Easy to use Let's Encrypt client and acme client library to issue, renew and revoke TLS certificates.
You can install letsencrypt-rs with:
cargo install letsencrypt-rs
letsencrypt-rs is using the openssl library to generate all required keys and certificate signing request. You don't need to run any openssl command. You can use your already generated keys and CSR if you want and you don't need any root access while running letsencrypt-rs.
letsencrypt-rs is using simple HTTP validation to pass Let's Encrypt's DNS validation challenge. You need a working HTTP server to host the challenge file.
sh
letsencrypt-rs sign -D example.org -P /var/www -k domain.key -o domain.crt
This command will generate a user key, domain key and X509 certificate signing
request. It will register a new user account and identify the domain ownership
by putting the required challenge token into /var/www/.well-known/acme-challenge/.
If everything goes well, it will save the domain private key into domain.key
and the signed certificate into domain.crt.
You can also use the --email option to provide a contact adress on registration.
You can use your own RSA keys for user registration and domain. For example:
sh
letsencrypt-rs sign \
--user-key user.key \
--domain-key domain.key \
--domain-csr domain.csr \
--domain example.org \
-P /var/www \
-o domain.crt
This will not generate any key and it will use provided keys to sign the certificate.
You can use --dns flag to trigger DNS validation instead of HTTP. This
option requires user to generate a TXT record for domain. An example DNS
validation:
sh
$ letsencrypt-rs sign --dns -D onur.im -E onur@onur.im \
-k /tmp/onur.im.key -o /tmp/onur.im.crt
Please create a TXT record for _acme-challenge.onur.im: fDdTmWl4RMuGqj9acJiTC13hF6dVOZUNm3FujCIz3jc
Press enter to continue
letsencrypt-rs can also revoke a signed certificate. You need to use your user key and a signed certificate to revoke.
sh
letsencrypt-rs revoke --user-key user.key --signed-crt signed.crt
You can get a list of all available options with letsencrypt-rs sign --help
and letsencrypt-rs revoke --help:
``` $ letsencrypt-rs sign --help letsencrypt-rs-sign Signs a certificate
USAGE:
letsencrypt-rs sign [FLAGS] [OPTIONS] --domain
FLAGS: -c, --chain Chains the signed certificate with Let's Encrypt Authority X3 (IdenTrust cross-signed) intermediate certificate. -d, --dns Use DNS challenge instead of HTTP. This option requires user to generate a TXT record for domain -h, --help Prints help information -V, --version Prints version information
OPTIONS:
-B, --bit-length
``` $ letsencrypt-rs revoke --help letsencrypt-rs-revoke Revokes a signed certificate
USAGE:
letsencrypt-rs revoke --user-key
FLAGS: -h, --help Prints help information -V, --version Prints version information
OPTIONS:
-C, --signed-crt
acme-client crateletsencrypt-rs is powered by the acme-client library. You can read the
documentation in docs.rs. Example usage of
AcmeClient:
rust
AcmeClient::new()
.and_then(|ac| ac.set_domain("example.org"))
.and_then(|ac| ac.register_account(Some("contact@example.org")))
.and_then(|ac| ac.identify_domain())
.and_then(|ac| ac.save_http_challenge_into("/var/www"))
.and_then(|ac| ac.simple_http_validation())
.and_then(|ac| ac.sign_certificate())
.and_then(|ac| ac.save_domain_private_key("domain.key"))
.and_then(|ac| ac.save_signed_certificate("domain.crt"));