zerossl / zerossl-bot Goto Github PK

The repository for the ZeroSSL certbot wrapper

License: MIT License

Shell 100.00%

zerossl-bot's Introduction

zerossl-bot

This repository contains a wrapper script that makes it easier to use Electronic Frontier Foundation's (EFF's) Certbot with the ZeroSSL ACME server

Installation

Install the operating system packages for curl, certbot and python3.
Install the ZeroSSL wrapper script
1. Quick:
  1. run bash <(wget -q -O - https://github.com/zerossl/zerossl-bot/raw/master/get-zerosslbot.sh)
  2. Done!
2. Careful:
  1. Run wget -q -O - https://github.com/zerossl/zerossl-bot/raw/master/get-zerosslbot.sh > get-zerosslbot.sh
  2. Inspect the file to see that it does what it is supposed to do
  3. Run source get-zerosslbot.sh

Usage

To use the ZeroSSL ACME server instead of running certbot run zerossl-bot.

Important Note: You should use the --zerossl-api-key argument in order to make sure you get a ZeroSSL certificate instead of an Let's Encrypt certificate.

Examples

sudo zerossl-bot certonly --standalone -m [email protected] -d mydomain.example.com

sudo zerossl-bot --apache -m [email protected] -d myotherdomain.example.com

sudo zerossl-bot --apache -d mythirddomain.example.com --zerossl-api-key 1234567890abcdef1234567890abcdef

sudo zerossl-bot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare-api-token \
                          --dns-cloudflare-propagation-seconds 60 -d fourth.example.com \
                          --zerossl-api-key=1234567890abcdef1234567890abcdef

Recommendations

Ensure correct ACME server URL is used (--server flag):

 --server https://acme.zerossl.com/v2/DV90

Known issues

There have been issues reported with certbot interactive prompt causing certificates of Let's Encrypt instead of ZeroSSL being issued. It is recommended to hand over parameters directly using the documented flags.

zerossl-bot's People

Contributors

Stargazers

Watchers

Forkers

moises0746 odongohcoder cadyrayller sitedata stefanmarkmann ming-ddtechcg sts0mrg0 holavaguy smallmote truongluu steelball annatoie micheleselea ros2-ship dannysauer adamlaska juanpalom ip11 clayauld fuchse-ohren felixlaguna njmube webzcc axisofentropy romangb surfndez heymarkk 0idr leviosar burkely-00orso69 mutazawadorg fluctlights g0053 mzha999 gugas1nwork korkin25 chunkworks yanlun0323 suryatmodulus anhvutuan djreefa kstr0k abdiiwan1841 eancpdev ben5231 nimdassdev paengomngay azzaka ai2hub wisekeylab dimaviii branhamcharles721 distantroad norbertosus lemathochist hlpmenu rice2220 mattbrumpton

zerossl-bot's Issues

zerossl-bot failed to parse parameters correctly

Using the latest instruction for zerossl-bot quick install

my zerossl-bot

user@host:~$ cat /usr/local/bin/zerossl-bot
#!/bin/bash

CERTBOT_ARGS=()

function parse_eab_credentials()
{
    PYTHONIOENCODING=utf8
    ZEROSSL_EAB_KID=$(echo $1 | python -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
    ZEROSSL_EAB_HMAC_KEY=$(echo $1 | python -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
    CERTBOT_ARGS+=(--eab-kid "$ZEROSSL_EAB_KID" --eab-hmac-key "$ZEROSSL_EAB_HMAC_KEY" --server "https://acme.zerossl.com/v2/DV90")
}

while [[ "$#" -gt 0 ]]; do
    case $1 in
        --zerossl-api-key=*)
            ZEROSSL_API_KEY="${1:18}"
        ;;
        --zerossl-api-key|-z)
           ZEROSSL_API_KEY="${2}"
           shift
        ;;
        --zerossl-email=*) 
            ZEROSSL_EMAIL="${1:16}"
        ;;
        --email|--zerossl-email|-m)
           ZEROSSL_EMAIL="${2}"
           CERTBOT_ARGS+=(-m "${2}")
           shift
        ;;
        *) CERTBOT_ARGS+=($1) ;;
    esac
    shift
done

if [[ -n $ZEROSSL_API_KEY ]]; then
    parse_eab_credentials $(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=$ZEROSSL_API_KEY")
elif [[ -n $ZEROSSL_EMAIL ]]; then
    parse_eab_credentials $(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ZEROSSL_EMAIL")
fi

