-rw-r--r-- | Makefile | 16
-rw-r--r-- | README | 58
-rwxr-xr-x | client | 8
-rw-r--r-- | config/lacme-accountd.conf (renamed from config/letsencrypt-accountd.conf) | 4
-rw-r--r-- | config/lacme-certs.conf (renamed from config/letsencrypt-certs.conf) | 2
-rw-r--r-- | config/lacme.conf (renamed from config/letsencrypt.conf) | 24
-rwxr-xr-x | lacme (renamed from letsencrypt) | 23
-rwxr-xr-x | lacme-accountd (renamed from letsencrypt-accountd) | 10
-rw-r--r-- | lacme-accountd.1 | 152
-rw-r--r-- | lacme.1 (renamed from letsencrypt.1) | 128
-rw-r--r-- | letsencrypt-accountd.1 | 153
11 files changed, 286 insertions, 292 deletions
@@ -1,15 +1,15 @@ all: install: - install -d $(DESTDIR)/etc/letsencrypt-tiny - install -m0644 -t $(DESTDIR)/etc/letsencrypt-tiny config/*.conf - install -d $(DESTDIR)/usr/share/letsencrypt-tiny - install -m0644 -t $(DESTDIR)/usr/share/letsencrypt-tiny lets-encrypt-x[1-4]-cross-signed.pem - install -d $(DESTDIR)/usr/lib/letsencrypt-tiny - install -m0755 -t $(DESTDIR)/usr/lib/letsencrypt-tiny client webserver + install -d $(DESTDIR)/etc/lacme + install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf + install -d $(DESTDIR)/usr/share/lacme + install -m0644 -t $(DESTDIR)/usr/share/lacme lets-encrypt-x[1-4]-cross-signed.pem + install -d $(DESTDIR)/usr/lib/lacme + install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver install -d $(DESTDIR)/usr/share/man/man1 - install -m0644 -t $(DESTDIR)/usr/share/man/man1 letsencrypt-accountd.1 letsencrypt.1 + install -m0644 -t $(DESTDIR)/usr/share/man/man1 lacme-accountd.1 lacme.1 install -d $(DESTDIR)/usr/bin - install -m0644 -t $(DESTDIR)/usr/bin letsencrypt-accountd letsencrypt + install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd lacme .PHONY: all install 
@@ -1,29 +1,6 @@ -Requesting new Certificate Issuance with the ACME protocol generally -works as follows: - - 1. Generate a Certificate Signing Request. This requires access to - the private part of the server key. - 2. Issue an issuance request against the ACME server. - 3. Answer the ACME Identifier Validation Challenges. The challenge - type "http-01" requires a webserver to listen on port 80 for each - address for which an authorization request is issued; if there is - no running webserver, root privileges are required to bind against - port 80 and to install firewall rules to temporarily open the port. - 4. Install the certificate (after verification) and restart the - service. This usually requires root access as well. - -Steps 1,3,4 need to be run on the host for which an authorization -request is issued. However the the issuance itself (step 2) could be -done from another machine. Furthermore, each ACME command (step 2), as -well as the key authorization token in step 3, need to be signed using -an account key. The account key can be stored on another machine, or -even on a smartcard. - -_______________________________________________________________________ - -letsencrypt is a tiny ACME client written with process isolation and -minimal privileges in mind. It is divided into four components, each -with its own executable: +lacme is a small ACME client written with process isolation and minimal +privileges in mind. It is divided into four components, each with its +own executable: * A process to manage the account key and issue SHA-256 signatures needed for each ACME command. (This process binds to a UNIX-domain 
@@ -56,11 +33,34 @@ with its own executable: Consult the manuals for more information. - https://guilhem.org/man/letsencrypt.1.html - https://guilhem.org/man/letsencrypt-accountd.1.html + https://guilhem.org/man/lacme.1.html + https://guilhem.org/man/lacme-accountd.1.html + +_______________________________________________________________________ + +Requesting new Certificate Issuance with the ACME protocol generally +works as follows: + + 1. Generate a Certificate Signing Request. This requires access to + the private part of the server key. + 2. Issue an issuance request against the ACME server. + 3. Answer the ACME Identifier Validation Challenges. The challenge + type "http-01" requires a webserver to listen on port 80 for each + address for which an authorization request is issued; if there is + no running webserver, root privileges are required to bind against + port 80 and to install firewall rules to temporarily open the port. + 4. Install the certificate (after verification) and restart the + service. This usually requires root access as well. + +Steps 1,3,4 need to be run on the host for which an authorization +request is issued. However the the issuance itself (step 2) could be +done from another machine. Furthermore, each ACME command (step 2), as +well as the key authorization token in step 3, need to be signed using +an account key. The account key can be stored on another machine, or +even on a smartcard. _______________________________________________________________________ -letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and +lacme is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and licensed for use under the GNU General Public License version 3 or later. See ‘COPYING’ for specific terms and distribution information. 
