daxi20/acmeclient
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: daxi20:v0.3.0-alpha.3
Branches Tags
daxi20:master daxi20:0.1.x
daxi20:v1.0.2 daxi20:v1.0.1 daxi20:v1.0.0 daxi20:v1.0.0-beta.2 daxi20:v1.0.0-beta.1 daxi20:v0.3.0-beta.4 daxi20:v0.3.0-beta.3 daxi20:v0.3.0-beta.2 daxi20:v0.3.0-beta.1 daxi20:v0.3.0-alpha.3 daxi20:v0.3.0-alpha.2 daxi20:v0.3.0-alpha.1 daxi20:v0.2.14 daxi20:v0.2.13 daxi20:v0.2.12 daxi20:v0.2.11 daxi20:v0.2.10 daxi20:v0.2.9 daxi20:v0.2.8 daxi20:v0.2.7 daxi20:v0.2.6 daxi20:v0.2.5 daxi20:v0.2.4 daxi20:v0.2.3 daxi20:v0.2.2 daxi20:v0.2.1 daxi20:v0.2.0 daxi20:v0.1.0
...
compare: daxi20:master
Branches Tags
daxi20:master daxi20:0.1.x
daxi20:v1.0.2 daxi20:v1.0.1 daxi20:v1.0.0 daxi20:v1.0.0-beta.2 daxi20:v1.0.0-beta.1 daxi20:v0.3.0-beta.4 daxi20:v0.3.0-beta.3 daxi20:v0.3.0-beta.2 daxi20:v0.3.0-beta.1 daxi20:v0.3.0-alpha.3 daxi20:v0.3.0-alpha.2 daxi20:v0.3.0-alpha.1 daxi20:v0.2.14 daxi20:v0.2.13 daxi20:v0.2.12 daxi20:v0.2.11 daxi20:v0.2.10 daxi20:v0.2.9 daxi20:v0.2.8 daxi20:v0.2.7 daxi20:v0.2.6 daxi20:v0.2.5 daxi20:v0.2.4 daxi20:v0.2.3 daxi20:v0.2.2 daxi20:v0.2.1 daxi20:v0.2.0 daxi20:v0.1.0

29 Commits
v0.3.0-alp ... master

Author SHA1 Message Date
Niklas Keller
638dbbe8b7 Move docs to README 2025-08-09 21:27:52 +02:00
Niklas Keller
34909784d0 Update to actions/upload-artifact@v4 2025-08-01 20:35:59 +02:00
Niklas Keller
5c9165d681 Update dependencies 
Most importantly update to kelunik/acme v1.0.1 to fix https://github.com/kelunik/acme/issues/41.
 2025-08-01 20:32:05 +02:00
Niklas Keller
63979e4ec3 Fetch tags for built phar version info 2024-04-03 21:07:12 +02:00
Niklas Keller
b507ddec18 Fix code style 2024-04-03 20:59:31 +02:00
Niklas Keller
6da6baeb6d Add CI setup 
This will also build the PHARs instead of building them locally.
 2024-04-03 20:57:04 +02:00
Niklas Keller
e377d32e64 Upgrade dependencies 2024-04-03 20:48:59 +02:00
dependabot[bot]
7f7b6092b5 Bump amphp/http from 1.6.3 to 1.7.3 (#96) 
Bumps [amphp/http](https://github.com/amphp/http) from 1.6.3 to 1.7.3.
- [Release notes](https://github.com/amphp/http/releases)
- [Commits](https://github.com/amphp/http/compare/v1.6.3...v1.7.3)

---
updated-dependencies:
- dependency-name: amphp/http
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-04-03 20:11:55 +02:00
Bob Weinand
130ae8468c Fix issuance of reordered domain names (#92) 2022-09-17 11:03:39 +02:00
Alexey Shirokov
ee538c53b2 Update register command (#94) 2022-09-17 08:49:59 +02:00
Niklas Keller
361a06ce26 Upgrade dependencies 2021-10-25 22:20:11 +02:00
Niklas Keller
74aa1b82fb Cleanup default parameter in changeOwner 2021-08-10 00:30:37 +02:00
Niklas Keller
b464b52a85 Fix changeOwner → changePermissions 2021-08-10 00:30:37 +02:00
Niklas Keller
82c053fa02 Update usage.md 2021-07-08 23:40:18 +02:00
Niklas Keller
5a8a6d471c Update installation.md 2021-07-08 23:37:01 +02:00
Niklas Keller
1210f0b7fc Update README.md 2021-07-08 23:36:06 +02:00
Niklas Keller
e9b382128d Upgrade to ACME RFC (v2) 2021-07-04 12:40:11 +02:00
Niklas Keller
6bfa43dad9 Update dependencies and code style 2021-06-30 00:28:56 +02:00
Pieter Hordijk
5b112cba3e Fixed required PHP version to run the client (#77) 2019-03-01 19:44:17 +01:00
Niklas Keller
35070bb70a Add logging support for debugging 2018-06-09 19:00:02 +02:00
Niklas Keller
6da46ddaf6 Upgrade dependencies 2018-06-06 21:50:52 +02:00
Niklas Keller
51acff5bd3 Implement --rekey option 
Closes #65.
Closes #19.
 2018-04-15 19:14:36 +02:00
Niklas Keller
ea3e9dc68c Update LICENSE date 2018-04-15 18:27:00 +02:00
Niklas Keller
6f01055884 Upgrade to amphp/process v0.3.x 2018-04-15 18:19:40 +02:00
Niklas Keller
297e1aa9b1 Update dependencies 2018-04-15 18:12:32 +02:00
Niklas Keller
b7cfe3c0f1 Update to amphp/parallel v0.2.5 
This fixes running as PHAR if the PHAR doesn't end with '.phar'.
 2018-03-21 15:52:05 +01:00
Niklas Keller
4053094860 Update .travis.yml 2018-03-21 13:06:30 +01:00
Niklas Keller
a80b7b8497 Remove BlockingDriver usage, as parallel has been fixed 2018-03-21 12:55:25 +01:00
Niklas Keller
f13b0856c7 Update dependencies 2018-03-21 12:54:21 +01:00
33 changed files with 4796 additions and 2114 deletions
Expand all files Collapse all files

3
.acme-client.yml.sample
View File

@@ -28,7 +28,10 @@ certificates:
# user: User running the web server. Challenge files are world readable, # user: User running the web server. Challenge files are world readable,
# but some servers might require to be owner of files they serve. # but some servers might require to be owner of files they serve.
# #
# rekey: Regenerate certificate key pairs even if a key pair already exists.
#
- bits: 4096 - bits: 4096
rekey: true
paths: paths:
/var/www/example: /var/www/example:
- example.org - example.org

81
.github/workflows/ci.yml vendored Normal file
View File

@@ -0,0 +1,81 @@
name: Continuous Integration
on:
- push
- pull_request
jobs:
tests:
strategy:
matrix:
include:
- operating-system: 'ubuntu-latest'
php-version: '8.1'
name: PHP ${{ matrix.php-version }} ${{ matrix.job-description }}
runs-on: ${{ matrix.operating-system }}
steps:
- name: Set git to use LF
run: |
git config --global core.autocrlf false
git config --global core.eol lf
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php-version }}
ini-values: zend.assertions=1, assert.exception=1
env:
update: true
- name: Get Composer cache directory
id: composer-cache
run: echo "dir=$(composer config cache-dir)" >> $GITHUB_OUTPUT
shell: bash
- name: Cache dependencies
uses: actions/cache@v3
with:
path: ${{ steps.composer-cache.outputs.dir }}
key: composer-${{ runner.os }}-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}-${{ matrix.composer-flags }}
restore-keys: |
composer-${{ runner.os }}-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}-
composer-${{ runner.os }}-${{ matrix.php-version }}-
composer-${{ runner.os }}-
composer-
- name: Install dependencies
uses: nick-invision/retry@v2
with:
timeout_minutes: 5
max_attempts: 5
retry_wait_seconds: 30
command: |
composer update --optimize-autoloader --no-interaction --no-progress ${{ matrix.composer-flags }}
composer info -D
- name: Run tests
run: vendor/bin/phpunit ${{ matrix.phpunit-flags }}
- name: Run style fixer
env:
PHP_CS_FIXER_IGNORE_ENV: 1
run: vendor/bin/php-cs-fixer --diff --dry-run -v fix
if: matrix.php-cs-fixer != 'none'
- name: Build phar
run: php -dphar.readonly=0 vendor/bin/phar-builder package
- name: Upload phar
uses: actions/upload-artifact@v4
with:
name: acme-client.phar
path: |
build/acme-client.phar

3
.gitignore vendored
View File

@@ -3,4 +3,5 @@
/info/ /info/
/vendor/ /vendor/
/config.test.yml /config.test.yml
/.php_cs.cache /.php_cs.cache
/.phpunit.result.cache

46
.php_cs.dist
View File

@@ -1,40 +1,10 @@
<?php <?php
return PhpCsFixer\Config::create() $config = new Amp\CodeStyle\Config;
->setRiskyAllowed(true) $config->getFinder()
->setRules([ ->in(__DIR__ . '/src')
"@PSR1" => true, ->in(__DIR__ . '/test');
"@PSR2" => true,
"braces" => [ $config->setCacheFile(__DIR__ . '/.php_cs.cache');
"allow_single_line_closure" => true,
"position_after_functions_and_oop_constructs" => "same", return $config;
],
"array_syntax" => ["syntax" => "short"],
"cast_spaces" => true,
"combine_consecutive_unsets" => true,
"function_to_constant" => true,
"native_function_invocation" => true,
"no_multiline_whitespace_before_semicolons" => true,
"no_unused_imports" => true,
"no_useless_else" => true,
"no_useless_return" => true,
"no_whitespace_before_comma_in_array" => true,
"no_whitespace_in_blank_line" => true,
"non_printable_character" => true,
"normalize_index_brace" => true,
"ordered_imports" => true,
"php_unit_construct" => true,
"php_unit_dedicate_assert" => true,
"php_unit_fqcn_annotation" => true,
"phpdoc_summary" => true,
"phpdoc_types" => true,
"psr4" => true,
"return_type_declaration" => ["space_before" => "none"],
"short_scalar_cast" => true,
"single_blank_line_before_namespace" => true,
])
->setFinder(
PhpCsFixer\Finder::create()
->in(__DIR__ . "/src")
->in(__DIR__ . "/test")
);

26
.travis.yml
View File

@@ -1,26 +0,0 @@
language: php
php:
- 7.0
- 7.1
- 7.2
- nightly
cache:
directories:
- vendor
install:
- phpenv config-rm xdebug.ini || true
- composer config --global discard-changes true
- composer update
- composer require satooshi/php-coveralls dev-master --dev
- composer show --installed
script:
- find -name "*.php" -not -path "./vendor/*" -print0 | xargs -n 1 -0 php -l
- phpdbg -qrr vendor/bin/phpunit --coverage-text --coverage-clover build/logs/clover.xml
- PHP_CS_FIXER_IGNORE_ENV=1 php vendor/bin/php-cs-fixer --diff --dry-run -v fix
after_script:
- php vendor/bin/coveralls -v