Tried to run some commands to request for certificates but it keep failing.
So i went to test out the basics with the following commands

user@host:~$ sudo zerossl-bot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
user@host:~$ sudo zerossl-bot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
user@host:~$ sudo zerossl-bot --standalone certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
user@host:~$ certbot --version
certbot 1.16.0

Seems that zerossl-bot is having difficulty ingesting the first parameter, even when i tried to feed certonly, it did not work.

The actual command executed is similar to below:

sudo zerossl-bot certonly \
--cert-name example.com \
--zerossl-api-key mykeys \
--dns-digitalocean \
--dns-digitalocean-credentials ~/.secrets/secrets.ini \
-d example.com \
-d *.example.com

How to get 1 year cert (365 days) with ACME?

Hi,

we want to get 1 year certs via ACME. We upgrade our plan to basic (3 x1year cert included) but can't figure out how to get a 1year valid cert.

Please advise.

zerossl-bot doesn't pass parameter correctly

Here's what happens:
Note, I'm using the python3-certbot-nginx package for certbot (installed via apt-get) on Raspberry Pi, but that shouldn't make any difference.

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ramonk.net
    Domains: familykolb.com planeboston.com planefence.com ramonk.net
    Expiry Date: 2021-08-25 08:44:40+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/ramonk.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ramonk.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo zerossl-bot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: familykolb.com
2: planeboston.com
3: planefence.com
4: ramonk.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Broken links

So this wrapper is actually great, and actually more efficient than the full-on certbot port I was expecting for ZeroSSL, but the links to https://certbot.zerossl.com/get-certbot.sh and https://certbot.zerossl.com/certbot-zerossl.sh are broken. I'm sure fixing this is planned as part of the full rollout, but it makes it a bit more difficult to start issuing ACME certificates when the links to download the wrapper are broken on a DNS level. Any time frame?

These scripts have no license

Could you specify the license either in the repo or in the script files themselves?

Current version NOT work! Even fixed certbot_opts

zerossl-bot certonly --standalone -d 1.2.3.4 -m [email protected]
Sat Nov 6 21:23:08 CET 2021 Calling: certbot certonly --standalone -d 1.2.3.4 -m [email protected] --eab-kid EDITED --eab-hmac-key EDITED --server https://acme.zerossl.com/v2/DV90/
Requested name 1.2.3.4 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpeafum1dq/log or re-run Certbot with -v for more details.

zerossl-bot cannot issue SSL for IP but zerossl.com can

Hello,

I want to automate SSL issuing and renewing for my IP Address via zerossl-bot but I get this error:

Requested name MY_IP_ADDRESS is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.

While in zerossl.com it say I can.

How is different zerossl-bot from zerossl.com in generating certificates? And how can I automate it?

Will zerossl-bot client be supported in the future without snap?

One of the reasons we are willing to subscribe to zerossl is cerbot-auto not being supported because they are moving to snap but I am reading issues and just installed zerossl-bot and get this message:

Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.

zerossl-bot and non standard ports

Can I use zerossl-bot to automate the renewal of a certificate on a web server that is running on the non standard port 30443 ?

Errors with arguments containing spaces

I had tried this:

certbot-zerossl \
  certonly \
  --email '[email protected]' \
  --agree-tos \
  --no-eff-email \
  --standalone \
  --pre-hook 'systemctl stop nginx' \
  --post-hook 'systemctl start nginx' \
  --domain 'example.com'

but had an error: certbot: error: unrecognized arguments: stop nginx start nginx

I adapted a wrapper for another script and am successfully able to use ZeroSSL with certbot using the following:

#!/bin/bash

# Copy provided arguments to new array CERTBOT_ARGS
CERTBOT_ARGS=("$@")

function parse_eab_credentials()
{
    PYTHONIOENCODING=utf8
    ZEROSSL_EAB_KID=$(echo $1 | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
    ZEROSSL_EAB_HMAC_KEY=$(echo $1 | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
    CERTBOT_ARGS+=(--eab-kid "$ZEROSSL_EAB_KID" --eab-hmac-key "$ZEROSSL_EAB_HMAC_KEY" --server "https://acme.zerossl.com/v2/DV90")
}