@@ -24,9 +24,9 @@ use warnings; # Usage: client COMMAND CONFIG_FD SOCKET_FD [ARGUMENTS] # # fdopen(3) the file descriptor SOCKET_FD (corresponding to the -# listening letsencrypt-accountd socket), connect(2) to it to retrieve -# the account key's public parameters and later send data to be signed -# by the master component (using the account key). +# listening lacme-accountd socket), connect(2) to it to retrieve the +# account key's public parameters and later send data to be signed by +# the master component (using the account key). # # CONFIG_FD is a read-only file descriptor associated with the # configuration file at pos 0. (This is needed since this process @@ -66,7 +66,7 @@ open my $S, '+<&=', $1 or die "fdopen $1: $!"; ############################################################################# # Read the protocol version and JSON Web Key (RFC 7517) from the -# letsencrypt-accountd socket +# lacme-accountd socket # die "Error: Invalid client version\n" unless $S->getline() =~ /\A(\d+) OK(?:.*)\r\n\z/ and $1 == $PROTOCOL_VERSION; diff --git a/config/letsencrypt-accountd.conf b/config/lacme-accountd.conf index c372190..0a8b81a 100644 --- a/config/letsencrypt-accountd.conf +++ b/config/lacme-accountd.conf @@ -17,10 +17,10 @@ # for signature requests from the ACME client. An error is raised if # the path exists exists or if its parent directory is writable by other # users. -# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR +# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR # environment variable is set. # -#socket = /run/user/1000/S.letsencrypt +#socket = /run/user/1000/S.lacme # Be quiet. Possible values: "Yes"/"No". # diff --git a/config/letsencrypt-certs.conf b/config/lacme-certs.conf index 2ee9b20..fbce5e2 100644 --- a/config/letsencrypt-certs.conf +++ b/config/lacme-certs.conf 
@@ -26,7 +26,7 @@ # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an # empty value skip certificate validation. -#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem +#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem # Subject field of the Certificate Signing Request. This option is # required. diff --git a/config/letsencrypt.conf b/config/lacme.conf index 1502020..edcbbb0 100644 --- a/config/letsencrypt.conf +++ b/config/lacme.conf @@ -1,23 +1,23 @@ # For certificate issuance (new-cert command), specify the certificate # configuration file to use # -#config-certs = config/letsencrypt-certs.conf +#config-certs = config/lacme-certs.conf [client] -# The value of "socket" specifies the letsencrypt-accountd(1) -# UNIX-domain socket to connect to for signature requests from the ACME -# client. letsencrypt aborts if the socket is readable or writable by -# other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR -# environment variable is set. +# The value of "socket" specifies the lacme-accountd(1) UNIX-domain +# socket to connect to for signature requests from the ACME client. +# lacme aborts if the socket is readable or writable by other users, or +# if its parent directory is writable by other users. +# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment +# variable is set. # -#socket = /run/user/1000/S.letsencrypt +#socket = /run/user/1000/S.lacme # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). # Default: "nobody". # -#user = letsencrypt +#user = lacme # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). 
