Skip to content
forked from namark/acme-lw

Another Let's Encrypt client library

License

Notifications You must be signed in to change notification settings

vircadia/acme-lw

 
 

Repository files navigation

Fork info

This is WIP fork of acme-lw adapted for use in Vircadia project:

  • curl has been replaced with Qt.
  • The API has been completely reworked to support asynchronous operation (interface-implementing split is lost).
  • No API for cancellation of the asynchronous operations.
  • Error handling is not entirely consistent (exceptions are sometimes passed to callbacks, sometimes thrown).
  • No standalone build configuration (full source is included as a submodule in a Qt project).
  • ACME External Account Binding
  • IP Identifier Validation Extension
  • ZeroSSL REST API

Acme Lightweight Client

This project is yet another Let's Encrypt client. It has the following properties.

  • The main artifact is a C++ static library.
  • Functionality only supports creating and updating certificates using http challenges.
  • All code runs 'in process', i.e., no processes are spawned.

Building and Installing

Building requires cmake, openssl and curl. On Debian based systems this will install them.

apt-get install cmake libssl-dev libcurl4-gnutls-dev

On Red Hat based systems this will do it.

yum install cmake openssl-devel curl-devel

On macOS you'll install prerequisites with your package manager of choice.

To build and install run:

cmake .
make
make install

To run against the Let's Encrypt staging environment generate your makefiles with this.

cmake -D STAGING=ON .

Let's Encrypt Credentials

To use any Let's Encrypt client you need to sign requests with your existing Let's Encrypt's account's private key. This library uses a private key in PEM format. If you want to use an existing Let's Encrypt private key, it's in JWK format. The acme-tiny library has good documentation on how to convert it.

Command Line Client

The command line client is run as follows.

acme_lw_client <filename of account private key> <domain name> ...

Multiple domain names can be on the command line.

The behavior is similar to the official Let's Encrypt client run as follows:

certbot certonly --manual -d <domain name>

Library API

The API of the library is documented in its header file. The command line client source provides an example of how it's used.

All methods report errors by throwing std::exception, which will normally be an instance of acme_lw::AcmeException. Note that this means you should compile your client code and this code with the same compiler and ideally with the same compiler options.

If your code is in main.cpp, something like this will build and link.

g++ main.cpp -lacme_lw -lcurl -lcrypto

Security

The library itself is fairly agnostic about security. It doesn't read or write to disk. If you use the library you'll need to decide for yourself how you want to protect the account private key and the private key associated with the certificates issued.

The command line client writes the certificate and private key to disk, readable only by the current user. It reads the account private key (in PEM format) from disk, so it needs to be readable by the current user. You'll need to decide whether that's acceptable and if so which user you want to use. (You probably want to create one solely for this purpose.)

The certificate issued uses a 2,048 bit RSA key.

About

Another Let's Encrypt client library

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 100.0%