Giter VIP home page Giter VIP logo's People


akulumbeg avatar alvinschiller avatar angel333 avatar arnebjarne avatar bbruun avatar boyanpeychev avatar dkerr64 avatar eagle3386 avatar eastonman avatar edglynes avatar f-plass avatar honzahommer avatar jakelamotta avatar jsoref avatar justmwa avatar marvo2011 avatar mdbraber avatar medmunds avatar neilpang avatar nerlor avatar non7top avatar noplanman avatar phlegx avatar scruel avatar shar0119 avatar stefanabl avatar stilez avatar tresni avatar wsellitti avatar zak905 avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar's Issues

Should not skip regenerating CSR if SubjectAltNames have changed

First try with this script, I typoed a subdomain. I re-ran le issue blah and and it failed to regenerate the CSR, using the same typoed subdomain.

In fact, looking at the code it looks like even if you do FORCE=true le issue it won't regenerate the CSR, making it impossible to add SubjectAltNames to a certificate at a later date, which is something I do regularly with the official client.

I suggest either modifying the current $FORCE logic to force regenerating the entire configuration, or perhaps adding $REGEN_CSR and $REGEN_KEY flags to force regeneration of CSRs and keys. Either way, you have to modify the code in issue() to not clobber the provided arguments with those from $DOMAIN_CONF — or else require the use of le createCSR and le createDomainKey for regeneration, but that seems overly cumbersome.

Add support for tls-sni-01

I found some documentation for how us the tls-sni-01 challenge support to a client:

In general simply changing the VTYPE_HTTP to "tls-sni-01" does all the proper steps but fails to verify with a poorly worded error. My understanding is that if the script where to add the proper subjectAlternativeName to a self signed cert and asking the user to install it before proceeding then it SHOULD world.

nginx: [emerg] cannot get certificate

重启nginx的时候提示这个,是什么引起的? 环境是 oneinstack 安装的
nginx: [emerg] cannot get certificate (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509)
configuration file /usr/local/tengine/conf/nginx.conf test failed


server {
listen 443 ssl spdy;
ssl_certificate /root/.le/;
ssl_certificate_key /root/.le/;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
resolver valid=300s;
resolver_timeout 5s;
access_log /data/wwwlogs/www.xxxxx.com_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/;
if ($host != {
rewrite ^/(.*)$ $scheme://$1 permanent;

location / {
try_files $uri @apache;
location @apache {
include proxy.conf;
location ~ ..(php|php5|cgi|pl)?$ {
include proxy.conf;
location ~ .
.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
expires 30d;
access_log off;
location ~ .*.(js|css)?$ {
expires 7d;
access_log off;

add dns-XXX-rm in dnsapi


Would it be possible to add support to remove "_acme-challenge" TXT records after validation via DNSAPI?


Remove dependency to openssl

Yes, openssl is not reliable everywhere.

We should think about using other ssl implementations. Such as : GnuTls

用了cloudxns 的api ,结果并不能自动添加TXT记录。

Add the following TXT record:
TXT value: wP-0cCLJ2SKkhUdG2CVlR-GrX1hUKj3cK5EWxXbw2KA
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be:
Please add the TXT records to the domains, and retry again.

Apache 2.4 compatibility

You provide the option for apache integration, but you did a small but integral mistake which I was not aware too. The Apache 2.4 handles the permissions different.

Order allow,deny
Allow from all

Needs to been replaced by

Require all granted


Implement account registration update

as the default configuration of no email adress is used, some users might want to add/change their email later on to receive expiration notifications from let's encrypt. the ACME protocol allows updating the email adress assigned to the account. there's a post on let's encrypt's community which explains how updating an existing account would be done:

However, there's another good reason you might want to change the email address on an account: So that you get expiration emails. This is supported in the ACME protocol and in the Boulder software: POST a signed update to your account object (aka registration object) with a new value for the Contacts field. However, unfortunately this is not yet implemented in the Python client. We have an open issue for it: certbot/certbot#1215

maybe could provide an "updateAccount" function that takes the current ACCOUNT_EMAIL value and POSTs it to LE?

.well-known/ removed after success?

Just throwing ideas:

I guess the .well-known/ should be deleted after a success validation, just to respect the original content.