# Iterate through CERTBOT_ARGS array
for (( i = 1 ; i < ${#CERTBOT_ARGS[@]}+1 ; i++ )); do

  # Look for --zerossl-api-key ARG and --zerossl-api-key=ARG (if specified more than once, the last one wins)
  if [[ "${CERTBOT_ARGS[$i-1]}" =~ ^--zerossl-api-key$ ]]; then
    # We're operating off counter $i - 1, so the argument to --zerossl-api-key is the next array item
    ZEROSSL_API_KEY="${CERTBOT_ARGS[$i]}"
    # After setting the ZEROSSL_API_KEY value, remove the option and the value from the array
    unset 'CERTBOT_ARGS[$i-1]' 'CERTBOT_ARGS[$i]'
  elif [[ "${CERTBOT_ARGS[$i-1]}" =~ ^--zerossl-api-key= ]]; then
    # Strip the text before the = character and capture (no need to check for whitespace at end b/c of array separator)
    ZEROSSL_API_KEY="${CERTBOT_ARGS[$i-1]#*=}"
    # After setting the ZEROSSL_API_KEY value, remove the option=value from the array
    unset 'CERTBOT_ARGS[$i-1]'
  fi

  if [[ "${CERTBOT_ARGS[$i-1]}" =~ ^--zerossl-email$ ]]; then
    ZEROSSL_EMAIL="${CERTBOT_ARGS[$i]}"
    unset 'CERTBOT_ARGS[$i-1]' 'CERTBOT_ARGS[$i]'
  elif [[ "${CERTBOT_ARGS[$i-1]}" =~ ^--zerossl-email= ]]; then
    ZEROSSL_EMAIL="${CERTBOT_ARGS[$i-1]#*=}"
    unset 'CERTBOT_ARGS[$i-1]'
  fi

  # Don't remove -m/--email from request like the --zerossl-* options
  if [[ "${CERTBOT_ARGS[$i-1]}" =~ ^(--email|-m)$ ]]; then
    ZEROSSL_EMAIL="${CERTBOT_ARGS[$i]}"
  elif [[ "${CERTBOT_ARGS[$i-1]}" =~ ^--email= ]]; then
    ZEROSSL_EMAIL="${CERTBOT_ARGS[$i-1]#*=}"
  fi

done

if [[ -n $ZEROSSL_API_KEY ]]; then
    parse_eab_credentials $(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=$ZEROSSL_API_KEY")
elif [[ -n $ZEROSSL_EMAIL ]]; then
    parse_eab_credentials $(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ZEROSSL_EMAIL")
fi

certbot "${CERTBOT_ARGS[@]}"

Wildcard SSL Cert creation

When I attempt to use the following command:
usr/local/bin/zerossl-bot -m [email] -d *.[name].com --zerossl-api-key [api_key] --nginx --agree-tos --non-interactive
I receive
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Any ideas how to get around this? I never have this problem when I use a non-wildcard domain.

certbot issues certificate but zerossl-bot cannot probably because of no arguments

I run the following command but get this error:

root@mytest:~# zerossl-bot certonly --standalone --webroot -w /var/www/html/ -m [email protected] -d $HOSTNAME
/usr/local/bin/zerossl-bot: line 8: python: command not found
/usr/local/bin/zerossl-bot: line 9: python: command not found
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
root@mytest:~# python
python              python3             python3-config      python3-futurize    python3-pasteurize  python3-pbr         python3-unidiff     python3.8           python3.8-config
root@mytest:~# python -V
Python 3.8.10

Its log:

2022-11-22 16:32:31,726:DEBUG:certbot.main:certbot version: 0.40.0
2022-11-22 16:32:31,726:DEBUG:certbot.main:Arguments: []
2022-11-22 16:32:31,726:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-11-22 16:32:31,747:DEBUG:certbot.log:Root logging level set at 20
2022-11-22 16:32:31,747:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-11-22 16:32:31,749:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2022-11-22 16:32:31,750:DEBUG:certbot.plugins.selection:No candidate plugin
2022-11-22 16:32:31,750:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

But the following command works and has this log:

Command:

root@mytest:~# certbot certonly --dry-run --webroot -w /var/www/html/ -m [email protected] -d $HOSTNAME
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mytest.domaintest.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

Do you please help me why it does not issue any certificates and has these two issues:

python command not found, while python itself is installed as you see
DEBUG:certbot.main:Arguments: [] did not receive any arguments while I passed.

