greenlock-express.js/README.md

| Sponsored by [ppl](https://ppl.family)
| [greenlock (lib)](https://git.coolaj86.com/coolaj86/greenlock.js)
| [gl-cli](https://git.coolaj86.com/coolaj86/greenlock-cli.js)
| [gl-cluster](https://git.coolaj86.com/coolaj86/greenlock-cluster.js)
| **gl-express**
| [gl-koa](https://git.coolaj86.com/coolaj86/greenlock-koa.js)
| [gl-hapi](https://git.coolaj86.com/coolaj86/greenlock-hapi.js)
|

greenlock-express.js
=================

(formerly letsencrypt-express)

Free SSL for node.js.

Fully automatic HTTPS with Express.js
(and all other middleware systems), including virtual hosting (vhost) support with multiple domains.

Certificate renewals happen in the background between 10 and 14 days before expiration (~78 days).

## Now supports Let's Encrypt v2!!

* Let's Encrypt v1 (aka v01)
* Let's Encrypt v2 (aka v02 or ACME draft 11)
* ACME draft 11 (ACME v2 is a misnomer)
* Wildcard domains!! (via dns-01 challenges)
  * `*.example.com`

Install
=======

```bash
npm install --save greenlock-express@2.x
```

QuickStart
==========
<!--
[![Free SSL with Greenlock.js](https://i.imgur.com/Y8ix6Ts.png)](https://youtu.be/e8vaR4CEZ5s)
-->

### Screencast

Watch the QuickStart demonstration: https://youtu.be/e8vaR4CEZ5s

* [0:00](https://youtu.be/e8vaR4CEZ5s#t=0) - Intro
* [2:22](https://youtu.be/e8vaR4CEZ5s#t=142) - Demonstrating QuickStart Example
* [6:37](https://youtu.be/e8vaR4CEZ5s?t=397) - Troubleshooting / Gotchas

### Working Example Code

Here's a completely working example that will get you started.

```
git clone https://git.coolaj86.com/coolaj86/greenlock-express.js.git
pushd greenlock-express.js
  npm install
popd

# edit 'email' and 'approveDomains' in
# greenlock-express.js/examples/simple.js

node greenlock-express.js/examples/simple.js
```

All you have to do is start the webserver and then visit it at its domain name.

`app.js`:
```javascript
'use strict';

require('greenlock-express').create({

  // Let's Encrypt v2 is ACME draft 11
  version: 'draft-11'

  // You MUST change 'acme-staging-v02' to 'acme-v02' in production
, server: 'https://acme-staging-v02.api.letsencrypt.org/directory'  // staging

  // You MUST change this to a valid email address
, email: 'john.doe@example.com'

  // You MUST NOT build clients that accept the ToS without asking the user
, agreeTos: true

  // You MUST change these to valid domains
  // NOTE: all domains will validated and listed on the certificate
, approveDomains: [ 'example.com', 'www.example.com' ]

  // You MUST have access to write to directory where certs are saved
  // ex: /home/foouser/acme/etc
, configDir: require('path').join(require('os').homedir(), 'acme', 'etc')

, app: require('express')().use('/', function (req, res) {
    res.setHeader('Content-Type', 'text/html; charset=utf-8')
    res.end('Hello, World!\n\n💚 🔒.js');
  })

//, debug: true

}).listen(80, 443);
```

### What if the example didn't work?

Double check the following:

