aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-06-14 01:12:08 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-14 01:12:08 +0200
commitefde1af7077cff081a3dd9cb28b5896e6e9ed25a (patch)
tree4657dc076b8844a9e8960789177bb9cd584e3599
parent76b9e800da0c7dd88a55fa9dac153c513e6e7748 (diff)
parentc0849fb8b99216e9b2e20132296253f1ee905193 (diff)
Merge branch 'master' into debian
-rw-r--r--Makefile50
-rw-r--r--README60
-rwxr-xr-xclient8
-rw-r--r--config/lacme-accountd.conf (renamed from config/letsencrypt-accountd.conf)4
-rw-r--r--config/lacme-certs.conf (renamed from config/letsencrypt-certs.conf)2
-rw-r--r--config/lacme.conf (renamed from config/letsencrypt.conf)24
-rwxr-xr-xlacme (renamed from letsencrypt)23
-rwxr-xr-xlacme-accountd (renamed from letsencrypt-accountd)10
-rw-r--r--lacme-accountd.md143
-rw-r--r--lacme.md355
-rw-r--r--letsencrypt-accountd.1153
-rw-r--r--letsencrypt.1370
12 files changed, 602 insertions, 600 deletions
diff --git a/Makefile b/Makefile
index 7fd32f8..ad586ab 100644
--- a/Makefile
+++ b/Makefile
@@ -1,15 +1,41 @@
-all:
-
-install:
- install -d $(DESTDIR)/etc/letsencrypt-tiny
- install -m0644 -t $(DESTDIR)/etc/letsencrypt-tiny config/*.conf
- install -d $(DESTDIR)/usr/share/letsencrypt-tiny
- install -m0644 -t $(DESTDIR)/usr/share/letsencrypt-tiny lets-encrypt-x[1-4]-cross-signed.pem
- install -d $(DESTDIR)/usr/lib/letsencrypt-tiny
- install -m0755 -t $(DESTDIR)/usr/lib/letsencrypt-tiny client webserver
+MANPAGES = lacme-accountd.1 lacme.1
+
+all: ${MANPAGES}
+
+# upper case the headers and remove the links
+%.1: %.md
+ @pandoc -S -f markdown -t json "$<" | \
+ jq ".[1][] |= if .t == \"Header\" then .c[2][] |= (if .t == \"Str\" then .c |= ascii_upcase else . end) else . end" | \
+ jq " \
+ def fixit: \
+ if type == \"object\" then \
+ if .t == \"Link\" then \
+ if .c[2][0][0:7] == \"mailto:\" then . else .c[1][] end \
+ else \
+ map_values(fixit) \
+ end \
+ else if type == \"array\" then \
+ map(fixit) \
+ else \
+ . \
+ end \
+ end; \
+ map(fixit)" | \
+ pandoc -sS -f json -t man -o "$@"
+
+install: ${MANPAGES}
+ install -d $(DESTDIR)/etc/lacme
+ install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf
+ install -d $(DESTDIR)/usr/share/lacme
+ install -m0644 -t $(DESTDIR)/usr/share/lacme lets-encrypt-x[1-4]-cross-signed.pem
+ install -d $(DESTDIR)/usr/lib/lacme
+ install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver
install -d $(DESTDIR)/usr/share/man/man1
- install -m0644 -t $(DESTDIR)/usr/share/man/man1 letsencrypt-accountd.1 letsencrypt.1
+ install -m0644 -t $(DESTDIR)/usr/share/man/man1 lacme-accountd.1 lacme.1
install -d $(DESTDIR)/usr/bin
- install -m0644 -t $(DESTDIR)/usr/bin letsencrypt-accountd letsencrypt
+ install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd lacme
+
+clean:
+ rm -vf ${MANPAGES}
-.PHONY: all install
+.PHONY: all install clean
diff --git a/README b/README
index 37c531a..ea8cc66 100644
--- a/README
+++ b/README
@@ -1,29 +1,6 @@
-Requesting new Certificate Issuance with the ACME protocol generally
-works as follows:
-
- 1. Generate a Certificate Signing Request. This requires access to
- the private part of the server key.
- 2. Issue an issuance request against the ACME server.
- 3. Answer the ACME Identifier Validation Challenges. The challenge
- type "http-01" requires a webserver to listen on port 80 for each
- address for which an authorization request is issued; if there is
- no running webserver, root privileges are required to bind against
- port 80 and to install firewall rules to temporarily open the port.
- 4. Install the certificate (after verification) and restart the
- service. This usually requires root access as well.
-
-Steps 1,3,4 need to be run on the host for which an authorization
-request is issued. However the the issuance itself (step 2) could be
-done from another machine. Furthermore, each ACME command (step 2), as
-well as the key authorization token in step 3, need to be signed using
-an account key. The account key can be stored on another machine, or
-even on a smartcard.
-
-_______________________________________________________________________
-
-letsencrypt is a tiny ACME client written with process isolation and
-minimal privileges in mind. It is divided into four components, each
-with its own executable:
+lacme is a small ACME client written with process isolation and minimal
+privileges in mind. It is divided into four components, each with its
+own executable:
* A process to manage the account key and issue SHA-256 signatures
needed for each ACME command. (This process binds to a UNIX-domain
@@ -50,17 +27,40 @@ with its own executable:
port. (The only challenge type currently supported is "http-01",
which requires a webserver to answer challenges.) That webserver
only processes GET and HEAD requests under the
- "/.well-known/acme-challenge/" URI. By default some iptables(1)
+ "/.well-known/acme-challenge/" URI. By default some iptables(8)
rules are automatically installed to open the HTTP port, and removed
afterwards.
Consult the manuals for more information.
- https://guilhem.org/man/letsencrypt.1.html
- https://guilhem.org/man/letsencrypt-accountd.1.html
+ https://guilhem.org/man/lacme.1.html
+ https://guilhem.org/man/lacme-accountd.1.html
+
+_______________________________________________________________________
+
+Requesting new Certificate Issuance with the ACME protocol generally
+works as follows:
+
+ 1. Generate a Certificate Signing Request. This requires access to
+ the private part of the server key.
+ 2. Issue an issuance request against the ACME server.
+ 3. Answer the ACME Identifier Validation Challenges. The challenge
+ type "http-01" requires a webserver to listen on port 80 for each
+ address for which an authorization request is issued; if there is
+ no running webserver, root privileges are required to bind against
+ port 80 and to install firewall rules to temporarily open the port.
