lego/README.md

# lego
Let's Encrypt client and ACME library written in Go

[![GoDoc](https://godoc.org/github.com/xenolf/lego/acme?status.svg)](https://godoc.org/github.com/xenolf/lego/acme)
[![Build Status](https://travis-ci.org/xenolf/lego.svg?branch=master)](https://travis-ci.org/xenolf/lego)

This is a work in progress. Please do *NOT* run this on a production server.

Please report any bugs you find!

#### Current Status
The code in this repository is under development.

Current features:
- [x] Registering with a CA
- [x] Requesting Certificates
- [x] Renewing Certificates
- [x] Revoking Certificates
- [ ] Initiating account recovery
- Identifier validation challenges
  - [x] HTTP (http-01)
  - [x] TLS with Server Name Indication (tls-sni-01)
  - [ ] Proof of Possession of a Prior Key (proofOfPossession-01)
  - [ ] DNS (dns-01) - Implemented in branch, blocked by upstream.
- [x] Certificate bundling
- [x] Library support for OCSP

Please keep in mind that CLI switches and APIs are still subject to change.

When using the standard --path option, all certificates and account configurations are saved to a folder *.lego* in the current working directory.

#### Sudo
I tried to not need sudo apart from challenges where binding to a privileged port is necessary.
To run the CLI without sudo, you have two options:
- Use ```setcap 'cap_net_bind_service=+ep' /path/to/program```
- Pass the --port option and specify a custom port to bind to. In this case you have to forward port 443 to this custom port.

#### Usage

```
NAME:
   lego - Let's encrypt client to go!

USAGE:
   ./lego [global options] command [command options] [arguments...]

VERSION:
   0.0.2

COMMANDS:
   run		Register an account, then create and install a certificate
   revoke	Revoke a certificate
   renew	Renew a certificate
   help, h	Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --domains, -d [--domains option --domains option]			Add domains to the process
   --server, -s "https://acme-staging.api.letsencrypt.org/"		CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.
   --email, -m 								Email used for registration and recovery contact.
   --rsa-key-size, -B "2048"						Size of the RSA key.
   --path "CWD/.lego"	Directory to use for storing the data
   --port 								Challenges will use this port to listen on. Please make sure to forward port 443 to this port on your machine. Otherwise use setcap on the binary
   --help, -h								show help
   --version, -v							print the version

```


#### ACME Library Usage

A valid, but bare-bones example use of the acme package:

```go
// You'll need a user or account type that implements acme.User
type MyUser struct {
	Email        string
	Registration *acme.RegistrationResource
	key          *rsa.PrivateKey
}
func (u MyUser) GetEmail() string {
	return u.Email
}
func (u MyUser) GetRegistration() *acme.RegistrationResource {
	return u.Registration
}
func (u MyUser) GetPrivateKey() *rsa.PrivateKey {
	return u.key
}

// Create a user. New accounts need an email and private key to start.
const rsaKeySize = 2048
privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySize)
if err != nil {
	log.Fatal(err)
}
myUser := MyUser{
	Email: "you@yours.com",
	key: privateKey,
}

// A client facilitates communication with the CA server. This CA URL is
// configured for a local dev instance of Boulder running in Docker in a VM.
// We specify an optPort of 5001 because we aren't running as root and can't
// bind a listener to port 443 (used later when we attempt to pass challenge).
client, err := acme.NewClient("http://192.168.99.100:4000", &myUser, rsaKeySize, "5001")
if err != inl {
  log.Fatal(err)
}

// New users will need to register; be sure to save it
reg, err := client.Register()
if err != nil {
	log.Fatal(err)
}
myUser.Registration = reg

// The client has a URL to the current Let's Encrypt Subscriber
// Agreement. The user will need to agree to it.
err = client.AgreeToTOS()
if err != nil {
	log.Fatal(err)
}

// The acme library takes care of completing the challenges to obtain the certificate(s).
// Of course, the hostnames must resolve to this machine or it will fail.
certificates, err := client.ObtainCertificates([]string{"mydomain.com"})
if err != nil {
	log.Fatal(err)
}

// Each certificate comes back with the cert bytes, the bytes of the client's
// private key, and a certificate URL. This is where you should save them to files!
fmt.Printf("%#v\n", certificates)

// ... all done.
```
Create README.md 2015-06-13 02:45:04 +00:00			`# lego`
Update README.md 2015-10-19 17:58:04 +00:00			`Let's Encrypt client and ACME library written in Go`
Create README.md 2015-06-13 02:45:04 +00:00
README.md fix + include godoc link 2015-10-18 23:02:44 +00:00			`[![GoDoc](https://godoc.org/github.com/xenolf/lego/acme?status.svg)](https://godoc.org/github.com/xenolf/lego/acme)`
Update README.md Add travis build status 2015-06-13 19:23:27 +00:00			`[![Build Status](https://travis-ci.org/xenolf/lego.svg?branch=master)](https://travis-ci.org/xenolf/lego)`