2
LICENSE
View File

@@ -1,6 +1,6 @@
The MIT License (MIT) The MIT License (MIT)
Copyright (c) 2015-2017 Niklas Keller Copyright (c) 2015-2021 Niklas Keller
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal

259
README.md
View File

@@ -1,14 +1,257 @@
![`kelunik/acme-client`](./res/logo.png) ![`kelunik/acme-client`](./res/logo.png)
`kelunik/acme-client` is an ACME client written in PHP. ACME is the protocol that powers the [Let's Encrypt](https://letsencrypt.org) certificate authority. `kelunik/acme-client` is a command-line ACME client implemented in PHP, enabling the issuance and renewal of certificates via the ACME protocol used by [Let's Encrypt](https://letsencrypt.org). It supports PHP 8.1+ with OpenSSL and runs on Unix-like systems and Windows.
## Requirements ## Installation
* PHP 5.5+ with OpenSSL ### Requirements
* Works on Unix and Windows
## Documentation * PHP 8.1+ with OpenSSL
* Unix-like system or Windows
* [Installation](./doc/installation.md) ### Installation using PHAR
* [Usage](./doc/usage.md)
* [Migration guide for 0.1.x → 0.2.x](./doc/migrations/0.2.0.md) This is the preferred installation method for usage on a production system. You can download `acme-client.phar` in the [release section](https://github.com/kelunik/acme-client/releases).
#### Instructions
```bash
# Go to https://github.com/kelunik/acme-client/releases/latest
# Download the latest release archive.
# Make it executable.
chmod +x acme-client.phar
# Run it.
./acme-client.phar
# Or install it globally.
mv ./acme-client.phar /usr/local/bin/acme-client
acme-client
```
If you want to update, just replace the old `.phar` with a new one.
All commands require a `--storage` argument when using the PHAR. That's the path where your keys and certificates will be stored.
On Unix you could use something like `--storage /etc/acme`.
You can add a file named `acme-client.yml` next to the `.phar` with the two keys `storage` and `server`.
These values will be used as default if you don't specify them, but you can still use another server by explicitly adding it as argument.
```yml
# Sample YAML configuration.
# Storage directory for certificates and keys.
storage: /etc/acme
# Server to use. Available shortcuts: letsencrypt, letsencrypt:staging
# You can also use full URLs to the directory resource of an ACME server
server: letsencrypt
```
### Installation using Composer
If you plan to actively develop this client, you don't want the PHAR but install the dependencies using [Composer](https://getcomposer.org/).
#### Instructions
```bash
# Clone repository
git clone https://github.com/kelunik/acme-client && cd acme-client
# Install dependencies
composer install
```
You can use `./bin/acme` as script instead of the PHAR. Please note, that all data will be stored in `./data` as long as you don't provide the `--storage` argument.
## Usage
The client stores your account keys, domain keys and certificates in a single directory. If you're using the PHAR,
you usually configure the storage in the configuration file. If you're using it with Composer, all data is stored in `./data`.
**Be sure to backup that directory regularly.**
Before you can issue certificates, you have to register an account. You have to read and understand the terms of service
of the certificate authority you're using. For the Let's Encrypt certificate authority, there's a
[subscriber agreement](https://letsencrypt.org/repository/) you have to accept.
By using this client you agree to any agreement and any further updates by continued usage. You're responsible to react
to updates and stop the automation if you no longer agree with the terms of service.
These usage instructions assume you have installed the client globally as a PHAR. If you are using the PHAR,
but don't have it globally, replace `acme-client` with the location to your PHAR or add that path to your `$PATH` variable.
### Configuration
The client can be configured using a (global) configuration file. The client takes the first available of
`./acme-client.yml` (if running as PHAR), `$HOME/.acme-client.yml`, `/etc/acme-client.yml` (if not on Windows).
The configuration file has the following format:
```yml
# Storage directory for certificates and keys.
storage: /etc/acme
# Server to use. URL to the ACME directory.
# "letsencrypt" and "letsencrypt:staging" are valid shortcuts.
server: letsencrypt
# E-mail to use for the setup.
# This e-mail will receive expiration notices from Let's Encrypt.
email: me@example.com
# List of certificates to issue.
certificates:
# For each certificate, there are a few options.
#
# Required: paths
# Optional: bits, user
#
# paths: Map of document roots to domains. Maps each path to one or multiple
# domains. If one domain is given, it's automatically converted to an
# array. The first domain will be the common name.
#
# The client will place a file into $path/.well-known/acme-challenge/
# to verify ownership to the CA
#
# bits: Number of bits for the domain private key
#
# user: User running the web server. Challenge files are world readable,
# but some servers might require to be owner of files they serve.
#
# rekey: Regenerate certificate key pairs even if a key pair already exists.
#
- bits: 4096
rekey: true
paths:
/var/www/example:
- example.org
- www.example.org
# You can have multiple certificate with different users and key options.
- user: www-data
paths:
/var/www: example.org
```
All configuration keys are optional and can be passed as arguments directly (except for `certificates` when using `acme-client auto`).
Before you can issue certificates, you must create an account using `acme-client setup --agree-terms`.
### Certificate Issuance
You can use `acme-client auto` to issue certificates and renew them if necessary. It uses the configuration file to
determine the certificates to request. It will store certificates in the configured storage in a sub directory called `./certs`.
If everything has been successful, you'll see a message for each issued certificate. If nothing has to be renewed,
the script will be quiet to be cron friendly. If an error occurs, the script will dump all available information.
You should execute `acme-client auto` as a daily cron. It's recommended to setup e-mail notifications for all output of
that script.
Create a new script, e.g. in `/usr/local/bin/acme-renew`. The `PATH` might need to be modified to suit your system.
```bash
#!/usr/bin/env bash
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
acme-client auto
RC=$?
if [ $RC = 4 ] || [ $RC = 5 ]; then
service nginx reload
fi
```
```sh
# Cron Job Configuration
0 0 * * * /usr/local/bin/acme-renew
```
| Exit Code | Description |
|-----------|-------------|
| 0 | Nothing to do, all certificates still valid. |
| 1 | Config file invalid. |
| 2 | Issue during account setup. |
| 3 | Error during issuance. |
| 4 | Error during issuance, but some certificates could be renewed. |
| 5 | Everything fine, new certificates have been issued. |
Exit codes `4` and `5` usually need a server reload, to reload the new certificates. It's already handled in the recommended
cron setup.
If you want a more fine grained control or revoke certificates, you can have a look at the [advanced usage](./advanced-usage.md) document. The client allows to handle setup / issuance / revocation and other commands
separately from `acme-client auto`.
## Advanced Usage
Most users should use the `auto` command described above.
### Register an Account
```
acme-client setup --agree-terms --email me@example.com
```
After a successful registration you're able to issue certificates.
This client assumes you have a HTTP server setup and running.
You must have a document root setup in order to use this client.
### Issue a Certificate
```
acme-client issue -d example.com:www.example.com -p /var/www/example.com
```
You can separate multiple domains (`-d`) with `,`, `:` or `;`. You can separate multiple document roots (`-p`) with your system's path separator:
* Colon (`:`) for Unix
* Semicolon (`;`) for Windows
If you specify less paths than domains, the last one will be used for the remaining domains.
Please note that Let's Encrypt has rate limits. Currently it's five certificates per domain per seven days. If you combine multiple subdomains in a single certificate, they count as just one certificate. If you just want to test things out, you can use their staging server, which has way higher rate limits by appending `--server letsencrypt:staging`.
### Revoke a Certificate
To revoke a certificate, you need a valid account key, just like for issuance.
```
acme-client revoke --name example.com
```
`--name` is the common name of the certificate that you want to revoke.
### Renew a Certificate
For renewal, there's the `acme-client check` subcommand.
It exists with a non-zero exit code, if the certificate is going to expire soon.
Default check time is 30 days, but you can use `--ttl` to customize it.
You may use this as daily cron:
```
acme-client check --name example.com || acme-client issue ...
```
You can also use a more advanced script to automatically reload the server as well. For this example we assume you're using Nginx.
Something similar should work for Apache. But usually you shouldn't need any script, see [basic usage](./usage.md).
```bash
#!/usr/bin/env bash
acme-client check --name example.com --ttl 30
if [ $? -eq 1 ]; then
acme-client issue -d example.com:www.example.com -p /var/www
if [ $? -eq 0 ]; then
nginx -t -q
if [ $? -eq 0 ]; then
nginx -s reload
fi
fi
fi
```

21
bin/acme
View File

@@ -1,12 +1,14 @@
#!/usr/bin/env php #!/usr/bin/env php
<?php <?php
use Amp\File\BlockingDriver; use Amp\Http\Client\HttpClientBuilder;
use Amp\Loop; use Amp\Loop;
use Auryn\Injector; use Auryn\Injector;
use Kelunik\AcmeClient\AcmeFactory; use Kelunik\AcmeClient\AcmeFactory;
use Kelunik\AcmeClient\Commands\Command;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Amp\File\filesystem; use function Kelunik\AcmeClient\getBinary;
use function Kelunik\AcmeClient\suggestCommand;
$logo = <<<LOGO $logo = <<<LOGO
____ __________ ___ ___ ____ __________ ___ ___
@@ -53,7 +55,7 @@ $commands = [
'help' => 'Print this help information.', 'help' => 'Print this help information.',
]; ];
$binary = \Kelunik\AcmeClient\getBinary(); $binary = getBinary();
$help = implode(PHP_EOL, array_map(function ($command) use ($commands) { $help = implode(PHP_EOL, array_map(function ($command) use ($commands) {
$help = " <green>{$command}</green>\n"; $help = " <green>{$command}</green>\n";
@@ -83,8 +85,8 @@ if (!in_array(PHP_SAPI, ['cli', 'phpdbg'], true)) {
exit(1); exit(1);
} }
if (PHP_VERSION_ID < 70000) { if (PHP_VERSION_ID < 70400) {
$climate->yellow("You're using an older version of PHP which is no longer supported by this client. Have a look at http://php.net/supported-versions.php and upgrade at least to PHP 7.0!"); $climate->yellow("You're using an older version of PHP which is no longer supported by this client. Have a look at https://php.net/supported-versions.php and upgrade at least to PHP 7.4!");
$climate->br(2); $climate->br(2);
} }
@@ -96,7 +98,7 @@ if (count($argv) === 1 || in_array($argv[1], ['-h', 'help', '--help'], true)) {
if (!array_key_exists($argv[1], $commands)) { if (!array_key_exists($argv[1], $commands)) {
$climate->error("Unknown command '{$argv[1]}'. Use --help for a list of available commands."); $climate->error("Unknown command '{$argv[1]}'. Use --help for a list of available commands.");
$suggestion = \Kelunik\AcmeClient\suggestCommand($argv[1], array_keys($commands)); $suggestion = suggestCommand($argv[1], array_keys($commands));
if ($suggestion) { if ($suggestion) {
$climate->br()->out(" Did you mean '$suggestion'?"); $climate->br()->out(" Did you mean '$suggestion'?");
@@ -107,10 +109,7 @@ if (!array_key_exists($argv[1], $commands)) {
exit(1); exit(1);
} }
// Use blocking driver for now, as amphp/parallel doesn't work inside PHARs /** @var string|Command $class */
filesystem(new BlockingDriver);
/** @var \Kelunik\AcmeClient\Commands\Command $class */
$class = "Kelunik\\AcmeClient\\Commands\\" . ucfirst($argv[1]); $class = "Kelunik\\AcmeClient\\Commands\\" . ucfirst($argv[1]);
$definition = $class::getDefinition(); $definition = $class::getDefinition();
@@ -141,7 +140,7 @@ try {
$injector = new Injector; $injector = new Injector;
$injector->share($climate); $injector->share($climate);
$injector->share(new AcmeFactory); $injector->share(new AcmeFactory);
$injector->share(new Amp\Artax\DefaultClient); $injector->share(HttpClientBuilder::buildDefault());
$command = $injector->make($class); $command = $injector->make($class);
$exitCode = 1; $exitCode = 1;

