letscert

Repository is archived
No commit activity in last 3 years
No release in over 3 years
letscert is a simple Let's Encrypt client written in Ruby. It aims to be as clean as simp_le.
Project Readme


letscert

A simple Let's Encrypt client in ruby.

I think kuba/simp_le does it the right way: it is simple, and it is safe as it does not need to be run as root, but it is written in Python (no one is perfect :-)). So I started to create a clone, but in Ruby.

Usage

Generate a key pair and get a signed certificate:

With full chain support (fullchain.pem file will contain all certificates):

letscert -d example.org:/var/www/example.org/html --email my.name@example.org \
  -f account_key.json -f key.pem -f fullchain.pem

Otherwise (the certificate for example.org is in the cert.pem file, and the rest of the certification chain is in chain.pem):

letscert -d example.org:/var/www/example.org/html --email my.name@example.org \
  -f account_key.json -f key.pem -f cert.pem -f chain.pem

These commands generate RSA certificates, using an RSA account key. To generate ECDSA keys and certificates, use the --cert-ecdsa CURVE option (CURVE: prime256v1 or secp384r1) and/or the --account-key-type ecdsa option.

The commands are the same for certificate renewal.

Generate a key pair and get a signed certificate for multiple domains:

Generate a single certificate for example.org and www.example.org:

letscert -d example.org -d www.example.org --default-root /var/www/html \
  --email my.name@example.org -f account_key.json -f key.pem -f fullchain.pem

The command is the same for certificate renewal.

Generate a key pair and get a signed certificate if the existing one is valid for less than xx days

In this example, xx is 10:

letscert -d example.org:/var/www/example.org/html --email my.name@example.org \
  -f account_key.json -f key.pem -f cert.pem -f chain.pem --valid-min 10d

The validity threshold may also be given as a number of hours (h suffix), minutes (m suffix) or seconds (no suffix).

Revoke a key pair:

From the directory where account_key.json and cert.pem or fullchain.pem are stored:

letscert -d example.org:/var/www/example.org/html --email my.name@example.org --revoke

What letscert does

  • Automagically create a new ACME account if needed.
  • Issue a new certificate if no previous one is found.
  • Renew the certificate only if needed.
  • Only the http-01 challenge is supported. An existing web server must already be running, and letscert must have write access to ${webroot}/.well-known/acme-challenge.
  • Crontab friendly: no prompts.
  • No configuration file.
  • Support multiple domains with multiple roots. Always create a single certificate per run (i.e. a certificate may have multiple SANs).
  • Check the exit code to know whether a renewal has happened:
    • 0 if certificate data was created or updated;
    • 1 if renewal was not necessary;
    • 2 in case of errors.
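The exit codes above are what make letscert crontab friendly: a wrapper can reload the web server only when a certificate was actually issued and keep cron quiet when there was nothing to do. The following POSIX sh wrapper is an added example, not part of letscert; it assumes letscert is on PATH, that its state files (account_key.json, key.pem, ...) live in LETSCERT_DIR, and that the web server is reloaded with RELOAD_CMD (both overridable from the environment).

```shell
#!/bin/sh
# Cron wrapper for letscert (added example; not part of letscert itself).
# Assumed: letscert is on PATH, its state files live in $LETSCERT_DIR, and
# the web server is reloaded with $RELOAD_CMD. Both can be overridden.
LETSCERT_DIR="${LETSCERT_DIR:-/etc/letscert/example.org}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Map a letscert exit status to the wrapper's action:
#   0 -> reload (certificate created or renewed; web server must pick it up)
#   1 -> noop   (renewal not needed; the normal daily outcome)
#   2 -> error  (letscert reported an error, e.g. a failed http-01 challenge)
# Any other status is treated as an error as well.
letscert_action() {
  case "$1" in
    0) echo reload ;;
    1) echo noop ;;
    *) echo error ;;
  esac
}

# Run the command given as arguments and act on its exit status.
# Returns 0 for both "renewed" and "nothing to do", so cron only mails
# on a real failure; returns 2 when letscert failed.
run_renewal() {
  "$@" && status=0 || status=$?
  case "$(letscert_action "$status")" in
    reload)
      echo "certificate updated, reloading web server"
      $RELOAD_CMD
      ;;
    noop)
      echo "certificate still valid, nothing to do"
      ;;
    error)
      echo "letscert failed with status $status" >&2
      return 2
      ;;
  esac
}

# From cron: "letscert-cron.sh run". Without the argument the file only
# defines the functions, so it can be sourced or tested.
if [ "${1:-}" = run ]; then
  cd "$LETSCERT_DIR" || exit 2
  run_renewal letscert -d example.org:/var/www/example.org/html \
    --email my.name@example.org -f account_key.json -f key.pem \
    -f fullchain.pem --valid-min 10d
  exit $?
fi
```

A daily crontab line such as `0 3 * * * /usr/local/bin/letscert-cron.sh run` then reloads the web server only on exit code 0 and produces mail only on a real failure.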

Installation

Since v0.4.1, letscert is cryptographically signed. To be sure the gem you install hasn't been tampered with:

  • add my public key as a trusted certificate:
gem cert --add <(curl -Ls https://raw.github.com/sdaubert/letscert/master/certs/gem-public_cert.pem)
  • install letscert gem with a policy:
gem install letscert -P MediumSecurity

The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of letscert's dependencies are signed, so we cannot use HighSecurity.