diff --git a/README.md b/README.md index 7950359..b06429a 100644 --- a/README.md +++ b/README.md @@ -1,163 +1,9 @@ -# acme +# acme ![MIT license](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square) -![unstable](https://img.shields.io/badge/api-unstable-orange.svg?style=flat-square) -![MIT license](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square) +`kelunik/acme-client` is a standalone ACME client written in PHP. ACME is the protocol that powers the [Let's Encrypt](https://letsencrypt.org) certificate authority. -`kelunik/acme-client` is a standalone ACME client written in PHP. -It's an alternative for the [official client](https://github.com/letsencrypt/letsencrypt) which is written in python. +## Documentation -> **Warning**: This software is under development. Use at your own risk. - -## Installation - -**Requirements** - -* PHP 5.5+ -* Composer - -**Instructions using the Phar** - -```bash -# Go to https://github.com/kelunik/acme-client/releases/latest -# Download the latest release archive - -# Run it. -chmod +x acme-client.phar -./acme-client.phar - -# Or install it globally -mv ./acme-client.phar /usr/local/bin/acme-client -``` - -If you want to update, just replace the old phar with a new one. - -All commands require an additional `--storage` argument when using the phar. That's the path where your keys and certificates will be stored. -On Unix you could use something like `--storage /etc/acme`. - -If you're using the phar, you can add a file called `acme-client.yml` next to it with the two keys `storage` and `server`. -These values will be used as default if you don't specify them, but you can still use another server by explicitly adding it as argument. - -```yml -# Sample YAML configuration: -storage: /etc/acme -server: letsencrypt -``` - -**Instructions using Composer** - -```bash -# Clone repository -git clone https://github.com/kelunik/acme-client && cd acme-client - -# Checkout latest release -git checkout $(git describe --tags `git rev-list --tags --max-count=1`) - -# Install dependencies -composer install --no-dev -``` - -## Migration from 0.1.x to 0.2.x - -```bash -# Start in ./data -cd data - -# Move your account key to new location: - -mkdir accounts -mv account/key.pem accounts/acme-v01.api.letsencrypt.org.directory.pem -# or accounts/acme-staging.api.letsencrypt.org.directory.pem if it's a staging key - -# account should now be empty or contain just a config.json, you can delete the folder then -rm -rf account - -# Migrate certificates to new location: - -cd certs -mkdir acme-v01.api.letsencrypt.org.directory - -# Move all your certificate directories -# Repeat for all directories! -mv example.com acme-v01.api.letsencrypt.org.directory -# or acme-staging.api.letsencrypt.org.directory - -# Delete all config.json files which may exist -find -name "config.json" | xargs rm - -# Update to current version -git checkout master && git pull - -# Check out latest release -git checkout $(git describe --tags `git rev-list --tags --max-count=1`) - -# Update dependencies -composer update --no-dev - -# Reconfigure your webserver to use the new paths -# and check (and fix) your automation commands. -``` - -## Usage - -> **Note**: This client stores all data in `./data`, be sure to backup this folder regularly. -> It contains your account keys, domain keys and certificates. - -Before you can issue certificates, you have to register an account first and read and understand the terms of service of the ACME CA you're using. -For Let's Encrypt there's a [subscriber agreement](https://letsencrypt.org/repository/) you have to accept. - -By using this client you agree to any agreement and any further updates by continued usage. -You're responsible to react to updates and stop the automation if you no longer agree with the terms of service. - -``` -bin/acme setup -s letsencrypt --email me@example.com -``` - -`-s` / `--server` can either be a URI or a shortcut. Available shortcuts: - * `letsencrypt` / `letsencrypt:production` - * `letsencrypt:staging` - -After a successful registration you're able to issue certificates. -This client assumes you have a HTTP server setup and running. -You must have a document root setup in order to use this client. - -``` -bin/acme issue -s letsencrypt -d example.com:www.example.com -p /var/www/example.com -``` - -To revoke a certificate, you need a valid account key currently, just like for issuance. - -``` -bin/acme revoke --name example.com -s letsencrypt -``` - -For renewal, there's the `bin/acme check` subcommand. -It exists with a non-zero exit code, if the certificate is going to expire soon. -Default check time is 30 days, but you can use `--ttl` to customize it. - -You may use this as daily cron: - -``` -bin/acme check --name example.com --ttl 30 -s letsencrypt || bin/acme issue ... -``` - -You can also use a more advanced script to automatically reload the server as well. - -```bash -#!/usr/bin/env bash - -cd /git/kelunik/acme-client - -bin/acme check --name example.com --ttl 30 -s letsencrypt - -if [ $? -eq 1 ]; then - bin/acme issue -d example.com:www.example.com -p /var/www -s letsencrypt - - if [ $? -eq 0 ]; then - nginx -t -q - - if [ $? -eq 0 ]; then - nginx -s reload - fi - fi -fi -``` \ No newline at end of file + * [Installation](./doc/installation.md) + * [Usage](./doc/usage.md) + * [Migration guide for 0.1.x → 0.2.x](./doc/migrations/0.2.0.md) diff --git a/doc/installation.md b/doc/installation.md new file mode 100644 index 0000000..a102b4f --- /dev/null +++ b/doc/installation.md @@ -0,0 +1,66 @@ +# Installation + +## Installation using Phar + +This is the preferred installation method for usage on a production system. + +### Requirements + +* PHP 5.5+ + +### Instructions + +```bash +# Go to https://github.com/kelunik/acme-client/releases/latest +# Download the latest release archive. + +# Make it executable. +chmod +x acme-client.phar + +# Run it. +./acme-client.phar + +# Or install it globally. +mv ./acme-client.phar /usr/local/bin/acme-client +acme-client +``` + +If you want to update, just replace the old `.phar` with a new one. + +All commands require a `--storage` argument