This is WIP fork of acme-lw adapted for use in Vircadia project:
- curl has been replaced with Qt.
- The API has been completely reworked to support asynchronous operation (interface-implementing split is lost).
- No API for cancellation of the asynchronous operations.
- Error handling is not entirely consistent (exceptions are sometimes passed to callbacks, sometimes thrown).
- No standalone build configuration (full source is included as a submodule in a Qt project).
- ACME External Account Binding
- IP Identifier Validation Extension
- ZeroSSL REST API
This project is yet another Let's Encrypt client. It has the following properties.
The main artifact is a C++ static library.- Functionality only supports creating and updating certificates using http challenges.
- All code runs 'in process', i.e., no processes are spawned.
Building requires cmake, openssl and curl. On Debian based systems this will install them.
apt-get install cmake libssl-dev libcurl4-gnutls-dev
On Red Hat based systems this will do it.
yum install cmake openssl-devel curl-devel
On macOS you'll install prerequisites with your package manager of choice.
To build and install run:
cmake .
make
make install
To run against the Let's Encrypt staging environment generate your makefiles with this.
cmake -D STAGING=ON .
To use any Let's Encrypt client you need to sign requests with your existing Let's Encrypt's account's private key. This library uses a private key in PEM format. If you want to use an existing Let's Encrypt private key, it's in JWK format. The acme-tiny library has good documentation on how to convert it.
The command line client is run as follows.
acme_lw_client <filename of account private key> <domain name> ...
Multiple domain names can be on the command line.
The behavior is similar to the official Let's Encrypt client run as follows:
certbot certonly --manual -d <domain name>
The API of the library is documented in its header file. The command line client source provides an example of how it's used.
All methods report errors by throwing std::exception, which will normally be an instance of acme_lw::AcmeException. Note that this means you should compile your client code and this code with the same compiler and ideally with the same compiler options.
If your code is in main.cpp, something like this will build and link.
g++ main.cpp -lacme_lw -lcurl -lcrypto
The library itself is fairly agnostic about security. It doesn't read or write to disk. If you use the library you'll need to decide for yourself how you want to protect the account private key and the private key associated with the certificates issued.
The command line client writes the certificate and private key to disk, readable only by the current user. It
reads the account private key (in PEM format) from disk, so it needs to be readable by the current user.
You'll need to decide whether that's acceptable and if so which user you want to use. (You probably want to
create one solely for this purpose.)
The certificate issued uses a 2,048 bit RSA key.