Mac Client For Lets Encrypt



Outlook 2016 was the best email client for Mac 2016 in the category of business email clients, and it has ended in the second place overall this year. Outlook’s user interface is getting better with each year, and no other email client comes even close when it comes to the broad range of features Outlook offers. NAME: lego - Let's Encrypt client written in Go USAGE: lego global options command command options arguments. COMMANDS: run Register an account, then create and install a certificate revoke Revoke a certificate renew Renew a certificate dnshelp Shows additional help for the '-dns' global option list Display certificates and accounts information.

Let’s Encrypt is a new certificate authority backedby Mozilla, Akamai, EFF, Facebook and others, which provides free, automatedSSL/TLS certificates. The public beta started on December 3, 2015 and a whole lot of certificates have been issued already:

Several clients to automate issuing, renewing and revoking certificates have been released both by the community and the Let’s Encrypt team. This post is an overview and comparison of 10 popular Let’s Encrypt clients:

I'm running Debian and have certbot for creating Let's Encrypt certificate. I act as client towards a TLS server, and needs to handover my client certificate for approval. I've got the following files generated by certbot.

  • letsencrypt-auto, the official Let’s Encrypt client
  • acme-tiny, a tiny semi-automatic Python implementation
  • gethttpsforfree.com, a static website to assist the manual process
  • simp_le, another Python implementation
  • letsencrypt-nosudo, the predecessor of acme-tiny and gethttpsforfree
  • acmetool, an ACME client in Go
  • lego, an ACME client and library written in Go
  • letsencrypt.sh, a Bash ACME client implemenation
  • acme, ACME implementation in PHP
  • lescript, a PHP library
Mac Client For Lets Encrypt

ACME

The Automated Certificate Management Environment (ACME)protocol defines a way of automatically obtaining trusted certificateswithout human intervention. First, the control of a domain has to be proven,then the agent can request, renew and revoke certificates:

Certificates issued by Let’s Encrypt are valid for 90 days, and are expected to be renewed automatically. More background information can be found on the Let’s Encrypt - How It Works page.

At the time of writing, these rate limits has been in place:

  • 10 Registrations per IP per 3 hours
  • 5 Certificates per Domain per 7 days (incl. subdomains)

SSL Certificates & Signing

Obtaining a valid SSL certificate generally includes the following steps:

  1. You create a private and public key pair on the server.
  2. You create a Certificate Signing Request (CSR) which includes the domain name, organization name, the public key, and other information. The CSR is signed with your private key.
  3. You send the CSR to the certificate authority (in this case Let’s Encrypt).
  4. The certificate authority signs the request, thus producing a public certificate.
  5. You use the public certificate in your webserver.

For more information on configuring a webserver with certificates, check out these links:

  • cipherli.st - Example configuration for Apache, nginx and Lighttpd

These tests are going to obtain a certificate for a domain such as www.example.comand setting up automatic certificate renewal.

Domain ownership verification requires the ACME server being able to access a specific fileon the domain. To accomplish this, we assume a webserver is running and servesfiles from /var/www/htdocs/ (the webroot) and it’s subdirectories. For instance, a file at /var/www/htdocs/.well-known/acme-challenge/8303 should be accessible via www.example.com/.well-known/acme-challenge/8303.

Official Let’s Encrypt Client

  • github.com/letsencrypt/letsencrypt
    • 4,355 commits, 131 contributors
  • Mode: Automatic / Interactive / Manual
  • License: Apache 2.0
  • Language: Python
  • Lines of code: 8,612 (core), ~16,000 (total)
  • Dependencies: many

The official Let’s Encrypt client, letsencrypt-auto, isa heavyweight, fully automated Python program with various modes of operation and installers (for instance to automagically update Apache and nginx configurations).

The standard client automatically installs various system dependencies via the standard package manager (see the source code and /bootstrap/), and sets up a virtualenv witha number of Python dependencies. The client is also available as a Docker image,which avoids the necessity to install packages system-wide.

In case of an error (eg. the ACME server is not reachable), the official client gracefully terminates with an info message.

The official Let’s Encrypt client also supports config files, which may beeasier to automate with a cronjob (see this postfor more infos).

  • Official client, active community
  • Well documented, and well tested
  • Can do a lot of things, including server configs (experimental!)
  • Accessible for non-technical users
  • Complex program, many moving parts, hard to review
  • Runs as root and installs dependencies without asking

Standard Installation

Obtaining a certificate

To obtain a certificate without stopping a running webserver, we are going to use the webroot method, whichonly requires write access for the webroot to save the authentication file.

This command creates the private and public keys, generate a certificate signing request, get the challenge from the ACME server, saves it to the webroot, and downloads the signed certificate in /etc/letsencrypt/live/example.com/. The processis fully automated and results in the certificate and private key, ready to be used by your webserver.