* **Public Facing IP** for `http-01` challenges
  * Are you running this *as* a public-facing webserver (good)? or localhost (bad)?
  * Does `ifconfig` show a public address (good)? or a private one - 10.x, 192.168.x, etc (bad)?
  * If you're on a non-public server, are you using the `dns-01` challenge?
* **correct ACME version**
  * Let's Encrypt **v2** (ACME v2) must use `version: 'draft-11'`
  * Let's Encrypt v1 must use `version: 'v01'`
* **valid email**
  * You MUST set `email` to a **valid address**
  * MX records must validate (`dig MX example.com` for `'john@example.com'`)
* **valid DNS records**
  * You MUST set `approveDomains` to real domains
  * Must have public DNS records (test with `dig +trace A example.com; dig +trace www.example.com` for `[ 'example.com', 'www.example.com' ]`)
* **write access**
  * You MUST set `configDir` to a writeable location (test with `touch ~/acme/etc/tmp.tmp`)
* **port binding privileges**
  * You MUST be able to bind to ports 80 and 443
  * You can do this via `sudo` or [`setcap`](https://gist.github.com/firstdoit/6389682)
* **API limits**
  * You MUST NOT exceed the API [**usage limits**](https://letsencrypt.org/docs/staging-environment/) per domain, certificate, IP address, etc
* **Red Lock, Untrusted**
  * You MUST change the `server` value **in production**
  * Shorten the 'acme-staging-v02' part of the server URL to 'acme-v02'

### Get it working in staging first!

There are a number of common problems related to system configuration -
firewalls, ports, permissions, etc - that you are likely to run up against
when using greenlock for your first time.

In order to avoid being blocked by hitting rate limits with bad requests,
you should always test against the `staging` server
(`https://acme-staging-v02.api.letsencrypt.org/directory`) first.

Plugins
=====
**IMPORTANT**: Community plugins may or may not be maintained and working. Please try with the defaults before switching to community plugins.

|                | challenge | store |
|:--------------:|:---------:|:-----:|
| Build Your Own | [le-challenge-SPEC](https://git.coolaj86.com/coolaj86/le-challenge-manual.js.git) | [le-store-SPEC](https://git.coolaj86.com/coolaj86/le-store-SPEC.js.git) |
| Defaults (fs)  | [le-challenge-fs](https://git.coolaj86.com/coolaj86/le-challenge-fs.js.git) | [le-store-certbot](https://git.coolaj86.com/coolaj86/le-store-certbot.js.git) |
| Full List      | [Search le-store- on npm](https://www.npmjs.com/search?q=le-store-) | [Search le-challenge- on npm](https://www.npmjs.com/search?q=le-challenge-) |
| AWS Route 53   | [thadeetrompetter/le-challenge-route53](https://github.com/thadeetrompetter/le-challenge-route53) | - |
| AWS S3         |  | [paco3346/le-store-awss3](https://github.com/paco3346/le-store-awss3) |
| AWS S3         | [llun/le-challenge-s3](https://github.com/llun/le-challenge-s3) | [llun/le-store-s3](https://github.com/llun/le-store-s3) |
| json           | - | [paulgrove/le-store-simple-fs](https://github.com/paulgrove/le-store-simple-fs)
| Redis          | - | [digitalbazaar/le-store-redis](https://github.com/digitalbazaar/le-store-redis) |

Bugs: Please report bugs with the community plugins to the appropriate owner first, then here if you don't get a response.

Usage
=====
The oversimplified example was the bait
(because everyone seems to want an example that fits in 3 lines, even if it's terribly bad practices),
now here's the switch.

We have another completely working example that will provides a little more to build off of.

```
git clone https://git.coolaj86.com/coolaj86/greenlock-express.js.git
pushd greenlock-express.js
  npm install
popd

# replace 'fooCheckDb' in
# greenlock-express.js/examples/normal.js

node greenlock-express.js/examples/normal.js
```

It looks a little more like this:

`serve.js`:
```javascript
'use strict';

// returns an instance of greenlock.js with additional helper methods
var lex = require('greenlock-express').create({
  // set to https://acme-v02.api.letsencrypt.org/directory in production
  server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
, version: 'draft-11' // Let's Encrypt v2 (ACME v2)

// If you wish to replace the default plugins, you may do so here
//
, challenges: { 'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges' }) }
, store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })

// You probably wouldn't need to replace the default sni handler
// See https://git.coolaj86.com/coolaj86/le-sni-auto if you think you do
//, sni: require('le-sni-auto').create({})

, approveDomains: approveDomains
});
```

