diff options
| author | Andrew Cady <d@jerkface.net> | 2016-01-26 14:12:13 -0500 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2016-01-26 14:22:16 -0500 |
| commit | 64e8a8ef7833fb7a9325372c09bcb9a682e1ed30 (patch) | |
| tree | 275bd316cf63d4406714b332234e7b27480b6342 /README.md | |
| parent | 7373a3ede2216048d2766f8f27e77d014b82dc43 (diff) | |
Pre-generate DH params
The program now outputs a combined PEM certificate.
A new option allows DH-param generation to be disabled.
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 52 |
1 files changed, 32 insertions, 20 deletions
| @@ -1,31 +1,35 @@ | |||
| 1 | # Let's Encrypt ACME protocol | 1 | # `acme-certify` -- A `Let's Encrypt!` ACME client |
| 2 | 2 | ||
| 3 | ``` | 3 | ``` |
| 4 | Let's Encrypt! ACME client | 4 | Let's Encrypt! ACME client |
| 5 | 5 | ||
| 6 | Usage: acme-certify --key FILE --domain DOMAIN --challenge-dir DIR | 6 | Usage: acme-certify --key FILE --domain DOMAIN --challenge-dir DIR |
| 7 | [--domain-dir DIR] [--email ADDRESS] [--terms URL] | 7 | [--domain-dir DIR] [--email ADDRESS] [--terms URL] |
| 8 | [--staging] | 8 | [--skip-dhparams] [--staging] [--skip-provision-check] |
| 9 | This program will generate a signed TLS certificate using the ACME protocol | 9 | This program will generate a signed TLS certificate using the ACME protocol |
| 10 | and the free Let's Encrypt! CA. | 10 | and the free Let's Encrypt! CA. |
| 11 | 11 | ||
| 12 | Available options: | 12 | Available options: |
| 13 | -h,--help Show this help text | 13 | -h,--help Show this help text |
| 14 | --key FILE filename of your private RSA key | 14 | --key FILE Filename of your private RSA key |
| 15 | --domain DOMAIN the domain name(s) to certify; specify more than once | 15 | --domain DOMAIN The domain name(s) to certify; specify more than once |
| 16 | for a multi-domain certificate | 16 | for a multi-domain certificate |
| 17 | --challenge-dir DIR output directory for ACME challenges | 17 | --challenge-dir DIR Output directory for ACME challenges |
| 18 | --domain-dir DIR directory in which to domain certificates and keys | 18 | --domain-dir DIR Directory in which to domain certificates and keys |
| 19 | are stored; the default is to use the (first) domain | 19 | are stored; the default is to use the (first) domain |
| 20 | name as a directory name | 20 | name as a directory name |
| 21 | --email ADDRESS an email address with which to register an account | 21 | --email ADDRESS An email address with which to register an account |
| 22 | --terms URL the terms param of the registration request | 22 | --terms URL The terms param of the registration request |
| 23 | --staging use staging servers instead of live servers | 23 | --skip-dhparams Don't generate DH params for combined cert |
| 24 | --staging Use staging servers instead of live servers | ||
| 24 | (generated certificates will not be trusted!) | 25 | (generated certificates will not be trusted!) |
| 26 | --skip-provision-check Don't test whether HTTP provisioning works before | ||
| 27 | making ACME requests; only useful for testing. | ||
| 25 | ``` | 28 | ``` |
| 26 | 29 | ||
| 27 | This program can be used to obtain a certificate from | 30 | This program can be used to obtain a certificate from the |
| 28 | [Let's Encrypt](https://letsencrypt.org/) using their ACME protocol. | 31 | [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their |
| 32 | ACME protocol. | ||
| 29 | 33 | ||
| 30 | ## Rate Limits | 34 | ## Rate Limits |
| 31 | 35 | ||
| @@ -63,27 +67,35 @@ openssl genrsa 4096 > ${DOMAIN}/rsa.key | |||
| 63 | 67 | ||
| 64 | ## Receive certificate | 68 | ## Receive certificate |
| 65 | 69 | ||
| 66 | The signed certificate will be saved by this program in | 70 | The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`. |
| 67 | ``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS | 71 | A combined certificate, containing the issuer certificate, the private key, and |
| 68 | server is configured to read it. | 72 | (possibly) DH parameters, will be saved in `./${DOMAIN}/cert.combined.pem`. You |
| 73 | can copy that file to the place your TLS server is configured to read it. | ||
| 69 | 74 | ||
| 70 | You can also view the certificate like so: | 75 | You can also view the certificate like so: |
| 71 | 76 | ||
| 72 | ``` | 77 | ``` |
| 73 | openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text | less | 78 | openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less |
| 74 | ``` | 79 | ``` |
| 75 | 80 | ||
| 76 | ## Create a certificate for HAProxy | 81 | ## Create a certificate for HAProxy |
| 77 | 82 | ||
| 78 | Vo Minh Thu, the original author of this program, suggests to include explicit | 83 | Vo Minh Thu, the original author of this program, suggests to include explicit |
| 79 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). | 84 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). |
| 85 | This is now automatically performed by default. | ||
| 86 | |||
| 87 | Note: generating DH params is CPU-intensive and takes a long time. For that | ||
| 88 | reason, it is done once per domain, and the result is saved in | ||
| 89 | `${DOMAIN}/dhparams.pem`. | ||
| 90 | |||
| 91 | You can also disable DH generation it with `--skip-dhparams`. | ||
| 92 | |||
| 93 | The certificate is generated by this program equivalently to this: | ||
| 80 | 94 | ||
| 81 | ``` | 95 | ``` |
| 82 | > openssl x509 -inform der -in ${DOMAIN}/cert.der \ | 96 | openssl dhparam -out ${DOMAIN}/dhparams.pem 2048 |
| 83 | -out ${DOMAIN}/cert.pem | 97 | cat ${DOMAIN}/cert.pem \ |
| 84 | > openssl dhparam -out ${DOMAIN}/dhparams.pem 2048 | ||
| 85 | > cat ${DOMAIN}/cert.pem \ | ||
| 86 | lets-encrypt-x1-cross-signed.pem \ | 98 | lets-encrypt-x1-cross-signed.pem \ |
| 87 | ${DOMAIN}/rsa.key \ | 99 | ${DOMAIN}/rsa.key \ |
| 88 | ${DOMAIN}/dhparams.pem > aaa.reesd.com-combined.pem | 100 | ${DOMAIN}/dhparams.pem > ${DOMAIN}/cert.combined.pem |
| 89 | ``` | 101 | ``` |