author | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 10:42:23 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 10:42:23 +0100 |
commit | 39031bb2a02789a956bf1ab3cbe092e4f17e1758 (patch) | |
tree | 763d243d85aa9e60946b8c38f68248e7340d8f20 /lacme.md | |
parent | 5b8c13bf44f7f1235f2dd0cec1f7f7e2c1a13a9e (diff) | |
parent | 8faab5db6571972156f45b5838b23dbb0fadd5c4 (diff) |
Merge branch 'master' into debian
Diffstat (limited to 'lacme.md')
-rw-r--r-- | lacme.md | 52 |
1 files changed, 48 insertions, 4 deletions
@@ -26,7 +26,9 @@ with its own executable: the [ACME] client.) One can use the UNIX-domain socket forwarding facility of OpenSSH 6.7 and later to run [`lacme-accountd`(1)] and `lacme` on different - hosts. + hosts. Alternatively, the [`lacme-accountd`(1)] process can be + spawned by the “master” `lacme` process below; in that case, the + two processes communicate through a socket pair. 2. A “master” `lacme` process, which runs as root and is the only component with access to the private key material of the server @@ -117,10 +119,14 @@ Generic options *socket* option of the [`[client]` section](#client-section) of the configuration file. -`-?`, `--help` +`-h`, `--help` : Display a brief help and exit. +`-q`, `--quiet` + +: Be quiet. + `--debug` : Turn on debug mode. 
@@ -249,6 +255,44 @@ This section is used for configuring the [ACME] webserver. automatically removed once `lacme` exits. Default: `Yes`. +`[accountd]` section +--------------------- + +This section is used for configuring the [`lacme-accountd`(1)] process. +If the section (including its header) is absent or commented out, +`lacme` connects to an existing UNIX-domain socket bound by a running +[`lacme-accountd`(1)] process. + +*user* + +: The username to drop privileges to (setting both effective and real + uid). Preserve root privileges if the value is empty. + +*group* + +: The groupname to drop privileges to (setting both effective and real + gid, and also setting the list of supplementary gids to that single + group). Preserve root privileges if the value is empty. + +*command* + +: Path to the [`lacme-accountd`(1)] executable. + Default: `/usr/bin/lacme-accountd`. + +*config* + +: Path to the [`lacme-accountd`(1)] configuration file. + Default: `/etc/lacme/lacme-accountd.conf`. + +*privkey* + +: The (private) account key to use for signing requests. See + [`lacme-accountd`(1)] for details. + +*quiet* + +: Be quiet. Possible values: `Yes`/`No`. + Certificate configuration file ============================== @@ -282,7 +326,7 @@ Valid options are: following command can be used to generate a new 4096-bits RSA key in PEM format with mode 0600: - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key + openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key *min-days* @@ -339,7 +383,7 @@ Examples ======== ~$ sudo lacme new-reg mailto:noreply@example.com - ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf + ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf ~$ sudo lacme new-cert ~$ sudo lacme revoke-cert /path/to/server/certificate.pem |
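Review bot: In the first hunk (@@ -26,7 +26,9 @@), the new sentence about spawning `lacme-accountd`(1) from the “master” `lacme` process says nothing about privileges, while the very next list item states that the master runs as root. Point the reader to the *user* and *group* options of the `[accountd]` section at this spot, so it is clear from the overview how the spawned signer avoids keeping root.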
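Review bot: In the Generic options hunk (@@ -117,10 +119,14 @@), `-?` is replaced by `-h` without saying whether `-?` is still accepted, and the new `-q`, `--quiet` entry reads only "Be quiet." State what output is suppressed (for instance whether warnings and errors are still printed), how the flag interacts with `--debug`, and mention the `-?` removal if existing invocations will break.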
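Review bot: In the `[accountd]` hunk (@@ -249,6 +255,44 @@), *user* and *group* carry no "Default:" line, unlike *command* and *config*, and "Preserve root privileges if the value is empty" leaves open what happens when the option is omitted altogether. Since this process is the one given the account key via *privkey*, document the default explicitly and consider recommending a dedicated unprivileged user and group. *privkey* and *quiet* also lack defaults, and the text does not say whether *privkey* here takes precedence over the value in the file named by *config*.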
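Review bot: In the Examples hunk (@@ -339,7 +383,7 @@), the `--agreement-uri` value is a hard-coded, versioned document URL that this change already had to bump from LE-SA-v1.0.1 to LE-SA-v1.1.1. Add a sentence stating that the URI shown is only an example and must match the agreement currently in force, so the manual does not silently go stale at the next revision.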