2016-04-22 12:14:29 -06:00
[](https://gitter.im/Daplie/letsencrypt-express?utm_source=badge& utm_medium=badge& utm_campaign=pr-badge& utm_content=badge)
2016-04-22 12:17:29 -06:00
| [letsencrypt (library) ](https://github.com/Daplie/node-letsencrypt )
2016-08-09 22:39:39 -04:00
| **letsencrypt-cli**
2016-04-22 12:19:00 -06:00
| [letsencrypt-express ](https://github.com/Daplie/letsencrypt-express )
2016-04-22 12:17:29 -06:00
| [letsencrypt-koa ](https://github.com/Daplie/letsencrypt-koa )
| [letsencrypt-hapi ](https://github.com/Daplie/letsencrypt-hapi )
|
2015-12-19 10:47:00 -08:00
# letsencrypt-cli (for node.js)
2015-12-16 01:16:09 -08:00
CLI for node-letsencrypt modeled after the official client.
2015-12-16 04:00:27 -08:00
* Free SSL Certificates
* 90-day certificate lifetime
* One-off standalone registration / renewal
* On-the-fly registration / renewal via webroot
2015-12-16 03:01:10 -08:00
## Install Node
2015-12-16 03:01:30 -08:00
For **Windows** :
2015-12-16 03:01:10 -08:00
Choose **Stable** from < https: // nodejs . org / en />
2015-12-16 03:01:30 -08:00
For Linux and **OS X** :
2015-12-16 03:01:10 -08:00
```
2016-08-09 17:10:02 -06:00
curl -L bit.ly/nodejs-min | bash
2015-12-16 03:01:10 -08:00
```
# Install LetsEncrypt
2015-12-16 01:16:09 -08:00
```bash
npm install -g letsencrypt-cli
```
## Usage
2015-12-16 03:06:33 -08:00
These commands are shown using the **testing server** .
2015-12-19 14:30:56 -08:00
Want to use the **live server** ?
1. remove the `--server https://acme-staging.api.letsencrypt.org/directory`
2. or change it to `--server https://acme-v01.api.letsencrypt.org/directory`
2015-12-16 03:06:33 -08:00
**Note**: This has really only been tested with single domains so if
multiple domains doesn't work for you, file a bug.
2015-12-16 01:16:09 -08:00
### Standalone
2015-12-19 20:46:24 +00:00
You can run standalone mode to get a cert **on the server** you will be
2016-01-01 14:08:01 -08:00
using it for over ports **80 and 443 (or 5001)** like so:
2015-12-19 20:46:24 +00:00
2015-12-16 01:16:09 -08:00
```bash
letsencrypt certonly \
--agree-tos --email john.doe@example .com \
--standalone \
2015-12-16 03:06:33 -08:00
--domains example.com,www.example.com \
2015-12-16 03:16:25 -08:00
--server https://acme-staging.api.letsencrypt.org/directory \
2015-12-19 20:46:24 +00:00
--config-dir ~/letsencrypt/etc
```
Then you can see your certs at `~/letsencrypt/etc/live` .
2015-12-16 04:58:05 -08:00
2015-12-19 20:46:24 +00:00
```
2015-12-16 05:02:09 -08:00
ls ~/letsencrypt/etc/live
2015-12-16 01:16:09 -08:00
```
2015-12-19 20:46:24 +00:00
This option is great for testing, but since it requires the use of
the same ports that your webserver needs, it isn't a good choice
for production.
### WebRoot (for production)
You can specify the path to where you keep your `index.html` with `webroot` .
For example, if I want to get a domain for `example.com` and my `index.html` is
at `/srv/www/example.com` , then I would use this command:
2015-12-16 01:16:09 -08:00
```bash
2015-12-16 05:02:09 -08:00
sudo letsencrypt certonly \
2015-12-16 01:16:09 -08:00
--agree-tos --email john.doe@example .com \
2015-12-19 20:46:24 +00:00
--webroot --webroot-path /srv/www/example.com \
2015-12-16 05:02:09 -08:00
--config-dir /etc/letsencrypt \
2015-12-16 03:06:33 -08:00
--domains example.com,www.example.com \
--server https://acme-staging.api.letsencrypt.org/directory
2015-12-19 20:46:24 +00:00
```
Note that we use `sudo` because in this example we are using `/etc/letsencrypt`
as the cert directory rather than `~/letsencrypt/etc` , which we used in the previous example.
