From bd51ca2b0e50a43336f224d94fc2ab859525326a Mon Sep 17 00:00:00 2001 From: Willy Sudiarto Raharjo Date: Wed, 9 Dec 2015 15:27:01 +0700 Subject: system/letsencrypt: Added (Manage X.509 certificates). Signed-Off-by: Robby Workman Signed-off-by: Willy Sudiarto Raharjo --- system/letsencrypt/README | 6 ++ system/letsencrypt/README.Slackware | 73 +++++++++++++++++++++ system/letsencrypt/letsencrypt.SlackBuild | 101 ++++++++++++++++++++++++++++++ system/letsencrypt/letsencrypt.info | 10 +++ system/letsencrypt/slack-desc | 19 ++++++ 5 files changed, 209 insertions(+) create mode 100644 system/letsencrypt/README create mode 100644 system/letsencrypt/README.Slackware create mode 100644 system/letsencrypt/letsencrypt.SlackBuild create mode 100644 system/letsencrypt/letsencrypt.info create mode 100644 system/letsencrypt/slack-desc (limited to 'system/letsencrypt') diff --git a/system/letsencrypt/README b/system/letsencrypt/README new file mode 100644 index 0000000000..6e439e00c5 --- /dev/null +++ b/system/letsencrypt/README @@ -0,0 +1,6 @@ +The Let's Encrypt Client is a tool to automatically receive and +install X.509 certificates to enable TLS on servers. +The client will interoperate with the Let's Encrypt CA which will be +issuing browser-trusted certificates for free. + +See README.Slackware for more detailed instructions. diff --git a/system/letsencrypt/README.Slackware b/system/letsencrypt/README.Slackware new file mode 100644 index 0000000000..aba3417580 --- /dev/null +++ b/system/letsencrypt/README.Slackware 
@@ -0,0 +1,73 @@ +PLUGIN SUPPORT +letsencrypt support five plugins to obtain/install certificates and many more to come in the future. +However, we will only cover standalone plugin because apache plugin only works on Debian-based OS for now +and nginx is still considered very experimental. + +OBTAINING CERTIFICATE USING STANDALONE PLUGIN +Since Slackware is not yet supported, instead of running "letsencrypt-auto certonly" +as instructed, you can run "letsencrypt certonly" to install certificates manually using standalone plugin. + +Here's what i use to create a certificate using port 443 for domain validation +letsencrypt certonly --webroot-path= --standalone-supported-challenges tls-sni-01 -d \ +--email --renew-by-default --agree-tos --text --standalone + +If you want to use port 80 for domain validation, replace +--standalone-supported-challenges tls-sni-01 +with +--standalone-supported-challenges http-01 + +NOTE: +You need to make sure that the port (80 or 443) is NOT USED before running above command (ie. you may need to +temporarily stop your exising webserver) +All domain-spesific configuration files are stored in /etc/letsencrypt/live/ + +Once certificate is created, you need to enable and configure httpd-ssl.conf + +RENEWAL PROCESS +Best way is to use a simple bash script that perform following actions: +- turn off httpd service +- give some delay (2s is enough) +- run the above command to renew automatically +- start httpd service + +RATE LIMIT +Rate limit on registrations per IP is now 10 per 3 hours. +Rate limit on certificates per Domain is now 5 per 7 days. + +CONFIGURATION FILES + +It is possible to specify configuration file with letsencrypt --config cli.ini (or shorter -c cli.ini). +An example configuration file is shown below: + +# This is an example of the kind of things you can do in a configuration file. +# All flags used by the client can be configured here. Run Let's Encrypt with +# "--help" to learn more about the available options. 
+ +# Use a 4096 bit RSA key instead of 2048 +rsa-key-size = 4096 + +# Always use the staging/testing server +server = https://acme-staging.api.letsencrypt.org/directory + +# Uncomment and update to register with the specified e-mail address +# email = foo@example.com + +# Uncomment and update to generate certificates for the specified +# domains. +# domains = example.com, www.example.com + +# Uncomment to use a text interface instead of ncurses +# text = True + +# Uncomment to use the standalone authenticator on port 443 +# authenticator = standalone +# standalone-supported-challenges = tls-sni-01 + +# Uncomment to use the webroot authenticator. Replace webroot-path with the +# path to the public_html / webroot folder being served by your web server. +# authenticator = webroot +# webroot-path = /usr/share/nginx/html + +By default, the following locations are searched: +/etc/letsencrypt/cli.ini +$XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set). diff --git a/system/letsencrypt/letsencrypt.SlackBuild b/system/letsencrypt/letsencrypt.SlackBuild new file mode 100644 index 0000000000..08714080f8 --- /dev/null +++ b/system/letsencrypt/letsencrypt.SlackBuild 
@@ -0,0 +1,101 @@ +#!/bin/sh + +# Slackware build script for letsencrypt + +# Copyright 2015 Willy Sudiarto Raharjo +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=letsencrypt +VERSION=${VERSION:-0.1.0} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i486 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz || tar xvf $CWD/v$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find -L . 
\ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +# install acme-protocol first +cd acme +python setup.py install --root=$PKG + +# install letsencrypt client +cd .. +python setup.py install --root=$PKG + +# this plugins are not working for Slackware yet, but we will keep it here + +# install apache plugin +#cd letsencrypt-apache +#python setup.py install --root=$PKG + +# install nginx plugin +#cd ../letsencrypt-nginx +#python setup.py install --root=$PKG + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a *.rst *.md *.txt *.in $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/system/letsencrypt/letsencrypt.info b/system/letsencrypt/letsencrypt.info new file mode 100644 index 0000000000..db7cae53ee --- /dev/null +++ b/system/letsencrypt/letsencrypt.info @@ -0,0 +1,10 @@ +PRGNAM="letsencrypt" +VERSION="0.1.0" +HOMEPAGE="https://letsencrypt.org/" +DOWNLOAD="https://github.com/letsencrypt/letsencrypt/archive/v0.1.0.tar.gz" +MD5SUM="eb1208bcf5c33a6f030da9419718bf6b" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="configobj mock python-requests pytz python2-pythondialog zope.component pyrfc3339 pyOpenSSL psutil python-parsedatetime python-configargparse werkzeug ndg_httpsclient python-augeas pyparsing" +MAINTAINER="Willy Sudiarto Raharjo" +EMAIL="willysr@slackbuilds.org" 
diff --git a/system/letsencrypt/slack-desc b/system/letsencrypt/slack-desc new file mode 100644 index 0000000000..87d971c033 --- /dev/null +++ b/system/letsencrypt/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +letsencrypt: letsencrypt (Manage X.509 certificates) +letsencrypt: +letsencrypt: The Let's Encrypt Client is a tool to automatically receive and +letsencrypt: install X.509 certificates to enable TLS on servers. +letsencrypt: The client will interoperate with the Let's Encrypt CA which will be +letsencrypt: issuing browser-trusted certificates for free. +letsencrypt: +letsencrypt: +letsencrypt: Project URL: https://letsencrypt.org/ +letsencrypt: +letsencrypt: -- cgit v1.2.3
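Review bot: In README.Slackware, under RENEWAL PROCESS, the steps stop httpd before running the client but do not say what happens when the client fails, so a script written from this list that exits on error leaves the web server down; state that httpd is started again whether or not the letsencrypt command succeeds. The renewal step reuses the issuance command, which passes `--renew-by-default`, while RATE LIMIT gives 5 certificates per domain per 7 days, so the section should also say how often the script is meant to run. In the example command, `--webroot-path=` is passed together with `--standalone`, although the sample cli.ini in the same file ties webroot-path to the webroot authenticator; drop it from the standalone example. The sample cli.ini has `server = https://acme-staging.api.letsencrypt.org/directory` uncommented, so a copy of it used as-is points the client at the staging/testing server; comment that line out or add a sentence saying so.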
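Review bot: In letsencrypt.SlackBuild, the documentation step copies only `*.rst *.md *.txt *.in` from the source tree plus the SlackBuild itself, so README.Slackware, which README names as the place for the detailed instructions, is not part of the installed package; add a line that copies $CWD/README.Slackware into $PKG/usr/doc/$PRGNAM-$VERSION. SLKCFLAGS and LIBDIRSUFFIX are set in the ARCH block but neither `python setup.py install --root=$PKG` call uses them; remove the block or add a comment saying why it is kept.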
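Review bot: In letsencrypt.info, MD5SUM is the only integrity check on the archive fetched from the DOWNLOAD URL, and the package it covers is a client that obtains and installs TLS certificates. The .info format fixes that field, so the change belongs in README.Slackware: record a SHA-256 digest of the same v0.1.0 tarball there and tell users to compare it before building.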