https://github.com/ndilieto/uacme

ndilieto / uacme (Public) - ACMEv2 client written in plain C with minimal dependencies. License: GPL-3.0. 306 stars, 29 forks.
Latest commit: "LibreSSL > 3.5.0 has ASN1_TIME_diff()" (1eae686, Aug 16, 2022), 226 commits on master.
# uacme manual

uacme: lightweight client for the RFC8555 ACMEv2 protocol, written in plain C with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS).

The ACMEv2 protocol allows a Certificate Authority (Let's Encrypt is a popular one) and an applicant to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.

## Features

* **Lightweight** - Unlike most other ACME clients, uacme does one thing only and tries to do it well, according to the Unix philosophy. For example, don't expect it to automatically set up your webserver to use the certificates it obtains.
* **Written in C** - It runs on any unix machine, including Linux, BSD, ...
* **Minimal dependencies** - Other than the standard C library, uacme depends only on libcurl and one of GnuTLS, OpenSSL or mbedTLS. It does all the cryptography and network communications without spawning external processes. Particularly when using mbedTLS, it is small enough to run on embedded systems with severe RAM and program memory restrictions (such as OpenWRT routers, for example). This is in contrast to solutions based on python or shell scripts, which may well be a few hundred lines but require many other large applications such as python or openssl to work.
* **Native ECC support** - Elliptic Curve keys and certificates can be generated with a command line option (-t EC)
* **Easily extensible** - It optionally calls an external hook program with the tokens required for domain authorization by the server. The hook program can be an executable, shell script, perl script, python script, or any file that the operating system can execute.
* **ACME challenge agnostic** - It provides the user or hook program with all tokens and information required to complete any challenge type but leaves the task of setting up and cleaning up the challenge environment to the user or hook. Example shell scripts to handle http-01, dns-01 and tls-alpn-01 challenges are provided.
* **Zero downtime tls-alpn-01 support** - The distribution also includes ualpn, a lightweight proxying tls-alpn-01 challenge responder compliant with RFC8737 and RFC8738.
* **Can run as a cron job** - to renew certificates automatically when needed, even for remote machines
* **Robust** - It checks every operation, retrying or failing gracefully as appropriate
* **Detailed error reporting** - By default totally quiet when everything works OK, it reports precise and detailed error information on stderr when something goes wrong. Optionally it can also print debug information by specifying the --verbose flag once or more.
## Installation

Note: pristine releases are in the upstream/latest branch, tagged as upstream/x.x.x

```
mkdir uacme
wget -O - https://github.com/ndilieto/uacme/archive/upstream/latest.tar.gz | tar zx -C uacme --strip-components=1
cd uacme
./configure --disable-maintainer-mode
make install
```

If you just want to check out the latest pristine release from github:

```
git clone -b upstream/latest https://github.com/ndilieto/uacme
```

uacme is included in several distributions:

* https://packages.debian.org/uacme
* https://packages.ubuntu.com/uacme
* https://software.opensuse.org/package/uacme
* https://pkgs.alpinelinux.org/packages?name=uacme
* https://aur.archlinux.org/packages/uacme
* https://voidlinux.org/packages/?q=uacme
* https://cvsweb.openbsd.org/ports/security/uacme
* https://www.freshports.org/security/uacme
* https://github.com/openwrt/packages/tree/master/net/uacme
* https://github.com/buildroot/buildroot/tree/master/package/uacme

## Getting started

Once you have obtained uacme (see Installation above) the next step is creating an ACME account:

```
uacme -v -c /path/to/uacme.d new
```

The configuration directory and account private key should have been created:

```
/path/to/uacme.d/private/key.pem
```

You can then issue a certificate for your domain by doing

```
uacme -v -c /path/to/uacme.d issue www.your.domain.com
```

If everything goes well uacme asks you to set up a challenge, for example

```
uacme: challenge=http-01 ident=www.your.domain.com token=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4
key_auth=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU
```

Note the challenge type in the example is http-01, which means you should set up your web server to serve a URL based on the token:

```
http://www.your.domain.com/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4
```

The URL must return a text file containing a single line with the key authorization:

```
kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU
```

After setting up
the web server you can then type 'y' followed by a newline. This notifies the ACME server that it can proceed with the challenge verification.

If the procedure is successful uacme saves the certificate and the key at:

```
/path/to/uacme.d/www.your.domain.com/cert.pem
/path/to/uacme.d/private/www.your.domain.com/key.pem
```

Note several challenge types are possible. If you type anything other than 'y', uacme skips the challenge and proposes a different one. The easiest is http-01 but any other type can be dealt with. Keep in mind that challenge types may be served in random order by the server. Do not make any assumptions and read what uacme outputs carefully.

## Automating updates

Use the -h flag to manage the challenge with a hook script:

```
uacme -v -c /path/to/uacme.d -h /usr/share/uacme/uacme.sh issue www.your.domain.com
```

or (depending on your installation)

```
uacme -v -c /path/to/uacme.d -h /usr/local/share/uacme/uacme.sh issue www.your.domain.com
```

This will use the example uacme.sh hook script included in the distribution to manage http-01 challenges. You might need to edit the script to match your webserver's environment. Once everything works correctly you can also set up cron, for example

```
6 15 * * * /usr/bin/uacme -c /path/to/uacme.d -h /usr/share/uacme/uacme.sh issue www.your.domain.com
```

The cron job will automatically update the certificate when needed. Note the absence of the -v flag; this makes uacme only produce output upon errors. Note also that you will need to restart or reload any service that uses the certificate, to make sure it uses the renewed one. This is system and installation dependent. I normally put the necessary instructions in another script (for example /usr/share/uacme/reload.sh) that is executed by cron when uacme returns 0 (indicating the certificate has been reissued).
```
6 15 * * * /usr/bin/uacme -c /path/to/uacme.d -h /usr/share/uacme/uacme.sh issue www.your.domain.com && /usr/share/uacme/reload.sh
```

Check https://github.com/jirutka/muacme for a complete, ready-to-go solution.

## dns-01 challenge support

The nsupdate.sh hook script included in the distribution allows managing dns-01 challenges with nsupdate. This only works if your name server supports RFC2136 (bind does, nsd doesn't).

https://gitlab.alpinelinux.org/alpine/infra/docker/uacme-nsd-wildcard is another example that works with nsd.

https://gist.github.com/Gowee/e756f925cfcbd5ab32d564ee3c795786 shows how to integrate with the Cloudflare API.

https://github.com/tdy91/uacme-gandi-hook works with gandi.net.

## tls-alpn-01 challenge support

ualpn is a lightweight proxying tls-alpn-01 challenge responder, designed to handle incoming HTTPS connections on port 443. Most of the time it just transparently proxies connections to the real web server (which can be on either another machine or a different TCP port on the same machine). When a tls-alpn-01 challenge handshake comes in, ualpn handles it on the fly instead of proxying it to the webserver. This means that, unlike other available tls-alpn-01 responders, ualpn does not require your webserver to stop during the challenge (zero downtime).

The high performance event-driven implementation is based on libev, which considerably reduces the cost of context switches and memory usage. In addition, on systems such as Linux supporting the splice() system call, ualpn is able to move network data entirely in kernel memory without a round trip to user space, which further enhances performance.

ualpn also listens on a UNIX domain socket so that it can be fed the necessary tls-alpn-01 key authorizations for the domains being validated by the ACME server. ualpn was designed to be easy to integrate not only with uacme (check the example ualpn.sh hook script) but also with other ACME clients. A certbot plugin is also available.
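The hook contract described above (uacme hands the hook the challenge type, identifier, token and key authorization and leaves deployment and cleanup to the hook) as an added Python example. This is not uacme.sh, nsupdate.sh or any other script from the distribution. It assumes the argument order documented in uacme(1), `METHOD TYPE IDENT TOKEN KEY_AUTH` with METHOD one of `begin`, `done` or `failed`, which this README does not spell out, and a webroot given by the hypothetical `CHALLENGE_DIR` environment variable. It goes beyond the http-01 case shown in Getting started: it also computes the dns-01 TXT value and the tls-alpn-01 digest that RFC 8555 and RFC 8737 require, and, since the token becomes a file name under the webroot, it refuses a token that is not plain base64url before touching the filesystem.

```python
"""Hypothetical uacme hook (added example, not the project's uacme.sh).

Invoked by uacme as:  hook.py METHOD TYPE IDENT TOKEN KEY_AUTH
(argument order assumed from uacme(1); METHOD is begin, done or failed).
"""
import base64
import hashlib
import os
import re
import sys

# Assumed webroot for http-01; uacme.sh in the distribution has its own setting.
CHALLENGE_DIR = os.environ.get("CHALLENGE_DIR", "/var/www/.well-known/acme-challenge")

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate(token: str, key_auth: str) -> None:
    """Reject inputs that cannot be a well-formed ACME challenge.

    The token is used as a file name inside the webroot, so it must be a bare
    base64url string: no '/', '..', whitespace or anything else a path could use.
    The key authorization is token '.' thumbprint, the thumbprint being a
    43-character base64url SHA-256 (RFC 8555 section 8.1).
    """
    if not _B64URL.match(token):
        raise ValueError("token is not base64url")
    if not key_auth.startswith(token + "."):
        raise ValueError("key authorization does not start with the token")
    thumbprint = key_auth[len(token) + 1:]
    if len(thumbprint) != 43 or not _B64URL.match(thumbprint):
        raise ValueError("key authorization does not end with a SHA-256 thumbprint")


def expected_response(ctype: str, key_auth: str) -> str:
    """What has to be published for each challenge type."""
    if ctype == "http-01":
        return key_auth                      # body served at /.well-known/acme-challenge/<token>
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    if ctype == "dns-01":
        return b64url(digest)                # TXT record at _acme-challenge.<ident> (RFC 8555 8.4)
    if ctype == "tls-alpn-01":
        return digest.hex()                  # the 32 bytes inside the acmeIdentifier OCTET STRING (RFC 8737)
    raise ValueError("unsupported challenge type: " + ctype)


def hook(method, ctype, ident, token, key_auth, challenge_dir=None):
    """Handle one hook invocation. Returns the file path touched for http-01,
    None for challenge types this hook leaves to others (nsupdate.sh, ualpn.sh)."""
    challenge_dir = challenge_dir or CHALLENGE_DIR
    validate(token, key_auth)
    if ctype != "http-01":
        return None
    path = os.path.join(challenge_dir, token)   # ident is implied by which webroot this is
    if method == "begin":
        os.makedirs(challenge_dir, exist_ok=True)
        with open(path, "w") as f:
            f.write(expected_response(ctype, key_auth) + "\n")
    elif method in ("done", "failed"):
        try:
            os.remove(path)                  # always clean up, whether validation passed or not
        except FileNotFoundError:
            pass
    else:
        raise ValueError("unknown method: " + method)
    return path


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: hook.py METHOD TYPE IDENT TOKEN KEY_AUTH")
    hook(*sys.argv[1:])                      # any exception gives uacme a nonzero exit status
```

Point uacme at it with `-h /path/to/hook.py` (made executable) exactly as the README does with uacme.sh. The script exits nonzero on any validation failure; uacme(1) rather than this README documents how it reacts to the hook's exit status.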
To get started with ualpn:

* move your real HTTPS server to port 4443, which doesn't need to be open to the outside (only ualpn will connect to it), and set it up to accept the PROXY protocol:
  + for nginx: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol

    ```
    server {
        listen 127.0.0.1:4443 ssl proxy_protocol;
        set_real_ip_from 127.0.0.0/24;
        real_ip_header proxy_protocol;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        ...
    ```

  + for apache: https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotocol

    ```
    Listen 4443
    RemoteIPProxyProtocol On
    ...
    ```

* launch ualpn as a daemon and check the logs (by default in syslog)

  ```
  sudo ualpn -v -d -u nobody:nogroup -c 127.0.0.1@4443 -S 666
  ```

* create an ACME account

  ```
  uacme -v -s -c /path/to/uacme.d -y new
  ```

* try obtaining a certificate with the tls-alpn-01 challenge

  ```
  uacme -v -s -c /path/to/uacme.d -h /usr/share/uacme/ualpn.sh issue www.your.domain.com
  ```

  or, depending on your installation

  ```
  uacme -v -s -c /path/to/uacme.d -h /usr/local/share/uacme/ualpn.sh issue www.your.domain.com
  ```

## Documentation

There are regular unix man pages in the distribution, also available in HTML: uacme, ualpn.

## Bugs and suggestions

If you believe you have found a bug, please log it at https://github.com/ndilieto/uacme/issues

If you have any suggestions for improvements, pull requests are welcome.

Contributors: @ndilieto, @jirutka, @sthen, @alexshpilkin, @HalosGhost, @kolbma, @dengqf6. Languages: C 84.5%, Shell 8.0%, M4 3.3%, Roff 3.3%, Makefile 0.9%.
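The decision ualpn has to make for every incoming connection on port 443, as an added Python example that is not ualpn's own code (ualpn is C on top of libev): look at the first TLS record, parse the ClientHello, and hand the connection to the challenge responder only when it carries the `acme-tls/1` ALPN value that RFC 8737 requires together with an SNI name; everything else is proxied to the backend on 127.0.0.1:4443 from the steps above. The `route` function, the `BACKEND` constant and the fallback behaviour for non-TLS input are assumptions of this example, and `build_client_hello` exists only to construct test input. The PROXY protocol header, splice() and the UNIX socket that feeds key authorizations are deliberately left out.

```python
"""Added example: ualpn-style ClientHello triage (not ualpn's own C code)."""

ACME_ALPN = "acme-tls/1"          # ALPN protocol id mandated by RFC 8737 section 3
BACKEND = ("127.0.0.1", 4443)     # the real HTTPS server from the setup steps (assumed here)


def parse_client_hello(data: bytes):
    """Return (sni, alpn_list) from the first TLS record of a connection.

    Raises ValueError for anything that is not a complete, well-formed
    ClientHello contained in a single record; a front end should then fall
    back to a safe default instead of guessing.
    """
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated ClientHello")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def u(n: int) -> int:
        return int.from_bytes(take(n), "big")

    if u(1) != 0x16:                      # ContentType handshake
        raise ValueError("not a TLS handshake record")
    take(2)                               # record-layer version, irrelevant here
    rec_end = u(2) + pos
    if u(1) != 0x01:                      # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_end = u(3) + pos
    if hs_end > rec_end:
        raise ValueError("ClientHello spans records; not handled")
    take(2)                               # legacy_version
    take(32)                              # random
    take(u(1))                            # legacy_session_id
    take(u(2))                            # cipher_suites
    take(u(1))                            # legacy_compression_methods
    sni, alpn = None, []
    if pos == hs_end:                     # no extensions block at all
        return sni, alpn
    ext_end = u(2) + pos
    if ext_end > hs_end:
        raise ValueError("extensions overrun ClientHello")
    while pos < ext_end:
        etype, elen = u(2), u(2)
        eend = pos + elen
        if eend > ext_end:
            raise ValueError("extension overruns extensions block")
        if etype == 0:                    # server_name (RFC 6066)
            u(2)                          # ServerNameList length
            while pos < eend:
                name_type, name = u(1), take(u(2))
                if name_type == 0 and sni is None:
                    sni = name.decode("ascii")
        elif etype == 16:                 # application_layer_protocol_negotiation (RFC 7301)
            u(2)                          # ProtocolNameList length
            while pos < eend:
                alpn.append(take(u(1)).decode("ascii"))
        pos = eend                        # skip the rest of any extension
    return sni, alpn


def route(first_bytes: bytes, backend=BACKEND):
    """Decide where a new connection goes: ("challenge", sni) for a validation
    handshake, ("proxy", backend) for everything else, including input the
    parser rejects (the backend, not the responder, gets to deal with it)."""
    try:
        sni, alpn = parse_client_hello(first_bytes)
    except ValueError:
        return ("proxy", backend)
    if ACME_ALPN in alpn and sni:
        return ("challenge", sni)
    return ("proxy", backend)


def build_client_hello(sni: str, alpn) -> bytes:
    """Constructed test input: a minimal ClientHello carrying SNI and ALPN."""
    host = sni.encode("ascii")
    entry = b"\x00" + len(host).to_bytes(2, "big") + host          # host_name entry
    sni_ext = len(entry).to_bytes(2, "big") + entry
    exts = b"\x00\x00" + len(sni_ext).to_bytes(2, "big") + sni_ext
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        alpn_ext = len(protos).to_bytes(2, "big") + protos
        exts += b"\x00\x10" + len(alpn_ext).to_bytes(2, "big") + alpn_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A real front end would read with MSG_PEEK (or buffer and replay) so that the bytes it inspected still reach the backend, and would apply a short timeout to the peek so that a client that never sends a ClientHello cannot hold a slot open.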