aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2017-06-28 22:33:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-28 22:33:37 +0200
commit4a730d372818f86ae42dbe1d89ec63fc67c9f462 (patch)
treef98bf6e24a4e0284472703b2e60c449037c24b9d /config
parent871aa1f53d428f31902b4428f8bae11ccea8c5f7 (diff)
parent99902d8737cd01b2788ec51b06d314a36135be2c (diff)
Merge branch 'master' into debian
Diffstat (limited to 'config')
-rw-r--r--config/lacme-certs.conf2
-rw-r--r--config/lacme.conf34
-rw-r--r--config/nginx.conf18
3 files changed, 35 insertions, 19 deletions
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 12fcd54..97d588a 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -28,7 +28,7 @@
# For an existing certificate, the minimum number of days before its
# expiration date the section is considered for re-issuance.
#
-#min-days = 10
+#min-days = 21
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
diff --git a/config/lacme.conf b/config/lacme.conf
index c5efb03..874bb1f 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -16,18 +16,16 @@
# since the two processes communicate through a socket pair. See the
# "accountd" section below for details.
#
-#socket = /run/user/1000/S.lacme
+#socket =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
#
-#user = lacme
+#user = nobody
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
-# Default: "nogroup".
#
#group = nogroup
@@ -35,11 +33,11 @@
#
#command = /usr/lib/lacme/client
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed rate-limiting.
+# Root URI of the ACME server. NOTE: Use the staging server
+# <https://acme-staging.api.letsencrypt.org/> for testing as it has
+# relaxed rate-limiting.
#
#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
@@ -61,17 +59,17 @@
[webserver]
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
#
-#listen = 0.0.0.0:80
-#listen = [::]:80
+#listen = /var/run/lacme.socket
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
#
-#challenge-directory = /var/www/acme-challenge
+#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
@@ -92,7 +90,7 @@
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
# removed once lacme(1) exits.
#
-#iptables = Yes
+#iptables = No
[accountd]
@@ -103,13 +101,13 @@
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty.
#
-#user = root
+#user =
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty.
#
-#group = root
+#group =
# Path to the lacme-accountd(1) executable.
#
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..f842c12
--- /dev/null
+++ b/config/nginx.conf
@@ -0,0 +1,18 @@
+# Let nginx serve ACME requests directly, or pass them to lacme's
+# webserver component.
+#
+# This file needs to be sourced to the server directives (at least the
+# non-ssl one) of each virtual host requiring authorization.
+
+location /.well-known/acme-challenge/ {
+ # Pass ACME requests to lacme's webserver component
+ proxy_pass http://unix:/var/run/lacme.socket;
+
+ ## Alternatively, you can let nginx serve the requests by
+ ## setting 'challenge-directory' to '/var/www/acme-challenge' in
+ ## lacme's configuration file
+ # alias /var/www/acme-challenge/;
+ # default_type application/jose+json;
+ # disable_symlinks on from=$document_root;
+ # autoindex off;
+}