+ 4. Install the certificate (after verification) and restart the
+ service. This usually requires root access as well.
+
+Steps 1,3,4 need to be run on the host for which an authorization
+request is issued. However the the issuance itself (step 2) could be
+done from another machine. Furthermore, each ACME command (step 2), as
+well as the key authorization token in step 3, need to be signed using
+an account key. The account key can be stored on another machine, or
+even on a smartcard.
_______________________________________________________________________
-letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and
+lacme is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and
licensed for use under the GNU General Public License version 3 or
later. See ‘COPYING’ for specific terms and distribution information.
diff --git a/client b/client
index 70150ca..409fc62 100755
--- a/client
+++ b/client
@@ -24,9 +24,9 @@ use warnings;
# Usage: client COMMAND CONFIG_FD SOCKET_FD [ARGUMENTS]
#
# fdopen(3) the file descriptor SOCKET_FD (corresponding to the
-# listening letsencrypt-accountd socket), connect(2) to it to retrieve
-# the account key's public parameters and later send data to be signed
-# by the master component (using the account key).
+# listening lacme-accountd socket), connect(2) to it to retrieve the
+# account key's public parameters and later send data to be signed by
+# the master component (using the account key).
#
# CONFIG_FD is a read-only file descriptor associated with the
# configuration file at pos 0. (This is needed since this process
@@ -66,7 +66,7 @@ open my $S, '+<&=', $1 or die "fdopen $1: $!";
#############################################################################
# Read the protocol version and JSON Web Key (RFC 7517) from the
-# letsencrypt-accountd socket
+# lacme-accountd socket
#
die "Error: Invalid client version\n" unless
$S->getline() =~ /\A(\d+) OK(?:.*)\r\n\z/ and $1 == $PROTOCOL_VERSION;
diff --git a/config/letsencrypt-accountd.conf b/config/lacme-accountd.conf
index c372190..0a8b81a 100644
--- a/config/letsencrypt-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -17,10 +17,10 @@
# for signature requests from the ACME client. An error is raised if
# the path exists exists or if its parent directory is writable by other
# users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR
# environment variable is set.
#
-#socket = /run/user/1000/S.letsencrypt
+#socket = /run/user/1000/S.lacme
# Be quiet. Possible values: "Yes"/"No".
#
diff --git a/config/letsencrypt-certs.conf b/config/lacme-certs.conf
index 2ee9b20..fbce5e2 100644
--- a/config/letsencrypt-certs.conf
+++ b/config/lacme-certs.conf
@@ -26,7 +26,7 @@
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
-#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem
+#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
diff --git a/config/letsencrypt.conf b/config/lacme.conf
index 1502020..edcbbb0 100644
--- a/config/letsencrypt.conf
+++ b/config/lacme.conf
@@ -1,23 +1,23 @@
# For certificate issuance (new-cert command), specify the certificate
# configuration file to use
#
-#config-certs = config/letsencrypt-certs.conf
+#config-certs = config/lacme-certs.conf
[client]
-# The value of "socket" specifies the letsencrypt-accountd(1)
-# UNIX-domain socket to connect to for signature requests from the ACME
-# client. letsencrypt aborts if the socket is readable or writable by
-# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
-# environment variable is set.
+# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
+# socket to connect to for signature requests from the ACME client.
+# lacme aborts if the socket is readable or writable by other users, or
+# if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
+# variable is set.
#
-#socket = /run/user/1000/S.letsencrypt
+#socket = /run/user/1000/S.lacme
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
# Default: "nobody".
#
-#user = letsencrypt
+#user = lacme
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
@@ -26,7 +26,7 @@
#group = nogroup
# Path to the ACME client executable.
-#command = /usr/lib/letsencrypt-tiny/client
+#command = /usr/lib/lacme/client
# Root URI of the ACME server. NOTE: Use the staging server for testing
# as it has relaxed ratelimit.
@@ -75,11 +75,11 @@
#user = www-data
# Path to the ACME webserver executable.
-#command = /usr/lib/letsencrypt-tiny/webserver
+#command = /usr/lib/lacme/webserver
# Whether to automatically install iptables(1) rules to open the
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once letsencrypt exits.
+# removed once lacme(1) exits.
#
#iptables = Yes
diff --git a/letsencrypt b/lacme
index d11b569..12fb181 100755
--- a/letsencrypt
+++ b/lacme
@@ -1,7 +1,7 @@
#!/usr/bin/perl -T
#----------------------------------------------------------------------
-# Let's Encrypt ACME client
+# ACME client
# Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
@@ -22,7 +22,7 @@ use strict;
use warnings;
our $VERSION = '0.0.1';
-my $NAME = 'letsencrypt';
+my $NAME = 'lacme';
use Errno qw/EADDRINUSE EINTR/;
use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/;
@@ -71,8 +71,8 @@ $COMMAND = $COMMAND =~ /\A(new-reg|reg=\p{Print}*|new-cert|revoke-cert)\z/ ? $1
do {
my $conffile = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
- , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf"
- , "/etc/letsencrypt-tiny/$NAME.conf"
+ , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
+ , "/etc/lacme/$NAME.conf"
);
die "Error: Can't find configuration file\n" unless defined $conffile;
print STDERR "Using configuration file: $conffile\n" if $OPTS{debug};
@@ -84,10 +84,10 @@ do {
my $defaults = delete $h->{_} // {};
my %valid = (
client => {
- socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef),
+ socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef),
user => 'nobody',
group => 'nogroup',
- command => '/usr/lib/letsencrypt-tiny/client',
+ command => '/usr/lib/lacme/client',
# the rest is for the ACME client
map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
},
@@ -96,7 +96,7 @@ do {
'challenge-directory' => '/var/www/acme-challenge',
user => 'www-data',
group => 'www-data',
- command => '/usr/lib/letsencrypt-tiny/webserver',
+ command => '/usr/lib/lacme/webserver',
iptables => 'Yes'
}
@@ -399,7 +399,7 @@ sub acme_client($@) {
die "Error: insecure permissions on $dirname\n" if ($stat[2] & 0022) != 0;
# ensure we're the only user with read/write access to the socket
- @stat = stat($sockname) or die "Can't stat $sockname: $! (Is letsencrypt-accountd running?)\n";
+ @stat = stat($sockname) or die "Can't stat $sockname: $! (Is lacme-accountd running?)\n";
die "Error: insecure permissions on $sockname\n" if ($stat[2] & 0066) != 0;
