simp_le
Simple Letโs Encrypt client.
simp_le --email [email protected] -f account_key.json \
-f account_reg.json \
-f fullchain.pem -f key.pem \
-d example.com -d www.example.com --default_root /var/www/html \
-d example.net:/var/www/other_htmlFor more info see simp_le --help.
NOTE: this repository is mostly unmaintained; I will review and merge PRs, but I(@zenhack) am no longer using this tool myself and am thus not motivated to otherwise actively develop it.
Project History
- @kuba wrote the original https://github.com/kuba/simp_le, at a time when ACME & let's Encrypt were very new; certbot still didn't support nginx, and there was an un-filled niche for a trivial command line ACME client.
- At some point @kuba stopped maintaining simp_le. A few months later bitrot set in, and PRs fixing the problems went unmerged.
- When the breakage began to affect https://zenhack.net, I(@zenhack) forked the project, merged the PRs, fixed CI and began maintaining the tool. This continued for several years.
- I(@zenhack) switched over to using NixOS's acme configuration options, and transitioned the project to its current semi-unmaintained status.
Manifest
- UNIX philosophy: Do one thing and do it well!
simp_le --valid_min ${seconds?} -f cert.pemimplies thatcert.pemis valid for at at leastvalid_min(defaults to 2592000 seconds / 30 days). Register new ACME CA account if necessary. Issue new certificate if no previous key/certificate/chain found. Renew only if necessary.- (Sophisticated) โmanagerโ for
${webroot?}/.well-known/acme-challengeonly. No challenges other thanhttp-01. Existing web-server must be running already. - No magical webserver auto-configuration.
- Owner of
${webroot?}/.well-known/acme-challengemust be able to run the script, without privilege escalation (sudo,root, etc.). crontabfriendly: fully automatable - no prompts, etc.- No configuration files. CLI flags as the sole interface! Users should write their own wrapper scripts or use shell aliases if necessary.
- Support multiple domains with multiple roots. Always create single
SAN certificate per
simp_lerun. - Flexible storage capabilities. Built-in
simp_le -f fullchain.pem -f key.pem,simp_le -f chain.pem -f cert.pem -f key.pem, etc. - Do not allow specifying output file paths. Users should symlink if necessary!
- No need to allow specifying an arbitrary command when renewal has
happened, just check the exit code:
0if certificate data was created or updated;1if renewal not necessary;2in case of errors.
--server(support multiple ACME v2 CAs).- Support for revocation.
- Implicit agreement to the selected ACME CA's terms of service.
Installation
sudo ./bootstrap.sh
./venv.sh
export PATH=$PWD/venv/bin:$PATHUsage with Docker
If you want to use simp_le with Docker, have a look at simp_le for Docker.
Help
Have a look at https://github.com/zenhack/simp_le/wiki/Examples for some examples.
If youโre having problems feel free to open an issue to ask questions.
Change Log
Below is a summary of changes introduced in each release. Any user-visible changes must be recorded here. Note that the topmost entry sometimes represents the next (i.e. not yet released) version.
Releases occur approximately every two months, unless there is a pressing need to do otherwise (e.g. security & serious bug fixes), or no changes have been made since the last release.
0.20.0
- Update python-acme dependency to version 2.0
0.19.2
- Fix a minor standards conformance issue, see #155
0.19.1
- Add missing dependency on the
sixpackage.
0.19.0
- Add
--use_alt_chainflag.
0.18.1
- Fix a minor protocol conformance issue.
- Fix some bitrot in the venv.sh script (not applicable unless installing from the git repo).
0.18.0
- Upgrade acme to 1.3 or later.
- Fix a bug where simp_le failed to obtain a cert from BuyPass ACME.
0.17.0
- Upgrade acme to 1.x
0.16.0
- Fix an ACME v2 protocol non-conformity
- Upgrade acme to 0.39.x
0.15.0
Please read these carefully, as this release includes a couple changes that may require changes when upgrading
- Switch from ACME v1 to ACME v2 endpoints support.
Support for ACME v1 endpoints has been dropped entirely.
If you were previously passing the server endpoint via the
--serverflag, you will need to update it to point to a v2 endpoint (or simply remove it, to use Let's Encrypt's default v2 endpoint). - Persist account_reg.json in addition to account_key.json, and recover missing registration info if needed. You will now need to pass a ``-f account_reg.json`` option to simp_le
- Remove the
-f external.shfeature. - Drop official support for Python 2 and 3.4.
- Add official support for Python 3.7 (in theory it should have worked before, but we are now testing with it).
- Upgrade acme to 0.35.x
0.14.0
- Upgrade acme to 0.33.x
0.13.0
- Upgrade acme to 0.31.x
0.12.0
- Upgrade acme to 0.29.x
0.11.0
- Upgrade acme to 0.27.x
0.10.0
- Upgrade acme to 0.25.x
0.9.0
- Upgrade acme to 0.24.x
0.8.1
- Add a workaround for some installation problems caused by a bug in pip.
0.8.0
- Drop official support for Python 2.6
- Upgrade acme to 0.22.x
0.7.0
- Remove the ToS hash comparison, implicitly agree to CA's ToS if present
- Add check for empty or corrupt cert/key files
- Add some sanity checks for email syntax
- Upgrade acme to 0.20.x
0.6.2
- Implement the future-proofing mentioned in the 0.6.1 release notes. Future TOS changes should not break simp_le >= 0.6.2
0.6.1
- Update the hash for the letsencrypt TOS. The TOS changed on November 15th, which broke previous releases. Future releases will not hard-code the hash, which should avoid this sort of problem in the future.
0.6.0
- Drop official support for Python 3.3.
- Disable self-verification; this was highly unreliable and resulted in spurrious warnings.
- Improve argument sanity-checks and error messages.
- Save account_key.json, even on failures
- Clean temporary challenge files.
- Upgrade acme to 0.19.x
0.5.1
- Add a workaround for some installation problems caused by a bug in pip
0.5.0
- Upgrade acme to 0.17.x
0.4.0
- Upgrade acme to 0.16.x
0.3.0
- Fix a bug where the version number was incorrectly reported
- Upgrade acme to 0.15.x
0.2.0
- Upgrade to acme 0.11.x
0.1.1
- Change the package name; the original maintainer owns the simp_le PyPI package, and hasn't responded to requests to transfer it, so the package name is now 'simp_le-client'.
0.1.0
- First release