
Micro http server whose sole purpose is to answer letsencrypt challenge responses.


ac000/lehttpd


lehttpd is a micro http server with the sole purpose of answering
letsencrypt[0] challenge responses.

Handy for when you are issuing certificates for servers with no running
web server and you don't really want to set one up etc.

Usage is simply a matter of calling lehttpd and telling it where the
letsencrypt challenge directory is. lehttpd simply takes the last path
component of the request and sends that file from the specified directory.

E.g. if it gets the request

    /.well-known/acme-challenge/6rEoXjsdTITO7tJUXj-aXY-RN2CYOF1O6JsgfFqCeUs

it will simply send the file

    6rEoXjsdTITO7tJUXj-aXY-RN2CYOF1O6JsgfFqCeUs
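
An added example (not lehttpd's own code) of the last-path-component lookup described above, with a check that the component looks like an ACME token before it is used as a file name. The function name `challenge_token`, the `TOKEN_MAX` bound and the strict prefix match are assumptions of this example; the base64url alphabet is the one RFC 8555 requires for challenge tokens.

```c
#include <stddef.h>
#include <string.h>

#define ACME_PREFIX "/.well-known/acme-challenge/"
#define TOKEN_MAX   128	/* assumed upper bound on token length */

/* base64url alphabet: A-Z a-z 0-9 '-' '_' (no '.', '/', '%' or padding) */
static int is_base64url(char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	       (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/*
 * Return a pointer to the last path component of url if the request is
 * exactly ACME_PREFIX followed by a plausible token, or NULL if the
 * request should be refused (e.g. answered with a 404).
 */
const char *challenge_token(const char *url)
{
	const size_t plen = strlen(ACME_PREFIX);
	const char *tok;
	size_t len, i;

	if (!url || strncmp(url, ACME_PREFIX, plen) != 0)
		return NULL;

	/* Last path component; the prefix matched, so a '/' exists */
	tok = strrchr(url, '/') + 1;
	if (tok != url + plen)		/* extra components after prefix */
		return NULL;

	len = strlen(tok);
	if (len == 0 || len > TOKEN_MAX)
		return NULL;

	/* Rejects "..", dotfiles and percent-encoding in one pass */
	for (i = 0; i < len; i++)
		if (!is_base64url(tok[i]))
			return NULL;

	return tok;
}
```
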

I use this in conjunction with the C based acme-client[1].

Seeing as all this is meant to be automated, here's what a shell script to
drive this might look like...

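    #!/bin/sh
    #
    # Serve the challenge with lehttpd while acme-client renews the cert

    # Create the challenge directory if it doesn't exist yet
    if [ ! -d /tmp/acme ]; then
            mkdir /tmp/acme
    fi

    # Will run for 60 seconds then terminate
    lehttpd /tmp/acme &

    # Give lehttpd a moment to start listening
    sleep 1

    acme-client -v my.domain.com

    if [ $? -eq 0 ]; then
            # Certificates changed
            systemctl restart service1
            systemctl restart service2
            # ...
    fi

    exit 0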


lehttpd uses libmicrohttpd[2] and should be run as root. Once started, it
chroots to the specified directory and switches to the 'nobody' user. It
will run for 60 seconds then terminate.

On Red Hat/Fedora based systems you will need the libmicrohttpd-devel package
and on Debian it's libmicrohttpd-dev.

Also, if you have libseccomp[3] installed, it will try to make use of the
Linux kernel's seccomp support. This also needs the SCMP_FLTATR_CTL_TSYNC
flag, which is also checked for at run-time.

On Red Hat/Fedora based systems you will need the libseccomp-devel package
and on Debian it's libseccomp-dev.

The libseccomp detection uses pkg-config which on Red Hat et al is either
the pkgconfig or pkgconf-pkg-config package for newer systems. On Debian it's
pkg-config.

This is licensed under the GNU General Public License version 2. See
COPYING.

[0] - https://letsencrypt.org/
[1] - https://git.wolfsden.cz/acme-client-portable
[2] - http://www.gnu.org/software/libmicrohttpd/
[3] - https://github.com/seccomp/libseccomp