# connect(2) to the socket
@@ -515,14 +515,15 @@ if ($COMMAND eq 'new-reg' or $COMMAND =~ /^reg=/) {
# new-cert [SECTION ..]
# TODO: renewal without the account key, see
# https://github.com/letsencrypt/acme-spec/pull/168
+# https://github.com/letsencrypt/acme-spec/issues/191
#
elsif ($COMMAND eq 'new-cert') {
my $conf;
do {
my $conffile = $OPTS{'config-certs'} // $CONFIG->{_}->{'config-certs'} // first { -f $_ }
( "./$NAME-certs.conf"
- , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME-certs.conf"
- , "/etc/letsencrypt-tiny/$NAME-certs.conf"
+ , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME-certs.conf"
+ , "/etc/lacme/$NAME-certs.conf"
);
die "Error: Can't find certificate configuration file\n" unless defined $conffile;
my $h = Config::Tiny::->read($conffile) or die Config::Tiny::->errstr()."\n";
@@ -604,7 +605,7 @@ elsif ($COMMAND eq 'new-cert') {
};
# verify certificate validity against the CA
- $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem';
+ $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem';
if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
qw/-purpose sslserver -x509_strict/)) {
print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
diff --git a/letsencrypt-accountd b/lacme-accountd
index ffc5619..2bc648f 100755
--- a/letsencrypt-accountd
+++ b/lacme-accountd
@@ -1,7 +1,7 @@
#!/usr/bin/perl -T
#----------------------------------------------------------------------
-# Let's Encrypt ACME client (account key manager)
+# ACME client (account key manager)
# Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
@@ -23,7 +23,7 @@ use warnings;
our $VERSION = '0.0.1';
my $PROTOCOL_VERSION = 1;
-my $NAME = 'letsencrypt-accountd';
+my $NAME = 'lacme-accountd';
use Errno 'EINTR';
use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;
@@ -64,8 +64,8 @@ usage(0) if $OPTS{help};
do {
my $conffile = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
- , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf"
- , "/etc/letsencrypt-tiny/$NAME.conf"
+ , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
+ , "/etc/lacme/$NAME.conf"
);
die "Error: Can't find configuration file\n" unless defined $conffile;
print STDERR "Using configuration file: $conffile\n" if $OPTS{debug};
@@ -137,7 +137,7 @@ $JWK = JSON::->new->encode($JWK);
# delete the file manually.
#
do {
- my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef);
+ my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef);
die "Missing socket option\n" unless defined $sockname;
$sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname
diff --git a/lacme-accountd.md b/lacme-accountd.md
new file mode 100644
index 0000000..54b0ed7
--- /dev/null
+++ b/lacme-accountd.md
@@ -0,0 +1,143 @@
+% lacme-accountd(1)
+% [Guilhem Moulin](mailto:guilhem@fripost.org)
+% March 2016
+
+Name
+====
+
+lacme-accountd - [ACME] client (account key manager)
+
+Synopsis
+========
+
+`lacme-accountd` [`--config=FILENAME`] [`--privkey=ARG`] [`--socket=PATH`] [`--quiet`]
+
+Description
+===========
+
+`lacme-accountd` is the account key manager component of [`lacme`(1)], a
+small [ACME] client written with process isolation and minimal
+privileges in mind. No other [`lacme`(1)] component needs access to the
+account key; in fact the account key could as well be stored on another
+host or a smartcard.
+
+`lacme-accountd` binds to a UNIX-domain socket (specified with
+`--socket=`), which [ACME] clients can connect to in order to request
+data signatures.
+As a consequence, `lacme-accountd` needs to be up and running before
+using [`lacme`(1)] to issue [ACME] commands. Also, the process does not
+automatically terminate after the last signature request: instead, one
+sends an `INT` or `TERM` [`signal`(7)] to bring the server down.
+
+Furthermore, one can use the UNIX-domain socket forwarding facility of
+[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(1)] on
+different hosts. For instance one could store the account key on a
+machine that is not exposed to the internet. See the
+**[examples](#examples)** section below.
+
+Options
+=======
+
+`--config=`*filename*
+
+: Use *filename* as configuration file. See the **[configuration
+ file](#configuration-file)** section below for the configuration
+ options.
+
+`--privkey=`*arg*
+
+: Specify the (private) account key to use for signing requests.
+ Currently supported *arg*uments are:
+
+ * `file:`*FILE*, to specify an encrypted private key (in PEM
+ format); and
+ * `gpg:`*FILE*, to specify a [`gpg`(1)]-encrypted private key (in
+ PEM format).
+
+ The following command can be used to generate a new 4096-bits RSA
+ key in PEM format with mode 0600:
+
+ openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
+
+`-socket=`*path*
+
+: Use *path* as the UNIX-domain socket to bind against for signature
+ requests from the [ACME] client. `lacme-accountd` aborts if *path*
+ exists or if its parent directory is writable by other users.
+
+`-?`, `--help`
+
+: Display a brief help and exit.
+
+`-q`, `--quiet`
+
+: Be quiet.
+
+`--debug`
+
+: Turn on debug mode.
+
+Configuration file
+==================
+
+If `--config=` is not given, `lacme-accountd` uses the first existing
+configuration file among *./lacme-accountd.conf*,
+*$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or
+*~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME`
+environment variable is not set), and */etc/lacme/lacme-accountd.conf*.
+
+When given on the command line, the `--privkey=`, `--socket=` and
+`--quiet` options take precedence over their counterpart (without
+leading `--`) in the configuration file. Valid options are:
+
+*privkey*
+
+: See `--privkey=`. This option is required when `--privkey=` is not
+ specified on the command line.
+
+*gpg*
+
+: For a [`gpg`(1)]-encrypted private account key, specify the binary
+ [`gpg`(1)] to use, as well as some default options.
+ Default: `gpg --quiet`.
+
+*socket*
+
+: See `--socket=`.
+ Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR`
+ environment variable is set.
+
+*quiet*
+
+: Be quiet. Possible values: `Yes`/`No`.
