	65	Uninstall le.sh, and uninstall the cron job.
	66	version:
	67	Show version info.
	68	installcronjob:
	69	Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
	70	uninstallcronjob:
	71	Uninstall the cron job. The 'uninstall' command can do this automatically.
	72	createAccountKey:
	73	Create an account private key, professional use.
	74	createDomainKey:
	75	Create an domain private key, professional use.
	76	createCSR:
	77	Create CSR , professional use.
	78
	79
	80	root@v1:~/le# le issue
	81	Usage: le issue webroot\|no\|apache\|dns a.com [www.a.com,b.com,c.com]\|no [key-length]\|no
6c0ab5d2	82
6c0ab5d2 N	83
6c0ab5d2 N	84	```
4e1346dd	85
bcbb64e5 N	86	Set the param value to "no" means you want to ignore it.
	87
	88	For example, if you give "no" to "key-length", it will use default length 2048.
	89
	90	And if you give 'no' to 'cert-file-path', it will not copy the issued cert to the "cert-file-path".
	91
	92	In all the cases, the issued cert will be placed in "~/.le/domain.com/"
	93
6c0ab5d2 N	94
6c0ab5d2 N	95	# Just issue a cert:
2400e41f N	96	Example 1:
	97	Only one domain:
	98	```
	99	le issue /home/wwwroot/aa.com aa.com
	100	```
	101
	102	Example 2:
	103	Multiple domains in the same cert:
	104
6c0ab5d2 N	105	```
	106	le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com
	107	```
2400e41f	108
617ec4e3	109	First argument `/home/wwwroot/aa.com` is the web root folder, You must have `write` access to this folder.
6c0ab5d2	110
d337abca	111	Second argument "aa.com" is the main domain you want to issue cert for.
6c0ab5d2	112
cbb5f7ec	113	Third argument is the additional domain list you want to use. Comma separated list, which is Optional.
6c0ab5d2	114
d337abca	115	You must point and bind all the domains to the same webroot dir:`/home/wwwroot/aa.com`
6c0ab5d2 N	116
	117	The cert will be placed in `~/.le/aa.com/`
	118
7a894c4c	119	The issued cert will be renewed every 80 days automatically.
6c0ab5d2	120
7a894c4c	121	# Install issued cert to apache/nginx etc.
6c0ab5d2	122	```
d0064bc3	123	le installcert aa.com /path/to/certfile/in/apache/nginx /path/to/keyfile/in/apache/nginx /path/to/ca/certfile/apache/nginx "service apache2\|nginx reload"
6c0ab5d2	124	```
7a894c4c N	125
	126	Install the issued cert/key to the production apache or nginx path.
	127
cbb5f7ec	128	The cert will be renewed every 80 days by default (which is configurable), Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`
6c0ab5d2 N	129
6c0ab5d2 N	130
cbb5f7ec	131	# Use Standalone server to issue cert (requires you be root/sudoer, or you have permission to listen tcp 80 port):
4e1346dd	132	Same usage as all above, just give `no` as the webroot.
072290f2 N	133	The tcp `80` port must be free to listen, otherwise you will be prompted to free the `80` port and try again.
	134
	135	```
	136	le issue no aa.com www.aa.com,cp.aa.com
	137	```
	138
cbb5f7ec	139	# Use Apache mode (requires you be root/sudoer, since it is required to interact with apache server):
bc1c69ff	140	If you are running a web server, apache or nginx, it is recommended to use the Webroot mode.
2c75b3fd	141	Particularly, if you are running an apache server, you can use apache mode instead. Which doesn't write any file to your web root folder.
	142
	143	Just set string "apache" to the first argument, it will use apache plugin automatically.
	144
	145	```
7a894c4c	146	le issue apache aa.com www.aa.com,user.aa.com
2c75b3fd	147	```
	148	All the other arguments are the same with previous.
	149
6c0ab5d2	150
a947dbc6 N	151	# Use DNS mode:
	152	Support the latest dns-01 challenge.
	153
	154	```
7a894c4c	155	le issue dns aa.com www.aa.com,user.aa.com
a947dbc6 N	156	```
a947dbc6 N	157
6e89f811	158	You will get the output like bellow:
a947dbc6 N	159	```
	160	Add the following txt record:
	161	Domain:_acme-challenge.aa.com
	162	Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
	163
	164	Add the following txt record:
	165	Domain:_acme-challenge.www.aa.com
	166	Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
	167	```
	168
	169	Please add those txt records to the domains. Waiting for the dns to take effect.
	170
6e89f811	171	Then just retry with 'renew' command:
a947dbc6 N	172
	173	```
	174	le renew aa.com
	175	```
	176
	177	Ok, it's finished.
	178
	179
08094865	180	#Automatic dns api integeration
6c0ab5d2	181
cbb5f7ec	182	If your dns provider supports api access, we can use api to automatically issue certs.
08094865	183	You don't have do anything manually.
ab497961	184
855d9499	185	###Currently we support:
855d9499	186
cbb5f7ec	187	1. Cloudflare.com api
	188	2. Dnspod.cn api
	189	3. Cloudxns.com api
	190	4. AWS Route 53, see: https://github.com/Neilpang/le/issues/65
ab497961	191
7bd9a3b1	192	More apis are coming soon....
ab497961	193
39c6df29	194	If your dns provider is not in the supported list above, you can write your own script api easily.
ab497961	195
855d9499	196	For more details: [How to use dns api](dnsapi)
ab497961	197
ab497961	198
1add47a6	199	# Issue ECC certificate:
	200	LetsEncrypt now can issue ECDSA certificate.
	201	And we also support it.
	202
8b92aab7	203	Just set the `length` parameter with a prefix `ec-`.
1add47a6	204	For example:
9e6c4208 N	205
	206	Single domain:
	207	```
	208	le issue /home/wwwroot/aa.com aa.com no ec-256
1add47a6	209	```
9e6c4208 N	210
9e6c4208 N	211	SAN multiple domains:
1add47a6	212	```
9e6c4208 N	213	le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com ec-256
	214	```
	215
1add47a6	216	Please look at the last parameter above.
	217
	218	Valid values are:
	219
	220	1. ec-256 (prime256v1, "ECDSA P-256")
	221	2. ec-384 (secp384r1, "ECDSA P-384")
8b92aab7	222	3. ec-521 (secp521r1, "ECDSA P-521", which is not supported by letsencrypt yet.)
1add47a6	223
	224
	225
6c0ab5d2 N	226	#Under the Hood
6c0ab5d2 N	227
1162f82e	228	Speak ACME language with bash directly to Let's encrypt.
6c0ab5d2 N	229
	230	TODO:
	231
	232
63f04675 N	233	#Acknowledgment
	234	1. Acme-tiny: https://github.com/diafygi/acme-tiny
	235	2. ACME protocol: https://github.com/ietf-wg-acme/acme
	236	3. letsencrypt: https://github.com/letsencrypt/letsencrypt
	237
	238
	239
6c0ab5d2 N	240	#License & Other
	241
	242	License is GPLv3
	243
1d06c947	244	Please Star and Fork me.
6c0ab5d2	245
18ab2c5c	246	Issues and pull requests are welcomed.
6c0ab5d2 N	247
	248
	249