@@ -26,7 +26,7 @@ #group = nogroup # Path to the ACME client executable. -#command = /usr/lib/letsencrypt-tiny/client +#command = /usr/lib/lacme/client # Root URI of the ACME server. NOTE: Use the staging server for testing # as it has relaxed ratelimit. @@ -75,11 +75,11 @@ #user = www-data # Path to the ACME webserver executable. -#command = /usr/lib/letsencrypt-tiny/webserver +#command = /usr/lib/lacme/webserver # Whether to automatically install iptables(1) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically -# removed once letsencrypt exits. +# removed once lacme(1) exits. # #iptables = Yes @@ -1,7 +1,7 @@ #!/usr/bin/perl -T #---------------------------------------------------------------------- -# Let's Encrypt ACME client +# ACME client # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify @@ -22,7 +22,7 @@ use strict; use warnings; our $VERSION = '0.0.1'; -my $NAME = 'letsencrypt'; +my $NAME = 'lacme'; use Errno qw/EADDRINUSE EINTR/; use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/; @@ -71,8 +71,8 @@ $COMMAND = $COMMAND =~ /\A(new-reg|reg=\p{Print}*|new-cert|revoke-cert)\z/ ? $1 do { my $conffile = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf" - , "/etc/letsencrypt-tiny/$NAME.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" + , "/etc/lacme/$NAME.conf" ); die "Error: Can't find configuration file\n" unless defined $conffile; print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; 
@@ -84,10 +84,10 @@ do { my $defaults = delete $h->{_} // {}; my %valid = ( client => { - socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef), + socket => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef), user => 'nobody', group => 'nogroup', - command => '/usr/lib/letsencrypt-tiny/client', + command => '/usr/lib/lacme/client', # the rest is for the ACME client map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, @@ -96,7 +96,7 @@ do { 'challenge-directory' => '/var/www/acme-challenge', user => 'www-data', group => 'www-data', - command => '/usr/lib/letsencrypt-tiny/webserver', + command => '/usr/lib/lacme/webserver', iptables => 'Yes' } @@ -399,7 +399,7 @@ sub acme_client($@) { die "Error: insecure permissions on $dirname\n" if ($stat[2] & 0022) != 0; # ensure we're the only user with read/write access to the socket - @stat = stat($sockname) or die "Can't stat $sockname: $! (Is letsencrypt-accountd running?)\n"; + @stat = stat($sockname) or die "Can't stat $sockname: $! (Is lacme-accountd running?)\n"; die "Error: insecure permissions on $sockname\n" if ($stat[2] & 0066) != 0; # connect(2) to the socket 
@@ -515,14 +515,15 @@ if ($COMMAND eq 'new-reg' or $COMMAND =~ /^reg=/) { # new-cert [SECTION ..] # TODO: renewal without the account key, see # https://github.com/letsencrypt/acme-spec/pull/168 +# https://github.com/letsencrypt/acme-spec/issues/191 # elsif ($COMMAND eq 'new-cert') { my $conf; do { my $conffile = $OPTS{'config-certs'} // $CONFIG->{_}->{'config-certs'} // first { -f $_ } ( "./$NAME-certs.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME-certs.conf" - , "/etc/letsencrypt-tiny/$NAME-certs.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME-certs.conf" + , "/etc/lacme/$NAME-certs.conf" ); die "Error: Can't find certificate configuration file\n" unless defined $conffile; my $h = Config::Tiny::->read($conffile) or die Config::Tiny::->errstr()."\n"; @@ -604,7 +605,7 @@ elsif ($COMMAND eq 'new-cert') { }; # verify certificate validity against the CA - $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem'; + $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem'; if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, qw/-purpose sslserver -x509_strict/)) { print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; diff --git a/letsencrypt-accountd b/lacme-accountd index ffc5619..2bc648f 100755 --- a/letsencrypt-accountd +++ b/lacme-accountd @@ -1,7 +1,7 @@ #!/usr/bin/perl -T #---------------------------------------------------------------------- -# Let's Encrypt ACME client (account key manager) +# ACME client (account key manager) # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify 