README.md fix + include godoc link 2015-10-18 23:02:44 +00:00			`This is a work in progress. Please do NOT run this on a production server.`
Create README.md 2015-06-13 02:45:04 +00:00
Update README.md 2015-10-20 20:55:00 +00:00			`Please report any bugs you find!`

README.md fix + include godoc link 2015-10-18 23:02:44 +00:00			`#### Current Status`
Update README.md 2015-10-19 17:58:04 +00:00			`The code in this repository is under development.`

			`Current features:`
			`- [x] Registering with a CA`
			`- [x] Requesting Certificates`
			`- [x] Renewing Certificates`
			`- [x] Revoking Certificates`
			`- [ ] Initiating account recovery`
			`- Identifier validation challenges`
Update README.md 2015-11-14 16:35:31 +00:00			`- [x] HTTP (http-01)`
Mark TLS-SNI implemented in README 2015-11-19 23:34:40 +00:00			`- [x] TLS with Server Name Indication (tls-sni-01)`
Update README.md 2015-11-14 16:35:31 +00:00			`- [ ] Proof of Possession of a Prior Key (proofOfPossession-01)`
Remove simpleHTTP - Update README 2015-11-18 21:15:37 +00:00			`- [ ] DNS (dns-01) - Implemented in branch, blocked by upstream.`
Update README.md 2015-10-25 00:15:58 +00:00			`- [x] Certificate bundling`
			`- [x] Library support for OCSP`
Create README.md 2015-06-13 02:45:04 +00:00
			`Please keep in mind that CLI switches and APIs are still subject to change.`

			`When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.`

README.md fix + include godoc link 2015-10-18 23:02:44 +00:00			`#### Sudo`
Create README.md 2015-06-13 02:45:04 +00:00			`I tried to not need sudo apart from challenges where binding to a privileged port is necessary.`
			`To run the CLI without sudo, you have two options:`
			- Use ```setcap 'cap_net_bind_service=+ep' /path/to/program```
			`- Pass the --port option and specify a custom port to bind to. In this case you have to forward port 443 to this custom port.`

