PHP client acme-client install and usage


#1

@kelunik wrote a PHP client at https://github.com/kelunik/acme-client and posted it on the list at List of Client Implementations

I thought I’d start a thread here for folks trying this client out. I am also looking at this PHP client as an alternative for low-memory VPS systems (128MB to 512MB VPSes).

From my understanding, installing acme-client is fairly simple, and I usually install in /root/tools for myself

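wget https://getcomposer.org/composer.phar -O /usr/bin/composer
# wget does not set the executable bit, so "composer install" below would fail without this
chmod +x /usr/bin/composer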
mkdir -p /root/tools
cd /root/tools
git clone https://github.com/kelunik/acme-client
cd acme-client
composer install

main help

/root/tools/acme-client/bin/acme --help

      ____ __________ ___  ___
     / __ `/ ___/ __ `__ \/ _ \
    / /_/ / /__/ / / / / /  __/
    \__,_/\___/_/ /_/ /_/\___/

    Usage: bin/acme command --args

    Available Commands:
    bin/acme register
    bin/acme issue
    bin/acme revoke

    Get more help by appending --help to specific commands.

individual help

/root/tools/acme-client/bin/acme register --help
The following arguments are required: [-s server, --server server] [--email email].

/root/tools/acme-client/bin/acme issue --help
The following arguments are required: [-d domains, --domains domains] [-s server, --server server].

/root/tools/acme-client/bin/acme revoke --help
The following arguments are required: [-c cert, --cert cert] [-s server, --server server].

registering client

/root/tools/acme-client/bin/acme register --server acme-v01.api.letsencrypt.org/directory --email me@example.com

issuing ssl certificates

/root/tools/acme-client/bin/acme issue --server acme-v01.api.letsencrypt.org/directory --domains example.com,www.example.com --path /var/www/example.com

revoking ssl certs

/root/tools/acme-client/bin/acme revoke --server acme-v01.api.letsencrypt.org/directory --cert data/live/example.com/cert.pem

Example usage

/root/tools/acme-client/bin/acme register --server acme-v01.api.letsencrypt.org/directory --email validemail@addy
[2015-12-09 01:52:40] ACME.INFO: Generating key keys ...
[2015-12-09 01:52:42] ACME.INFO: Registering with ACME server acme-v01.api.letsencrypt.org/directory ...
[2015-12-09 01:52:46] ACME.NOTICE: Registration successful with contact ["mailto:validemail@addy"]

saved data

ls -lah /root/tools/acme-client/data/accounts/
total 8.0K
drwx------ 2 root root  119 Dec  9 01:52 .
drwx------ 3 root root   21 Dec  9 01:52 ..
---x-wx--T 1 root root 3.2K Dec  9 01:52 acme-v01.api.letsencrypt.org-directory.private.key
-rw-r--r-- 1 root root  800 Dec  9 01:52 acme-v01.api.letsencrypt.org-directory.public.key

#2

@kelunik so what happens if you use acme-client to reissue an SSL cert already previously obtained via the official letsencrypt client? You’d have SSL certificates that are both valid in the /etc/letsencrypt/live/domain.com/* directory and in the data/* directory?

Can you use the same email address to register for both the official letsencrypt client AND acme-client?


#3

The client doesn’t care about other clients installed, so it doesn’t import anything from the official one. It just requests a new certificate. As email addresses are not bound to anything, you can always reuse them.

What’s missing currently is a fourth subcommand to renew certificates, something like bin/acme renew which automatically renews certificates valid for no more than 30 days.
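
Until such a subcommand exists, the 30-day check described above can be approximated with a wrapper around the 0.1.0 issue command from the first post. This is an added example, not part of the thread or of acme-client; the function names, environment variables, and the assumption that the certificate is stored under data/live/<first domain>/cert.pem are illustrative.

```shell
#!/bin/sh
# Added example (not acme-client code): re-run "bin/acme issue" only when the
# current certificate is missing or expires within RENEW_DAYS days.
# Paths and variable names below are assumptions based on the first post.
ACME_DIR="${ACME_DIR:-/root/tools/acme-client}"
ACME_SERVER="${ACME_SERVER:-acme-v01.api.letsencrypt.org/directory}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# needs_renewal CERT [DAYS]
# Exit status 0: renew (file missing/empty, unparsable, or expiring within DAYS).
# Exit status 1: certificate is still valid for more than DAYS days.
needs_renewal() {
    cert="$1"
    days="${2:-$RENEW_DAYS}"
    [ -s "$cert" ] || return 0
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_due DOMAINS DOCROOT
# DOMAINS is the comma-separated list passed to --domains; the first name is
# assumed to be the directory name under data/live/.
renew_if_due() {
    domains="$1"
    docroot="$2"
    primary="${domains%%,*}"
    cert="$ACME_DIR/data/live/$primary/cert.pem"
    if needs_renewal "$cert"; then
        echo "$primary: renewing"
        "$ACME_DIR/bin/acme" issue --server "$ACME_SERVER" \
            --domains "$domains" --path "$docroot"
    else
        echo "$primary: valid for more than $RENEW_DAYS days, nothing to do"
    fi
}

# Run directly, e.g. from a daily cron job:
#   renew.sh example.com,www.example.com /var/www/example.com
if [ "$#" -ge 2 ]; then
    renew_if_due "$1" "$2"
fi
```

An unreadable or corrupt cert.pem is treated the same as an expiring one, so the wrapper errs toward requesting a fresh certificate rather than silently skipping it.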


#4

cheers @kelunik for the clarification

this client is shaping up to be very nice and easy to use indeed ! :+1:


#5

Note that this client requires PHP 7, because it’s awesome. You can always use a local PHP 7 binary if you don’t want to upgrade your whole server (yet).


#6

hmm I ran my tests on PHP 5.5.30 IIRC

I’d have to double check


#7

You didn’t, it’s using return type declarations and yield from. :wink:
https://github.com/kelunik/acme-client/blob/master/src/Commands/Issue.php#L29


#8

oh I must have used a virtualbox snapshot with PHP 7 in place as I was testing my Centmin Mod LEMP stack’s PHP 7 support :smiley:

hmm that might limit the applicability of this client for integration into my LEMP stack installer, it defaults to PHP <7 out of the box although supports PHP 7


#9

The PHP7 requirement is an issue for me as well, so I’m investigating building my own PHP client that works on 5.5+


#10

We could make it PHP 5.5 compatible. yield from ...; can be replaced with yield resolve(...);, type declarations can be dropped, manual parameter checks can be added and all yield expressions have to be put into parentheses when used as expressions.

I would accept a PR changing all that, but my current priority is reworking some things to ensure a solid design first. Please join the Two Crowns room on https://dev.kelunik.com for discussion.


#11

unfortunately no php coder so no PR contributions heh

would be great to have wider PHP support - at least you’d have more testers and feedback from folks using PHP <7 and thus make your acme-client more robust :slight_smile: :wink:


#12

I have it backported to PHP 5.5+ now. Will probably be able to test and push it tomorrow.


#13

sweet goodness @kelunik :+1:


#14

@kelunik, I am implementing ACME capabilities for my work, and heavily rely on the PHP 5.5+ requirement. Are you still open to pull requests on the renew branch? My end goal is to add support for DNS-01 validation with Amazon Route53 in your client.


#15

@kfeutz I guess I’ll have time to finish my (local) changes in the renew branch this Sunday. I didn’t have a look at the DNS-01 challenge yet, but you probably want to add at least a self verification method to https://github.com/kelunik/acme, which is the base library that’s already PHP 5.5+ compatible.

Sorry for the late reply. Opening an issue on GitHub might have been faster. :slight_smile:


#16

New changes are finally in master and tagged as 0.2.0. New changes are incompatible with the old ones of 0.1.0, but can theoretically be easily migrated. But it shouldn’t be too much of a problem just keeping the old client if it works for you, it just doesn’t have the check command.


#17

Could you update or remove the instructions? You could as well just state that they’re for the 0.1.0 version.

There’s a blog post now that explains how things work in 0.2.0: http://blog.kelunik.com/2016/03/13/letsencrypt-php-client.html


#18

The client has been updated and now is as simple as a single configuration file that does it all.

https://github.com/kelunik/acme-client/blob/master/doc/usage.md