authorGuilhem Moulin <guilhem@fripost.org>2016-03-02 18:19:04 +0100
committerGuilhem Moulin <guilhem@fripost.org>2016-03-02 18:19:04 +0100
commit97369c2e6dce66881d673ba308acd069c08a8776 (patch)
tree3946b0216071d0b2e47b805ac2a19bef685a6c38 /config
parentc4db1e4a18a13f7db04dbbd10663f0edba7d206d (diff)
parent63633fd91bcc97217f2ac45ba602d752e8fbaafd (diff)
Merge branch 'master' into debian
Diffstat (limited to 'config')
-rw-r--r--config/letsencrypt-accountd.conf29
-rw-r--r--config/letsencrypt-certs.conf56
-rw-r--r--config/letsencrypt.conf86
3 files changed, 171 insertions, 0 deletions
diff --git a/config/letsencrypt-accountd.conf b/config/letsencrypt-accountd.conf
new file mode 100644
index 0000000..c372190
--- /dev/null
+++ b/config/letsencrypt-accountd.conf
@@ -0,0 +1,29 @@
+# The value of "privkey" specifies the (private) account key to use
+# for signing requests. Currently supported values are:
+#
+# - file:FILE, to specify an encrypted private key (in PEM format)
+# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
+#
+#privkey = gpg:/path/to/encrypted/priv.key.gpg
+#privkey = file:/path/to/priv.key
+
+# For a gpg-encrypted private account key, "gpg" specifies the binary
+# gpg(1) to use, as well as some default options. Default: "gpg
+# --quiet".
+#
+#gpg = gpg2 --quiet --no-auto-check-trustdb
+
+# The value of "socket" specifies the UNIX-domain socket to bind against
+# for signature requests from the ACME client. An error is raised if
+# the path exists exists or if its parent directory is writable by other
+# users.
+# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# environment variable is set.
+#
+#socket = /run/user/1000/S.letsencrypt
+
+# Be quiet. Possible values: "Yes"/"No".
+#
+#quiet = Yes
+
+; vim:ft=dosini
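Review bot: The socket description in this hunk repeats a word, `# the path exists exists or if its parent directory is writable by other`; it should read `# the path exists or if its parent directory is writable by other`. The boolean spelling also drifts between the files added in this commit: the example here is `#quiet = Yes`, config/letsencrypt.conf uses `#SSL_verify = yes` and `#iptables = Yes` in the same file. Since the examples are what readers copy, one spelling across the three files would avoid making them guess whether the parser is case-sensitive; a one-line header comment stating the accepted forms (e.g. `# Booleans: Yes/No (case-insensitive)`, if that is what the parser does) would settle it.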
diff --git a/config/letsencrypt-certs.conf b/config/letsencrypt-certs.conf
new file mode 100644
index 0000000..5613ef6
--- /dev/null
+++ b/config/letsencrypt-certs.conf
@@ -0,0 +1,56 @@
+# Each non-default section denotes a separate certificate issuance.
+# Options in the default section apply to each sections.
+
+# Message digest to sign the Certificate Signing Request with.
+#hash = sha512
+
+# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+#keyUsage = digitalSignature, keyEncipherment
+
+#[www]
+
+# Where to store the issued certificate (in PEM format).
+#certificate = /etc/nginx/ssl/srv.pem
+
+# Where to store the issued certificate, concatenated with the content
+# of the file specified specified with the CAfile option (in PEM format).
+#certificate-chain = /etc/nginx/ssl/srv.chain.pem
+
+# Path the service's private key. This option is required.
+#certificate-key = /etc/nginx/ssl/srv.key
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#min-days = 10
+
+# Path to the issuer's certificate. This is used for certificate-chain
+# and to verify the validity of each issued certificate. Specifying an
+# empty value skip certificate validation.
+#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
+
+# Subject field of the Certificate Signing Request. This option is
+# required.
+#subject = /CN=example.org
+
+# Comma-separated list of Subject Alternative Names.
+#subjectAltName = DNS:example.org,DNS:www.example.org
+
+# username[:groupname] to chown the issued certificate and
+# certificate-chain with.
+#chown = root:root
+
+# octal mode to chmod the issued certificate and certificate-chain with.
+#chmod = 0644
+
+# Command to pass the the system's command shell ("/bin/sh -c") after
+# successful installation of the certificate and/or certificate-chain.
+#notify = /bin/systemctl restart nginx
+
+
+#[smtp]
+#certificate-key = /etc/postfix/ssl/srv.key
+#certificate-chain = /etc/postfix/ssl/srv.pem
+#subject = /CN=smtp.example.org
+#notify = /bin/systemctl restart postfix
+
+; vim:ft=dosini
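Review bot: The CAfile comment says an empty value disables validation of issued certificates but, unlike the privilege-drop keys in config/letsencrypt.conf, does not mark that as discouraged; `# empty value skips certificate validation (not recommended).` would match the other files' wording. Because `notify` is handed to `/bin/sh -c` as the comment above it states, it is worth noting beside it that whoever can write this file can run arbitrary commands with the caller's privileges, e.g. `# Keep this file writable by the administrator only.` The prose also has several slips: `# of the file specified specified with the CAfile option` (duplicated word), `# Path the service's private key.` (missing "to"), `# Command to pass the the system's command shell` (duplicated word), and `# Options in the default section apply to each sections.` (should be "each section").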
diff --git a/config/letsencrypt.conf b/config/letsencrypt.conf
new file mode 100644
index 0000000..1502020
--- /dev/null
+++ b/config/letsencrypt.conf
@@ -0,0 +1,86 @@
+# For certificate issuance (new-cert command), specify the certificate
+# configuration file to use
+#
+#config-certs = config/letsencrypt-certs.conf
+
+[client]
+# The value of "socket" specifies the letsencrypt-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client. letsencrypt aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# environment variable is set.
+#
+#socket = /run/user/1000/S.letsencrypt
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+# Default: "nobody".
+#
+#user = letsencrypt
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#group = nogroup
+
+# Path to the ACME client executable.
+#command = /usr/lib/letsencrypt-tiny/client
+
+# Root URI of the ACME server. NOTE: Use the staging server for testing
+# as it has relaxed ratelimit.
+#
+#server = https://acme-v01.api.letsencrypt.org/
+#server = https://acme-staging.api.letsencrypt.org/
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 10
+
+# Whether to verify the server certificate chain.
+#SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Specify the local address to listen on, in the form ADDRESS[:PORT].
+#
+#listen = 0.0.0.0:80
+#listen = [::]:80
+
+# If a webserver is already running, specify a non-existent directory
+# under which the webserver is configured to serve GET requests for
+# challenge files under "/.well-known/acme-challenge/" (for each virtual
+# hosts requiring authorization) as static files.
+#
+#challenge-directory = /var/www/acme-challenge
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#user = www-data
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#user = www-data
+
+# Path to the ACME webserver executable.
+#command = /usr/lib/letsencrypt-tiny/webserver
+
+# Whether to automatically install iptables(1) rules to open the
+# ADDRESS[:PORT] specified with listen. Theses rules are automatically
+# removed once letsencrypt exits.
+#
+#iptables = Yes
+
+; vim:ft=dosini
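Review bot: The second example in the [webserver] section is wrong: under the "groupname to drop privileges to" comment the commented line is `#user = www-data`, so uncommenting it as written would set `user` a second time (duplicate-key handling is parser-dependent) and leave `group` unset; it should be `#group = www-data`, mirroring `#group = nogroup` in [client]. Two comment typos in the same section: `# ADDRESS[:PORT] specified with listen. Theses rules are automatically` should read "These rules", and `# challenge files under "/.well-known/acme-challenge/" (for each virtual` continues with "hosts requiring authorization" where "host" is meant. The `config-certs` key sits before any section header; if the project's parser treats that as a default/global section, a one-line comment saying so at the top would help readers used to parsers that reject global keys.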