+
+Examples
+========
+
+Run `lacme-accountd` in a first terminal:
+
+ ~$ lacme-accountd --privkey=file:/path/to/priv.key --socket=/run/user/1000/S.lacme
+
+Then, while `lacme-accountd` is running, execute locally [`lacme`(1)] in
+another terminal:
+
+ ~$ sudo lacme --socket=/run/user/1000/S.lacme new-cert
+
+Alternatively, use [OpenSSH] 6.7 or later to forward the socket and
+execute [`lacme`(1)] remotely:
+
+ ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.lacme user@example.org \
+ sudo lacme --socket=/path/to/remote.sock new-cert
+
+
+See also
+========
+
+[`lacme`(1)], [`ssh`(1)]
+
+[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
+[`lacme`(1)]: lacme.1.html
+[`signal`(7)]: http://linux.die.net/man/7/signal
+[`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+[OpenSSH]: http://www.openssh.com/
+[`ssh`(1)]: http://man.openbsd.org/ssh
diff --git a/lacme.md b/lacme.md
new file mode 100644
index 0000000..a16f23d
--- /dev/null
+++ b/lacme.md
@@ -0,0 +1,355 @@
+% lacme(1)
+% [Guilhem Moulin](mailto:guilhem@fripost.org)
+% December 2015
+
+Name
+====
+
+lacme - [ACME] client
+
+Synopsis
+========
+
+`lacme` [`--config=FILENAME`] [`--socket=PATH`] [*OPTION* …] *COMMAND* [*ARGUMENT* …]
+
+Description
+===========
+
+`lacme` is a small [ACME] client written with process isolation and
+minimal privileges in mind. It is divided into four components, each
+with its own executable:
+
+ 1. A [`lacme-accountd`(1)] process to manage the account key and issue
+ SHA-256 signatures needed for each [ACME] command. (This process
+ binds to a UNIX-domain socket to reply to signature requests from
+ the [ACME] client.)
+ One can use the UNIX-domain socket forwarding facility of OpenSSH
+ 6.7 and later to run [`lacme-accountd`(1)] and `lacme` on different
+ hosts.
+
+ 2. A “master” `lacme` process, which runs as root and is the only
+ component with access to the private key material of the server
+ keys. It is used to fork the [ACME] client (and optionally the
+ [ACME] webserver) after dropping root privileges.
+ For certificate issuances (`new-cert` command), it also generates
+ Certificate Signing Requests, then verifies the validity of the
+ issued certificate, and optionally reloads or restarts services when
+ the *notify* option is set.
+
+ 3. An actual [ACME] client (specified with the *command* option of the
+ [`[client]` section](#client-section) of the configuration file),
+ which builds [ACME] commands and dialogues with the remote [ACME]
+ server.
+ Since [ACME] commands need to be signed with the account key, the
+ “master” `lacme` process passes the [`lacme-accountd`(1)]
+ UNIX-domain socket to the [ACME] client: data signatures are
+ requested by writing the data to be signed to the socket.
+
+ 4. For certificate issuances (`new-cert` command), an optional
+ webserver (specified with the *command* option of the [`[webserver]`
+ section](#webserver-section) of the configuration file), which is
+ spawned by the “master” `lacme` process when no service is listening
+ on the HTTP port. (The only challenge type currently supported by
+ `lacme` is `http-01`, which requires a webserver to answer
+ challenges.) That webserver only processes `GET` and `HEAD` requests
+ under the `/.well-known/acme-challenge/` URI.
+ By default some [`iptables`(8)] rules are automatically installed to
+ open the HTTP port, and removed afterwards.
+
+Commands
+========
+
+`lacme` [`--agreement-uri=`*URI*] `new-reg` [*CONTACT* …]
+
+: Register the account key managed by [`lacme-accountd`(1)]. A list
+ of *CONTACT* information (such as `maito:` URIs) can be specified in
+ order for the server to contact the client for issues related to
+ this registration (such as notifications about server-initiated
+ revocations).
+
+ `--agreement-uri=` can be used to specify a *URI* referring to a
+ subscriber agreement or terms of service provided by the server;
+ adding this options indicates the client's agreement with the
+ referenced terms. Note that the server might require the client to
+ agree to subscriber agreement before performing any further actions.
+
+ If the account key is already registered, `lacme` prints the URI of
+ the existing registration and aborts.
+
+`lacme` [`--agreement-uri=`*URI*] `reg=`*URI* [*CONTACT* …]
+
+: Dump or edit the registration *URI* (relative to the [ACME] server
+ URI, which is specified with the *server* option of the [`[client]`
+ section](#client-section) of the configuration file).
+
+ When specified, the list of *CONTACT* information and the agreement
+ *URI* are sent to the server to replace the existing values.
+
+`lacme` [`--config-certs=`*FILE*] `new-cert` [*SECTION* …]
+
+: Read the certificate configuration *FILE* (see the **[certificate
+ configuration file](#certificate-configuration-file)** section below
+ for the configuration options), and request new Certificate Issuance
+ for each of its sections (or the given list of *SECTION*s).
+
+`lacme` `revoke-cert` *FILE* [*FILE* …]
+
+: Request that the given certificate(s) *FILE*(s) be revoked. For
+ this command, [`lacme-accountd`(1)] can be pointed to either the
+ account key or the server's private key.
+
+Generic options
+===============
+
+`--config=`*filename*
+
+: Use *filename* as configuration file. See the **[configuration
+ file](#configuration-file)** section below for the configuration
+ options.
+
+`--socket=`*path*
+
+: Use *path* as the [`lacme-accountd`(1)] UNIX-domain socket to
+ connect to for signature requests from the [ACME] client. `lacme`
+ aborts if `path` is readable or writable by other users, or if its
+ parent directory is writable by other users. This overrides the
+ *socket* option of the [`[client]` section](#client-section) of the
+ configuration file.
+
+`-?`, `--help`
+
+: Display a brief help and exit.
+
+`--debug`
+
+: Turn on debug mode.
+
+Configuration file
+==================
+
+If `--config=` is not given, `lacme` uses the first existing
+configuration file among *./lacme.conf*,
+*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if
+the `XDG_CONFIG_HOME` environment variable is not set), and
+*/etc/lacme/lacme.conf*.
+Valid options are:
+
+Default section
+---------------
+
+*config-certs*
+
+: For certificate issuances (`new-cert` command), specify the
+ certificate configuration file to use (see the **[certificate
+ configuration file](#certificate-configuration-file)** section below
+ for the configuration options).