29
composer.json
View File

@@ -11,19 +11,22 @@
"tls" "tls"
], ],
"require": { "require": {
"php": ">=7", "php": ">=7.2",
"ext-openssl": "*", "ext-openssl": "*",
"amphp/process": "^0.2", "amphp/process": "^1.1",
"kelunik/acme": "^0.5", "amphp/parallel": "^1.4",
"kelunik/acme": "^1",
"kelunik/certificate": "^1", "kelunik/certificate": "^1",
"league/climate": "^3.2", "league/climate": "^3.4",
"rdlowrey/auryn": "^1.4.2", "rdlowrey/auryn": "^1.4.4",
"webmozart/assert": "^1.2", "webmozart/assert": "^1.3",
"symfony/yaml": "^3.0" "symfony/yaml": "^5.3.2",
"amphp/log": "^1",
"ext-posix": "*"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^6", "phpunit/phpunit": "^8 || ^9",
"friendsofphp/php-cs-fixer": "^2.9", "amphp/php-cs-fixer-config": "dev-master",
"macfja/phar-builder": "^0.2.6" "macfja/phar-builder": "^0.2.6"
}, },
"license": "MIT", "license": "MIT",
@@ -43,7 +46,7 @@
}, },
"config": { "config": {
"platform": { "platform": {
"php": "7.0.0" "php": "7.4.0"
} }
}, },
"extra": { "extra": {
@@ -51,7 +54,11 @@
"compression": "GZip", "compression": "GZip",
"name": "acme-client.phar", "name": "acme-client.phar",
"output-dir": "build", "output-dir": "build",
"include": ["info", "src", "vendor/kelunik/acme/res"], "include": [
"info",
"src",
"vendor/kelunik/acme/res"
],
"include-dev": false, "include-dev": false,
"skip-shebang": false, "skip-shebang": false,
"entry-point": "bin/acme", "entry-point": "bin/acme",

5299
composer.lock generated
View File

File diff suppressed because it is too large Load Diff

70
doc/advanced-usage.md
View File

@@ -1,70 +0,0 @@
## Advanced Usage
Please read the document about [basic usage](./usage.md) first.
## Register an Account
```
acme-client setup --email me@example.com
```
After a successful registration you're able to issue certificates.
This client assumes you have a HTTP server setup and running.
You must have a document root setup in order to use this client.
## Issue a Certificate
```
acme-client issue -d example.com:www.example.com -p /var/www/example.com
```
You can separate multiple domains (`-d`) with `,`, `:` or `;`. You can separate multiple document roots (`-p`) with your system's path separator:
* Colon (`:`) for Unix
* Semicolon (`;`) for Windows
If you specify less paths than domains, the last one will be used for the remaining domains.
Please note that Let's Encrypt has rate limits. Currently it's five certificates per domain per seven days. If you combine multiple subdomains in a single certificate, they count as just one certificate. If you just want to test things out, you can use their staging server, which has way higher rate limits by appending `--s letsencrypt:staging`.
## Revoke a Certificate
To revoke a certificate, you need a valid account key, just like for issuance.
```
acme-client revoke --name example.com
```
`--name` is the common name of the certificate that you want to revoke.
## Renew a Certificate
For renewal, there's the `acme-client check` subcommand.
It exists with a non-zero exit code, if the certificate is going to expire soon.
Default check time is 30 days, but you can use `--ttl` to customize it.
You may use this as daily cron:
```
acme-client check --name example.com || acme-client issue ...
```
You can also use a more advanced script to automatically reload the server as well. For this example we assume you're using Nginx.
Something similar should work for Apache. But usually you shouldn't need any script, see [basic usage](./usage.md).
```bash
#!/usr/bin/env bash
acme-client check --name example.com --ttl 30
if [ $? -eq 1 ]; then
acme-client issue -d example.com:www.example.com -p /var/www
if [ $? -eq 0 ]; then
nginx -t -q
if [ $? -eq 0 ]; then
nginx -s reload
fi
fi
fi
```

66
doc/installation.md
View File

@@ -1,66 +0,0 @@
# Installation
## Installation using Phar
This is the preferred installation method for usage on a production system. You can download `acme-client.phar` in the [release section](https://github.com/kelunik/acme-client/releases).
### Requirements
* PHP 5.5+
### Instructions
```bash
# Go to https://github.com/kelunik/acme-client/releases/latest
# Download the latest release archive.
# Make it executable.
chmod +x acme-client.phar
# Run it.
./acme-client.phar
# Or install it globally.
mv ./acme-client.phar /usr/local/bin/acme-client
acme-client
```
If you want to update, just replace the old `.phar` with a new one.
All commands require a `--storage` argument when using the Phar. That's the path where your keys and certificates will be stored.
On Unix you could use something like `--storage /etc/acme`.
You can add a file named `acme-client.yml` next to the `.phar` with the two keys `storage` and `server`.
These values will be used as default if you don't specify them, but you can still use another server by explicitly adding it as argument.
```yml
# Sample YAML configuration.
# Storage directory for certificates and keys.
storage: /etc/acme
# Server to use. Available shortcuts: letsencrypt, letsencrypt:staging
# You can also use full URLs to the directory resource of an ACME server
server: letsencrypt
```
## Installation using Composer
If you plan to actively develop this client, you probably don't want the Phar but install the dependencies using Composer.
### Requirements
* PHP 5.5+
* [Composer](https://getcomposer.org/)
### Instructions
```bash
# Clone repository
git clone https://github.com/kelunik/acme-client && cd acme-client
# Install dependencies
composer install
```
You can use `./bin/acme` as script instead of the Phar. Please note, that all data will be stored in `./data` as long as you don't provide the `--storage` argument.

43
doc/migrations/0.2.0.md
View File

@@ -1,43 +0,0 @@
# Migration from 0.1.x to 0.2.x
If you used this client before `0.2.0`, you have a different directory structure than the current one. If you want to upgrade, but keep all your data, here's a migration guide.
```bash
# Start in ./data
cd data
# Move your account key to new location:
mkdir accounts
mv account/key.pem accounts/acme-v01.api.letsencrypt.org.directory.pem
# or accounts/acme-staging.api.letsencrypt.org.directory.pem if it's a staging key
# account should now be empty or contain just a config.json, you can delete the folder then
rm -rf account
# Migrate certificates to new location:
cd certs
mkdir acme-v01.api.letsencrypt.org.directory
# Move all your certificate directories
# Repeat for all directories!
mv example.com acme-v01.api.letsencrypt.org.directory
# or acme-staging.api.letsencrypt.org.directory
# Delete all config.json files which may exist
find -name "config.json" | xargs rm
# Update to current version
# Alternatively have a look at the new installation instructions and use the Phar
git checkout master && git pull
# Check out latest release
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
# Update dependencies
composer update --no-dev
# Reconfigure your webserver to use the new paths
# and check (and fix) your automation commands.
```

5
doc/migrations/0.3.0.md
View File

@@ -1,5 +0,0 @@
# Migration from 0.2.x to 0.3.x
If you used this client before `0.3.0` via the command line, nothing should change with this release. It is an internal rewrite to Amp v2, which is the underlying concurrency framework.
If you're depending on this package's internals, some things might have changed slightly. A detailed changelog can't be provided. My focus is the public command line API.

114
doc/usage.md
View File

@@ -1,114 +0,0 @@
# Basic Usage
The client stores your account keys, domain keys and certificates in a single directory. If you're using the PHAR,
you usually configure the storage in the configuration file. If you're using it with Composer, all data is stored in `./data`.
**Be sure to backup that directory regularly.**
Before you can issue certificates, you have to register an account. You have to read and understand the terms of service
of the certificate authority you're using. For the Let's Encrypt certificate authority, there's a
[subscriber agreement](https://letsencrypt.org/repository/) you have to accept.
By using this client you agree to any agreement and any further updates by continued usage. You're responsible to react
to updates and stop the automation if you no longer agree with the terms of service.
These usage instructions assume you have installed the client globally as a PHAR. If you are using the PHAR,
but don't have it globally, replace `acme-client` with the location to your PHAR or add that path to your `$PATH` variable.
## Configuration
The client can be configured using a (global) configuration file. The client takes the first available of
`./acme-client.yml` (if running as PHAR), `$HOME/.acme-client.yml`, `/etc/acme-client.yml` (if not on Windows).
The configuration file has the following format:
```yml
# Storage directory for certificates and keys.
storage: /etc/acme
# Server to use. URL to the ACME directory.
# "letsencrypt" and "letsencrypt:staging" are valid shortcuts.
server: letsencrypt
# E-mail to use for the setup.
# This e-mail will receive expiration notices from Let's Encrypt.
email: me@example.com
# List of certificates to issue.
certificates:
# For each certificate, there are a few options.
#
# Required: paths
# Optional: bits, user
#
# paths: Map of document roots to domains. Maps each path to one or multiple
# domains. If one domain is given, it's automatically converted to an
# array. The first domain will be the common name.
#
# The client will place a file into $path/.well-known/acme-challenge/
# to verify ownership to the CA
#
# bits: Number of bits for the domain private key
#
# user: User running the web server. Challenge files are world readable,
# but some servers might require to be owner of files they serve.
#
- bits: 4096
paths:
/var/www/example:
- example.org
- www.example.org
# You can have multiple certificate with different users and key options.
- user: www-data
paths:
/var/www: example.org
```
All configuration keys are optional and can be passed as arguments directly (except for `certificates` when using `acme-client auto`).
## Certificate Issuance
You can use `acme-client auto` to issue certificates and renew them if necessary. It uses the configuration file to
determine the certificates to request. It will store certificates in the configured storage in a sub directory called `./certs`.
If everything has been successful, you'll see a message for each issued certificate. If nothing has to be renewed,
the script will be quiet to be cron friendly. If an error occurs, the script will dump all available information.
You should execute `acme-client auto` as a daily cron. It's recommended to setup e-mail notifications for all output of
that script.
Create a new script, e.g. in `/usr/local/bin/acme-renew`. The `PATH` might need to be modified to suit your system.
```bash
#!/usr/bin/env bash
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
acme-client auto
RC=$?
if [ $RC = 4 ] || [ $RC = 5 ]; then
service nginx reload
fi
```
```sh
# Cron Job Configuration
0 0 * * * /usr/local/bin/acme-renew
```
| Exit Code | Description |
|-----------|-------------|
| 0 | Nothing to do, all certificates still valid. |
| 1 | Config file invalid. |
| 2 | Issue during account setup. |
| 3 | Error during issuance. |
| 4 | Error during issuance, but some certificates could be renewed. |
| 5 | Everything fine, new certificates have been issued. |
Exit codes `4` and `5` usually need a server reload, to reload the new certificates. It's already handled in the recommended
cron setup.
If you want a more fine grained control or revoke certificates, you can have a look at the [advanced usage](./advanced-usage.md) document. The client allows to handle setup / issuance / revocation and other commands
separately from `acme-client auto`.

