hlandau / acmetool

:lock: acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)
https://hlandau.github.io/acmetool/

Has acmetool become abandonware? #317

Closed metaminimalist closed 5 years ago

metaminimalist commented 5 years ago

no release in over a year now, no visible work on acme2 branch in half a year, no *.deb-archive for bionic LTS, undisputed complaints about "dead open source project" in #314 ... - hence the blunt question.

I do not want to blame you for anything, I just want to be able to plan on my software deployments.

If acmetool is indeed dead, you may consider publishing this fact in a prominent place in readme and website.

In either case: thank you for acmetool! :)

kpcyrd commented 5 years ago

It looks like acmetool is going to stop working for new deployments by the end of 2019: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

LucaFilipozzi commented 5 years ago

Hi Hugo,

Thank you for acmetool. I love it.

Can you let us know what kind of support you require with acmetool? Would you be open to a call for co-maintainers? Or do you need more testers?

Let us know so that we can help you keep acmetool going.

Luca

hlandau commented 5 years ago

Sorry I've been AWOL. Will be making a release imminently.

hlandau commented 5 years ago

A beta of support for ACMEv2 is now available, see https://github.com/hlandau/acmetool/issues/322.

Amunak commented 4 years ago

@hlandau, sorry to press, but how is it going now? Still nothing since the last beta; ACMEv2 is waiting for binaries and an official release (#322).

Now LE has revoked some certificates due to an error on their side, and since AcmeTool is missing some fairly critical features (force renewal; #290 / #274), it has become quite hard to renew them without also nuking live certificates.

metaminimalist commented 4 years ago

I ended up using lego (https://go-acme.github.io/lego/) and a bunch of scripts, which basically keep me from calling lego directly while forgetting --path=

```bash
install -b -m 755 /dev/null /usr/local/bin/lego-run-example.org

# heredoc delimiters are quoted so that $(...) and ${...} are written verbatim
# and expanded when the generated script runs, not when it is written
cat > /usr/local/bin/lego-run-example.org <<'RUN'
#!/bin/bash
# lego-run-example.org      Register an account, then create and install a certificate

# only as root
if [[ $(id -u) -ne 0 ]] ; then echo "please run as root" ; exit 1 ; fi

mkdir -p /var/lib/lego
lego --path="/var/lib/lego" --email="admin@example.org" --accept-tos --http.port="127.0.0.1:65455" --http --domains="example.org" run

echo '»» fix certificate permissions »»'
getent group acme >/dev/null 2>&1 || addgroup --system acme
chown -R root:acme /var/lib/lego/certificates/example.org.*
chmod 640          /var/lib/lego/certificates/example.org.*
find               /var/lib/lego/certificates/example.org.* -type f -ls
RUN

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

install -b -m 755 /dev/null /usr/local/bin/lego-renew-example.org

cat > /usr/local/bin/lego-renew-example.org <<'RENEW'
#!/bin/bash
# lego-renew-example.org    Renew a certificate

# only as root
if [[ $(id -u) -ne 0 ]] ; then echo "please run as root" ; exit 1 ; fi

lego --path="/var/lib/lego" --email="admin@example.org" --accept-tos --http.port="127.0.0.1:65455" --http --domains="example.org" renew

echo '»» fix certificate permissions »»'
getent group acme >/dev/null 2>&1 || addgroup --system acme
chown -R root:acme /var/lib/lego/certificates/example.org.*
chmod 640          /var/lib/lego/certificates/example.org.*
find               /var/lib/lego/certificates/example.org.* -type f -ls
RENEW

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

install -b -m 755 /dev/null /usr/local/bin/lego-renew-45-example.org

cat > /usr/local/bin/lego-renew-45-example.org <<'RENEW45'
#!/bin/bash
# lego-renew-45-example.org    Renew a certificate, if it expires in less than 45 days

# only as root
if [[ $(id -u) -ne 0 ]] ; then echo "please run as root" ; exit 1 ; fi

APP_NAME=$(basename "$0" .sh)
export APP_NAME

TIME_STAMP="$(date '+%Y%m%d%H%M%S')"
LOG_DIR="/var/log/acme"
mkdir -p "${LOG_DIR}"

LOG_FILE="${LOG_DIR}/${TIME_STAMP}-${APP_NAME}.log"

# saving file descriptors
exec 6>&1
exec 7>&2

# send all output to the logfile
exec 1>"${LOG_FILE}"
exec 2>&1

echo '==============================================================================='
echo '»» start »»'
date
echo '- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'
echo '»» handle certificate renewal »»'
lego --path="/var/lib/lego" --email="admin@example.org" --accept-tos --http.port="127.0.0.1:65455" --http --domains="example.org" renew --days="45"

echo '»» fix certificate permissions »»'
getent group acme >/dev/null 2>&1 || addgroup --system acme
chown -R root:acme /var/lib/lego/certificates/example.org.*
chmod 640          /var/lib/lego/certificates/example.org.*
find               /var/lib/lego/certificates/example.org.* -type f -ls

echo '»» restart dependent services »»'
systemctl reload  nginx
systemctl restart mosquitto
echo '- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'
echo '»» end »»'
date
echo '-------------------------------------------------------------------------------'

# release ...
exec 1>&6  # restore STDOUT
exec 2>&7  # restore STDERR
exec 6>&-  # close copy of STDOUT
exec 7>&-  # close copy of STDERR

RENEW45

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

install -b -m 755 /dev/null /usr/local/bin/lego-revoke-example.org

cat > /usr/local/bin/lego-revoke-example.org <<'REVOKE'
#!/bin/bash
# lego-revoke-example.org    Revoke a certificate

# only as root
if [[ $(id -u) -ne 0 ]] ; then echo "please run as root" ; exit 1 ; fi

lego --path="/var/lib/lego" --email="admin@example.org" --accept-tos --http.port="127.0.0.1:65455" --http --domains="example.org" revoke
REVOKE

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# "DOT" is important, "." will prevent cron from using the file, see github.com/lyda/chkcrontab
install -b -m 755 /dev/null /etc/cron.d/lego-renew-45-exampleDOTorg

# quoted delimiter again: the $(( ... )) jitter must reach cron unexpanded;
# the "\%" is for cron, which otherwise treats "%" as a newline
cat > /etc/cron.d/lego-renew-45-exampleDOTorg <<'CRON'
SHELL=/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
MAILTO=info@example.org
# m h dom mon dow user command

# each even day between 1:00 and 2:00 try to renew the certificate
0 1 2-30/2 * * root sleep $(( $(hexdump -n 2 -e '/2 "\%u"' /dev/urandom) \% 59 )) ; /usr/local/bin/lego-renew-45-example.org

CRON

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

    ### ACMEtool setup for NGINX
    location /.well-known/acme-challenge {
        allow all;
        satisfy any;
        access_log off;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:65455;
    }
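What sits behind that `proxy_pass` is lego's HTTP-01 listener on `127.0.0.1:65455`. The following is an added illustration, not lego's or acmetool's code: a minimal HTTP-01 responder that computes the RFC 8555 key authorization (token plus RFC 7638 JWK thumbprint) and answers only under `/.well-known/acme-challenge/`, which is why the nginx `location` can be that narrow. The port and path come from the post above; the JWK members and token are constructed placeholders.

```python
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url and nothing else

def b64url(data: bytes) -> str:
    # unpadded base64url, as used throughout ACME and JOSE
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    # RFC 7638 input: required members only, lexicographic order, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: token || "." || base64url(SHA-256 JWK thumbprint)
    return f"{token}.{jwk_thumbprint(jwk)}"

def route(path: str, challenges: dict) -> tuple:
    # (status, body) for a request path; anything outside the challenge path is 404
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token) or token not in challenges:
        return 404, ""
    return 200, challenges[token]

class ChallengeHandler(BaseHTTPRequestHandler):
    challenges = {}  # token -> key authorization, filled in before serving

    def do_GET(self):
        status, body = route(self.path, self.challenges)
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # constructed, throwaway JWK values: not a real account key
    jwk = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43, "use": "sig"}
    ChallengeHandler.challenges = {"demo-token": key_authorization("demo-token", jwk)}
    HTTPServer(("127.0.0.1", 65455), ChallengeHandler).serve_forever()
```

With the nginx block above in place, `curl http://example.org/.well-known/acme-challenge/demo-token` should return the key authorization while every other path on port 65455 stays unreachable from outside.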