+
+`[client]` section
+------------------
+
+This section is used for configuring the [ACME] client (which takes care
+of [ACME] commands and dialogues with the remote [ACME] server).
+
+*socket*
+
+: See `--socket=`.
+ Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR`
+ environment variable is set.
+
+*user*
+
+: The username to drop privileges to (setting both effective and real
+ uid). Preserve root privileges if the value is empty (not
+ recommended).
+ Default: `nobody`.
+
+*group*
+
+: The groupname to drop privileges to (setting both effective and real
+ gid, and also setting the list of supplementary gids to that single
+ group). Preserve root privileges if the value is empty (not
+ recommended).
+ Default: `nogroup`.
+
+*command*
+
+: Path to the [ACME] client executable.
+ Default: `/usr/lib/lacme/client`.
+
+*server*
+
+: Root URI of the [ACME] server.
+ Default: `https://acme-v01.api.letsencrypt.org/`.
+
+*timeout*
+
+: Timeout in seconds after which the client stops polling the [ACME]
+ server and considers the request failed.
+ Default: `10`.
+
+*SSL_verify*
+
+: Whether to verify the server certificate chain.
+ Default: `Yes`.
+
+*SSL_version*
+
+: Specify the version of the SSL protocol used to transmit data.
+
+*SSL_cipher_list*
+
+: Specify the cipher list for the connection, see [`ciphers`(1ssl)]
+ for more information.
+
+`[webserver]` section
+---------------------
+
+This section is used for configuring the [ACME] webserver.
+
+*listen*
+
+: Specify the local address to listen on, in the form
+ `ADDRESS[:PORT]`. If `ADDRESS` is enclosed with brackets ‘[’/‘]’
+ then it denotes an IPv6; an empty `ADDRESS` means `0.0.0.0`.
+ Default: `:80`.
+
+*challenge-directory*
+
+: If a webserver is already running, specify a non-existent directory
+ under which the webserver is configured to serve `GET` requests for
+ challenge files under `/.well-known/acme-challenge/` (for each
+ virtual hosts requiring authorization) as static files.
+ Default: `/var/www/acme-challenge`.
+
+*user*
+
+: The username to drop privileges to (setting both effective and real
+ uid). Preserve root privileges if the value is empty (not
+ recommended).
+ Default: `www-data`.
+
+*group*
+
+: The groupname to drop privileges to (setting both effective and real
+ gid, and also setting the list of supplementary gids to that single
+ group). Preserve root privileges if the value is empty (not
+ recommended).
+ Default: `www-data`.
+
+*command*
+
+: Path to the [ACME] webserver executable.
+ Default: `/usr/lib/lacme/webserver`.
+
+*iptables*
+
+: Whether to automatically install [`iptables`(8)] rules to open the
+ `ADDRESS[:PORT]` specified with *listen*. Theses rules are
+ automatically removed once `lacme` exits.
+ Default: `Yes`.
+
+Certificate configuration file
+==============================
+
+For certificate issuances (`new-cert` command), a separate file is used
+to configure paths to the certificate and key, as well as the subject,
+subjectAltName, etc. to generate Certificate Signing Requests.
+If `--config-certs=` is not given, and if the `config-certs`
+configuration option is absent, then `lacme` uses the first existing
+configuration file among *./lacme-certs.conf*,
+*$XDG_CONFIG_HOME/lacme/lacme-certs.conf* (or
+*~/.config/lacme/lacme-certs.conf* if the `XDG_CONFIG_HOME` environment
+variable is not set), and */etc/lacme/lacme-certs.conf*.
+Each section denotes a separate certificate issuance.
+Valid options are:
+
+*certificate*
+
+: Where to store the issued certificate (in PEM format).
+ At least one of *certificate* or *certificate-chain* is required.
+
+*certificate-chain*
+
+: Where to store the issued certificate, concatenated with the content
+ of the file specified specified with the *CAfile* option (in PEM
+ format).
+ At least one of *certificate* or *certificate-chain* is required.
+
+*certificate-key*
+
+: Path the service's private key. This option is required. The
+ following command can be used to generate a new 4096-bits RSA key in
+ PEM format with mode 0600:
+
+ openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
+
+*min-days*
+
+: For an existing certificate, the minimum number of days before its
+ expiration date the section is considered for re-issuance.
+ Default: `10`.
+
+*CAfile*
+
+: Path to the issuer's certificate. This is used for
+ *certificate-chain* and to verify the validity of each issued
+ certificate.
+ Specifying an empty value skip certificate validation.
+ Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`.
+
+*hash*
+
+: Message digest algorithm to sign the Certificate Signing Request
+ with.
+
+*keyUsage*
+
+: Comma-separated list of Key Usages, see [`x509v3_config`(5ssl)].
+
+*subject*
+
+: Subject field of the Certificate Signing Request, in the form
+ `/type0=value0/type1=value1/type2=…`. This option is required.
+
+*subjectAltName*
+
+: Comma-separated list of Subject Alternative Names, in the form
+ `type0:value1,type1:value1,type2:…`
+ The only `type` currently supported is `DNS`, to specify an
+ alternative domain name.
+
+*chown*
+
+: An optional `username[:groupname]` to chown the issued *certificate*
+ and *certificate-chain* with.
+
+*chmod*
+
+: An optional octal mode to chmod the issued *certificate* and
+ *certificate-chain* with.
+
+*notify*
+
+: Command to pass the the system's command shell (`/bin/sh -c`)
+ after successful installation of the *certificate* and/or
+ *certificate-chain*.
+
+Examples
+========
+
+ ~$ sudo lacme new-reg mailto:noreply@example.com
+ ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
+ ~$ sudo lacme new-cert
+ ~$ sudo lacme revoke-cert /path/to/server/certificate.pem
+
+
+See also
+========
+
+[`lacme-accountd`(1)]
+
+[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
+[`lacme-accountd`(1)]: lacme-accountd.1.html
+[`iptables`(8)]: http://linux.die.net/man/8/iptables
+[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
+[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1
deleted file mode 100644
index a06cdcc..0000000
--- a/letsencrypt-accountd.1
+++ /dev/null
@@ -1,153 +0,0 @@
-.TH LETSENCRYPT\-ACCOUNTD "1" "MARCH 2016" "Tiny Let's Encrypt ACME client (account key manager)" "User Commands"
-
-.SH NAME
-letsencrypt\-accountd \- Tiny Let's Encrypt ACME client (account key manager)
-
-.SH SYNOPSIS
-.B letsencrypt\-accountd\fR [\fB\-\-config=\fIFILENAME\fR]
-[\fB\-\-privkey=\fIARG\fR] [\fB\-\-socket=\fIPATH\fR] [\fB\-\-quiet\fR]
-
-
-.SH DESCRIPTION
-.PP
-.B letsencrypt\-accountd\fR is the account key manager component of
-\fIletsencrypt\fR(1), a tiny ACME client written with process isolation
-and minimal privileges in mind. No other \fIletsencrypt\fR(1) component
-need access to the account key; in fact the account key could also be
-stored on a smartcard.
