Merge tag 'v0.8.0' into debian/latest

Release version 0.8.0

3 files changed, 62 insertions, 55 deletions

diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 94d2556..5c769cf 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -1,11 +1,11 @@
 # The value of "privkey" specifies the (private) account key to use
 # for signing requests.  Currently supported values are:
 #
-#   - file:FILE, to specify an encrypted private key (in PEM format)
-#   - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
+#   - file:FILE, for a private key in PEM format (optionally encrypted)
+#   - gpg:FILE, for a gpg-encrypted private key
 #
-#privkey = gpg:/path/to/encrypted/account.key.gpg
 #privkey = file:/path/to/account.key
+#privkey = gpg:/path/to/encrypted/account.key.gpg
 
 # For a gpg-encrypted private account key, "gpg" specifies the binary
 # gpg(1) to use, as well as some default options.  Default: "gpg
@@ -17,10 +17,18 @@
 # for signature requests from the ACME client.  An error is raised if
 # the path exists or if its parent directory is writable by other
 # users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR
-# environment variable is set.
 #
-#socket = /run/user/1000/S.lacme
+#socket = %t/S.lacme
+
+# An optional file where to log to.
+#
+#logfile =
+
+# The "Key ID", as shown by `acme account`, to give the ACME client.
+# A non-empty value revokes all account management access (status
+# change, contact address updates etc.) from the client.
+#
+#keyid =
 
 # Be quiet.  Possible values: "Yes"/"No".
 #
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 232c85b..5259690 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,41 +1,46 @@
 # Each non-default section refer to separate certificate issuance
-# requests. Options in the default section apply to each sections.
+# requests. Settings in the default section apply to each sections.
 
-# Message digest to sign the Certificate Signing Request with.
+# Message digest to sign the Certificate Signing Request with,
+# overriding the req(1ssl) default.
 #
-#hash = sha512
+#hash =
 
-# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+# Comma-separated list of Key Usages, for instance "digitalSignature,
+# keyEncipherment", to include in the Certificate Signing Request.
+# See x509v3_config(5ssl) for a list of possible values.  Note that the
+# ACME might override the value provided here.
 #
-#keyUsage = digitalSignature, keyEncipherment
+#keyUsage =
+
+# Path to the bundle of trusted issuer certificates.  This is used for
+# validating each certificate after issuance or renewal.  Specifying an
+# empty value skips certificate validation.
+#
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#
+#min-days = 21
 
 
 #[www]
 
-# Path the service's private key.  This option is required.
+# Path the service's private key.  This setting is required.
 #
 #certificate-key = /etc/nginx/ssl/srv.key
 
 # Where to store the issued certificate (in PEM format).
 #
-#certificate = /etc/nginx/ssl/srv.pem
+#certificate = /etc/nginx/ssl/srv.crt
 
 # Where to store the issued certificate along with its chain of trust
 # (in PEM format).
 #
-#certificate-chain = /etc/nginx/ssl/srv.chain.pem
-
-# For an existing certificate, the minimum number of days before its
-# expiration date the section is considered for re-issuance.
-#
-#min-days = 21
-
-# Path to trusted issuer certificates, used for validating each issued
-# certificate.  Specifying an empty value skips certificate validation.
-#
-#CAfile = @@datadir@@/lacme/ca-certificates.crt
+#certificate-chain = /etc/nginx/ssl/srv.chain.crt
 
-# Subject field of the Certificate Signing Request.  This option is
+# Subject field of the Certificate Signing Request.  This setting is
 # required.
 #
 #subject = /CN=example.org
@@ -61,7 +66,7 @@
 
 #[smtp]
 #certificate-key = /etc/postfix/ssl/srv.key
-#certificate-chain = /etc/postfix/ssl/srv.pem
+#certificate-chain = /etc/postfix/ssl/srv.crt
 #subject = /CN=smtp.example.org
 #notify = /bin/systemctl reload postfix
 
diff --git a/config/lacme.conf b/config/lacme.conf
index 9f4db72..0392be5 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -10,26 +10,24 @@
 # UNIX-domain socket to connect to for signature requests from the ACME
 # client.  lacme(8) aborts if the socket is readable or writable by
 # other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
-# variable is set.
-# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
+# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
 # since the two processes communicate through a socket pair.  See the
 # "accountd" section below for details.
 #
-#socket =
+#socket = %t/S.lacme
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = nobody
+#user = @@lacme_client_user@@
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = nogroup
+#group = @@lacme_client_group@@
 
-# Path to the ACME client executable.
+# ACME client command.
 #
 #command = @@libexecdir@@/lacme/client
 
@@ -37,12 +35,12 @@
 # <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
 # as it has relaxed rate-limiting.
 #
-#server = https://acme-v02.api.letsencrypt.org/directory
+#server = @@acmeapi_server@@
 
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
 #
-#timeout = 10
+#timeout = 30
 
 # Whether to verify the server certificate chain.
 #
@@ -64,25 +62,26 @@
 #
 #listen = @@runstatedir@@/lacme-www.socket
 
-# Non-existent directory under which an external HTTP daemon is
-# configured to serve GET requests for challenge files under
-# "/.well-known/acme-challenge/" (for each virtual host requiring
-# authorization) as static files.
+# Directory under which an external HTTP daemon is configured to serve
+# GET requests for challenge files under "/.well-known/acme-challenge/"
+# (for each virtual host requiring authorization) as static files.
+# NOTE: the directory must exist and be writable by the lacme client
+# user.
 #
 #challenge-directory =
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = www-data
+#user = @@lacme_www_user@@
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = www-data
+#group = @@lacme_www_group@@
 
-# Path to the ACME webserver executable.
+# ACME webserver command.
 #
 #command = @@libexecdir@@/lacme/webserver
 
@@ -99,28 +98,23 @@
 # an existing lacme-accountd(1) process via a UNIX-domain socket.
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #user =
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #group =
 
-# Path to the lacme-accountd(1) executable.
+# lacme-accountd(1) command.
 #
 #command = @@bindir@@/lacme-accountd
 
 # Path to the lacme-accountd(1) configuration file.
 #
-#config = @@sysconfdir@@/lacme/lacme-accountd.conf
-
-# The (private) account key to use for signing requests.  See
-# lacme-accountd(1) for details.
-#
-#privkey = file:/path/to/account.key
+#config =
 
 # Be quiet.
 #