Btw, I love this implementation! is the simplest and easiest from all that I checked.


ew-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: DNS name does not have enough labels","status":400}
这个是什么原因导致的呢? 真心解决不了了. 还请帮忙解答, 非常感谢

FYI, pfsense doesn't work

[2.2.6-RELEASE][[email protected]]/root/le: bash ./ issue /root/certs/ o.example,,,
Use default length 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Use default length 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
error on line -1 of /dev/fd/63
675592508:error:02001002:system library:fopen:No such file or directory:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:169:fopen('/dev/fd/63','rb')
675592508:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:172:
675592508:error:0E078072:configuration file routines:DEF_LOAD:no such file:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:197:
Create CSR error.

_initpath() calls sudo...

The _initpath() function calls sudo despite the "Do NOT require to be root/sudoer." comment on the 4th line of

This leads to spurious errors from cron jobs being sent to system administrators.

I can't issue single domain ECC certificate

If i trying to create single domain certificate with ecc algorithm,
le issue /usr/share/nginx/html domain.tld ec-384
using this command, le sets ec-384 as a alternative name.
So it makes error.
How can I issue it?

Error message when hitting rate limit

when hitting the rate limits for certificates per domain & week, returns a 429 response. should handle it and inform the user. currently there's just an empty error message outputted:

Verify finished, start to sign.
Sign failed:

the contents of curl.header is

HTTP/1.1 100 Continue
Expires: Fri, 05 Feb 2016 18:18:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 429 Unknown
Server: nginx
Content-Type: application/problem+json
Content-Length: 142
Replay-Nonce: LzW9_1jn3SFxJ7ypBRKdmVkn3M0ZW5dG1EVQZU_viD0
Expires: Fri, 05 Feb 2016 18:18:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Feb 2016 18:18:17 GMT
Connection: close

the json body payload would contain the exact error message but is not shown:
{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for:","status":429}

Is there a rationale behind using "cp -p" instead of "mv"

in installcert? On some filesystems this return errors like
cp: preserving permissions for ‘/etc/pve/local/pve-ssl.pem.bak’: Function not implemented

no harm done and permissions are in fact preserved, but we all don't like error messages, are we?

I would wait with a PR after decision on #84 so there won't be merge conflicts

Private key file should not be readable for anyone

www-data@my-host:~/.le/$ ls -lh
total 20K
-rw-r--r-- 1 www-data www-data 1.7K Jan 27 17:30 ca.cer
-rw-r--r-- 1 www-data www-data 2.1K Jan 27 17:30
-rw-r--r-- 1 www-data www-data  487 Jan 27 17:30
-rw-r--r-- 1 www-data www-data 1.6K Jan 27 17:30
-rw-r--r-- 1 www-data www-data 3.2K Jan 27 17:30
    ^^^^^^ WTFFFFFF

Generated private key can be read by any user on this machine which is not secure.


[root@s2 le]# le issue /data/wwwroot/
Use default length 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Use default length 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
multi domain
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find 'distinguished_name' in config
problems making Certificate Request
140032319231816:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name
Registering account
verify each domain
Verifing domain

[root@s2 le]# lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.6 (Final)
Release: 6.6
Codename: Final

cronjob typo ?

is this a typo ?

0 0 * * *  WORKING_DIR="/root/.le" "/root/.le"/ cron > /dev/null

should be ?

0 0 * * *  WORKING_DIR="/root/.le" /root/.le/ cron > /dev/null

Automatic CloudFlare DNS fails for Free plans?

Hey there!
I've been trying to automatize the process of renewing my certificates with le using the automatic CloudFlare API integration, I've tried with all my domains on my account, all of them are "Free plan" except for one that is "Pro plan", somehow it only works for the "Pro plan" one and the others end up in an Error without number.

Error add txt for

The v4 API documentation states that creating and updating DNS records into a zone is available for all plans.
Did anyone experience something similar with Free plans?
I opened a support ticket with CloudFlare explaining the problem and I'll post the answer in here when I get one

Unclear commandline options

In the readme you explain the options:

[key-length]|no [cert-file-path]|no [key-file-path]|no

It seems they are optional. What happens if I write no ?? Are the certs not issued? Where are they saved?