The Automatic Certificate Issuance is initiated via SNI (`httpsOptions.SNICallback`).
For security, domain validation MUST have an approval callback in *production*.

```javascript
function approveDomains(opts, certs, cb) {
  // This is where you check your database and associated
  // email addresses with domains and agreements and such


  // The domains being approved for the first time are listed in opts.domains
  // Certs being renewed are listed in certs.altnames
  if (certs) {
    opts.domains = certs.altnames;
  }
  else {
    opts.email = 'john.doe@example.com';
    opts.agreeTos = true;
  }

  // NOTE: you can also change other options such as `challengeType` and `challenge`
  // opts.challengeType = 'http-01';
  // opts.challenge = require('le-challenge-fs').create({});

  cb(null, { options: opts, certs: certs });
}
```


```javascript
// handles acme-challenge and redirects to https
require('http').createServer(lex.middleware(require('redirect-https')())).listen(80, function () {
  console.log("Listening for ACME http-01 challenges on", this.address());
});


var app = require('express')();
app.use('/', function (req, res) {
  res.end('Hello, World!');
});

// handles your app
require('https').createServer(lex.httpsOptions, lex.middleware(app)).listen(443, function () {
  console.log("Listening for ACME tls-sni-01 challenges and serve app on", this.address());
});
```

**Security Warning**:

If you don't do proper checks in `approveDomains(opts, certs, cb)`
an attacker will spoof SNI packets with bad hostnames and that will
cause you to be rate-limited and or blocked from the ACME server.


API
===

This module is an elaborate ruse (to provide an oversimplified example and to nab some SEO).

The API is actually located at [greenlock.js options](https://git.coolaj86.com/coolaj86/greenlock.js)
(because all options are simply passed through to `greenlock.js` proper without modification).

The only "API" consists of two options, the rest is just a wrapper around `greenlock.js` to take LOC from 15 to 5:

* `opts.app` An express app in the format `function (req, res) { ... }` (no `next`).
* `lex.listen(plainPort, tlsPort)` Accepts port numbers (or arrays of port numbers) to listen on.

Brief overview of some simple options for `greenlock.js`:

* `opts.server` set to https://acme-v02.api.letsencrypt.org/directory in production
* `opts.version` set to `v01` for Let's Encrypt v1 or `draft-11` for Let's Encrypt v2 (mistakenly called ACME v2)
* `opts.email` The default email to use to accept agreements.
* `opts.agreeTos` When set to `true`, this always accepts the LetsEncrypt TOS. When a string it checks the agreement url first.
* `opts.approveDomains` can be either of:
  * An explicit array of allowed domains such as `[ 'example.com', 'www.example.com' ]`
  * A callback `function (opts, certs, cb) { cb(null, { options: opts, certs: certs }); }` for setting `email`, `agreeTos`, `domains`, etc (as shown in usage example above)
* `opts.renewWithin` is the **maximum** number of days (in ms) before expiration to renew a certificate.
* `opts.renewBy` is the **minimum** number of days (in ms) before expiration to renew a certificate.
move sponsorship 2018-04-20 06:43:02 +00:00			`\| Sponsored by [ppl](https://ppl.family)`
update urls 2017-11-24 19:02:56 -07:00			`\| [greenlock (lib)](https://git.coolaj86.com/coolaj86/greenlock.js)`
cleanup related repos banner 2018-04-30 15:44:03 +00:00			`\| [gl-cli](https://git.coolaj86.com/coolaj86/greenlock-cli.js)`
			`\| [gl-cluster](https://git.coolaj86.com/coolaj86/greenlock-cluster.js)`
			`\| gl-express`
			`\| [gl-koa](https://git.coolaj86.com/coolaj86/greenlock-koa.js)`
			`\| [gl-hapi](https://git.coolaj86.com/coolaj86/greenlock-hapi.js)`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`\|`

move sponsorship 2018-04-20 06:43:02 +00:00			`greenlock-express.js`
			`=================`

cleanup 2018-04-20 07:15:00 +00:00			`(formerly letsencrypt-express)`
ACME v2 support 2018-04-19 21:27:57 -06:00
cleanup 2018-04-20 07:14:39 +00:00			`Free SSL for node.js.`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00
cleanup 2018-04-20 07:14:39 +00:00			`Fully automatic HTTPS with Express.js`
			`(and all other middleware systems), including virtual hosting (vhost) support with multiple domains.`
Update 'README.md' 2018-04-20 07:09:34 +00:00
cleanup 2018-04-20 07:14:39 +00:00			`Certificate renewals happen in the background between 10 and 14 days before expiration (~78 days).`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00			`## Now supports Let's Encrypt v2!!`

