Simple Let’s Encrypt client.
simp_le --email you@example.com -f account_key.json \
-f account_reg.json \
-f fullchain.pem -f key.pem \
-d example.com -d www.example.com --default_root /var/www/html \
-d example.net:/var/www/other_html
For more info see simp_le --help
.
NOTE: this repository is mostly unmaintained; I will review and merge PRs, but I(@zenhack) am no longer using this tool myself and am thus not motivated to otherwise actively develop it.
- @kuba wrote the original https://github.com/kuba/simp_le, at a time when ACME & let's Encrypt were very new; certbot still didn't support nginx, and there was an un-filled niche for a trivial command line ACME client.
- At some point @kuba stopped maintaining simp_le. A few months later bitrot set in, and PRs fixing the problems went unmerged.
- When the breakage began to affect https://zenhack.net, I(@zenhack) forked the project, merged the PRs, fixed CI and began maintaining the tool. This continued for several years.
- I(@zenhack) switched over to using NixOS's acme configuration options, and transitioned the project to its current semi-unmaintained status.
- UNIX philosophy: Do one thing and do it well!
simp_le --valid_min ${seconds?} -f cert.pem
implies thatcert.pem
is valid for at at leastvalid_min
(defaults to 2592000 seconds / 30 days). Register new ACME CA account if necessary. Issue new certificate if no previous key/certificate/chain found. Renew only if necessary.- (Sophisticated) “manager” for
${webroot?}/.well-known/acme-challenge
only. No challenges other thanhttp-01
. Existing web-server must be running already. - No magical webserver auto-configuration.
- Owner of
${webroot?}/.well-known/acme-challenge
must be able to run the script, without privilege escalation (sudo
,root
, etc.). crontab
friendly: fully automatable - no prompts, etc.- No configuration files. CLI flags as the sole interface! Users should write their own wrapper scripts or use shell aliases if necessary.
- Support multiple domains with multiple roots. Always create single
SAN certificate per
simp_le
run. - Flexible storage capabilities. Built-in
simp_le -f fullchain.pem -f key.pem
,simp_le -f chain.pem -f cert.pem -f key.pem
, etc. - Do not allow specifying output file paths. Users should symlink if necessary!
- No need to allow specifying an arbitrary command when renewal has
happened, just check the exit code:
0
if certificate data was created or updated;1
if renewal not necessary;2
in case of errors.
--server
(support multiple ACME v2 CAs).- Support for revocation.
- Implicit agreement to the selected ACME CA's terms of service.
sudo ./bootstrap.sh
./venv.sh
export PATH=$PWD/venv/bin:$PATH
If you want to use simp_le with Docker, have a look at simp_le for Docker.
Have a look at https://github.com/zenhack/simp_le/wiki/Examples for some examples.
If you’re having problems feel free to open an issue to ask questions.
Below is a summary of changes introduced in each release. Any user-visible changes must be recorded here. Note that the topmost entry sometimes represents the next (i.e. not yet released) version.
Releases occur approximately every two months, unless there is a pressing need to do otherwise (e.g. security & serious bug fixes), or no changes have been made since the last release.
- Update python-acme dependency to version 2.0
- Fix a minor standards conformance issue, see #155
- Add missing dependency on the
six
package.
- Add
--use_alt_chain
flag.
- Fix a minor protocol conformance issue.
- Fix some bitrot in the venv.sh script (not applicable unless installing from the git repo).
- Upgrade acme to 1.3 or later.
- Fix a bug where simp_le failed to obtain a cert from BuyPass ACME.
- Upgrade acme to 1.x
- Fix an ACME v2 protocol non-conformity
- Upgrade acme to 0.39.x
Please read these carefully, as this release includes a couple changes that may require changes when upgrading
- Switch from ACME v1 to ACME v2 endpoints support.
Support for ACME v1 endpoints has been dropped entirely.
If you were previously passing the server endpoint via the
--server
flag, you will need to update it to point to a v2 endpoint (or simply remove it, to use Let's Encrypt's default v2 endpoint). - Persist account_reg.json in addition to account_key.json, and recover missing registration info if needed. You will now need to pass a ``-f account_reg.json`` option to simp_le
- Remove the
-f external.sh
feature. - Drop official support for Python 2 and 3.4.
- Add official support for Python 3.7 (in theory it should have worked before, but we are now testing with it).
- Upgrade acme to 0.35.x
- Upgrade acme to 0.33.x
- Upgrade acme to 0.31.x
- Upgrade acme to 0.29.x
- Upgrade acme to 0.27.x
- Upgrade acme to 0.25.x
- Upgrade acme to 0.24.x
- Add a workaround for some installation problems caused by a bug in pip.
- Drop official support for Python 2.6
- Upgrade acme to 0.22.x
- Remove the ToS hash comparison, implicitly agree to CA's ToS if present
- Add check for empty or corrupt cert/key files
- Add some sanity checks for email syntax
- Upgrade acme to 0.20.x
- Implement the future-proofing mentioned in the 0.6.1 release notes. Future TOS changes should not break simp_le >= 0.6.2
- Update the hash for the letsencrypt TOS. The TOS changed on November 15th, which broke previous releases. Future releases will not hard-code the hash, which should avoid this sort of problem in the future.
- Drop official support for Python 3.3.
- Disable self-verification; this was highly unreliable and resulted in spurrious warnings.
- Improve argument sanity-checks and error messages.
- Save account_key.json, even on failures
- Clean temporary challenge files.
- Upgrade acme to 0.19.x
- Add a workaround for some installation problems caused by a bug in pip
- Upgrade acme to 0.17.x
- Upgrade acme to 0.16.x
- Fix a bug where the version number was incorrectly reported
- Upgrade acme to 0.15.x
- Upgrade to acme 0.11.x
- Change the package name; the original maintainer owns the simp_le PyPI package, and hasn't responded to requests to transfer it, so the package name is now 'simp_le-client'.
- First release