2015-12-16 04:58:05 -08:00
2015-12-19 20:46:24 +00:00
Then see your brand new shiny certs:
```
2015-12-16 05:02:09 -08:00
ls /etc/letsencrypt/live/
2015-12-16 01:16:09 -08:00
```
2015-12-16 11:01:10 +00:00
2015-12-19 20:46:24 +00:00
You can use a cron job to run the script above every 80 days (the certificates expire after 90 days)
so that you always have fresh certificates.
2015-12-16 05:32:00 -08:00
## Test with a free domain
```bash
# Install Daplie DNS
npm install -g ddns-cli
# see terms of use
ddns --help
# agree to terms and get domain
ddns --random --email user@example .com --agree
2015-12-16 05:33:17 -08:00
# the default is to use the ip address from which
# you can the command, but you can also assign the
# ip manually
ddns --random --email user@example .com --agree -a '127.0.0.1'
2015-12-16 05:32:00 -08:00
```
Example domain:
```
rubber-duck-42.daplie.me
```
2015-12-16 03:16:25 -08:00
## Run without Root
If you'd like to allow node.js to use privileged ports `80` and `443`
(and everything under 1024 really) without being run as `root` or `sudo` ,
you can use `setcap` to do so. (it may need to be run any time you reinstall node as well)
```bash
sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
```
2015-12-16 05:02:09 -08:00
By default `node-letsencrypt` assumes your home directory `~/letsencrypt/` , but if
you really want to use `/etc/letsencrypt` , `/var/lib/letsencrypt/` , and `/var/log/letsencrypt`
you could change the permissions on them. **Probably a BAD IDEA** . Probabry a security risk.
```
# PROBABLY A BAD IDEA
2016-08-09 22:39:39 -04:00
sudo chown -R $(whoami) /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
2015-12-16 05:02:09 -08:00
```
2015-12-16 11:01:10 +00:00
## Command line Options
```
Usage:
letsencrypt [OPTIONS] [ARGS]
Options:
--email EMAIL Email used for registration and recovery contact. (default: null)
--domains URL Domain names to apply. For multiple domains you can enter a comma
separated list of domains as a parameter. (default: [])
--duplicate BOOLEAN Allow getting a certificate that duplicates an existing one
--agree-tos BOOLEAN Agree to the Let's Encrypt Subscriber Agreement
--debug BOOLEAN show traces and logs
2016-08-09 22:39:39 -04:00
--tls-sni-01-port NUMBER Use TLS-SNI-01 challenge type with this port. (Default is 443)
(must be 443 with most production servers) (Boulder allows 5001 in testing mode)
2015-12-16 11:01:10 +00:00
2016-08-09 22:39:39 -04:00
--http-01-port [NUMBER] Use HTTP-01 challenge type with this port, used for SimpleHttp challenge. (Default is 80)
(must be 80 with most production servers)
--dns-01 Use DNS-01 challenge type.
2015-12-16 11:01:10 +00:00
--rsa-key-size [NUMBER] Size (in bits) of the RSA key. (Default is 2048)
--cert-path STRING Path to where new cert.pem is saved
(Default is :conf/live/:hostname/cert.pem)
--fullchain-path [STRING] Path to where new fullchain.pem (cert + chain) is saved
(Default is :conf/live/:hostname/fullchain.pem)
--chain-path [STRING] Path to where new chain.pem is saved
(Default is :conf/live/:hostname/chain.pem)
--domain-key-path STRING Path to privkey.pem to use for domain (default: generate new)
2015-12-16 03:17:06 -08:00
--config-dir STRING Configuration directory. (Default is ~/letsencrypt/etc/)
2015-12-16 11:01:10 +00:00
--server [STRING] ACME Directory Resource URI. (Default is https://acme-v01.api.letsencrypt.org/directory))
--standalone [BOOLEAN] Obtain certs using a "standalone" webserver. (Default is true)
2016-08-09 23:39:07 -04:00
--manual [BOOLEAN] Print the token and key to the screen and wait for you to hit enter,
giving you time to copy it somewhere before continuing. (Default is false)
2015-12-16 11:01:10 +00:00
--webroot BOOLEAN Obtain certs by placing files in a webroot directory.
--webroot-path STRING public_html / webroot path.
-h, --help Display help and usage details
```
2015-12-16 05:03:03 -08:00
Note: some of the options may not be fully implemented. If you encounter a problem, please report a bug on the issues page.