-
-.B letsencrypt\-accountd\fR binds to a UNIX\-domain socket (specified
-with \fB\-\-socket=\fR), which ACME clients can connect to in order to
-request data signatures.
-As a consequence, \fBletsencrypt\-accountd\fR needs to be up and running
-before using \fIletsencrypt\fR(1) to issue ACME commands.
-Also, the process does not automatically terminate after the last
-signature request: instead, one sends an \fIINT\fR or \fITERM\fR signal
-to bring the server down.
-
-Furthermore, one can use the UNIX\-domain socket forwarding facility of
-OpenSSH 6.7 and later to run \fBletsencrypt\-accountd\fR and
-\fIletsencrypt\fR(1) on different hosts. For instance one could store
-the account key on a machine that is not exposed to the internet. See
-the \fBEXAMPLES\fR section below.
-
-
-.SH OPTIONS
-.TP
-.B \-\-config=\fIfilename\fR
-Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION
-FILE\fR section below for the configuration options.
-
-.TP
-.B \-\-privkey=\fIarg\fR
-Specify the (private) account key to use for signing requests.
-Currently supported \fIarg\fRuments are:
-
-.RS
-.IP \[bu] 2
-file:\fIFILE\fR, to specify an encrypted private key (in PEM format); and
-.IP \[bu]
-gpg:\fIFILE\fR, to specify a \fIgpg\fR(1)\-encrypted private key (in PEM format).
-
-.PP
-The following command can be used to generate a new 4096\-bits RSA key in
-PEM format with mode 0600:
-
-.nf
- openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
-.fi
-.RE
-
-.TP
-.B \-\-socket=\fIpath\fR
-Use \fIpath\fR as the UNIX\-domain socket to bind against for signature
-requests from the ACME client. \fBletsencrypt\-accountd\fR aborts if
-\fIpath\fR exists or if its parent directory is writable by other users.
-
-.TP
-.B \-?\fR, \fB\-\-help\fR
-Display a brief help and exit.
-
-.TP
-.B \-q\fR, \fB\-\-quiet\fR
-Be quiet.
-
-.TP
-.B \-\-debug
-Turn on debug mode.
-
-
-.SH CONFIGURATION FILE
-If \fB\-\-config=\fR is not given, \fBletsencrypt\-accountd\fR uses the
-first existing configuration file among
-\fI./letsencrypt\-accountd.conf\fR,
-\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR (or
-\fI~/.config/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR if the
-XDG_CONFIG_HOME environment variable is not set), and
-\fI/etc/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR.
-
-When given on the command line, the \fB\-\-privkey=\fR,
-\fB\-\-socket=\fR and \fB\-\-quiet\fR options take precedence over their
-counterpart (without leading \(lq\-\-\(rq) in the configuration file.
-Valid options are:
-
-.TP
-.I privkey
-See \fB\-\-privkey=\fR.
-This option is required when \fB\-\-privkey=\fR is not specified on the
-command line.
-
-.TP
-.I gpg
-For a \fIgpg\fR(1)\-encrypted private account key, specify the binary
-\fIgpg\fR(1) to use, as well as some default options.
-Default: \(lqgpg \-\-quiet\(rq.
-
-.TP
-.I socket
-See \fB\-\-socket=\fR.
-Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR
-environment variable is set.
-
-.TP
-.I quiet
-Be quiet. Possible values: \(lqYes\(rq/\(lqNo\(rq.
-
-
-.SH EXAMPLES
-
-Run \fBletsencrypt\-accountd\fR in a first terminal:
-
-.nf
- ~$ letsencrypt\-accountd \-\-privkey=file:/path/to/priv.key \-\-socket=/run/user/1000/S.letsencrypt
-.fi
-
-Then, while \fBletsencrypt\-accountd\fR is running, execute locally
-\fIletsencrypt\fR(1) in another terminal:
-
-.nf
- ~$ sudo letsencrypt \-\-socket=/run/user/1000/S.letsencrypt new\-cert
-.fi
-
-Alternatively, use \fIssh\fR(1) to forward the socket and execute
-\fIletsencrypt\fR(1) remotely:
-
-.nf
- ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.letsencrypt user@example.org \\
- sudo letsencrypt --socket=/path/to/remote.sock new-cert
-.fi
-
-
-.SH SEE ALSO
-\fBletsencrypt\fR(1), \fBssh\fR(1)
-
-.SH AUTHOR
-.ie \n[www-html] \{\
- Written by
-. MTO guilhem@fripost.org "Guilhem Moulin" .
-\}
-.el \{\
- Written by Guilhem Moulin
-. MT guilhem@fripost.org
-. ME .
-\}
diff --git a/letsencrypt.1 b/letsencrypt.1
deleted file mode 100644
index 1c4b0db..0000000
--- a/letsencrypt.1
+++ /dev/null
@@ -1,370 +0,0 @@
-.TH LETSENCRYPT "1" "MARCH 2016" "Tiny Let's Encrypt ACME client" "User Commands"
-
-.SH NAME
-letsencrypt \- Tiny Let's Encrypt ACME client
-
-.SH SYNOPSIS
-.B letsencrypt\fR [\fB\-\-config=\fIFILENAME\fR]
-[\fB\-\-socket=\fIPATH\fR] [\fIOPTION\fR ...] \fICOMMAND\fR
-[\fIARGUMENT\fR ...]
-
-
-.SH DESCRIPTION
-.PP
-.B letsencrypt\fR is a tiny ACME client written with process isolation
-and minimal privileges in mind.
