authorGuilhem Moulin <guilhem@fripost.org>2017-07-08 21:02:36 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-07-08 21:02:36 +0200
commit8cdd29841d0dbb89e866aad36173bb26182d0c97 (patch)
tree257e918f4af3bd68555276d7f19a0d3d0deea589
parent8349b801a5f7e5f11b0a758d7ab28d8b79eb08ea (diff)
Bind webserver to /var/run/lacme-www.socket by default.
-rw-r--r--Changelog2
-rw-r--r--config/lacme.conf2
-rwxr-xr-xlacme2
-rw-r--r--lacme.md4
-rw-r--r--snippets/apache2.conf2
-rw-r--r--snippets/nginx.conf2
6 files changed, 7 insertions, 7 deletions
diff --git a/Changelog b/Changelog
index e0ce8c0..070f2e3 100644
--- a/Changelog
+++ b/Changelog
@@ -5,7 +5,7 @@ lacme (0.3) upstream;
+ new-cert: create certificate files atomically.
+ webserver: allow listening to multiple addresses (useful when
dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain
- socket by default </var/run/lacme.socket>.
+ socket by default </var/run/lacme-www.socket>.
+ webserver: don't install temporary iptables by default. Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the
diff --git a/config/lacme.conf b/config/lacme.conf
index 874bb1f..3cc1b34 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -62,7 +62,7 @@
# Comma- or space-separated list of addresses to listen on, for instance
# "0.0.0.0:80 [::]:80".
#
-#listen = /var/run/lacme.socket
+#listen = /var/run/lacme-www.socket
# Non-existent directory under which an external HTTP daemon is
# configured to serve GET requests for challenge files under
diff --git a/lacme b/lacme
index 01c683e..6570891 100755
--- a/lacme
+++ b/lacme
@@ -97,7 +97,7 @@ do {
map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
},
webserver => {
- listen => '/var/run/lacme.socket',
+ listen => '/var/run/lacme-www.socket',
'challenge-directory' => undef,
user => 'www-data',
group => 'www-data',
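Review bot: The new default `listen => '/var/run/lacme-www.socket'` is a literal that this commit has to keep in step with four other files (the diffstat shows the same path edited in config/lacme.conf, lacme.md, snippets/apache2.conf and snippets/nginx.conf), and nothing in the code records that coupling, so the next rename can silently miss one of them. A short comment on the line itself would help, e.g. `listen => '/var/run/lacme-www.socket', # keep in sync with config/lacme.conf, lacme.md and the snippets/ proxy configs`. Per lacme.md the socket is created with mode 0666, which is presumably intended so the external HTTP daemon's worker user can connect; a pointer to that in the same comment would make the default's reliance on a front-end daemon explicit. The enclosing `do { ... }` block begins and ends outside this hunk.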
diff --git a/lacme.md b/lacme.md
index 0f6f3ee..ba1e5be 100644
--- a/lacme.md
+++ b/lacme.md
@@ -232,12 +232,12 @@ served during certificate issuance.
addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
`:PORT` suffix is optional and defaults to the HTTP port 80), or an
absolute path of a UNIX-domain socket (created with mode `0666`).
- Default: `/var/run/lacme.socket`.
+ Default: `/var/run/lacme-www.socket`.
**Note**: The default value is only suitable when an external HTTP
daemon is publicly reachable and passes all ACME challenge requests
to the webserver component through the UNIX-domain socket
- `/var/run/lacme.socket` (for instance using the provided
+ `/var/run/lacme-www.socket` (for instance using the provided
`/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration
snippets for each virtual host requiring authorization). If there
is no HTTP daemon bound to port 80 one needs to set *listen* to
diff --git a/snippets/apache2.conf b/snippets/apache2.conf
index 471791c..20bf2ad 100644
--- a/snippets/apache2.conf
+++ b/snippets/apache2.conf
@@ -5,7 +5,7 @@
# non-ssl one) of each virtual host requiring authorization.
<Location /.well-known/acme-challenge/>
- ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/
+ ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/
Order allow,deny
Allow from all
</Location>
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 6753ff9..981bdc3 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -6,7 +6,7 @@
location ^~ /.well-known/acme-challenge/ {
# Pass ACME requests to lacme's webserver component
- proxy_pass http://unix:/var/run/lacme.socket;
+ proxy_pass http://unix:/var/run/lacme-www.socket;
## Alternatively, you can let nginx serve the requests by
## setting 'challenge-directory' to '/var/www/acme-challenge' in