git clone 'https://github.com/danielsz/certificaat.git'

(ql:quickload :danielsz.certificaat)

/Note:/ If [[https://certbot.eff.org/][certbot]] does everything for everybody, Certificaat is narrower in scope, focusing on usability and automated renewals.
** Installation [[https://github.com/danielsz/certificaat/releases/latest][Download]] the latest release, extract the archive and drop the self-contained binary in your ~PATH~.

/Note:/ Java is a system requirement.

** Usage * Command line

To get a certificate for a domain, you need to initialize ~certificaat~ with said domain, then you ~run~ it repeatedly until your certificate has downloaded.

  1. ~certificaat -m change.me init~
  2. ~certificaat -m change.me run~

The certificate can be renewed in one pass with ~certificaat -m change.me cron~.

**** Init

+BEGIN_SRC shell

certificaat -m change.me init


The ~-m~ option indicates the domain you want to authorize. It will feature in the Subject name of the final X.509 certificate.

+BEGIN_SRC shell

certificaat -m change.me -n www.change.me init


The ~-n~ option is for additional domain name you want to authorize. It will feature in the Subject Alternative Name a(SAN) of the certificate. Repeat this option for all required names. Caution: there is a hard limit imposed by the CA.

During this phase, certificaat will, if needed, register a user account with the ACME CA, and write configuration files that you then can edit and customize.

Certificaat follows the [[https://specifications.freedesktop.org/basedir-spec/latest/][XDG Base Directory Specification]]. The configuration folder is determined by querying the value of ~XDG_CONFIG_HOME~ in the environment, and if not set, will default to ~$HOME/.config/certificaat~.

Configuration files are in [[https://github.com/edn-format/edn][edn]] format and can be edited in any text editor.

The local configuration file is stored in the project directory, ~$HOME/.config/certificaat/change.me/config.edn~ , and looks like this:

+BEGIN_SRC clojure

{:acme-uri “acme://letsencrypt.org/staging”, :challenges #{“http-01”}, :contact “mailto:admin@change.me”, :domain “change.me”, :hooks [:before-challenge :after-request], :organisation “ChangeMe corporation”, :san #{“www.change.me”}}


Hopefully, the options are self-explanatory.

| Staging URI | Production URI | | acme://letsencrypt.org/staging | acme://letsencrypt.org |

The global configuration is stored in the root directory, ~$HOME/.config/certificaat/change.me/config.edn~ and it looks like this:

+BEGIN_SRC clojure

{:key-size 2048, :key-type :rsa, :keypair-filename “account.key”, :plugins {:diffie-hellman {:enabled false, :filename “dhparam.pem”, :group14 true, :modulus 2048}, :email {:enabled false, :sendmail false, :smtp {:host “smtp.changeme.org”, :pass “changeme”, :port 587, :user “changeme”}}, :webroot {:enabled false, :path “/var/www/”}}}


**** Run

+BEGIN_SRC shell

certificaat -m change.me run


~certificaat~ will display instructions pertaining to the challenge. This is the time to satisfy the requirements (for example, configuring DNS records or preparing your web server). When you are ready, simply repeat the operation and the challenges will be triggered and, if successfully completed, a certificate downloaded and saved to disk.

**** Hooks

Hooks are provided to perform additional functionality at key moments, namely before the challenges get triggered, and after a certificate has been acquired or renewed. The hooks are powered by plugins that need to be configured and enabled.

The plugin configuration resides in the root directory, ~XDG_CONFIG_HOME/.config/certificaat/config.edn~

***** Webroot This enables authorizing and requesting the certificate in a single pass. ***** Email An email will be sent to the contact registered with the certificate. ***** Diffie-Helman parameters This will save a Diffie-Helman parameters file along with the certificate, for further tuning the SSL setup.

**** Info

+BEGIN_SRC shell

certificaat -m example.com info


Certificaat will display a summary of the certificate.

**** Renew

+BEGIN_SRC shell

certificaat -m example.com cron


This command can be integrated in an automated workflow. For example, as a cron job.

+BEGIN_SRC shell

5 8 1 * * certificaat -m change.me cron && /usr/sbin/service nginx reload


** Challenges

Certificaat will honor all challenges defined in the ACME specification, but please note that Let’s Encrypt CA does not support the OOB challenge and that TLS-SNI comes in two flavors.

| Challenge | Option identifier | Let’s Encrypt | Certificaat | | HTTP | http-01 | ✓ | ✓ | | DNS | dns-01 | ✓ | ✓ | | TLS with Server Name Indication (SNI) | tls-sni-01 & tls-sni-02 | ✓ & ✕ | ✓ | | Out-of-Band | oob-01 | ✕ | ✓ |

** Clojure library In addition to the command line, Certificaat is available on [[https://clojars.org/][Clojars]] as a regular Clojure library which you can require in your projects.


/Note/: a single namespace exposes a core API which is made available to all interfaces.

** Contributions If you plan to submit enhancements beyond bug fixes, please coordinate with me beforehand in order to save everybody’s time and effort. * Credits I wish to thank [[https://shredzone.org/maven/acme4j/][Richard Körber]] who wrote the Java client for the ACME protocol, [[https://github.com/shred/acme4j][acme4j]], which serves as the foundation for Certificaat. Not only is it well written, it is exquisitely [[https://shredzone.org/maven/acme4j/][documented]]. * License Licensing terms will be revealed shortly. In the meantime, do what you want with it. Type ~certificaat -h~ to familiarize yourself with the input it expects. For as long as the authorizations remain valid,

/Note:/ With LetsEncrypt, cached authorizations last for 30 days from the time of validation.