20
src/AcmeFactory.php
View File

@@ -2,12 +2,26 @@
namespace Kelunik\AcmeClient; namespace Kelunik\AcmeClient;
use Amp\Log\ConsoleFormatter;
use Amp\Log\StreamHandler;
use Kelunik\Acme\AcmeClient; use Kelunik\Acme\AcmeClient;
use Kelunik\Acme\AcmeService; use Kelunik\Acme\AcmeService;
use Kelunik\Acme\Crypto\PrivateKey; use Kelunik\Acme\Crypto\PrivateKey;
use Monolog\Logger;
use Monolog\Processor\PsrLogMessageProcessor;
use function Amp\ByteStream\getStderr;
class AcmeFactory { class AcmeFactory
public function build(string $directory, PrivateKey $keyPair): AcmeService { {
return new AcmeService(new AcmeClient($directory, $keyPair)); public function build(string $directory, PrivateKey $keyPair): AcmeService
{
$handler = new StreamHandler(getStderr());
$handler->setFormatter(new ConsoleFormatter(null, null, true, true));
$logger = new Logger('acme');
$logger->pushProcessor(new PsrLogMessageProcessor);
$logger->pushHandler($handler);
return new AcmeService(new AcmeClient($directory, $keyPair, null, null, $logger), $logger);
} }
} }

126
src/Commands/Auto.php
View File

@@ -2,7 +2,6 @@
namespace Kelunik\AcmeClient\Commands; namespace Kelunik\AcmeClient\Commands;
use Amp\ByteStream\Message;
use Amp\File; use Amp\File;
use Amp\File\FilesystemException; use Amp\File\FilesystemException;
use Amp\Process\Process; use Amp\Process\Process;
@@ -14,32 +13,65 @@ use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use Symfony\Component\Yaml\Exception\ParseException; use Symfony\Component\Yaml\Exception\ParseException;
use Symfony\Component\Yaml\Yaml; use Symfony\Component\Yaml\Yaml;
use function Amp\ByteStream\buffer;
use function Amp\call; use function Amp\call;
class Auto implements Command { class Auto implements Command
const EXIT_CONFIG_ERROR = 1; {
const EXIT_SETUP_ERROR = 2; private const EXIT_CONFIG_ERROR = 1;
const EXIT_ISSUANCE_ERROR = 3; private const EXIT_SETUP_ERROR = 2;
const EXIT_ISSUANCE_PARTIAL = 4; private const EXIT_ISSUANCE_ERROR = 3;
const EXIT_ISSUANCE_OK = 5; private const EXIT_ISSUANCE_PARTIAL = 4;
private const EXIT_ISSUANCE_OK = 5;
const STATUS_NO_CHANGE = 0; private const STATUS_NO_CHANGE = 0;
const STATUS_RENEWED = 1; private const STATUS_RENEWED = 1;
public static function getDefinition(): array
{
$server = AcmeClient\getArgumentDescription('server');
$storage = AcmeClient\getArgumentDescription('storage');
$server['required'] = false;
$storage['required'] = false;
$args = [
'server' => $server,
'storage' => $storage,
'config' => [
'prefix' => 'c',
'longPrefix' => 'config',
'description' => 'Configuration file to read.',
'required' => true,
],
];
$configPath = AcmeClient\getConfigPath();
if ($configPath) {
$args['config']['required'] = false;
$args['config']['defaultValue'] = $configPath;
}
return $args;
}
private $climate; private $climate;
public function __construct(CLImate $climate) { public function __construct(CLImate $climate)
{
$this->climate = $climate; $this->climate = $climate;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$configPath = $args->get('config'); $configPath = $args->get('config');
try { try {
/** @var array $config */ /** @var array $config */
$config = Yaml::parse( $config = Yaml::parse(
yield File\get($configPath) yield File\read($configPath)
); );
} catch (FilesystemException $e) { } catch (FilesystemException $e) {
$this->climate->error("Config file ({$configPath}) not found."); $this->climate->error("Config file ({$configPath}) not found.");
@@ -86,6 +118,13 @@ class Auto implements Command {
return self::EXIT_CONFIG_ERROR; return self::EXIT_CONFIG_ERROR;
} }
foreach ($config['certificates'] as $certificateConfig) {
if (isset($certificateConfig['rekey']) && !\is_bool($certificateConfig['rekey'])) {
$this->climate->error("Config file ({$configPath}) defines an invalid 'rekey' value.");
return self::EXIT_CONFIG_ERROR;
}
}
$concurrency = isset($config['challenge-concurrency']) ? (int) $config['challenge-concurrency'] : null; $concurrency = isset($config['challenge-concurrency']) ? (int) $config['challenge-concurrency'] : null;
$process = new Process([ $process = new Process([
@@ -105,8 +144,8 @@ class Auto implements Command {
if ($exit !== 0) { if ($exit !== 0) {
$this->climate->error("Registration failed ({$exit})"); $this->climate->error("Registration failed ({$exit})");
$this->climate->br()->out(yield new Message($process->getStdout())); $this->climate->br()->out(yield buffer($process->getStdout()));
$this->climate->br()->error(yield new Message($process->getStderr())); $this->climate->br()->error(yield buffer($process->getStderr()));
return self::EXIT_SETUP_ERROR; return self::EXIT_SETUP_ERROR;
} }
@@ -140,7 +179,10 @@ class Auto implements Command {
foreach ($values as $i => $value) { foreach ($values as $i => $value) {
if ($value === self::STATUS_RENEWED) { if ($value === self::STATUS_RENEWED) {
$certificate = $config['certificates'][$i]; $certificate = $config['certificates'][$i];
$this->climate->info('Certificate for ' . \implode(', ', \array_keys($this->toDomainPathMap($certificate['paths']))) . ' successfully renewed.'); $this->climate->info('Certificate for ' . \implode(
', ',
\array_keys($this->toDomainPathMap($certificate['paths']))
) . ' successfully renewed.');
} }
} }
} }
@@ -148,7 +190,10 @@ class Auto implements Command {
if ($status['failure'] > 0) { if ($status['failure'] > 0) {
foreach ($errors as $i => $error) { foreach ($errors as $i => $error) {
$certificate = $config['certificates'][$i]; $certificate = $config['certificates'][$i];
$this->climate->error('Issuance for the following domains failed: ' . \implode(', ', \array_keys($this->toDomainPathMap($certificate['paths'])))); $this->climate->error('Issuance for the following domains failed: ' . \implode(
', ',
\array_keys($this->toDomainPathMap($certificate['paths']))
));
$this->climate->error("Reason: {$error}"); $this->climate->error("Reason: {$error}");
} }
@@ -175,12 +220,16 @@ class Auto implements Command {
* @throws AcmeException if something does wrong * @throws AcmeException if something does wrong
* @throws \Throwable * @throws \Throwable
*/ */
private function checkAndIssue(array $certificate, string $server, string $storage, int $concurrency = null): \Generator { private function checkAndIssue(
array $certificate,
string $server,
string $storage,
int $concurrency = null
): \Generator {
$domainPathMap = $this->toDomainPathMap($certificate['paths']); $domainPathMap = $this->toDomainPathMap($certificate['paths']);
$domains = \array_keys($domainPathMap); $domains = \array_keys($domainPathMap);
$commonName = \reset($domains); $commonName = \reset($domains);
$processArgs = [
$process = new Process([
PHP_BINARY, PHP_BINARY,
$GLOBALS['argv'][0], $GLOBALS['argv'][0],
'check', 'check',
@@ -192,7 +241,13 @@ class Auto implements Command {
$commonName, $commonName,
'--names', '--names',
\implode(',', $domains), \implode(',', $domains),
]); ];
if ($certificate['rekey'] ?? false) {
$processArgs[] = '--rekey';
}
$process = new Process($processArgs);
$process->start(); $process->start();
$exit = yield $process->join(); $exit = yield $process->join();
@@ -249,7 +304,8 @@ class Auto implements Command {
throw new AcmeException("Unexpected exit code ({$exit}) for '{$process->getCommand()}'."); throw new AcmeException("Unexpected exit code ({$exit}) for '{$process->getCommand()}'.");
} }
private function toDomainPathMap(array $paths) { private function toDomainPathMap(array $paths)
{
$result = []; $result = [];
foreach ($paths as $path => $domains) { foreach ($paths as $path => $domains) {
@@ -302,32 +358,4 @@ MESSAGE;
return $result; return $result;
} }
public static function getDefinition(): array {
$server = AcmeClient\getArgumentDescription('server');
$storage = AcmeClient\getArgumentDescription('storage');
$server['required'] = false;
$storage['required'] = false;
$args = [
'server' => $server,
'storage' => $storage,
'config' => [
'prefix' => 'c',
'longPrefix' => 'config',
'description' => 'Configuration file to read.',
'required' => true,
],
];
$configPath = AcmeClient\getConfigPath();
if ($configPath) {
$args['config']['required'] = false;
$args['config']['defaultValue'] = $configPath;
}
return $args;
}
} }

62
src/Commands/Check.php
View File

@@ -10,15 +10,43 @@ use Kelunik\Certificate\Certificate;
use League\CLImate\Argument\Manager; use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Amp\call; use function Amp\call;
use function Kelunik\AcmeClient\getArgumentDescription;
class Check implements Command
{
public static function getDefinition(): array
{
return [
'server' => getArgumentDescription('server'),
'storage' => getArgumentDescription('storage'),
'name' => [
'longPrefix' => 'name',
'description' => 'Common name of the certificate to check.',
'required' => true,
],
'ttl' => [
'longPrefix' => 'ttl',
'description' => 'Minimum valid time in days.',
'defaultValue' => 30,
'castTo' => 'int',
],
'names' => [
'longPrefix' => 'names',
'description' => 'Names that must be covered by the certificate identified based on the common name. Names have to be separated by commas.',
'required' => false,
],
];
}
class Check implements Command {
private $climate; private $climate;
public function __construct(CLImate $climate) { public function __construct(CLImate $climate)
{
$this->climate = $climate; $this->climate = $climate;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$server = AcmeClient\resolveServer($args->get('server')); $server = AcmeClient\resolveServer($args->get('server'));
$server = AcmeClient\serverToKeyname($server); $server = AcmeClient\serverToKeyname($server);
@@ -44,7 +72,10 @@ class Check implements Command {
$missingNames = \array_diff($names, $cert->getNames()); $missingNames = \array_diff($names, $cert->getNames());
if ($missingNames) { if ($missingNames) {
$this->climate->comment(' The following names are not covered: ' . \implode(', ', $missingNames))->br(); $this->climate->comment(' The following names are not covered: ' . \implode(
', ',
$missingNames
))->br();
return 1; return 1;
} }
@@ -59,27 +90,4 @@ class Check implements Command {
return 1; return 1;
}); });
} }
public static function getDefinition(): array {
return [
'server' => \Kelunik\AcmeClient\getArgumentDescription('server'),
'storage' => \Kelunik\AcmeClient\getArgumentDescription('storage'),
'name' => [
'longPrefix' => 'name',
'description' => 'Common name of the certificate to check.',
'required' => true,
],
'ttl' => [
'longPrefix' => 'ttl',
'description' => 'Minimum valid time in days.',
'defaultValue' => 30,
'castTo' => 'int',
],
'names' => [
'longPrefix' => 'names',
'description' => 'Names that must be covered by the certificate identified based on the common name. Names have to be separated by commas.',
'required' => false,
],
];
}
} }

