1.2.2 • Published 3 years ago

prauxyssl v1.2.2

License
ISC

PrauxySSL CLI

This is the CLI tool for PrauxySSL, which allows you to automatically renew LetsEncrypt certificates (including wildcards) on platforms that wouldn't normally work, like Google Domains.

Usage

Setup

Install PrauxySSL:

$ npm install prauxyssl -g

Using PrauxySSL is very simple. First, you'll want to grab an API key from PrauxySSL. The free key can have up to 15 different domains. If you need more than that, you can look into licensing a paid subscription. You may also self-host the backend DNS server if you want to. The instructions for that are here.

Once you've obtained this key, let the app know it by specifying the username and key:

# prauxyssl --key username@API_KEY

Now, you need to set up your DNS to point to the PRAUXY servers. For this example, Google Domains will be used as the registrar. Under Custom resource records in the domain settings, add a new record named _acme-challenge of type NS (Nameserver) with the data: ns1.prxy.one

Custom resource record screenshot

If you are trying to obtain a certificate for a subdomain, add the "_acme-challenge." prefix to whatever your subdomain is. Example:

I want to create a certificate for ssl.prauxy.app. To do this, I would create a new resource called "_acme-challenge.ssl" that points to the PRAUXY nameserver, and then point "ssl" to the server running the application.

Make sure to keep the "_acme-challenge" record present for as long as you have the certificate.

Creating your first certificate

PrauxySSL simplifies the entire creation process into one command:

# prauxyssl -d <domain>

Screenshot of the certificate creation command output

This example was run as a dry run; however, the production output is very similar.

Multiple domains under one certificate

Sometimes, you may want to have multiple domains under one certificate. You can accomplish this by comma-separating the domains:

# prauxyssl -d prauxy.app,ssl.prauxy.app

You can add as many domains as LetsEncrypt supports.

Creating a wildcard certificate

One of the most useful features of PrauxySSL is its ability to create and renew wildcard certificates on domains that are hosted on registrars without simple support for them, such as Google Domains. Get started using wildcard certificates by using wildcards in the domain:

# prauxyssl -d kentonvizdos.com,*.kentonvizdos.com

When using wildcards, I put both the main host and the wildcard under one certificate to keep things clean. It might not be the best practice; however, for most people this solution should be OK.
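Before running any of the -d commands above, it helps to confirm that every name in the list is delegated the way the Setup section describes. The following is an added example, not part of PrauxySSL: the function names and the strict "only ns1.prxy.one" rule are assumptions made here, and the live lookup uses the standard dig tool.

```shell
#!/bin/sh
# Added example: pre-flight check of the _acme-challenge NS delegation.
PRAUXY_NS="ns1.prxy.one"   # nameserver given in the Setup section

# challenge_names "a.com,*.a.com": print the record names that must be
# delegated, one per line. A wildcard and its base domain share one name.
challenge_names() {
    printf '%s\n' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' |
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        d=${d#\*.}    # "*.example.com" validates at _acme-challenge.example.com
        d=${d%.}      # drop a trailing root dot
        printf '_acme-challenge.%s\n' "$d"
    done | sort -u
}

# ns_matches "<NS answer>": succeed only if the NS set is exactly PRAUXY_NS.
# Any other or additional nameserver could also answer ACME challenges.
ns_matches() {
    got=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u)
    [ "$got" = "$PRAUXY_NS" ]
}

# lookup_ns NAME: live lookup. Assumption: the resolver returns the NS set for
# the delegated name; if it comes back empty, ask the parent zone's nameserver.
lookup_ns() { dig +short NS "$1"; }

# check_delegation "<-d list>": report each name, return 1 if any is wrong.
check_delegation() {
    rc=0
    for name in $(challenge_names "$1"); do
        if ns_matches "$(lookup_ns "$name")"; then
            echo "OK       $name -> $PRAUXY_NS"
        else
            echo "MISSING  $name is not delegated solely to $PRAUXY_NS"
            rc=1
        fi
    done
    return $rc
}

# Run as: sh check.sh 'kentonvizdos.com,*.kentonvizdos.com'
if [ "$#" -gt 0 ]; then check_delegation "$1"; fi
```

The same check is useful later as a periodic audit, since the "_acme-challenge" record has to stay in place for as long as the certificate is in use.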

Command parameters

| Parameter | Type | Usage |
| --- | --- | --- |
| -d, --domain | String | The domain(s) for which you would like to generate an SSL certificate (comma separated, no spaces). |
| -k, --key | String | This specifies the PRAUXY API key to authorize with the servers. |
| -f, --forcerenew | Boolean | In some cases, you may need to forcefully renew a certificate before it is required. This allows you to do so. |
| -v, --verbose | Boolean | If enabled, LetsEncrypt logs will be displayed in the console. Very useful for debugging. |
| -l, --local | Boolean | If you run a self-hosted DNS server deployment on the same server as your web server, toggle this. |
| -u, --dryrun | Boolean | More info below. |

Dry running

Sometimes, it's useful to test a deployment before you try to create the certificate. To do this, append the -u or --dryrun parameter to the command. While this is useful for testing purposes (as it does not count against your primary LetsEncrypt rate limit), it can also be used to get pre-existing certificates into the auto-renewal system.

Renewing domains

Renewal is where PrauxySSL shines. No matter what domain registrar you have, you can renew all of your domains using the following command:

# prauxyssl --renew

That's it! Assuming you have some certificates created, you should see an output that displays the status of all of your certificates:

Screenshot of the certificate overview

If a certificate happens to be up for renewal (after 60 days of creation), it will also inform you. Below, the example is run as a dry run for demonstration purposes:

Screenshot of the certificate overview

If it's been a while since you've run the renew command and you have ended up with expired certificates (after 90 days from creation), the system will let you know and automatically renew them:

Screenshot of the certificate overview

It is important to note that these renewals are based on the PRAUXY cache database, located at ~/.prauxyssl/domains.json. This means that the renewal date will always be correct, so long as you only ever use PrauxySSL to manage it. Worst case scenario, you can use a dry run to fix the date if you made manual adjustments.

Setting up auto-renewal

Auto-renewal protection should be enabled as soon as possible. This will let PrauxySSL verify certificates daily, and if they need renewing, it will automatically do so without any human intervention.

For this example, cronjobs will be used to automate the renewal command. To create this cronjob, run sudo crontab -e. Once you are in the crontab file, append the following to the bottom of the file:

0 2 * * * prauxyssl --renew

The crontab above will run the renewal command every day at 2am. Assuming everything was set up properly to this point, PrauxySSL will now automatically renew your domains. No more renewal headaches, wahoo!

1.2.2

3 years ago

1.2.1

3 years ago

1.2.0

3 years ago

1.1.0

3 years ago

1.0.0

3 years ago