authorGuilhem Moulin <guilhem@debian.org>2021-02-22 03:30:32 +0100
committerGuilhem Moulin <guilhem@debian.org>2021-02-22 03:30:32 +0100
commitd1be19ea9484f4c48af2de54266465d49bb1281d (patch)
tree768da9388a9ea6ed42d8d818a6433a4871a1172e /config
parent847ae99fb1ed73fd77c6ffd30f2c554ab5892fde (diff)
parent3eba02ef820a393bd5781be9f8fcda1611ae7c3d (diff)
Merge tag 'v0.8.0' into debian/latest
Release version 0.8.0
Diffstat (limited to 'config')
-rw-r--r--config/lacme-accountd.conf20
-rw-r--r--config/lacme-certs.conf45
-rw-r--r--config/lacme.conf52
3 files changed, 62 insertions, 55 deletions
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 94d2556..5c769cf 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -1,11 +1,11 @@
# The value of "privkey" specifies the (private) account key to use
# for signing requests. Currently supported values are:
#
-# - file:FILE, to specify an encrypted private key (in PEM format)
-# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
+# - file:FILE, for a private key in PEM format (optionally encrypted)
+# - gpg:FILE, for a gpg-encrypted private key
#
-#privkey = gpg:/path/to/encrypted/account.key.gpg
#privkey = file:/path/to/account.key
+#privkey = gpg:/path/to/encrypted/account.key.gpg
# For a gpg-encrypted private account key, "gpg" specifies the binary
# gpg(1) to use, as well as some default options. Default: "gpg
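Review bot: The rewritten `file:FILE` line now says the PEM key is only optionally encrypted, but the sample gives no guidance for the unencrypted case, where the file's ownership and mode are the only protection of the ACME account key. Consider adding below it `# An unencrypted key file should be readable only by the user running lacme-accountd(1).` — the exact ownership requirement is inferred here, so align it with whatever check the daemon actually performs. The reordering of the two `#privkey` examples itself is fine.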
@@ -17,10 +17,18 @@
# for signature requests from the ACME client. An error is raised if
# the path exists or if its parent directory is writable by other
# users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR
-# environment variable is set.
#
-#socket = /run/user/1000/S.lacme
+#socket = %t/S.lacme
+
+# An optional file where to log to.
+#
+#logfile =
+
+# The "Key ID", as shown by `acme account`, to give the ACME client.
+# A non-empty value revokes all account management access (status
+# change, contact address updates etc.) from the client.
+#
+#keyid =
# Be quiet. Possible values: "Yes"/"No".
#
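Review bot: The new default `#socket = %t/S.lacme` uses a `%t` specifier whose expansion is no longer explained anywhere in this file, since the lines describing the $XDG_RUNTIME_DIR default were removed in the same hunk. A one-line comment above it, e.g. `# "%t" expands to the runtime directory (see lacme-accountd(1)).`, would keep the sample self-describing; I am inferring the $XDG_RUNTIME_DIR mapping from the removed text, so confirm it against the manpage. The same applies to `#socket = %t/S.lacme` in config/lacme.conf in this commit.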
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 232c85b..5259690 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,41 +1,46 @@
# Each non-default section refer to separate certificate issuance
-# requests. Options in the default section apply to each sections.
+# requests. Settings in the default section apply to each sections.
-# Message digest to sign the Certificate Signing Request with.
+# Message digest to sign the Certificate Signing Request with,
+# overriding the req(1ssl) default.
#
-#hash = sha512
+#hash =
-# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+# Comma-separated list of Key Usages, for instance "digitalSignature,
+# keyEncipherment", to include in the Certificate Signing Request.
+# See x509v3_config(5ssl) for a list of possible values. Note that the
+# ACME might override the value provided here.
#
-#keyUsage = digitalSignature, keyEncipherment
+#keyUsage =
+
+# Path to the bundle of trusted issuer certificates. This is used for
+# validating each certificate after issuance or renewal. Specifying an
+# empty value skips certificate validation.
+#
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#
+#min-days = 21
#[www]
-# Path the service's private key. This option is required.
+# Path the service's private key. This setting is required.
#
#certificate-key = /etc/nginx/ssl/srv.key
# Where to store the issued certificate (in PEM format).
#
-#certificate = /etc/nginx/ssl/srv.pem
+#certificate = /etc/nginx/ssl/srv.crt
# Where to store the issued certificate along with its chain of trust
# (in PEM format).
#
-#certificate-chain = /etc/nginx/ssl/srv.chain.pem
-
-# For an existing certificate, the minimum number of days before its
-# expiration date the section is considered for re-issuance.
-#
-#min-days = 21
-
-# Path to trusted issuer certificates, used for validating each issued
-# certificate. Specifying an empty value skips certificate validation.
-#
-#CAfile = @@datadir@@/lacme/ca-certificates.crt
+#certificate-chain = /etc/nginx/ssl/srv.chain.crt
-# Subject field of the Certificate Signing Request. This option is
+# Subject field of the Certificate Signing Request. This setting is
# required.
#
#subject = /CN=example.org
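Review bot: The relocated `CAfile` comment states that an empty value skips certificate validation without marking that as discouraged, whereas the analogous empty-value escape hatches in config/lacme.conf (user/group) carry "(not recommended)". Suggest `# empty value skips certificate validation (not recommended).` for consistency, since validation is what catches a mis-issued or truncated certificate after renewal. Separately, "the ACME might override the value" in the new keyUsage comment reads as if a word is missing; "the ACME server" is presumably meant.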
@@ -61,7 +66,7 @@
#[smtp]
#certificate-key = /etc/postfix/ssl/srv.key
-#certificate-chain = /etc/postfix/ssl/srv.pem
+#certificate-chain = /etc/postfix/ssl/srv.crt
#subject = /CN=smtp.example.org
#notify = /bin/systemctl reload postfix
diff --git a/config/lacme.conf b/config/lacme.conf
index 9f4db72..0392be5 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -10,26 +10,24 @@
# UNIX-domain socket to connect to for signature requests from the ACME
# client. lacme(8) aborts if the socket is readable or writable by
# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
-# variable is set.
-# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
+# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
# since the two processes communicate through a socket pair. See the
# "accountd" section below for details.
#
-#socket =
+#socket = %t/S.lacme
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#user = nobody
+#user = @@lacme_client_user@@
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#group = nogroup
+#group = @@lacme_client_group@@
-# Path to the ACME client executable.
+# ACME client command.
#
#command = @@libexecdir@@/lacme/client
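Review bot: `Skip privilege drop if the value is empty (not recommended)` drops the consequence the previous wording stated, namely that the process then keeps the privileges it was started with (root, per the replaced line). Suggest `# An empty value skips the privilege drop, so the process keeps running as the invoking user (normally root); not recommended.` so the reader understands why it is discouraged. The same rewording appears in the webserver and accountd sections later in this file (the hunks at `@@ -64,25` and `@@ -99,28`), so adjust those alongside.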
@@ -37,12 +35,12 @@
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
# as it has relaxed rate-limiting.
#
-#server = https://acme-v02.api.letsencrypt.org/directory
+#server = @@acmeapi_server@@
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
#
-#timeout = 10
+#timeout = 30
# Whether to verify the server certificate chain.
#
@@ -64,25 +62,26 @@
#
#listen = @@runstatedir@@/lacme-www.socket
-# Non-existent directory under which an external HTTP daemon is
-# configured to serve GET requests for challenge files under
-# "/.well-known/acme-challenge/" (for each virtual host requiring
-# authorization) as static files.
+# Directory under which an external HTTP daemon is configured to serve
+# GET requests for challenge files under "/.well-known/acme-challenge/"
+# (for each virtual host requiring authorization) as static files.
+# NOTE: the directory must exist and be writable by the lacme client
+# user.
#
#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#user = www-data
+#user = @@lacme_www_user@@
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#group = www-data
+#group = @@lacme_www_group@@
-# Path to the ACME webserver executable.
+# ACME webserver command.
#
#command = @@libexecdir@@/lacme/webserver
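Review bot: The added NOTE on `challenge-directory` says the directory must be writable by "the lacme client user", but this file defines separate `user` settings for the client section (`@@lacme_client_user@@`, earlier in the file) and for the webserver section (`@@lacme_www_user@@`, a few lines below in this hunk), so which identity needs write access is ambiguous. Suggest `# NOTE: the directory must exist and be writable by the user set in the client section's "user" setting.` if that is the intended one — verify against lacme(8). Stating that the external HTTP daemon only needs read access, if that is the case, would also help administrators avoid granting it write permission.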
@@ -99,28 +98,23 @@
# an existing lacme-accountd(1) process via a UNIX-domain socket.
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
#
#user =
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
#
#group =
-# Path to the lacme-accountd(1) executable.
+# lacme-accountd(1) command.
#
#command = @@bindir@@/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
#
-#config = @@sysconfdir@@/lacme/lacme-accountd.conf
-
-# The (private) account key to use for signing requests. See
-# lacme-accountd(1) for details.
-#
-#privkey = file:/path/to/account.key
+#config =
# Be quiet.
#
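Review bot: `#config =` now ships empty, but the comment "Path to the lacme-accountd(1) configuration file." does not say what an empty value means, whereas the removed default pointed at `@@sysconfdir@@/lacme/lacme-accountd.conf`. Suggest adding `# An empty value uses lacme-accountd(1)'s default configuration file.` — phrased as a guess, since the fallback behaviour is not visible here. Dropping the `privkey` block from this section is reasonable given the `config` pointer, provided lacme-accountd(1) documents where the key is now configured.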