author: Guilhem Moulin <guilhem@fripost.org> 2021-02-18 12:22:37 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2021-02-20 20:16:34 +0100
commit: 57afbf387cf812945ad14cd03570b0746fc4c865 (patch)
parent: 3e49ef22ba3fbbe4e73bc4ad151770603ffa5ef1 (diff)
Document spawning a remote lacme-accountd(1) instance.
And add a test case for this.
3 files changed, 57 insertions, 0 deletions
diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index 5303418..9377e23 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
@@ -135,6 +135,10 @@ execute [`lacme`(8)] remotely:
$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
sudo lacme --socket=/path/to/remote.sock newOrder
+Consult the [`lacme`(8) manual][`lacme`(8)] for a solution involving
+connecting to `lacme-accountd` on a dedicated remote host. Doing so
+enables automatic renewal via [`crontab`(5)] or [`systemd.timer`(5)].
See also
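Review bot: the new paragraph sends readers to lacme(8) "for a solution involving connecting to `lacme-accountd` on a dedicated remote host" without saying that it is the opposite direction from the `ssh -R` example directly above it: there, a local accountd socket is forwarded to the host running `lacme`; in the lacme(8) setup added by this same patch (`command = ssh -T lacme@account.example.net lacme-accountd`), `lacme` spawns `lacme-accountd` over ssh on the account host. One clause naming that difference would stop readers from mixing the two up, e.g. "for the reverse setup, where `lacme` spawns `lacme-accountd` over ssh on a dedicated account host".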
@@ -147,3 +151,5 @@ See also
[OpenSSH]: https://www.openssh.com/
[`ssh`(1)]: https://man.openbsd.org/ssh
[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
+[`crontab`(5)]: https://linux.die.net/man/5/crontab
+[`systemd.timer`(5)]: https://www.freedesktop.org/software/systemd/man/systemd.timer.html
diff --git a/lacme.8.md b/lacme.8.md
index 3852b13..6218d36 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -435,6 +435,21 @@ Examples
$ sudo lacme newOrder
$ sudo lacme revokeCert /path/to/service.crt
+Automatic renewal can be scheduled via [`crontab`(5)] or
+[`systemd.timer`(5)]. In order to avoid deploying a single account key
+onto multiple nodes and/or dealing with multiple account keys, one can
+install a single [`lacme-accountd`(1)] instance on a dedicated host,
+generate a single account key there (and keep it well), and set the
+following in the [`[accountd]` section](#accountd-section):
+ command = ssh -T lacme@account.example.net lacme-accountd
+If the user running `lacme` can connect to `lacme@account.example.net`
+using (passwordless) key authentication, this setting will spawn a
+remote [`lacme-accountd`(1)] and use it to sign [ACME] requests.
+Further hardening can be achieved my means of [`authorized_keys`(5)]
See also
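Review bot: the last added line has a typo ("achieved my means of" should read "by means of"), ends without a full stop, and leaves the hardening unspecified. Because the preceding sentence relies on passwordless key authentication from the `lacme` user, the manual should spell out the `authorized_keys`(5) options that confine that key on `account.example.net`, e.g. `restrict,command="lacme-accountd" ssh-ed25519 AAAA... lacme@client`, so the key can only run `lacme-accountd` and cannot open a shell, forward ports or agents, or allocate a pty. "(and keep it well)" would also read better as "keep it safe and backed up", since a lost account key means re-registering.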
@@ -448,3 +463,6 @@ See also
[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
[`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html
+[`crontab`(5)]: https://linux.die.net/man/5/crontab
+[`systemd.timer`(5)]: https://www.freedesktop.org/software/systemd/man/systemd.timer.html
+[`authorized_keys`(5)]: https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
diff --git a/tests/accountd-remote b/tests/accountd-remote
new file mode 100644
index 0000000..71bb8e2
--- /dev/null
+++ b/tests/accountd-remote
@@ -0,0 +1,33 @@
+# Remote accountd server process
+adduser --disabled-password --shell /bin/sh \
+ --home /home/lacme-account \
+ --gecos "lacme account user" \
+ --quiet lacme-account
+chown lacme-account: /etc/lacme/account.key
+DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
+ openssh-client openssh-server
+ssh-keygen -N "" -f ~root/.ssh/id_rsa
+install -olacme-account -glacme-account -dm0700 ~lacme-account/.ssh
+install -olacme-account -glacme-account -m0644 ~root/.ssh/id_rsa.pub ~lacme-account/.ssh/authorized_keys
+{ echo -n "[]:2222 "; cat /etc/ssh/ssh_host_rsa_key.pub; } >~root/.ssh/known_hosts
+cat >/etc/ssh/sshd_config <<-EOF
+ Port 2222
+ ListenAddress
+ ChallengeResponseAuthentication no
+ PasswordAuthentication no
+ UsePAM yes
+install -oroot -groot -dm0755 /run/sshd
+sed -ri 's|^#?command\s*=.*/lacme-accountd$|command = ssh -Tp2222 -llacme-account lacme-accountd|' /etc/lacme/lacme.conf
+sed -ri 's|^#?config\s*=.*|config = /etc/lacme/lacme-accountd.conf|' /etc/lacme/lacme.conf
+lacme newOrder --debug 2>"$STDERR" || fail # intentionally use --debug, ssh should tunnel stdin + stdout + stderr
+test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
+# vim: set filetype=sh :
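Review bot: the sshd setup in this test cannot work as shown: `ListenAddress` is written with no address, and the matching known_hosts entry is `[]:2222` with an empty host, so either both lines lost their address value or sshd will refuse to start and ssh will never match the host key; the `cat >/etc/ssh/sshd_config <<-EOF` heredoc also has no `EOF` terminator visible before `install -oroot -groot -dm0755 /run/sshd`, which would make the rest of the script part of sshd_config. Nothing visible starts sshd after the config is written, so unless the harness does, `ssh -Tp2222` in the rewritten `command =` line will fail to connect. Two smaller points: the final `test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key` lacks the `|| fail` the `lacme newOrder` line uses, so a stale certificate passes silently unless the harness runs with `set -e`; and `echo -n` is not POSIX sh (the modeline says filetype=sh), so `printf '[]:2222 '` is the portable form.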