Alternatively the offial Let’s Encrypt client includes a manual plugin, whichcan generate a certificate from another computer than the webserver(akin to gethttpsforfree.com or letsencrypt-nosudo).You can run this plugin with the command ./letsencrypt-auto certonly --manual.

Renewal

To renew certificates automatically, simply add the --renew parameter to the above command:

acme-tiny

Encrypt Mac Files

  • github.com/diafygi/acme-tiny
    • 55 commits, 11 contributors
  • Mode: Automatic / Semi-Automatic
  • License: MIT
  • Language: Python
  • Lines of code: ~200
  • Dependencies: None

Acme-tiny is a tiny Python script which assists with issuing and renewing certificates. You generatethe private key and create a certificate signing request (CSR) manually, and acme-tiny handles the rest (submitting the CSRto the ACME server, receiving the authentication files, putting it in the acme-challenge folder and receiving the final certificate). The output of this script is the signed certificate.

  • Documentation (in the README)
  • Super simple, no dependencies
  • Easy to embed in custom Python application

Installation

Obtaining a certificate

At this point chained.pem contains the signed certificate chain and, along with domain.key, can be used to run a http server(more infos).

Renewal simply requires running this script again with the same parameters.

gethttpsforfree.com

  • github.com/diafygi/gethttpsforfree
    • 70 commits, 10 contributors
  • Mode: Semi-Manual
  • License: MIT
  • Language: HTML & JavaScript
  • Lines of code: 1228 JS, 443 HTML

gethttpsforfree.com is a website which helps users to manually generate all the necessary information to create a certificate signing request (CSR), guiding a user through the whole ACME process:

  1. Manually create a public and private key.
  2. Manually create a certificate signing request (CSR).
  3. Manually sign a number of requests with the private key.
  4. Manually verify ownership by serving the signed requests (either through an existing webserver or a simple Python webserver).
  5. The website tells the ACME server to check for the verifications, and in case of success provides you with the signed certificate.

The website provides OpenSSL commands at each step, and waits for the output of the commands to be pasted back into the website to verify the success. The website never asks for any kind of private key. It can be saved and used locally without any server side logic.

  • Works as advertised
  • Static site allows to save and use later

simp_le

  • github.com/kuba/simp_le
    • 112 commits, 9 contributors
  • Mode: Fully or Semi-Automatic
  • License: GPLv3
  • Language: Python
  • Lines of code: 775 Python, 126 Shell Script, 41 YAML
  • Dependencies: Some

simp_le is an ACME client written in Python. It works similar to acme-tiny, but canalso generate the private key and CSR automatically. Requires a small number of dependencies to be installed.

Installation

Obtaining a certificate

On success, this command produces 4 files: account_key.json, cert.pem, fullchain.pem and key.pem,which can be used from your webserver’s SSL configuration (see here for an example integration in Apache).

Renewal works by using the same command.

Exit codes:

  • 0 if certificate data was created or updated;
  • 1 if renewal not necessary;
  • 2 in case of errors.

letsencrypt-nosudo

  • github.com/diafygi/letsencrypt-nosudo
    • 45 commits, 5 contributors
  • Mode: Manual (assisted)
  • License: AGPL
  • Language: Python
  • Lines of code: 400
  • Dependencies: None

This program is a predecessor of acme-tiny and functionally equivalent to gethttpsforfree.com (made by the same author). The script guides you through the whole process and ask you do run all the necessary commands in the terminal.

You generate a private key and certificate signing request (CSR), then run sign_csr.py to get the signed certificate. The script goes through the ACME protocol with the Let’s Encrypt certificate authority and outputs the signed certificate to stdout.

Installation

Obtaining a certificate

acmetool

  • github.com/hlandau/acme
    • 103 commits, 1 contributors
  • Mode: Automatic / Interactive
  • License: MIT
  • Language: Go
  • Lines of code: ~6,000
  • Dependencies: None (Binary Release)

acmetool is an ACME client written in Go, supporting automatic domain verification with webroot and standalone methods as well as an interactive wizard. acmetool stores credentials and certificates at /var/lib/acme/live/HOSTNAME/{cert,chain,fullchain,privkey} by default and includes support to import certificates from the official client.

acmetool furthermore provides a reconcile option which makes sure all desired hostnameshave valid certificates which don’t expire soon.

Installation

You can either get a binary release, or build from source as described in the Readme:

Obtaining a certificate

You need to set the webroot to /var/run/acme/acme-challenge as describedin the docs, or use the proxy method. The command acmetool want tries all available methods.

lego

  • github.com/xenolf/lego
    • 162 commits, 4 contributors
  • Mode: Automatic
  • License: MIT
  • Language: Go
  • Lines of code: ~2,000
  • Dependencies: None (Binary Release)

Lego is an ACME library and standalone application written in Go. It can be downloaded asa binary release or build by yourself.

Running the standalone version requires the permission to bind to port 80 and 443,which conflicts with a webserver which is already running.