Add concatenation of site and CA certs for nginx


As nginx requires that CA certificate should be concatenated with site ceritificate, please consider to change installcert to something like that:

  if [ "$Le_RealCertPath" ] ; then
    if [ -f "$Le_RealCertPath" ] ; then
      cp -p "$Le_RealCertPath" "$Le_RealCertPath".bak
    cat "$CERT_PATH" > "$Le_RealCertPath"
    if [[ "$Le_ReloadCmd" =~ "nginx" ]] ; then
      cat "$CA_CERT_PATH" >> "$Le_RealCertPath"

Support for Multiple Webroots

I currently run a letsencrypt-auto command like:

$ /opt/letsencrypt/letsencrypt-auto certonly \
--webroot --agree-tos --keep-until-expiring --rsa-key-size 4096 \
-w /srv/www/ -d -d \
-w /srv/www/ -d

It would be great to be able to request a single webroot cert for multiple webroots and groups of domain names.

Write default account.conf sample

Write a sample ~/.le/account.conf file when installed for the first time.

Write all the supported macros in it.
such as:


Verify error:Error parsing key authorization file: Invalid key authorization: malformed token

Hi, I've posted my problem here:

Basically, I have the following error:
Verify error:Error parsing key authorization file: Invalid key authorization: malformed token

I'm using an url of type

Do you know what's a token? Why is it malformed? How can I fix it?

Here is an excerpt of my (without DEBUG flag) output:

root@somewhere:~# le issue /home/path/www 4096
Creating account key
Account key exists, skip
Creating domain key
Use length 4096
Creating csr
Registering account
Already registered
Verify each domain
Getting token for
Getting token for error:Error parsing key authorization file: Invalid key authorization: malformed token

Hardcoded command line order vs. getopts

I feel like we're getting to the limits of harcoded arguments (with no meaning default) vs. optional arguments. Wouldn't it be easier to give "-c certfile", "-C cafile", etc.? Especially when bash has a builtin getopts.

Support for AWS Route 53?

I wanted to check to see what your thoughts are in regards to the dnsapi plugins. I wrote a AWS Route 53 API plugin but it uses the python awscli tool and jq to parse JSON and I wasn't sure if you had strict requirements for using only bash or if 3rd party libraries could be a requirement. This probably needs some additional error checking but it's worked decently for me so far:

distinguish ECC key based certificates from RSA certificates

currently when issuing a ECC key based certificate uses the same directory as for RSA key based certificates. as such it is not possible to issue both a RSA and a (separate) ECC cert for the same domain. maybe suffixing the key type to the directory for non-RSA certificates would be a futureproof fix for this:

RSA key certificate for $LE_WORKING_DIR/
ECC key certificate for $LE_WORKING_DIR/

Just want to say thanks

Sadly Github as far as I know has no way (other than giving you a star) of saying thanks!

We as a hosting company implemented Let's Encrypt using the official client, not only it has too many dependencies, but they basically removed some functionality that made it almost impossible to issue certificates for our customers.

Saw your script, gave it a test - works like charm! So I just wanted to say thanks on behalf of our company.

That also means we might actually be able to contribute! One nice feature (That I really like from the official client) is that you can define multiple web-roots - also if you want to create a SAN certificate this would be a great feature in this script, but I'll see if I can come up with a way to do it, and submit a pull request!

Standalone mode, nc -q 1 : bad argument

I just tested the script in standalone mode and I encounter an error on line 227 and 229.
man nc (-q arg does not exist)
I removed it and the script works.

Not working on alpine linux

I just tried to run this on alpine linux, and I get the following error:

egrep: bad regex '{[^{]*"type":"http-01"[^}]*': Invalid contents of {}

le issue fails unless there is service on port 80?

USAGE: ./le issue /var/www/hostname.sld.tld/htdocs hostname.sld.tld

Requires that I enable a Virtualhost listening on port 80 for hostname.sld.tld.

Must I have port 80 open and listening for that host or is there a way to allow everything to work on a server that is only serving over port 443?

If I use apache mode instead can I do this without having to expose port 80 and just listen on 443?

