path: root/lacme.md
author: Guilhem Moulin <guilhem@fripost.org> 2018-04-26 20:29:44 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2018-04-27 01:43:03 +0200
commit: d1bc3ad109a3000bda8a7876673ff9a0281e8c7b (patch)
tree: b5202fae0c6b580b7760e7b6ea66647c2da4da8d /lacme.md
parent: 5ea132288e4f83fa24ebf3f61b503e440aaccad5 (diff)
Use ACME v2 endpoints
https://tools.ietf.org/html/draft-ietf-acme-acme-12
Diffstat (limited to 'lacme.md')
-rw-r--r-- lacme.md | 59
1 file changed, 25 insertions, 34 deletions
diff --git a/lacme.md b/lacme.md
index ba1e5be..2d70c49 100644
--- a/lacme.md
+++ b/lacme.md
@@ -34,7 +34,7 @@ with its own executable:
component with access to the private key material of the server
keys. It is used to fork the [ACME] client (and optionally the
[ACME] webserver) after dropping root privileges.
- For certificate issuances (`new-cert` command), it also generates
+ For certificate issuances (`newOrder` command), it also generates
Certificate Signing Requests, then verifies the validity of the
issued certificate, and optionally reloads or restarts services when
the *notify* option is set.
@@ -48,7 +48,7 @@ with its own executable:
UNIX-domain socket to the [ACME] client: data signatures are
requested by writing the data to be signed to the socket.
- 4. For certificate issuances (`new-cert` command), an optional
+ 4. For certificate issuances (`newOrder` command), an optional
webserver (specified with the *command* option of the [`[webserver]`
section](#webserver-section) of the configuration file), which is
spawned by the “master” `lacme`. (The only challenge type currently
@@ -61,44 +61,36 @@ with its own executable:
Commands
========
-`lacme` [`--agreement-uri=`*URI*] `new-reg` [*CONTACT* …]
+`lacme account` [`--tos-agreed`] [`--register`] [*CONTACT* …]
-: Register the account key managed by [`lacme-accountd`(1)]. A list
- of *CONTACT* information (such as `maito:` URIs) can be specified in
- order for the server to contact the client for issues related to
- this registration (such as notifications about server-initiated
- revocations).
+: Register (if `--registered` is set) a [`lacme-accountd`(1)]-managed
+ account key. A list of *CONTACT* information (such as `maito:`
+ URIs) can be specified in order for the [ACME] server to contact the
+ client for issues related to this registration (such as
+ notifications about server-initiated revocations). `--tos-agreed`
+ indicates agreement with the [ACME] server's Terms of Service (and
+ might be required for registration).
- `--agreement-uri=` can be used to specify a *URI* referring to a
- subscriber agreement or terms of service provided by the server;
- adding this options indicates the client's agreement with the
- referenced terms. Note that the server might require the client to
- agree to subscriber agreement before performing any further actions.
+ If the account key is already registered, update the contact info
+ with the given list of *CONTACT* information.
- If the account key is already registered, `lacme` prints the URI of
- the existing registration and aborts.
+ Upon success, `lacme` prints the new or updated Account Object from
+ the [ACME] server.
-`lacme` [`--agreement-uri=`*URI*] `reg=`*URI* [*CONTACT* …]
-
-: Dump or edit the registration *URI* (relative to the [ACME] server
- URI, which is specified with the *server* option of the [`[client]`
- section](#client-section) of the configuration file).
-
- When specified, the list of *CONTACT* information and the agreement
- *URI* are sent to the server to replace the existing values.
-
-`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …]
+`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `newOrder` [*SECTION* …]
: Read the certificate configuration *FILE* (see the **[certificate
configuration file](#certificate-configuration-file)** section below
for the configuration options), and request new Certificate Issuance
for each of its sections (or the given list of *SECTION*s).
+ Command alias: `new-order`.
-`lacme` `revoke-cert` *FILE* [*FILE* …]
+`lacme` `revokeCert` *FILE* [*FILE* …]
: Request that the given certificate(s) *FILE*(s) be revoked. For
this command, [`lacme-accountd`(1)] can be pointed to either the
account key or the server's private key.
+ Command alias: `revoke-cert`.
Generic options
===============
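Review bot: the new description of the `account` command says registration happens "if `--registered` is set", but the synopsis line directly above names the flag `--register`; the description should use `--register` so it matches the option it documents. Two smaller points in the same hunk: the contact example is still spelled `maito:` (carried over from the removed text, while the Examples section later in this diff uses `mailto:`), and since the `newOrder` and `revokeCert` entries each gain a "Command alias" line for the old spelling, it would be consistent to state here whether the old `new-reg` and `reg=`*URI* forms are still accepted or have been removed, as users with scripts calling them will otherwise only find out at runtime.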
@@ -149,7 +141,7 @@ Default section
*config-certs*
-: For certificate issuances (`new-cert` command), specify the
+: For certificate issuances (`newOrder` command), specify the
space-separated list of certificate configuration files or
directories to use (see the **[certificate configuration
file](#certificate-configuration-file)** section below for the
@@ -198,7 +190,7 @@ of [ACME] commands and dialogues with the remote [ACME] server).
*server*
: Root URI of the [ACME] server.
- Default: `https://acme-v01.api.letsencrypt.org/`.
+ Default: `https://acme-v02.api.letsencrypt.org/directory`.
*timeout*
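Review bot: the default now points at a `/directory` resource instead of a bare server root, but the option text one line above still reads "Root URI of the [ACME] server". Suggest rewording it to something like "URI of the [ACME] server's directory resource" so that anyone overriding *server* knows to supply the directory URL rather than the host root that the old default implied.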
@@ -322,7 +314,7 @@ If the section (including its header) is absent or commented out,
Certificate configuration file
==============================
-For certificate issuances (`new-cert` command), a separate file is used
+For certificate issuances (`newOrder` command), a separate file is used
to configure paths to the certificate and key, as well as the subject,
subjectAltName, etc. to generate Certificate Signing Requests.
Each section denotes a separate certificate issuance.
@@ -405,17 +397,16 @@ Valid options are:
Examples
========
- ~$ sudo lacme new-reg mailto:noreply@example.com
- ~$ sudo lacme reg=/acme/reg/123456 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
- ~$ sudo lacme new-cert
- ~$ sudo lacme revoke-cert /path/to/server/certificate.pem
+ ~$ sudo lacme account --register --tos-agreed mailto:noreply@example.com
+ ~$ sudo lacme newOrder
+ ~$ sudo lacme revokeCert /path/to/server/certificate.pem
See also
========
[`lacme-accountd`(1)]
-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
+[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
[`lacme-accountd`(1)]: lacme-accountd.1.html
[`iptables`(8)]: http://linux.die.net/man/8/iptables
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
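Review bot: the examples drop the `reg=`*URI* line without showing how to update contact information on an already registered account; since the `account` entry earlier in this diff states that re-running it "update[s] the contact info", an additional line such as `~$ sudo lacme account mailto:noreply@example.com` (without `--register`) would make that path discoverable. The `[ACME]` reference update to draft-12 in this hunk matches the URL given in the commit message.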