diafygi / acme-tiny
A tiny script to issue and renew TLS certs from Let's Encrypt
Repository Overview (README excerpt)
acme-tiny

This is a tiny, auditable script that you can throw on your server to issue and renew Let's Encrypt certificates. Since it has to be run on your server and have access to your private Let's Encrypt account key, I tried to make it as tiny as possible (currently less than 200 lines). The only prerequisites are python and openssl.

**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT WITH YOUR PRIVATE ACCOUNT KEY!**

## Donate

If this script is useful to you, please donate to the EFF. I don't work there, but they do fantastic work. https://eff.org/donate/

## How to use this script

If you already have a Let's Encrypt issued certificate and just want to renew, you should only have to do Steps 3 and 6.

### Step 1: Create a Let's Encrypt account private key (if you haven't already)

You must have a public key registered with Let's Encrypt and sign your requests with the corresponding private key. If you don't understand what I just said, this script likely isn't for you! Please use the official Let's Encrypt client.

To accomplish this you need to initially create a key that can be used by acme-tiny to register an account for you and sign all following requests.

#### Use existing Let's Encrypt key

Alternatively you can convert your key, previously generated by the original Let's Encrypt client. The private account key from the Let's Encrypt client is saved in the JWK format; acme-tiny uses the PEM key format. To convert the key, you can use the conversion script by JonLundy:

### Step 2: Create a certificate signing request (CSR) for your domains.

The ACME protocol (what Let's Encrypt uses) requires a CSR file to be submitted to it, even for renewals. You can use the same CSR for multiple renewals. NOTE: you can't use your account private key as your domain private key!

### Step 3: Make your website host challenge files

You must prove you own the domains you want a certificate for, so Let's Encrypt requires you host some files on them.
This script will generate and write those files in the folder you specify, so all you need to do is make sure that this folder is served under the ".well-known/acme-challenge/" url path. NOTE: Let's Encrypt will perform a plain HTTP request to port 80 on your server, so you must serve the challenge files via HTTP (a redirect to HTTPS is fine too).

### Step 4: Get a signed certificate!

Now that you have set up your server and generated all the needed files, run this script on your server with the permissions needed to write to the above folder and read your private account key and CSR.

### Step 5: Install the certificate

The signed https certificate chain that is output by this script can be used along with your private key to run an https server. You need to include them in the https settings in your web server's configuration. Here's an example on how to configure an nginx server:

### Step 6: Setup an auto-renew cronjob

Congrats! Your website is now using https! Unfortunately, Let's Encrypt certificates only last for 90 days, so you need to renew them often. No worries! It's automated! Just make a bash script and add it to your crontab (see below for example script).

Example of a renewal script:

**NOTE:** Since Let's Encrypt's ACME v2 release (acme-tiny 4.0.0+), the intermediate certificate is included in the issued certificate download, so you no longer have to independently download the intermediate certificate and concatenate it to your signed certificate. If you have a shell script or Makefile written for acme-tiny <4.0 (e.g. before 2018-03-17) and run it with acme-tiny 4.0.0+, then you may be adding the intermediate certificate to your signed_chain.crt twice (which causes issues with at least GnuTLS 3.7.0, besides making the certificate slightly larger than it needs to be). To fix, simply remove the bash code where you're downloading the intermediate and adding it to the acme-tiny certificate output.
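As an added example (not acme-tiny's own code, and not the renewal script from the README), a POSIX shell helper a cron renewal script can call after acme-tiny has written the chain: it counts the PEM blocks, flags the duplicated-intermediate mistake described in the note above, and only then swaps the new chain into place atomically and reloads the webserver. The file paths, the fake PEM bodies written by `write_sample_chains`, and the reload command are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not acme-tiny's own code. Sanity-checks a certificate chain
# before it is installed and swaps it in atomically. Paths, the PEM bodies in
# write_sample_chains and the reload command are assumptions/constructed.
set -eu

# Number of PEM certificate blocks in a file (0 when there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of PEM blocks that occur more than once. Appending the intermediate a
# second time (the pre-4.0 habit the README warns about) makes this non-zero.
count_duplicate_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1; block = ""; next }
         /-----END CERTIFICATE-----/   { inblock = 0; print block; next }
         inblock                       { block = block $0 }' "$1" \
        | sort | uniq -d | wc -l | tr -d ' '
}

# Succeeds when the chain holds at least one certificate and no repeated block.
check_chain() {
    [ "$(count_certs "$1")" -ge 1 ] || return 1
    [ "$(count_duplicate_certs "$1")" -eq 0 ] || return 1
}

# Copy NEW next to LIVE and rename it into place, so the webserver never sees a
# half-written file; then run RELOAD_CMD (e.g. "service nginx reload"). A chain
# that fails check_chain is left uninstalled and the live file is untouched.
install_chain() {
    new="$1"; live="$2"; reload_cmd="${3:-:}"
    check_chain "$new" || return 1
    cp "$new" "$live.tmp" || return 1
    mv "$live.tmp" "$live" || return 1
    sh -c "$reload_cmd"
}

# Write two constructed chain files under DIR (fake PEM bodies, not real
# certificates): good.crt = leaf + intermediate, doubled.crt = the same chain
# with the intermediate appended a second time.
write_sample_chains() {
    leaf='-----BEGIN CERTIFICATE-----\nLEAFCERTBODY\n-----END CERTIFICATE-----\n'
    inter='-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----\n'
    printf '%b' "$leaf$inter" > "$1/good.crt"
    printf '%b' "$leaf$inter$inter" > "$1/doubled.crt"
}
```

Run it as the dedicated renewal user from the cron script, with `install_chain` pointed at the certificate file that user is allowed to overwrite.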
## Permissions

The biggest problem you'll likely come across while setting up and running this script is permissions. You want to limit access to your account private key and challenge web folder as much as possible. I'd recommend creating a user specifically for handling this script, the account private key, and the challenge folder. Then add the ability for that user to write to your installed certificate file and reload your webserver. That way, the cron script will do its thing, overwrite your old certificate, and reload your webserver without having permission to do anything else.

**BE SURE TO:**

• Backup your account private key
• Don't allow this script to be able to read your domain private key!
• Don't allow this script to be run as root!

## Staging Environment

Let's Encrypt recommends testing new configurations against their staging servers, so when testing out your new setup, you can use the staging directory URL to issue fake test certificates instead of real ones from Let's Encrypt's production servers. See https://letsencrypt.org/docs/staging-environment/ for more details.

## Feedback/Contributing

This project has a very, very limited scope and codebase. I'm happy to receive bug reports and pull requests, but please don't add any new features. This script must stay under 200 lines of code to ensure it can be easily audited by anyone who wants to run it.

If you want to add features for your own setup to make things easier for you, please do! It's open source, so feel free to fork it and modify as necessary.