Installation

Obtaining a certificate

letsencrypt.sh

  • github.com/lukas2511/letsencrypt.sh
    • 111 commits, 6 contributors
  • Mode: Automatic
  • License: Unspecified
  • Language: Shell Script (Bash)
  • Lines of code: ~600 (Bash)
  • Dependencies: None / OpenSSL, curl, sed
Client

Installation

Obtaining a certificate

Create a file called domains.txt which contains the domains and subdomains you want togenerate certificates for:

Encrypt

This requests two certificates, for example.com and example.net. The other domains in the corresponding line are their alternative names.

letsencrypt.sh writes the challenge files by default into the directory '${SCRIPTDIR}/.acme-challenges'. To adjust this to your webroot, you need to create a config file (config.sh) with another $WELLKNOWN path (see config.sh.example):

Then simply run letsencrypt.sh (⇾ show output).

acme-client

  • github.com/kelunik/acme-client
    • 3 commits, 1 contributors
  • Mode: Automatic
  • License: MIT
  • Language: PHP (7)
  • Lines of code: ~400
  • Dependencies: Few

acme-client is an ACME client written in PHP, built on top of the acme PHP library by the same author.

It requires PHP 7 and composer to install it’s dependencies.

Installation

Obtaining a certificate

lescript

  • github.com/analogic/lescript
    • 3 commits, 1 contributors
  • Mode: Automatic
  • License: BSD
  • Language: PHP
  • Lines of code: ~450
  • Dependencies: PHP 5.4.8+ with OpenSSL and curl extension

lescript is a very simplistic PHP ACME client library, with an example CLI wrapper.

Installation

Obtaining a certificate

Use the library as shown in _example.php.

ClientUser ModeDeps.LanguageLOCLicenseCapabilitiesDomain Authentication
Official Let's Encrypt Client (Docs)Automatic / Interactive / ManualManyPython~8.600Apache 2.0Issue, Renew, Revoke, Server ConfigWebroot, Standalone, Manual
acme-tinyAutomatic / Semi-AutomaticNonePython~200MITIssue, RenewWebroot
gethttpsforfree
.com (Source)
Semi-ManualNoneHTML/JS~1200MITIssue, RenewWebroot
simp_leAutomatic / Semi-AutomaticSomePython~800GPLv3Issue, Renew, RevokeWebroot
letsencrypt-nosudoManual (assisted)NonePython~400AGPLIssue, Renew, RevokeStandalone
acmetoolAutomatic / InteractiveNoneGo~6,000MITIssue, RenewWebroot, Standalone
legoAutomaticNoneGo~2,000MITIssue, Renew, RevokeStandalone
letsencrypt.shAutomaticNoneBash~600?Issue, Renew, RevokeWebroot
acme-clientSemi-AutomaticSome (incl. PHP 7)PHP~400MITIssue, Renew, RevokeWebroot
lescriptSemi-AutomaticNonePHP~450BSDIssue, RenewWebroot

If you have suggestions or feedback, please let me know via @metachris.

Lego can be use as a CLI.

Usage

When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.

Let’s Encrypt ACME server

Mac client for lets encryption

lego defaults to communicating with the production Let’s Encrypt ACME server.If you’d like to test something without issuing real certificates, consider using the staging endpoint instead:

Running without root privileges

The CLI does not require root permissions but needs to bind to port 80 and 443 for certain challenges.To run the CLI without sudo, you have four options:

  • Use setcap 'cap_net_bind_service=+ep' /path/to/lego (Linux only)
  • Pass the --http.port or/and the --tls.port option and specify a custom port to bind to. In this case you have to forward port 80443 to these custom ports (see Port Usage).
  • Pass the --http.webroot option and specify the path to your webroot folder. In this case the challenge will be written in a file in .well-known/acme-challenge/ inside your webroot.
  • Pass the --dns option and specify a DNS provider.

Mac Client For Lets Encrypt

Port Usage

By default lego assumes it is able to bind to ports 80 and 443 to solve challenges.If this is not possible in your environment, you can use the --http.port and --tls.port options to instructlego to listen on that interface:port for any incoming challenges.

If you are using this option, make sure you proxy all of the following traffic to these ports.

Mac Client For Lets Encryption

HTTP Port: All plaintext HTTP requests to port 80 which begin with a request path of /.well-known/acme-challenge/ for the HTTP challenge.1

TLS Port: All TLS handshakes on port 443 for the TLS-ALPN challenge.

This traffic redirection is only needed as long as lego solves challenges. As soon as you have received your certificates you can deactivate the forwarding.

Let's Encrypt Certbot

  1. You must ensure that incoming validation requests contains the correct value for the HTTP Host header. If you operate lego behind a non-transparent reverse proxy (such as Apache or NGINX), you might need to alter the header field using --http.proxy-header X-Forwarded-Host. [return]