			`* Let's Encrypt v1 (aka v01)`
			`* Let's Encrypt v2 (aka v02 or ACME draft 11)`
			`* ACME draft 11 (ACME v2 is a misnomer)`
update 2018-04-20 04:18:34 +00:00			`* Wildcard domains!! (via dns-01 challenges)`
			* `*.example.com`
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00
v2.0.0 2016-08-12 03:02:33 -04:00			`Install`
			`=======`

			```bash
letsencrypt to greenlock 2017-01-25 15:02:16 -07:00			`npm install --save greenlock-express@2.x`
v2.0.0 2016-08-12 03:02:33 -04:00			```

letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`QuickStart`
update headers 2016-08-15 19:14:57 -04:00			`==========`
remove screencast preview (buggy in gitea) 2018-04-23 20:04:07 +00:00			`<!--`
add Screencast 2018-04-23 19:55:03 +00:00			`[![Free SSL with Greenlock.js](https://i.imgur.com/Y8ix6Ts.png)](https://youtu.be/e8vaR4CEZ5s)`
remove screencast preview (buggy in gitea) 2018-04-23 20:04:07 +00:00			`-->`
add Screencast 2018-04-23 19:55:03 +00:00
update screencast 2018-04-23 20:02:50 +00:00			`### Screencast`

			`Watch the QuickStart demonstration: https://youtu.be/e8vaR4CEZ5s`

			`* [0:00](https://youtu.be/e8vaR4CEZ5s#t=0) - Intro`
			`* [2:22](https://youtu.be/e8vaR4CEZ5s#t=142) - Demonstrating QuickStart Example`
			`* [6:37](https://youtu.be/e8vaR4CEZ5s?t=397) - Troubleshooting / Gotchas`

			`### Working Example Code`

cleanup 2018-04-20 07:14:39 +00:00			`Here's a completely working example that will get you started.`

note 'normal' example and git clone 2018-04-20 08:59:33 +00:00			```
			`git clone https://git.coolaj86.com/coolaj86/greenlock-express.js.git`
			`pushd greenlock-express.js`
			`npm install`
			`popd`

			`# edit 'email' and 'approveDomains' in`
			`# greenlock-express.js/examples/simple.js`

			`node greenlock-express.js/examples/simple.js`
			```

cleanup 2018-04-20 07:14:39 +00:00			`All you have to do is start the webserver and then visit it at its domain name.`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`app.js`:
v2.0.0 2016-08-12 03:02:33 -04:00			```javascript
			`'use strict';`

letsencrypt to greenlock 2017-01-25 15:02:16 -07:00			`require('greenlock-express').create({`
v2.0.0 2016-08-12 03:02:33 -04:00
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`// Let's Encrypt v2 is ACME draft 11`
			`version: 'draft-11'`

			`// You MUST change 'acme-staging-v02' to 'acme-v02' in production`
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00			`, server: 'https://acme-staging-v02.api.letsencrypt.org/directory' // staging`
v2.0.0 2016-08-12 03:02:33 -04:00
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`// You MUST change this to a valid email address`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`, email: 'john.doe@example.com'`
v2.0.0 2016-08-12 03:02:33 -04:00
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`// You MUST NOT build clients that accept the ToS without asking the user`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`, agreeTos: true`
v2.0.0 2016-08-12 03:02:33 -04:00
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`// You MUST change these to valid domains`
			`// NOTE: all domains will validated and listed on the certificate`
			`, approveDomains: [ 'example.com', 'www.example.com' ]`

