authorGuilhem Moulin <guilhem@fripost.org>2020-08-04 01:40:31 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-08-04 01:40:31 +0200
commit2671d497d6d287b4729fed39738a9ad86e78c44c (patch)
tree34599aa17192d0d7441c799d3c013d2659a1ccda
parentcfb8e89b5992b51d5d0955509dfedeab228e43eb (diff)
parent49c14fb9faf9aedf1f6c22bff9526ba980d0f23b (diff)
Merge tag 'upstream/0.6.1' into debian
New release 0.6.1
-rw-r--r--.gitignore3
-rw-r--r--COPYING8
-rw-r--r--Changelog16
-rw-r--r--Makefile97
-rwxr-xr-xclient2
-rw-r--r--config/lacme-certs.conf2
-rw-r--r--config/lacme.conf20
-rwxr-xr-xlacme18
-rwxr-xr-xlacme-accountd4
-rw-r--r--lacme-accountd.1.md (renamed from lacme-accountd.md)24
-rw-r--r--lacme.8.md (renamed from lacme.md)39
-rwxr-xr-xpandoc2man.jq28
-rw-r--r--snippets/apache2.conf5
-rw-r--r--snippets/nginx.conf2
-rwxr-xr-xwebserver2
15 files changed, 156 insertions, 114 deletions
diff --git a/.gitignore b/.gitignore
index 813d896..f6e4380 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
# vim swapfiles
.*.sw[po]
-# generated man-pages
-*.1
+/build/
diff --git a/COPYING b/COPYING
index 94a9ed0..e600086 100644
--- a/COPYING
+++ b/COPYING
@@ -1,7 +1,7 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
@@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/philosophy/why-not-lgpl.html>.
diff --git a/Changelog b/Changelog
index c7cc0b3..b71cce7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,17 @@
+lacme (0.6.1) upstream;
+
+ + Adapt Apache2 snippet to Apache2 2.4.
+ + Ignore [accountd] section from lacme.conf when the --socket option is
+ defined. This allows remotely-controlled lacme processes being
+ controlled without modifying an config files.
+ * Makefile: major refactoring, add install and uninstall targets, honor
+ BUILD_DOCDIR and DESTDIR variables.
+ * Install lacme manual to section 8.
+ * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
+ * Makefile: Use variables for target directories etc.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Tue, 04 Aug 2020 01:39:47 +0200
+
lacme (0.6) upstream;
+ client: poll order URL instead of each authz URL successively.
@@ -5,7 +19,7 @@ lacme (0.6) upstream;
deactivation, see RFC 8555 sec. 7.3.6.
- lacme, client: new dependency Date::Parse, don't parse RFC 3339
datetime strings from X.509 certs manually.
- - lacme: assume that the iptables(1) binaries are under /usr/sbin not
+ - lacme: assume that the iptables(8) binaries are under /usr/sbin not
/sbin. As of Buster this is the case, and the maintainer plans to
drop compatibility symlinks once Bullseye is released.
- Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
diff --git a/Makefile b/Makefile
index 5d421bf..757a581 100644
--- a/Makefile
+++ b/Makefile
@@ -1,53 +1,56 @@
-MANPAGES = lacme-accountd.1 lacme.1
+DESTDIR ?= /usr/local
+BUILDDIR ?= ./build
+MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md)))
-all: ${MANPAGES}
+all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver $(wildcard config/* snippets/*))
+doc: manual
+
+manual: $(MANUAL_FILES)
# upper case the headers and remove the links
-%.1: %.md
- @pandoc -f markdown -t json "$<" | \
- jq " \
- def fixheaders: \
- if .t == \"Header\" then \
- .c[2][] |= (if .t == \"Str\" then .c |= ascii_upcase else . end)\
- else \
- . \
- end; \
- def fixlinks: \
- if type == \"object\" then \
- if .t == \"Link\" then \
- if .c[2][0][0:7] == \"mailto:\" then . else .c[1][] end \
- else \
- map_values(fixlinks) \
- end \
- else if type == \"array\" then \
- map(fixlinks) \
- else \
- . \
- end \
- end; \
- { \"pandoc-api-version\" \
- , meta \
- , blocks: .blocks | map(fixheaders) | map(fixlinks) \
- }" | \
- pandoc -s -f json -t man+smart -o "$@"
-
-install: ${MANPAGES}
- install -d $(DESTDIR)/etc/lacme
- install -d $(DESTDIR)/etc/lacme/lacme-certs.conf.d
- install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf
- install -m0644 -t $(DESTDIR)/etc/lacme snippets/*.conf
- install -d $(DESTDIR)/usr/share/lacme
- install -m0644 -t $(DESTDIR)/usr/share/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem
- install -d $(DESTDIR)/usr/lib/lacme
- install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver
- install -d $(DESTDIR)/usr/share/man/man1
- install -m0644 -t $(DESTDIR)/usr/share/man/man1 lacme-accountd.1 lacme.1
- install -d $(DESTDIR)/usr/bin
- install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd
- install -d $(DESTDIR)/usr/sbin
- install -m0644 -t $(DESTDIR)/usr/bin lacme
+$(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md
+ pandoc -f markdown -t json -- "$<" | ./pandoc2man.jq | pandoc -s -f json -t man -o "$@"
+
+prefix ?= $(DESTDIR)
+exec_prefix ?= $(prefix)
+bindir ?= $(exec_prefix)/bin
+sbindir ?= $(exec_prefix)/sbin
+libexecdir ?= $(exec_prefix)/libexec
+datarootdir ?= $(prefix)/share
+datadir ?= $(datarootdir)
+sysconfdir ?= $(prefix)/etc
+localstatedir =? $(prefix)/var
+runstatedir ?= $(localstatedir)/run
+mandir ?= $(datarootdir)/man
+man1dir ?= $(mandir)/man1
+man8dir ?= $(mandir)/man8
+
+$(BUILDDIR)/%: %
+ mkdir -pv -- $(dir $@)
+ cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@"
+ sed -i "s#@@bindir@@#$(bindir)#g; \
+ s#@@sbindir@@#$(sbindir)#g; \
+ s#@@libexecdir@@#$(libexecdir)#g; \
+ s#@@datadir@@#$(datadir)#g; \
+ s#@@runstatedir@@#$(runstatedir)#g; \
+ s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@"
+
+install: all
+ install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf
+ install -vd $(sysconfdir)/lacme/lacme-certs.conf.d
+ install -m0644 -vDt $(datadir)/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem
+ install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver
+ install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1
+ install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8
+ install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd
+ install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme
+
+uninstall:
+ rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme
+ rm -vf -- $(man1dir)/lacme-accountd.1 $(man8dir)/lacme.8
+ rm -rvf -- $(sysconfdir)/lacme $(datadir)/lacme $(libexecdir)/lacme
clean:
- rm -vf ${MANPAGES}
+ rm -rvf -- $(BUILDDIR)
-.PHONY: all install clean
+.PHONY: all doc manual install uninstall clean
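Review bot: `localstatedir =? $(prefix)/var` is a typo for `?=`: Make reads it as a plain recursive assignment whose value is the literal text `? $(prefix)/var`, `runstatedir` inherits it, and the sed rule then writes `? /usr/local/var/run/lacme-www.socket` into the built `lacme`, `lacme.conf` and both web-server snippets, which, given that *listen* is documented as space-separated, likely leaves the webserver component with a bogus extra address; the line should read `localstatedir ?= $(prefix)/var`. Separately, `install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd` and the `$(sbindir)` line after it install scripts that are mode 100755 in the tree without the execute bit, so `-m0755` (as already used for the libexec helpers) looks intended. `prefix ?= $(DESTDIR)` with `DESTDIR ?= /usr/local` also conflates the staging root with the install prefix: a packager running `make DESTDIR=/tmp/stage install` gets `/tmp/stage/bin` baked into the substituted paths, whereas the usual convention is `prefix ?= /usr/local` with `$(DESTDIR)` prepended only inside the install and uninstall recipes. Finally, `uninstall` removes `$(sysconfdir)/lacme` recursively, discarding locally edited configuration and anything an administrator dropped into `lacme-certs.conf.d`; removing only the files `install` created would be safer. The hunk covers the whole Makefile, so these remarks are not cut by the hunk boundary.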
diff --git a/client b/client
index 2eebbf0..b59c013 100755
--- a/client
+++ b/client
@@ -15,7 +15,7 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
#----------------------------------------------------------------------
use v5.14.2;
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 97d588a..dd02f95 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -34,7 +34,7 @@
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
#
-#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
+#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
diff --git a/config/lacme.conf b/config/lacme.conf
index 39c8654..9f4db72 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -8,11 +8,11 @@
# The value of "socket" specifies the path to the lacme-accountd(1)
# UNIX-domain socket to connect to for signature requests from the ACME
-# client. lacme(1) aborts if the socket is readable or writable by
+# client. lacme(8) aborts if the socket is readable or writable by
# other users, or if its parent directory is writable by other users.
# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
# variable is set.
-# This option is ignored when lacme-accountd(1) is spawned by lacme(1),
+# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
# since the two processes communicate through a socket pair. See the
# "accountd" section below for details.
#
@@ -31,7 +31,7 @@
# Path to the ACME client executable.
#
-#command = /usr/lib/lacme/client
+#command = @@libexecdir@@/lacme/client
# URI of the ACME server's directory. NOTE: Use the staging server
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
@@ -62,7 +62,7 @@
# Comma- or space-separated list of addresses to listen on, for instance
# "0.0.0.0:80 [::]:80".
#
-#listen = /var/run/lacme-www.socket
+#listen = @@runstatedir@@/lacme-www.socket
# Non-existent directory under which an external HTTP daemon is
# configured to serve GET requests for challenge files under
@@ -84,19 +84,19 @@
# Path to the ACME webserver executable.
#
-#command = /usr/lib/lacme/webserver
+#command = @@libexecdir@@/lacme/webserver
# Whether to automatically install iptables(8) rules to open the
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once lacme(1) exits.
+# removed once lacme(8) exits.
#
#iptables = No
[accountd]
# lacme-accound(1) section. Comment out this section (including its
-# header) to make lacme(1) connect to an existing UNIX-domain socket
-# bound by a running acme-accountd(1) process.
+# header), or use the --socket= CLI option, to make lacme(8) connect to
+# an existing lacme-accountd(1) process via a UNIX-domain socket.
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty.
@@ -111,11 +111,11 @@
# Path to the lacme-accountd(1) executable.
#
-#command = /usr/bin/lacme-accountd
+#command = @@bindir@@/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
#
-#config = /etc/lacme/lacme-accountd.conf
+#config = @@sysconfdir@@/lacme/lacme-accountd.conf
# The (private) account key to use for signing requests. See
# lacme-accountd(1) for details.
diff --git a/lacme b/lacme
index d5e8933..1ca4a38 100755
--- a/lacme
+++ b/lacme
@@ -15,7 +15,7 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
#----------------------------------------------------------------------
use v5.14.2;
@@ -75,7 +75,7 @@ sub set_FD_CLOEXEC($$);
my $CONFFILENAME = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
, ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
- , "/etc/lacme/$NAME.conf"
+ , "@@sysconfdir@@/lacme/$NAME.conf"
);
do {
die "Error: Can't find configuration file\n" unless defined $CONFFILENAME;
@@ -87,30 +87,30 @@ do {
my $h = Config::Tiny::->read_string($conf) or die Config::Tiny::->errstr()."\n";
my $defaults = delete $h->{_} // {};
- my $accountd = exists $h->{accountd} ? 1 : 0;
+ my $accountd = defined $OPTS{socket} ? 0 : exists $h->{accountd} ? 1 : 0;
my %valid = (
client => {
socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef),
user => 'nobody',
group => 'nogroup',
- command => '/usr/lib/lacme/client',
+ command => '@@libexecdir@@/lacme/client',
# the rest is for the ACME client
map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
},
webserver => {
- listen => '/var/run/lacme-www.socket',
+ listen => '@@runstatedir@@/lacme-www.socket',
'challenge-directory' => undef,
user => 'www-data',
group => 'www-data',
- command => '/usr/lib/lacme/webserver',
+ command => '@@libexecdir@@/lacme/webserver',
iptables => 'No'
},
accountd => {
user => '',
group => '',
- command => '/usr/bin/lacme-accountd',
- config => '/etc/lacme/lacme-accountd.conf',
+ command => '@@bindir@@/lacme-accountd',
+ config => '@@sysconfdir@@/lacme/lacme-accountd.conf',
privkey => undef,
quiet => 'Yes',
}
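Review bot: The nested ternary `defined $OPTS{socket} ? 0 : exists $h->{accountd} ? 1 : 0` parses correctly (`?:` is right-associative) but reads ambiguously; a single boolean, `my $accountd = (!defined $OPTS{socket} and exists $h->{accountd}) ? 1 : 0;`, states the intent directly. A one-line comment above it, `# --socket overrides the [accountd] section: connect to the given socket instead of spawning lacme-accountd`, would tie the code to the behaviour documented in lacme.8.md and lacme.conf in this same commit. The enclosing `do` block starts and ends outside the hunk.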
@@ -743,7 +743,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
};
# verify certificate validity against the CA
- $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem';
+ $conf->{CAfile} //= '@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem';
if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
qw/-purpose sslserver -x509_strict/)) {
print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
diff --git a/lacme-accountd b/lacme-accountd
index 822894b..af64168 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -16,7 +16,7 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
#----------------------------------------------------------------------
use v5.14.2;
@@ -67,7 +67,7 @@ do {
my $conffile = $OPTS{config} // first { -f $_ }
( "./$NAME.conf"
, ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
- , "/etc/lacme/$NAME.conf"
+ , "@@sysconfdir@@/lacme/$NAME.conf"
);
die "Error: Can't find configuration file\n" unless defined $conffile;
print STDERR "Using configuration file: $conffile\n" if $OPTS{debug};
diff --git a/lacme-accountd.md b/lacme-accountd.1.md
index 403c68c..6cf9ea8 100644
--- a/lacme-accountd.md
+++ b/lacme-accountd.1.md
@@ -16,9 +16,9 @@ Synopsis
Description
===========
-`lacme-accountd` is the account key manager component of [`lacme`(1)], a
+`lacme-accountd` is the account key manager component of [`lacme`(8)], a
small [ACME] client written with process isolation and minimal
-privileges in mind. No other [`lacme`(1)] component needs access to the
+privileges in mind. No other [`lacme`(8)] component needs access to the
account key; in fact the account key could as well be stored on another
host or a smartcard.
@@ -26,12 +26,12 @@ host or a smartcard.
`--socket=`), which [ACME] clients can connect to in order to request
data signatures.
As a consequence, `lacme-accountd` needs to be up and running before
-using [`lacme`(1)] to issue [ACME] commands. Also, the process does not
+using [`lacme`(8)] to issue [ACME] commands. Also, the process does not
automatically terminate after the last signature request: instead, one
sends an `INT` or `TERM` [`signal`(7)] to bring the server down.
Furthermore, one can use the UNIX-domain socket forwarding facility of
-[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(1)] on
+[OpenSSH] 6.7 and later to run `lacme-accountd` and [`lacme`(8)] on
different hosts. For instance one could store the account key on a
machine that is not exposed to the internet. See the
**[examples](#examples)** section below.
@@ -85,7 +85,7 @@ If `--config=` is not given, `lacme-accountd` uses the first existing
configuration file among *./lacme-accountd.conf*,
*$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or
*~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME`
-environment variable is not set), and */etc/lacme/lacme-accountd.conf*.
+environment variable is not set), and *@@sysconfdir@@/lacme/lacme-accountd.conf*.
When given on the command line, the `--privkey=`, `--socket=` and
`--quiet` options take precedence over their counterpart (without
@@ -119,13 +119,13 @@ Run `lacme-accountd` in a first terminal:
~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme
-Then, while `lacme-accountd` is running, execute locally [`lacme`(1)] in
+Then, while `lacme-accountd` is running, execute locally [`lacme`(8)] in
another terminal:
~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder
Alternatively, use [OpenSSH] 6.7 or later to forward the socket and
-execute [`lacme`(1)] remotely:
+execute [`lacme`(8)] remotely:
~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
sudo lacme --socket=/path/to/remote.sock newOrder
@@ -133,11 +133,11 @@ execute [`lacme`(1)] remotely:
See also
========
-[`lacme`(1)], [`ssh`(1)]
+[`lacme`(8)], [`ssh`(1)]
[ACME]: https://tools.ietf.org/html/rfc8555
-[`lacme`(1)]: lacme.1.html
-[`signal`(7)]: http://linux.die.net/man/7/signal
+[`lacme`(8)]: lacme.8.html
+[`signal`(7)]: https://linux.die.net/man/7/signal
[`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
-[OpenSSH]: http://www.openssh.com/
-[`ssh`(1)]: http://man.openbsd.org/ssh
+[OpenSSH]: https://www.openssh.com/
+[`ssh`(1)]: https://man.openbsd.org/ssh
diff --git a/lacme.md b/lacme.8.md
index ca9a6a9..90fd3cf 100644
--- a/lacme.md
+++ b/lacme.8.md
@@ -1,4 +1,4 @@
-% lacme(1)
+% lacme(8)
% [Guilhem Moulin](mailto:guilhem@fripost.org)
% December 2015
@@ -108,11 +108,9 @@ Generic options
aborts if `path` is readable or writable by other users, or if its
parent directory is writable by other users.
This command-line option overrides the *socket* option of the
- [`[client]` section](#client-section) of the configuration file.
- Moreover this option is ignored when the configuration file has an
- [`[accountd]` section](#accountd-section); in that case `lacme`
- spawns [`lacme-accountd`(1)], and the two processes communicate
- through a socket pair.
+ [`[client]` section](#client-section) of the configuration file; it
+ also causes the [`[accountd]` section](#accountd-section) to be
+ ignored.
`-h`, `--help`
@@ -133,7 +131,7 @@ If `--config=` is not given, `lacme` uses the first existing
configuration file among *./lacme.conf*,
*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if
the `XDG_CONFIG_HOME` environment variable is not set), and
-*/etc/lacme/lacme.conf*.
+*@@sysconfdir@@/lacme/lacme.conf*.
Valid options are:
Default section
@@ -185,7 +183,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).
*command*
: Path to the [ACME] client executable.
- Default: `/usr/lib/lacme/client`.
+ Default: `@@libexecdir@@/lacme/client`.
*server*
@@ -224,13 +222,13 @@ served during certificate issuance.
addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
`:PORT` suffix is optional and defaults to the HTTP port 80), or an
absolute path of a UNIX-domain socket (created with mode `0666`).
- Default: `/var/run/lacme-www.socket`.
+ Default: `@@runstatedir@@/lacme-www.socket`.
**Note**: The default value is only suitable when an external HTTP
daemon is publicly reachable and passes all ACME challenge requests
to the webserver component through the UNIX-domain socket
- `/var/run/lacme-www.socket` (for instance using the provided
- `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration
+ `@@runstatedir@@/lacme-www.socket` (for instance using the provided
+ `@@sysconfdir@@/lacme/apache2.conf` or `@@sysconfdir@@/lacme/nginx.conf` configuration
snippets for each virtual host requiring authorization). If there
is no HTTP daemon bound to port 80 one needs to set *listen* to
`[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or
@@ -264,7 +262,7 @@ served during certificate issuance.
: Path to the [ACME] webserver executable. A separate process is
spawned for each address to *listen* on. (In particular no
webserver process is forked when the *listen* option is empty.)
- Default: `/usr/lib/lacme/webserver`.
+ Default: `@@libexecdir@@/lacme/webserver`.
*iptables*
@@ -276,10 +274,11 @@ served during certificate issuance.
`[accountd]` section
---------------------
-This section is used for configuring the [`lacme-accountd`(1)] process.
-If the section (including its header) is absent or commented out,
-`lacme` connects to an existing UNIX-domain socket bound by a running
-[`lacme-accountd`(1)] process.
+This section is used for configuring the [`lacme-accountd`(1)] child
+process. If the section (including its header) is absent or commented
+out, or if the CLI option `--socket` is specified, then `lacme` connects
+to an existing [`lacme-accountd`(1)] process via the specified
+UNIX-domain socket.
*user*
@@ -295,12 +294,12 @@ If the section (including its header) is absent or commented out,
*command*
: Path to the [`lacme-accountd`(1)] executable.
- Default: `/usr/bin/lacme-accountd`.
+ Default: `@@bindir@@/lacme-accountd`.
*config*
: Path to the [`lacme-accountd`(1)] configuration file.
- Default: `/etc/lacme/lacme-accountd.conf`.
+ Default: `@@sysconfdir@@/lacme/lacme-accountd.conf`.
*privkey*
@@ -355,7 +354,7 @@ Valid options are:
*certificate-chain* and to verify the validity of each issued
certificate.
Specifying an empty value skip certificate validation.
- Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`.
+ Default: `@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem`.
*hash*
@@ -408,6 +407,6 @@ See also
[ACME]: https://tools.ietf.org/html/rfc8555
[`lacme-accountd`(1)]: lacme-accountd.1.html
-[`iptables`(8)]: http://linux.die.net/man/8/iptables
+[`iptables`(8)]: https://linux.die.net/man/8/iptables
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
diff --git a/pandoc2man.jq b/pandoc2man.jq
new file mode 100755
index 0000000..69802a5
--- /dev/null
+++ b/pandoc2man.jq
@@ -0,0 +1,28 @@
+#!/usr/bin/jq -f
+
+def fixheaders:
+ if .t == "Header" then
+ .c[2][] |= (if .t == "Str" then .c |= ascii_upcase else . end)
+ else
+ .
+ end;
+
+def fixlinks:
+ if type == "object" then
+ if .t == "Link" then
+ if .c[2][0][0:7] == "mailto:" then . else .c[1][] end
+ else
+ map_values(fixlinks)
+ end
+ else if type == "array" then
+ map(fixlinks)
+ else
+ .
+ end
+ end;
+
+{
+ "pandoc-api-version"
+ , meta
+ , blocks: .blocks | map(fixheaders | fixlinks)
+}
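Review bot: The new filter has no header comment stating what it does, and its interpreter line `#!/usr/bin/jq -f` ties the build to a jq installed under `/usr/bin`, so the Makefile rule that runs `./pandoc2man.jq` fails on systems where jq lives elsewhere. A comment after the shebang along the lines of `# Pandoc JSON AST filter for man-page output: upper-cases Str nodes inside headers and replaces each Link by its text, keeping only mailto: links` would document the contract, and invoking `jq -f pandoc2man.jq` from the Makefile would remove the path dependency. The `.c[1][]` in fixlinks emits several values per Link and appears to rely on Links always being reached through `map(...)` on an inline array, where the outputs are collected; that assumption is worth a comment since `map_values` would not splice them the same way.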
diff --git a/snippets/apache2.conf b/snippets/apache2.conf
index 20bf2ad..45d7c7f 100644
--- a/snippets/apache2.conf
+++ b/snippets/apache2.conf
@@ -5,8 +5,7 @@
# non-ssl one) of each virtual host requiring authorization.
<Location /.well-known/acme-challenge/>
- ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/
- Order allow,deny
- Allow from all
+ ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/
+ Require all granted
</Location>
diff --git a/snippets/nginx.conf b/snippets/nginx.conf
index 981bdc3..6775489 100644
--- a/snippets/nginx.conf
+++ b/snippets/nginx.conf
@@ -6,7 +6,7 @@
location ^~ /.well-known/acme-challenge/ {
# Pass ACME requests to lacme's webserver component
- proxy_pass http://unix:/var/run/lacme-www.socket;
+ proxy_pass http://unix:@@runstatedir@@/lacme-www.socket;
## Alternatively, you can let nginx serve the requests by
## setting 'challenge-directory' to '/var/www/acme-challenge' in
diff --git a/webserver b/webserver
index 584f0bb..c16737f 100755
--- a/webserver
+++ b/webserver
@@ -16,7 +16,7 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
#----------------------------------------------------------------------
use v5.14.2;