Ne

#!/usr/bin/env sh #https://github.com/acmesh-official/get.acme.sh _exists() { cmd="$1" if [ -z "$cmd" ] ; then echo "Usage: _exists cmd" return 1 fi if type command >/dev/null 2>&1 ; then command -v $cmd >/dev/null 2>&1 else type $cmd >/dev/null 2>&1 fi ret="$?" return $ret } if [ -z "$BRANCH" ]; then BRANCH="master" fi #format "[email protected]" _email="$1" if [ "$_email" ]; then shift _email="--$(echo "$_email" | tr '=' ' ')" fi if _exists curl && [ "${ACME_USE_WGET:-0}" = "0" ]; then curl https://raw.githubusercontent.com/acmesh-official/acme.sh/$BRANCH/acme.sh | sh -s -- --install-online $_email "$@" elif _exists wget ; then wget -O - https://raw.githubusercontent.com/acmesh-official/acme.sh/$BRANCH/acme.sh | sh -s -- --install-online $_email "$@" else echo "Sorry, you must have curl or wget installed first." echo "Please install either of them and try again." fi

I tried to use this script but it errors..

The ARGS variable on the last line I am sure is the wrong ARG ???

Surely this should be certbot ${CERTBOT_ARGS[@]} ??

The python clever stuff just errors for me with any version of Python..

I just by passed everything here and just added the hmac/kid/server vars to certbot which worked fine... Which sorta defeats the point of the script :-)

I did BTW upgrade the certbot install etc so those dependencies were dealt with..

I may well be missing something...

cconstab@orac:$ sudo certbot-zerossl certonly --standalone -m [email protected] home.mydomain.com
[sudo] password for cconstab:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
cconstab@orac:$

Getting an error when trying to generate a certificate with --webroot

I'm trying to run:
sudo certbot-zerossl certonly --webroot -d mydomain.com -d www.mydomain.com --zerossl-api-key MY_API_KEY_HERE

But I got the error:

2020-12-16 16:55:13,122:DEBUG:certbot._internal.main:certbot version: 1.10.1
2020-12-16 16:55:13,122:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2020-12-16 16:55:13,122:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#ngi$
2020-12-16 16:55:13,133:DEBUG:certbot._internal.log:Root logging level set at 20
2020-12-16 16:55:13,133:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-12-16 16:55:13,134:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2020-12-16 16:55:13,140:DEBUG:certbot.plugins.util:Failed to find executable apache2ctl in PATH: /snap/certbot/793/bin:/snap/certbot/793/usr/bin:/usr/local/s$
2020-12-16 16:55:13,140:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Cannot find Apache executable apache2ctl
Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 157, in prepare
    self._initialized.prepare()
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 317, in prepare
    self._verify_exe_availability(self.option("ctl"))
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 434, in _verify_exe_availability
    raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Cannot find Apache executable apache2ctl
2020-12-16 16:55:13,140:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#nginx): Could not find a usable 'nginx' binary. Ensure nginx $
Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 157, in prepare
    self._initialized.prepare()
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 185, in prepare
    raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
2020-12-16 16:55:13,141:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2020-12-16 16:55:13,141:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None

It looks like the Apache and Nginx plugin is missing, but I don't need them. I'm just wanting to generate the certificate.

OS: Ubuntu 16.04
I installed the certbot with snap, as shown on the official website.

inconsistent handling of --zerossl-email=... vs --zerossl-email ...

I've opened PR #29 . While looking at the arg parser, I've noticed that --zerossl-email=$EML just puts the email into the curl --data parameter, the output of which gets parsed by parse_eab_credentials(); meanwhile, --zerossl-email $EML (with a separate arg) does that as well, but also adds -m $EML to certbot's args.