			`// You MUST have access to write to directory where certs are saved`
			`// ex: /home/foouser/acme/etc`
			`, configDir: require('path').join(require('os').homedir(), 'acme', 'etc')`
lex v2.x 2016-08-15 21:15:16 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`, app: require('express')().use('/', function (req, res) {`
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`res.setHeader('Content-Type', 'text/html; charset=utf-8')`
			`res.end('Hello, World!\n\n💚 🔒.js');`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`})`
v2.0.0 2016-08-12 03:02:33 -04:00
added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`//, debug: true`

letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`}).listen(80, 443);`
v2.0.0 2016-08-12 03:02:33 -04:00			```

added checklist for 'example doesn't work' 2018-04-20 04:35:39 +00:00			`### What if the example didn't work?`

cleanup 2018-04-20 07:23:22 +00:00			`Double check the following:`

			* Public Facing IP for `http-01` challenges
			`* Are you running this as a public-facing webserver (good)? or localhost (bad)?`
			* Does `ifconfig` show a public address (good)? or a private one - 10.x, 192.168.x, etc (bad)?
			* If you're on a non-public server, are you using the `dns-01` challenge?
			`* correct ACME version`
			* Let's Encrypt v2 (ACME v2) must use `version: 'draft-11'`
			* Let's Encrypt v1 must use `version: 'v01'`
			`* valid email`
			* You MUST set `email` to a valid address
			* MX records must validate (`dig MX example.com` for `'john@example.com'`)
			`* valid DNS records`
			* You MUST set `approveDomains` to real domains
			* Must have public DNS records (test with `dig +trace A example.com; dig +trace www.example.com` for `[ 'example.com', 'www.example.com' ]`)
			`* write access`
			* You MUST set `configDir` to a writeable location (test with `touch ~/acme/etc/tmp.tmp`)
			`* port binding privileges`
Update 'README.md' 2018-04-21 02:24:50 +00:00			`* You MUST be able to bind to ports 80 and 443`
cleanup 2018-04-20 07:23:22 +00:00			* You can do this via `sudo` or [`setcap`](https://gist.github.com/firstdoit/6389682)
			`* API limits`
			`* You MUST NOT exceed the API [usage limits](https://letsencrypt.org/docs/staging-environment/) per domain, certificate, IP address, etc`
			`* Red Lock, Untrusted`
			* You MUST change the `server` value in production
			`* Shorten the 'acme-staging-v02' part of the server URL to 'acme-v02'`
v2.0.0 2016-08-12 03:02:33 -04:00
Update 'README.md' 2018-04-20 07:09:34 +00:00			`### Get it working in staging first!`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`There are a number of common problems related to system configuration -`
			`firewalls, ports, permissions, etc - that you are likely to run up against`
letsencrypt to greenlock 2017-01-25 15:02:16 -07:00			`when using greenlock for your first time.`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`In order to avoid being blocked by hitting rate limits with bad requests,`
clarify 2018-04-20 05:29:33 +00:00			you should always test against the `staging` server
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00			(`https://acme-staging-v02.api.letsencrypt.org/directory`) first.
v2.0.0 2016-08-12 03:02:33 -04:00
Add plugins 2018-04-30 15:42:33 +00:00			`Plugins`
			`=====`
Update 'README.md' 2018-04-30 15:46:34 +00:00			`IMPORTANT: Community plugins may or may not be maintained and working. Please try with the defaults before switching to community plugins.`
Add plugins 2018-04-30 15:42:33 +00:00
			`\| \| challenge \| store \|`
			`\|:--------------:\|:---------:\|:-----:\|`
			`\| Build Your Own \| [le-challenge-SPEC](https://git.coolaj86.com/coolaj86/le-challenge-manual.js.git) \| [le-store-SPEC](https://git.coolaj86.com/coolaj86/le-store-SPEC.js.git) \|`
			`\| Defaults (fs) \| [le-challenge-fs](https://git.coolaj86.com/coolaj86/le-challenge-fs.js.git) \| [le-store-certbot](https://git.coolaj86.com/coolaj86/le-store-certbot.js.git) \|`
			`\| Full List \| [Search le-store- on npm](https://www.npmjs.com/search?q=le-store-) \| [Search le-challenge- on npm](https://www.npmjs.com/search?q=le-challenge-) \|`
			`\| AWS Route 53 \| [thadeetrompetter/le-challenge-route53](https://github.com/thadeetrompetter/le-challenge-route53) \| - \|`
			`\| AWS S3 \| \| [paco3346/le-store-awss3](https://github.com/paco3346/le-store-awss3) \|`
			`\| AWS S3 \| [llun/le-challenge-s3](https://github.com/llun/le-challenge-s3) \| [llun/le-store-s3](https://github.com/llun/le-store-s3) \|`
			`\| json \| - \| [paulgrove/le-store-simple-fs](https://github.com/paulgrove/le-store-simple-fs)`
			`\| Redis \| - \| [digitalbazaar/le-store-redis](https://github.com/digitalbazaar/le-store-redis) \|`