3
src/Commands/Command.php
View File

@@ -5,7 +5,8 @@ namespace Kelunik\AcmeClient\Commands;
use Amp\Promise; use Amp\Promise;
use League\CLImate\Argument\Manager; use League\CLImate\Argument\Manager;
interface Command { interface Command
{
public function execute(Manager $args): Promise; public function execute(Manager $args): Promise;
public static function getDefinition(): array; public static function getDefinition(): array;

216
src/Commands/Issue.php
View File

@@ -10,6 +10,9 @@ use Kelunik\Acme\Crypto\Backend\OpensslBackend;
use Kelunik\Acme\Crypto\PrivateKey; use Kelunik\Acme\Crypto\PrivateKey;
use Kelunik\Acme\Crypto\RsaKeyGenerator; use Kelunik\Acme\Crypto\RsaKeyGenerator;
use Kelunik\Acme\Csr\OpensslCsrGenerator; use Kelunik\Acme\Csr\OpensslCsrGenerator;
use Kelunik\Acme\Protocol\Authorization;
use Kelunik\Acme\Protocol\Challenge;
use Kelunik\Acme\Protocol\Order;
use Kelunik\Acme\Verifiers\Http01; use Kelunik\Acme\Verifiers\Http01;
use Kelunik\AcmeClient; use Kelunik\AcmeClient;
use Kelunik\AcmeClient\AcmeFactory; use Kelunik\AcmeClient\AcmeFactory;
@@ -21,17 +24,66 @@ use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Amp\call; use function Amp\call;
use function Kelunik\Acme\generateKeyAuthorization; use function Kelunik\Acme\generateKeyAuthorization;
use function Kelunik\AcmeClient\getArgumentDescription;
use function Kelunik\AcmeClient\normalizePath;
use function Kelunik\AcmeClient\resolveServer;
use function Kelunik\AcmeClient\serverToKeyname;
class Issue implements Command
{
public static function getDefinition(): array
{
return [
'server' => getArgumentDescription('server'),
'storage' => getArgumentDescription('storage'),
'domains' => [
'prefix' => 'd',
'longPrefix' => 'domains',
'description' => 'Colon / Semicolon / Comma separated list of domains to request a certificate for.',
'required' => true,
],
'path' => [
'prefix' => 'p',
'longPrefix' => 'path',
'description' => 'Colon (Unix) / Semicolon (Windows) separated list of paths to the document roots. The last one will be used for all remaining ones if fewer than the amount of domains is given.',
'required' => true,
],
'user' => [
'prefix' => 'u',
'longPrefix' => 'user',
'description' => 'User running the web server.',
],
'bits' => [
'longPrefix' => 'bits',
'description' => 'Length of the private key in bit.',
'defaultValue' => 2048,
'castTo' => 'int',
],
'challenge-concurrency' => [
'longPrefix' => 'challenge-concurrency',
'description' => 'Number of challenges to be solved concurrently.',
'defaultValue' => 10,
'castTo' => 'int',
],
'rekey' => [
'longPrefix' => 'rekey',
'description' => 'Regenerate the key pair even if a key pair already exists.',
'noValue' => true,
],
];
}
class Issue implements Command {
private $climate; private $climate;
private $acmeFactory; private $acmeFactory;
public function __construct(CLImate $climate, AcmeFactory $acmeFactory) { public function __construct(CLImate $climate, AcmeFactory $acmeFactory)
{
$this->climate = $climate; $this->climate = $climate;
$this->acmeFactory = $acmeFactory; $this->acmeFactory = $acmeFactory;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$user = null; $user = null;
@@ -68,10 +120,10 @@ class Issue implements Command {
); );
} }
$keyStore = new KeyStore(\Kelunik\AcmeClient\normalizePath($args->get('storage'))); $keyStore = new KeyStore(normalizePath($args->get('storage')));
$server = \Kelunik\AcmeClient\resolveServer($args->get('server')); $server = resolveServer($args->get('server'));
$keyFile = \Kelunik\AcmeClient\serverToKeyname($server); $keyFile = serverToKeyname($server);
try { try {
$key = yield $keyStore->get("accounts/{$keyFile}.pem"); $key = yield $keyStore->get("accounts/{$keyFile}.pem");
@@ -84,10 +136,41 @@ class Issue implements Command {
$acme = $this->acmeFactory->build($server, $key); $acme = $this->acmeFactory->build($server, $key);
$concurrency = \min(20, \max($args->get('challenge-concurrency'), 1)); $concurrency = \min(20, \max($args->get('challenge-concurrency'), 1));
/** @var Order $order */
$order = yield $acme->newOrder($domains);
/** @var \Throwable[] $errors */ /** @var \Throwable[] $errors */
list($errors) = yield AcmeClient\concurrentMap($concurrency, $domains, function ($domain, $i) use ($acme, $key, $docRoots, $user) { [$errors] = yield AcmeClient\concurrentMap(
return $this->solveChallenge($acme, $key, $domain, $docRoots[$i], $user); $concurrency,
}); $order->getAuthorizationUrls(),
function ($authorizationUrl) use ($acme, $key, $domains, $docRoots, $user) {
/** @var Authorization $authorization */
$authorization = yield $acme->getAuthorization($authorizationUrl);
if ($authorization->getIdentifier()->getType() !== 'dns') {
throw new AcmeException('Invalid identifier: ' . $authorization->getIdentifier()->getType());
}
$name = $authorization->getIdentifier()->getValue();
if ($authorization->isWildcard()) {
$name .= '*.';
}
$index = \array_search($name, $domains, true);
if ($index === false) {
throw new AcmeException('Unknown identifier returned: ' . $name);
}
return yield from $this->solveChallenge(
$acme,
$key,
$authorization,
$name,
$docRoots[$index],
$user
);
}
);
if ($errors) { if ($errors) {
foreach ($errors as $error) { foreach ($errors as $error) {
@@ -97,14 +180,22 @@ class Issue implements Command {
throw new AcmeException('Issuance failed, not all challenges could be solved.'); throw new AcmeException('Issuance failed, not all challenges could be solved.');
} }
$path = 'certs/' . $keyFile . '/' . \reset($domains) . '/key.pem'; yield $acme->pollForOrderReady($order->getUrl());
$keyPath = 'certs/' . $keyFile . '/' . \reset($domains) . '/key.pem';
$bits = $args->get('bits'); $bits = $args->get('bits');
$regenerateKey = $args->get('rekey');
try { try {
$key = yield $keyStore->get($path); $key = yield $keyStore->get($keyPath);
} catch (KeyStoreException $e) { } catch (KeyStoreException $e) {
$regenerateKey = true;
}
if ($regenerateKey) {
$this->climate->whisper(' Generating new key pair ...');
$key = (new RsaKeyGenerator($bits))->generateKey(); $key = (new RsaKeyGenerator($bits))->generateKey();
$key = yield $keyStore->put($path, $key);
} }
$this->climate->br(); $this->climate->br();
@@ -112,11 +203,18 @@ class Issue implements Command {
$csr = yield (new OpensslCsrGenerator)->generateCsr($key, $domains); $csr = yield (new OpensslCsrGenerator)->generateCsr($key, $domains);
$location = yield $acme->requestCertificate($csr); yield $acme->finalizeOrder($order->getFinalizationUrl(), $csr);
$certificates = yield $acme->pollForCertificate($location); yield $acme->pollForOrderValid($order->getUrl());
$path = AcmeClient\normalizePath($args->get('storage')) . '/certs/' . $keyFile; /** @var Order $order */
$order = yield $acme->getOrder($order->getUrl());
$certificates = yield $acme->downloadCertificates($order->getCertificateUrl());
$path = normalizePath($args->get('storage')) . '/certs/' . $keyFile;
$certificateStore = new CertificateStore($path); $certificateStore = new CertificateStore($path);
yield $keyStore->put($keyPath, $key);
yield $certificateStore->put($certificates); yield $certificateStore->put($certificates);
$this->climate->info(' Successfully issued certificate.'); $this->climate->info(' Successfully issued certificate.');
@@ -127,17 +225,20 @@ class Issue implements Command {
}); });
} }
private function solveChallenge(AcmeService $acme, PrivateKey $key, string $domain, string $path, string $user = null): \Generator { private function solveChallenge(
list($location, $challenges) = yield $acme->requestChallenges($domain); AcmeService $acme,
$goodChallenges = $this->findSuitableCombination($challenges); PrivateKey $key,
Authorization $authorization,
if (empty($goodChallenges)) { string $domain,
string $path,
string $user = null
): \Generator {
$httpChallenge = $this->findHttpChallenge($authorization);
if ($httpChallenge === null) {
throw new AcmeException("Couldn't find any combination of challenges which this client can solve!"); throw new AcmeException("Couldn't find any combination of challenges which this client can solve!");
} }
$challenge = $challenges->challenges[\reset($goodChallenges)]; $token = $httpChallenge->getToken();
$token = $challenge->token;
if (!\preg_match('#^[a-zA-Z0-9-_]+$#', $token)) { if (!\preg_match('#^[a-zA-Z0-9-_]+$#', $token)) {
throw new AcmeException('Protocol violation: Invalid Token!'); throw new AcmeException('Protocol violation: Invalid Token!');
} }
@@ -152,8 +253,8 @@ class Issue implements Command {
yield $challengeStore->put($token, $payload, $user); yield $challengeStore->put($token, $payload, $user);
yield (new Http01)->verifyChallenge($domain, $token, $payload); yield (new Http01)->verifyChallenge($domain, $token, $payload);
yield $acme->answerChallenge($challenge->uri, $payload); yield $acme->finalizeChallenge($httpChallenge->getUrl());
yield $acme->pollForChallenge($location); yield $acme->pollForAuthorization($authorization->getUrl());
$this->climate->comment(" {$domain} is now authorized."); $this->climate->comment(" {$domain} is now authorized.");
} finally { } finally {
@@ -161,17 +262,17 @@ class Issue implements Command {
} }
} }
private function checkDnsRecords(array $domains): \Generator { private function checkDnsRecords(array $domains): \Generator
{
$promises = AcmeClient\concurrentMap(10, $domains, function (string $domain): Promise { $promises = AcmeClient\concurrentMap(10, $domains, function (string $domain): Promise {
return Dns\resolve($domain); return Dns\resolve($domain);
}); });
list($errors) = yield Promise\any($promises); [$errors] = yield Promise\any($promises);
if ($errors) { if ($errors) {
$failedDomains = \implode(', ', \array_keys($errors)); $failedDomains = \implode(', ', \array_keys($errors));
$reasons = \implode("\n\n", \array_map(function ($exception) { $reasons = \implode("\n\n", \array_map(static function (\Throwable $exception) {
/** @var \Throwable $exception */
return \get_class($exception) . ': ' . $exception->getMessage(); return \get_class($exception) . ': ' . $exception->getMessage();
}, $errors)); }, $errors));
@@ -179,59 +280,16 @@ class Issue implements Command {
} }
} }
private function findSuitableCombination(\stdClass $response): array { private function findHttpChallenge(Authorization $authorization): ?Challenge
$challenges = $response->challenges ?? []; {
$combinations = $response->combinations ?? []; $challenges = $authorization->getChallenges();
$goodChallenges = [];
foreach ($challenges as $i => $challenge) { foreach ($challenges as $challenge) {
if ($challenge->type === 'http-01') { if ($challenge->getType() === 'http-01') {
$goodChallenges[] = $i; return $challenge;
} }
} }
foreach ($goodChallenges as $i => $challenge) { return null;
if (!\in_array([$challenge], $combinations, true)) {
unset($goodChallenges[$i]);
}
}
return $goodChallenges;
}
public static function getDefinition(): array {
return [
'server' => AcmeClient\getArgumentDescription('server'),
'storage' => AcmeClient\getArgumentDescription('storage'),
'domains' => [
'prefix' => 'd',
'longPrefix' => 'domains',
'description' => 'Colon / Semicolon / Comma separated list of domains to request a certificate for.',
'required' => true,
],
'path' => [
'prefix' => 'p',
'longPrefix' => 'path',
'description' => 'Colon (Unix) / Semicolon (Windows) separated list of paths to the document roots. The last one will be used for all remaining ones if fewer than the amount of domains is given.',
'required' => true,
],
'user' => [
'prefix' => 'u',
'longPrefix' => 'user',
'description' => 'User running the web server.',
],
'bits' => [
'longPrefix' => 'bits',
'description' => 'Length of the private key in bit.',
'defaultValue' => 2048,
'castTo' => 'int',
],
'challenge-concurrency' => [
'longPrefix' => 'challenge-concurrency',
'description' => 'Number of challenges to be solved concurrently.',
'defaultValue' => 10,
'castTo' => 'int',
],
];
} }
} }

