Letsencrypt wrapper for auto completion of http challenge in manual mode


#1

A Tcl/expect wrapper script to auto-complete the http challenge in manual mode: lcget source, web page

It requires ssh access to remote host. An example command to get the cert would be:

lcget certonly --manual -d example.com -d www.example.com -m admin@example.com

lcget runs the letsencrypt client and monitors its output, then parses the output to get the challenge info and finally runs an ssh command for each domain to complete the challenge.


#2

This is great, although I’d much rather see the option for manual mode to do two things:

  1. --save-output: Output the content for the ACME challenge to a text file, or better yet MySQL / MariaDB, rather than printing it to the console;
  2. --sleep (N): Wait N seconds for the content to be copied into place before attempting validation, rather than waiting for the user to press enter.

It’s a simple modification, and it would allow remote servers, via cron, to scp the content over FROM the LE host, and complete the http challenge without giving the LE host SSH access to everything that could potentially need a certificate. It’s a lot better to give your remote hosts the option of what to take and when, than to open them all up to arbitrary content being pushed from a central location.


#3

@sol
That’s very much possible. For example, you can turn lcget to your desired tool like this:

  1. First stop the ssh command: comment out lines 186 to 231. Those are the lines responsible for running ssh.
  2. --save-output: There are several convenience variables available (though all of them are not in actual use): $output $protocol $domain $dir $cont. $output is the full acme-challenge text; all the required information is parsed from it and saved in the $protocol, $domain, $dir and $cont variables. $dir=.well-known/acme-challenge/+the token, $cont is the content (also known as the key authorization). You can construct the challenge url with those vars if you want (set churl $protocol$domain/$dir). All of the above variables are available from line 185 to 233.
  3. --sleep(N): Insert a sleep command before line 233 (exp_send "\r").
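The parsing step described in #1 and the $protocol/$domain/$dir/$cont variables listed in #3, plus the pull-side caution from #2 (a remote host should check what it is about to place in its webroot rather than trust whatever arrives), as an added Python example. It is not part of lcget or the letsencrypt client; the manual-mode output it parses is a constructed sample that mirrors the shape of the client's prompt, and the webroot path and function names are assumptions for the example.

```python
"""Parse the manual-mode HTTP-01 challenge text printed by the letsencrypt
client into protocol/domain/dir/cont, then validate it before it becomes a
file under the webroot.  Example code, not part of lcget."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample of what the client prints for one domain in --manual
# mode; not a captured transcript.
SAMPLE_OUTPUT = """\
Make sure your web server displays the following content at
http://example.com/.well-known/acme-challenge/abc123_XYZ-token before continuing:

abc123_XYZ-token.Q2hhbGxlbmdlS2V5QXV0aG9yaXphdGlvbg

If you don't have HTTP server configured, you can run the following
command on the target server (as root):
...
Press ENTER to continue
"""

ACME_DIR = ".well-known/acme-challenge"
# ACME tokens and key authorizations are unpadded base64url (RFC 4648 s5).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# One URL line, a blank line, then one content line, as in the sample above.
CHALLENGE_RE = re.compile(
    r"(?P<protocol>https?://)(?P<domain>[A-Za-z0-9.-]+)/"
    r"(?P<dir>\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+))"
    r"[^\n]*\n\s*\n(?P<cont>[A-Za-z0-9_.-]+)\s*\n"
)


@dataclass(frozen=True)
class Challenge:
    protocol: str   # "http://" or "https://"
    domain: str
    dir: str        # ".well-known/acme-challenge/<token>"
    cont: str       # "<token>.<thumbprint>", the key authorization

    @property
    def url(self) -> str:
        # Same construction as "set churl $protocol$domain/$dir" in #3.
        return f"{self.protocol}{self.domain}/{self.dir}"

    @property
    def token(self) -> str:
        return self.dir.rsplit("/", 1)[1]


def parse_challenges(output: str) -> list[Challenge]:
    """Extract every challenge block from the client's output."""
    return [
        Challenge(m["protocol"], m["domain"], m["dir"], m["cont"])
        for m in CHALLENGE_RE.finditer(output)
    ]


def validate(ch: Challenge) -> None:
    """Raise ValueError unless this is a well-formed HTTP-01 challenge:
    base64url token (so it cannot name a path outside the challenge
    directory), path exactly ACME_DIR/<token>, and content of the form
    "<token>.<base64url>" and nothing else."""
    if not TOKEN_RE.fullmatch(ch.token):
        raise ValueError(f"token is not base64url: {ch.token!r}")
    if ch.dir != f"{ACME_DIR}/{ch.token}":
        raise ValueError(f"unexpected challenge path: {ch.dir!r}")
    prefix, sep, thumb = ch.cont.partition(".")
    if not (sep and prefix == ch.token and TOKEN_RE.fullmatch(thumb)):
        raise ValueError(f"content is not a key authorization for {ch.token}: {ch.cont!r}")


def target_path(webroot: str, ch: Challenge) -> PurePosixPath:
    """Return the file path a remote host would write, confined to the
    challenge directory under webroot (an assumed location)."""
    validate(ch)
    root = PurePosixPath(webroot)
    path = root / ch.dir
    # Belt and braces: the joined path must still sit directly in ACME_DIR.
    if path.parent != root / ACME_DIR:
        raise ValueError(f"path escapes challenge directory: {path}")
    return path


if __name__ == "__main__":
    for ch in parse_challenges(SAMPLE_OUTPUT):
        print(ch.url, "->", target_path("/var/www/html", ch))
```

The regex keys on the URL line the client prints, so it yields one Challenge per domain when several are requested; the validation is what lets a remote host pull a record and write it with a fixed filename pattern instead of trusting an arbitrary path and body pushed from the LE host.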