Update 'README.md' 2018-04-30 15:46:34 +00:00			`Bugs: Please report bugs with the community plugins to the appropriate owner first, then here if you don't get a response.`

update headers 2016-08-15 19:14:57 -04:00			`Usage`
			`=====`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`The oversimplified example was the bait`
			`(because everyone seems to want an example that fits in 3 lines, even if it's terribly bad practices),`
note 'normal' example and git clone 2018-04-20 08:59:33 +00:00			`now here's the switch.`

			`We have another completely working example that will provides a little more to build off of.`

			```
			`git clone https://git.coolaj86.com/coolaj86/greenlock-express.js.git`
			`pushd greenlock-express.js`
			`npm install`
			`popd`

			`# replace 'fooCheckDb' in`
			`# greenlock-express.js/examples/normal.js`

			`node greenlock-express.js/examples/normal.js`
			```

			`It looks a little more like this:`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`serve.js`:
			```javascript
			`'use strict';`
v2.0.0 2016-08-12 03:02:33 -04:00
node-greenlock -> greenlock.js 2018-04-20 05:32:15 +00:00			`// returns an instance of greenlock.js with additional helper methods`
letsencrypt to greenlock 2017-01-25 15:02:16 -07:00			`var lex = require('greenlock-express').create({`
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00			`// set to https://acme-v02.api.letsencrypt.org/directory in production`
			`server: 'https://acme-staging-v02.api.letsencrypt.org/directory'`
			`, version: 'draft-11' // Let's Encrypt v2 (ACME v2)`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`// If you wish to replace the default plugins, you may do so here`
			`//`
fix #79 put colon in example in the right place 2016-08-19 13:31:37 -06:00			`, challenges: { 'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges' }) }`
Update README.md 2016-08-18 00:27:47 -06:00			`, store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })`
fix issue #77 don't show replacing le-sni-auto in example 2016-08-18 12:58:40 -06:00
			`// You probably wouldn't need to replace the default sni handler`
update urls 2017-11-24 19:02:56 -07:00			`// See https://git.coolaj86.com/coolaj86/le-sni-auto if you think you do`
fix issue #77 don't show replacing le-sni-auto in example 2016-08-18 12:58:40 -06:00			`//, sni: require('le-sni-auto').create({})`
clarify / normalize some options 2016-08-12 03:48:21 -04:00
Update README.md 2016-08-17 09:11:10 -06:00			`, approveDomains: approveDomains`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`});`
Update README.md 2016-08-17 09:09:43 -06:00			```
v2.0.0 2016-08-12 03:02:33 -04:00
Update 'README.md' 2018-04-20 07:09:34 +00:00			The Automatic Certificate Issuance is initiated via SNI (`httpsOptions.SNICallback`).
			`For security, domain validation MUST have an approval callback in production.`

Update README.md 2016-08-17 09:11:10 -06:00			```javascript
			`function approveDomains(opts, certs, cb) {`
			`// This is where you check your database and associated`
			`// email addresses with domains and agreements and such`


			`// The domains being approved for the first time are listed in opts.domains`
			`// Certs being renewed are listed in certs.altnames`
			`if (certs) {`
			`opts.domains = certs.altnames;`
			`}`
			`else {`
			`opts.email = 'john.doe@example.com';`
			`opts.agreeTos = true;`
			`}`

note changing challengeType in approveDomains 2016-10-14 13:37:53 -06:00			// NOTE: you can also change other options such as `challengeType` and `challenge`
			`// opts.challengeType = 'http-01';`
			`// opts.challenge = require('le-challenge-fs').create({});`

Update README.md 2016-08-17 09:11:10 -06:00			`cb(null, { options: opts, certs: certs });`
			`}`
			```