36
src/Commands/Revoke.php
View File

@@ -14,16 +14,32 @@ use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Amp\call; use function Amp\call;
class Revoke implements Command { class Revoke implements Command
{
public static function getDefinition(): array
{
return [
'server' => AcmeClient\getArgumentDescription('server'),
'storage' => AcmeClient\getArgumentDescription('storage'),
'name' => [
'longPrefix' => 'name',
'description' => 'Common name of the certificate to be revoked.',
'required' => true,
],
];
}
private $climate; private $climate;
private $acmeFactory; private $acmeFactory;
public function __construct(CLImate $climate, AcmeFactory $acmeFactory) { public function __construct(CLImate $climate, AcmeFactory $acmeFactory)
{
$this->climate = $climate; $this->climate = $climate;
$this->acmeFactory = $acmeFactory; $this->acmeFactory = $acmeFactory;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$keyStore = new KeyStore(AcmeClient\normalizePath($args->get('storage'))); $keyStore = new KeyStore(AcmeClient\normalizePath($args->get('storage')));
@@ -39,7 +55,7 @@ class Revoke implements Command {
$path = AcmeClient\normalizePath($args->get('storage')) . '/certs/' . $keyFile . '/' . $args->get('name') . '/cert.pem'; $path = AcmeClient\normalizePath($args->get('storage')) . '/certs/' . $keyFile . '/' . $args->get('name') . '/cert.pem';
try { try {
$pem = yield File\get($path); $pem = yield File\read($path);
$cert = new Certificate($pem); $cert = new Certificate($pem);
} catch (FilesystemException $e) { } catch (FilesystemException $e) {
throw new \RuntimeException("There's no such certificate (" . $path . ')'); throw new \RuntimeException("There's no such certificate (" . $path . ')');
@@ -63,16 +79,4 @@ class Revoke implements Command {
return 0; return 0;
}); });
} }
public static function getDefinition(): array {
return [
'server' => AcmeClient\getArgumentDescription('server'),
'storage' => AcmeClient\getArgumentDescription('storage'),
'name' => [
'longPrefix' => 'name',
'description' => 'Common name of the certificate to be revoked.',
'required' => true,
],
];
}
} }

96
src/Commands/Setup.php
View File

@@ -5,11 +5,10 @@ namespace Kelunik\AcmeClient\Commands;
use Amp\Dns; use Amp\Dns;
use Amp\Dns\NoRecordException; use Amp\Dns\NoRecordException;
use Amp\Dns\Record; use Amp\Dns\Record;
use Amp\Dns\ResolutionException;
use Amp\Promise; use Amp\Promise;
use Kelunik\Acme\AcmeException; use Kelunik\Acme\AcmeException;
use Kelunik\Acme\Crypto\RsaKeyGenerator; use Kelunik\Acme\Crypto\RsaKeyGenerator;
use Kelunik\Acme\Registration; use Kelunik\Acme\Protocol\Account;
use Kelunik\AcmeClient; use Kelunik\AcmeClient;
use Kelunik\AcmeClient\AcmeFactory; use Kelunik\AcmeClient\AcmeFactory;
use Kelunik\AcmeClient\Stores\KeyStore; use Kelunik\AcmeClient\Stores\KeyStore;
@@ -18,28 +17,66 @@ use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use Symfony\Component\Yaml\Yaml; use Symfony\Component\Yaml\Yaml;
use function Amp\call; use function Amp\call;
use function Kelunik\AcmeClient\normalizePath;
use function Kelunik\AcmeClient\resolveServer;
use function Kelunik\AcmeClient\serverToKeyname;
class Setup implements Command
{
public static function getDefinition(): array
{
$args = [
'server' => AcmeClient\getArgumentDescription('server'),
'storage' => AcmeClient\getArgumentDescription('storage'),
'email' => [
'longPrefix' => 'email',
'description' => 'E-mail for important issues, will be sent to the ACME server.',
'required' => true,
],
'agree-terms' => [
'longPrefix' => 'agree-terms',
'description' => 'Agree to terms of service of the configured ACME server.',
'defaultValue' => false,
'noValue' => true,
],
];
$configPath = AcmeClient\getConfigPath();
if ($configPath) {
$config = Yaml::parse(\file_get_contents($configPath));
if (isset($config['email']) && \is_string($config['email'])) {
$args['email']['required'] = false;
$args['email']['defaultValue'] = $config['email'];
}
}
return $args;
}
class Setup implements Command {
private $climate; private $climate;
private $acmeFactory; private $acmeFactory;
public function __construct(CLImate $climate, AcmeFactory $acmeFactory) { public function __construct(CLImate $climate, AcmeFactory $acmeFactory)
{
$this->climate = $climate; $this->climate = $climate;
$this->acmeFactory = $acmeFactory; $this->acmeFactory = $acmeFactory;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$email = $args->get('email'); $email = $args->get('email');
yield from $this->checkEmail($email); yield from $this->checkEmail($email);
$server = AcmeClient\resolveServer($args->get('server')); $server = resolveServer($args->get('server'));
$keyFile = AcmeClient\serverToKeyname($server); $keyFile = serverToKeyname($server);
$path = "accounts/{$keyFile}.pem"; $path = "accounts/{$keyFile}.pem";
$bits = 4096; $bits = 4096;
$keyStore = new KeyStore(\Kelunik\AcmeClient\normalizePath($args->get('storage'))); $keyStore = new KeyStore(normalizePath($args->get('storage')));
$this->climate->br(); $this->climate->br();
@@ -59,16 +96,18 @@ class Setup implements Command {
$this->climate->whisper(' Registering with ' . \substr($server, 8) . ' ...'); $this->climate->whisper(' Registering with ' . \substr($server, 8) . ' ...');
/** @var Registration $registration */ /** @var Account $account */
$registration = yield $acme->register($email); $account = yield $acme->register($email, $args->get('agree-terms'));
$this->climate->info(' Registration successful. Contacts: ' . \implode(', ', $registration->getContact())); $contacts = \implode(', ', \array_map("strval", $account->getContacts()));
$this->climate->info(' Registration successful. Contacts: ' . $contacts);
$this->climate->br(); $this->climate->br();
return 0; return 0;
}); });
} }
private function checkEmail(string $email) { private function checkEmail(string $email): \Generator
{
$host = \substr($email, \strrpos($email, '@') + 1); $host = \substr($email, \strrpos($email, '@') + 1);
if (!$host) { if (!$host) {
@@ -79,33 +118,12 @@ class Setup implements Command {
yield Dns\query($host, Record::MX); yield Dns\query($host, Record::MX);
} catch (NoRecordException $e) { } catch (NoRecordException $e) {
throw new AcmeException("No MX record defined for '{$host}'"); throw new AcmeException("No MX record defined for '{$host}'");
} catch (ResolutionException $e) { } catch (Dns\DnsException $e) {
throw new AcmeException("Dns query for an MX record on '{$host}' failed for the following reason: " . $e->getMessage(), null, $e); throw new AcmeException(
"Dns query for an MX record on '{$host}' failed for the following reason: " . $e->getMessage(),
null,
$e
);
} }
} }
public static function getDefinition(): array {
$args = [
'server' => AcmeClient\getArgumentDescription('server'),
'storage' => AcmeClient\getArgumentDescription('storage'),
'email' => [
'longPrefix' => 'email',
'description' => 'E-mail for important issues, will be sent to the ACME server.',
'required' => true,
],
];
$configPath = AcmeClient\getConfigPath();
if ($configPath) {
$config = Yaml::parse(\file_get_contents($configPath));
if (isset($config['email']) && \is_string($config['email'])) {
$args['email']['required'] = false;
$args['email']['defaultValue'] = $config['email'];
}
}
return $args;
}
} }

