greenlock-store-fs.js/README.md

# le-store-fs

A greenlock keypair and certificate storage strategy with wildcard support (simpler successor to le-store-certbot).

# Usage

```js
var greenlock = require('greenlock');
var gl = greenlock.create({
  configDir: '~/.config/acme'
, store: require('le-store-fs')
, approveDomains: approveDomains
, ...
});
```

# File System

The default file system layout mirrors that of le-store-certbot in order to make transitioning effortless,
in most situations:

```
acme
├── accounts
│   └── acme-staging-v02.api.letsencrypt.org
│       └── directory
│           └── sites@example.com.json
└── live
    ├── example.com
    │   ├── bundle.pem
    │   ├── cert.pem
    │   ├── chain.pem
    │   ├── fullchain.pem
    │   └── privkey.pem
    └── www.example.com
        ├── bundle.pem
        ├── cert.pem
        ├── chain.pem
        ├── fullchain.pem
        └── privkey.pem
```

# Wildcards & AltNames

Working with wildcards and multiple altnames requires greenlock >= v2.7.

To do so you must set `opts.subject` and `opts.domains` within the `approvedomains()` callback.

`subject` refers to "the subject of the ssl certificate" as opposed to `domain` which indicates "the domain servername
used in the current request". For single-domain certificates they're always the same, but for multiple-domain
certificates `subject` must be the name no matter what `domain` is receiving a request. `subject` is used as
part of the name of the file storage path where the certificate will be saved (or retrieved).

`domains` should be the list of "altnames" on the certificate, which should include the `subject`.

## Simple Example

```js
function approveDomains(opts) {
  // Allow only example.com and *.example.com (such as foo.example.com)

  // foo.example.com => *.example.com
  var wild = '*.' + opts.domain.split('.').slice(1).join('.');
  if ('example.com' !== opts.domain && '*.example.com' !== wild) {
    cb(new Error(opts.domain + " is not allowed"));
  }

  opts.subject = 'example.com';
  opts.domains = [ 'example.com', '*.example.com' ];

  return Promise.resolve(opts);
}
```

## Realistic Example

```js
function approveDomains(opts, certs, cb) {
  var related = getRelated(opts.domain);
  if (!related) { cb(new Error(opts.domain + " is not allowed")); };

  opts.subject = related.subject;
  opts.domains = related.domains;

  cb({ options: opts, certs: certs });
}
```

```js
function getRelated(domain) {
  var related;
  var wild = '*.' + domain.split('.').slice(1).join('.');
  if (Object.keys(allAllowedDomains).some(function (k) {
    return allAllowedDomains[k].some(function (name) {
      if (domain === name || wild === name) {
        related = { subject: k, altnames: allAllowedDomains[k] };
        return true;
      }
    });
  })) {
    return related;
  }
}
```

```js
var allAllowedDomains = {
  'example.com': ['example.com', '*.example.com']
, 'example.net': ['example.net', '*.example.net']
}
```
initial commit 2019-04-01 01:56:41 -06:00			`# le-store-fs`

			`A greenlock keypair and certificate storage strategy with wildcard support (simpler successor to le-store-certbot).`

			`# Usage`

			```js
			`var greenlock = require('greenlock');`
			`var gl = greenlock.create({`
			`configDir: '~/.config/acme'`
			`, store: require('le-store-fs')`
			`, approveDomains: approveDomains`
			`, ...`
			`});`
			```

			`# File System`

			`The default file system layout mirrors that of le-store-certbot in order to make transitioning effortless,`
			`in most situations:`

			```
			`acme`
			`├── accounts`
			`│ └── acme-staging-v02.api.letsencrypt.org`
			`│ └── directory`
			`│ └── sites@example.com.json`
			`└── live`
			`├── example.com`
			`│ ├── bundle.pem`
			`│ ├── cert.pem`
			`│ ├── chain.pem`
			`│ ├── fullchain.pem`
			`│ └── privkey.pem`
			`└── www.example.com`
			`├── bundle.pem`
			`├── cert.pem`
			`├── chain.pem`
			`├── fullchain.pem`
			`└── privkey.pem`
			```

			`# Wildcards & AltNames`

			`Working with wildcards and multiple altnames requires greenlock >= v2.7.`

			To do so you must set `opts.subject` and `opts.domains` within the `approvedomains()` callback.

			`subject` refers to "the subject of the ssl certificate" as opposed to `domain` which indicates "the domain servername
			`used in the current request". For single-domain certificates they're always the same, but for multiple-domain`
			certificates `subject` must be the name no matter what `domain` is receiving a request. `subject` is used as
			`part of the name of the file storage path where the certificate will be saved (or retrieved).`

			`domains` should be the list of "altnames" on the certificate, which should include the `subject`.

			`## Simple Example`

			```js
v1.0.0: update docs, burn the logs, cleanup comments, etc 2019-04-02 22:24:07 -06:00			`function approveDomains(opts) {`
			`// Allow only example.com and *.example.com (such as foo.example.com)`

initial commit 2019-04-01 01:56:41 -06:00			`// foo.example.com => *.example.com`
			`var wild = '*.' + opts.domain.split('.').slice(1).join('.');`
v1.0.0: update docs, burn the logs, cleanup comments, etc 2019-04-02 22:24:07 -06:00			`if ('example.com' !== opts.domain && '*.example.com' !== wild) {`
			`cb(new Error(opts.domain + " is not allowed"));`
			`}`
initial commit 2019-04-01 01:56:41 -06:00
v1.0.0: update docs, burn the logs, cleanup comments, etc 2019-04-02 22:24:07 -06:00			`opts.subject = 'example.com';`
			`opts.domains = [ 'example.com', '*.example.com' ];`
initial commit 2019-04-01 01:56:41 -06:00
v1.0.0: update docs, burn the logs, cleanup comments, etc 2019-04-02 22:24:07 -06:00			`return Promise.resolve(opts);`
initial commit 2019-04-01 01:56:41 -06:00			`}`
			```

			`## Realistic Example`

			```js
			`function approveDomains(opts, certs, cb) {`
			`var related = getRelated(opts.domain);`
v0.9.1: whitspace fixes 2019-04-01 01:58:47 -06:00			`if (!related) { cb(new Error(opts.domain + " is not allowed")); };`
initial commit 2019-04-01 01:56:41 -06:00
v0.9.1: whitspace fixes 2019-04-01 01:58:47 -06:00			`opts.subject = related.subject;`
			`opts.domains = related.domains;`
initial commit 2019-04-01 01:56:41 -06:00
			`cb({ options: opts, certs: certs });`
			`}`
			```

			```js
			`function getRelated(domain) {`
			`var related;`
			`var wild = '*.' + domain.split('.').slice(1).join('.');`
v0.9.1: whitspace fixes 2019-04-01 01:58:47 -06:00			`if (Object.keys(allAllowedDomains).some(function (k) {`
			`return allAllowedDomains[k].some(function (name) {`
			`if (domain === name \|\| wild === name) {`
initial commit 2019-04-01 01:56:41 -06:00			`related = { subject: k, altnames: allAllowedDomains[k] };`
v0.9.1: whitspace fixes 2019-04-01 01:58:47 -06:00			`return true;`
			`}`
			`});`
initial commit 2019-04-01 01:56:41 -06:00			`})) {`
			`return related;`
			`}`
			`}`
			```

			```js
			`var allAllowedDomains = {`
			`'example.com': ['example.com', '*.example.com']`
			`, 'example.net': ['example.net', '*.example.net']`
			`}`
			```