| author | Guilhem Moulin <guilhem@fripost.org> | 2018-04-26 20:29:44 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2018-04-27 01:43:03 +0200 |
| commit | d1bc3ad109a3000bda8a7876673ff9a0281e8c7b (patch) | |
| tree | b5202fae0c6b580b7760e7b6ea66647c2da4da8d /lacme.md | |
| parent | 5ea132288e4f83fa24ebf3f61b503e440aaccad5 (diff) | |
Use ACME v2 endpoints
https://tools.ietf.org/html/draft-ietf-acme-acme-12
Diffstat (limited to 'lacme.md')
-rw-r--r-- | lacme.md | 59 |
1 files changed, 25 insertions, 34 deletions
@@ -34,7 +34,7 @@ with its own executable: component with access to the private key material of the server keys. It is used to fork the [ACME] client (and optionally the [ACME] webserver) after dropping root privileges. - For certificate issuances (`new-cert` command), it also generates + For certificate issuances (`newOrder` command), it also generates Certificate Signing Requests, then verifies the validity of the issued certificate, and optionally reloads or restarts services when the *notify* option is set. @@ -48,7 +48,7 @@ with its own executable: UNIX-domain socket to the [ACME] client: data signatures are requested by writing the data to be signed to the socket. - 4. For certificate issuances (`new-cert` command), an optional + 4. For certificate issuances (`newOrder` command), an optional webserver (specified with the *command* option of the [`[webserver]` section](#webserver-section) of the configuration file), which is spawned by the “master” `lacme`. (The only challenge type currently 
@@ -61,44 +61,36 @@ with its own executable: Commands ======== -`lacme` [`--agreement-uri=`*URI*] `new-reg` [*CONTACT* …] +`lacme account` [`--tos-agreed`] [`--register`] [*CONTACT* …] -: Register the account key managed by [`lacme-accountd`(1)]. A list - of *CONTACT* information (such as `maito:` URIs) can be specified in - order for the server to contact the client for issues related to - this registration (such as notifications about server-initiated - revocations). +: Register (if `--registered` is set) a [`lacme-accountd`(1)]-managed + account key. A list of *CONTACT* information (such as `maito:` + URIs) can be specified in order for the [ACME] server to contact the + client for issues related to this registration (such as + notifications about server-initiated revocations). `--tos-agreed` + indicates agreement with the [ACME] server's Terms of Service (and + might be required for registration). - `--agreement-uri=` can be used to specify a *URI* referring to a - subscriber agreement or terms of service provided by the server; - adding this options indicates the client's agreement with the - referenced terms. Note that the server might require the client to - agree to subscriber agreement before performing any further actions. + If the account key is already registered, update the contact info + with the given list of *CONTACT* information. - If the account key is already registered, `lacme` prints the URI of - the existing registration and aborts. + Upon success, `lacme` prints the new or updated Account Object from + the [ACME] server. -`lacme` [`--agreement-uri=`*URI*] `reg=`*URI* [*CONTACT* …] - -: Dump or edit the registration *URI* (relative to the [ACME] server - URI, which is specified with the *server* option of the [`[client]` - section](#client-section) of the configuration file). - - When specified, the list of *CONTACT* information and the agreement - *URI* are sent to the server to replace the existing values. 
- -`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …] +`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `newOrder` [*SECTION* …] : Read the certificate configuration *FILE* (see the **[certificate configuration file](#certificate-configuration-file)** section below for the configuration options), and request new Certificate Issuance for each of its sections (or the given list of *SECTION*s). + Command alias: `new-order`. -`lacme` `revoke-cert` *FILE* [*FILE* …] +`lacme` `revokeCert` *FILE* [*FILE* …] : Request that the given certificate(s) *FILE*(s) be revoked. For this command, [`lacme-accountd`(1)] can be pointed to either the account key or the server's private key. + Command alias: `revoke-cert`. Generic options =============== @@ -149,7 +141,7 @@ Default section *config-certs* -: For certificate issuances (`new-cert` command), specify the +: For certificate issuances (`newOrder` command), specify the space-separated list of certificate configuration files or directories to use (see the **[certificate configuration file](#certificate-configuration-file)** section below for the @@ -198,7 +190,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). *server* : Root URI of the [ACME] server. - Default: `https://acme-v01.api.letsencrypt.org/`. + Default: `https://acme-v02.api.letsencrypt.org/directory`. *timeout* @@ -322,7 +314,7 @@ If the section (including its header) is absent or commented out, Certificate configuration file ============================== -For certificate issuances (`new-cert` command), a separate file is used +For certificate issuances (`newOrder` command), a separate file is used to configure paths to the certificate and key, as well as the subject, subjectAltName, etc. to generate Certificate Signing Requests. Each section denotes a separate certificate issuance. 
@@ -405,17 +397,16 @@ Valid options are: Examples ======== - ~$ sudo lacme new-reg mailto:noreply@example.com - ~$ sudo lacme reg=/acme/reg/123456 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf - ~$ sudo lacme new-cert - ~$ sudo lacme revoke-cert /path/to/server/certificate.pem + ~$ sudo lacme account --register --tos-agreed mailto:noreply@example.com + ~$ sudo lacme newOrder + ~$ sudo lacme revokeCert /path/to/server/certificate.pem See also ======== [`lacme-accountd`(1)] -[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 +[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12 [`lacme-accountd`(1)]: lacme-accountd.1.html [`iptables`(8)]: http://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html |
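Review bot: in the `@@ -61,44 +61,36 @@` hunk the `lacme account` description says "Register (if `--registered` is set)" while the synopsis on the line above and the Examples section both spell the flag `--register`; make the description use `--register`. The same paragraph carries over the `maito:` typo from the removed text, which should read `mailto:` (as the example `mailto:noreply@example.com` does). `newOrder` and `revokeCert` each get a `Command alias:` line for the old `new-cert`/`revoke-cert` names, but `new-reg` and `reg=`*URI* are dropped without an alias or a migration note; either add an alias or state explicitly that `lacme account` replaces both, so existing scripts and cron jobs know what to change.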
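Review bot: in the `@@ -198,7 +190,7 @@` hunk the *server* default becomes `https://acme-v02.api.letsencrypt.org/directory`, but the description line "Root URI of the [ACME] server" is left unchanged; with the v2 endpoint the option now names the directory resource, not a root, so reword it (for instance "URI of the [ACME] server's directory object") and say that a configuration still pointing at the old default `https://acme-v01.api.letsencrypt.org/` must be updated, since that root is not a v2 directory.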
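Review bot: the `@@ -405,17 +397,16 @@` hunk only shows `lacme account --register --tos-agreed mailto:noreply@example.com`; since the new Commands text says that running `lacme account` on an already-registered key updates the contact list, add a second example without `--register` to illustrate that path. The `[ACME]` link now points at draft-ietf-acme-acme-12, consistent with the commit message.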