A Ruby client for Let's Encrypt's ACME protocol.

  • Source name: acme-client
  • Source URL: http://www.github.com/unixcharles/acme-client
  • Git URL:
    git://www.github.com/unixcharles/acme-client.git
  • Git clone to a local copy:
    git clone http://www.github.com/unixcharles/acme-client
  • Subversion checkout to a local copy (the checkout directory is named after the repository):
    $ svn co --depth empty http://www.github.com/unixcharles/acme-client
    Checked out revision 1.
    $ cd acme-client
    $ svn up trunk
  • Acme::Client


    acme-client is a client implementation of the ACME protocol in Ruby. The README on this page targets the ACME v1 API (the acme-v01 and acme-staging endpoints), which Let's Encrypt has since retired; current releases of the gem implement ACME v2 and expose a different client interface.

    The reference server implementation, boulder (github.com/letsencrypt/boulder), is written in Go.

    ACME is part of the Let's Encrypt project, whose goal is to provide free SSL/TLS certificates together with an automated process for obtaining and renewing them.

    Installation

    Via RubyGems:

    $ gem install acme-client

    Or add it to your Gemfile:

    gem 'acme-client'

    Usage

    Register the client

    In order to authenticate the client, we must first create an account. The account is identified by the private key below, so treat that key like any other credential: whoever holds it can request certificates for every domain the account has been authorized for.

    # We're going to need a private key.
    require 'openssl'
    private_key = OpenSSL::PKey::RSA.new(4096)

    # We need an ACME server to talk to, see github.com/letsencrypt/boulder
    # WARNING: This endpoint is the production endpoint, which is rate limited and will produce valid certificates.
    # You should probably use the staging endpoint for all your experimentation:
    # endpoint = 'https://acme-staging.api.letsencrypt.org/'
    endpoint = 'https://acme-v01.api.letsencrypt.org/'

    # Initialize the client
    require 'acme-client'
    client = Acme::Client.new(private_key: private_key, endpoint: endpoint, connection_options: { request: { open_timeout: 5, timeout: 5 } })

    # If the private key is not known to the server, we need to register it for the first time.
    registration = client.register(contact: 'mailto:contact@example.com')

    # You may need to agree to the terms of service (that's up to the server to require it or not, but boulder does by default)
    registration.agree_terms

    Authorize for a domain

    Before you can obtain a certificate for a domain, you have to prove that you control it.

    require 'fileutils'

    authorization = client.authorize(domain: 'example.org')

    # If authorization.status returns 'valid' here you can already get a certificate
    # and _must not_ try to solve another challenge.
    authorization.status # => 'pending'

    # You can store the authorization's URI to fully recover it and
    # any associated challenges via Acme::Client#fetch_authorization.
    authorization.uri # => '...'

    # This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
    challenge = authorization.http01

    # The http-01 method will require you to respond to a HTTP request.

    # You can retrieve the challenge token
    challenge.token # => "some_token"

    # You can retrieve the expected path for the file.
    challenge.filename # => ".well-known/acme-challenge/:some_token"

    # You can generate the body of the expected response.
    challenge.file_content # => 'string token and JWK thumbprint'

    # You are not required to send a Content-Type. This method will return the right Content-Type should you decide to include one.
    challenge.content_type

    # Save the file. We'll create a public directory to serve it from, and inside it we'll create the challenge file.
    FileUtils.mkdir_p( File.join( 'public', File.dirname( challenge.filename ) ) )

    # We'll write the content of the file
    File.write( File.join( 'public', challenge.filename), challenge.file_content )

    # Optionally save the authorization URI for use at another time (eg: by a background job processor)
    File.write('authorization_uri', authorization.uri)

    # The challenge file can be served with a Ruby webserver.
    # You can run a webserver in another console for that purpose. The ACME server
    # fetches http-01 challenges on port 80, so if you listen on 8080 as below you
    # need to forward port 80 to it (on your router and/or the host).
    #
    # $ ruby -run -e httpd public -p 8080 --bind-address 0.0.0.0

    # Load a challenge based on the stored authorization URI. This is only required
    # if you need to reuse a challenge as outlined above.
    challenge = client.fetch_authorization(File.read('authorization_uri')).http01

    # Once you are ready to serve the confirmation request you can proceed.
    challenge.request_verification # => true
    challenge.authorization.verify_status # => 'pending'

    # Wait a bit for the server to make the request, or just blink. It should be fast.
    sleep(1)

    # Rely on authorization.verify_status more than on challenge.verify_status;
    # if the former is 'valid' you can already issue a certificate and the status of
    # the challenge is not relevant and in fact may never change from pending.
    challenge.authorization.verify_status # => 'valid'
    challenge.error # => nil

    # If authorization.verify_status is 'invalid', you can get at the error
    # message only through the failed challenge.
    authorization.verify_status # => 'invalid'
    authorization.http01.error # => {"type" => "...", "detail" => "..."}
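    What challenge.file_content holds is the ACME key authorization: the challenge token, a dot, and the base64url SHA-256 thumbprint (RFC 7638) of the account key's JWK. The block below is an added example, not code from acme-client, that computes it from scratch and models the check an ACME server performs when it fetches the challenge URL. The web_root hash (standing in for the HTTP fetch), the sample token and the method names are this example's own constructions; the library computes the same string for you.

```ruby
require 'openssl'
require 'digest'
require 'base64'
require 'json'

# base64url without '=' padding, as used throughout ACME and JOSE.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RFC 7638 JWK thumbprint of an RSA public key: SHA-256 over the JSON object
# {"e":..,"kty":"RSA","n":..} with only the required members, keys in
# lexicographic order and no whitespace. Any other serialisation hashes to a
# different value and the challenge fails.
def jwk_thumbprint(rsa_key)
  jwk = { 'e' => b64url(rsa_key.e.to_s(2)), 'kty' => 'RSA', 'n' => b64url(rsa_key.n.to_s(2)) }
  b64url(Digest::SHA256.digest(JSON.generate(jwk)))
end

# The key authorization: the body to serve for http-01.
def key_authorization(token, rsa_key)
  "#{token}.#{jwk_thumbprint(rsa_key)}"
end

# Challenge tokens are base64url strings. Reject anything else before the
# token is turned into a filesystem path; otherwise a token such as "../.."
# handed out by a rogue or compromised ACME server walks out of the
# challenge directory when the client writes the file.
TOKEN_RE = /\A[A-Za-z0-9_-]+\z/

def challenge_path(token)
  raise ArgumentError, "refusing token #{token.inspect}" unless TOKEN_RE.match?(token)
  ".well-known/acme-challenge/#{token}"
end

# Constant-time comparison; the served body is attacker-controlled input.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Validator side: the ACME server fetches the challenge URL and compares the
# body with the key authorization it derives from the account key it has on
# file for this order (trailing whitespace is ignored). web_root is a
# constructed hash standing in for the HTTP fetch so this runs offline.
def validate_http01(web_root, token, account_key)
  body = web_root[challenge_path(token)]
  return false if body.nil?
  secure_equal?(body.rstrip, key_authorization(token, account_key))
end
```

    The thumbprint is computed over the public half of the account key only, so a server can re-derive the expected body without ever seeing the private key; a body written for a different account key fails even when the token matches.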

    Obtain a certificate

    Your account is now authorized for the domain, so you should be able to obtain a certificate for it.

    # We're going to need a certificate signing request. If not explicitly
    # specified, the first name listed becomes the common name.
    csr = Acme::Client::CertificateRequest.new(names: %w[example.org www.example.org])

    # We can now request a certificate. You can pass anything that returns
    # a valid DER encoded CSR when calling to_der on it. For example an
    # OpenSSL::X509::Request should work too.
    certificate = client.new_certificate(csr) # => #<Acme::Client::Certificate ...>

    # Save the certificate and the private key to files. The private key is
    # written with mode 0600 so it is not world-readable.
    File.write("privkey.pem", certificate.request.private_key.to_pem, perm: 0600)
    File.write("cert.pem", certificate.to_pem)
    File.write("chain.pem", certificate.chain_to_pem)
    File.write("fullchain.pem", certificate.fullchain_to_pem)

    # Start a webserver, using your shiny new certificate
    # ruby -r openssl -r webrick -r 'webrick/https' -e "s = WEBrick::HTTPServer.new(
    #   :Port => 8443,
    #   :DocumentRoot => Dir.pwd,
    #   :SSLEnable => true,
    #   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('privkey.pem') ),
    #   :SSLCertificate => OpenSSL::X509::Certificate.new( File.read('cert.pem') )); trap('INT') { s.shutdown }; s.start"
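    The CSR above carries every requested name in subjectAltName (the first also as CN), and the four files written afterwards are what a deploy should check before a server starts using them. The following added example, which is not part of acme-client, builds such a CSR with plain OpenSSL and checks an issued certificate the way a deploy script should: the private key matches, every requested name is in the SAN, the chain verifies to a trusted root, and the certificate is not about to expire. The issue helper and the throwaway root and intermediate it produces are constructed stand-ins for the CA so that everything runs offline; the method names are this example's own.

```ruby
require 'openssl'

# Build a CSR the way the page's CertificateRequest does: the first name is
# the CN and every name goes into subjectAltName. Browsers match on SAN, not
# CN, so a CSR without the SAN list yields a certificate that only covers CN.
def build_csr(names, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', names.first]])
  csr.public_key = key.public_key
  ef = OpenSSL::X509::ExtensionFactory.new
  san = ef.create_extension('subjectAltName', names.map { |n| "DNS:#{n}" }.join(','))
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# DNS names listed in a certificate's subjectAltName extension.
def cert_dns_names(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  san.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# Checks to run on cert.pem, chain.pem and privkey.pem before a deploy swaps
# them in. Returns a list of problems; an empty list means the files are usable.
def issued_cert_problems(cert, chain, key, names, roots)
  problems = []
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  missing = names - cert_dns_names(cert)
  problems << "names not in SAN: #{missing.join(', ')}" unless missing.empty?
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) }
  problems << "chain does not verify: #{store.error_string}" unless store.verify(cert, chain)
  problems << 'certificate expires in under 7 days' if cert.not_after < Time.now + 7 * 86_400
  problems
end

# Constructed stand-in for the CA: signs a certificate for `key`, either
# self-signed (no issuer) or by the [issuer_cert, issuer_key] pair given.
def issue(cn, key, issuer: nil, ca: false, sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 90 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless sans.empty?
    cert.add_extension(ef.create_extension('subjectAltName', sans.map { |n| "DNS:#{n}" }.join(',')))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

    Note that the WEBrick one-liner above presents only cert.pem. Clients that do not already have the intermediate cached cannot build the chain from that alone, so also hand WEBrick the certificates from chain.pem via its :SSLExtraChainCert option (or serve fullchain.pem with a server that accepts a bundle).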
    Not implemented
    • Recovery methods are not implemented.

    Requirements

    ruby >= 2.1

    Development

    All tests use VCR to replay recorded interactions with the server. If you need to record new interactions with the server, clone boulder and run it normally.

    Pull requests?

    License

    MIT License


