Merge branch 'master' into debian

3 files changed, 35 insertions, 19 deletions

diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 12fcd54..97d588a 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -28,7 +28,7 @@
 # For an existing certificate, the minimum number of days before its
 # expiration date the section is considered for re-issuance.
 #
-#min-days = 10
+#min-days = 21
 
 # Path to the issuer's certificate.  This is used for certificate-chain
 # and to verify the validity of each issued certificate.  Specifying an
diff --git a/config/lacme.conf b/config/lacme.conf
index c5efb03..874bb1f 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -16,18 +16,16 @@
 # since the two processes communicate through a socket pair.  See the
 # "accountd" section below for details.
 #
-#socket = /run/user/1000/S.lacme
+#socket =
 
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
 #
-#user = lacme
+#user = nobody
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty (not recommended).
-# Default: "nogroup".
 #
 #group = nogroup
 
@@ -35,11 +33,11 @@
 #
 #command = /usr/lib/lacme/client
 
-# Root URI of the ACME server.  NOTE: Use the staging server for testing
-# as it has relaxed rate-limiting.
+# Root URI of the ACME server.  NOTE: Use the staging server
+# <https://acme-staging.api.letsencrypt.org/> for testing as it has
+# relaxed rate-limiting.
 #
 #server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
 
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
@@ -61,17 +59,17 @@
 
 [webserver]
 
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
 #
-#listen = 0.0.0.0:80
-#listen = [::]:80
+#listen = /var/run/lacme.socket
 
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
+# Non-existent directory under which an external HTTP daemon is
+# configured to serve GET requests for challenge files under
+# "/.well-known/acme-challenge/" (for each virtual host requiring
+# authorization) as static files.
 #
-#challenge-directory = /var/www/acme-challenge
+#challenge-directory =
 
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty (not recommended).
@@ -92,7 +90,7 @@
 # ADDRESS[:PORT] specified with listen.  Theses rules are automatically
 # removed once lacme(1) exits.
 #
-#iptables = Yes
+#iptables = No
 
 
 [accountd]
@@ -103,13 +101,13 @@
 # username to drop privileges to (setting both effective and real uid).
 # Preserve root privileges if the value is empty.
 #
-#user = root
+#user =
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
 # Preserve root privileges if the value is empty.
 #
-#group = root
+#group =
 
 # Path to the lacme-accountd(1) executable.
 #
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..f842c12
--- /dev/null
+++ b/config/nginx.conf
@@ -0,0 +1,18 @@
+# Let nginx serve ACME requests directly, or pass them to lacme's
+# webserver component.
+#
+# This file needs to be sourced to the server directives (at least the
+# non-ssl one) of each virtual host requiring authorization.
+
+location /.well-known/acme-challenge/ {
+    # Pass ACME requests to lacme's webserver component
+    proxy_pass http://unix:/var/run/lacme.socket;
+
+    ## Alternatively, you can let nginx serve the requests by
+    ## setting 'challenge-directory' to '/var/www/acme-challenge' in
+    ## lacme's configuration file
+    # alias /var/www/acme-challenge/;
+    # default_type application/jose+json;
+    # disable_symlinks on from=$document_root;
+    # autoindex off;
+}