Merge branch 'master' into debian

1 files changed, 15 insertions, 2 deletions

diff --git a/lacme.md b/lacme.md
index 4146515..0f6f3ee 100644
--- a/lacme.md
+++ b/lacme.md
@@ -223,7 +223,8 @@ of [ACME] commands and dialogues with the remote [ACME] server).
 `[webserver]` section
 ---------------------
 
-This section is used for configuring the [ACME] webserver.
+This section is used to configure how [ACME] challenge responses are
+served during certificate issuance.
 
 *listen*
 
@@ -233,6 +234,16 @@ This section is used for configuring the [ACME] webserver.
     absolute path of a UNIX-domain socket (created with mode `0666`).
     Default: `/var/run/lacme.socket`.
 
+    **Note**: The default value is only suitable when an external HTTP
+    daemon is publicly reachable and passes all ACME challenge requests
+    to the webserver component through the UNIX-domain socket
+    `/var/run/lacme.socket` (for instance using the provided
+    `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration
+    snippets for each virtual host requiring authorization).  If there
+    is no HTTP daemon bound to port 80 one needs to set *listen* to
+    `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or
+    unavailable), and possibly also set *iptables* to `Yes`.
+
 *challenge-directory*
 
 :   Specify a non-existent directory under which an external HTTP daemon
@@ -258,7 +269,9 @@ This section is used for configuring the [ACME] webserver.
 
 *command*
 
-:   Path to the [ACME] webserver executable.
+:   Path to the [ACME] webserver executable.  A separate process is
+    spawned for each address to *listen* on.  (In particular no
+    webserver process is forked when the *listen* option is empty.)
     Default: `/usr/lib/lacme/webserver`.
 
 *iptables*