| field | value | date |
|---|---|---|
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-12-18 12:39:38 +0100 |
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-12-18 12:39:38 +0100 |
| commit | 1f1e4d85ffec1f13d88740a6fa8edb05696607d2 (patch) | |
| tree | 1f572c444c41b19f5eaad00f20245bdf656058be /README | |
| parent | d5fefc20bd4a6a4531fba2029ed4a5c895747c5d (diff) | |
| parent | a54a33b14c680984207e40259416684798d976f9 (diff) | |
Merge branch 'master' into debian
Diffstat (limited to 'README')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | README | 32 |
1 files changed, 32 insertions, 0 deletions
| @@ -0,0 +1,32 @@ +letsencrypt is a tiny ACME client written with process isolation and +minimal privileges in mind.  It is divided into three components: + +1. The "master" process, which runs as root and is the only component +   with access to the private key material (both account and server +   keys).  It is only used to fork the other components (after dropping +   privileges), and to sign ACME requests (JSON Web Signatures); for +   certificate issuance ("new-cert" command), it is also used to +   generate the Certificate Signing Request, then to verify the validity +   of the issued certificate, and optionally to reload or restart +   services using "--notify". + +2. The actual ACME client, which runs as the user specified with +   "--runas" (or root if the option is omitted).  It builds ACME +   requests and dialogues with the remote ACME server.  All requests +   need to be signed with the account key, but this process doesn't need +   direct access to any private key material: instead, it write the data +   to be signed to a pipe shared with the master process, which in turns +   replies with its SHA-256 signature. + +3. An optional webserver, which is spawned by the master process (when +   nothing is listening on localhost:80); socat(1) is used to listen on +   port 80 and to change the user (owner) and group of the process to +   "www-data:www-data".  (The only challenge type currently supported by +   letsencrypt-tiny is "http-01", hence a webserver is required.) Some +   iptables rules are automatically added to open port 80, and removed +   afterwards.  The web server only processes GET requests under the +   "/.well-known/acme-challenge" URI. +   If a webserver is already listening on port 80, it needs to be +   configured to serve these URIs (for each virtual-hosts requiring +   authorization) as static files under the +   "/var/www/acme-challenge" root directory, which must not exist. | 
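Review bot: the last paragraph of the hunk tells the reader that the "/var/www/acme-challenge" root directory "must not exist" without saying why or what the tool does with that path, so an admin who creates it while wiring up the vhost aliases will hit an unexplained failure; add a sentence stating who creates and removes that directory and when (for example "the master process creates it for the duration of the challenge and removes it afterwards", if that is the behaviour). Two wording fixes in the component 2 paragraph: "it write the data" should read "it writes the data", and "which in turns replies" should read "which in turn replies". In the same paragraph, "replies with its SHA-256 signature" is imprecise, since what the master returns is the JWS signature made with the account key over a SHA-256 digest rather than a hash; naming the JWS signature algorithm is clearer. The component 2 paragraph should also spell out that omitting "--runas" makes the ACME client run as root and forfeits the privilege separation the first sentence advertises. Finally, the iptables sentence ("automatically added to open port 80, and removed afterwards") should state whether the rules are also removed when the client exits on error, since leftover rules leave port 80 open.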