If intended, it seems quite confusing and should be documented. I'm guessing it was an oversight, though?

Installation Dependencies

zerossl-bot/README.md

Line 10 in 7059698

1. Install the operating system packages for `curl` and `certbot`

zerossl-bot/zerossl-bot.sh

Line 16 in 7059698

(*) echo 'No python3 detected'; exit 1 ;;

If I'm reading these correctly, the instructions should specify python is required too.

zerossl-bot.sh wrapper is using the wrong variable for ARGS

Problem statement

zerossl-bot.sh wrapper is using the wrong variable for ARGS

Steps to reproduce

Install zerosll wrapper root@vmubuntu2004srv:~# bash <(curl -s https://zerossl.com/get-zerosslbot.sh)
Get API key from https://app.zerossl.com/developer
Setup DNS on own domain pointing to your IP

Setup Apache site using mydomain.com

root@vmubuntu2004srv:~# cat /etc/apache2/sites-available/mydomain.com.conf
<VirtualHost *:80>
        ServerName mydomain.com
        DocumentRoot /var/www/html
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Open port 80 and 443
Make sure you can visit http://mydomain.com

Run zerossl cerbot wrapper

root@vmubuntu2004srv:~# zerossl-bot --apache -d mydomain.com -m [email protected] --zerossl-api-key 123123123123123123123123123123

Visible results

The certificate is issued by Let's Encrypt instead of ZeroSSL

Expected results

The certificate should be issues by ZeroSSL

Proposed solution

The last line of zerossl-bot.sh is wrong - is using ARGS instead of CERTBOT_ARGS

Working script

#!/bin/bash

CERTBOT_ARGS=()

function parse_eab_credentials()
{
    PYTHONIOENCODING=utf8
    ZEROSSL_EAB_KID=$(echo $1 | python -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
    ZEROSSL_EAB_HMAC_KEY=$(echo $1 | python -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
    CERTBOT_ARGS+=(--eab-kid "$ZEROSSL_EAB_KID" --eab-hmac-key "$ZEROSSL_EAB_HMAC_KEY" --server "https://acme.zerossl.com/v2/DV90")
}

while [[ "$#" -gt 0 ]]; do
    case $1 in
        --zerossl-api-key=*)
            ZEROSSL_API_KEY="${1:18}"
        ;;
        --zerossl-api-key|-z)
           ZEROSSL_API_KEY="${2}"
           shift
        ;;
        --zerossl-email=*)
            ZEROSSL_EMAIL="${1:16}"
        ;;
        --email|--zerossl-email|-m)
           ZEROSSL_EMAIL="${2}"
           CERTBOT_ARGS+=(-m "${2}")
           shift
        ;;
        *) CERTBOT_ARGS+=($1) ;;
    esac
    shift
done

if [[ -n $ZEROSSL_API_KEY ]]; then
    parse_eab_credentials $(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=$ZEROSSL_API_KEY")
elif [[ -n $ZEROSSL_EMAIL ]]; then
    parse_eab_credentials $(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ZEROSSL_EMAIL")
fi

echo ${CERTBOT_ARGS[@]}
certbot ${CERTBOT_ARGS[@]}

If you need to manually obtain the certificate, here is the easy-to-use web page ACME client on the browser, welcome to use🎉

This webpage client is only used in scenarios where you want to manually apply for a certificate.

The source code of the client side of this webpage has been open sourced, and the access URL is provided by the hosting warehouse, and the source code is transparent and traceable.
This client is only a static HTML web page file, without any dependencies, it can be directly saved to your local use.
Compared with binary programs and class libraries that are difficult to analyze, html code and network request data are easier to review and more secure and reliable.
Compared with command line scripts, web pages have an easy-to-use UI interface and are easier to use.
Except for the ACME interface address of the certificate authority you specify, this webpage client will not send data to any other address, and it is easy to check the network data through the browser console.
This webpage client does not depend on the operating system environment, no need to download and install software, no need to register, no need to log in.

Online use URL: https://xiangyuecn.github.io/ACME-HTML-Web-Browser-Client/ACME-HTML-Web-Browser-Client.html
GitHub: https://github.com/xiangyuecn/ACME-HTML-Web-Browser-Client

Support to apply for RSA, ECC/ECDSA certificates from certificate authorities that support the ACME protocol, such as Let's Encrypt and ZeroSSL, and support multiple domain names and wildcards.