-It is divided into four components, each with its own executable:
-
-.IP \[bu] 4
-A \fIletsencrypt\-accountd\fR(1) process to manage the account key and
-issue SHA\-256 signatures needed for each ACME command.
-(This process binds to a UNIX\-domain socket to reply to signature
-requests from the ACME client.)
-One can use the UNIX\-domain socket forwarding facility of OpenSSH 6.7
-and later to run \fIletsencrypt\-accountd\fR(1) and \fBletsencrypt\fR on
-different hosts.
-
-.IP \[bu] 4
-A \(lqmaster\(rq \fBletsencrypt\fR process, which runs as root and is
-the only component with access to the private key material of the server
-keys.
-It is used to fork the ACME client (and optionally the ACME webserver)
-after dropping root privileges.
-For certificate issuances (\fBnew\-cert\fR command), it also generates
-Certificate Signing Requests, then verifies the validity of the issued
-certificate, and optionally reloads or restarts services when the
-\fInotify\fR option is set.
-
-.IP \[bu] 4
-An actual ACME client (specified with the \fIcommand\fR option of the
-\(lq[client]\(rq section of the configuration file), which builds ACME
-commands and dialogues with the remote ACME server.
-Since ACME commands need to be signed with the account key, the
-\(lqmaster\(rq \fBletsencrypt\fR process passes the
-\fIletsencrypt\-accountd\fR(1) UNIX\-domain socket to the ACME client:
-data signatures are requested by writing the data to be signed to the
-socket.
-
-.IP \[bu] 4
-For certificate issuances (\fBnew\-cert\fR command), an optional
-webserver (specified with the \fIcommand\fR option of the
-\(lq[webserver]\(rq section of the configuration file), which is spawned
-by the \(lqmaster\(rq \fBletsencrypt\fR process when no service is
-listening on the HTTP port.
-(The only challenge type currently supported by \fBletsencrypt\fR is
-\(lqhttp\-01\(rq, which requires a webserver to answer challenges.)
-That webserver only processes GET and HEAD requests under the
-\(lq/.well\-known/acme\-challenge/\(rq URI.
-By default some \fIiptables\fR(1) rules are automatically installed to
-open the HTTP port, and removed afterwards.
-
-.SH COMMANDS
-.TP
-.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg \fR[\fICONTACT\fR ...]
-Register the account key managed by \fIletsencrypt\-accountd\fR(1). A
-list of \fICONTACT\fR information (such as \(lqmaito:\(rq
-URIs) can be specified in order for the server to contact the client for
-issues related to this registration (such as notifications about
-server\-initiated revocations).
-
-\fB\-\-agreement\-uri=\fR can be used to specify a \fIURI\fR referring
-to a subscriber agreement or terms of service provided by the server;
-adding this options indicates the client's agreement with the referenced
-terms. Note that the server might require the client to agree to
-subscriber agreement before performing any further actions.
-
-If the account key is already registered, \fBletsencrypt\fR prints the
-URI of the existing registration and aborts.
-
-.TP
-.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBreg=\fIURI\fR \fR[\fICONTACT\fR ...]
-
-Dump or edit the registration \fIURI\fR (relative to the ACME server URI,
-which is specified with the \fIserver\fR option of the \(lq[client]\(rq
-section of the configuration file).
-
-When specified, the list of \fICONTACT\fR information and the agreement
-\fIURI\fR are sent to the server to replace the existing values.
-
-.TP
-.B letsencrypt \fR[\fB\-\-config\-certs=\fIFILE\fR]\fB \fBnew\-cert \fR[\fISECTION\fR ...]
-
-Read the certificate configuration \fIFILE\fR (see the \fBCERTIFICATE
-CONFIGURATION FILE\fR section below for the configuration options), and
-request new Certificate Issuance for each of its sections (or the given
-list of \fISECTION\fRs).
-
-.TP
-.B letsencrypt \fBrevoke\-cert \fIFILE\fR [\fIFILE\fR ...]
-
-Request that the given certificate(s) \fIFILE\fR(s) be revoked. For
-this command, \fIletsencrypt\-accountd\fR(1) can be pointed to either
-the account key or the server's private key.
-
-
-.SH GENERIC OPTIONS
-.TP
-.B \-\-config=\fIfilename\fR
-Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION
-FILE\fR section below for the configuration options.
-
-.TP
-.B \-\-socket=\fIpath\fR
-Use \fIpath\fR as the \fIletsencrypt\-accountd\fR(1) UNIX\-domain socket
-to connect to for signature requests from the ACME client.
-\fBletsencrypt\fR aborts if \fIpath\fR is readable or writable by
-other users, or if its parent directory is writable by other users.
-This overrides the \fIsocket\fR option of the \(lq[client]\(rq section
-of the configuration file.
-
-.TP
-.B \-?\fR, \fB\-\-help\fR
-Display a brief help and exit.
-
-.TP
-.B \-\-debug
-Turn on debug mode.
-
-
-.SH CONFIGURATION FILE
-If \fB\-\-config=\fR is not given, \fBletsencrypt\fR uses the first
-existing configuration file among
-\fI./letsencrypt.conf\fR,
-\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt.conf\fR (or
-\fI~/.config/letsencrypt\-tiny/letsencrypt.conf\fR if the
-XDG_CONFIG_HOME environment variable is not set), and
-\fI/etc/letsencrypt\-tiny/letsencrypt.conf\fR.
-Valid options are:
-
-.TP
-Default section
-.RS
-.TP
-.I config\-certs
-For certificate issuances (\fBnew\-cert\fR command), specify the
-certificate configuration file to use (see the \fBCERTIFICATE
-CONFIGURATION FILE\fR section below for the configuration options).
-.RE
-
-.TP
-\(lq[client]\(rq section
-This section is used for configuring the ACME client (which takes care
-of ACME commands and dialogues with the remote ACME server).
-
-.RS
-.TP
-.I socket
-See \fB\-\-socket=\fR.
-Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR
-environment variable is set.
-
-.TP
-.I user
-The username to drop privileges to (setting both effective and real
-uid).
-Preserve root privileges if the value is empty (not recommended).
-Default: \(lqnobody\(rq.
-
-.TP
-.I group
-The groupname to drop privileges to (setting both effective and real
-gid, and also setting the list of supplementary gids to that single
-group). Preserve root privileges if the value is empty (not
-recommended).
-Default: \(lqnogroup\(rq.
-
-.TP
-.I command
-Path to the ACME client executable.
