
acme.net's Introduction

Oocx.ACME - an ACME protocol library and simple Let's Encrypt client


This repository contains a library that can be used to develop ACME / Let's Encrypt clients.

Requesting and installing a new SSL certificate can be as simple as this:

acme.exe -d www.example.com -a

That's all you need to do to request and install a free SSL certificate from Let's Encrypt!

This project is a work in progress. It works, but probably still has many bugs and needs more testing.

I created this project as a training exercise and to learn about ACME and related technologies (certificate file formats, ASN1, ...). This is not intended to be a finished and ready to use product. However, I thought it might be useful or interesting for other people as well.

A major difference to other ACME .net clients is that this project does not have a dependency on OpenSSL (mainly because I wanted to figure out if I could implement this project without OpenSSL, and because it provided an opportunity to learn more about certificate file formats and ASN1).

If you are just looking for a Let's Encrypt client or a more mature project, then you should take a look at these projects:

.net ACME protocol library. A simple ACME Client for Windows

Using acme.exe

You can use acme.exe with or without IIS integration. With IIS integration, acme.exe automatically configures your IIS to respond to the ACME domain validation challenge, and it updates your IIS web site with the new SSL certificate. To use IIS integration, you must run acme.exe on your IIS web server.

Examples:

Request a certificate for www.yourdomain.com and accept the terms of service of the ACME server (-a), using [email protected] as registration contact information (-m):

acme.exe -a www.yourdomain.com -m mailto:[email protected]

If you don't want to use IIS integration or can't use it / you are not using IIS, you can also run acme.exe without IIS support. In that case, you need to manually copy the challenge file that is required to validate domain ownership to your server.

Request a certificate for www.yourdomain.com without IIS integration and accept the terms of service of the ACME server (-a), using [email protected] as registration contact information (-m):

acme.exe -a www.yourdomain.com -m mailto:[email protected] -c manual-http-01 -i manual
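In the manual flow above, the copied challenge file can be checked before the ACME server fetches it. The following is an added example, not code from this project: it assumes the http-01 format of RFC 8555 (path /.well-known/acme-challenge/<token>, body token.thumbprint, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the account key), and the token and account key are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample values, not a real account key or CA token.
SAMPLE_TOKEN = "constructed_token-0123456789"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256",
              "n": "constructed-modulus-not-a-real-key"}
TOKEN_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789-_")


def b64url(data):
    """Base64url without padding, as used by JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an RSA public JWK."""
    if jwk.get("kty") != "RSA":
        raise ValueError("this example only handles RSA account keys")
    # Only the required members, sorted by name, no whitespace;
    # optional members such as "alg" must not influence the hash.
    canonical = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_challenge(token, account_jwk):
    """Return (URL path, exact body) expected for this token."""
    # Refuse tokens outside the base64url alphabet so a malformed value
    # can never turn into a path outside the challenge directory.
    if not token or not set(token) <= TOKEN_CHARS:
        raise ValueError("token is not base64url")
    path = "/.well-known/acme-challenge/" + token
    return path, token + "." + jwk_thumbprint(account_jwk)


def check_served_body(served, token, account_jwk):
    """True if the bytes the web server returns match the expected body."""
    _, body = expected_challenge(token, account_jwk)
    # Trailing whitespace is tolerated; a BOM, an HTML error page or a
    # body built from a different account key is not.
    return served.decode("ascii", "replace").rstrip() == body


if __name__ == "__main__":
    print(expected_challenge(SAMPLE_TOKEN, SAMPLE_JWK))
```

Fetch the path over plain HTTP from outside your network and pass the response bytes to check_served_body; a False result means validation would fail for the same reason.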

If something does not work, please contact me at [email protected] or submit an issue on GitHub. You can increase the output verbosity by using the parameter -v Verbose.

Projects in this repository

Oocx.ACME

This is an implementation of the ACME protocol. It contains a class AcmeClient that can be used to communicate with ACME servers.

Oocx.ACME supports .NET 4.6 and dnx46. It does not work with .NET 4.5 (see issue #2). I have begun to work on .NET Core support. I cannot really test it yet because I first need a version of NSubstitute that works with .NET Core, so that I can use .NET Core to run my unit tests.

Oocx.ACME.Console

This is a simple command line client that I use to test my ACME client. It does not yet have any command line arguments (I use it by commenting out/in whatever I need).

Change log

2015-12-06 ACME.net now also on NuGet (v.0.0.72)

The ACME.net protocol library is now also available on nuget.org. The API could still change and is not widely used yet, therefore I have uploaded it as a prerelease package.

2015-11-22 IIS integration (v.0.0.56)

The console application can now configure IIS to automatically handle an http-01 challenge. It can now also install the certificate into the certificate store and update IIS bindings to use the new certificate.

2015-11-16 basic command line client

The console application now accepts command line parameters. I also added a first prerelease binary to the releases page. I have also set up an AppVeyor CI build.

2015-11-15 Initial Commit

This is just a prototype and work in progress. The code contains hard coded references to paths on my PC and hard coded certificate names and domain names.

However, it is complete enough that I was able to create a SSL certificate for my web site test.startliste.info.


acme.net's Issues

Also install in additional Certificate Store

Hi,

To use the certificate with the IIS6 Smtp server, one has to install the certificate in the local machine, personal store.
Is this something that one can easily add to the application, or would it require significant changes?

Invalid agreement URL?

Command


Output Log:

using server https://acme-v01.api.letsencrypt.org/
trying to create new registration
error:
**urn:acme:error:malformed**
Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]

Where can I find acme.exe?

I'm looking for a simple way to create Let's Encrypt certificates on Windows. Where can I find acme.exe which is mentioned in the documentation?

Could not compile Oocx.Asn1PKCS.Tests

In file class CsrTests

line 62 is:
sut.Save(key.ExportParameters(true), "test.startliste.info", KeyExport.Format.PEM);

but should be:
sut.Save(key.ExportParameters(true), "test.startliste.info", KeyFormat.PEM);

.NET version issue?

Trying to run the client and I get:

Unhandled Exception: System.MissingMethodException: Method not found: '!!0[] System.Array.Empty()'.
at Oocx.ACME.Console.ContainerConfiguration.Configure(Options options)
at Oocx.ACME.Console.Program.Execute(Options options) in C:\projects\acme-net\src\Oocx.ACME.Console\Program.cs:line 32
at CommandLine.ParserResultExtensions.WithParsed[T](ParserResult`1 result, Action`1 action)
at Oocx.ACME.Console.Program.Main(String[] args) in C:\projects\acme-net\src\Oocx.ACME.Console\Program.cs:line 20
at Oocx.ACME.CLRConsole.Program.Main(String[] args)

From a quick search it's a .NET 4.6/4.5 issue

Could not resolve type with token 01000049

using key base path ./src/Oocx.ACME.CLRConsole/bin/Debug
./src/Oocx.ACME.CLRConsole/bin/Debug/acme-key.xml
writing new key to file ./src/Oocx.ACME.CLRConsole/bin/Debug/acme-key.xml
using server https://acme-staging.api.letsencrypt.org/
Querying directory information from https://acme-staging.api.letsencrypt.org/

Unhandled Exception:
System.TypeLoadException: Could not resolve type with token 01000049

Registration Error: Out of date Terms of Service

Error occurs during registration. Out of terms of service link.

error:
urn:acme:error:malformed
Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]

Key not valid for use in specified state

Hello
Was working for us for a long while
After the last windows update we get this:

could not create pfx file: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
at Oocx.Asn1PKCS.PKCS12.Pkcs12.CreatePfxFile(RSAParameters key, String pathToCertificate, String password, String pathToPfx) in C:\projects\acme-net\src\Oocx.Asn1PKCS\PKCS12\Pkcs12.cs:line 16
at Oocx.ACME.Console.AcmeProcess.SaveCertificateWithPrivateKey(String domain, RSAParameters key, String certificatePath) in C:\projects\acme-net\src\Oocx.ACME.Console\AcmeProcess.cs:line 93

Ideas?

It works! will it auto renew?

This worked great for me, too easy. I did have to do an optional update to install .net 4.6.

Is this going to auto renew on its own?

Notes:
I did this on an AWS EC2 T2 micro running windows 2012 R2.

I copied the acme.exe from the Releases link into a folder called LetsEncrypt on my C drive, then opened a command prompt there (Shift + Right Click - Open Command Window here) and then did as instructed: acme.exe -a mywebsite.com -m mailto:[email protected]

During the process, it asks for a password, it was not clear what this was to me - I was thinking it was being mailed to me so I checked my email. Eventually I figured maybe it was asking me to enter a password, so I made one up and it accepted it.

I'm still unclear what the purpose of the email is, I still have not received one, but the site is available over ssl with no errors that I can see.

Support for integration

Very nice project. I will be looking at using it in a small server project, and it looks like I could just provide my own IChallengeProvider to make it work.

If anyone has hints or has done this, let me know (via here presumably). If I proceed and succeed, I will post any suitable additions.

Hang in Parsing response

Don't know why but it hangs on first Directory response and this fix makes it work:

 src/Oocx.ACME/Client/AcmeClient.cs | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/src/Oocx.ACME/Client/AcmeClient.cs b/src/Oocx.ACME/Client/AcmeClient.cs 
 index 76fb7c9..832909e 100644
--- a/src/Oocx.ACME/Client/AcmeClient.cs
+++ b/src/Oocx.ACME/Client/AcmeClient.cs
@@ -213,7 +213,8 @@ namespace Oocx.ACME.Client
                 return certificateResponse as TResult;
             }

-            var responseContent = await response.Content.ReadAsAsync<TResult>();
+            var responseJson = await response.Content.ReadAsStringAsync();
+            var responseContent = JsonConvert.DeserializeObject<TResult>(responseJson);

             GetHeaderValues(response, responseContent);
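
Review bot: the result of JsonConvert.DeserializeObject<TResult>(responseJson) is passed straight to GetHeaderValues(response, responseContent) with no check, and the body is now parsed as JSON whatever the server actually sent. An empty body deserializes to null and a non-JSON body (for example an HTML error page) throws from the deserializer, so please check the response's content type or at least guard against a null responseContent before the GetHeaderValues call. It would also help to add a comment above the two new lines recording why ReadAsAsync<TResult> was replaced, since the change works around the hang without explaining it.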

New Release Please

Hi can someone rebuild the project with the new terms and conditions and submit it as a release.

Thank you