If you don't need automatic renewal and just want to apply for a certificate, using the webpage version of the client should be the best choice.

It may be because of manual operation and the fact that automatic renewal is not supported. The ACME client list on the official website does not provide a browser version of the client. As a result, users who only want to obtain certificates and do not need automation functions must carefully use those clients that are not easy to use.

I have been applying for a certificate through the diafygi/gethttpsforfree webpage before, but the operation was too complicated, and I couldn't find a better web client from the official website, so I wrote my own code and made one, welcome to use🎉.

Certificate Expiration Risk Alert: Since this web client can only be operated manually and does not support automatic renewal, you should pay attention to apply for a new certificate before the certificate expires (free certificates are generally valid for 90 days, you only need to repeat the operation at that time), or use acme.sh and other client automatic renewal.

certbot-zerossl is using letsencrypt server

Hello,

I have installed certbot-zerossl, but I am having trouble getting it to use zerossl's ACME server.

I am running sudo certbot-zerossl --nginx --agree-tos --non-interactive --redirect -d subdomain.example.com -d cname.example.com --zerossl-api-key MY_ZEROSSL_API_KEY

The process also appears to be taking me through the interactive prompts, and hitting Let's Encrypt's ACME servers. Have I missed something obvious?

Certonly can't be used without extra packages

The wrapper doesn't allow for the certonly argument to be used unless the following packages are also installed:

python-certbot-apache
augeas-lenses
libaugeas0
python-augeas

Users without automatically detected web servers (or those wishing to just generate certs) will need to install these packages in order to use certonly with the wrapper:

sudo apt-get update && sudo apt-get install python-certbot-apache

This should be added to the README.md documentation.

Can't revoke certificates from zerossl-bot

It looks like zerossl-bot uses ACME directly so when I try to revoke certificates from the zerossl.com dashboard it's unable to and directs me to these instructions: https://help.zerossl.com/hc/en-us/articles/900005244486-Revoking-Certificates-Issued-via-ACME

I can't use the original ACME account as I can see in the zerossl-bot logs that it uses a new account variously which I assume is generated from my zerossl-api-key.

I tried the other method using the private key but the zerossl.com dashboard gives me two .crt files: ca_bundle.crt and certificate.crt and I no longer have the files zerossl-bot issued

Neither of these are in the .pem format required by cerbot revoke - I tried converting them with openssl but it doesn't look like either of those files is the private key as certbot revoke tells me the converted pem files do not match.

If there's a way to revoke the certificates from zerossl-bot please let me know.

504 timeouts

Hello,

I've been getting 504 gateway timeouts for the last couple of days. I'm 100% certain it's not my server(s) at fault.
Is there any word why it's been going down so much lately? Looking at the status page, it's been having issues for multiple days now!

Here's a short log:

$curl https://acme.zerossl.com/v2/DV90
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>

zerossl-bot.sh using letsencrypt's API instead of ZeroSSL

Ran zerossl-bot.sh and that happened... Do I need to remove certbot from existence?

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: dindegmdps.us.to
2: acjagdps.dindegmdps.us.to
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Requesting a certificate for acjagdps.dindegmdps.us.to
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for "us.to". Retry after 2023-08-25T09:00:00Z: see https://letsencrypt.org/docs/rate-limits/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Install script pulling the wrong bot script

Hey folks, even with the args bug being fixed with #15, the get-zerosslbot.sh script downloads the file at https://zerossl.com/zerossl-bot.sh, which is outdated. So when using the installer, we get "pre" #15 bot that doesn't work at all. Could you please update the file at https://zerossl.com/zerossl-bot.sh to the new one?

zerossl / zerossl-bot Goto Github PK

zerossl-bot's Introduction

zerossl-bot

Installation

Usage

Examples

Recommendations

Known issues

zerossl-bot's People

Contributors

Stargazers

Watchers

Forkers

zerossl-bot's Issues

Problem statement

Steps to reproduce

Visible results

Expected results

Proposed solution

Working script

Recommend Projects

Recommend Topics

Recommend Org