acme-express
Automatic Certificate Management Environment (ACME) protocol client for acquiring free SSL certificates.
Letsencrypt.org is a gratis, open-source, community-sponsored service that implements the ACME protocol. This script will allow you to create a signed SSL certificate, suitable for securing your server with HTTPS, using letsencrypt.org or any other certificate authority that supports the ACME protocol.
Installation
npm install -g acme-express
CLI
Usage: acme-express --account account.pem --csr csr.der --domain ${DOMAIN} --ca letsencrypt-beta
Options:
-h, --help output usage information
--account <account.pem> Account private key PEM file
--csr <csr.der> Certificate Signing Request file in DER encoding
--dom <domain> The domain for which we are requesting a certificate. e.g. "mydomain.org"
--ca <URL|"letsencrypt-beta"|"letsencrypt-staging"> URL of a certificate authority running the ACME protocol. Default "letsencrypt-staging"
--agreement <URL|"letsencrypt-1.0.1"> The certificate agreement URL. Default "letsencrypt-1.0.1"
--log <debug|info|warn|error> Set the log level (logs always use STDERR). Default "info"
--cross-signed Print letsencrypt.org's cross-signed x1 cert to STDOUT
How to Use
- Register a domain and point your DNS at your server.
- From that server, use this script to verify that you control the domain and acquire a signed certificate.
Sign a Cert
```shell
# Set your domain
DOMAIN=mydomain.org

# Create domain key and DER encoded Certificate Signing Request
openssl genrsa 4096 > domain.pem
openssl req -new -sha256 -key domain.pem -subj "/CN=${DOMAIN}" -outform DER > csr.der

# Create account key and get letsencrypt.org to sign your cert
openssl genrsa 4096 > account.pem
sudo acme-express --account account.pem --csr csr.der --dom "${DOMAIN}" --ca letsencrypt-beta > "${DOMAIN}.pem"

# (Optional) Examine your new certificate
openssl x509 -in "${DOMAIN}.pem" -text
```
Why Sudo?
To verify ownership of the domain, we use the simple HTTP challenge/response method. This script will briefly host a Node.js HTTP server on port 80 (which requires admin access). The challenge token is served at the well-defined challenge/response URL so that the certificate authority can request it.
See the "challengeResponse" method in src/acme-protocol.coffee.
Create an HTTPS Server
Here is an example Node.js express server using a certificate produced by this script:
```javascript
let fs = require('fs');
let http = require('http');
let https = require('https');
let express = require('express');
let app = express();
let domain = 'mydomain.org';

// Load the HTTPS credentials (file names follow the "Sign a Cert" steps above:
// domain.pem is the domain key, <domain>.pem is the signed certificate)
let credentials = {
  key : fs.readFileSync('domain.pem'),
  cert : fs.readFileSync(domain + '.pem'),
  // If you want to get an 'A' on your ssllabs report card, you need to
  // include the cross-signed cert from letsencrypt.org. Download it
  // directly from letsencrypt.org at the following URL:
  // https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
  ca : fs.readFileSync('lets-encrypt-x1-cross-signed.pem')
};

// Create an HTTPS server with your express app
https.createServer(credentials, app).listen(443);

// (Optional) Create a simple server to redirect all HTTP traffic to HTTPS
http.createServer((req, res) => {
  res.writeHead(301, { Location: 'https://' + domain + req.url });
  res.end();
}).listen(80);
```