			`#### Usage`

			```
			`NAME:`
			`lego - Let's encrypt client to go!`

			`USAGE:`
Update README.md 2015-10-19 17:58:04 +00:00			`./lego [global options] command [command options] [arguments...]`
Change name of AgreeToTos to AgreeToTOS. According to https://github.com/golang/go/wiki/CodeReviewComments#initialisms 2015-10-23 08:15:57 +00:00
Create README.md 2015-06-13 02:45:04 +00:00			`VERSION:`
Update read 2015-09-26 18:01:36 +00:00			`0.0.2`
Change name of AgreeToTos to AgreeToTOS. According to https://github.com/golang/go/wiki/CodeReviewComments#initialisms 2015-10-23 08:15:57 +00:00
Create README.md 2015-06-13 02:45:04 +00:00			`COMMANDS:`
Update README.md 2015-10-19 17:58:04 +00:00			`run Register an account, then create and install a certificate`
			`revoke Revoke a certificate`
			`renew Renew a certificate`
			`help, h Shows a list of commands or help for one command`
Change name of AgreeToTos to AgreeToTOS. According to https://github.com/golang/go/wiki/CodeReviewComments#initialisms 2015-10-23 08:15:57 +00:00
Create README.md 2015-06-13 02:45:04 +00:00			`GLOBAL OPTIONS:`
Update README.md 2015-10-19 17:58:04 +00:00			`--domains, -d [--domains option --domains option] Add domains to the process`
			`--server, -s "https://acme-staging.api.letsencrypt.org/" CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.`
			`--email, -m Email used for registration and recovery contact.`
			`--rsa-key-size, -B "2048" Size of the RSA key.`
Remove unused CLI option 2015-10-31 23:29:01 +00:00			`--path "CWD/.lego" Directory to use for storing the data`
Update README.md 2015-10-19 17:58:04 +00:00			`--port Challenges will use this port to listen on. Please make sure to forward port 443 to this port on your machine. Otherwise use setcap on the binary`
			`--help, -h show help`
			`--version, -v print the version`
Remove unused CLI option 2015-10-31 23:29:01 +00:00
Create README.md 2015-06-13 02:45:04 +00:00			```
Add bare-bones acme usage example 2015-10-17 21:02:52 +00:00

			`#### ACME Library Usage`

			`A valid, but bare-bones example use of the acme package:`

			```go
			`// You'll need a user or account type that implements acme.User`
			`type MyUser struct {`
			`Email string`
			`Registration *acme.RegistrationResource`
			`key *rsa.PrivateKey`
			`}`
			`func (u MyUser) GetEmail() string {`
			`return u.Email`
			`}`
			`func (u MyUser) GetRegistration() *acme.RegistrationResource {`
			`return u.Registration`
			`}`
			`func (u MyUser) GetPrivateKey() *rsa.PrivateKey {`
			`return u.key`
			`}`

			`// Create a user. New accounts need an email and private key to start.`
Minor correction 2015-10-17 21:07:14 +00:00			`const rsaKeySize = 2048`
Add bare-bones acme usage example 2015-10-17 21:02:52 +00:00			`privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySize)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`myUser := MyUser{`
			`Email: "you@yours.com",`
			`key: privateKey,`
			`}`

			`// A client facilitates communication with the CA server. This CA URL is`
			`// configured for a local dev instance of Boulder running in Docker in a VM.`
			`// We specify an optPort of 5001 because we aren't running as root and can't`
			`// bind a listener to port 443 (used later when we attempt to pass challenge).`
Replaced fatal with print; return errors from NewClient 2015-10-27 23:00:42 +00:00			`client, err := acme.NewClient("http://192.168.99.100:4000", &myUser, rsaKeySize, "5001")`
			`if err != inl {`
			`log.Fatal(err)`
			`}`
Add bare-bones acme usage example 2015-10-17 21:02:52 +00:00
			`// New users will need to register; be sure to save it`
			`reg, err := client.Register()`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`myUser.Registration = reg`

			`// The client has a URL to the current Let's Encrypt Subscriber`
			`// Agreement. The user will need to agree to it.`
Change name of AgreeToTos to AgreeToTOS. According to https://github.com/golang/go/wiki/CodeReviewComments#initialisms 2015-10-23 08:15:57 +00:00			`err = client.AgreeToTOS()`
Add bare-bones acme usage example 2015-10-17 21:02:52 +00:00			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`// The acme library takes care of completing the challenges to obtain the certificate(s).`
			`// Of course, the hostnames must resolve to this machine or it will fail.`
			`certificates, err := client.ObtainCertificates([]string{"mydomain.com"})`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

README.md fix + include godoc link 2015-10-18 23:02:44 +00:00			`// Each certificate comes back with the cert bytes, the bytes of the client's`
Add bare-bones acme usage example 2015-10-17 21:02:52 +00:00			`// private key, and a certificate URL. This is where you should save them to files!`
			`fmt.Printf("%#v\n", certificates)`

			`// ... all done.`
			```