when using the Phar. That's the path where your keys and certificates will be stored. +On Unix you could use something like `--storage /etc/acme`. + +You can add a file named `acme-client.yml` next to the `.phar` with the two keys `storage` and `server`. +These values will be used as default if you don't specify them, but you can still use another server by explicitly adding it as argument. + +```yml +# Sample YAML configuration. + +# Storage directory for certificates and keys. +storage: /etc/acme + +# Server to use. Available shortcuts: letsencrypt, letsencrypt:staging +# You can also use full URLs to the directory resource of an ACME server +server: letsencrypt +``` + +## Installation using Composer + +If you plan to actively develop this client, you probably don't want the Phar but install the dependencies using Composer. + +### Requirements + +* PHP 5.5+ +* [Composer](https://getcomposer.org/) + +### Instructions + +```bash +# Clone repository +git clone https://github.com/kelunik/acme-client && cd acme-client + +# Install dependencies +composer install +``` + +You can use `./bin/acme` as script instead of the Phar. Please note, that all data will be stored in `./data` as long as you don't provide the `--storage` argument. diff --git a/doc/migrations/0.2.0.md b/doc/migrations/0.2.0.md new file mode 100644 index 0000000..8a09b3a --- /dev/null +++ b/doc/migrations/0.2.0.md @@ -0,0 +1,43 @@ +# Migration from 0.1.x to 0.2.x + +If you used this client before `0.2.0`, you have a different directory structure than the current one. If you want to upgrade, but keep all your data, here's a migration guide. + +```bash +# Start in ./data +cd data + +# Move your account key to new location: + +mkdir accounts +mv account/key.pem accounts/acme-v01.api.letsencrypt.org.directory.pem +# or accounts/acme-staging.api.letsencrypt.org.directory.pem if it's a staging key + +# account should now be empty or contain just a config.json, you can delete the folder then +rm -rf account + +# Migrate certificates to new location: + +cd certs +mkdir acme-v01.api.letsencrypt.org.directory + +# Move all your certificate directories +# Repeat for all directories! +mv example.com acme-v01.api.letsencrypt.org.directory +# or acme-staging.api.letsencrypt.org.directory + +# Delete all config.json files which may exist +find -name "config.json" | xargs rm + +# Update to current version +# Alternatively have a look at the new installation instructions and use the Phar +git checkout master && git pull + +# Check out latest release +git checkout $(git describe --tags `git rev-list --tags --max-count=1`) + +# Update dependencies +composer update --no-dev + +# Reconfigure your webserver to use the new paths +# and check (and fix) your automation commands. +``` diff --git a/doc/usage.md b/doc/usage.md new file mode 100644 index 0000000..abb8b61 --- /dev/null +++ b/doc/usage.md @@ -0,0 +1,79 @@ +# Usage + +**The client stores all data in `./data` if you're using the Composer installation method, otherwise in the directory you configured. Be sure to backup this folder regularly. It contains your account keys, domain keys and certificates.** + +Before you can issue certificates, you have to register an account first and read and understand the terms of service of the ACME CA you're using. +For the Let's Encrypt certificate authority, there's a [subscriber agreement](https://letsencrypt.org/repository/) you have to accept. + +By using this client you agree to any agreement and any further updates by continued usage. +You're responsible to react to updates and stop the automation if you no longer agree with the terms of service. + +These usage instructions assume you have installed the client globally as a Phar. If you are using the Phar, but don't have it globally, replace `acme-client` with the location to your Phar. + +If you're using the client with Composer, replace `acme-client` with `bin/acme`. You have to specify the server with `-s` / `--server`, because there's currently no config file support for this installation method. + +## Register an Account + +``` +acme-client setup --email me@example.com +``` + +After a successful registration you're able to issue certificates. +This client assumes you have a HTTP server setup and running. +You must have a document root setup in order to use this client. + +## Issue a Certificate + +``` +acme-client issue -d example.com:www.example.com -p /var/www/example.com +``` + +You can separate multiple domains (`-d`) with `,`, `:` or `;`. You can separate multiple document roots (`-p`) with your system's path separator: + * Colon (`:`) for Unix + * Semicolon (`;`) for Windows + +If you specify less paths than domains, the last one will be used for the remaining domains. + +Please note that Let's Encrypt has rate limits. Currently it's five certificates per domain per seven days. If you combine multiple subdomains in a single certificate, they count as just one certificate. If you just want to test things out, you can use their staging server, which has way higher rate limits by appending `--s letsencrypt:staging`. + +## Revoke a Certificate + +To revoke a certificate, you need a valid account key, just like for issuance. + +``` +acme-client revoke --name example.com +``` + +`--name` is the common name of the certificate that you want to revoke. + +## Renewing a Certificate + +For renewal, there's the `acme-client check` subcommand. +It exists with a non-zero exit code, if the certificate is going to expire soon. +Default check time is 30 days, but you can use `--ttl` to customize it. + +You may use this as daily cron: + +``` +acme-client check --name example.com || acme-client issue ... +``` + +You can also use a more advanced script to automatically reload the server as well. For this example we assume you're using Nginx. Something similar should work for Apache. + +```bash +#!/usr/bin/env bash + +acme-client check --name example.com --ttl 30 + +if [ $? -eq 1 ]; then + acme-client issue -d example.com:www.example.com -p /var/www + + if [ $? -eq 0 ]; then + nginx -t -q + + if [ $? -eq 0 ]; then + nginx -s reload + fi + fi +fi +```