CSR instead of cert key (fixes #13, #53)

.gitignore

@@ -15,5 +15,6 @@
 # ... as well as external IO plugin script
 /external.sh
 
-# `sshfs user@host:$ROOT public_html/` and `--default_root=public_html`
+# `sshfs user@host:$ROOT public_html/.well-known/acme-challenge` and
+# `simp_le ... public_html/.well-known/acme-challenge`
 /public_html/

README.rst

@@ -7,10 +7,10 @@ Simple `Let’s Encrypt`_ client.
 
 .. code:: shell
 
+    ./examples/generate_csr.sh example.com
     simp_le --email [email protected] -f account_key.json \
-      -f fullchain.pem -f key.pem \
-      -d example.com -d www.example.com --default_root /var/www/html \
-      -d example.net:/var/www/other_html
+      -f csr.pem -f fullchain.pem -f chain.pem -f cert.pem \
+      /var/www/html/.well-known/acme-challenge
 
 For more info see ``simp_le --help``.
 
@@ -22,9 +22,9 @@ Manifest
 2.  ``simp_le --valid_min ${seconds?} -f cert.pem`` implies that
     ``cert.pem`` is valid for at at least ``valid_min``. Register new
     ACME CA account if necessary. Issue new certificate if no previous
-    key/certificate/chain found. Renew only if necessary.
+    certificate/chain found. Renew only if necessary.
 
-3.  (Sophisticated) “manager” for
+3.  (Sophisticated) "manager" for
     ``${webroot?}/.well-known/acme-challenge`` only. No challenges other
     than ``http-01``. Existing web-server must be running already.
 
@@ -40,16 +40,16 @@ Manifest
     should write their own wrapper scripts or use shell aliases if
     necessary.
 
-8.  Support multiple domains with multiple roots. Always create single
+8.  Support multiple domains (sharing
+    ``${webroot?}/.well-known/acme-challenge``). Always create single
     SAN certificate per ``simp_le`` run.
 
-9.  Flexible storage capabilities. Built-in
-    ``simp_le -f fullchain.pem    -f key.pem``,
-    ``simp_le -f chain.pem -f cert.pem -f key.pem``, etc. Extensions
-    through ``simp_le -f external.sh``.
+9.  Flexible storage capabilities. Built-in ``simp_le -f
+    fullchain.pem``, ``simp_le -f chain.pem -f cert.pem``,
+    etc. Extensions through ``simp_le -f external.sh``.
 
-10. Do not allow specifying output file paths. Users should symlink if
-    necessary!
+10. Do not allow specifying input/output file paths. Users should
+    symlink if necessary!
 
 11. No need to allow specifying an arbitrary command when renewal has
     happened, just check the exit code:

examples/external.sh

@@ -1,13 +1,13 @@
 #!/bin/sh
 #
 # Dummy example external script that loads/saves
-# account_key/key/cert/chain to /tmp/foo. Experiment e.g. by running
+# account_key/csr/cert/chain to /tmp/foo. Experiment e.g. by running
 # `./external.sh persisted`, `echo foo | ./external.sh save; cat
 # /tmp/foo`, or `./external.sh load`; note the exit codes. The plugin
 # can be loaded by running `simp_le -f external.sh`.
 
 case $1 in
   save) cat - > /tmp/foo;;
   load) [ ! -f /tmp/foo ] || cat /tmp/foo;;
-  persisted) echo account_key key cert chain;;
+  persisted) echo account_key csr cert chain;;
 esac

examples/generate_csr.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# This script generates a simple SAN CSR to be used with ACME CA.
+
+if [ "$#" -lt 1 ]
+then
+  echo "Usage: $0 name [name...]" >&2
+  exit 1
+fi
+
+OUTFORM=${OUTFORM:-pem}
+OUT="csr.${OUTFORM}"
+# 512 or 1024 too low for Boulder, 2048 is smallest for tests
+BITS="${BITS:-4096}"
+KEYOUT=key.pem
+
+names="DNS:$1"
+shift
+for x in "$@"
+do
+  names="$names,DNS:$x"
+done
+
+openssl_cnf=$(mktemp)
+cat >"${openssl_cnf}" <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+[ san ]
+subjectAltName=\${ENV::SAN}
+EOF
+
+SAN="$names" openssl req -config "${openssl_cnf}" \
+  -new -nodes -subj '/' -reqexts san \
+  -out "${OUT}" \
+  -keyout "${KEYOUT}" \
+  -newkey rsa:"${BITS}" \
+  -outform "${OUTFORM}"
+
+rm "${openssl_cnf}"