Also, I keep my certs in /etc/httpd/ssl/hostname.sld.tld/ and create symlinks to /root/.le/hostname.sld.tld/ for the certs and key, so can I just issue the following which installs the cronjob to renew by default every 80 days?:

le installcert hostname.sld.tld /root/.le/hostname.sld.tld/hostname.sld.tld.cer /root/.le/hostname.sld.tld/hostname.sld.tld.key /root/.le/hostname.sld.tld/ca.cer "/etc/rc.d/rc.httpd reload"

This would install the cronjob which renews and overwrites the /root/.le/hostname.sld.tld/hostname.sld.tld.cer - right?

If so, I'm thinking to add functionality for 'le issue...' or le issue apache...' to create the symlinks in the respective subdirectory under /etc/httpd/ssl// for the .key, ca.cer, and .cer files.

renew does not return correct error code

the return code of the issue function call within renew() is not caught, renewalways returns 0 even when an error during renewal happens (f.e. when signing fails due to hitting certs per domain & week limit).

Small change required to work with nc on CentOS 5

On Line 333, I had to make some small adjustments to the nc command so it would work with the native netcat on CentOS 5, basically just removing the -p and making sure _NC was set to "nc". It was an easy fix though, and thanks for such a handy utility.

< _NC="nc"
< echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l $Le_HTTPPort -v
> echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort -vv
< echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l $Le_HTTPPort > /dev/null
> echo -e -n "HTTP/1.1 200 OK\r\n\r\n$content" | $_NC -l -p $Le_HTTPPort > /dev/null

nginx reload not parsed correctly

I used this command to set everything up:

le issue /srv/acme 2048 /srv/ /srv/ "sudo /usr/sbin/service nginx reload"

/usr/sbin/service is set up for this user to be run with sudo without password.

However in the .le/ file the following is set up:


The rest looks ok and i fixed these entries manually, so it is not a big deal for me, but maybe something that can be resolved in an update.

Also thank you for the work, this was the only solution i got working automated :D

Multi-domain doesn't seem to work anymore

I noticed that I could not get a certificate with aliases for a new domain as the verification fails with a 404 (it looks like the wrong file is requested, no corresponding file exists in the file system), while without aliases everything went fine.

In order to check if it could be repeated, I tried to force a renewal on another system for an existing certificate which also has an alias ( in addition to the domain name ( The original multi-domain certificate was acquired through on January 13:

% FORCE=1 ./ renewAll
Account key exists, skip
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Registering account
Already registered
Verify each domain
Geting token for
Geting token for error:Invalid response from []: 404

When I check, indeed, no file with this name is present, another one is:

% ls -l $SITEROOT/.well-known/acme-challenge/
-rw------- 1 sam users 87 Jan 22 19:15 A-xLbrJyK-Zq8cIHa2iMFYXUzj4QxS9L_AphO7UeErA

Is the multi-domain certificate acquisition broken?

In addition, the umask has been honoured, which is probably not a good idea, I'll open another issue for that.

setting Le_ReloadCmd

Hi just need some clarification of how to populate and set the Le_ReloadCmd flag from the below code

does that mean to set flag to say /usr/bin/ngxreload I would need use command for subdomain

le issue /path/to/webroot no 4096 no no no /usr/bin/ngxreload


issue() {
  if [ -z "$2" ] ; then
    _err "Usage: le  issue  webroot|no|apache|dns  [,,]|no   [key-length]|no"
    return 1

  _initpath $Le_Domain

  if [ -f "$DOMAIN_CONF" ] ; then
    Le_NextRenewTime=$(grep "^Le_NextRenewTime=" "$DOMAIN_CONF" | cut -d '=' -f 2)
    if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(date -u "+%s" )" -lt "$Le_NextRenewTime" ] ; then 
      _info "Skip, Next renewal time is: $(grep "^Le_NextRenewTimeStr" "$DOMAIN_CONF" | cut -d '=' -f 2)"
      return 2

  if [ "$Le_Alt" == "no" ] ; then
  if [ "$Le_Keylength" == "no" ] ; then
  if [ "$Le_RealCertPath" == "no" ] ; then
  if [ "$Le_RealKeyPath" == "no" ] ; then
  if [ "$Le_RealCACertPath" == "no" ] ; then
  if [ "$Le_ReloadCmd" == "no" ] ; then

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.