This repository contains ACME test programs that exercise the Go crypto/acme package with the DNS-01 challenge. The programs use the Go acme package as the client, Let's Encrypt as the ACME server and CA, and the Cloudflare API to create and remove DNS records.
These programs also assume the following:
- There is a directory called LEAcnt and an environment variable named LEAcnt that points to that directory.
- There is a directory called zoneDir and an environment variable named zoneDir that points to that directory.
- There is a directory called certDir and an environment variable named certDir that points to that directory.
This folder should contain a file named cfDomainsShort.yaml. The file lists the names and ids of all domains (zones) served by Cloudflare's nameservers from your Cloudflare account. Its content is generated by the program [createDomainList].
This directory holds (for now) the private and public key of the Let's Encrypt account. These keys are generated with the program
The program generates a private and public key (LE_private.key and LE_public.key). The key files are stored in PEM format in the folder LEAcnt/account.
GetLEAcnt retrieves the LE account. It can be used to check that the LE account exists.
The program CreateCert retrieves the LE account and creates an ACME client. It then:
Reads a csrList file from LEAcnt and checks each domain against the Cloudflare domain list.
Requests an authorization order for the domains in the csrList file and obtains the challenge tokens.
Publishes the challenge responses as DNS TXT records named _acme-challenge.<domain> (the TXT value is not the raw token but the base64url SHA-256 of the key authorization, as crypto/acme's DNS01ChallengeRecord computes it).
Reads the TXT records back to confirm that the new records are visible before the CA is asked to inspect them.
Once the records are visible, accepts the challenges, which tells the CA that it may validate them.
Waits for the CA to confirm that it has validated the DNS challenges.
Builds a Certificate Signing Request (CSR) template and submits the CSR to the CA.
This program creates an account on the Let's Encrypt CA server.
usage: ./createLEAcnt /acnt=account [/dbg]
This program reads a YAML account file and checks the validity of the account with the LE CA server.
usage: ./checkLEAcnt /acnt=account [/dbg]
This program reads a CsrList YAML file.
usage: ./RdCsrList /csr=csrList.yaml
The program createCerts creates x509 certificates. The generated certificates are stored in the directory LEAcnt/certs. The program takes a csr file as input; csr files are stored in the directory LEAcnt/csrList.
Note: if the csr file contains multiple domain names, a single certificate carrying all of them (as subject alternative names) is generated.
usage: ./createCerts /csr=csrList.yaml [/dbg]
The program createMultiCerts creates one x509 certificate and key pair for each domain name listed in the csr file. The generated certificates are stored in the directory LEAcnt/certs. The program takes a csr file as input; csr files are stored in the directory LEAcnt/csrList.
usage: ./createMultiCerts /csr=csrList.yaml [/dbg]
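The difference between createCerts and createMultiCerts is only how the domain list is split into certificate requests; the CSR itself is built the same way in both cases. The following Go program is an added example, not code from this repository; it uses only the standard library. It normalizes a constructed csrList (case, trailing dot, duplicates), groups the domains either into one request carrying every name as a SAN or into one request per domain, and produces the DER-encoded PKCS#10 request that crypto/acme's CreateOrderCert expects. The domain names and the csrGroups/buildCSR helper names are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// normalizeDomains lowercases, strips a trailing dot and removes duplicates while
// keeping order, so "Example.TEST." and "example.test" do not become two SANs.
func normalizeDomains(domains []string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, d := range domains {
		d = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(d), "."))
		if d == "" || strings.ContainsAny(d, " /\\@") {
			return nil, fmt.Errorf("invalid domain %q", d)
		}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	if len(out) == 0 {
		return nil, errors.New("no domains given")
	}
	return out, nil
}

// csrGroups decides how many certificates are requested: one CSR carrying every
// domain as a SAN (the createCerts case) or one CSR per domain (createMultiCerts).
func csrGroups(domains []string, perDomain bool) ([][]string, error) {
	norm, err := normalizeDomains(domains)
	if err != nil {
		return nil, err
	}
	if !perDomain {
		return [][]string{norm}, nil
	}
	groups := make([][]string, 0, len(norm))
	for _, d := range norm {
		groups = append(groups, []string{d})
	}
	return groups, nil
}

// buildCSR returns a DER-encoded PKCS#10 request signed with key. Clients and the
// CA use the SAN list; the CommonName is filled only for legacy tooling.
// The DER is what crypto/acme's CreateOrderCert takes as its csr argument.
func buildCSR(key *ecdsa.PrivateKey, domains []string) ([]byte, error) {
	norm, err := normalizeDomains(domains)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: norm[0]},
		DNSNames: norm,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	// Constructed csrList entries; real ones come from LEAcnt/csrList.
	domains := []string{"Example.TEST.", "www.example.test", "example.test"}
	for _, perDomain := range []bool{false, true} {
		groups, err := csrGroups(domains, perDomain)
		if err != nil {
			panic(err)
		}
		for _, g := range groups {
			key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key per certificate
			der, err := buildCSR(key, g)
			if err != nil {
				panic(err)
			}
			csr, _ := x509.ParseCertificateRequest(der)
			fmt.Printf("perDomain=%v CN=%s SANs=%v sigOK=%v\n",
				perDomain, csr.Subject.CommonName, csr.DNSNames, csr.CheckSignature() == nil)
		}
	}
}
```

A fresh key is generated per certificate on purpose: the per-domain mode should never reuse one private key across unrelated certificates, and the key that signs the CSR must be the one later saved next to the issued chain.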
The program testDnsChal performs a DNS lookup for each domain in the csr file to check whether the domain's nameserver serves an ACME challenge TXT record. Every domain listed in the csr file is tested.
usage: ./testDnsChal /csr=csrList.yaml [/dbg]
This program removes all DNS challenge records for the domains listed in the csr file and cleans the csr file.
usage: ./cleanDnsChal /csr=csrList.yaml [/dbg]
This program reads a PEM certificate file (the public half of a key pair), decodes it and prints the decoded output.
- read CsrList
- read the list of domains (zones) managed under Cloudflare
- create the list of domains for certs
- establish an account with Let's Encrypt
- from Let's Encrypt (LE) obtain an authorization order for the domain target list (step 3) with the DNS challenge
- for each domain:
  - get the authorization URL
  - get the token
  - add the DNS TXT record (_acme-challenge.<domain>) at the domain's nameserver
  - check by looking up the added TXT record
  - inform LE
  - confirm that LE has validated the challenge
  - delete the DNS TXT record from the nameserver
- generate the cert key and save it as a PEM file in certDir
- generate the CSR
- submit the CSR to LE
- retrieve the cert as a bundle (cert chain) and save it as a PEM file in certDir
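The per-domain steps above, and the CreateCert and testDnsChal descriptions earlier on this page, hinge on two details that are easy to get wrong: the TXT value must be derived from the token and the account key, and the challenge must not be accepted until the record is actually visible. The following Go program is an added example, not code from this repository; it uses only the standard library. It derives the DNS-01 record value as RFC 8555 section 8.4 specifies (the same value crypto/acme's (*Client).DNS01ChallengeRecord returns), names the record _acme-challenge.<domain>, and polls a TXT lookup until the value appears. The domain example.test, the token string and the in-memory resolver are constructed for the demo; in production the poll loop is given net.DefaultResolver.LookupTXT, or better a resolver pointed at the zone's authoritative servers.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 of the
// canonical JWK (members crv, kty, x, y in that order, no whitespace, 32-byte coords).
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", errors.New("only P-256 account keys are handled here")
	}
	x := base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32)))
	y := base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
	canon := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)
	sum := sha256.Sum256([]byte(canon))
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// dns01Record is the TXT value the CA looks for (RFC 8555 section 8.4):
// base64url(SHA-256(token "." thumbprint)). It is what crypto/acme's
// (*Client).DNS01ChallengeRecord returns; the raw token is never published.
func dns01Record(pub *ecdsa.PublicKey, token string) (string, error) {
	tp, err := jwkThumbprint(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(token + "." + tp))
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// challengeName is the owner name of the TXT record: _acme-challenge.<domain>.
func challengeName(domain string) string {
	return "_acme-challenge." + strings.TrimSuffix(domain, ".") + "."
}

// txtLookup abstracts the resolver so the poll loop can be tested offline;
// production passes net.DefaultResolver.LookupTXT or a resolver aimed at the
// zone's authoritative servers.
type txtLookup func(ctx context.Context, name string) ([]string, error)

// waitForRecord polls until the TXT record carries want or ctx expires.
// Only after it returns nil should the challenge be accepted with the CA.
func waitForRecord(ctx context.Context, lookup txtLookup, name, want string, every time.Duration) error {
	tick := time.NewTicker(every)
	defer tick.Stop()
	for {
		vals, err := lookup(ctx, name)
		if err == nil {
			for _, v := range vals {
				if v == want {
					return nil
				}
			}
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s never showed %q: %w", name, want, ctx.Err())
		case <-tick.C:
		}
	}
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed token; a real one arrives in the challenge object from the CA.
	rec, err := dns01Record(&key.PublicKey, "constructed-challenge-token")
	if err != nil {
		panic(err)
	}
	name := challengeName("example.test")
	fmt.Printf("publish TXT %s %q\n", name, rec)
	// Constructed in-memory resolver: the record "propagates" on the second query.
	queries := 0
	fake := func(ctx context.Context, n string) ([]string, error) {
		queries++
		if queries < 2 {
			return nil, errors.New("NXDOMAIN")
		}
		return []string{"v=spf1 -all", rec}, nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	err = waitForRecord(ctx, fake, name, rec, 100*time.Millisecond)
	fmt.Println("visible after", queries, "queries; err =", err)
}
```

The loop compares the whole TXT value, not just whether a record exists, so a stale value left behind by an earlier run (the reason cleanDnsChal exists) is not mistaken for the fresh one. Querying a public recursive resolver can also return a cached negative answer for several minutes; asking the zone's authoritative servers avoids that wait.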
library that contains utility functions
function that reads the CSR file and returns a csrList
generates a new ACME client
registers the client with Let's Encrypt and creates an LE account
function that converts a domain name into a file name by replacing periods with underscores
saves the private key to a file in PEM format
saves the certificate chain to a file in PEM format
creates a CSR (Certificate Signing Request) template
converts a DER-encoded key into a PEM byte slice
converts a PEM byte slice into a DER-encoded key
saves the private and public key of a client in PEM format
reads the private and public keys from files and returns an ACME client object
prints a CSR object
prints an ACME account object
prints an ACME client object
prints an ACME authorization object
prints an ACME directory object
prints an ACME order object
prints an ACME challenge object
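The PEM helpers listed above (save the private key, save the chain, DER to PEM and back) are where key material touches disk, so file mode and strict parsing matter. The following Go program is an added example, not code from this repository; it uses only the standard library. It writes an EC private key with mode 0600 without ever overwriting an existing key file, parses a key file strictly (wrong block type or trailing bytes are errors), and parses a certificate bundle leaf first. The certificate is a constructed self-signed stand-in so the example runs offline; the temp directory stands in for $certDir, and the domain name is assumed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// saveKeyPEM writes k as a SEC 1 "EC PRIVATE KEY" block with mode 0600 and
// refuses to overwrite an existing file (O_EXCL), so a live key is never clobbered.
func saveKeyPEM(path string, k *ecdsa.PrivateKey) error {
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if err := pem.Encode(f, &pem.Block{Type: "EC PRIVATE KEY", Bytes: der}); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// parseKeyPEM is strict: no block, a wrongly typed block (for instance a
// certificate handed in by mistake) or trailing data after the block are errors.
func parseKeyPEM(b []byte) (*ecdsa.PrivateKey, error) {
	block, rest := pem.Decode(b)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "EC PRIVATE KEY" {
		return nil, fmt.Errorf("unexpected PEM block %q", block.Type)
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("trailing data after key block")
	}
	return x509.ParseECPrivateKey(block.Bytes)
}

// parseChainPEM parses every CERTIFICATE block in a bundle, leaf first, skipping other block types.
func parseChainPEM(b []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(b); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return chain, nil
}

// selfSignedPEM is a constructed stand-in for the CA-issued bundle so the example
// runs offline; the real chain is what the CA returns for the finalized order.
func selfSignedPEM(k *ecdsa.PrivateKey, dnsNames []string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dir, _ := os.MkdirTemp("", "certdir") // stands in for $certDir
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "example_test.key") // dots in the domain replaced by underscores
	if err := saveKeyPEM(path, key); err != nil {
		panic(err)
	}
	raw, _ := os.ReadFile(path)
	back, err := parseKeyPEM(raw)
	fmt.Println("key round-trips:", err == nil && back.D.Cmp(key.D) == 0)
	certPEM, _ := selfSignedPEM(key, []string{"example.test", "www.example.test"})
	chain, _ := parseChainPEM(certPEM)
	fmt.Printf("leaf sans=%v notAfter=%s\n", chain[0].DNSNames, chain[0].NotAfter.Format(time.RFC3339))
}
```

Refusing to overwrite forces the caller to rotate explicitly (rename the old key, then save) rather than silently replacing a key that a running server may still be using.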
YAML file template for the generation of TLS certificates.
DNS providers are limited to Cloudflare initially.