A certificate manager for lets-encrypt certificates
LeSSL is a simple gem to authorize for domains and obtaining certificates from the Let's Encrypt CA. Now it's very easy to get free and trusted SSL certificates!
Install from Rubygems:
$ gem install le_ssl
or add it to your Gemfile:
And then run
bundle installand you are ready to go.
Create an instance of the LeSSL Manager:
private_key = OpenSSL::PKey::RSA.new(4096) manager = LeSSL::Manager.new(email: '[email protected]', agree_terms: true, private_key: private_key)
It's recommended to store the contact email and the private key in environment variables because you are just allowed to obtain certificates for domains you are authorized for.
If you have
LESSL_CONTACT_EMAILset, you don't have to pass them to the initializer.
# Example manager = LeSSL::Manager.new(agree_terms: true) # Accepting the terms is enough
The manager registers automatically a new account on the Let's Encrypt servers.
Authorize for a domain now:
Important! Every domain you want to be authorized for must have a valid A record which points to your server IP!
If your domain is properly set up, you should now be authorized for the domain. Be also sure that your Rails server is running.
Obtaining a SSL certificate:
This puts the public and private keys into
config/ssl. Now you just have to configure your webserver to use these certificates and you should be ready for encrypted HTTP.
Note that you have to authorize seperately for subdomains (e.g. www.example.com)!
If the domain isn't pointing to your server, you can also use a DNS TXT verification. Simply pass the option
:challengewith the value
:dnsto the parameters of the
challenge = manager.authorize_for_domain('example.com', challenge: :dns)
Important! Save the returned value into a variable because it's needed to request the verification!
Then create the corresponding DNS TXT record for your domain. (Hint: The
#authorize_for_domainmethod prints the information if you use it from the command line)
Wait a few minutes to be sure that the record was updated by the Let's encrypt servers.
And as last step request the verification for the challenge.
This returns the verification status afterwards.
If this returns
validyou are authorized to obtain a certificate for this domain.
You can tell LeSSL to verify the DNS record automatically. In this way you don't have to worry if the DNS record is already present.
Caution! This option is blocking the thread until the verification is completed!
manager.authorize_for_domain('example.com', challenge: :dns, automatic_verification: true)
By default, LeSSL uses the Google public nameservers (126.96.36.199 and 188.8.131.52) to check the records but you can use also your own ones:
manager.authorize_for_domain('example.com', challenge: :dns, automatic_verification: true, custom_nameservers: 184.108.40.206)
The verification process may take some time, especially if you already have an _acme-challenge TXT record in your DNS table with a higher TTL. If you are able to configure the TTL on your own set it the shortest possible TTL. (E.g. 60 seconds)
You can also skip the automatic registering which is done in the initializer:
manager = LeSSL::Manager.new(agree_terms: true, email: '[email protected]', private_key: private_key, skip_register: true)
To register an account call the
LeSSL uses the staging servers of Let's Encrypt if the Rails environment is set to 'development'.
Ask a question on StackOverflow with the tag 'le-ssl'.
We welcome also other feature request and of course feature pull requests!
Also here we would be thankful for pull requests.
Create pull requests on Github and help us to improve this gem. There are some guidelines to follow:
Copyright (c) 2016 Tobias Feistmantl, MIT license