52
src/Commands/Status.php
View File

@@ -12,20 +12,40 @@ use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Amp\call; use function Amp\call;
use function Kelunik\AcmeClient\getArgumentDescription; use function Kelunik\AcmeClient\getArgumentDescription;
use function Kelunik\AcmeClient\normalizePath;
use function Kelunik\AcmeClient\resolveServer;
use function Kelunik\AcmeClient\serverToKeyname;
class Status
{
public static function getDefinition(): array
{
return [
'server' => getArgumentDescription('server'),
'storage' => getArgumentDescription('storage'),
'ttl' => [
'longPrefix' => 'ttl',
'description' => 'Minimum valid time in days, shows ⭮ if renewal is required.',
'defaultValue' => 30,
'castTo' => 'int',
],
];
}
class Status {
private $climate; private $climate;
public function __construct(CLImate $climate) { public function __construct(CLImate $climate)
{
$this->climate = $climate; $this->climate = $climate;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
return call(function () use ($args) { return call(function () use ($args) {
$server = \Kelunik\AcmeClient\resolveServer($args->get('server')); $server = resolveServer($args->get('server'));
$keyName = \Kelunik\AcmeClient\serverToKeyname($server); $keyName = serverToKeyname($server);
$storage = \Kelunik\AcmeClient\normalizePath($args->get('storage')); $storage = normalizePath($args->get('storage'));
try { try {
$keyStore = new KeyStore($storage); $keyStore = new KeyStore($storage);
@@ -44,15 +64,16 @@ class Status {
$certificateStore = new CertificateStore($storage . "/certs/{$keyName}"); $certificateStore = new CertificateStore($storage . "/certs/{$keyName}");
/** @var array $domains */ /** @var array $domains */
$domains = yield File\scandir($storage . "/certs/{$keyName}"); $domains = yield File\listFiles($storage . "/certs/{$keyName}");
foreach ($domains as $domain) { foreach ($domains as $domain) {
$pem = yield $certificateStore->get($domain); $pem = yield $certificateStore->get($domain);
$cert = new Certificate($pem); $cert = new Certificate($pem);
$symbol = \time() > $cert->getValidTo() ? '<red> ✗ </red>' : '<green> ✓ </green>'; $validTo = $cert->getValidTo();
$symbol = \time() > $validTo ? '<red> ✗ </red>' : '<green> ✓ </green>';
if (\time() < $cert->getValidTo() && \time() + $args->get('ttl') * 24 * 60 * 60 > $cert->getValidTo()) { if (\time() < $validTo && \time() + $args->get('ttl') * 24 * 60 * 60 > $validTo) {
$symbol = '<yellow> ⭮ </yellow>'; $symbol = '<yellow> ⭮ </yellow>';
} }
@@ -63,17 +84,4 @@ class Status {
} }
}); });
} }
public static function getDefinition(): array {
return [
'server' => getArgumentDescription('server'),
'storage' => getArgumentDescription('storage'),
'ttl' => [
'longPrefix' => 'ttl',
'description' => 'Minimum valid time in days, shows ⭮ if renewal is required.',
'defaultValue' => 30,
'castTo' => 'int',
],
];
}
} }

44
src/Commands/Version.php
View File

@@ -6,15 +6,30 @@ use Amp\Promise;
use Amp\Success; use Amp\Success;
use League\CLImate\Argument\Manager; use League\CLImate\Argument\Manager;
use League\CLImate\CLImate; use League\CLImate\CLImate;
use function Kelunik\AcmeClient\ellipsis;
class Version implements Command
{
public static function getDefinition(): array
{
return [
'deps' => [
'longPrefix' => 'deps',
'description' => 'Show also the bundled dependency versions.',
'noValue' => true,
],
];
}
class Version implements Command {
private $climate; private $climate;
public function __construct(CLImate $climate) { public function __construct(CLImate $climate)
{
$this->climate = $climate; $this->climate = $climate;
} }
public function execute(Manager $args): Promise { public function execute(Manager $args): Promise
{
$version = $this->getVersion(); $version = $this->getVersion();
$buildTime = $this->readFileOr('info/build.time', \time()); $buildTime = $this->readFileOr('info/build.time', \time());
@@ -41,13 +56,15 @@ class Version implements Command {
return new Success; return new Success;
} }
private function getDescription($package) { private function getDescription($package): string
return \Kelunik\AcmeClient\ellipsis($package->description ?? ''); {
return ellipsis($package->description ?? '');
} }
private function getVersion() { private function getVersion(): string
{
if (\file_exists(__DIR__ . '/../../.git')) { if (\file_exists(__DIR__ . '/../../.git')) {
$version = `git describe --tags`; $version = \shell_exec("git describe --tags");
} else { } else {
$version = $this->readFileOr('info/build.version', '-unknown'); $version = $this->readFileOr('info/build.version', '-unknown');
} }
@@ -55,7 +72,8 @@ class Version implements Command {
return \substr(\trim($version), 1); return \substr(\trim($version), 1);
} }
private function readFileOr($file, $default = '') { private function readFileOr(string $file, $default = '')
{
if (\file_exists(__DIR__ . '/../../' . $file)) { if (\file_exists(__DIR__ . '/../../' . $file)) {
return \file_get_contents(__DIR__ . '/../../' . $file); return \file_get_contents(__DIR__ . '/../../' . $file);
} }
@@ -66,14 +84,4 @@ class Version implements Command {
return $default; return $default;
} }
public static function getDefinition(): array {
return [
'deps' => [
'longPrefix' => 'deps',
'description' => 'Show also the bundled dependency versions.',
'noValue' => true,
],
];
}
} }

3
src/ConfigException.php
View File

@@ -2,5 +2,6 @@
namespace Kelunik\AcmeClient; namespace Kelunik\AcmeClient;
class ConfigException extends \Exception { class ConfigException extends \Exception
{
} }

47
src/Stores/CertificateStore.php
View File

@@ -7,26 +7,30 @@ use Amp\File\FilesystemException;
use Amp\Promise; use Amp\Promise;
use Kelunik\Certificate\Certificate; use Kelunik\Certificate\Certificate;
use function Amp\call; use function Amp\call;
use function Amp\Uri\isValidDnsName; use function Amp\Dns\isValidName;
class CertificateStore { class CertificateStore
{
private $root; private $root;
public function __construct(string $root) { public function __construct(string $root)
{
$this->root = \rtrim(\str_replace("\\", '/', $root), '/'); $this->root = \rtrim(\str_replace("\\", '/', $root), '/');
} }
public function get(string $name): Promise { public function get(string $name): Promise
{
return call(function () use ($name) { return call(function () use ($name) {
try { try {
return yield File\get($this->root . '/' . $name . '/cert.pem'); return yield File\read($this->root . '/' . $name . '/cert.pem');
} catch (FilesystemException $e) { } catch (FilesystemException $e) {
throw new CertificateStoreException('Failed to load certificate.', 0, $e); throw new CertificateStoreException('Failed to load certificate.', 0, $e);
} }
}); });
} }
public function put(array $certificates): Promise { public function put(array $certificates): Promise
{
return call(function () use ($certificates) { return call(function () use ($certificates) {
if (empty($certificates)) { if (empty($certificates)) {
throw new \Error('Empty array not allowed'); throw new \Error('Empty array not allowed');
@@ -39,7 +43,7 @@ class CertificateStore {
throw new CertificateStoreException("Certificate doesn't have a common name."); throw new CertificateStoreException("Certificate doesn't have a common name.");
} }
if (!isValidDnsName($commonName)) { if (!isValidName($commonName)) {
throw new CertificateStoreException("Invalid common name: '{$commonName}'"); throw new CertificateStoreException("Invalid common name: '{$commonName}'");
} }
@@ -47,38 +51,33 @@ class CertificateStore {
$chain = \array_slice($certificates, 1); $chain = \array_slice($certificates, 1);
$path = $this->root . '/' . $commonName; $path = $this->root . '/' . $commonName;
if (!yield File\isdir($path)) { yield File\createDirectoryRecursively($path, 0755);
yield File\mkdir($path, 0755, true);
if (!yield File\isdir($path)) { yield File\write($path . '/cert.pem', $certificates[0]);
throw new FilesystemException("Couldn't create certificate directory: '{$path}'"); yield File\changePermissions($path . '/cert.pem', 0644);
}
}
yield File\put($path . '/cert.pem', $certificates[0]); yield File\write($path . '/fullchain.pem', \implode("\n", $certificates));
yield File\chmod($path . '/cert.pem', 0644); yield File\changePermissions($path . '/fullchain.pem', 0644);
yield File\put($path . '/fullchain.pem', \implode("\n", $certificates)); yield File\write($path . '/chain.pem', \implode("\n", $chain));
yield File\chmod($path . '/fullchain.pem', 0644); yield File\changePermissions($path . '/chain.pem', 0644);
yield File\put($path . '/chain.pem', \implode("\n", $chain));
yield File\chmod($path . '/chain.pem', 0644);
} catch (FilesystemException $e) { } catch (FilesystemException $e) {
throw new CertificateStoreException("Couldn't save certificates for '{$commonName}'", 0, $e); throw new CertificateStoreException("Couldn't save certificates for '{$commonName}'", 0, $e);
} }
}); });
} }
public function delete(string $name): Promise { public function delete(string $name): Promise
{
return call(function () use ($name) { return call(function () use ($name) {
/** @var array $files */ /** @var array $files */
$files = yield File\scandir($this->root . '/' . $name); $files = yield File\listFiles($this->root . '/' . $name);
foreach ($files as $file) { foreach ($files as $file) {
yield File\unlink($this->root . '/' . $name . '/' . $file); yield File\deleteFile($this->root . '/' . $name . '/' . $file);
} }
yield File\rmdir($this->root . '/' . $name); yield File\deleteDirectory($this->root . '/' . $name);
}); });
} }
} }

3
src/Stores/CertificateStoreException.php
View File

@@ -2,5 +2,6 @@
namespace Kelunik\AcmeClient\Stores; namespace Kelunik\AcmeClient\Stores;
class CertificateStoreException extends \Exception { class CertificateStoreException extends \Exception
{
} }

32
src/Stores/ChallengeStore.php
View File

@@ -6,14 +6,17 @@ use Amp\File;
use Amp\Promise; use Amp\Promise;
use function Amp\call; use function Amp\call;
class ChallengeStore { class ChallengeStore
{
private $docroot; private $docroot;
public function __construct(string $docroot) { public function __construct(string $docroot)
{
$this->docroot = \rtrim(\str_replace("\\", '/', $docroot), '/'); $this->docroot = \rtrim(\str_replace("\\", '/', $docroot), '/');
} }
public function put(string $token, string $payload, string $user = null): Promise { public function put(string $token, string $payload, string $user = null): Promise
{
return call(function () use ($token, $payload, $user) { return call(function () use ($token, $payload, $user) {
$path = $this->docroot . '/.well-known/acme-challenge'; $path = $this->docroot . '/.well-known/acme-challenge';
$userInfo = null; $userInfo = null;
@@ -22,39 +25,34 @@ class ChallengeStore {
throw new ChallengeStoreException("Document root doesn't exist: '{$this->docroot}'"); throw new ChallengeStoreException("Document root doesn't exist: '{$this->docroot}'");
} }
if (!yield File\isdir($path)) { yield File\createDirectoryRecursively($path, 0755);
yield File\mkdir($path, 0755, true);
if (!yield File\isdir($path)) {
throw new ChallengeStoreException("Couldn't create key directory: '{$path}'");
}
}
if ($user && !$userInfo = \posix_getpwnam($user)) { if ($user && !$userInfo = \posix_getpwnam($user)) {
throw new ChallengeStoreException("Unknown user: '{$user}'"); throw new ChallengeStoreException("Unknown user: '{$user}'");
} }
if ($userInfo !== null) { if ($userInfo !== null) {
yield File\chown($this->docroot . '/.well-known', $userInfo['uid'], -1); yield File\changeOwner($this->docroot . '/.well-known', $userInfo['uid']);
yield File\chown($this->docroot . '/.well-known/acme-challenge', $userInfo['uid'], -1); yield File\changeOwner($this->docroot . '/.well-known/acme-challenge', $userInfo['uid']);
} }
yield File\put("{$path}/{$token}", $payload); yield File\write("{$path}/{$token}", $payload);
if ($userInfo !== null) { if ($userInfo !== null) {
yield File\chown("{$path}/{$token}", $userInfo['uid'], -1); yield File\changeOwner("{$path}/{$token}", $userInfo['uid']);
} }
yield File\chmod("{$path}/{$token}", 0644); yield File\changePermissions("{$path}/{$token}", 0644);
}); });
} }
public function delete(string $token): Promise { public function delete(string $token): Promise
{
return call(function () use ($token) { return call(function () use ($token) {
$path = $this->docroot . "/.well-known/acme-challenge/{$token}"; $path = $this->docroot . "/.well-known/acme-challenge/{$token}";
if (yield File\exists($path)) { if (yield File\exists($path)) {
yield File\unlink($path); yield File\deleteFile($path);
} }
}); });
} }

