author: Guilhem Moulin <guilhem@fripost.org> 2017-06-28 22:33:37 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2017-06-28 22:33:37 +0200
commit: 4a730d372818f86ae42dbe1d89ec63fc67c9f462 (patch)
tree: f98bf6e24a4e0284472703b2e60c449037c24b9d /lacme.md
parent: 871aa1f53d428f31902b4428f8bae11ccea8c5f7 (diff)
parent: 99902d8737cd01b2788ec51b06d314a36135be2c (diff)
Merge branch 'master' into debian
Diffstat (limited to 'lacme.md')
-rw-r--r--  lacme.md  45
1 files changed, 24 insertions, 21 deletions
diff --git a/lacme.md b/lacme.md
index f5b5559..4146515 100644
--- a/lacme.md
+++ b/lacme.md
@@ -51,13 +51,12 @@ with its own executable:
4. For certificate issuances (`new-cert` command), an optional
webserver (specified with the *command* option of the [`[webserver]`
section](#webserver-section) of the configuration file), which is
- spawned by the “master” `lacme` process when no service is listening
- on the HTTP port. (The only challenge type currently supported by
- `lacme` is `http-01`, which requires a webserver to answer
- challenges.) That webserver only processes `GET` and `HEAD` requests
- under the `/.well-known/acme-challenge/` URI.
- By default some [`iptables`(8)] rules are automatically installed to
- open the HTTP port, and removed afterwards.
+ spawned by the “master” `lacme`. (The only challenge type currently
+ supported by `lacme` is `http-01`, which requires a webserver to
+ answer challenges.) That webserver only processes `GET` and `HEAD`
+ requests under the `/.well-known/acme-challenge/` URI.
+ Moreover temporary [`iptables`(8)] rules can be automatically
+ installed to open the HTTP port.
Commands
========
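Review bot: the rewritten sentence "spawned by the “master” `lacme`." drops the word "process" that the old text had and, more importantly, no longer says under what condition the webserver is spawned (the old text said "when no service is listening on the HTTP port"); if the spawn condition has changed, the new condition should be stated here, otherwise restore it, e.g. "spawned by the “master” `lacme` process when …". Also, "Moreover temporary" needs a comma ("Moreover, temporary"), and the new wording no longer mentions that the rules are removed afterwards, which the old text did and the *iptables* option text still promises.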
@@ -88,7 +87,7 @@ Commands
When specified, the list of *CONTACT* information and the agreement
*URI* are sent to the server to replace the existing values.
-`lacme` [`--config-certs=`*FILE*] `new-cert` [*SECTION* …]
+`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …]
: Read the certificate configuration *FILE* (see the **[certificate
configuration file](#certificate-configuration-file)** section below
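Review bot: the synopsis gains `[`--min-days=`*INT*]` but nothing in this hunk describes the option; since the *min-days* option text elsewhere in this patch refers back to "the CLI option `--min-days`", the `new-cert` description should say in one sentence what the flag does (the default minimum number of days before expiry for re-issuance) so the reader is not sent on a circular lookup.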
@@ -228,18 +227,19 @@ This section is used for configuring the [ACME] webserver.
*listen*
-: Specify the local address to listen on, in the form
- `ADDRESS[:PORT]`. If `ADDRESS` is enclosed with brackets ‘[’/‘]’
- then it denotes an IPv6; an empty `ADDRESS` means `0.0.0.0`.
- Default: `:80`.
+: Comma- or space-separated list of addresses to listen on. Valid
+ addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the
+ `:PORT` suffix is optional and defaults to the HTTP port 80), or an
+ absolute path of a UNIX-domain socket (created with mode `0666`).
+ Default: `/var/run/lacme.socket`.
*challenge-directory*
-: If a webserver is already running, specify a non-existent directory
- under which the webserver is configured to serve `GET` requests for
- challenge files under `/.well-known/acme-challenge/` (for each
- virtual hosts requiring authorization) as static files.
- Default: `/var/www/acme-challenge`.
+: Specify a non-existent directory under which an external HTTP daemon
+ is configured to serve `GET` requests for challenge files under
+ `/.well-known/acme-challenge/` (for each virtual host requiring
+ authorization) as static files.
+ This option is required when *listen* is empty.
*user*
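Review bot: the new default for *listen* is a UNIX-domain socket "created with mode `0666`", i.e. reachable by every local user; the text should say which process is expected to connect to it (the "external HTTP daemon" mentioned under *challenge-directory*, presumably) so that an administrator understands why a world-accessible socket is acceptable here. Separately, "This option is required when *listen* is empty." conflicts with the fact that *listen* is never empty by default (it defaults to the socket path); it should say that *challenge-directory* is required only when *listen* is explicitly set to an empty value, and that in that case no webserver is spawned, if that is the intended behaviour.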
@@ -263,10 +263,10 @@ This section is used for configuring the [ACME] webserver.
*iptables*
-: Whether to automatically install [`iptables`(8)] rules to open the
- `ADDRESS[:PORT]` specified with *listen*. Theses rules are
+: Whether to automatically install temporary [`iptables`(8)] rules to
+ open the `ADDRESS[:PORT]` specified with *listen*. The rules are
automatically removed once `lacme` exits.
- Default: `Yes`.
+ Default: `No`.
`[accountd]` section
---------------------
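Review bot: the *iptables* text still says "open the `ADDRESS[:PORT]` specified with *listen*", but this patch changes *listen* to accept a list of addresses and UNIX-domain socket paths, so the wording is now stale; it should say "open the port(s) of the addresses specified with *listen*" and state that nothing is done for socket paths (or what is done). The default flipping from `Yes` to `No` is a behaviour change worth calling out explicitly in the text or the changelog, since existing installations relying on the automatic rules will stop opening the port on upgrade.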
@@ -339,7 +339,10 @@ Valid options are:
: For an existing certificate, the minimum number of days before its
expiration date the section is considered for re-issuance.
- Default: `10`.
+ A negative value forces reissuance, while the number `0` limits
+ reissuance to expired certificates.
+ Default: the value of the CLI option `--min-days`, or `21` if there
+ is no such option.
*CAfile*
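Review bot: the new sentence mixes "re-issuance" (unchanged line above) with "reissuance" (added lines); pick one spelling. The default description would also be clearer if it stated precedence outright, e.g. "A value set in the section overrides the CLI option `--min-days`; if neither is given, `21` is used.", since "Default: the value of the CLI option …" leaves a reader guessing which of the two wins when both are present.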