A Ruby client for the letsencrypt's ACME protocol.

Charles Barbier 5413c895a6 Merge pull request #70 from nickmcdonnough/master 5 years ago
bin 42a9684309 Clean up bin/* crud and prefer pry in bin/console 5 years ago
lib d6187a6149 Adds RateLimited error class. 5 years ago
spec 35b4984571 Add a missing key in the keystash fixtures 5 years ago
.gitignore 8c4e71f206 Provide a convenience wrapper for CSR generation 5 years ago
.rspec 8c4e71f206 Provide a convenience wrapper for CSR generation 5 years ago
.rubocop.yml dfe8345c7b Fix Rubocop violations and pin Rubocop version 5 years ago
.travis.yml d7e4a85a9e Enable dependency caching on Travis 5 years ago
Gemfile dfe8345c7b Fix Rubocop violations and pin Rubocop version 5 years ago
LICENSE.txt 0ed8c2a141 Initial implementation 6 years ago
README.md 3d7d4ebbd6 Clean up gem loading 5 years ago
Rakefile 17066bb93a Add Rubocop code style check 5 years ago
acme-client.gemspec a0c91c5ad8 Mark required Ruby version 5 years ago



Build Status

acme-client is a client implementation of the ACME protocol in Ruby.

You can find the ACME reference implementations of the server in Go and the client in Python.

ACME is part of the Letsencrypt project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.


Via Rubygems:

$ gem install acme-client

Or add it to a Gemfile:

gem 'acme-client'


Register client

In order to authenticate our client, we have to create an account for it.

# We're going to need a private key.
require 'openssl'
private_key = OpenSSL::PKey::RSA.new(4096)

# We need an ACME server to talk to, see github.com/letsencrypt/boulder
# WARNING: This endpoint is the production endpoint, which is rate limited and will produce valid certificates.
# You should probably use the staging endpoint for all your experimentation:
# endpoint = 'https://acme-staging.api.letsencrypt.org/'
endpoint = 'https://acme-v01.api.letsencrypt.org/'

# Initialize the client
require 'acme-client'
client = Acme::Client.new(private_key: private_key, endpoint: endpoint, connection_options: { request: { open_timeout: 5, timeout: 5 } })

# If the private key is not known to the server, we need to register it for the first time.
registration = client.register(contact: 'mailto:contact@example.com')

# You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)

Authorize for domain

Before you are able to obtain certificates for your domain, you have to prove that you are in control of it.

authorization = client.authorize(domain: 'example.org')

# This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
challenge = authorization.http01

# The http-01 method will require you to respond to a HTTP request.

# You can retrieve the challenge token
challenge.token # => "some_token"

# You can retrieve the expected path for the file.
challenge.filename # => ".well-known/acme-challenge/:some_token"

# You can generate the body of the expected response.
challenge.file_content # => 'string token and JWK thumbprint'

# You are not required to send a Content-Type. This method will return the right Content-Type should you decide to include one.

# Save the file. We'll create a public directory to serve it from, and inside it we'll create the challenge file.
FileUtils.mkdir_p( File.join( 'public', File.dirname( challenge.filename ) ) )

# We'll write the content of the file
File.write( File.join( 'public', challenge.filename), challenge.file_content )

# Optionally save the challenge for use at another time (eg: by a background job processor)
File.write('challenge', challenge.to_h.to_json)

# The challenge file can be served with a Ruby webserver.
# You can run a webserver in another console for that purpose. You may need to forward ports on your router.
# $ ruby -run -e httpd public -p 8080 --bind-address

# Load a saved challenge. This is only required if you need to reuse a saved challenge as outlined above.
challenge = client.challenge_from_hash(JSON.parse(File.read('challenge')))

# Once you are ready to serve the confirmation request you can proceed.
challenge.request_verification # => true
challenge.verify_status # => 'pending'

# Wait a bit for the server to make the request, or just blink. It should be fast.

challenge.verify_status # => 'valid'

Obtain a certificate

Now that your account is authorized for the domain, you should be able to obtain a certificate for it.

# We're going to need a certificate signing request. If not explicitly
# specified, the first name listed becomes the common name.
csr = Acme::Client::CertificateRequest.new(names: %w[example.org www.example.org])

# We can now request a certificate. You can pass anything that returns
# a valid DER encoded CSR when calling to_der on it. For example an
# OpenSSL::X509::Request should work too.
certificate = client.new_certificate(csr) # => #<Acme::Client::Certificate ....>

# Save the certificate and the private key to files
File.write("privkey.pem", certificate.request.private_key.to_pem)
File.write("cert.pem", certificate.to_pem)
File.write("chain.pem", certificate.chain_to_pem)
File.write("fullchain.pem", certificate.fullchain_to_pem)

# Start a webserver, using your shiny new certificate
# ruby -r openssl -r webrick -r 'webrick/https' -e "s = WEBrick::HTTPServer.new(
#   :Port => 8443,
#   :DocumentRoot => Dir.pwd,
#   :SSLEnable => true,
#   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('privkey.pem') ),
#   :SSLCertificate => OpenSSL::X509::Certificate.new( File.read('cert.pem') )); trap('INT') { s.shutdown }; s.start"

Not implemented

  • Recovery methods are not implemented.
  • proofOfPossession-01 is not implemented.


Ruby >= 2.1


All the tests use VCR to mock the interaction with the server but if you need to record new interation against the server simply clone boulder and run it normally with ./start.py.

Pull request?



MIT License