├── .gitignore
├── share
│   └── sslmate
│       └── dhparams
│           ├── dh2048-group14.pem
│           ├── dh3072-group15.pem
│           ├── dh4096-group16.pem
│           ├── dh6144-group17.pem
│           └── dh8192-group18.pem
├── man
│   ├── Makefile
│   ├── man1
│   │   └── sslmate.1
│   └── sslmate.xml
├── COPYING
├── perllib
│   ├── SSLMate.pm
│   └── SSLMate
│       └── HTTPSClient.pm
├── libexec
│   └── sslmate
│       └── approval
│           ├── http
│           │   └── documentroot
│           └── dns
│               ├── cloudflare
│               ├── digitalocean
│               ├── dnsimple
│               └── route53
├── README.md
├── README
├── Makefile
└── NEWS

/.gitignore:
--------------------------------------------------------------------------------
/bin/sslmate.bin

/share/sslmate/dhparams/dh2048-group14.pem:
--------------------------------------------------------------------------------
[PEM "DH PARAMETERS" file; base64 body omitted. The five files under
share/sslmate/dhparams are PEM-encoded Diffie-Hellman parameters whose names
follow the RFC 3526 MODP groups 14 to 18 (2048 to 8192 bits).]

/man/Makefile:
--------------------------------------------------------------------------------
#
# Copyright (c) 2014 Opsmate, Inc.
#
# See COPYING file for license information.
#

MANPAGES = man1/sslmate.1
DOCBOOK = xsltproc \
	--param man.output.in.separate.dir 1 \
	--stringparam man.output.base.dir "" \
	--param man.output.subdirs.enabled 1 \
	--param man.authors.section.enabled 0 \
	/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl

all: $(MANPAGES)

man1/sslmate.1: sslmate.xml
	$(DOCBOOK) $<

clean:
	rm -f $(MANPAGES)

.PHONY: all clean

/share/sslmate/dhparams/dh3072-group15.pem:
--------------------------------------------------------------------------------
[PEM "DH PARAMETERS" file, RFC 3526 group 15 (3072-bit); base64 body omitted]

/share/sslmate/dhparams/dh4096-group16.pem:
--------------------------------------------------------------------------------
[PEM "DH PARAMETERS" file, RFC 3526 group 16 (4096-bit); base64 body omitted]

/share/sslmate/dhparams/dh6144-group17.pem:
--------------------------------------------------------------------------------
[PEM "DH PARAMETERS" file, RFC 3526 group 17 (6144-bit); base64 body omitted]

/COPYING:
--------------------------------------------------------------------------------
Copyright (c) 2014 Opsmate, Inc.

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name(s) of the above copyright
holders shall not be used in advertising or otherwise to promote the
sale, use or other dealings in this Software without prior written
authorization.

/perllib/SSLMate.pm:
--------------------------------------------------------------------------------
#
# Copyright (c) 2014-2022 Opsmate, Inc.
#
# See COPYING file for license information.
#

package SSLMate;

use 5.010; # 5.10
use strict;
use warnings;

our $VERSION = '1.9.1';

/share/sslmate/dhparams/dh8192-group18.pem:
--------------------------------------------------------------------------------
[PEM "DH PARAMETERS" file, RFC 3526 group 18 (8192-bit); base64 body omitted]
/libexec/sslmate/approval/http/documentroot:
--------------------------------------------------------------------------------
#!/bin/sh -e

#
# HTTP approval handler for SSLMate.
# To use, place the following in your http_approval_map file:
#
#	www.example.com	documentroot	/path/to/document/root
#
# where /path/to/document/root is the path to your web server's
# document root for www.example.com.
#
# This program is meant to be invoked by the SSLMate client. Do not
# execute directly.
#

#
# Copyright (c) 2015 Opsmate, Inc.
#
# See COPYING file for license information.
#

USAGE="$0 add|del hostname path contents"

umask 022

if [ $# != 4 ]
then
	echo "Usage: $USAGE" >&2
	exit 2
fi
action=$1
hostname=$2
path=$3
contents=$4

# The SSLMate client passes the map-file parameters in the environment:
# PARAMS lists the parameter names and PARAM_<name> holds each value.
# This handler takes exactly one positional parameter, named 0.
if [ "$PARAMS" != "0" ]
then
	echo "documentroot: Error: unexpected parameters (expected exactly 1 parameter)" >&2
	exit 3
fi

document_root=$PARAM_0

if ! [ -d "$document_root" ]
then
	echo "documentroot: Error: $document_root: no such directory" >&2
	exit 1
fi
if ! [ -w "$document_root" ]
then
	echo "documentroot: Error: $document_root: not writable" >&2
	exit 1
fi

# $action is quoted so an empty argument fails the comparison instead of
# breaking the test; the path is passed to printf as an argument rather than
# inside the format string so a '%' in it is printed literally.
if [ "$action" = "add" ]
then
	mkdir -p "$(dirname "$document_root$path")"
	printf "documentroot: Writing %s... " "$document_root$path"
	printf "%s" "$contents" > "$document_root$path"
	printf "Done.\n"
elif [ "$action" = "del" ]
then
	printf "documentroot: Removing %s... " "$document_root$path"
	rm -f "$document_root$path"
	printf "Done.\n"
elif [ "$action" = "noop" ]
then
	:
else
	echo "Usage: $USAGE" >&2
	exit 2
fi

exit 0

/README.md:
--------------------------------------------------------------------------------
## SSLMate command line client

`sslmate` is the command line client for [SSLMate](https://sslmate.com), a service for purchasing and managing SSL certificates.
SSLMate provides easy-to-use tools for buying, renewing, and revoking certificates, for monitoring the expiration date of your certificates, and for synchronizing your certificates between your servers.

SSLMate emphasizes speed, ease-of-use, and automation. For example, the command to purchase a certificate (`sslmate buy`) typically completes in under a minute and automates the steps of generating a private key, generating a CSR, and building a certificate bundle. SSLMate can automatically renew your certificates, and you can run `sslmate download` from a cron job so that renewed certificates are automatically downloaded to your server.

To use the `sslmate` command, you must create a free account at https://sslmate.com.

## Dependencies

SSLMate officially supports:

* Debian 9 and newer
* Ubuntu 18.04 and newer
* RHEL/CentOS 7 and 8
* Amazon Linux 1 and 2
* Fedora 27 and newer

Packages (.deb, .rpm) for the above operating systems [are available](https://sslmate.com/help/cmdline/install).

SSLMate can run on other Unix-based operating systems provided the following software is installed:

* Perl v5.10.0 or newer.
* The following Perl modules, which can be installed by running `cpan MODULENAME` or by installing the corresponding distro package.

```
Module Name                  Debian/Ubuntu Package          RHEL/CentOS Package
-----------------------------------------------------------------------------
URI                          liburi-perl                    perl-URI
Term::ReadKey                libterm-readkey-perl           perl-TermReadKey
JSON::PP [1]                 libjson-perl                   perl-JSON
LWP (>= 6) [2]               libwww-perl                    perl-libwww-perl
LWP::Protocol::https [2]     liblwp-protocol-https-perl     perl-LWP-Protocol-https
```

Notes:

1. `JSON::PP` is included with Perl 5.14 and later.
2. `LWP` is optional; if not available SSLMate will fall back to executing the `curl` command directly.

## Installation

Run `make` and `make install`.

The following Makefile variables can be passed on the command line to `make` and `make install`:

* `PREFIX=/path` - Install to given path (default: `/usr/local`)
* `DESTDIR=/path` - Stage installed files under the given path instead of installing directly to the filesystem (intended for package building)

Example:

```
make PREFIX=/usr
make install PREFIX=/usr DESTDIR=/tmp/pkgroot
```

## Getting started

See SSLMate's [guide to getting started](https://sslmate.com/help/cmdline/getting_started).

## Getting help

* Run `sslmate help`.
* Read the sslmate(1) man page.
* Consult [SSLMate's help documentation](https://sslmate.com/help).
* Email [support@sslmate.com](mailto:support@sslmate.com).

/README:
--------------------------------------------------------------------------------
sslmate is the command line client for SSLMate <https://sslmate.com>, a
service for purchasing and managing SSL certificates. SSLMate provides
easy-to-use tools for buying, renewing, and revoking certificates, for
monitoring the expiration date of your certificates, and for synchronizing
your certificates between your servers.

SSLMate emphasizes speed, ease-of-use, and automation. For example, the
command to purchase a certificate (sslmate buy) typically completes in
under a minute and automates the steps of generating a private key,
generating a CSR, and building a certificate bundle. SSLMate can
automatically renew your certificates, and you can run sslmate download
from a cron job so that renewed certificates are automatically downloaded
to your server.

To use the sslmate command, you must create a free account at
<https://sslmate.com>.


DEPENDENCIES

SSLMate officially supports:

* Debian 9 and newer
* Ubuntu 18.04 and newer
* RHEL/CentOS 7 and 8
* Amazon Linux 1 and 2
* Fedora 27 and newer

Packages (.deb, .rpm) for the above operating systems are available
from <https://sslmate.com/help/cmdline/install>.

SSLMate can run on other Unix-based operating systems provided the
following software is installed:

* Perl v5.10.0 or newer.

* The following Perl modules, which can be installed by running
  `cpan MODULENAME` or by installing the corresponding distro package.

  Module Name                  Debian/Ubuntu Package          RHEL/CentOS Package
  -----------------------------------------------------------------------------
  URI                          liburi-perl                    perl-URI
  Term::ReadKey                libterm-readkey-perl           perl-TermReadKey
  JSON::PP [1]                 libjson-perl                   perl-JSON
  LWP (>= 6) [2]               libwww-perl                    perl-libwww-perl
  LWP::Protocol::https [2]     liblwp-protocol-https-perl     perl-LWP-Protocol-https


Notes:
[1] JSON::PP is included with Perl 5.14 and later.

[2] LWP is optional; if not available SSLMate will fall back to
    executing the `curl` command directly.


INSTALLATION

Run `make` and `make install`.

The following Makefile variables can be passed on the command line to
`make` and `make install`:

  PREFIX=/path     Install to given path (default: /usr/local)

  DESTDIR=/path    Stage installed files under the given path instead of
                   installing directly to the filesystem (intended for
                   package building)

Example:

  make PREFIX=/usr
  make install PREFIX=/usr DESTDIR=/tmp/pkgroot


GETTING STARTED

See <https://sslmate.com/help/cmdline/getting_started>.


GETTING HELP

* Run `sslmate help`.

* Read the sslmate(1) man page.

* Consult <https://sslmate.com/help>.

* Email <support@sslmate.com>.


/Makefile:
--------------------------------------------------------------------------------
#
# Copyright (c) 2014-2022 Opsmate, Inc.
#
# See COPYING file for license information.
#

PROJECT = sslmate
VERSION = 1.9.1

PREFIX ?= /usr/local
BINDIR ?= $(PREFIX)/bin
DOCDIR ?= $(PREFIX)/share/doc/sslmate
MANDIR ?= $(PREFIX)/share/man
PERLLIBDIR ?= $(PREFIX)/share/sslmate/perllib
LIBEXECDIR ?= $(PREFIX)/libexec/sslmate
SHAREDIR ?= $(PREFIX)/share/sslmate
DISTDIR ?= $(PROJECT)-$(VERSION)
DISTFILE ?= $(DISTDIR).tar

all: build

#
# Build
#
build: build-bin build-man

build-bin: bin/sslmate.bin

build-man:
	# $(MAKE) -C man all

bin/sslmate.bin: bin/sslmate
	sed \
		-e "s|DEFAULT_LIBEXEC_DIR = undef|DEFAULT_LIBEXEC_DIR = '$(LIBEXECDIR)'|" \
		-e "s|DEFAULT_SHARE_DIR = undef|DEFAULT_SHARE_DIR = '$(SHAREDIR)'|" \
		-e "s|^use lib.*|use lib '$(PERLLIBDIR)';|" \
		< bin/sslmate > bin/sslmate.bin

#
# Clean
#
clean: clean-bin clean-man

clean-bin:
	rm -f bin/sslmate.bin

clean-man:
	# $(MAKE) -C man clean

#
# Install
#
install: install-bin install-doc install-man install-perllib install-libexec install-share

install-bin: bin/sslmate.bin
	mkdir -m 755 -p $(DESTDIR)$(BINDIR)
	install -m 755 bin/sslmate.bin $(DESTDIR)$(BINDIR)/sslmate

install-doc:
	mkdir -m 755 -p $(DESTDIR)$(DOCDIR)
	install -m 644 README NEWS $(DESTDIR)$(DOCDIR)/

install-man:
	mkdir -m 755 -p $(DESTDIR)$(MANDIR)/man1
	install -m 644 man/man1/sslmate.1 $(DESTDIR)$(MANDIR)/man1/

install-perllib:
	mkdir -m 755 -p $(DESTDIR)$(PERLLIBDIR)/SSLMate
	install -m 644 perllib/SSLMate.pm $(DESTDIR)$(PERLLIBDIR)/
	install -m 644 perllib/SSLMate/*.pm $(DESTDIR)$(PERLLIBDIR)/SSLMate/

install-libexec:
	mkdir -m 755 -p $(DESTDIR)$(LIBEXECDIR)/approval/http
	mkdir -m 755 -p $(DESTDIR)$(LIBEXECDIR)/approval/dns
	install -m 755 libexec/sslmate/approval/http/documentroot $(DESTDIR)$(LIBEXECDIR)/approval/http/documentroot
	install -m 755 libexec/sslmate/approval/dns/cloudflare $(DESTDIR)$(LIBEXECDIR)/approval/dns/cloudflare
	install -m 755 libexec/sslmate/approval/dns/digitalocean $(DESTDIR)$(LIBEXECDIR)/approval/dns/digitalocean
	install -m 755 libexec/sslmate/approval/dns/dnsimple $(DESTDIR)$(LIBEXECDIR)/approval/dns/dnsimple
	install -m 755 libexec/sslmate/approval/dns/route53 $(DESTDIR)$(LIBEXECDIR)/approval/dns/route53

install-share:
	mkdir -m 755 -p $(DESTDIR)$(SHAREDIR)/dhparams
	install -m 644 share/sslmate/dhparams/dh2048-group14.pem $(DESTDIR)$(SHAREDIR)/dhparams/
	install -m 644 share/sslmate/dhparams/dh3072-group15.pem $(DESTDIR)$(SHAREDIR)/dhparams/
	install -m 644 share/sslmate/dhparams/dh4096-group16.pem $(DESTDIR)$(SHAREDIR)/dhparams/
	install -m 644 share/sslmate/dhparams/dh6144-group17.pem $(DESTDIR)$(SHAREDIR)/dhparams/
	install -m 644 share/sslmate/dhparams/dh8192-group18.pem $(DESTDIR)$(SHAREDIR)/dhparams/

install-paths:
	mkdir -m 755 -p $(DESTDIR)/etc/paths.d $(DESTDIR)/etc/manpaths.d
	echo $(BINDIR) > $(DESTDIR)/etc/paths.d/sslmate
	echo $(MANDIR) > $(DESTDIR)/etc/manpaths.d/sslmate

#
# Uninstall
#
uninstall: uninstall-bin uninstall-doc uninstall-man uninstall-perllib uninstall-libexec uninstall-share

uninstall-bin:
	rm -f $(DESTDIR)$(BINDIR)/sslmate

uninstall-doc:
	rm -f $(DESTDIR)$(DOCDIR)/README
	rm -f $(DESTDIR)$(DOCDIR)/NEWS
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(DOCDIR)

uninstall-man:
	rm -f $(DESTDIR)$(MANDIR)/man1/sslmate.1

uninstall-perllib:
	rm -f $(DESTDIR)$(PERLLIBDIR)/SSLMate/*.pm
	rm -f $(DESTDIR)$(PERLLIBDIR)/SSLMate.pm
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(PERLLIBDIR)/SSLMate

uninstall-libexec:
	rm -f $(DESTDIR)$(LIBEXECDIR)/approval/http/documentroot
	rm -f $(DESTDIR)$(LIBEXECDIR)/approval/dns/cloudflare
	rm -f $(DESTDIR)$(LIBEXECDIR)/approval/dns/digitalocean
	rm -f $(DESTDIR)$(LIBEXECDIR)/approval/dns/dnsimple
	rm -f $(DESTDIR)$(LIBEXECDIR)/approval/dns/route53
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(LIBEXECDIR)/approval/http
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(LIBEXECDIR)/approval/dns
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(LIBEXECDIR)/approval
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(LIBEXECDIR)

uninstall-share:
	rm -f $(DESTDIR)$(SHAREDIR)/dhparams/dh2048-group14.pem
	rm -f $(DESTDIR)$(SHAREDIR)/dhparams/dh3072-group15.pem
	rm -f $(DESTDIR)$(SHAREDIR)/dhparams/dh4096-group16.pem
	rm -f $(DESTDIR)$(SHAREDIR)/dhparams/dh6144-group17.pem
	rm -f $(DESTDIR)$(SHAREDIR)/dhparams/dh8192-group18.pem
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(SHAREDIR)/dhparams
	rmdir --ignore-fail-on-non-empty $(DESTDIR)$(SHAREDIR)

uninstall-paths:
	rm -f $(DESTDIR)/etc/paths.d/sslmate $(DESTDIR)/etc/manpaths.d/sslmate

#
# 'make dist'
#
dist:
	git archive --prefix=$(DISTDIR)/ $(VERSION) | gzip -n9 > $(DISTFILE).gz

#
# Misc.
#
get-version:
	@echo $(VERSION)

.PHONY: all \
	build build-bin build-man \
	clean clean-bin clean-man \
	install install-bin install-man install-perllib install-libexec install-share install-paths \
	uninstall uninstall-bin uninstall-man uninstall-perllib uninstall-libexec uninstall-share uninstall-paths \
	dist get-version

/libexec/sslmate/approval/dns/cloudflare:
--------------------------------------------------------------------------------
#!/usr/bin/env perl

#
# DNS approval handler for SSLMate using CloudFlare.
# To use, place the following in your dns_approval_map file:
#
#	example.com.	cloudflare	PARAMS...
#
# where example.com. is your domain name (note the trailing dot), and
# PARAMS... is zero or more of the following parameters, space-separated:
#
#	email=ADDRESS
#		The email address of your CloudFlare account
#
#	key=KEY
#		Your CloudFlare API key
#
# Example:
#
#	example.com.	cloudflare	email=admin@example.com key=adc83b19e793491b1c6ea0fd8b46cd9f32e59
#
# This program is meant to be invoked by the SSLMate client. Do not
# execute directly.
#

#
# Copyright (c) 2015 Opsmate, Inc.
#
# See COPYING file for license information.
51 | # 52 | 53 | use 5.010; # 5.10 54 | use strict; 55 | use warnings; 56 | use SSLMate::HTTPSClient; 57 | use JSON::PP; 58 | use IO::Handle; 59 | 60 | sub bad_usage { 61 | print STDERR "Usage: $0 add|del name type value\n"; 62 | exit(2); 63 | } 64 | 65 | sub env { 66 | my ($name) = @_; 67 | if (not defined($ENV{$name})) { 68 | print STDERR "cloudflare: Error: missing required environment variable $name - was this program invoked by SSLMate?\n"; 69 | exit(3); 70 | } 71 | return $ENV{$name}; 72 | } 73 | 74 | bad_usage if @ARGV != 4; 75 | my ($action, $rr_name, $rr_type, $rr_value) = @ARGV; 76 | my ($cloudflare_email, $cloudflare_key); 77 | 78 | for my $name (split(' ', env('PARAMS'))) { 79 | if ($name eq 'email') { 80 | $cloudflare_email = env('PARAM_email'); 81 | } elsif ($name eq 'key') { 82 | $cloudflare_key = env('PARAM_key'); 83 | } else { 84 | print STDERR "cloudflare: Error: Unrecognized parameter $name\n"; 85 | exit(3); 86 | } 87 | } 88 | 89 | unless (defined($cloudflare_email) && defined($cloudflare_key)) { 90 | print STDERR "cloudflare: Error: email and key parameters not provided\n"; 91 | exit(4); 92 | } 93 | 94 | my $https_client; 95 | sub call_cloudflare { 96 | my ($method, $command, $query_string, $post_data) = @_; 97 | 98 | $https_client //= SSLMate::HTTPSClient->new; 99 | 100 | my $headers = { 101 | 'X-Auth-Email' => $cloudflare_email, 102 | 'X-Auth-Key' => $cloudflare_key, 103 | }; 104 | $headers->{'Content-Type'} = 'application/json' if defined($post_data); 105 | 106 | $query_string = SSLMate::HTTPSClient::make_query_string($query_string) if ref($query_string) eq 'HASH'; 107 | $post_data = encode_json($post_data) if ref($post_data) eq 'HASH'; 108 | $command .= "?$query_string" if defined($query_string) && length($query_string); 109 | 110 | my ($http_status, $content_type, $response_data) = eval { 111 | $https_client->request($method, "https://api.cloudflare.com$command", $headers, undef, $post_data) 112 | }; 113 | if (not defined $http_status) { 
        print STDERR "cloudflare: Error: Unable to contact CloudFlare server: $@";
        return undef;
    }

    $content_type //= '';
    $content_type =~ s/;.*$//;
    if ($content_type ne 'application/json') {
        print STDERR "cloudflare: Error: received unexpected response from CloudFlare server: response not JSON (content-type=$content_type; status=$http_status)\n";
        return undef;
    }

    my $response_obj = eval { decode_json($$response_data) };
    if (!defined($response_obj)) {
        chomp $@;
        print STDERR "cloudflare: Error: received malformed response from CloudFlare server: $@\n";
        return undef;
    }

    if (not $response_obj->{success}) {
        for my $error (@{$response_obj->{errors}}) {
            if ($error->{code} == 9103) {
                print STDERR "cloudflare: Error (for $rr_name): Invalid account email or API key\n";
            } else {
                print STDERR "cloudflare: Error (for $rr_name): " . $error->{message} . " (" . $error->{code} . ")\n";
            }
        }
        return undef;
    }

    return $response_obj;
}

# CloudFlare doesn't like trailing dots
$rr_name =~ s/\.$//;
$rr_value =~ s/\.$// if $rr_type eq 'CNAME' or $rr_type eq 'NS';

# 1. Determine the ID of the zone
my $zone_id;
my $domain = $rr_name;
while (1) {
    my $response = call_cloudflare('GET', "/client/v4/zones", { name => $domain }) or exit(4);
    if (@{$response->{result}}) {
        $zone_id = $response->{result}->[0]->{id};
        last;
    }

    if ($domain =~ /^[^.]+[.](.*)$/) {
        $domain = $1;
    } else {
        last;
    }
}

if (not defined($zone_id)) {
    print STDERR "cloudflare: Error: Unable to find a zone for $rr_name in account $cloudflare_email. Does your CloudFlare account contain a zone for this domain?\n";
    exit(4);
}

exit(0) if $action eq 'noop';

# 2. Check if the record already exists
my $response = call_cloudflare('GET', "/client/v4/zones/$zone_id/dns_records", { type => $rr_type, name => $rr_name }) or exit(1);
my $existing_record_id;
for my $result (@{$response->{result}}) {
    if ($result->{content} eq $rr_value) {
        $existing_record_id = $result->{id};
        last;
    }
}

# 3. Add or remove the record
if ($action eq 'add') {
    if (not defined($existing_record_id)) {
        print "cloudflare: Adding $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_cloudflare('POST', "/client/v4/zones/$zone_id/dns_records", undef, { type => $rr_type, name => $rr_name, content => $rr_value, ttl => 120 }) or exit(1);
        sleep(10); # CloudFlare doesn't provide an API for reporting when DNS records become visible, but tests indicate that they become visible in well under 10 seconds.
        print "Done.\n";
    }
} elsif ($action eq 'del') {
    if (defined $existing_record_id) {
        print "cloudflare: Removing $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_cloudflare('DELETE', "/client/v4/zones/$zone_id/dns_records/$existing_record_id") or exit(1);
        print "Done.\n";
    }
} else {
    bad_usage;
}

exit(0);
--------------------------------------------------------------------------------
/libexec/sslmate/approval/dns/digitalocean:
--------------------------------------------------------------------------------
#!/usr/bin/env perl

#
# DNS approval handler for SSLMate using DigitalOcean.
# To use, place the following in your dns_approval_map file:
#
#     example.com. digitalocean PARAMS...
#
# where example.com. is your domain name (note the trailing dot), and
# PARAMS... is zero or more of the following parameters, space-separated:
#
#     key=KEY
#         Your DigitalOcean API key
#
# Example:
#
#     example.com. digitalocean key=62d020a5eb6fe22c0e86e4ed29f7ab77df4df8ec8ccdb9014409a84aee1b33c6
#
# This program is meant to be invoked by the SSLMate client. Do not
# execute directly.
#

#
# Copyright (c) 2015 Opsmate, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name(s) of the above copyright
# holders shall not be used in advertising or otherwise to promote the
# sale, use or other dealings in this Software without prior written
# authorization.
#

use 5.010; # 5.10
use strict;
use warnings;
use SSLMate::HTTPSClient;
use JSON::PP;
use IO::Handle;

sub bad_usage {
    print STDERR "Usage: $0 add|del name type value\n";
    exit(2);
}

sub env {
    my ($name) = @_;
    if (not defined($ENV{$name})) {
        print STDERR "digitalocean: Error: missing required environment variable $name - was this program invoked by SSLMate?\n";
        exit(3);
    }
    return $ENV{$name};
}

bad_usage if @ARGV != 4;
my ($action, $rr_name, $rr_type, $rr_value) = @ARGV;
my ($api_key);

for my $name (split(' ', env('PARAMS'))) {
    if ($name eq 'key') {
        $api_key = env('PARAM_key');
    } else {
        print STDERR "digitalocean: Error: Unrecognized parameter $name\n";
        exit(3);
    }
}

unless (defined $api_key) {
    print STDERR "digitalocean: Error: key parameter not provided\n";
    exit(4);
}

my $https_client;
sub call_digitalocean {
    my ($method, $command, $post_data, $missing_ok) = @_;

    $https_client //= SSLMate::HTTPSClient->new;

    my $headers = {
        'Authorization' => "Bearer $api_key",
    };
    if (defined($post_data)) {
        $headers->{'Content-Type'} = 'application/json';
        $post_data = encode_json($post_data) if ref($post_data) eq 'HASH';
    }

    my ($http_status, $content_type, $response_data) = eval {
        $https_client->request($method, "https://api.digitalocean.com/v2$command", $headers, undef, $post_data)
    };
    if (not defined $http_status) {
        print STDERR "digitalocean: Error: Unable to contact DigitalOcean server: $@";
        return undef;
    }

    my $response_obj;
    if (defined $content_type) {
        $content_type =~ s/;.*$//;
        if ($content_type ne 'application/json') {
            print STDERR "digitalocean: Error: received unexpected response from DigitalOcean server: response not JSON (content-type=$content_type; status=$http_status)\n";
            return undef;
        }

        $response_obj = eval { decode_json($$response_data) };
        if (!defined($response_obj)) {
            chomp $@;
            print STDERR "digitalocean: Error: received malformed response from DigitalOcean server: $@\n";
            return undef;
        }
    } else {
        $response_obj = {};
    }

    if (int($http_status / 100) == 2 || ($http_status == 404 && $missing_ok)) {
        return ($http_status, $response_obj);
    } elsif ($http_status == 401) {
        print STDERR "digitalocean: Error (for $rr_name): Invalid API key\n";
        return undef;
    } else {
        print STDERR "digitalocean: Error (for $rr_name): " . $response_obj->{message} . " ($http_status)\n";
        return undef;
    }
}

# DigitalOcean doesn't use trailing dots
$rr_name =~ s/\.$//;
my $dotless_rr_value = $rr_value;
$dotless_rr_value =~ s/\.$// if $rr_type eq 'CNAME' or $rr_type eq 'NS';

# 1. Determine the domain of the hosted zone
my @subdomain;
my $domain = $rr_name;
my $response;
while (defined $domain) {
    my $status;
    ($status, $response) = call_digitalocean('GET', "/domains/$domain/records", undef, 1);
    defined($response) or exit(4);
    last if int($status / 100) == 2;
    if ($domain =~ /^([^.]+)[.](.*)$/) {
        push @subdomain, $1;
        $domain = $2;
    } else {
        $domain = undef;
    }
}

if (not defined($domain)) {
    print STDERR "digitalocean: Error: Unable to find a zone for $rr_name. Does your DigitalOcean account contain a zone for this domain?\n";
    exit(4);
}

exit(0) if $action eq 'noop';

my $subdomain = @subdomain ? join('.', @subdomain) : '@';

# 2. Check if the record already exists
my $existing_record_id;
while (1) {
    for my $record (@{$response->{domain_records}}) {
        if ($record->{name} eq $subdomain &&
            $record->{type} eq $rr_type &&
            ($record->{data} eq $rr_value || $record->{data} eq $dotless_rr_value)) {
            $existing_record_id = $record->{id};
            last;
        }
    }
    last if defined($existing_record_id);

    my $next_page = $response->{links}->{pages}->{next};
    last if not defined($next_page);
    $next_page =~ s|^https://api.digitalocean.com/v2||;

    (undef, $response) = call_digitalocean('GET', $next_page);
    defined($response) or exit(1);
}

# 3. Add or remove the record
if ($action eq 'add') {
    if (not defined($existing_record_id)) {
        print "digitalocean: Adding $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_digitalocean('POST', "/domains/$domain/records", { type => $rr_type, name => $subdomain, data => $rr_value }) or exit(1);
        sleep(30); # DigitalOcean doesn't provide an API for reporting when DNS records become visible, but tests indicate that they become visible within 30 seconds.
        print "Done.\n";
    }
} elsif ($action eq 'del') {
    if (defined $existing_record_id) {
        print "digitalocean: Removing $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_digitalocean('DELETE', "/domains/$domain/records/$existing_record_id") or exit(1);
        print "Done.\n";
    }
} else {
    bad_usage;
}

exit(0);
--------------------------------------------------------------------------------
/libexec/sslmate/approval/dns/dnsimple:
--------------------------------------------------------------------------------
#!/usr/bin/env perl

#
# DNS approval handler for SSLMate using DNSimple.
# To use, place the following in your dns_approval_map file:
#
#     example.com. dnsimple PARAMS...
#
# where example.com. is your domain name (note the trailing dot), and
# PARAMS... is zero or more of the following parameters, space-separated:
#
#     email=ADDRESS
#         The email address of your DNSimple account
#
#     token=KEY
#         Your DNSimple API token
#
# Example:
#
#     example.com. dnsimple email=admin@example.com token=1234567890
#
# This program is meant to be invoked by the SSLMate client. Do not
# execute directly.
#

#
# Copyright (c) 2015 Opsmate, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name(s) of the above copyright
# holders shall not be used in advertising or otherwise to promote the
# sale, use or other dealings in this Software without prior written
# authorization.
#

use 5.010; # 5.10
use strict;
use warnings;
use SSLMate::HTTPSClient;
use JSON::PP;
use IO::Handle;

sub bad_usage {
    print STDERR "Usage: $0 add|del name type value\n";
    exit(2);
}

sub env {
    my ($name) = @_;
    if (not defined($ENV{$name})) {
        print STDERR "dnsimple: Error: missing required environment variable $name - was this program invoked by SSLMate?\n";
        exit(3);
    }
    return $ENV{$name};
}

bad_usage if @ARGV != 4;
my ($action, $rr_name, $rr_type, $rr_value) = @ARGV;
my ($dnsimple_email, $dnsimple_token, $dnsimple_endpoint, $dnsimple_password);

# password= and endpoint= are accepted in addition to the documented
# email= and token= parameters.
for my $name (split(' ', env('PARAMS'))) {
    if ($name eq 'email') {
        $dnsimple_email = env('PARAM_email');
    } elsif ($name eq 'token') {
        $dnsimple_token = env('PARAM_token');
    } elsif ($name eq 'password') {
        $dnsimple_password = env('PARAM_password');
    } elsif ($name eq 'endpoint') {
        $dnsimple_endpoint = env('PARAM_endpoint');
    } else {
        print STDERR "dnsimple: Error: Unrecognized parameter $name\n";
        exit(3);
    }
}

$dnsimple_endpoint //= 'https://api.dnsimple.com/v1';

unless (defined($dnsimple_email) && (defined($dnsimple_token) || defined($dnsimple_password))) {
    print STDERR "dnsimple: Error: email and token parameters not provided\n";
    exit(4);
}

my $https_client;
sub call_dnsimple {
    my ($method, $command, $post_data, $missing_ok) = @_;

    $https_client //= SSLMate::HTTPSClient->new;

    my $headers = {
        'Accept' => 'application/json',
    };
    my $creds;
    if (defined($dnsimple_token)) {
        $headers->{'X-DNSimple-Token'} = join(':', $dnsimple_email, $dnsimple_token);
    } elsif (defined($dnsimple_password)) {
        $creds = { username => $dnsimple_email, password => $dnsimple_password };
    }
    if (defined($post_data)) {
        $headers->{'Content-Type'} = 'application/json';
        $post_data = encode_json($post_data) if ref($post_data) eq 'HASH';
    }

    my ($http_status, $content_type, $response_data) = eval {
        $https_client->request($method, "$dnsimple_endpoint$command", $headers, $creds, $post_data)
    };
    if (not defined $http_status) {
        print STDERR "dnsimple: Error: Unable to contact DNSimple server: $@";
        return undef;
    }

    my $response_obj;
    if (defined $content_type) {
        $content_type =~ s/;.*$//;
        if ($content_type ne 'application/json') {
            print STDERR "dnsimple: Error: received unexpected response from DNSimple server: response not JSON (content-type=$content_type; status=$http_status)\n";
            return undef;
        }

        $response_obj = eval { decode_json($$response_data) };
        if (!defined($response_obj)) {
            chomp $@;
            print STDERR "dnsimple: Error: received malformed response from DNSimple server: $@\n";
            return undef;
        }
    } else {
        $response_obj = {};
    }

    if (int($http_status / 100) == 2 || ($http_status == 404 && $missing_ok)) {
        return ($http_status, $response_obj);
    } elsif ($http_status == 401) {
        print STDERR "dnsimple: Error (for $rr_name): Invalid email address or token\n";
        return undef;
    } else {
        print STDERR "dnsimple: Error (for $rr_name): " . $response_obj->{message} . " ($http_status)\n";
        return undef;
    }
}

# DNSimple doesn't use trailing dots
$rr_name =~ s/\.$//;
$rr_value =~ s/\.$// if $rr_type eq 'CNAME' or $rr_type eq 'NS';

# 1. Determine the domain of the hosted zone
my @subdomain;
my $domain = $rr_name;
my $response;
while (defined $domain) {
    my $status;
    ($status, $response) = call_dnsimple('GET', "/domains/$domain/records", undef, 1);
    defined($response) or exit(4);
    last if int($status / 100) == 2;
    if ($domain =~ /^([^.]+)[.](.*)$/) {
        push @subdomain, $1;
        $domain = $2;
    } else {
        $domain = undef;
    }
}

if (not defined($domain)) {
    print STDERR "dnsimple: Error: Unable to find a domain for $rr_name in your DNSimple account.\n";
    exit(4);
}

exit(0) if $action eq 'noop';

my $subdomain = @subdomain ? join('.', @subdomain) : '@';

# 2. Check if the record already exists
my $existing_record_id;
for my $record (@{$response}) {
    $record = $record->{record};
    if ($record->{name} eq $subdomain &&
        $record->{record_type} eq $rr_type &&
        $record->{content} eq $rr_value) {
        $existing_record_id = $record->{id};
        last;
    }
}

# 3. Add or remove the record
if ($action eq 'add') {
    if (not defined($existing_record_id)) {
        print "dnsimple: Adding $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_dnsimple('POST', "/domains/$domain/records", { record => { record_type => $rr_type, name => $subdomain, content => $rr_value } }) or exit(1);
        sleep(30); # DNSimple doesn't provide an API for reporting when DNS records become visible, so sleep 30 seconds and hope for the best.
        print "Done.\n";
    }
} elsif ($action eq 'del') {
    if (defined $existing_record_id) {
        print "dnsimple: Removing $rr_type record for $rr_name... ";
        STDOUT->flush;
        call_dnsimple('DELETE', "/domains/$domain/records/$existing_record_id") or exit(1);
        print "Done.\n";
    }
} else {
    bad_usage;
}

exit(0);
--------------------------------------------------------------------------------
/libexec/sslmate/approval/dns/route53:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

#
# DNS approval handler for SSLMate using Route 53.
# To use, place the following in your dns_approval_map file:
#
#     example.com. route53 PARAMS...
#
# where example.com. is your domain name (note the trailing dot), and
# PARAMS... is zero or more of the following parameters, space-separated:
#
#     aws_access_key_id=ID
#     aws_secret_access_key=KEY
#         AWS credentials. If these parameters are not specified, credentials
#         are read from ~/.aws/credentials.
#
#     aws_credentials_profile=PROFILE
#         The section in ~/.aws/credentials from which to read credentials.
#         Defaults to 'default'. Only applicable if aws_access_key_id and
#         aws_secret_access_key parameters not specified.
#
#     hosted_zone_id=ID
#         The Route 53 hosted zone ID for this domain. This parameter is
#         optional; normally the hosted zone ID is auto-detected.
#
# Example:
#
#     example.com. route53 aws_access_key_id=AKIAJCXHASUVYTZGFSZA aws_secret_access_key=a9MXAPifglXkAK41X733imBjOi4FBuSQlP/3Fq3U
#
# The AWS credentials must have the following IAM permissions:
#
#     - route53:ListHostedZones on *
#     - route53:GetChange on arn:aws:route53:::change/*
#     - route53:ListResourceRecordSets on arn:aws:route53:::hostedzone/HOSTED_ZONE_ID
#     - route53:ChangeResourceRecordSets on arn:aws:route53:::hostedzone/HOSTED_ZONE_ID
#
# This handler requires Python and Boto.
#
# This program is meant to be invoked by the SSLMate client. Do not
# execute directly.
#

#
# Copyright (c) 2015 Opsmate, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name(s) of the above copyright
# holders shall not be used in advertising or otherwise to promote the
# sale, use or other dealings in this Software without prior written
# authorization.
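#
# Added example, not part of the SSLMate project: the permissions listed in
# the header above, expressed as an IAM policy document scoped to one hosted
# zone. HOSTED_ZONE_ID is the header's own placeholder and must be replaced
# with the zone's ID (the part of the hosted zone's Id after '/hostedzone/').
# When hosted_zone_id= is given in the dns_approval_map, this handler never
# calls get_all_hosted_zones(), so the ListHostedZones statement can be
# dropped from the policy in that case.
#
#     {
#         "Version": "2012-10-17",
#         "Statement": [
#             {
#                 "Effect": "Allow",
#                 "Action": "route53:ListHostedZones",
#                 "Resource": "*"
#             },
#             {
#                 "Effect": "Allow",
#                 "Action": "route53:GetChange",
#                 "Resource": "arn:aws:route53:::change/*"
#             },
#             {
#                 "Effect": "Allow",
#                 "Action": [
#                     "route53:ListResourceRecordSets",
#                     "route53:ChangeResourceRecordSets"
#                 ],
#                 "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID"
#             }
#         ]
#     }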
#


import time
import sys
import os
try:
    import ConfigParser # Python 2
except ImportError:
    import configparser as ConfigParser # Python 3
try:
    from boto import connect_route53
    from boto.route53.record import ResourceRecordSets
except ImportError:
    sys.stderr.write("route53: Error: Version 2.2 or higher of the boto python module must be installed to configure DNS approval through Route 53\n")
    sys.exit(5)

def bad_usage():
    sys.stderr.write('Usage: %s add|del name type value\n' % sys.argv[0])
    sys.exit(2)

if len(sys.argv) != 5:
    bad_usage()

action = sys.argv[1]
rr_name = sys.argv[2]
rr_type = sys.argv[3]
rr_value = sys.argv[4]

aws_access_key_id = None
aws_secret_access_key = None
hosted_zone_id = None
aws_credentials_profile = 'default'
try:
    for name in os.environ['PARAMS'].split():
        if name == 'aws_access_key_id':
            aws_access_key_id = os.environ['PARAM_' + name]
        elif name == 'aws_secret_access_key':
            aws_secret_access_key = os.environ['PARAM_' + name]
        elif name == 'hosted_zone_id':
            hosted_zone_id = os.environ['PARAM_' + name]
        elif name == 'aws_credentials_profile':
            aws_credentials_profile = os.environ['PARAM_' + name]
        else:
            sys.stderr.write('route53: Error: Unrecognized parameter %s\n' % name)
            sys.exit(3)
except KeyError as e:
    sys.stderr.write('route53: Error: Missing required environment variable %s - was this program invoked by SSLMate?\n' % e.args[0])
    sys.exit(3)

if aws_access_key_id is None:
    # Get AWS credentials from ~/.aws/credentials, an INI-style file (see http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs)
    aws_credentials_path = os.path.join(os.path.expanduser("~"), '.aws', 'credentials')
    if not os.path.exists(aws_credentials_path):
        sys.stderr.write('route53: Error: %s does not exist; please place your AWS credentials in either this file or in the SSLMate DNS approval map file\n' % aws_credentials_path)
        sys.exit(4)
    try:
        aws_credentials_config = ConfigParser.RawConfigParser()
        aws_credentials_config.read(aws_credentials_path)
        aws_access_key_id = aws_credentials_config.get(aws_credentials_profile, 'aws_access_key_id')
        aws_secret_access_key = aws_credentials_config.get(aws_credentials_profile, 'aws_secret_access_key')
    except ConfigParser.Error as e:
        sys.stderr.write('route53: Error: %s: %s\n' % (aws_credentials_path, e))
        sys.exit(4)

try:
    conn = connect_route53(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key)

    if hosted_zone_id is None:
        result = conn.get_all_hosted_zones()
        # Try the most specific (deepest) zones first, so that a record under
        # sub.example.com. lands in that zone rather than in example.com.
        for zone in sorted(result['ListHostedZonesResponse']['HostedZones'], key=lambda zone: zone['Name'].count('.'), reverse=True):
            if rr_name == zone['Name'] or rr_name.endswith('.' + zone['Name']):
                hosted_zone_id = zone['Id'][12:] # Slice off '/hostedzone/' prefix to get the actual ID
                break
        if hosted_zone_id is None:
            sys.stderr.write('route53: Error: Unable to find a hosted zone for %s (when using access key ID %s). Does your Route 53 account contain a hosted zone for this domain?\n' % (rr_name, aws_access_key_id))
            sys.exit(4)
except Exception as e:
    sys.stderr.write('route53: Error (for %s): %s\n' % (rr_name, e))
    sys.exit(4)

if action == 'noop':
    sys.exit(0)

try:
    current = conn.get_all_rrsets(hosted_zone_id, rr_type, rr_name, maxitems=1)
    currently_exists = len(current) > 0 and rr_value in current[0].resource_records

    if action == 'add':
        if not currently_exists:
            sys.stdout.write('route53: Adding %s record for %s... ' % (rr_type, rr_name))
            sys.stdout.flush()
            changes = ResourceRecordSets(conn, hosted_zone_id)
            changes.add_change('UPSERT', rr_name, rr_type, ttl=5).add_value(rr_value)
            result = changes.commit()
            change_id = result['ChangeResourceRecordSetsResponse']['ChangeInfo']['Id'].split('/')[-1]
            # Poll the change until Route 53 reports it as propagated (INSYNC)
            while True:
                change = conn.get_change(change_id)
                status = change['GetChangeResponse']['ChangeInfo']['Status']
                if status == 'INSYNC':
                    break
                elif status == 'PENDING':
                    time.sleep(2)
                else:
                    sys.stderr.write('route53: Error: bad response from AWS: unknown status %s for change %s\n' % (status, change_id))
                    sys.exit(1)
            sys.stdout.write('Done.\n')
            sys.stdout.flush()
    elif action == 'del':
        if currently_exists:
            sys.stdout.write('route53: Removing %s record for %s... ' % (rr_type, rr_name))
            sys.stdout.flush()
            changes = ResourceRecordSets(conn, hosted_zone_id)
            changes.add_change('DELETE', rr_name, rr_type, ttl=5).add_value(rr_value)
            changes.commit()
            sys.stdout.write('Done.\n')
            sys.stdout.flush()
    else:
        bad_usage()
except Exception as e:
    sys.stderr.write('route53: Error (for %s): %s\n' % (rr_name, e))
    sys.exit(1)

sys.exit(0)
--------------------------------------------------------------------------------
/perllib/SSLMate/HTTPSClient.pm:
--------------------------------------------------------------------------------
#
# Copyright (c) 2014-2015 Opsmate, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name(s) of the above copyright
# holders shall not be used in advertising or otherwise to promote the
# sale, use or other dealings in this Software without prior written
# authorization.
#

package SSLMate::HTTPSClient;

use 5.010; # 5.10
use strict;
use warnings;

use SSLMate;
use IPC::Open2;
use URI::Escape;
use POSIX qw(:sys_wait_h);

our $TIMEOUT = 300;

sub new_curl {
    my $curl = WWW::Curl::Easy->new;
    $curl->setopt(WWW::Curl::Easy::CURLOPT_PROTOCOLS(), 3); # Only safe protocols (HTTP and HTTPS, not SMTP, SSH, etc.)
    $curl->setopt(WWW::Curl::Easy::CURLOPT_FOLLOWLOCATION(), 1); # Follow redirects
    $curl->setopt(WWW::Curl::Easy::CURLOPT_MAXREDIRS(), 20); # Allow at most 20 redirections
    $curl->setopt(WWW::Curl::Easy::CURLOPT_SSL_VERIFYPEER(), 1); # Check certificates
    $curl->setopt(WWW::Curl::Easy::CURLOPT_SSL_VERIFYHOST(), 2); # Check certificates (2 is not a typo)
    $curl->setopt(WWW::Curl::Easy::CURLOPT_USERAGENT(), "SSLMate/$SSLMate::VERSION WWW-Curl/$WWW::Curl::VERSION");
    $curl->setopt(WWW::Curl::Easy::CURLOPT_TIMEOUT(), $TIMEOUT);
    return $curl;
}

sub new_lwp_ua {
    my $ua = LWP::UserAgent->new;
    $ua->agent("SSLMate/$SSLMate::VERSION ");
    $ua->protocols_allowed( [ 'http', 'https'] );
    $ua->ssl_opts(verify_hostname => 1);
    $ua->timeout($TIMEOUT);
    return $ua;
}


sub has_curl_command {
    my $pid = fork;
    die "Error: fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDIN, '<', '/dev/null');
        open(STDOUT, '>', '/dev/null');
        open(STDERR, '>', '/dev/null');
        exec('curl', '--version');
        exit 1;
    }
    waitpid($pid, 0) or die "Error: waitpid failed: $!";
    return $? == 0;
}

# Quote a value for a curl config-file line (name = "value"): backslashes,
# double quotes and tab/newline/CR/vertical whitespace are escaped so the
# value can neither end the quoted string nor start a new config line.
sub escape_curl_param {
    my ($param) = @_;
    $param =~ s/\\/\\\\/g;
    $param =~ s/\"/\\\"/g;
    $param =~ s/\t/\\t/g;
    $param =~ s/\n/\\n/g;
    $param =~ s/\r/\\r/g;
    $param =~ s/\v/\\v/g;
    return $param;
}

sub decode_curl_error {
    my ($exit_code) = @_;

    return "Unable to resolve server address" if $exit_code == 6;
    return "Unable to connect to server" if $exit_code == 7;
    return "Timeout" if $exit_code == 28;
    return "SSL handshake failed" if $exit_code == 35;
    return "SSL certificate error" if $exit_code == 51;
    return "SSL certificate cannot be authenticated" if $exit_code == 60;

    return "curl exited with status $exit_code";
}



sub request_via_lwp {
    my $self = shift;
    my ($method, $uri, $headers, $creds, $post_data) = @_;

    $self->{ua} //= new_lwp_ua;
    my $req = HTTP::Request->new($method, $uri);
    if (defined $headers) {
        for my $name (keys %$headers) {
            $req->header($name => $headers->{$name});
        }
    }
    if (defined $creds) {
        die "Usernames may not contain colons\n" if $creds->{username} =~ /:/;
        $req->authorization_basic($creds->{username}, $creds->{password});
    }
    if (defined $post_data) {
        $req->content($post_data);
    }

    my $response = $self->{ua}->request($req);
    if (defined(my $msg = $response->header('X-Died'))) {
        # This is how LWP::UserAgent reports timeouts
        die "$msg\n";
    }
    if (($response->header('Client-Warning')//'') eq 'Internal response') {
        die $response->content . "\n";
    }

    return ($response->code, $response->content_type, \$response->content);
}

sub request_via_curl_module {
    my $self = shift;
    my ($method, $uri, $headers, $creds, $post_data) = @_;
    my @headers;

    $self->{curl} //= new_curl;
    $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_CUSTOMREQUEST(), $method);
    if (defined $post_data) {
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_HTTPGET(), 0);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_NOBODY(), 0);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_UPLOAD(), 0);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_POSTFIELDS(), $post_data);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_POSTFIELDSIZE(), length $post_data);
    } else {
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_HTTPGET(), 1);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_UPLOAD(), 0);
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_NOBODY(), $method eq 'HEAD' ? 1 : 0);
    }
    if ($headers) {
        for my $name (keys %$headers) {
            my $value = $headers->{$name};
            push @headers, "$name: $value";
        }
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_HTTPHEADER(), \@headers);
    }
    if ($creds) {
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_USERNAME(), $creds->{username});
        $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_PASSWORD(), $creds->{password});
    }
    $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_URL(), $uri);

    my $response_data = '';
    open(my $response_fh, '>', \$response_data);
    $self->{curl}->setopt(WWW::Curl::Easy::CURLOPT_WRITEDATA(), $response_fh);

    my $result = $self->{curl}->perform;
    close($response_fh);
    if ($result != 0) {
        my $err = $self->{curl}->strerror($result);
        undef $self->{curl};
        die "$err\n";
    }
    my $http_status = $self->{curl}->getinfo(WWW::Curl::Easy::CURLINFO_HTTP_CODE());
    my $content_type = $self->{curl}->getinfo(WWW::Curl::Easy::CURLINFO_CONTENT_TYPE());

    return ($http_status, $content_type, \$response_data);
}

sub request_via_curl_command {
    my $self = shift;
    my ($method, $uri, $headers, $creds, $post_data) = @_;

    local $SIG{PIPE} = 'IGNORE';

    # -q (which must come first) skips ~/.curlrc; -K - reads the options
    # (URL, headers, credentials, body) from stdin as a curl config file, so
    # none of them appear on the command line or in the process list.
    my ($response_fh, $config_fh);
    my $curl_pid = eval { open2($response_fh, $config_fh, 'curl', '-q', '-K', '-') };
    die "Unable to execute the 'curl' command - is curl installed?\n" unless defined($curl_pid);
    print $config_fh "user-agent = \"" . escape_curl_param("SSLMate/$SSLMate::VERSION curl") . "\"\n";
    print $config_fh "silent\n";
    print $config_fh "include\n";
    print $config_fh "max-time = \"" . escape_curl_param($TIMEOUT) . "\"\n";
    print $config_fh "request = \"" . escape_curl_param($method) . "\"\n";
    print $config_fh "url = \"" . escape_curl_param($uri) . "\"\n";
    if ($headers) {
        for my $name (keys %$headers) {
            my $value = $headers->{$name};
            print $config_fh "header = \"" . escape_curl_param("$name: $value") . "\"\n";
        }
    }
    if ($creds) {
        print $config_fh "user = \"" . escape_curl_param(join(':', $creds->{username}, $creds->{password})) . "\"\n";
    }
    if ($method eq 'POST') {
        $post_data //= '';
        print $config_fh "data = \"" . escape_curl_param($post_data) . "\"\n";
    }
    close($config_fh);

    # "include" makes curl emit the response headers ahead of the body;
    # parse the status line and Content-Type, skipping any 100 Continue.
    my ($http_status, $content_type, $response_data);
    if (!eof($response_fh)) {
        do {
            # HTTP/1.1 200 OK
            my $http_status_line = <$response_fh>;
            $http_status_line =~ s/\r?\n$//;
            (undef, $http_status, undef) = split(' ', $http_status_line);

            # Content-Type: application/json
            $content_type = undef;
            while (defined(my $line = <$response_fh>)) {
                $line =~ s/\r?\n$//;
                last if $line eq ''; # end of headers
                if ($line =~ /^Content-Type:\s*(.*)$/i) {
                    $content_type = $1;
                }
            }
        } while ($http_status == 100);

        $response_data = do { local $/; <$response_fh> };
    }
    close($response_fh);
    waitpid($curl_pid, 0) or die "waitpid failed: $!";
    if ($? != 0) {
        if (WIFEXITED($?)) {
            die decode_curl_error(WEXITSTATUS($?)) . "\n";
        } else {
            die "curl command terminated with status $?\n";
        }
    }
    if (not $http_status) {
        die "curl command produced unexpected output\n";
    }

    return ($http_status, $content_type, \$response_data);
}

# Backend preference: the curl command, then LWP (>= 6 with LWP::Protocol::https),
# then the WWW::Curl module. All three are configured to verify the server certificate.
sub request {
    my $self = shift;
    my ($method, $uri, $headers, $creds, $post_data) = @_;

    if ($self->{has_curl_command}) {
        return $self->request_via_curl_command($method, $uri, $headers, $creds, $post_data);
    } elsif ($self->{has_lwp}) {
        return $self->request_via_lwp($method, $uri, $headers, $creds, $post_data);
    } elsif ($self->{has_curl_module}) {
        return $self->request_via_curl_module($method, $uri, $headers, $creds, $post_data);
    } else {
        die "Neither LWP (>= 6) nor the curl command are installed\n";
    }
}

sub new {
    my $class = shift;
    my $self = {
        has_curl_command => has_curl_command,
        has_curl_module => eval { require WWW::Curl::Easy; 1 } // 0,
        has_lwp => eval { require LWP::UserAgent; require LWP::Protocol::https; $LWP::UserAgent::VERSION >= 6 && $LWP::Protocol::https::VERSION >= 6 } // 0, # LWP5 does not properly validate certs!
    };
    # print STDERR "has_curl_command=" . $self->{has_curl_command} . "\n";
    # print STDERR "has_curl_module=" . $self->{has_curl_module} . "\n";
    # print STDERR "has_lwp=" . $self->{has_lwp} . "\n";
    bless $self, $class;
    return $self;
}

sub qs_escape {
    my ($str) = @_;
    return uri_escape_utf8($str, '^A-Za-z0-9\-\._');
}

sub make_query_string {
    my ($request_data) = @_;

    my @elts;
    for my $key (keys %$request_data) {
        next unless defined $request_data->{$key};
        if (ref($request_data->{$key}) eq 'ARRAY') {
            for my $value (@{$request_data->{$key}}) {
                next unless defined $value;
                push @elts, qs_escape($key) . '=' .
qs_escape($value); 293 | } 294 | } elsif (ref($request_data->{$key}) eq 'SCALAR') { 295 | push @elts, qs_escape($key) . '=' . qs_escape(${$request_data->{$key}}); 296 | } else { 297 | push @elts, qs_escape($key) . '=' . qs_escape($request_data->{$key}); 298 | } 299 | } 300 | $request_data = join('&', @elts); 301 | } 302 | 303 | 1; 304 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | v1.9.1 (2022-05-03) 2 | * Improve error message when HTTP approval is not configured. 3 | 4 | v1.9.0 (2021-09-07) 5 | * Client-side DNS approval handlers have been deprecated and will be removed 6 | in SSLMate 2. To continue automatically approving certificates using DNS, 7 | please integrate your SSLMate account with your DNS provider by visiting the 8 | following page: https://sslmate.com/account/integrations 9 | * The Route 53 approval handler now uses Python 3. 10 | 11 | v1.8.0 (2021-06-22) 12 | * buy: add --no-auto-san option to disable addition of an alt name for the 13 | base domain or www. sub-domain. 14 | * edit: allow the automatic alt name (for the base domain or www. sub-domain) 15 | to be removed with --rm-name just like any other alt name. 16 | * show: always show the alt names, even if they have the default values. 17 | * Deprecate --multi and --no-multi options. There is no longer a distinction 18 | between multi-hostname and single-hostname certificates. 19 | * Remove import sub-command. 20 | * Remove support for EV certificates. 21 | * buy, renew: fix bug that would display the wrong price for multi-hostname 22 | certificates that contained the same SANs as a standard, non-multi cert. 23 | * reissue, rekey: eliminate spurious "this certificate is not active" errors. 24 | 25 | v1.7.1 (2019-03-08) 26 | * Bugfix release. 27 | * sslmate download: don't prevent further downloads if there is an error 28 | with just one certificate. 

v1.7.0 (2018-06-20)
* Add support for wildcards in multi-hostname certificates.

v1.6.0 (2017-08-03)
* Add support for HTTP approval (see https://sslmate.com/help/approval/http).
* Fix compatibility bug with OpenSSL 1.1 affecting elliptic curve certificates.
* Fix invalid argument error when setting file ownership under Perl 5.24.
* Various refinements and documentation improvements.

v1.5.2 (2017-07-14)
* Bugfix release.
* Fix pagination bug in digitalocean DNS handler.
* Ensure NS records are properly handled by DNS handlers.
* Ensure parent directories are created by documentroot HTTP handler.
* Check for missing argument to retry-approval.
* Clarify some unclear error and warning messages.
* Fix typo in man page.

v1.5.1 (2015-12-10)
* Bugfix release.
* Fix bug with renewing multi-hostname certs where it said
  "Error: the price of this certificate has changed".
* Fix bug where single-hostname certs were sometimes treated
  as multi-hostname certs incorrectly.

v1.5.0 (2015-09-22)
* Replace 'sslmate resend-email' with 'sslmate retry-approval', which
  supports non-email approval. 'resend-email' will be removed in
  SSLMate 2.0.
* Rebrand "multi-domain" certs as "multi-hostname" certs.
* Add '--multi' option to 'sslmate buy' to force the purchase of a
  multi-hostname certificate with just a single hostname.
* Add '--multi' and --no-multi options to 'sslmate edit' to convert
  between a multi-hostname and single-hostname certificate.
* Improve user experience when using DNS approval.

v1.4.0 (2015-07-02)
* Add support for multi-domain certificates.
  - Specify multiple hostnames on command line to 'sslmate buy'.
  - Use 'sslmate edit' to add/remove alternative names.
  - Use 'sslmate reissue --same-key' to reissue after adding/removing
    names.
* Add 'sslmate rekey' option to generate a new key and reissue.
* Add '--same-key' option to 'sslmate reissue' to reissue without
  generating a new key. IMPORTANT: starting with SSLMate 2.0,
  --same-key will be implied when running 'sslmate reissue'.
  Please start using 'sslmate rekey' if you want to reissue with a
  new key.
* Add 'sslmate show' command to show detailed information about a
  certificate.
* Fix bug when importing certificates with upper case common names.

v1.3.0 (2015-06-18)
* Add support for creating certificate files in alternative
  formats. To enable a format, put "cert_formats.FORMAT yes"
  in your config file, where FORMAT is one of:
  - chained (Certificate by chain) (enabled by default)
  - combined (Key, cert, and chain concatenated together)
  - p12 (PKCS#12 file)
  - jks (Java Keystore file)
  - root (Root certificate)
  - chain+root (Chain and root concatenated together)
* Preserve existing filesystem permissions of key and certificate files.
* Minor bug fixes/enhancements.

v1.2.3 (2015-06-13)
* Bugfix release.
* Correctly display unhandled subjectAltNames when importing.
* Fix Makefile so it works with FreeBSD make.

v1.2.2 (2015-05-29)
* Bugfix release.
* Don't try to use LWP for HTTPS if LWP::Protocol::https not installed.
* Document that LWP::Protocol::https is required in addition to LWP.
* Properly report errors from LWP.

v1.2.1 (2015-05-26)
* Fix certificate errors on OS X by preferring curl over LWP Perl module.

v1.2.0 (2015-05-26)
* Install strong Diffie-Hellman parameters to /usr/share/sslmate.
* Add support for Diffie-Hellman parameters in mkconfig config templates.
* If available, use LWP Perl module for HTTPS client instead of
  spawning a curl process.

v1.1.1 (2015-05-13)
* Avoid a warning message if WWW::Curl::Perl is not installed.

v1.1.0 (2015-05-12)
* Support DNS approval with CloudFlare, DigitalOcean, and DNSimple.
* Allow DNS approval to be selected from approver email list.
* Allow type of cert (dv/ev) to be changed by `sslmate edit`.
* Add --timeout option to buy, reissue, renew
* Minor bug fixes/enhancements.

v1.0.1 (2015-04-22)
* Minor bug fixes.
* Fix segfault on Ubuntu 14.10 by using external curl command for
  HTTP client.

v1.0.0 (2015-04-20)
* Add `sslmate import` command for importing existing certificates to
  your account.
* Add `sslmate list` command for listing your account's certificates.
* Add `sslmate edit` command for changing the settings of a certificate
  (e.g. auto-renew, approver email address).
* Add `sslmate resend-email` command for resending the approval email
  for a pending certificate.
* Add support for DNS approval.
* Add support for EV certs.
* Add support for ECDSA keys and certs.
* Add support for daily purchase limit.
* Add wildcard_filename config option for setting the character used
  in a wildcard cert filename, instead of '*'.
* buy/reissue/renew now exit with status 12 if cert is not downloaded
  and --no-wait is not used.
* Print path to private key when buy/reissue terminates before cert
  can be downloaded.
* Improve display of key and cert paths.
* Preserve permissions of original .key file when reissuing.
* Deprecate honor_umask config option.
* Better support for non-ASCII domain names.
* Require --force to buy a certificate when an active certificate with
  that name already exists in your account.
* Fix bug where reissue and renew commands could exit with a non-zero
  status upon success.
* Add global --batch option.
* Add global --verbose option.
* Add support for alternative key/certificate formats, such as PKCS#12
  (experimental).
* Add support for HTTP approval (experimental).

v0.6.2 (2014-12-18)
* Include recommended security settings when running `sslmate
  mkconfig`, unless --no-security option is specified.
  Recommendations are from the Mozilla Server Side TLS Guide.
* Fix bug that could prevent full key/cert paths from appearing in
  mkconfig output.
* Display a tip about mkconfig and test commands after buying a cert.

v0.6.1 (2014-12-03)
* Fix an error with newer versions of Perl.

v0.6.0 (2014-12-03)
* Add `sslmate test` command for testing the installation of a
  certificate.
* Add `sslmate mkconfig` command for generating server configuration
  for a certificate.
* Add --temp option to `sslmate buy` and `sslmate download`. If
  specified, a temporary, self-signed, certificate will be installed
  instead of waiting for the real cert to be issued. This temporary
  cert won't be trusted by clients, but can be used for configuring
  your server while you wait for your real cert to be issued.
* Add --invoice-note and --email-invoice-to options to `sslmate buy`
  for customizing invoices.
* Output non-error informational messages to stdout instead of stderr.
  stderr is now reserved for error messages only.
* Strip private key and other cruft from certificate before importing.
* Minor bug fixes.

v0.5.0 (2014-11-05)
* Allow buy, import, and renew commands to be used non-interactively:
  - The --batch option disables prompting for confirmation.
  - The --email=ADDRESS option specifies the desired approver address.
  - The --no-wait option tells sslmate to return immediately
    instead of waiting for the new certificate to be issued.
* Better support for key rollover in `sslmate reissue`:
  - The new key file is initially written to CN.key.new and the
    existing key file is only overwritten (by either `sslmate reissue`
    or `sslmate download`) once the new certificate is ready.
  - Existing .key and .crt files are overwritten even without the
    --force option, but only once the reissue completes successfully.
* renew now overwrites existing .crt files even without the --force
  option. A safety check has been added to ensure that renew only
  installs a certificate if it matches the .key file.
* API credentials are now saved to disk only if `sslmate link` is run
  explicitly. Other commands no longer implicitly link the system.
* Minor bug fixes and internal improvements.

v0.4.5 (2014-10-27)
* Support Perl when installed in a directory other than /usr/bin.

v0.4.4 (2014-10-27)
* Add `sslmate req` command for generating a key and CSR.
* Minor bug fixes.

v0.4.3 (2014-10-24)
* Create cert files with a umask of 022 unless honor_umask config
  option set to 'yes'.
* Re-license under the X11 license.
* Minor bug fixes.

v0.4.2 (2014-10-20)
* Fix bug that prevented 'sslmate link' from working with
  passwords containing '0'.

v0.4.1 (2014-10-18)
* Fix warning when run with newer versions of Perl.

v0.4.0 (2014-10-15)
* Allow multiple certs, or all certs, to be downloaded with
  `sslmate download`.
* Add sslmate(1) man page.
* Ensure that `sslmate download` only downloads certs that
  match the corresponding private keys.
* Improve usage messages.
* Add support for configuration profiles.
* Check for newer version when running `sslmate version`.
* Rewrite in Perl.

v0.3.0 (2014-09-12)
* Add `sslmate renew` and `sslmate download` commands, and
  --auto-renew and --no-auto-renew options to `sslmate buy`.
  See https://sslmate.com/blog/post/automating_renewals
* Make years argument optional in `sslmate buy`; default to 1 year.
* Add key_directory and cert_directory config options to set the
  location of purchased/downloaded files. Defaults to $PWD for
  non-root users and /etc/sslmate for root.
* Read default config options from /etc/sslmate.conf if it exists.
* Add --force as an alias for -f option, and --all as alias for -a.
* For consistency, always write a .chain.crt and .chained.crt file
  even if chain is empty.
* Miscellaneous bug fixes and usability improvements.

v0.2.1 (2014-09-03)
* When prompting for password, treat DEL as erase in addition to BS.

v0.2.0 (2014-08-21)
* Add `sslmate revoke` command.
* Add `sslmate version` command.
--------------------------------------------------------------------------------
/man/man1/sslmate.1:
--------------------------------------------------------------------------------
'\" t
.\" Title: sslmate
.\" Author: SSLMate
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 2022-05-03
.\" Manual: SSLMate
.\" Source: SSLMate 1.9.1
.\" Language: English
.\"
.TH "SSLMATE" "1" "2022\-05\-03" "SSLMate 1.9.1" "SSLMate"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sslmate \- buy and manage SSL certificates
.SH "SYNOPSIS"
.HP \w'\fBsslmate\ \fR\fB[\fIOPTIONS\fR]\fR\fB\ \fR\fB\fICOMMAND\fR\fR\fB\ \fR\fB[\fIARGS\fR...]\fR\ 'u
\fBsslmate \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fICOMMAND\fR\fR\fB \fR\fB[\fIARGS\fR...]\fR
.SH "COMMON COMMANDS"
.HP \w'\fBsslmate\ buy\ \fR\fB\fIHOSTNAME\fR...\fR\ 'u
\fBsslmate buy \fR\fB\fIHOSTNAME\fR...\fR
.HP \w'\fBsslmate\ renew\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate renew \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ reissue\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate reissue \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ rekey\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate rekey \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ revoke\ \fR\fB[\-\-all]\fR\fB\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate revoke \fR\fB[\-\-all]\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ download\ \fR\fB\fIHOSTNAME\fR...\fR\ 'u
\fBsslmate download \fR\fB\fIHOSTNAME\fR...\fR
.HP \w'\fBsslmate\ download\ \fR\fB\-\-all\fR\ 'u
\fBsslmate download \fR\fB\-\-all\fR
.HP \w'\fBsslmate\ list\fR\ 'u
\fBsslmate list\fR
.HP \w'\fBsslmate\ show\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate show \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ edit\ \fR\fB\fIOPTIONS\fR...\fR\fB\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate edit \fR\fB\fIOPTIONS\fR...\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ test\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate test \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ mkconfig\ \fR\fB\fITEMPLATE\fR\fR\fB\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate mkconfig \fR\fB\fITEMPLATE\fR\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ retry\-approval\ \fR\fB\fIHOSTNAME\fR\fR\ 'u
\fBsslmate retry\-approval \fR\fB\fIHOSTNAME\fR\fR
.HP \w'\fBsslmate\ link\fR\ 'u
\fBsslmate link\fR
.SH "DESCRIPTION"
.PP
\fBsslmate\fR
is the command line client for SSLMate (\m[blue]\fBhttps://sslmate\&.com\fR\m[]), a service for purchasing and managing SSL certificates\&. SSLMate provides easy\-to\-use tools for buying, renewing, and revoking certificates, for monitoring the expiration date of your certificates, and for synchronizing your certificates between your servers\&.
.PP
SSLMate emphasizes speed, ease\-of\-use, and automation\&. For example, the command to purchase a certificate (\fBsslmate buy\fR) typically completes in under a minute and automates the steps of generating a private key, generating a CSR, and building a certificate bundle\&. SSLMate can automatically renew your certificates, and you can run
\fBsslmate download\fR
from a cron job so that renewed certificates are automatically downloaded to your server\&.
.PP
To use the
\fBsslmate\fR
command, you must create a free account at
\m[blue]\fBhttps://sslmate\&.com\fR\m[]\&.
.SH "COMMANDS"
.PP
\fBsslmate\fR
is logically divided into several sub\-commands which perform distinct tasks\&. Each sub\-command, and its arguments, are documented below\&. Note that arguments and options to sub\-commands must be specified on the command line
\fIafter\fR
the name of the sub\-command\&.
.PP
\fBbuy \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR...\fR
.RS 4
Generate a private key and purchase a certificate for the given hostname(s)\&.
.sp
If only one hostname is specified, a single\-hostname certificate is issued\&. The hostname is placed in the certificate\*(Aqs common name (CN) field as well as a subjectAltName field\&. If the hostname starts with "www\&.", a second subjectAltName is added, free of charge, for the base domain (formed by removing the "www\&." prefix)\&. If the hostname does not start with "www\&.", a second subjectAltName is added, free of charge, for the www subdomain (formed by adding the "www\&." prefix)\&. To disable the automatic addition of the second subjectAltName, specify the
\fB\-\-no\-auto\-san\fR
option\&.
.sp
If the hostname starts with "*\&.", then a wildcard certificate is issued which is valid for the wildcard domain itself and all hostnames directly below the wildcard domain\&. The certificate is not valid for hostnames two or more levels below the wildcard domain\&. For example, "*\&.example\&.com" matches "example\&.com", "www\&.example\&.com", and "subdomain\&.example\&.com", but not "www\&.subdomain\&.example\&.com"\&.
.sp
If more than one hostname is specified, a multi\-hostname certificate is issued\&. The first hostname is the primary name of the certificate and is placed in the certificate\*(Aqs common name field, as well as a subjectAltName field\&. The remaining hostnames are placed in subjectAltNames\&. The certificate is referred to by its primary name when downloading, renewing, reissuing, etc\&. The primary name cannot be changed without purchasing a new certificate, but alternative names can be added and removed after the certificate is issued by running
\fBsslmate edit\fR\&.
.sp
The following options are understood:
.PP
\fB\-\-auto\-renew\fR, \fB\-\-no\-auto\-renew\fR
.RS 4
Enable or disable automatic renewal for this certificate\&. If neither option is specified, your account\*(Aqs default auto\-renewal setting is used\&.
.sp
The auto\-renewal setting of an already\-purchased certificate can be changed from the SSLMate website\&.
.RE
.PP
\fB\-\-approval=email|dns|http\fR
.RS 4
Use the given method to prove ownership of your domain\&.
.sp
When "email" is used (the default), you must respond to an email sent to one of the administrative addresses for your domain\&. You will be prompted for the email address when running
\fBsslmate buy\fR, or you can specify it on the command line with the
\fB\-\-email=\fR\fB\fIADDRESS\fR\fR
option\&.
.sp
When "dns" is used, you must add a specific DNS record under your domain\&. If you have configured your SSLMate account to integrate with a supported DNS provider (see
\m[blue]\fBhttps://sslmate\&.com/account/integrations\fR\m[]), then the DNS record will be added automatically\&. Otherwise, the DNS record will be displayed and you will need to add it manually\&.
.sp
When "http" is used, you must configure the web server for your domain to proxy certain URLs to an SSLMate approval server, as described at
\m[blue]\fBhttps://sslmate\&.com/help/approval/http\fR\m[]\&. Once your web server is configured, certificates using HTTP approval will be approved and issued automatically\&.
.sp
When purchasing a multi\-hostname certificate, each hostname must be approved separately\&. The approval method specified by this option applies to every hostname\&. To use a different method for a hostname, specify an option of the form
\fB\-\-approval=\fR\fB\fIHOSTNAME\fR\fR\fB=\fR\fB\fIMETHOD\fR\fR\&.
.RE
.PP
\fB\-\-email=\fR\fB\fIADDRESS\fR\fR
.RS 4
Send the approval email to the given email address\&. This address must be one of the addresses that is listed when you run
\fBsslmate buy\fR
interactively\&. Only applicable if email approval is used\&.
.sp
When purchasing a multi\-hostname certificate, this email address is used for every hostname\&. To use a different email address for a hostname, specify an option of the form
\fB\-\-email=\fR\fB\fIHOSTNAME\fR\fR\fB=\fR\fB\fIADDRESS\fR\fR\&.
.RE
.PP
\fB\-\-timeout=\fR\fB\fISECONDS\fR\fR
.RS 4
Wait up to
\fISECONDS\fR
seconds for the certificate to be issued\&. If the certificate is not issued before the timeout elapses,
\fBsslmate\fR
exits without downloading any certificate files\&. Instead, the certificate must be downloaded later with the
\fBsslmate download\fR
command\&.
.RE
.PP
\fB\-\-no\-wait\fR
.RS 4
Return immediately after placing the order instead of waiting for the certificate to be issued\&. If this option is used, no certificate files are downloaded; instead the certificate must be downloaded separately with the
\fBsslmate download\fR
command\&.
.sp
This option is equivalent to
\fB\-\-timeout 0\fR\&.
.RE
.PP
\fB\-\-temp\fR
.RS 4
Instead of waiting for the certificate to be issued, install a temporary, self\-signed, certificate and return immediately\&. The temporary certificate will not be trusted by clients, but it can be used to configure your server software while waiting for the real certificate to be issued\&.
.sp
When the real certificate is issued, it can be downloaded with the
\fBsslmate download\fR
command\&.
.RE
.PP
\fB\-\-coupon=\fR\fB\fICODE\fR\fR
.RS 4
Use the given coupon code for a discount\&.
.RE
.PP
\fB\-\-invoice\-note=\fR\fB\fINOTE\fR\fR
.RS 4
Include the given note with the invoice for this purchase\&.
.RE
.PP
\fB\-\-email\-invoice\-to=\fR\fB\fIADDRESS\fR\fR
.RS 4
Email the invoice for this purchase to the given address\&.
.sp
By default, invoices are not emailed, but can be downloaded from your
\m[blue]\fBonline SSLMate dashboard\fR\m[]\&\s-2\u[1]\d\s+2\&.
.RE
.PP
\fB\-f\fR, \fB\-\-force\fR
.RS 4
Buy the certificate even if there are existing key and certificate files, or if an active certificate with this name already exists in your SSLMate account\&. Existing key and certificate files will be overwritten\&.
.RE
.PP
\fB\-\-key\-type=rsa|ecdsa\fR
.RS 4
Specify the type of key to generate: RSA (the default), or ECDSA (elliptic curve)\&. The certificate will be signed with a signature of the same type\&.
.sp
RSA provides the best compatibility with clients\&. ECDSA provides better performance during the TLS handshake, but is not supported by older web browsers (such as IE 8 on Windows XP, Android 2\&.3, and Java 6)\&. If in doubt, use RSA\&.
.sp
The default key type can be changed by setting the
\fBkey_type\fR
configuration option (see the CONFIGURATION section for details)\&.
.RE
.PP
\fB\-\-no\-auto\-san\fR
.RS 4
Disable the addition of the automatic second subjectAltName if only one hostname was specified on the command line\&.
.RE
.RE
.PP
\fBrenew \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.RS 4
Renew the certificate for the given hostname\&.
.sp
The following options are understood:
.PP
\fB\-\-timeout=\fR\fB\fISECONDS\fR\fR
.RS 4
Wait up to
\fISECONDS\fR
seconds for the certificate to be issued\&. If the certificate is not issued before the timeout elapses,
\fBsslmate\fR
exits without downloading any certificate files\&. Instead, the certificate must be downloaded later with the
\fBsslmate download\fR
command\&.
.RE
.PP
\fB\-\-no\-wait\fR
.RS 4
Return immediately after placing the order instead of waiting for the new certificate to be issued\&. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the
\fBsslmate download\fR
command\&.
.sp
This option is equivalent to
\fB\-\-timeout 0\fR\&.
.RE
.PP
\fB\-\-coupon=\fR\fB\fICODE\fR\fR
.RS 4
Use the given coupon code for a discount\&.
.RE
.PP
\fB\-\-invoice\-note=\fR\fB\fINOTE\fR\fR
.RS 4
Include the given note with the invoice for this purchase\&.
.RE
.PP
\fB\-\-email\-invoice\-to=\fR\fB\fIADDRESS\fR\fR
.RS 4
Email the invoice for this purchase to the given address\&.
.sp
By default, invoices are not emailed, but can be downloaded from your
\m[blue]\fBonline SSLMate dashboard\fR\m[]\&\s-2\u[1]\d\s+2\&.
.RE
.PP
\fB\-f\fR, \fB\-\-force\fR
.RS 4
Renew the certificate even if it\*(Aqs not about to expire\&. Note that the renewed certificate will expire one year from today\*(Aqs date, not from the expiration date of the current certificate\&.
.RE
.RE
.PP
\fBreissue \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.RS 4
Generate a new private key (unless
\fB\-\-same\-key\fR
is specified) and reissue the certificate for the given hostname\&.
.sp
Note:
\fBsslmate reissue\fR
without the
\fB\-\-same\-key\fR
option is deprecated\&. Starting with SSLMate 2\&.0,
\fB\-\-same\-key\fR
will be implied\&. To reissue a certificate with a new key, use
\fBsslmate rekey\fR
instead\&.
.sp
Reissuing a certificate does
\fInot\fR
revoke it\&. Use the
\fBsslmate revoke\fR
command to revoke a certificate after you have reissued it\&.
.sp
The following options are understood:
.PP
\fB\-\-same\-key\fR
.RS 4
Keep the same private key when reissuing\&. This is useful if you are reissuing a certificate not because of a lost key, but to add or remove the alternative names of a multi\-hostname certificate\&.
.sp
Note: Starting with SSLMate 2\&.0,
\fB\-\-same\-key\fR
will be implied\&. To reissue a certificate with a new key, use
\fBsslmate rekey\fR
instead\&.
.RE
.PP
\fB\-\-timeout=\fR\fB\fISECONDS\fR\fR
.RS 4
Wait up to
\fISECONDS\fR
seconds for the certificate to be issued\&. If the certificate is not issued before the timeout elapses,
\fBsslmate\fR
exits without downloading any certificate files\&. Instead, the certificate must be downloaded later with the
\fBsslmate download\fR
command\&.
.RE
.PP
\fB\-\-no\-wait\fR
.RS 4
Return immediately after requesting the reissue instead of waiting for the new certificate to be issued\&. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the
\fBsslmate download\fR
command\&.
.sp
This option is equivalent to
\fB\-\-timeout 0\fR\&.
.RE
.RE
.PP
\fBrekey \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.RS 4
Generate a new private key and reissue the certificate for the given hostname\&.
.sp
Reissuing a certificate does
\fInot\fR
revoke it\&. Use the
\fBsslmate revoke\fR
command to revoke a certificate after you have rekeyed it\&.
.sp
The following options are understood:
.PP
\fB\-\-timeout=\fR\fB\fISECONDS\fR\fR
.RS 4
Wait up to
\fISECONDS\fR
seconds for the certificate to be issued\&. If the certificate is not issued before the timeout elapses,
\fBsslmate\fR
exits without downloading any certificate files\&. Instead, the certificate must be downloaded later with the
\fBsslmate download\fR
command\&.
.RE
.PP
\fB\-\-no\-wait\fR
.RS 4
Return immediately after requesting the rekey instead of waiting for the new certificate to be issued\&. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the
\fBsslmate download\fR
command\&.
.sp
This option is equivalent to
\fB\-\-timeout 0\fR\&.
.RE
.PP
\fB\-f\fR, \fB\-\-force\fR
.RS 4
Overwrite existing files\&.
.RE
.PP
\fB\-\-key\-type=rsa|ecdsa\fR
.RS 4
Specify the type of the new key: RSA (the default), or ECDSA (elliptic curve)\&. The certificate will be signed with a signature of the same type\&.
.sp
See the documentation for
\fBsslmate buy\fR
for more information\&. If in doubt, do not use this option\&.
.RE
.RE
.PP
\fBrevoke \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR
.RS 4
Revoke the certificate(s) for the given hostname\&.
.sp
Revoking a certificate does
\fInot\fR
issue a new certificate\&. If you need a new certificate, use the
\fBsslmate reissue\fR
command to generate and issue a new certificate
\fIbefore\fR
running
\fBsslmate revoke\fR\&.
.sp
The following options are understood:
.PP
\fB\-a\fR, \fB\-\-all\fR
.RS 4
Revoke
\fIall\fR
certificates for this hostname, including the most recent active certificate\&. If this option is omitted, all but the most recent active certificate are revoked\&.
.sp
WARNING: if you use this option, SSLMate will no longer be able to issue new certificates for this hostname unless you buy a brand new certificate\&. Generally, to revoke a certificate, you should first reissue it with the
\fBreissue\fR
command and then use
\fBrevoke\fR
\fIwithout\fR
the
\fB\-\-all\fR
option\&. Only use
\fB\-\-all\fR
if you no longer need any certificates for a hostname\&.
.sp
You will be prompted for confirmation unless you also specify the
\fB\-\-batch\fR
global option\&.
.RE
.RE
.PP
\fBdownload \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR...\fR
.RS 4
Download the certificate(s) for the given hostname(s), or, if
\fB\-\-all\fR
is specified, for all hostnames that have keys in the
\fIkey_directory\fR\&.
.sp
Certificate files are downloaded from your SSLMate account to your configured
\fIcert_directory\fR
(/etc/sslmate
by default if run as root,
$PWD
if run as non\-root)\&. Existing certificate files are replaced\&. Exits with status code 0 if new certificate files were downloaded, or 10 if the most up\-to\-date certificate files have already been downloaded\&.
.sp
This command is designed to be run from a cron job or configuration management script so that auto\-renewed certificates are automatically propagated to your server\&. You can check the exit status and, if zero, restart daemons so they load the latest version of the certificate\&.
.sp
The following options are understood:
.PP
\fB\-a\fR, \fB\-\-all\fR
.RS 4
Download certificate files for every key present in the
\fIkey_directory\fR
(/etc/sslmate
by default if run as root,
$PWD
if run as non\-root)\&.
.sp
If this option is used, specific hostnames cannot be specified on the command line\&.
.RE
.PP
\fB\-\-temp\fR
.RS 4
If the certificate has not been issued yet, download a temporary, self\-signed, certificate instead\&. See the documentation for
\fBsslmate buy\fR
for more information about temporary certificates\&.
.RE
.RE
.PP
\fBlist \fR\fB[\fIOPTIONS\fR]\fR
.RS 4
List the certificates in your SSLMate account\&.
.sp
The following options are understood:
.PP
\fB\-\-local\fR
.RS 4
List only certificates that are also installed locally\&.
.RE
.PP
\fB\-\-no\-local\fR
.RS 4
List only certificates that are
\fInot\fR
installed locally\&.
453 | .RE 454 | .PP 455 | \fB\-c \fR\fB\fICOLUMNS\fR\fR, \fB\-\-columns=\fR\fB\fICOLUMNS\fR\fR 456 | .RS 4 457 | Include the given columns in the output, where 458 | \fICOLUMNS\fR 459 | is a comma\-separated list of the following column names: 460 | .PP 461 | name 462 | .RS 4 463 | The certificate\*(Aqs common name\&. 464 | .RE 465 | .PP 466 | status 467 | .RS 4 468 | The certificate\*(Aqs status\&. 469 | .RE 470 | .PP 471 | expiration 472 | .RS 4 473 | The certificate\*(Aqs expiration date, in YYYY\-MM\-DD format\&. 474 | .RE 475 | .PP 476 | local_status 477 | .RS 4 478 | The status of the locally\-installed copy of the certificate ("Installed", "Temporary", "Mismatched key", "No key file", "Out\-of\-date", or "None")\&. 479 | .RE 480 | .PP 481 | fingerprint 482 | .RS 4 483 | The certificate\*(Aqs SHA\-1 fingerprint, in uppercase hex with octets separated by colons\&. 484 | .RE 485 | .PP 486 | sha256_fingerprint 487 | .RS 4 488 | The certificate\*(Aqs SHA\-256 fingerprint, in uppercase hex with octets separated by colons\&. 489 | .RE 490 | .PP 491 | auto_renew 492 | .RS 4 493 | The certificate\*(Aqs auto\-renew setting\&. 494 | .RE 495 | .PP 496 | type 497 | .RS 4 498 | The certificate\*(Aqs type ("DV" or "EV")\&. 499 | .RE 500 | .PP 501 | approval_method 502 | .RS 4 503 | The approval method\&. 504 | .RE 505 | .PP 506 | approver_email 507 | .RS 4 508 | The approver email address\&. 509 | .RE 510 | .RE 511 | .PP 512 | \fB\-\-sort=\fR\fB\fICOLUMNS\fR\fR 513 | .RS 4 514 | Sort the output by the given column(s), where 515 | \fICOLUMNS\fR 516 | is a comma\-separated list of column names as understood by the 517 | \fB\-\-columns\fR 518 | option\&. If more than one column is specified, the latter columns are used to break ties if the earlier columns are equal\&. 519 | .sp 520 | Columns are sorted in ascending order by default\&. To sort a column in descending order, prefix it with a ^ symbol\&. 
521 | .RE 522 | .PP 523 | \fB\-z\fR 524 | .RS 4 525 | Generate machine\-parseable output\&. By default, columns and lines are separated by a NUL character, but this can be customized by setting the 526 | \fIOFS\fR 527 | (output field separator) and 528 | \fIORS\fR 529 | (output record separator) environment variables\&. 530 | .sp 531 | When using 532 | \fB\-z\fR, you must explicitly enumerate the columns you want with the 533 | \fB\-\-columns\fR 534 | option\&. 535 | .sp 536 | The output of 537 | \fB\-z\fR 538 | is guaranteed not to change format, making it suitable for use in scripts\&. 539 | .RE 540 | .RE 541 | .PP 542 | \fBshow \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR 543 | .RS 4 544 | Show information about the given certificate\&. 545 | .sp 546 | The following options are understood: 547 | .PP 548 | \fB\-f \fR\fB\fIFIELDS\fR\fR, \fB\-\-fields=\fR\fB\fIFIELDS\fR\fR 549 | .RS 4 550 | Include the given fields in the output, where 551 | \fIFIELDS\fR 552 | is a comma\-separated list of the following column names: 553 | .PP 554 | name 555 | .RS 4 556 | The certificate\*(Aqs common name\&. 557 | .RE 558 | .PP 559 | all_alt_names 560 | .RS 4 561 | The certificate\*(Aqs subject alternative names (SANs), including any automatically\-added SAN for a single\-hostname certificate\&. 562 | .RE 563 | .PP 564 | alt_names 565 | .RS 4 566 | The certificate\*(Aqs subject alternative names (SAN)\&. For backwards compatibility, this field is null if the certificate is a single\-hostname certificate with the automatically\-added SAN\&. You generally want to use all_alt_names instead\&. 567 | .RE 568 | .PP 569 | status 570 | .RS 4 571 | The certificate\*(Aqs status\&. 572 | .RE 573 | .PP 574 | expiration 575 | .RS 4 576 | The certificate\*(Aqs expiration date, in YYYY\-MM\-DD format\&. 
577 | .RE 578 | .PP 579 | local_status 580 | .RS 4 581 | The status of the locally\-installed copy of the certificate ("Installed", "Temporary", "Mismatched key", "No key file", "Out\-of\-date", or "None")\&. 582 | .RE 583 | .PP 584 | fingerprint 585 | .RS 4 586 | The certificate\*(Aqs SHA\-1 fingerprint, in uppercase hex with octets separated by colons\&. Prefer sha256_fingerprint when matching certificates in scripts, since SHA\-1 is no longer collision\-resistant\&. 587 | .RE 588 | .PP 589 | sha256_fingerprint 590 | .RS 4 591 | The certificate\*(Aqs SHA\-256 fingerprint, in uppercase hex with octets separated by colons\&. 592 | .RE 593 | .PP 594 | auto_renew 595 | .RS 4 596 | The certificate\*(Aqs auto\-renew setting\&. 597 | .RE 598 | .PP 599 | type 600 | .RS 4 601 | The certificate\*(Aqs type ("DV" or "EV")\&. 602 | .RE 603 | .PP 604 | approval_method 605 | .RS 4 606 | The approval method\&. 607 | .RE 608 | .PP 609 | approver_email 610 | .RS 4 611 | The approver email address\&. 612 | .RE 613 | .RE 614 | .PP 615 | \fB\-\-json\fR 616 | .RS 4 617 | Generate JSON output\&. The output format is guaranteed not to change, apart from backwards\-compatible changes such as adding new fields to the JSON object\&. 618 | .RE 619 | .RE 620 | .PP 621 | \fBedit \fR\fB\fIOPTIONS\fR...\fR\fB \fR\fB\fIHOSTNAME\fR\fR 622 | .RS 4 623 | Change one or more settings of the given certificate\&. The settings are specified by the 624 | \fIOPTIONS\fR 625 | arguments, as described below\&. Every setting is optional; if omitted, the setting is left unchanged\&. 626 | .PP 627 | \fB\-\-approval=email|dns|http\fR 628 | .RS 4 629 | Change the approval method for this certificate\&. The new method will be used for approving future reissues and renewals of the certificate\&. If the certificate is currently pending approval, the approval process will be re\-initiated\&. 630 | .sp 631 | For more information about approval methods, see the documentation for 632 | \fBsslmate buy\fR\&. 
633 | .sp 634 | If this is a multi\-hostname certificate, the approval method specified by this option applies to every hostname\&. To edit the approval method for a single hostname only, pass an option of the form 635 | \fB\-\-approval=\fR\fB\fIHOSTNAME\fR\fR\fB=\fR\fB\fIMETHOD\fR\fR\&. 636 | .RE 637 | .PP 638 | \fB\-\-email=\fR\fB\fIADDRESS\fR\fR 639 | .RS 4 640 | Change the approver email address of this certificate\&. The new address will be used for approving future reissues and renewals of the certificate\&. If the certificate is currently pending approval, the approval email will be resent to the new address\&. 641 | .sp 642 | The new address must be one of the acceptable addresses that are listed when you run 643 | \fBsslmate buy\fR 644 | for this hostname\&. This option is only applicable when email approval is used\&. 645 | .sp 646 | If this is a multi\-hostname certificate, the email address specified by this option applies to every hostname\&. To edit the email address for a single hostname only, pass an option of the form 647 | \fB\-\-email=\fR\fB\fIHOSTNAME\fR\fR\fB=\fR\fB\fIADDRESS\fR\fR\&. 648 | .RE 649 | .PP 650 | \fB\-\-auto\-renew\fR, \fB\-\-no\-auto\-renew\fR 651 | .RS 4 652 | Enable or disable auto\-renew for this certificate\&. 653 | .RE 654 | .PP 655 | \fB\-\-add\-name=\fR\fB\fIHOSTNAME\fR\fR, \fB\-\-rm\-name=\fR\fB\fIHOSTNAME\fR\fR 656 | .RS 4 657 | Add or remove the given hostname to or from this certificate\&. Only alternative names (not the common name) can be removed\&. 658 | .sp 659 | The name is not added or removed immediately\&. Instead, the changes take effect on the next call to 660 | \fBsslmate reissue\fR\&. Any names that were added since the last issuance will need to be approved\&. Existing names do not need to be re\-approved as long as you preserve the existing private key by passing the 661 | \fB\-\-same\-key\fR 662 | option to 663 | \fBsslmate reissue\fR\&. 
If there has been a net increase in hostnames since the last issuance, your account will be charged for the new names\&. 664 | .RE 665 | .RE 666 | .PP 667 | \fBtest \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fIHOSTNAME\fR\fR 668 | .RS 4 669 | Test whether your certificate for 670 | \fIHOSTNAME\fR 671 | has been correctly installed\&. 672 | .sp 673 | This command works by connecting to the host specified in the certificate and checking that the server returns both the correct certificate and the correct certificate chain\&. The results of the test are printed to standard out\&. There may be more than one test result if 674 | \fIHOSTNAME\fR 675 | resolves to more than one IP address\&. This command exits with status 0 if all tests were successful, 11 if one or more tests failed, and some other exit code if there was an error that prevented the test from running\&. 676 | .sp 677 | The following options are understood: 678 | .PP 679 | \fB\-p \fR\fB\fIPORTNUMBER\fR\fR, \fB\-\-port=\fR\fB\fIPORTNUMBER\fR\fR 680 | .RS 4 681 | Test the server on the given port number\&. (Default: 443) 682 | .RE 683 | .PP 684 | \fB\-h \fR\fB\fIHOSTNAME\fR\fR, \fB\-\-host=\fR\fB\fIHOSTNAME\fR\fR 685 | .RS 4 686 | Test the server running on the given hostname\&. Defaults to the certificate\*(Aqs common name\&. 687 | .RE 688 | .RE 689 | .PP 690 | \fBmkconfig \fR\fB[\fIOPTIONS\fR]\fR\fB \fR\fB\fITEMPLATE\fR\fR\fB \fR\fB\fIHOSTNAME\fR\fR 691 | .RS 4 692 | Output the configuration directives necessary to securely use the given certificate with the server software (such as Apache, nginx, etc\&.) specified by the 693 | \fITEMPLATE\fR 694 | argument\&. For a list of server software for which configuration templates are available, pass the 695 | \fB\-\-templates\fR 696 | option\&. 697 | .sp 698 | By default, 699 | \fBsslmate mkconfig\fR 700 | includes the "intermediate compatibility" security settings recommended by 701 | \m[blue]\fBMozilla\*(Aqs Server Side TLS Guide\fR\m[]\&\s-2\u[2]\d\s+2\&. 
These settings enable forward secrecy and disable broken ciphers and protocols, while supporting a broad range of clients\&. 702 | .sp 703 | The following options are understood: 704 | .PP 705 | \fB\-\-templates\fR 706 | .RS 4 707 | Output a list of available configuration templates\&. No other arguments are required if you use this option\&. 708 | .RE 709 | .PP 710 | \fB\-\-no\-security\fR 711 | .RS 4 712 | Don\*(Aqt include recommended security settings\&. Output only the bare minimum configuration needed to use the certificate\&. 713 | .RE 714 | .RE 715 | .PP 716 | \fBretry\-approval \fR\fB\fIHOSTNAME\fR\fR 717 | .RS 4 718 | Retry the approval process of a certificate that\*(Aqs pending approval\&. If the certificate uses email approval, the email will be resent\&. If the certificate uses DNS approval, the DNS record will be added if not already present, and then re\-checked\&. 719 | .sp 720 | To change the approval method or approver email of a pending certificate, use the 721 | \fBsslmate edit\fR 722 | command\&. 723 | .RE 724 | .PP 725 | \fBlink\fR 726 | .RS 4 727 | Link this system with your SSLMate account\&. 728 | \fBsslmate link\fR 729 | prompts for your SSLMate username and password and writes your API credentials to your personal SSLMate configuration file, permitting you to use the 730 | \fBsslmate\fR 731 | commands without having to enter your username and password\&. 732 | .sp 733 | Note: if you have enabled a daily purchase limit through your 734 | \m[blue]\fBonline SSLMate account page\fR\m[]\&\s-2\u[3]\d\s+2, you will always need to enter your password after exceeding the limit, even if you have linked this system\&. 735 | .RE 736 | .PP 737 | \fBhelp \fR\fB[\fICOMMAND\fR]\fR 738 | .RS 4 739 | Display help for the given 740 | \fICOMMAND\fR, or an overview of all commands if no command is specified\&. 741 | .RE 742 | .PP 743 | \fBversion \fR\fB[\fIOPTIONS\fR]\fR 744 | .RS 4 745 | Print the currently\-installed version of 746 | \fBsslmate\fR\&. 
By default, check if this version is up\-to\-date and print a message if a newer version is available\&. 747 | .sp 748 | The following options are understood: 749 | .PP 750 | \fB\-\-no\-check\fR 751 | .RS 4 752 | Do not check for a newer version\&. 753 | .RE 754 | .PP 755 | \fB\-\-is\-latest\fR 756 | .RS 4 757 | Print no output, but exit with 0 if this version of 758 | \fBsslmate\fR 759 | is up\-to\-date, 10 if a newer version is available, and some other exit code if there is an error\&. 760 | .sp 761 | This option cannot be combined with 762 | \fB\-\-no\-check\fR\&. 763 | .RE 764 | .RE 765 | .SH "GLOBAL OPTIONS" 766 | .PP 767 | The following options are understood by 768 | \fBsslmate\fR 769 | and can be used with any sub\-command\&. Since they apply globally to 770 | \fBsslmate\fR, they must be specified on the command line 771 | \fIbefore\fR 772 | the sub\-command name\&. 773 | .PP 774 | \fB\-\-batch\fR 775 | .RS 4 776 | Don\*(Aqt prompt for confirmation or for additional information\&. This option should be used when running 777 | \fBsslmate\fR 778 | unattended from scripts\&. 779 | .sp 780 | Any information which 781 | \fBsslmate\fR 782 | would have prompted for must be specified on the command line instead\&. For example, when buying a certificate, you must specify the approval method with the 783 | \fB\-\-approval\fR 784 | option, and, if applicable, the approver email address with the 785 | \fB\-\-email=\fR\fB\fIADDRESS\fR\fR 786 | option\&. 787 | .RE 788 | .PP 789 | \fB\-\-verbose\fR 790 | .RS 4 791 | Display additional information about what 792 | \fBsslmate\fR 793 | is doing\&. 794 | .RE 795 | .PP 796 | \fB\-p \fR\fB\fIPROFILE\fR\fR, \fB\-\-profile=\fR\fB\fIPROFILE\fR\fR 797 | .RS 4 798 | Use the given configuration profile, instead of the default\&. If this option is specified, the string "\-\fIPROFILE\fR" will be appended to the paths of the configuration file and default key and certificate directories\&. 
799 | .sp 800 | For example, if 801 | \fB\-\-profile=company\fR 802 | is used, the global configuration file will be 803 | /etc/sslmate\-company\&.conf 804 | and the default certificate directory will be 805 | /etc/sslmate\-company, instead of 806 | /etc/sslmate\&.conf 807 | and 808 | /etc/sslmate\&. 809 | .sp 810 | This option is intended for those who need to use several different SSLMate accounts on a single server, since each configuration file can contain distinct SSLMate API credentials\&. 811 | .RE 812 | .SH "CONFIGURATION" 813 | .PP 814 | Upon startup, 815 | \fBsslmate\fR 816 | reads configuration from the global configuration file, 817 | /etc/sslmate\&.conf, and your personal configuration file, 818 | ~/\&.sslmate, if they exist\&. These files should contain one configuration option per line of the form 819 | \fB\fINAME\fR\fR\fB \fR\fB\fIVALUE\fR\fR\&. Blank lines and lines starting with 820 | # 821 | are ignored\&. Options in your personal configuration file override options set in the global configuration file\&. The location of your personal configuration file can be changed by setting the 822 | \fI$SSLMATE_CONFIG\fR 823 | environment variable\&. 824 | .PP 825 | The following options are understood: 826 | .PP 827 | \fBapi_key \fR\fB\fIKEY\fR\fR 828 | .RS 4 829 | Your API key, which can be found on your 830 | \m[blue]\fBonline SSLMate account page\fR\m[]\&\s-2\u[3]\d\s+2\&. This option is automatically set (in your personal configuration file) when you run 831 | \fBsslmate link\fR\&. 832 | .RE 833 | .PP 834 | \fBkey_directory \fR\fB\fIPATH\fR\fR, \fBcert_directory \fR\fB\fIPATH\fR\fR 835 | .RS 4 836 | The directories where 837 | \fBsslmate\fR 838 | places keys and certificates\&. When running as root, the default is 839 | /etc/sslmate\&. When running as non\-root, the default is the current working directory\&. 
840 | .RE 841 | .PP 842 | \fBwildcard_filename \fR\fB\fIPREFIX\fR\fR 843 | .RS 4 844 | When creating files for wildcard certificates, use 845 | \fIPREFIX\fR 846 | in the filename instead of a * character\&. 847 | .RE 848 | .PP 849 | \fBcert_format\&.\fR\fB\fIFORMAT\fR\fR\fB yes|no\fR 850 | .RS 4 851 | Enable or disable the given certificate format\&. When a format is enabled, 852 | \fBsslmate\fR 853 | will create a file of that format in your certificate directory when buying, reissuing, renewing, and downloading\&. After enabling a format that was previously disabled, you can create the missing files by running 854 | \fBsslmate download \-\-all\fR\&. The formats are documented below in the CERTIFICATE FILES section\&. All formats are disabled by default except for "chained"\&. 855 | .RE 856 | .PP 857 | \fBkey_type rsa|ecdsa\fR 858 | .RS 4 859 | The key type to use by default when buying or reissuing a certificate\&. Can be overridden by the 860 | \fB\-\-key\-type\fR 861 | command line flag\&. See the documentation for 862 | \fBsslmate buy\fR 863 | for details\&. 864 | .RE 865 | .PP 866 | \fBapi_endpoint \fR\fB\fIURI\fR\fR 867 | .RS 4 868 | The URI to the SSLMate API endpoint\&. This option does not need to be configured under normal circumstances\&. 869 | .RE 870 | .SH "CONFIGURATION FILES" 871 | .PP 872 | ~/\&.sslmate 873 | .RS 4 874 | Your personal configuration file\&. Options set in this file override options set in the global configuration file\&. See the "Configuration" section above for the syntax of this file\&. 875 | .RE 876 | .PP 877 | /etc/sslmate\&.conf 878 | .RS 4 879 | The global configuration file\&. See the "Configuration" section above for the syntax of this file\&. 880 | .RE 881 | .PP 882 | /etc/sslmate 883 | .RS 4 884 | The default directory for storing keys and certificates when run as root\&. Can be overridden by the 885 | \fIkey_directory\fR 886 | and 887 | \fIcert_directory\fR 888 | configuration options\&. 
889 | .RE 890 | .SH "CERTIFICATE FILES" 891 | .PP 892 | SSLMate creates the following files for every certificate\&. The key file is placed in the configured 893 | \fIkey_directory\fR, and the other files are placed in the configured 894 | \fIcert_directory\fR\&. (Both directories are 895 | /etc/sslmate 896 | by default when running as root and 897 | $PWD 898 | by default when running as non\-root\&.) 899 | .PP 900 | \fIhostname\fR\&.key 901 | .RS 4 902 | The private key file for 903 | \fIhostname\fR, in PEM encoding (specifically, the PEM encoding of the ASN\&.1 DER encoding of a PKCS#1 RSAPrivateKey (for RSA) or an RFC 5915 ECPrivateKey (for ECDSA), i\&.e\&. the "RSA PRIVATE KEY" and "EC PRIVATE KEY" PEM labels rather than PKCS#8)\&. This is the traditional format used by OpenSSL and is accepted by typical applications on Linux\&. 904 | .RE 905 | .PP 906 | \fIhostname\fR\&.crt 907 | .RS 4 908 | The public certificate file for 909 | \fIhostname\fR, in PEM encoding (specifically, the PEM encoding of the ASN\&.1 DER encoding of the X\&.509 certificate)\&. This is the default format used by OpenSSL and is accepted by typical applications on Linux\&. 910 | \fIWarning:\fR 911 | This file does not work on its own since it does not contain the certificate chain\&. You must also configure the chain certificate(s) using one of the other formats\&. 912 | .RE 913 | .PP 914 | \fIhostname\fR\&.chain\&.crt 915 | .RS 4 916 | The certificate chain (aka intermediate certificate) file for 917 | \fIhostname\fR\&. This file contains the concatenation of each intermediate certificate, in PEM encoding\&. The first certificate is the issuer of the end\-entity certificate, and the last certificate is signed by the root certificate\&. The root certificate is not included\&. 918 | .RE 919 | .PP 920 | SSLMate optionally creates the following files for every certificate (in the 921 | \fIcert_directory\fR) if the indicated configuration option is set to yes\&. 
922 | .PP 923 | \fIhostname\fR\&.chained\&.crt (cert_format\&.chained) 924 | .RS 4 925 | A concatenation of the certificate and chain files for 926 | \fIhostname\fR, in PEM encoding\&. This format is enabled by default\&. This is the file you should use with most applications on Linux, which require the certificate and chain to be specified in the same file\&. 927 | .RE 928 | .PP 929 | \fIhostname\fR\&.combined\&.pem (cert_format\&.combined) 930 | .RS 4 931 | A concatenation of the private key, certificate, and chain files for 932 | \fIhostname\fR, in PEM encoding\&. This format is intended for Linux applications which require the key and certificates to be specified in the same file\&. 933 | .RE 934 | .PP 935 | \fIhostname\fR\&.p12 (cert_format\&.p12) 936 | .RS 4 937 | A PKCS#12 file (also known as a P12 or PFX file) containing the private key, certificate, and chain for 938 | \fIhostname\fR\&. The PKCS#12 file\*(Aqs password is "sslmate"\&. Because this password is fixed and documented, it provides no confidentiality; the file must be protected by filesystem permissions exactly like the \&.key file\&. PKCS#12 files are primarily used by Windows applications\&. 939 | .RE 940 | .PP 941 | \fIhostname\fR\&.jks (cert_format\&.jks) 942 | .RS 4 943 | A Java keystore file containing the private key, certificate, and chain for 944 | \fIhostname\fR\&. The keystore\*(Aqs password is "sslmate", with the same caveat as for the PKCS#12 file\&. The 945 | \fBkeytool(1)\fR 946 | command, from the Java runtime environment, must be installed to use this format\&. JKS files are generally used only by Java applications, such as Tomcat\&. 947 | .RE 948 | .PP 949 | \fIhostname\fR\&.root\&.crt (cert_format\&.root) 950 | .RS 4 951 | The root certificate for 952 | \fIhostname\fR, in PEM encoding\&. You do 953 | \fInot\fR 954 | generally need the root certificate, so you should leave this format disabled unless you have a special requirement\&. 955 | .RE 956 | .PP 957 | \fIhostname\fR\&.chain+root\&.crt (cert_format\&.chain+root) 958 | .RS 4 959 | A concatenation of the chain and root certificate files for 960 | \fIhostname\fR\&. 
This format is required for verifying OCSP responses and configuring OCSP stapling\&. You do not need it in a basic configuration\&. 961 | .RE 962 | .PP 963 | You need to configure your server software (e\&.g\&. Apache, nginx) with the private key file (\&.key) and some combination of the \&.crt files\&. Some software (e\&.g\&. Apache) requires you to specify the certificate (\&.crt) and the chain (\&.chain\&.crt) in separate files, while other software (e\&.g\&. nginx) requires you to specify both in a single file (\&.chained\&.crt)\&. 964 | .PP 965 | Files which contain the private key are created with restrictive filesystem permissions (0600), and other files are created with world\-readable permissions (0644)\&. When updating a file, 966 | \fBsslmate\fR 967 | preserves the existing owner and permissions, including (on Linux only) ACLs\&. This lets you use filesystem permissions to grant access to applications that run as a non\-root user, and not have to worry about the permissions being disrupted when downloading an updated certificate\&. 968 | .PP 969 | You are encouraged to run 970 | \fBsslmate\fR 971 | as root, store keys and certificates in the SSLMate\-managed 972 | \fIkey_directory\fR 973 | and 974 | \fIcert_directory\fR 975 | (/etc/sslmate 976 | by default), and to configure your server software to refer to keys and certificates in this directory\&. This makes automated renewals more seamless by ensuring that your server software always refers to the latest version of a certificate downloaded by 977 | \fBsslmate download\fR\&. 978 | .SH "ENVIRONMENT VARIABLES" 979 | .PP 980 | \fISSLMATE_CONFIG\fR 981 | .RS 4 982 | The path to your personal configuration file\&. Defaults to 983 | $HOME/\&.sslmate\&. 984 | .RE 985 | .SH "SEE ALSO" 986 | .PP 987 | \m[blue]\fBOnline SSLMate Help\fR\m[]\&\s-2\u[4]\d\s+2, 988 | \fBopenssl\fR(1) 989 | .SH "NOTES" 990 | .IP " 1." 
4 991 | online SSLMate dashboard 992 | .RS 4 993 | \%https://sslmate.com/dashboard 994 | .RE 995 | .IP " 2." 4 996 | Mozilla's Server Side TLS Guide 997 | .RS 4 998 | \%https://wiki.mozilla.org/Security/Server_Side_TLS 999 | .RE 1000 | .IP " 3." 4 1001 | online SSLMate account page 1002 | .RS 4 1003 | \%https://sslmate.com/account 1004 | .RE 1005 | .IP " 4." 4 1006 | Online SSLMate Help 1007 | .RS 4 1008 | \%https://sslmate.com/help 1009 | .RE 1010 | -------------------------------------------------------------------------------- /man/sslmate.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 29 | 30 | SSLMate 31 | 2022-05-03 32 | SSLMate 1.9.1 33 | 34 | 35 | SSLMate 36 | 37 | sslmate@sslmate.com 38 | https://sslmate.com 39 | 40 | 41 | 42 | 43 | sslmate 44 | 1 45 | 46 | 47 | 48 | sslmate 49 | buy and manage SSL certificates 50 | 51 | 52 | 53 | 54 | sslmate OPTIONS COMMAND ARGS 55 | 56 | 57 | 58 | 59 | Common commands 60 | 61 | sslmate buy HOSTNAME 62 | 63 | 64 | sslmate renew HOSTNAME 65 | 66 | 67 | sslmate reissue HOSTNAME 68 | 69 | 70 | sslmate rekey HOSTNAME 71 | 72 | 73 | sslmate revoke --all HOSTNAME 74 | 75 | 76 | sslmate download HOSTNAME 77 | 78 | 79 | sslmate download --all 80 | 81 | 82 | sslmate list 83 | 84 | 85 | sslmate show HOSTNAME 86 | 87 | 88 | sslmate edit OPTIONS HOSTNAME 89 | 90 | 91 | sslmate test HOSTNAME 92 | 93 | 94 | sslmate mkconfig TEMPLATE HOSTNAME 95 | 96 | 97 | sslmate retry-approval HOSTNAME 98 | 99 | 100 | sslmate link 101 | 102 | 103 | 104 | 105 | Description 106 | 107 | 108 | sslmate is the command line client for 109 | SSLMate (https://sslmate.com), a service for 110 | purchasing and managing SSL certificates. 111 | SSLMate provides easy-to-use tools for buying, 112 | renewing, and revoking certificates, for monitoring 113 | the expiration date of your certificates, and for 114 | synchronizing your certificates between your servers. 
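The exit-status contract of sslmate download (0 when new files were written, 10 when the local files are already current) and the 0600 mode on files holding the private key, both documented in the man page above, as an added shell example. This is not code from the sslmate project or its man page. The script name sslmate-cron.sh, the /etc/sslmate directory and the systemctl reload command are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not part of the sslmate project): a cron-safe wrapper
# around "sslmate download --all" that acts on the documented exit codes
# (0 = new files downloaded, 10 = already current) and refuses to reload
# daemons if a private key file has become group- or world-readable.
set -u

SSLMATE_DIR="${SSLMATE_DIR:-/etc/sslmate}"            # default dir when run as root
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"     # assumption: your daemon here

# Map an "sslmate download" exit status to an action, per the man page.
plan_after_download() {
    case "$1" in
        0)  echo reload ;;     # new certificate files were written
        10) echo unchanged ;;  # nothing newer in the account
        *)  echo error ;;      # network/auth/other failure: leave daemons alone
    esac
}

# Succeed only if FILE grants no group/other permission bits (e.g. 0600).
# Reads the POSIX ls(1) mode string; a trailing "+" (ACL present) is
# outside the examined columns, so ACL grants to a service user still pass.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Check every *.key in DIR; report offenders on stderr; fail if any exist.
check_key_dir() {
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue   # no key files at all: nothing to check
        key_is_private "$f" || { echo "exposed private key: $f" >&2; rc=1; }
    done
    return $rc
}

main() {
    # --batch is a global option and goes before the sub-command; it stops
    # sslmate from prompting when run unattended.
    if sslmate --batch download --all; then status=0; else status=$?; fi
    case "$(plan_after_download "$status")" in
        reload)
            check_key_dir "$SSLMATE_DIR" || exit 1
            $RELOAD_CMD ;;
        unchanged)
            : ;;   # stay quiet on the normal daily run
        error)
            echo "sslmate download failed with status $status" >&2
            exit 1 ;;
    esac
}

# Run only when executed under the assumed script name, so the functions
# can also be sourced and exercised separately.
case "${0##*/}" in
    sslmate-cron.sh) main ;;
esac
```

Install it as root's daily cron job after running sslmate link once; keys then stay in the SSLMate-managed directory and the server software is reloaded only when download actually replaced a file.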
115 | 116 | 117 | 118 | SSLMate emphasizes speed, ease-of-use, and automation. 119 | For example, the command to purchase a certificate (sslmate buy) 120 | typically completes in under a minute and automates the steps of generating a private key, generating a CSR, 121 | and building a certificate bundle. SSLMate can automatically renew your certificates, 122 | and you can run sslmate download from a cron job so that renewed 123 | certificates are automatically downloaded to your server. 124 | 125 | 126 | 127 | To use the sslmate command, you must create 128 | a free account at https://sslmate.com. 129 | 130 | 131 | 132 | 133 | Commands 134 | 135 | 136 | sslmate is logically divided into several sub-commands which 137 | perform distinct tasks. Each sub-command, and its arguments, 138 | are documented below. Note that arguments and options to sub-commands must be 139 | specified on the command line after the name of the sub-command. 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | Generate a private key and purchase a certificate for the given hostname(s). 148 | 149 | 150 | If only one hostname is specified, a single-hostname certificate is issued. 151 | The hostname is placed in the certificate's common name (CN) field as well as a 152 | subjectAltName field. If the hostname starts with "www.", a second subjectAltName is added, 153 | free of charge, for the base domain (formed by removing the "www." prefix). If the 154 | hostname does not start with "www.", a second subjectAltName is added, free of charge, for 155 | the www subdomain (formed by adding the "www." prefix). To disable the automatic addition 156 | of the second subjectAltName, specify the option. 157 | 158 | 159 | If the hostname starts with "*.", then a wildcard certificate is issued which is 160 | valid for the wildcard domain itself and all hostnames directly below the wildcard 161 | domain. The certificate is not valid for hostnames two or more levels below the 162 | wildcard domain. 
For example, "*.example.com" matches "example.com", "www.example.com", 163 | and "subdomain.example.com", but not "www.subdomain.example.com". 164 | 165 | 166 | If more than one hostname is specified, a multi-hostname certificate is issued. The first 167 | hostname is the primary name of the certificate and is placed in the certificate's 168 | common name field, as well as a subjectAltName field. The remaining hostnames are 169 | placed in subjectAltNames. The certificate is referred to by its primary name 170 | when downloading, renewing, reissuing, etc. The primary name cannot be changed without 171 | purchasing a new certificate, but alternative names can be added and removed after the certificate 172 | is issued by running sslmate edit. 173 | 174 | 175 | 176 | The following options are understood: 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | Enable or disable automatic renewal for this certificate. 186 | If neither option is specified, your account's default auto-renewal 187 | setting is used. 188 | 189 | 190 | The auto-renewal setting of an already-purchased certificate can be changed 191 | from the SSLMate website or with sslmate edit --auto-renew / --no-auto-renew. 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | Use the given method to prove ownership of your domain. 201 | 202 | 203 | When "email" is used (the default), you must respond to an email sent 204 | to one of the administrative addresses for your domain. You will be 205 | prompted for the email address when running sslmate buy, 206 | or you can specify it on the command line with the 207 | option. 208 | 209 | 210 | When "dns" is used, you must add a specific DNS record under your domain. 211 | If you have configured your SSLMate account to integrate with a supported 212 | DNS provider (see https://sslmate.com/account/integrations), 213 | then the DNS record will be added automatically. Otherwise, the DNS record will 214 | be displayed and you will need to add it manually. 
When "http" is used, you must configure the web server for your domain to proxy certain URLs to an SSLMate approval server, as described at https://sslmate.com/help/approval/http. Once your web server is configured, certificates using HTTP approval will be approved and issued automatically.

When purchasing a multi-hostname certificate, each hostname must be approved separately. The approval method specified by this option applies to every hostname. To use a different method for a hostname, specify an option of the form .

Send the approval email to the given email address. This address must be one of the addresses that is listed when you run sslmate buy interactively. Only applicable if email approval is used.

When purchasing a multi-hostname certificate, this email address is used for every hostname. To use a different email address for a hostname, specify an option of the form .

Wait up to SECONDS seconds for the certificate to be issued. If the certificate is not issued before the timeout elapses, sslmate exits without downloading any certificate files. Instead, the certificate must be downloaded later with the sslmate download command.

Return immediately after placing the order instead of waiting for the certificate to be issued. If this option is used, no certificate files are downloaded; instead the certificate must be downloaded separately with the sslmate download command.

This option is equivalent to .

Instead of waiting for the certificate to be issued, install a temporary, self-signed certificate and return immediately.
The temporary certificate will not be trusted by clients, but it can be used to configure your server software while waiting for the real certificate to be issued.

When the real certificate is issued, it can be downloaded with the sslmate download command.

Use the given coupon code for a discount.

Include the given note with the invoice for this purchase.

Email the invoice for this purchase to the given address.

By default, invoices are not emailed, but can be downloaded from your online SSLMate dashboard.

Buy the certificate even if there are existing key and certificate files, or if an active certificate with this name already exists in your SSLMate account. Existing key and certificate files will be overwritten.

Specify the type of key to generate: RSA (the default), or ECDSA (elliptic curve). The certificate will be signed with a signature of the same type.

RSA provides the best compatibility with clients. ECDSA provides better performance during the TLS handshake, but is not supported by older web browsers (such as IE 8 on Windows XP, Android 2.3, and Java 6). If in doubt, use RSA.

The default key type can be changed by setting the configuration option (see the CONFIGURATION section for details).

Disable the addition of the automatic second subjectAltName if only one hostname was specified on the command line.

Renew the certificate for the given hostname.
The following options are understood:

Wait up to SECONDS seconds for the certificate to be issued. If the certificate is not issued before the timeout elapses, sslmate exits without downloading any certificate files. Instead, the certificate must be downloaded later with the sslmate download command.

Return immediately after placing the order instead of waiting for the new certificate to be issued. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the sslmate download command.

This option is equivalent to .

Use the given coupon code for a discount.

Include the given note with the invoice for this purchase.

Email the invoice for this purchase to the given address.

By default, invoices are not emailed, but can be downloaded from your online SSLMate dashboard.

Renew the certificate even if it's not about to expire. Note that the renewed certificate will expire one year from today's date, not from the expiration date of the current certificate.

Generate a new private key (unless is specified) and reissue the certificate for the given hostname.

Note: sslmate reissue without the option is deprecated. Starting with SSLMate 2.0, will be implied. To reissue a certificate with a new key, use instead.

Reissuing a certificate does not revoke it. Use the sslmate revoke command to revoke a certificate after you have reissued it.
The following options are understood:

Keep the same private key when reissuing. This is useful if you are reissuing a certificate not because of a lost key, but to add or remove the alternative names of a multi-hostname certificate.

Note: Starting with SSLMate 2.0, will be implied. To reissue a certificate with a new key, use instead.

Wait up to SECONDS seconds for the certificate to be issued. If the certificate is not issued before the timeout elapses, sslmate exits without downloading any certificate files. Instead, the certificate must be downloaded later with the sslmate download command.

Return immediately after requesting the reissue instead of waiting for the new certificate to be issued. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the sslmate download command.

This option is equivalent to .

Generate a new private key and reissue the certificate for the given hostname.

Reissuing a certificate does not revoke it. Use the sslmate revoke command to revoke a certificate after you have rekeyed it.

The following options are understood:

Wait up to SECONDS seconds for the certificate to be issued. If the certificate is not issued before the timeout elapses, sslmate exits without downloading any certificate files. Instead, the certificate must be downloaded later with the sslmate download command.
Return immediately after requesting the rekey instead of waiting for the new certificate to be issued. If this option is used, no certificate files are downloaded; instead the new certificate must be downloaded separately with the sslmate download command.

This option is equivalent to .

Overwrite existing files.

Specify the type of the new key: RSA (the default), or ECDSA (elliptic curve). The certificate will be signed with a signature of the same type.

See the documentation for sslmate buy for more information. If in doubt, do not use this option.

Revoke the certificate(s) for the given hostname.

Revoking a certificate does not issue a new certificate. If you need a new certificate, use the sslmate reissue command to generate and issue a new certificate before running sslmate revoke.

The following options are understood:

Revoke all certificates for this hostname, including the most recent active certificate. If this option is omitted, all but the most recent active certificate are revoked.

WARNING: if you use this option, SSLMate will no longer be able to issue new certificates for this hostname unless you buy a brand new certificate. Generally, to revoke a certificate, you should first reissue it with the reissue command and then use revoke without the option. Only use if you no longer need any certificates for a hostname.

You will be prompted for confirmation unless you also specify the global option.
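As an added example (not sslmate's own code), the following Python models the hostname rules given above for sslmate buy: the free second subjectAltName for www and non-www names, the names a multi-hostname certificate carries, and which hostnames a wildcard name covers. Treating a wildcard name as exempt from the www rule is this example's assumption, since the text only describes that rule for ordinary hostnames.

```python
"""Added example (not part of sslmate): the hostname and subjectAltName rules
described for sslmate buy, written out as checkable functions."""
from typing import List, Optional


def automatic_second_san(hostname: str) -> Optional[str]:
    """The free second subjectAltName sslmate buy adds for a single hostname:
    strip "www." if present, otherwise prepend it. Wildcard names get none
    (assumption of this example; the manual describes only the www rule)."""
    if hostname.startswith("*."):
        return None
    if hostname.startswith("www."):
        return hostname[len("www."):]        # www.example.com -> example.com
    return "www." + hostname                 # example.com -> www.example.com


def names_on_certificate(hostnames: List[str], no_auto_san: bool = False) -> List[str]:
    """Names the purchased certificate carries. The first hostname is the
    primary name (CN and a SAN); the rest are SANs. With exactly one hostname
    the automatic second SAN is added unless it was disabled."""
    if not hostnames:
        raise ValueError("at least one hostname is required")
    names = list(dict.fromkeys(hostnames))   # keep order, drop duplicates
    if len(hostnames) == 1 and not no_auto_san:
        extra = automatic_second_san(hostnames[0])
        if extra and extra not in names:
            names.append(extra)
    return names


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one name on the certificate cover hostname?

    Per the manual, "*.example.com" is valid for example.com itself and for
    names exactly one label below it, never two or more levels down."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    base = cert_name[2:]
    if hostname == base:
        return True
    if not hostname.endswith("." + base):
        return False
    label = hostname[: -len("." + base)]     # what sits in place of the "*"
    return label != "" and "." not in label and not label.startswith("*")


def certificate_covers(hostnames: List[str], target: str, no_auto_san: bool = False) -> bool:
    """Would a certificate bought for these hostnames be valid for target?"""
    return any(name_matches(n, target) for n in names_on_certificate(hostnames, no_auto_san))
```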
Download the certificate(s) for the given hostname(s), or, if is specified, for all hostnames that have keys in the key_directory.

Certificate files are downloaded from your SSLMate account to your configured cert_directory (/etc/sslmate by default if run as root, $PWD if run as non-root). Existing certificate files are replaced. Exits with status code 0 if new certificate files were downloaded, or 10 if the most up-to-date certificate files have already been downloaded.

This command is designed to be run from a cron job or configuration management script so that auto-renewed certificates are automatically propagated to your server. You can check the exit status and, if zero, restart daemons so they load the latest version of the certificate.

The following options are understood:

Download certificate files for every key present in the key_directory (/etc/sslmate by default if run as root, $PWD if run as non-root).

If this option is used, specific hostnames cannot be specified on the command line.

If the certificate has not been issued yet, download a temporary, self-signed certificate instead. See the documentation for sslmate buy for more information about temporary certificates.

List the certificates in your SSLMate account.

The following options are understood:

List only certificates that are also installed locally.

List only certificates that are not installed locally.
Include the given columns in the output, where COLUMNS is a comma-separated list of the following column names:

name
    The certificate's common name.

status
    The certificate's status.

expiration
    The certificate's expiration date, in YYYY-MM-DD format.

local_status
    The status of the locally-installed copy of the certificate ("Installed", "Temporary", "Mismatched key", "No key file", "Out-of-date", or "None").

fingerprint
    The certificate's SHA-1 fingerprint, in uppercase hex with octets separated by colons.

sha256_fingerprint
    The certificate's SHA-256 fingerprint, in uppercase hex with octets separated by colons.

auto_renew
    The certificate's auto-renew setting.

type
    The certificate's type ("DV" or "EV").

approval_method
    The approval method.

approver_email
    The approver email address.

Sort the output by the given column(s), where COLUMNS is a comma-separated list of column names as understood by the option. If more than one column is specified, the latter columns are used to break ties if the earlier columns are equal.

Columns are sorted in ascending order by default. To sort a column in descending order, prefix it with a ^ symbol.

Generate machine-parseable output. By default, columns and lines are separated by a NUL character, but this can be customized by setting the OFS (output field separator) and ORS (output record separator) environment variables.

When using , you must explicitly enumerate the columns you want with the option.
The output of is guaranteed not to change format, making it suitable for use in scripts.

Show information about the given certificate.

The following options are understood:

Include the given fields in the output, where FIELDS is a comma-separated list of the following field names:

name
    The certificate's common name.

all_alt_names
    The certificate's subject alternative names (SANs), including any automatically-added SAN for a single-hostname certificate.

alt_names
    The certificate's subject alternative names (SANs). For backwards compatibility, this field is null if the certificate is a single-hostname certificate with the automatically-added SAN. You generally want to use all_alt_names instead.

status
    The certificate's status.

expiration
    The certificate's expiration date, in YYYY-MM-DD format.

local_status
    The status of the locally-installed copy of the certificate ("Installed", "Temporary", "Mismatched key", "No key file", "Out-of-date", or "None").

fingerprint
    The certificate's SHA-1 fingerprint, in uppercase hex with octets separated by colons.

sha256_fingerprint
    The certificate's SHA-256 fingerprint, in uppercase hex with octets separated by colons.

auto_renew
    The certificate's auto-renew setting.

type
    The certificate's type ("DV" or "EV").

approval_method
    The approval method.

approver_email
    The approver email address.

Generate JSON output.
The output format is guaranteed not to change, apart from backwards-compatible changes such as adding new fields to the JSON object.

Change one or more settings of the given certificate. The settings are specified by the OPTIONS arguments, as described below. Every setting is optional; if omitted, the setting is left unchanged.

Change the approval method for this certificate. The new method will be used for approving future reissues and renewals of the certificate. If the certificate is currently pending approval, the approval process will be re-initiated.

For more information about approval methods, see the documentation for sslmate buy.

If this is a multi-hostname certificate, the approval method specified by this option applies to every hostname. To edit the approval method for a single hostname only, pass an option of the form .

Change the approver email address of this certificate. The new address will be used for approving future reissues and renewals of the certificate. If the certificate is currently pending approval, the approval email will be resent to the new address.

The new address must be one of the acceptable addresses that is listed when you run sslmate buy for this hostname. This option is only applicable when email approval is used.

If this is a multi-hostname certificate, the email address specified by this option applies to every hostname. To edit the email address for a single hostname only, pass an option of the form .

Enable or disable auto-renew for this certificate.
Add or remove the given hostname to or from this certificate. Only alternative names (not the common name) can be removed.

The name is not added or removed immediately. Instead, the changes take effect on the next call to sslmate reissue. Any names that were added since the last issuance will need to be approved. Existing names do not need to be re-approved as long as you preserve the existing private key by passing the option to sslmate reissue. If there has been a net increase in hostnames since the last issuance, your account will be charged for the new names.

Test whether your certificate for HOSTNAME has been correctly installed.

This command works by connecting to the host specified in the certificate and checking that the server returns both the correct certificate and the correct certificate chain. The results of the test are printed to standard output. There may be more than one test result if HOSTNAME resolves to more than one IP address. This command exits with status 0 if all tests were successful, 11 if one or more tests failed, and some other exit code if there was an error that prevented the test from running.

The following options are understood:

Test the server on the given port number. (Default: 443)

Test the server running on the given hostname. Defaults to the certificate's common name.

Output the configuration directives necessary to securely use the given certificate with the server software (such as Apache, nginx, etc.)
specified by the TEMPLATE argument. For a list of server software for which configuration templates are available, pass the option.

By default, sslmate mkconfig includes the "intermediate compatibility" security settings recommended by Mozilla's Server Side TLS Guide. These settings enable forward secrecy and disable broken ciphers and protocols, while supporting a broad range of clients.

The following options are understood:

Output a list of available configuration templates. No other arguments are required if you use this option.

Don't include recommended security settings. Output only the bare minimum configuration needed to use the certificate.

Retry the approval process of a certificate that's pending approval. If the certificate uses email approval, the email will be resent. If the certificate uses DNS approval, the DNS record will be added if not already present, and then re-checked.

To change the approval method or approver email of a pending certificate, use the sslmate edit command.

Link this system with your SSLMate account. sslmate link prompts for your SSLMate username and password and writes your API credentials to your personal SSLMate configuration file, permitting you to use the sslmate commands without having to enter your username and password.

Note: if you have enabled a daily purchase limit through your online SSLMate account page, you will always need to enter your password after exceeding the limit, even if you have linked this system.
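The cron-driven workflow described under sslmate download above, as an added example that is not part of sslmate: a wrapper that runs sslmate download --all and acts on the documented exit statuses (0: new files, reload daemons; 10: already current, do nothing; anything else: error). The reload command (systemctl reload nginx) is an assumption for this example, since the manual only says to restart your daemons.

```python
#!/usr/bin/env python3
"""Added example (not part of sslmate): run "sslmate download --all" from cron or
a configuration-management script and act on the documented exit statuses.
Only the exit code decides what happens; nothing parses sslmate's output."""
import subprocess
import sys
from typing import Callable, List, Tuple

DOWNLOADED_NEW_FILES = 0    # new certificate files were written: reload daemons
ALREADY_UP_TO_DATE = 10     # nothing changed: do nothing and exit 0 so cron stays quiet

# Assumption for this example: reload nginx. The manual only says to restart
# the daemons that load the certificate; put your own commands here.
RELOAD_COMMANDS: List[List[str]] = [["systemctl", "reload", "nginx"]]


def download_argv() -> List[str]:
    """The command the manual suggests for cron: download every key's certificate."""
    return ["sslmate", "download", "--all"]


def plan_for_status(status: int) -> Tuple[str, List[List[str]]]:
    """Map an sslmate download exit status to (action, commands to run)."""
    if status == DOWNLOADED_NEW_FILES:
        return "reload", RELOAD_COMMANDS
    if status == ALREADY_UP_TO_DATE:
        return "noop", []
    return "error", []


def main(runner: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> int:
    """runner is injectable so the flow can be exercised without sslmate installed."""
    status = runner(download_argv()).returncode
    action, commands = plan_for_status(status)
    if action == "error":
        print(f"sslmate download failed with exit status {status}", file=sys.stderr)
        return status            # non-zero so cron mail or your monitoring notices
    for cmd in commands:
        runner(cmd, check=True)  # a failed reload must surface as an error too
    return 0


if __name__ == "__main__":
    sys.exit(main())
```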
Display help for the given COMMAND, or an overview of all commands if no command is specified.

Print the currently-installed version of sslmate. By default, check if this version is up-to-date and print a message if a newer version is available.

The following options are understood:

Do not check for a newer version.

Print no output, but exit with 0 if this version of sslmate is up-to-date, 10 if a newer version is available, and some other exit code if there is an error.

This option cannot be combined with .

Global options

The following options are understood by sslmate and can be used with any sub-command. Since they apply globally to sslmate, they must be specified on the command line before the sub-command name.

Don't prompt for confirmation or for additional information. This option should be used when running sslmate unattended from scripts.

Any information which sslmate would have prompted for must be specified on the command line instead. For example, when buying a certificate, you must specify the approval method with the option, and, if applicable, the approver email address with the option.

Display additional information about what sslmate is doing.

Use the given configuration profile, instead of the default.
If this option is specified, the string "-PROFILE" will be appended to the paths of the configuration file and default key and certificate directories.

For example, if is used, the global configuration file will be /etc/sslmate-company.conf and the default certificate directory will be /etc/sslmate-company, instead of /etc/sslmate.conf and /etc/sslmate.

This option is intended for those who need to use several different SSLMate accounts on a single server, since each configuration file can contain distinct SSLMate API credentials.

Configuration

Upon startup, sslmate reads configuration from the global configuration file, /etc/sslmate.conf, and your personal configuration file, ~/.sslmate, if they exist. These files should contain one configuration option per line of the form NAME VALUE. Blank lines and lines starting with # are ignored. Options in your personal configuration file override options set in the global configuration file. The location of your personal configuration file can be changed by setting the $SSLMATE_CONFIG environment variable.

The following options are understood:

Your API key, which can be found on your online SSLMate account page. This option is automatically set (in your personal configuration file) when you run sslmate link.

The directories where sslmate places keys and certificates. When running as root, the default is /etc/sslmate. When running as non-root, the default is the current working directory.

When creating files for wildcard certificates, use PREFIX in the filename instead of a * character.

Enable or disable the given certificate format.
When a format is enabled, sslmate will create a file of that format in your certificate directory when buying, reissuing, renewing, and downloading. After enabling a format that was previously disabled, you can create the missing files by running sslmate download --all. The formats are documented below in the CERTIFICATE FILES section. All formats are disabled by default except for "chained".

The key type to use by default when buying or reissuing a certificate. Can be overridden by the command line flag. See the documentation for sslmate buy for details.

The URI to the SSLMate API endpoint. This option does not need to be configured under normal circumstances.

Configuration files

~/.sslmate
    Your personal configuration file. Options set in this file override options set in the global configuration file. See the "Configuration" section above for the syntax of this file.

/etc/sslmate.conf
    The global configuration file. See the "Configuration" section above for the syntax of this file.

/etc/sslmate
    The default directory for storing keys and certificates when run as root. Can be overridden by the key_directory and cert_directory configuration options.

Certificate files

SSLMate creates the following files for every certificate. The key file is placed in the configured key_directory, and the other files are placed in the configured cert_directory. (Both directories are /etc/sslmate by default when running as root and $PWD by default when running as non-root.)
hostname.key
    The private key file for hostname, in PEM encoding (specifically, the PEM encoding of the ASN.1 DER encoding of a PKCS#1 RSAPrivateKey (for RSA) or an RFC 3279 EcpkParameters (for ECDSA)). This is the default format used by OpenSSL and is accepted by typical applications on Linux.

hostname.crt
    The public certificate file for hostname, in PEM encoding (specifically, the PEM encoding of the ASN.1 DER encoding of the X.509 certificate). This is the default format used by OpenSSL and is accepted by typical applications on Linux. Warning: This file does not work on its own since it does not contain the certificate chain. You must also configure the chain certificate(s) using one of the other formats.

hostname.chain.crt
    The certificate chain (aka intermediate certificate) file for hostname. This file contains the concatenation of each intermediate certificate, in PEM encoding. The first certificate is the issuer of the end-entity certificate, and the last certificate is signed by the root certificate. The root certificate is not included.

SSLMate optionally creates the following files for every certificate (in the cert_directory) if the indicated configuration option is set to yes.

hostname.chained.crt (cert_format.chained)
    A concatenation of the certificate and chain files for hostname, in PEM encoding. This format is enabled by default. This is the file you should use with most applications on Linux, which require the certificate and chain to be specified in the same file.

hostname.combined.pem (cert_format.combined)
    A concatenation of the private key, certificate, and chain files for hostname, in PEM encoding. This format is intended for Linux applications which require the key and certificates to be specified in the same file.
hostname.p12 (cert_format.p12)
    A PKCS#12 file (also known as a P12 or PFX file) containing the private key, certificate, and chain for hostname. The PKCS#12 file's password is "sslmate". PKCS#12 files are primarily used by Windows applications.

hostname.jks (cert_format.jks)
    A Java keystore file containing the private key, certificate, and chain for hostname. The keystore's password is "sslmate". The keytool(1) command, from the Java runtime environment, must be installed to use this format. JKS files are generally used only by Java applications, such as Tomcat.

hostname.root.crt (cert_format.root)
    The root certificate for hostname, in PEM encoding. You do not generally need the root certificate, so you should leave this format disabled unless you have a special requirement.

hostname.chain+root.crt (cert_format.chain+root)
    A concatenation of the chain and root certificate files for hostname. This format is required for verifying OCSP responses and configuring OCSP stapling. You do not need it in a basic configuration.

You need to configure your server software (e.g. Apache, nginx) with the private key file (.key) and some combination of the .crt files. Some software (e.g. Apache) requires you to specify the certificate (.crt) and the chain (.chain.crt) in separate files, while other software (e.g. nginx) requires you to specify both in a single file (.chained.crt).

Files which contain the private key are created with restrictive filesystem permissions (0600), and other files are created with world-readable permissions (0644). When updating a file, sslmate preserves the existing owner and permissions, including (on Linux only) ACLs.
This lets you use filesystem permissions to grant access to applications that run as a non-root user, and not have to worry about the permissions being disrupted when downloading an updated certificate.

You are encouraged to run sslmate as root, store keys and certificates in the SSLMate-managed key_directory and cert_directory (/etc/sslmate by default), and to configure your server software to refer to keys and certificates in this directory. This makes automated renewals more seamless by ensuring that your server software always refers to the latest version of a certificate downloaded by sslmate download.

Environment Variables

SSLMATE_CONFIG
    The path to your personal configuration file. Defaults to $HOME/.sslmate.

See Also

Online SSLMate Help, openssl(1)

--------------------------------------------------------------------------------
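As an added example (not sslmate's own code), the following Python reads the configuration format described in the Configuration section above (one NAME VALUE option per line, blank and # lines ignored, personal file overriding global), applies the documented directory defaults and cert_format rules, and derives the -PROFILE paths from the Global options section. The two sample files are constructed for this example, and letting a later duplicate line win within one file is an assumption.

```python
"""Added example (not part of sslmate): reader for the sslmate configuration
format and the derived settings the manual describes."""
import os
from typing import Dict, Optional, Set

GLOBAL_CONF = """\
# constructed sample of /etc/sslmate.conf
key_directory   /etc/sslmate
cert_directory  /etc/sslmate
cert_format.p12 yes
"""

PERSONAL_CONF = """\
# constructed sample of ~/.sslmate; these entries win over the global file

cert_directory       /srv/tls/certs
cert_format.chained  no
cert_format.combined yes
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse one file: NAME VALUE per line; blank lines and # comments skipped.
    A later line for the same NAME replaces an earlier one (assumption)."""
    options: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'NAME VALUE', got {raw!r}")
        options[parts[0]] = parts[1].strip()
    return options


def effective_config(global_text: Optional[str], personal_text: Optional[str]) -> Dict[str, str]:
    """Merge both files; personal options override global ones, and a file
    that does not exist (None) contributes nothing."""
    merged = parse_config(global_text) if global_text is not None else {}
    if personal_text is not None:
        merged.update(parse_config(personal_text))
    return merged


def enabled_formats(config: Dict[str, str]) -> Set[str]:
    """cert_format.NAME options: everything is off by default except "chained";
    the value "yes" enables a format and any other value disables it."""
    formats = {"chained"}
    for name, value in config.items():
        if name.startswith("cert_format."):
            fmt = name[len("cert_format."):]
            if value.lower() == "yes":
                formats.add(fmt)
            else:
                formats.discard(fmt)
    return formats


def directories(config: Dict[str, str], running_as_root: bool, cwd: str) -> Dict[str, str]:
    """key_directory and cert_directory with the documented defaults:
    /etc/sslmate as root, the current working directory otherwise."""
    default = "/etc/sslmate" if running_as_root else cwd
    return {
        "key_directory": config.get("key_directory", default),
        "cert_directory": config.get("cert_directory", default),
    }


def profile_paths(profile: Optional[str]) -> Dict[str, str]:
    """Global config file and default directory once "-PROFILE" is appended."""
    suffix = f"-{profile}" if profile else ""
    return {
        "global_config": f"/etc/sslmate{suffix}.conf",
        "default_directory": f"/etc/sslmate{suffix}",
    }


def personal_config_path(env: Dict[str, str]) -> str:
    """$SSLMATE_CONFIG overrides the default $HOME/.sslmate location."""
    return env.get("SSLMATE_CONFIG") or os.path.join(env.get("HOME", ""), ".sslmate")
```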
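The permission rules from the Certificate files section, as an added example that is not sslmate's own code: a file installer that gives new private-key files mode 0600 and other new files 0644, and keeps the existing owner and mode when a file is updated. Writing to a temporary file and renaming it into place is this example's choice, and ACLs (which sslmate preserves on Linux) are not carried over here.

```python
"""Added example (not part of sslmate): install a key or certificate file with
the default modes and the owner/mode preservation the manual describes."""
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional

# Output files that contain the private key (see the CERTIFICATE FILES list).
PRIVATE_KEY_SUFFIXES = (".key", ".combined.pem", ".p12", ".jks")


def contains_private_key(path: str) -> bool:
    return path.endswith(PRIVATE_KEY_SUFFIXES)


def default_mode(path: str) -> int:
    """0600 for anything holding the private key, world-readable 0644 otherwise."""
    return 0o600 if contains_private_key(path) else 0o644


def install_file(path: str, data: bytes) -> int:
    """Write data to path and return the permission bits the file ends up with."""
    existing: Optional[os.stat_result]
    try:
        existing = os.stat(path)
    except FileNotFoundError:
        existing = None
    mode = stat.S_IMODE(existing.st_mode) if existing else default_mode(path)

    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".new-")
    try:
        with os.fdopen(fd, "wb") as f:          # mkstemp creates the file as 0600
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
            os.fchmod(f.fileno(), mode)         # preserved mode, or the default for a new file
            if existing is not None:            # keep owner and group (changing them needs root)
                os.fchown(f.fileno(), existing.st_uid, existing.st_gid)
        os.replace(tmp, path)                    # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def demonstrate() -> Dict[str, int]:
    """Exercise install_file in a scratch directory with constructed contents."""
    base = tempfile.mkdtemp(prefix="sslmate-example-")
    try:
        key = os.path.join(base, "www.example.com.key")
        crt = os.path.join(base, "www.example.com.chained.crt")
        results = {
            "new_key": install_file(key, b"-- constructed key material --\n"),
            "new_crt": install_file(crt, b"-- constructed certificate --\n"),
        }
        os.chmod(crt, 0o640)   # an admin narrowed the cert file to a service group
        results["updated_crt"] = install_file(crt, b"-- renewed certificate --\n")
        results["updated_key"] = install_file(key, b"-- rekeyed material --\n")
        return results
    finally:
        shutil.rmtree(base)
```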