增强现实AR>> letsencrypt_heroku>> 返回
项目作者: xijo

项目描述 :
Automated letsencrypt setup for heroku
高级语言: Ruby
项目地址: git://github.com/xijo/letsencrypt_heroku.git
创建时间: 2016-06-22T21:22:56Z
项目社区:https://github.com/xijo/letsencrypt_heroku
开源协议:
下载


letsencrypt_heroku

CLI tool to automate SSL certificate setup and renewal for letsencrypt and rails (or any other rack based application).

Procedure

To grant a SSL certificate for a given domain, letsencrypt requires a challenge
request to be correctly answered on this domain. To automate this process this gem will perform the following steps for you:

  1. Register the domain and a contact email with letsencrypt
  2. Letsencrypt provides the expected challenge request answer
  3. Make your application answer correctly
  4. Trigger letsencrypt challenge process
  5. Download issued certificates from letsencrypt
  6. Setup certificates for your heroku application

Installation

Precondition: make sure the heroku cli is installed on your development machine.

In a nutshell

  1. Install the gems
  2. Deploy your application
  3. Write configuration file
  4. Run letsencrypt_heroku on your local machine
  5. Verify SSL is working correctly

The gems

  1. gem 'letsencrypt_rack'
  2. gem 'letsencrypt_heroku', require: false

Wait, why do I need two gems?

To perform SSL certificate setup and renewal a command line tool is used: letsencrypt_heroku. This tool will only be needed on your development machine and does not need to be loaded into your production environment.

letsencrypt_rack contains a tiny rack middleware, that answers challenge request at the following path: /.well-known/acme-challenge. It serves the contents of the LETSENCRYPT_RESPONSE environment variable.

For non rails apps

You need to add LetsencryptRack::Middleware to your rack stack:

  1. # in config.ru
  2. use LetsencryptRack::Middleware

Configuration

Put a configuration file under config/letsencrypt_heroku.yml that looks like this:

  1. - contact:    email@example.dev
  2.   domains:    example.dev www.example.dev
  3.   heroku_app: example-dev-application

Each block in this configuration will issue a new certificate, so if you need to retrieve more than one (e.g. for another environment) you can configure more:

  1. - contact:    email@example.dev
  2.   domains:    example.dev www.example.dev
  3.   heroku_app: example-dev-application
  5. - contact:    email@example.dev
  6.   domains:    stg.example.dev
  7.   heroku_app: stg-example-dev-application

You can add keep_certs: true to a block if you need to keep the generated certificate.

Please note that your application will be restarted for every single domain in your config. The restart happens automatically when the heroku challenge response gets set as environment variable.

Verify SSL is working correctly

Run curl -vI https://www.example.dev and check that it has a section that looks like this:

  1. * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  2. * Server certificate: blindlunch.team
  3. * Server certificate: Let's Encrypt Authority X3
  4. * Server certificate: DST Root CA X3

You may also check the results of qualys ssltest.

Renewal

Once the process ran through the renewal is as simple as: run letsencrypt_heroku - again.

You’ll receive emails from letsencrypt from time to time to remind you to renew your certificates.

CLI options

  1. # Use a custom config file location
  2. $ letsencrypt_heroku --config=another.yml
  4. # Restrict for which domains the process should be run
  5. $ letsencrypt_heroku --limit=foobar

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/xijo/letsencrypt_heroku.

TODO

  • document extraordinary configuration options (multiple domain SSL on single application)
  • configurable config file location