author | Guilhem Moulin <guilhem@fripost.org> | 2016-06-14 01:12:08 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-06-14 01:12:08 +0200 |
commit | efde1af7077cff081a3dd9cb28b5896e6e9ed25a (patch) | |
tree | 4657dc076b8844a9e8960789177bb9cd584e3599 | |
parent | 76b9e800da0c7dd88a55fa9dac153c513e6e7748 (diff) | |
parent | c0849fb8b99216e9b2e20132296253f1ee905193 (diff) |
Merge branch 'master' into debian
-rw-r--r-- | Makefile | 50 | ||||
-rw-r--r-- | README | 60 | ||||
-rwxr-xr-x | client | 8 | ||||
-rw-r--r-- | config/lacme-accountd.conf (renamed from config/letsencrypt-accountd.conf) | 4 | ||||
-rw-r--r-- | config/lacme-certs.conf (renamed from config/letsencrypt-certs.conf) | 2 | ||||
-rw-r--r-- | config/lacme.conf (renamed from config/letsencrypt.conf) | 24 | ||||
-rwxr-xr-x | lacme (renamed from letsencrypt) | 23 | ||||
-rwxr-xr-x | lacme-accountd (renamed from letsencrypt-accountd) | 10 | ||||
-rw-r--r-- | lacme-accountd.md | 143 | ||||
-rw-r--r-- | lacme.md | 355 | ||||
-rw-r--r-- | letsencrypt-accountd.1 | 153 | ||||
-rw-r--r-- | letsencrypt.1 | 370 |
12 files changed, 602 insertions, 600 deletions
@@ -1,15 +1,41 @@ -all: - -install: - install -d $(DESTDIR)/etc/letsencrypt-tiny - install -m0644 -t $(DESTDIR)/etc/letsencrypt-tiny config/*.conf - install -d $(DESTDIR)/usr/share/letsencrypt-tiny - install -m0644 -t $(DESTDIR)/usr/share/letsencrypt-tiny lets-encrypt-x[1-4]-cross-signed.pem - install -d $(DESTDIR)/usr/lib/letsencrypt-tiny - install -m0755 -t $(DESTDIR)/usr/lib/letsencrypt-tiny client webserver +MANPAGES = lacme-accountd.1 lacme.1 + +all: ${MANPAGES} + +# upper case the headers and remove the links +%.1: %.md + @pandoc -S -f markdown -t json "$<" | \ + jq ".[1][] |= if .t == \"Header\" then .c[2][] |= (if .t == \"Str\" then .c |= ascii_upcase else . end) else . end" | \ + jq " \ + def fixit: \ + if type == \"object\" then \ + if .t == \"Link\" then \ + if .c[2][0][0:7] == \"mailto:\" then . else .c[1][] end \ + else \ + map_values(fixit) \ + end \ + else if type == \"array\" then \ + map(fixit) \ + else \ + . \ + end \ + end; \ + map(fixit)" | \ + pandoc -sS -f json -t man -o "$@" + +install: ${MANPAGES} + install -d $(DESTDIR)/etc/lacme + install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf + install -d $(DESTDIR)/usr/share/lacme + install -m0644 -t $(DESTDIR)/usr/share/lacme lets-encrypt-x[1-4]-cross-signed.pem + install -d $(DESTDIR)/usr/lib/lacme + install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver install -d $(DESTDIR)/usr/share/man/man1 - install -m0644 -t $(DESTDIR)/usr/share/man/man1 letsencrypt-accountd.1 letsencrypt.1 + install -m0644 -t $(DESTDIR)/usr/share/man/man1 lacme-accountd.1 lacme.1 install -d $(DESTDIR)/usr/bin - install -m0644 -t $(DESTDIR)/usr/bin letsencrypt-accountd letsencrypt + install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd lacme + +clean: + rm -vf ${MANPAGES} -.PHONY: all install +.PHONY: all install clean 
@@ -1,29 +1,6 @@ -Requesting new Certificate Issuance with the ACME protocol generally -works as follows: - - 1. Generate a Certificate Signing Request. This requires access to - the private part of the server key. - 2. Issue an issuance request against the ACME server. - 3. Answer the ACME Identifier Validation Challenges. The challenge - type "http-01" requires a webserver to listen on port 80 for each - address for which an authorization request is issued; if there is - no running webserver, root privileges are required to bind against - port 80 and to install firewall rules to temporarily open the port. - 4. Install the certificate (after verification) and restart the - service. This usually requires root access as well. - -Steps 1,3,4 need to be run on the host for which an authorization -request is issued. However the the issuance itself (step 2) could be -done from another machine. Furthermore, each ACME command (step 2), as -well as the key authorization token in step 3, need to be signed using -an account key. The account key can be stored on another machine, or -even on a smartcard. - -_______________________________________________________________________ - -letsencrypt is a tiny ACME client written with process isolation and -minimal privileges in mind. It is divided into four components, each -with its own executable: +lacme is a small ACME client written with process isolation and minimal +privileges in mind. It is divided into four components, each with its +own executable: * A process to manage the account key and issue SHA-256 signatures needed for each ACME command. (This process binds to a UNIX-domain 
@@ -50,17 +27,40 @@ with its own executable: port. (The only challenge type currently supported is "http-01", which requires a webserver to answer challenges.) That webserver only processes GET and HEAD requests under the - "/.well-known/acme-challenge/" URI. By default some iptables(1) + "/.well-known/acme-challenge/" URI. By default some iptables(8) rules are automatically installed to open the HTTP port, and removed afterwards. Consult the manuals for more information. - https://guilhem.org/man/letsencrypt.1.html - https://guilhem.org/man/letsencrypt-accountd.1.html + https://guilhem.org/man/lacme.1.html + https://guilhem.org/man/lacme-accountd.1.html + +_______________________________________________________________________ + +Requesting new Certificate Issuance with the ACME protocol generally +works as follows: + + 1. Generate a Certificate Signing Request. This requires access to + the private part of the server key. + 2. Issue an issuance request against the ACME server. + 3. Answer the ACME Identifier Validation Challenges. The challenge + type "http-01" requires a webserver to listen on port 80 for each + address for which an authorization request is issued; if there is + no running webserver, root privileges are required to bind against + port 80 and to install firewall rules to temporarily open the port. + 4. Install the certificate (after verification) and restart the + service. This usually requires root access as well. + +Steps 1,3,4 need to be run on the host for which an authorization +request is issued. However the the issuance itself (step 2) could be +done from another machine. Furthermore, each ACME command (step 2), as +well as the key authorization token in step 3, need to be signed using +an account key. The account key can be stored on another machine, or +even on a smartcard. 
_______________________________________________________________________ -letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and +lacme is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and licensed for use under the GNU General Public License version 3 or later. See ‘COPYING’ for specific terms and distribution information. @@ -24,9 +24,9 @@ use warnings; # Usage: client COMMAND CONFIG_FD SOCKET_FD [ARGUMENTS] # # fdopen(3) the file descriptor SOCKET_FD (corresponding to the -# listening letsencrypt-accountd socket), connect(2) to it to retrieve -# the account key's public parameters and later send data to be signed -# by the master component (using the account key). +# listening lacme-accountd socket), connect(2) to it to retrieve the +# account key's public parameters and later send data to be signed by +# the master component (using the account key). # # CONFIG_FD is a read-only file descriptor associated with the # configuration file at pos 0. (This is needed since this process @@ -66,7 +66,7 @@ open my $S, '+<&=', $1 or die "fdopen $1: $!"; ############################################################################# # Read the protocol version and JSON Web Key (RFC 7517) from the -# letsencrypt-accountd socket +# lacme-accountd socket # die "Error: Invalid client version\n" unless $S->getline() =~ /\A(\d+) OK(?:.*)\r\n\z/ and $1 == $PROTOCOL_VERSION; diff --git a/config/letsencrypt-accountd.conf b/config/lacme-accountd.conf index c372190..0a8b81a 100644 --- a/config/letsencrypt-accountd.conf +++ b/config/lacme-accountd.conf 
@@ -17,10 +17,10 @@ # for signature requests from the ACME client. An error is raised if # the path exists exists or if its parent directory is writable by other # users. -# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR +# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR # environment variable is set. # -#socket = /run/user/1000/S.letsencrypt +#socket = /run/user/1000/S.lacme # Be quiet. Possible values: "Yes"/"No". # diff --git a/config/letsencrypt-certs.conf b/config/lacme-certs.conf index 2ee9b20..fbce5e2 100644 --- a/config/letsencrypt-certs.conf +++ b/config/lacme-certs.conf @@ -26,7 +26,7 @@ # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an # empty value skip certificate validation. -#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem +#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem # Subject field of the Certificate Signing Request. This option is # required. diff --git a/config/letsencrypt.conf b/config/lacme.conf index 1502020..edcbbb0 100644 --- a/config/letsencrypt.conf +++ b/config/lacme.conf 
@@ -1,23 +1,23 @@ # For certificate issuance (new-cert command), specify the certificate # configuration file to use # -#config-certs = config/letsencrypt-certs.conf +#config-certs = config/lacme-certs.conf [client] -# The value of "socket" specifies the letsencrypt-accountd(1) -# UNIX-domain socket to connect to for signature requests from the ACME -# client. letsencrypt aborts if the socket is readable or writable by -# other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR -# environment variable is set. +# The value of "socket" specifies the lacme-accountd(1) UNIX-domain +# socket to connect to for signature requests from the ACME client. +# lacme aborts if the socket is readable or writable by other users, or +# if its parent directory is writable by other users. +# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment +# variable is set. # -#socket = /run/user/1000/S.letsencrypt +#socket = /run/user/1000/S.lacme # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). # Default: "nobody". # -#user = letsencrypt +#user = lacme # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). @@ -26,7 +26,7 @@ #group = nogroup # Path to the ACME client executable. -#command = /usr/lib/letsencrypt-tiny/client +#command = /usr/lib/lacme/client # Root URI of the ACME server. NOTE: Use the staging server for testing # as it has relaxed ratelimit. 
@@ -75,11 +75,11 @@ #user = www-data # Path to the ACME webserver executable. -#command = /usr/lib/letsencrypt-tiny/webserver +#command = /usr/lib/lacme/webserver # Whether to automatically install iptables(1) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically -# removed once letsencrypt exits. +# removed once lacme(1) exits. # #iptables = Yes @@ -1,7 +1,7 @@ #!/usr/bin/perl -T #---------------------------------------------------------------------- -# Let's Encrypt ACME client +# ACME client # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify @@ -22,7 +22,7 @@ use strict; use warnings; our $VERSION = '0.0.1'; -my $NAME = 'letsencrypt'; +my $NAME = 'lacme'; use Errno qw/EADDRINUSE EINTR/; use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/; @@ -71,8 +71,8 @@ $COMMAND = $COMMAND =~ /\A(new-reg|reg=\p{Print}*|new-cert|revoke-cert)\z/ ? $1 do { my $conffile = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf" - , "/etc/letsencrypt-tiny/$NAME.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" + , "/etc/lacme/$NAME.conf" ); die "Error: Can't find configuration file\n" unless defined $conffile; print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; @@ -84,10 +84,10 @@ do { my $defaults = delete $h->{_} // {}; my %valid = ( client => { - socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef), + socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef), user => 'nobody', group => 'nogroup', - command => '/usr/lib/letsencrypt-tiny/client', + command => '/usr/lib/lacme/client', # the rest is for the ACME client map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, 
@@ -96,7 +96,7 @@ do { 'challenge-directory' => '/var/www/acme-challenge', user => 'www-data', group => 'www-data', - command => '/usr/lib/letsencrypt-tiny/webserver', + command => '/usr/lib/lacme/webserver', iptables => 'Yes' } @@ -399,7 +399,7 @@ sub acme_client($@) { die "Error: insecure permissions on $dirname\n" if ($stat[2] & 0022) != 0; # ensure we're the only user with read/write access to the socket - @stat = stat($sockname) or die "Can't stat $sockname: $! (Is letsencrypt-accountd running?)\n"; + @stat = stat($sockname) or die "Can't stat $sockname: $! (Is lacme-accountd running?)\n"; die "Error: insecure permissions on $sockname\n" if ($stat[2] & 0066) != 0; # connect(2) to the socket @@ -515,14 +515,15 @@ if ($COMMAND eq 'new-reg' or $COMMAND =~ /^reg=/) { # new-cert [SECTION ..] # TODO: renewal without the account key, see # https://github.com/letsencrypt/acme-spec/pull/168 +# https://github.com/letsencrypt/acme-spec/issues/191 # elsif ($COMMAND eq 'new-cert') { my $conf; do { my $conffile = $OPTS{'config-certs'} // $CONFIG->{_}->{'config-certs'} // first { -f $_ } ( "./$NAME-certs.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME-certs.conf" - , "/etc/letsencrypt-tiny/$NAME-certs.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME-certs.conf" + , "/etc/lacme/$NAME-certs.conf" ); die "Error: Can't find certificate configuration file\n" unless defined $conffile; my $h = Config::Tiny::->read($conffile) or die Config::Tiny::->errstr()."\n"; 
@@ -604,7 +605,7 @@ elsif ($COMMAND eq 'new-cert') { }; # verify certificate validity against the CA - $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem'; + $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem'; if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, qw/-purpose sslserver -x509_strict/)) { print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; diff --git a/letsencrypt-accountd b/lacme-accountd index ffc5619..2bc648f 100755 --- a/letsencrypt-accountd +++ b/lacme-accountd @@ -1,7 +1,7 @@ #!/usr/bin/perl -T #---------------------------------------------------------------------- -# Let's Encrypt ACME client (account key manager) +# ACME client (account key manager) # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify @@ -23,7 +23,7 @@ use warnings; our $VERSION = '0.0.1'; my $PROTOCOL_VERSION = 1; -my $NAME = 'letsencrypt-accountd'; +my $NAME = 'lacme-accountd'; use Errno 'EINTR'; use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/; @@ -64,8 +64,8 @@ usage(0) if $OPTS{help}; do { my $conffile = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf" - , "/etc/letsencrypt-tiny/$NAME.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" + , "/etc/lacme/$NAME.conf" ); die "Error: Can't find configuration file\n" unless defined $conffile; print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; 
@@ -137,7 +137,7 @@ $JWK = JSON::->new->encode($JWK); # delete the file manually. # do { - my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef); + my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef); die "Missing socket option\n" unless defined $sockname; $sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname diff --git a/lacme-accountd.md b/lacme-accountd.md new file mode 100644 index 0000000..54b0ed7 --- /dev/null +++ b/lacme-accountd.md 
@@ -0,0 +1,143 @@ +% lacme-accountd(1) +% [Guilhem Moulin](mailto:guilhem@fripost.org) +% March 2016 + +Name +==== + +lacme-accountd - [ACME] client (account key manager) + +Synopsis +======== + +`lacme-accountd` [`--config=FILENAME`] [`--privkey=ARG`] [`--socket=PATH`] [`--quiet`] + +Description +=========== + +`lacme-accountd` is the account key manager component of [`lacme`(1)], a +small [ACME] client written with process isolation and minimal +privileges in mind. No other [`lacme`(1)] component needs access to the +account key; in fact the account key could as well be stored on another +host or a smartcard. + +`lacme-accountd` binds to a UNIX-domain socket (specified with +`--socket=`), which [ACME] clients can connect to in order to request +data signatures. +As a consequence, `lacme-accountd` needs to be up and running before +using [`lacme`(1)] to issue [ACME] commands. Also, the process does not +automatically terminate after the last signature request: instead, one +sends an `INT` or `TERM` [`signal`(7)] to bring the server down. + +Furthermore, one can use the UNIX-domain socket forwarding facility of +[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(1)] on +different hosts. For instance one could store the account key on a +machine that is not exposed to the internet. See the +**[examples](#examples)** section below. + +Options +======= + +`--config=`*filename* + +: Use *filename* as configuration file. See the **[configuration + file](#configuration-file)** section below for the configuration + options. + +`--privkey=`*arg* + +: Specify the (private) account key to use for signing requests. + Currently supported *arg*uments are: + + * `file:`*FILE*, to specify an encrypted private key (in PEM + format); and + * `gpg:`*FILE*, to specify a [`gpg`(1)]-encrypted private key (in + PEM format). 
+ + The following command can be used to generate a new 4096-bits RSA + key in PEM format with mode 0600: + + openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key + +`-socket=`*path* + +: Use *path* as the UNIX-domain socket to bind against for signature + requests from the [ACME] client. `lacme-accountd` aborts if *path* + exists or if its parent directory is writable by other users. + +`-?`, `--help` + +: Display a brief help and exit. + +`-q`, `--quiet` + +: Be quiet. + +`--debug` + +: Turn on debug mode. + +Configuration file +================== + +If `--config=` is not given, `lacme-accountd` uses the first existing +configuration file among *./lacme-accountd.conf*, +*$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or +*~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME` +environment variable is not set), and */etc/lacme/lacme-accountd.conf*. + +When given on the command line, the `--privkey=`, `--socket=` and +`--quiet` options take precedence over their counterpart (without +leading `--`) in the configuration file. Valid options are: + +*privkey* + +: See `--privkey=`. This option is required when `--privkey=` is not + specified on the command line. + +*gpg* + +: For a [`gpg`(1)]-encrypted private account key, specify the binary + [`gpg`(1)] to use, as well as some default options. + Default: `gpg --quiet`. + +*socket* + +: See `--socket=`. + Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR` + environment variable is set. + +*quiet* + +: Be quiet. Possible values: `Yes`/`No`. 
+ +Examples +======== + +Run `lacme-accountd` in a first terminal: + + ~$ lacme-accountd --privkey=file:/path/to/priv.key --socket=/run/user/1000/S.lacme + +Then, while `lacme-accountd` is running, execute locally [`lacme`(1)] in +another terminal: + + ~$ sudo lacme --socket=/run/user/1000/S.lacme new-cert + +Alternatively, use [OpenSSH] 6.7 or later to forward the socket and +execute [`lacme`(1)] remotely: + + ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.lacme user@example.org \ + sudo lacme --socket=/path/to/remote.sock new-cert + + +See also +======== + +[`lacme`(1)], [`ssh`(1)] + +[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 +[`lacme`(1)]: lacme.1.html +[`signal`(7)]: http://linux.die.net/man/7/signal +[`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html +[OpenSSH]: http://www.openssh.com/ +[`ssh`(1)]: http://man.openbsd.org/ssh diff --git a/lacme.md b/lacme.md new file mode 100644 index 0000000..a16f23d --- /dev/null +++ b/lacme.md 
@@ -0,0 +1,355 @@ +% lacme(1) +% [Guilhem Moulin](mailto:guilhem@fripost.org) +% December 2015 + +Name +==== + +lacme - [ACME] client + +Synopsis +======== + +`lacme` [`--config=FILENAME`] [`--socket=PATH`] [*OPTION* …] *COMMAND* [*ARGUMENT* …] + +Description +=========== + +`lacme` is a small [ACME] client written with process isolation and +minimal privileges in mind. It is divided into four components, each +with its own executable: + + 1. A [`lacme-accountd`(1)] process to manage the account key and issue + SHA-256 signatures needed for each [ACME] command. (This process + binds to a UNIX-domain socket to reply to signature requests from + the [ACME] client.) + One can use the UNIX-domain socket forwarding facility of OpenSSH + 6.7 and later to run [`lacme-accountd`(1)] and `lacme` on different + hosts. + + 2. A “master” `lacme` process, which runs as root and is the only + component with access to the private key material of the server + keys. It is used to fork the [ACME] client (and optionally the + [ACME] webserver) after dropping root privileges. + For certificate issuances (`new-cert` command), it also generates + Certificate Signing Requests, then verifies the validity of the + issued certificate, and optionally reloads or restarts services when + the *notify* option is set. + + 3. An actual [ACME] client (specified with the *command* option of the + [`[client]` section](#client-section) of the configuration file), + which builds [ACME] commands and dialogues with the remote [ACME] + server. + Since [ACME] commands need to be signed with the account key, the + “master” `lacme` process passes the [`lacme-accountd`(1)] + UNIX-domain socket to the [ACME] client: data signatures are + requested by writing the data to be signed to the socket. + + 4. 
For certificate issuances (`new-cert` command), an optional + webserver (specified with the *command* option of the [`[webserver]` + section](#webserver-section) of the configuration file), which is + spawned by the “master” `lacme` process when no service is listening + on the HTTP port. (The only challenge type currently supported by + `lacme` is `http-01`, which requires a webserver to answer + challenges.) That webserver only processes `GET` and `HEAD` requests + under the `/.well-known/acme-challenge/` URI. + By default some [`iptables`(8)] rules are automatically installed to + open the HTTP port, and removed afterwards. + +Commands +======== + +`lacme` [`--agreement-uri=`*URI*] `new-reg` [*CONTACT* …] + +: Register the account key managed by [`lacme-accountd`(1)]. A list + of *CONTACT* information (such as `maito:` URIs) can be specified in + order for the server to contact the client for issues related to + this registration (such as notifications about server-initiated + revocations). + + `--agreement-uri=` can be used to specify a *URI* referring to a + subscriber agreement or terms of service provided by the server; + adding this options indicates the client's agreement with the + referenced terms. Note that the server might require the client to + agree to subscriber agreement before performing any further actions. + + If the account key is already registered, `lacme` prints the URI of + the existing registration and aborts. + +`lacme` [`--agreement-uri=`*URI*] `reg=`*URI* [*CONTACT* …] + +: Dump or edit the registration *URI* (relative to the [ACME] server + URI, which is specified with the *server* option of the [`[client]` + section](#client-section) of the configuration file). + + When specified, the list of *CONTACT* information and the agreement + *URI* are sent to the server to replace the existing values. 
+ +`lacme` [`--config-certs=`*FILE*] `new-cert` [*SECTION* …] + +: Read the certificate configuration *FILE* (see the **[certificate + configuration file](#certificate-configuration-file)** section below + for the configuration options), and request new Certificate Issuance + for each of its sections (or the given list of *SECTION*s). + +`lacme` `revoke-cert` *FILE* [*FILE* …] + +: Request that the given certificate(s) *FILE*(s) be revoked. For + this command, [`lacme-accountd`(1)] can be pointed to either the + account key or the server's private key. + +Generic options +=============== + +`--config=`*filename* + +: Use *filename* as configuration file. See the **[configuration + file](#configuration-file)** section below for the configuration + options. + +`--socket=`*path* + +: Use *path* as the [`lacme-accountd`(1)] UNIX-domain socket to + connect to for signature requests from the [ACME] client. `lacme` + aborts if `path` is readable or writable by other users, or if its + parent directory is writable by other users. This overrides the + *socket* option of the [`[client]` section](#client-section) of the + configuration file. + +`-?`, `--help` + +: Display a brief help and exit. + +`--debug` + +: Turn on debug mode. + +Configuration file +================== + +If `--config=` is not given, `lacme` uses the first existing +configuration file among *./lacme.conf*, +*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if +the `XDG_CONFIG_HOME` environment variable is not set), and +*/etc/lacme/lacme.conf*. +Valid options are: + +Default section +--------------- + +*config-certs* + +: For certificate issuances (`new-cert` command), specify the + certificate configuration file to use (see the **[certificate + configuration file](#certificate-configuration-file)** section below + for the configuration options). 
+ +`[client]` section +------------------ + +This section is used for configuring the [ACME] client (which takes care +of [ACME] commands and dialogues with the remote [ACME] server). + +*socket* + +: See `--socket=`. + Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR` + environment variable is set. + +*user* + +: The username to drop privileges to (setting both effective and real + uid). Preserve root privileges if the value is empty (not + recommended). + Default: `nobody`. + +*group* + +: The groupname to drop privileges to (setting both effective and real + gid, and also setting the list of supplementary gids to that single + group). Preserve root privileges if the value is empty (not + recommended). + Default: `nogroup`. + +*command* + +: Path to the [ACME] client executable. + Default: `/usr/lib/lacme/client`. + +*server* + +: Root URI of the [ACME] server. + Default: `https://acme-v01.api.letsencrypt.org/`. + +*timeout* + +: Timeout in seconds after which the client stops polling the [ACME] + server and considers the request failed. + Default: `10`. + +*SSL_verify* + +: Whether to verify the server certificate chain. + Default: `Yes`. + +*SSL_version* + +: Specify the version of the SSL protocol used to transmit data. + +*SSL_cipher_list* + +: Specify the cipher list for the connection, see [`ciphers`(1ssl)] + for more information. + +`[webserver]` section +--------------------- + +This section is used for configuring the [ACME] webserver. + +*listen* + +: Specify the local address to listen on, in the form + `ADDRESS[:PORT]`. If `ADDRESS` is enclosed with brackets ‘[’/‘]’ + then it denotes an IPv6; an empty `ADDRESS` means `0.0.0.0`. + Default: `:80`. + +*challenge-directory* + +: If a webserver is already running, specify a non-existent directory + under which the webserver is configured to serve `GET` requests for + challenge files under `/.well-known/acme-challenge/` (for each + virtual hosts requiring authorization) as static files. 
+ Default: `/var/www/acme-challenge`. + +*user* + +: The username to drop privileges to (setting both effective and real + uid). Preserve root privileges if the value is empty (not + recommended). + Default: `www-data`. + +*group* + +: The groupname to drop privileges to (setting both effective and real + gid, and also setting the list of supplementary gids to that single + group). Preserve root privileges if the value is empty (not + recommended). + Default: `www-data`. + +*command* + +: Path to the [ACME] webserver executable. + Default: `/usr/lib/lacme/webserver`. + +*iptables* + +: Whether to automatically install [`iptables`(8)] rules to open the + `ADDRESS[:PORT]` specified with *listen*. Theses rules are + automatically removed once `lacme` exits. + Default: `Yes`. + +Certificate configuration file +============================== + +For certificate issuances (`new-cert` command), a separate file is used +to configure paths to the certificate and key, as well as the subject, +subjectAltName, etc. to generate Certificate Signing Requests. +If `--config-certs=` is not given, and if the `config-certs` +configuration option is absent, then `lacme` uses the first existing +configuration file among *./lacme-certs.conf*, +*$XDG_CONFIG_HOME/lacme/lacme-certs.conf* (or +*~/.config/lacme/lacme-certs.conf* if the `XDG_CONFIG_HOME` environment +variable is not set), and */etc/lacme/lacme-certs.conf*. +Each section denotes a separate certificate issuance. +Valid options are: + +*certificate* + +: Where to store the issued certificate (in PEM format). + At least one of *certificate* or *certificate-chain* is required. + +*certificate-chain* + +: Where to store the issued certificate, concatenated with the content + of the file specified specified with the *CAfile* option (in PEM + format). + At least one of *certificate* or *certificate-chain* is required. + +*certificate-key* + +: Path the service's private key. This option is required. 
The + following command can be used to generate a new 4096-bits RSA key in + PEM format with mode 0600: + + openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key + +*min-days* + +: For an existing certificate, the minimum number of days before its + expiration date the section is considered for re-issuance. + Default: `10`. + +*CAfile* + +: Path to the issuer's certificate. This is used for + *certificate-chain* and to verify the validity of each issued + certificate. + Specifying an empty value skip certificate validation. + Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`. + +*hash* + +: Message digest algorithm to sign the Certificate Signing Request + with. + +*keyUsage* + +: Comma-separated list of Key Usages, see [`x509v3_config`(5ssl)]. + +*subject* + +: Subject field of the Certificate Signing Request, in the form + `/type0=value0/type1=value1/type2=…`. This option is required. + +*subjectAltName* + +: Comma-separated list of Subject Alternative Names, in the form + `type0:value1,type1:value1,type2:…` + The only `type` currently supported is `DNS`, to specify an + alternative domain name. + +*chown* + +: An optional `username[:groupname]` to chown the issued *certificate* + and *certificate-chain* with. + +*chmod* + +: An optional octal mode to chmod the issued *certificate* and + *certificate-chain* with. + +*notify* + +: Command to pass the the system's command shell (`/bin/sh -c`) + after successful installation of the *certificate* and/or + *certificate-chain*. 
+ +Examples +======== + + ~$ sudo lacme new-reg mailto:noreply@example.com + ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf + ~$ sudo lacme new-cert + ~$ sudo lacme revoke-cert /path/to/server/certificate.pem + + +See also +======== + +[`lacme-accountd`(1)] + +[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 +[`lacme-accountd`(1)]: lacme-accountd.1.html +[`iptables`(8)]: http://linux.die.net/man/8/iptables +[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html +[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1 deleted file mode 100644 index a06cdcc..0000000 --- a/letsencrypt-accountd.1 +++ /dev/null 
@@ -1,153 +0,0 @@ -.TH LETSENCRYPT\-ACCOUNTD "1" "MARCH 2016" "Tiny Let's Encrypt ACME client (account key manager)" "User Commands" - -.SH NAME -letsencrypt\-accountd \- Tiny Let's Encrypt ACME client (account key manager) - -.SH SYNOPSIS -.B letsencrypt\-accountd\fR [\fB\-\-config=\fIFILENAME\fR] -[\fB\-\-privkey=\fIARG\fR] [\fB\-\-socket=\fIPATH\fR] [\fB\-\-quiet\fR] - - -.SH DESCRIPTION -.PP -.B letsencrypt\-accountd\fR is the account key manager component of -\fIletsencrypt\fR(1), a tiny ACME client written with process isolation -and minimal privileges in mind. No other \fIletsencrypt\fR(1) component -need access to the account key; in fact the account key could also be -stored on a smartcard. - -.B letsencrypt\-accountd\fR binds to a UNIX\-domain socket (specified -with \fB\-\-socket=\fR), which ACME clients can connect to in order to -request data signatures. -As a consequence, \fBletsencrypt\-accountd\fR needs to be up and running -before using \fIletsencrypt\fR(1) to issue ACME commands. -Also, the process does not automatically terminate after the last -signature request: instead, one sends an \fIINT\fR or \fITERM\fR signal -to bring the server down. - -Furthermore, one can use the UNIX\-domain socket forwarding facility of -OpenSSH 6.7 and later to run \fBletsencrypt\-accountd\fR and -\fIletsencrypt\fR(1) on different hosts. For instance one could store -the account key on a machine that is not exposed to the internet. See -the \fBEXAMPLES\fR section below. - - -.SH OPTIONS -.TP -.B \-\-config=\fIfilename\fR -Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION -FILE\fR section below for the configuration options. - -.TP -.B \-\-privkey=\fIarg\fR -Specify the (private) account key to use for signing requests. -Currently supported \fIarg\fRuments are: - -.RS -.IP \[bu] 2 -file:\fIFILE\fR, to specify an encrypted private key (in PEM format); and -.IP \[bu] -gpg:\fIFILE\fR, to specify a \fIgpg\fR(1)\-encrypted private key (in PEM format). 
- -.PP -The following command can be used to generate a new 4096\-bits RSA key in -PEM format with mode 0600: - -.nf - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key -.fi -.RE - -.TP -.B \-\-socket=\fIpath\fR -Use \fIpath\fR as the UNIX\-domain socket to bind against for signature -requests from the ACME client. \fBletsencrypt\-accountd\fR aborts if -\fIpath\fR exists or if its parent directory is writable by other users. - -.TP -.B \-?\fR, \fB\-\-help\fR -Display a brief help and exit. - -.TP -.B \-q\fR, \fB\-\-quiet\fR -Be quiet. - -.TP -.B \-\-debug -Turn on debug mode. - - -.SH CONFIGURATION FILE -If \fB\-\-config=\fR is not given, \fBletsencrypt\-accountd\fR uses the -first existing configuration file among -\fI./letsencrypt\-accountd.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR. - -When given on the command line, the \fB\-\-privkey=\fR, -\fB\-\-socket=\fR and \fB\-\-quiet\fR options take precedence over their -counterpart (without leading \(lq\-\-\(rq) in the configuration file. -Valid options are: - -.TP -.I privkey -See \fB\-\-privkey=\fR. -This option is required when \fB\-\-privkey=\fR is not specified on the -command line. - -.TP -.I gpg -For a \fIgpg\fR(1)\-encrypted private account key, specify the binary -\fIgpg\fR(1) to use, as well as some default options. -Default: \(lqgpg \-\-quiet\(rq. - -.TP -.I socket -See \fB\-\-socket=\fR. -Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR -environment variable is set. - -.TP -.I quiet -Be quiet. Possible values: \(lqYes\(rq/\(lqNo\(rq. 
- - -.SH EXAMPLES - -Run \fBletsencrypt\-accountd\fR in a first terminal: - -.nf - ~$ letsencrypt\-accountd \-\-privkey=file:/path/to/priv.key \-\-socket=/run/user/1000/S.letsencrypt -.fi - -Then, while \fBletsencrypt\-accountd\fR is running, execute locally -\fIletsencrypt\fR(1) in another terminal: - -.nf - ~$ sudo letsencrypt \-\-socket=/run/user/1000/S.letsencrypt new\-cert -.fi - -Alternatively, use \fIssh\fR(1) to forward the socket and execute -\fIletsencrypt\fR(1) remotely: - -.nf - ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.letsencrypt user@example.org \\ - sudo letsencrypt --socket=/path/to/remote.sock new-cert -.fi - - -.SH SEE ALSO -\fBletsencrypt\fR(1), \fBssh\fR(1) - -.SH AUTHOR -.ie \n[www-html] \{\ - Written by -. MTO guilhem@fripost.org "Guilhem Moulin" . -\} -.el \{\ - Written by Guilhem Moulin -. MT guilhem@fripost.org -. ME . -\} diff --git a/letsencrypt.1 b/letsencrypt.1 deleted file mode 100644 index 1c4b0db..0000000 --- a/letsencrypt.1 +++ /dev/null 
@@ -1,370 +0,0 @@ -.TH LETSENCRYPT "1" "MARCH 2016" "Tiny Let's Encrypt ACME client" "User Commands" - -.SH NAME -letsencrypt \- Tiny Let's Encrypt ACME client - -.SH SYNOPSIS -.B letsencrypt\fR [\fB\-\-config=\fIFILENAME\fR] -[\fB\-\-socket=\fIPATH\fR] [\fIOPTION\fR ...] \fICOMMAND\fR -[\fIARGUMENT\fR ...] - - -.SH DESCRIPTION -.PP -.B letsencrypt\fR is a tiny ACME client written with process isolation -and minimal privileges in mind. -It is divided into four components, each with its own executable: - -.IP \[bu] 4 -A \fIletsencrypt\-accountd\fR(1) process to manage the account key and -issue SHA\-256 signatures needed for each ACME command. -(This process binds to a UNIX\-domain socket to reply to signature -requests from the ACME client.) -One can use the UNIX\-domain socket forwarding facility of OpenSSH 6.7 -and later to run \fIletsencrypt\-accountd\fR(1) and \fBletsencrypt\fR on -different hosts. - -.IP \[bu] 4 -A \(lqmaster\(rq \fBletsencrypt\fR process, which runs as root and is -the only component with access to the private key material of the server -keys. -It is used to fork the ACME client (and optionally the ACME webserver) -after dropping root privileges. -For certificate issuances (\fBnew\-cert\fR command), it also generates -Certificate Signing Requests, then verifies the validity of the issued -certificate, and optionally reloads or restarts services when the -\fInotify\fR option is set. - -.IP \[bu] 4 -An actual ACME client (specified with the \fIcommand\fR option of the -\(lq[client]\(rq section of the configuration file), which builds ACME -commands and dialogues with the remote ACME server. -Since ACME commands need to be signed with the account key, the -\(lqmaster\(rq \fBletsencrypt\fR process passes the -\fIletsencrypt\-accountd\fR(1) UNIX\-domain socket to the ACME client: -data signatures are requested by writing the data to be signed to the -socket. 
- -.IP \[bu] 4 -For certificate issuances (\fBnew\-cert\fR command), an optional -webserver (specified with the \fIcommand\fR option of the -\(lq[webserver]\(rq section of the configuration file), which is spawned -by the \(lqmaster\(rq \fBletsencrypt\fR process when no service is -listening on the HTTP port. -(The only challenge type currently supported by \fBletsencrypt\fR is -\(lqhttp\-01\(rq, which requires a webserver to answer challenges.) -That webserver only processes GET and HEAD requests under the -\(lq/.well\-known/acme\-challenge/\(rq URI. -By default some \fIiptables\fR(1) rules are automatically installed to -open the HTTP port, and removed afterwards. - -.SH COMMANDS -.TP -.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg \fR[\fICONTACT\fR ...] -Register the account key managed by \fIletsencrypt\-accountd\fR(1). A -list of \fICONTACT\fR information (such as \(lqmaito:\(rq -URIs) can be specified in order for the server to contact the client for -issues related to this registration (such as notifications about -server\-initiated revocations). - -\fB\-\-agreement\-uri=\fR can be used to specify a \fIURI\fR referring -to a subscriber agreement or terms of service provided by the server; -adding this options indicates the client's agreement with the referenced -terms. Note that the server might require the client to agree to -subscriber agreement before performing any further actions. - -If the account key is already registered, \fBletsencrypt\fR prints the -URI of the existing registration and aborts. - -.TP -.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBreg=\fIURI\fR \fR[\fICONTACT\fR ...] - -Dump or edit the registration \fIURI\fR (relative to the ACME server URI, -which is specified with the \fIserver\fR option of the \(lq[client]\(rq -section of the configuration file). - -When specified, the list of \fICONTACT\fR information and the agreement -\fIURI\fR are sent to the server to replace the existing values. 
- -.TP -.B letsencrypt \fR[\fB\-\-config\-certs=\fIFILE\fR]\fB \fBnew\-cert \fR[\fISECTION\fR ...] - -Read the certificate configuration \fIFILE\fR (see the \fBCERTIFICATE -CONFIGURATION FILE\fR section below for the configuration options), and -request new Certificate Issuance for each of its sections (or the given -list of \fISECTION\fRs). - -.TP -.B letsencrypt \fBrevoke\-cert \fIFILE\fR [\fIFILE\fR ...] - -Request that the given certificate(s) \fIFILE\fR(s) be revoked. For -this command, \fIletsencrypt\-accountd\fR(1) can be pointed to either -the account key or the server's private key. - - -.SH GENERIC OPTIONS -.TP -.B \-\-config=\fIfilename\fR -Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION -FILE\fR section below for the configuration options. - -.TP -.B \-\-socket=\fIpath\fR -Use \fIpath\fR as the \fIletsencrypt\-accountd\fR(1) UNIX\-domain socket -to connect to for signature requests from the ACME client. -\fBletsencrypt\fR aborts if \fIpath\fR is readable or writable by -other users, or if its parent directory is writable by other users. -This overrides the \fIsocket\fR option of the \(lq[client]\(rq section -of the configuration file. - -.TP -.B \-?\fR, \fB\-\-help\fR -Display a brief help and exit. - -.TP -.B \-\-debug -Turn on debug mode. - - -.SH CONFIGURATION FILE -If \fB\-\-config=\fR is not given, \fBletsencrypt\fR uses the first -existing configuration file among -\fI./letsencrypt.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt.conf\fR. -Valid options are: - -.TP -Default section -.RS -.TP -.I config\-certs -For certificate issuances (\fBnew\-cert\fR command), specify the -certificate configuration file to use (see the \fBCERTIFICATE -CONFIGURATION FILE\fR section below for the configuration options). 
-.RE - -.TP -\(lq[client]\(rq section -This section is used for configuring the ACME client (which takes care -of ACME commands and dialogues with the remote ACME server). - -.RS -.TP -.I socket -See \fB\-\-socket=\fR. -Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR -environment variable is set. - -.TP -.I user -The username to drop privileges to (setting both effective and real -uid). -Preserve root privileges if the value is empty (not recommended). -Default: \(lqnobody\(rq. - -.TP -.I group -The groupname to drop privileges to (setting both effective and real -gid, and also setting the list of supplementary gids to that single -group). Preserve root privileges if the value is empty (not -recommended). -Default: \(lqnogroup\(rq. - -.TP -.I command -Path to the ACME client executable. -Default: \(lq/usr/lib/letsencrypt\-tiny/client\(rq. - -.TP -.I server -Root URI of the ACME server. -Default: \(lqhttps://acme\-v01.api.letsencrypt.org/\(rq. - -.TP -.I timeout -Timeout in seconds after which the client stops polling the ACME server -and considers the request failed. -Default: \(lq10\(rq. - -.TP -.I SSL_verify -Whether to verify the server certificate chain. -Default: \(lqYes\(rq. - -.TP -.I SSL_version -Specify the version of the SSL protocol used to transmit data. - -.TP -.I SSL_cipher_list -Specify the cipher list for the connection. -.RE - -.TP -\(lq[webserver]\(rq section -This section is used for configuring the ACME webserver. - -.RS -.TP -.I listen -Specify the local address to listen on, in the form -\fIADDRESS\fR[:\fIPORT\fR]. -If \fIADDRESS\fR is enclosed with brackets \(oq[\(cq/\(oq]\(cq then it -denotes an IPv6; an empty \fIADDRESS\fR means \(oq0.0.0.0\(cq. -Default: \(lq:80\(rq. 
- -.TP -.I challenge\-directory -If a webserver is already running, specify a non\-existent directory -under which the webserver is configured to serve GET requests for -challenge files under \(lq/.well\-known/acme\-challenge/\(rq (for each -virtual hosts requiring authorization) as static files. -Default: \(lq/var/www/acme\-challenge\(rq. - -.TP -.I user -The username to drop privileges to (setting both effective and real -uid). -Preserve root privileges if the value is empty (not recommended). -Default: \(lqwww\-data\(rq. - -.TP -.I group -The groupname to drop privileges to (setting both effective and real -gid, and also setting the list of supplementary gids to that single -group). Preserve root privileges if the value is empty (not -recommended). -Default: \(lqwww\-data\(rq. - -.TP -.I command -Path to the ACME webserver executable. -Default: \(lq/usr/lib/letsencrypt\-tiny/webserver\(rq. - -.TP -.I iptables -Whether to automatically install \fIiptables\fR(1) rules to open the -\fIADDRESS\fR[:\fIPORT\fR] specified with \fIlisten\fR. -Theses rules are automatically removed once \fBletsencrypt\fR exits. -Default: \(lqYes\(rq. -.RE - - -.SH CERTIFICATE CONFIGURATION FILE -For certificate issuances (\fBnew\-cert\fR command), a separate file is -used to configure paths to the certificate and key, as well as the -subject, subjectAltName, etc. to generate Certificate Signing Requests. -If \fB\-\-config\-certs=\fR is not given, and if the -\fIconfig\-certs\fR configuration option is absent, -then \fBletsencrypt\fR uses the first existing configuration file among -\fI./letsencrypt\-certs.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-certs.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt\-certs.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt\-certs.conf\fR. -Each section denotes a separate certificate issuance. 
-Valid options are: - -.TP -.I certificate -Where to store the issued certificate (in PEM format). -At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is -required. - -.TP -.I certificate\-chain -Where to store the issued certificate, concatenated with the content of -the file specified specified with the \fICAfile\fR option (in PEM -format). -At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is -required. - -.TP -.I certificate\-key -Path the service's private key. This option is required. The following -command can be used to generate a new 4096\-bits RSA key in PEM format -with mode 0600: - -.nf - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key -.fi - -.TP -.I min\-days -For an existing certificate, the minimum number of days before its -expiration date the section is considered for re\-issuance. -Default: \(lq10\(rq. - - -.TP -.I CAfile -Path to the issuer's certificate. This is used for -\fIcertificate\-chain\fR and to verify the validity of each issued -certificate. -Specifying an empty value skip certificate validation. -Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x3\-cross\-signed.pem\(rq. - -.TP -.I hash -Message digest to sign the Certificate Signing Request with. - -.TP -.I keyUsage -Comma\-separated list of Key Usages, see \fIx509v3_config\fR(5ssl). - -.TP -.I subject -Subject field of the Certificate Signing Request, in the form -\fR/\fItype0\fR=\fIvalue0\fR/\fItype1\fR=\fIvalue1\fR/\fItype2\fR=... -This option is required. - -.TP -.I subjectAltName -Comma\-separated list of Subject Alternative Names, in the form -\fItype0\fR:\fIvalue1\fR,\fItype1\fR:\fIvalue1\fR,\fItype2\fR:... -The only \fItype\fR currently supported is \(lqDNS\(rq, to specify an -alternative domain name. - -.TP -.I chown -An optional \fIusername\fR[:\fIgroupname\fR] to chown the issued -\fIcertificate\fR and \fIcertificate\-chain\fR with. 
- -.TP -.I chmod -An optional octal mode to chmod the issued \fIcertificate\fR and -\fIcertificate\-chain\fR with. - -.TP -.I notify -Command to pass the the system's command shell (\(lq/bin/sh \-c\(rq) -after successful installation of the \fIcertificate\fR and/or -\fIcertificate\-chain\fR. - - -.SH EXAMPLES - -.nf - ~$ sudo letsencrypt new-reg mailto:noreply@example.com - ~$ sudo letsencrypt reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf - ~$ sudo letsencrypt new-cert - ~$ sudo letsencrypt revoke-cert /path/to/server/certificate.pem -.fi - - -.SH SEE ALSO -\fBletsencrypt\-accountd\fR(1) - -.SH AUTHOR -.ie \n[www-html] \{\ - Written by -. MTO guilhem@fripost.org "Guilhem Moulin" . -\} -.el \{\ - Written by Guilhem Moulin -. MT guilhem@fripost.org -. ME . -\} |
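Review bot: For the lacme.md hunk (the *certificate-key* through *notify* entries and the Examples section): the *CAfile* entry reads "Specifying an empty value skip certificate validation"; besides the grammar ("skips"), an empty value silently turns off verification of every issued certificate against the issuer, so say explicitly that this is not recommended. The *subjectAltName* form `type0:value1,type1:value1,type2:…` looks like it should be `type0:value0,type1:value1,type2:…`, matching the *subject* form `/type0=value0/type1=value1/`. The *notify* entry doubles "the" in "pass the the system's command shell". Finally, *hash* and *keyUsage* are the only options in the list with neither a stated default nor a "this option is required/optional" note; add one or the other.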
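Review bot: For the letsencrypt-accountd.1 deletion hunk: this removes the hand-written roff page and nothing in the diff shows its Markdown replacement, so please confirm the security-relevant wording survived the move, in particular the `--socket=` behaviour ("aborts if path exists or if its parent directory is writable by other users"), the statement that no other component needs access to the account key, and the OpenSSH `-R` socket-forwarding example with `-oExitOnForwardFailure=yes`. The AUTHOR section here relies on the `.ie \n[www-html]` / `MTO` / `MT` conditional, which a generated page will not reproduce as-is; check that the generated lacme-accountd.1 still carries an author and contact line.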
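Review bot: For the letsencrypt.1 deletion hunk: the removed page contains several typos that must not be inherited by the page now generated from Markdown: "\(lqmaito:\(rq" for "mailto:" under new-reg, "adding this options", "Theses rules" under *iptables*, "the file specified specified" under *certificate-chain*, and "Path the service's private key" under *certificate-key*. Two of them ("Specifying an empty value skip certificate validation" and "pass the the system's command shell") are visibly carried over into the lacme.md hunk above, so the others likely are as well; fix them in lacme.md rather than in the generated output. Also, the deleted page marked the empty-value case of *user*/*group* as "not recommended" for both the client and webserver sections; make sure that caveat survives, since an empty value keeps the forked ACME client or webserver running as root.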