-Default: \(lq/usr/lib/letsencrypt\-tiny/client\(rq.
-
-.TP
-.I server
-Root URI of the ACME server.
-Default: \(lqhttps://acme\-v01.api.letsencrypt.org/\(rq.
-
-.TP
-.I timeout
-Timeout in seconds after which the client stops polling the ACME server
-and considers the request failed.
-Default: \(lq10\(rq.
-
-.TP
-.I SSL_verify
-Whether to verify the server certificate chain.
-Default: \(lqYes\(rq.
-
-.TP
-.I SSL_version
-Specify the version of the SSL protocol used to transmit data.
-
-.TP
-.I SSL_cipher_list
-Specify the cipher list for the connection.
-.RE
-
-.TP
-\(lq[webserver]\(rq section
-This section is used for configuring the ACME webserver.
-
-.RS
-.TP
-.I listen
-Specify the local address to listen on, in the form
-\fIADDRESS\fR[:\fIPORT\fR].
-If \fIADDRESS\fR is enclosed with brackets \(oq[\(cq/\(oq]\(cq then it
-denotes an IPv6; an empty \fIADDRESS\fR means \(oq0.0.0.0\(cq.
-Default: \(lq:80\(rq.
-
-.TP
-.I challenge\-directory
-If a webserver is already running, specify a non\-existent directory
-under which the webserver is configured to serve GET requests for
-challenge files under \(lq/.well\-known/acme\-challenge/\(rq (for each
-virtual hosts requiring authorization) as static files.
-Default: \(lq/var/www/acme\-challenge\(rq.
-
-.TP
-.I user
-The username to drop privileges to (setting both effective and real
-uid).
-Preserve root privileges if the value is empty (not recommended).
-Default: \(lqwww\-data\(rq.
-
-.TP
-.I group
-The groupname to drop privileges to (setting both effective and real
-gid, and also setting the list of supplementary gids to that single
-group). Preserve root privileges if the value is empty (not
-recommended).
-Default: \(lqwww\-data\(rq.
-
-.TP
-.I command
-Path to the ACME webserver executable.
-Default: \(lq/usr/lib/letsencrypt\-tiny/webserver\(rq.
-
-.TP
-.I iptables
-Whether to automatically install \fIiptables\fR(1) rules to open the
-\fIADDRESS\fR[:\fIPORT\fR] specified with \fIlisten\fR.
-Theses rules are automatically removed once \fBletsencrypt\fR exits.
-Default: \(lqYes\(rq.
-.RE
-
-
-.SH CERTIFICATE CONFIGURATION FILE
-For certificate issuances (\fBnew\-cert\fR command), a separate file is
-used to configure paths to the certificate and key, as well as the
-subject, subjectAltName, etc. to generate Certificate Signing Requests.
-If \fB\-\-config\-certs=\fR is not given, and if the
-\fIconfig\-certs\fR configuration option is absent,
-then \fBletsencrypt\fR uses the first existing configuration file among
-\fI./letsencrypt\-certs.conf\fR,
-\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-certs.conf\fR (or
-\fI~/.config/letsencrypt\-tiny/letsencrypt\-certs.conf\fR if the
-XDG_CONFIG_HOME environment variable is not set), and
-\fI/etc/letsencrypt\-tiny/letsencrypt\-certs.conf\fR.
-Each section denotes a separate certificate issuance.
-Valid options are:
-
-.TP
-.I certificate
-Where to store the issued certificate (in PEM format).
-At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is
-required.
-
-.TP
-.I certificate\-chain
-Where to store the issued certificate, concatenated with the content of
-the file specified specified with the \fICAfile\fR option (in PEM
-format).
-At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is
-required.
-
-.TP
-.I certificate\-key
-Path the service's private key. This option is required. The following
-command can be used to generate a new 4096\-bits RSA key in PEM format
-with mode 0600:
-
-.nf
- openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
-.fi
-
-.TP
-.I min\-days
-For an existing certificate, the minimum number of days before its
-expiration date the section is considered for re\-issuance.
-Default: \(lq10\(rq.
-
-
-.TP
-.I CAfile
-Path to the issuer's certificate. This is used for
-\fIcertificate\-chain\fR and to verify the validity of each issued
-certificate.
-Specifying an empty value skip certificate validation.
-Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x3\-cross\-signed.pem\(rq.
-
-.TP
-.I hash
-Message digest to sign the Certificate Signing Request with.
-
-.TP
-.I keyUsage
-Comma\-separated list of Key Usages, see \fIx509v3_config\fR(5ssl).
-
-.TP
-.I subject
-Subject field of the Certificate Signing Request, in the form
-\fR/\fItype0\fR=\fIvalue0\fR/\fItype1\fR=\fIvalue1\fR/\fItype2\fR=...
-This option is required.
-
-.TP
-.I subjectAltName
-Comma\-separated list of Subject Alternative Names, in the form
-\fItype0\fR:\fIvalue1\fR,\fItype1\fR:\fIvalue1\fR,\fItype2\fR:...
-The only \fItype\fR currently supported is \(lqDNS\(rq, to specify an
-alternative domain name.
-
-.TP
-.I chown
-An optional \fIusername\fR[:\fIgroupname\fR] to chown the issued
-\fIcertificate\fR and \fIcertificate\-chain\fR with.
-
-.TP
-.I chmod
-An optional octal mode to chmod the issued \fIcertificate\fR and
-\fIcertificate\-chain\fR with.
-
-.TP
-.I notify
-Command to pass the the system's command shell (\(lq/bin/sh \-c\(rq)
-after successful installation of the \fIcertificate\fR and/or
-\fIcertificate\-chain\fR.
-
-
-.SH EXAMPLES
-
-.nf
- ~$ sudo letsencrypt new-reg mailto:noreply@example.com
- ~$ sudo letsencrypt reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
- ~$ sudo letsencrypt new-cert
- ~$ sudo letsencrypt revoke-cert /path/to/server/certificate.pem
-.fi
-
-
-.SH SEE ALSO
-\fBletsencrypt\-accountd\fR(1)
-
-.SH AUTHOR
-.ie \n[www-html] \{\
- Written by
-. MTO guilhem@fripost.org "Guilhem Moulin" .
-\}
-.el \{\
- Written by Guilhem Moulin
-. MT guilhem@fripost.org
-. ME .
-\}