v2.0.0 2016-08-12 03:02:33 -04:00
Update README.md 2016-08-17 09:09:43 -06:00			```javascript
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`// handles acme-challenge and redirects to https`
update example 2016-08-19 16:22:57 -06:00			`require('http').createServer(lex.middleware(require('redirect-https')())).listen(80, function () {`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`console.log("Listening for ACME http-01 challenges on", this.address());`
			`});`
v2.0.0 2016-08-12 03:02:33 -04:00


letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`var app = require('express')();`
			`app.use('/', function (req, res) {`
			`res.end('Hello, World!');`
			`});`
v2.0.0 2016-08-12 03:02:33 -04:00
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`// handles your app`
le -> lex 2016-08-17 09:08:47 -06:00			`require('https').createServer(lex.httpsOptions, lex.middleware(app)).listen(443, function () {`
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00			`console.log("Listening for ACME tls-sni-01 challenges and serve app on", this.address());`
			`});`
v2.0.0 2016-08-12 03:02:33 -04:00			```

Update README.md 2016-08-17 09:25:07 -06:00			`Security Warning:`

			If you don't do proper checks in `approveDomains(opts, certs, cb)`
			`an attacker will spoof SNI packets with bad hostnames and that will`
			`cause you to be rate-limited and or blocked from the ACME server.`


update headers 2016-08-15 19:14:57 -04:00			`API`
			`===`
explain more options 2016-08-12 03:56:19 -04:00
lex v2.x 2016-08-15 21:15:16 -04:00			`This module is an elaborate ruse (to provide an oversimplified example and to nab some SEO).`

node-greenlock -> greenlock.js 2018-04-20 05:32:15 +00:00			`The API is actually located at [greenlock.js options](https://git.coolaj86.com/coolaj86/greenlock.js)`
			(because all options are simply passed through to `greenlock.js` proper without modification).
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00
node-greenlock -> greenlock.js 2018-04-20 05:32:15 +00:00			The only "API" consists of two options, the rest is just a wrapper around `greenlock.js` to take LOC from 15 to 5:
letsencrypt-express v2.x 2016-08-15 19:12:39 -04:00
lex v2.x 2016-08-15 21:15:16 -04:00			* `opts.app` An express app in the format `function (req, res) { ... }` (no `next`).
			* `lex.listen(plainPort, tlsPort)` Accepts port numbers (or arrays of port numbers) to listen on.
explain more options 2016-08-12 03:56:19 -04:00
node-greenlock -> greenlock.js 2018-04-20 05:32:15 +00:00			Brief overview of some simple options for `greenlock.js`:
explain more options 2016-08-12 03:56:19 -04:00
node-greenlock -> greenlock.js 2018-04-20 05:32:15 +00:00			* `opts.server` set to https://acme-v02.api.letsencrypt.org/directory in production
update for Let's Encrypt v2 2018-04-19 21:37:56 -06:00			* `opts.version` set to `v01` for Let's Encrypt v1 or `draft-11` for Let's Encrypt v2 (mistakenly called ACME v2)
lex v2.x 2016-08-15 21:15:16 -04:00			* `opts.email` The default email to use to accept agreements.
			* `opts.agreeTos` When set to `true`, this always accepts the LetsEncrypt TOS. When a string it checks the agreement url first.
Update README.md 2016-08-17 09:25:07 -06:00			* `opts.approveDomains` can be either of:
			* An explicit array of allowed domains such as `[ 'example.com', 'www.example.com' ]`
			* A callback `function (opts, certs, cb) { cb(null, { options: opts, certs: certs }); }` for setting `email`, `agreeTos`, `domains`, etc (as shown in usage example above)
lex v2.x 2016-08-15 21:15:16 -04:00			* `opts.renewWithin` is the maximum number of days (in ms) before expiration to renew a certificate.
			* `opts.renewBy` is the minimum number of days (in ms) before expiration to renew a certificate.