Let's Encrypt ACME client for NaviServer ======================================== Release 0.4 ----------- Florian Hanika <firstname.lastname@example.org> email@example.com This is a NaviServer module that implements a small Let's Encrypt ACME client for NaviServer. When the script is called via the browser, it prompts the user to enter one ore more domain names (blank separated) and generated for this a Let's Encrypt certificate by creating automatically a letsencrypt account (or reuses the account, if it was created before), the necessary challenges etc. Finally it obtains a certificate and tries to update the actual config file if necessary. When running this script, sometimes the Let's Encrypt interface rejects the generated keys. Probably, the problem occurs, when the last bit is "0", which is interpreted as a key with 2047 bits: https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/fOtt14fiDaM/IsvYqyPrNrcJ There is no need to worry about this, since the script will retry with another set of keys until the operation succeeds, which happens usually after the second or third attempt. When experimenting with this script, you might consider using the "staging" API instead of the production API to avoid to run into rate limits. See on the begin of letsencrypt.tcl. Requirements: - NaviServer (4.99.15 or newer) with the integrated OpenSSL support activated. - Next Scripting Framework 2.0 or newer - Tcllib (e.g. 1.15) installed on the Tcl library search path. - OpenSSL binaries installed (the "openssl" command will be executed during certificate generation via "exec") During runtime, the server (nsd) needs write permissions on a) [ns_info home]/modules/nsssl (for the certificate data) b) [ns_server pagedir] (for the challenge files) c) [ns_info config] (for updating the config file if necessary) Installation: Users might want to run "make install" from this directory to install the script in the page dir. This is ok for non-public servers, but otherwise please thinks about a proper space where to place "letsencrypt.tcl" OpenACS users might wish to copy it to packages/acs-subsite/www/admin/ such that only admins can execute it. Configuration: See the top section of "letsencrypt.tcl".