3
src/Stores/ChallengeStoreException.php
View File

@@ -2,5 +2,6 @@
namespace Kelunik\AcmeClient\Stores; namespace Kelunik\AcmeClient\Stores;
class ChallengeStoreException extends \Exception { class ChallengeStoreException extends \Exception
{
} }

27
src/Stores/KeyStore.php
View File

@@ -8,19 +8,22 @@ use Amp\Promise;
use Kelunik\Acme\Crypto\PrivateKey; use Kelunik\Acme\Crypto\PrivateKey;
use function Amp\call; use function Amp\call;
class KeyStore { class KeyStore
{
private $root; private $root;
public function __construct(string $root = '') { public function __construct(string $root = '')
{
$this->root = \rtrim(\str_replace("\\", '/', $root), '/'); $this->root = \rtrim(\str_replace("\\", '/', $root), '/');
} }
public function get(string $path): Promise { public function get(string $path): Promise
{
return call(function () use ($path) { return call(function () use ($path) {
$file = $this->root . '/' . $path; $file = $this->root . '/' . $path;
try { try {
$privateKey = yield File\get($file); $privateKey = yield File\read($file);
// Check key here to be valid, PrivateKey doesn't do that, we fail early here // Check key here to be valid, PrivateKey doesn't do that, we fail early here
$res = \openssl_pkey_get_private($privateKey); $res = \openssl_pkey_get_private($privateKey);
@@ -36,23 +39,17 @@ class KeyStore {
}); });
} }
public function put(string $path, PrivateKey $key): Promise { public function put(string $path, PrivateKey $key): Promise
{
return call(function () use ($path, $key) { return call(function () use ($path, $key) {
$file = $this->root . '/' . $path; $file = $this->root . '/' . $path;
try { try {
$dir = \dirname($file); $dir = \dirname($file);
if (!yield File\isdir($dir)) { yield File\createDirectoryRecursively($dir, 0755);
yield File\mkdir($dir, 0755, true); yield File\write($file, $key->toPem());
yield File\changePermissions($file, 0600);
if (!yield File\isdir($dir)) {
throw new FilesystemException("Couldn't create key directory: '{$dir}'");
}
}
yield File\put($file, $key->toPem());
yield File\chmod($file, 0600);
} catch (FilesystemException $e) { } catch (FilesystemException $e) {
throw new KeyStoreException('Could not save key: ' . $e->getMessage(), 0, $e); throw new KeyStoreException('Could not save key: ' . $e->getMessage(), 0, $e);
} }

3
src/Stores/KeyStoreException.php
View File

@@ -2,5 +2,6 @@
namespace Kelunik\AcmeClient\Stores; namespace Kelunik\AcmeClient\Stores;
class KeyStoreException extends \Exception { class KeyStoreException extends \Exception
{
} }

36
src/functions.php
View File

@@ -12,7 +12,8 @@ use Symfony\Component\Yaml\Yaml;
use function Amp\call; use function Amp\call;
use function Amp\coroutine; use function Amp\coroutine;
function concurrentMap(int $concurrency, array $values, callable $functor): array { function concurrentMap(int $concurrency, array $values, callable $functor): array
{
$semaphore = new LocalSemaphore($concurrency); $semaphore = new LocalSemaphore($concurrency);
return \array_map(coroutine(function ($value, $key) use ($semaphore, $functor) { return \array_map(coroutine(function ($value, $key) use ($semaphore, $functor) {
@@ -36,7 +37,8 @@ function concurrentMap(int $concurrency, array $values, callable $functor): arra
* *
* @return string suggestion or empty string if no command is similar enough * @return string suggestion or empty string if no command is similar enough
*/ */
function suggestCommand(string $badCommand, array $commands, int $suggestThreshold = 70): string { function suggestCommand(string $badCommand, array $commands, int $suggestThreshold = 70): string
{
$badCommand = \strtolower($badCommand); $badCommand = \strtolower($badCommand);
$bestMatch = ''; $bestMatch = '';
@@ -63,11 +65,12 @@ function suggestCommand(string $badCommand, array $commands, int $suggestThresho
* *
* @return string resolved URI * @return string resolved URI
*/ */
function resolveServer(string $uri): string { function resolveServer(string $uri): string
{
$shortcuts = [ $shortcuts = [
'letsencrypt' => 'https://acme-v01.api.letsencrypt.org/directory', 'letsencrypt' => 'https://acme-v02.api.letsencrypt.org/directory',
'letsencrypt:production' => 'https://acme-v01.api.letsencrypt.org/directory', 'letsencrypt:production' => 'https://acme-v02.api.letsencrypt.org/directory',
'letsencrypt:staging' => 'https://acme-staging.api.letsencrypt.org/directory', 'letsencrypt:staging' => 'https://acme-staging-v02.api.letsencrypt.org/directory',
]; ];
if (isset($shortcuts[$uri])) { if (isset($shortcuts[$uri])) {
@@ -94,7 +97,8 @@ function resolveServer(string $uri): string {
* *
* @return string identifier usable as file name * @return string identifier usable as file name
*/ */
function serverToKeyname(string $server): string { function serverToKeyname(string $server): string
{
$server = \substr($server, \strpos($server, '://') + 3); $server = \substr($server, \strpos($server, '://') + 3);
$keyFile = \str_replace('/', '.', $server); $keyFile = \str_replace('/', '.', $server);
@@ -109,7 +113,8 @@ function serverToKeyname(string $server): string {
* *
* @return bool {@code true} if running as Phar, {@code false} otherwise * @return bool {@code true} if running as Phar, {@code false} otherwise
*/ */
function isPhar(): bool { function isPhar(): bool
{
if (!\class_exists('Phar')) { if (!\class_exists('Phar')) {
return false; return false;
} }
@@ -124,7 +129,8 @@ function isPhar(): bool {
* *
* @return string normalized path * @return string normalized path
*/ */
function normalizePath(string $path): string { function normalizePath(string $path): string
{
return \rtrim(\str_replace("\\", '/', $path), '/'); return \rtrim(\str_replace("\\", '/', $path), '/');
} }
@@ -133,7 +139,8 @@ function normalizePath(string $path): string {
* *
* @return string|null Resolves to the config path or null. * @return string|null Resolves to the config path or null.
*/ */
function getConfigPath() { function getConfigPath(): ?string
{
$paths = isPhar() ? [\substr(\dirname(Phar::running()), \strlen('phar://')) . '/acme-client.yml'] : []; $paths = isPhar() ? [\substr(\dirname(Phar::running()), \strlen('phar://')) . '/acme-client.yml'] : [];
if (0 !== \stripos(PHP_OS, 'WIN')) { if (0 !== \stripos(PHP_OS, 'WIN')) {
@@ -164,7 +171,8 @@ function getConfigPath() {
* @throws AcmeException if the provided acme-client.yml file is invalid * @throws AcmeException if the provided acme-client.yml file is invalid
* @throws ConfigException if the provided configuration file is invalid * @throws ConfigException if the provided configuration file is invalid
*/ */
function getArgumentDescription($argument): array { function getArgumentDescription(string $argument): array
{
$config = []; $config = [];
if ($configPath = getConfigPath()) { if ($configPath = getConfigPath()) {
@@ -229,7 +237,8 @@ function getArgumentDescription($argument): array {
* *
* @return string binary callable, shortened based on PATH and CWD * @return string binary callable, shortened based on PATH and CWD
*/ */
function getBinary(): string { function getBinary(): string
{
$binary = 'bin/acme'; $binary = 'bin/acme';
if (isPhar()) { if (isPhar()) {
@@ -265,7 +274,8 @@ function getBinary(): string {
* *
* @return string shortened string * @return string shortened string
*/ */
function ellipsis($text, $max = 70, $append = '…'): string { function ellipsis(string $text, int $max = 70, string $append = '…'): string
{
if (\strlen($text) <= $max) { if (\strlen($text) <= $max) {
return $text; return $text;
} }

34
test/FunctionsTest.php
View File

@@ -4,25 +4,39 @@ namespace Kelunik\AcmeClient;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
class FunctionsTest extends TestCase { class FunctionsTest extends TestCase
public function testResolveServer() { {
$this->assertSame('https://acme-v01.api.letsencrypt.org/directory', resolveServer('letsencrypt')); public function testResolveServer(): void
$this->assertSame('https://acme-v01.api.letsencrypt.org/directory', resolveServer('letsencrypt:production')); {
$this->assertSame('https://acme-staging.api.letsencrypt.org/directory', resolveServer('letsencrypt:staging')); $this->assertSame('https://acme-v02.api.letsencrypt.org/directory', resolveServer('letsencrypt'));
$this->assertSame('https://acme-v01.api.letsencrypt.org/directory', resolveServer('acme-v01.api.letsencrypt.org/directory')); $this->assertSame('https://acme-v02.api.letsencrypt.org/directory', resolveServer('letsencrypt:production'));
$this->assertSame('https://acme-v01.api.letsencrypt.org/directory', resolveServer('https://acme-v01.api.letsencrypt.org/directory')); $this->assertSame(
'https://acme-staging-v02.api.letsencrypt.org/directory',
resolveServer('letsencrypt:staging')
);
$this->assertSame(
'https://acme-v01.api.letsencrypt.org/directory',
resolveServer('acme-v01.api.letsencrypt.org/directory')
);
$this->assertSame(
'https://acme-v01.api.letsencrypt.org/directory',
resolveServer('https://acme-v01.api.letsencrypt.org/directory')
);
} }
public function testSuggestCommand() { public function testSuggestCommand(): void
{
$this->assertSame('acme', suggestCommand('acme!', ['acme'])); $this->assertSame('acme', suggestCommand('acme!', ['acme']));
$this->assertSame('', suggestCommand('issue', ['acme'])); $this->assertSame('', suggestCommand('issue', ['acme']));
} }
public function testIsPhar() { public function testIsPhar(): void
{
$this->assertFalse(isPhar()); $this->assertFalse(isPhar());
} }
public function testNormalizePath() { public function testNormalizePath(): void
{
$this->assertSame('/etc/foobar', normalizePath('/etc/foobar')); $this->assertSame('/etc/foobar', normalizePath('/etc/foobar'));
$this->assertSame('/etc/foobar', normalizePath('/etc/foobar/')); $this->assertSame('/etc/foobar', normalizePath('/etc/foobar/'));
$this->assertSame('/etc/foobar', normalizePath('/etc/foobar/')); $this->assertSame('/etc/foobar', normalizePath('/etc/foobar/'));