@@ -23,7 +23,7 @@ use warnings; our $VERSION = '0.0.1'; my $PROTOCOL_VERSION = 1; -my $NAME = 'letsencrypt-accountd'; +my $NAME = 'lacme-accountd'; use Errno 'EINTR'; use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/; @@ -64,8 +64,8 @@ usage(0) if $OPTS{help}; do { my $conffile = $OPTS{config} // first { -f $_ } ( "./$NAME.conf" - , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/letsencrypt-tiny/$NAME.conf" - , "/etc/letsencrypt-tiny/$NAME.conf" + , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf" + , "/etc/lacme/$NAME.conf" ); die "Error: Can't find configuration file\n" unless defined $conffile; print STDERR "Using configuration file: $conffile\n" if $OPTS{debug}; @@ -137,7 +137,7 @@ $JWK = JSON::->new->encode($JWK); # delete the file manually. # do { - my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.letsencrypt" : undef); + my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef); die "Missing socket option\n" unless defined $sockname; $sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname diff --git a/lacme-accountd.1 b/lacme-accountd.1 new file mode 100644 index 0000000..46a6a0d --- /dev/null +++ b/lacme-accountd.1 
@@ -0,0 +1,152 @@ +.TH LACME\-ACCOUNTD "1" "MARCH 2016" "ACME client (account key manager)" "User Commands" + +.SH NAME +lacme\-accountd \- ACME client (account key manager) + +.SH SYNOPSIS +.B lacme\-accountd\fR [\fB\-\-config=\fIFILENAME\fR] +[\fB\-\-privkey=\fIARG\fR] [\fB\-\-socket=\fIPATH\fR] [\fB\-\-quiet\fR] + + +.SH DESCRIPTION +.PP +.B lacme\-accountd\fR is the account key manager component of +\fIlacme\fR(1), a tiny ACME client written with process isolation and +minimal privileges in mind. No other \fIlacme\fR(1) component need +access to the account key; in fact the account key could also be stored +on a smartcard. + +.B lacme\-accountd\fR binds to a UNIX\-domain socket (specified with +\fB\-\-socket=\fR), which ACME clients can connect to in order to +request data signatures. +As a consequence, \fBlacme\-accountd\fR needs to be up and running +before using \fIlacme\fR(1) to issue ACME commands. Also, the process +does not automatically terminate after the last signature request: +instead, one sends an \fIINT\fR or \fITERM\fR signal to bring the server +down. + +Furthermore, one can use the UNIX\-domain socket forwarding facility of +OpenSSH 6.7 and later to run \fBlacme\-accountd\fR and \fIlacme\fR(1) on +different hosts. For instance one could store the account key on a +machine that is not exposed to the internet. See the \fBEXAMPLES\fR +section below. + + +.SH OPTIONS +.TP +.B \-\-config=\fIfilename\fR +Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION +FILE\fR section below for the configuration options. + +.TP +.B \-\-privkey=\fIarg\fR +Specify the (private) account key to use for signing requests. +Currently supported \fIarg\fRuments are: + +.RS +.IP \[bu] 2 +file:\fIFILE\fR, to specify an encrypted private key (in PEM format); and +.IP \[bu] +gpg:\fIFILE\fR, to specify a \fIgpg\fR(1)\-encrypted private key (in PEM format). 
+ +.PP +The following command can be used to generate a new 4096\-bits RSA key in +PEM format with mode 0600: + +.nf + openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key +.fi +.RE + +.TP +.B \-\-socket=\fIpath\fR +Use \fIpath\fR as the UNIX\-domain socket to bind against for signature +requests from the ACME client. \fBlacme\-accountd\fR aborts if +\fIpath\fR exists or if its parent directory is writable by other users. + +.TP +.B \-?\fR, \fB\-\-help\fR +Display a brief help and exit. + +.TP +.B \-q\fR, \fB\-\-quiet\fR +Be quiet. + +.TP +.B \-\-debug +Turn on debug mode. + + +.SH CONFIGURATION FILE +If \fB\-\-config=\fR is not given, \fBlacme\-accountd\fR uses the first +existing configuration file among \fI./lacme\-accountd.conf\fR, +\fI$XDG_CONFIG_HOME/lacme/lacme\-accountd.conf\fR (or +\fI~/.config/lacme/lacme\-accountd.conf\fR if the XDG_CONFIG_HOME +environment variable is not set), and +\fI/etc/lacme/lacme\-accountd.conf\fR. + +When given on the command line, the \fB\-\-privkey=\fR, +\fB\-\-socket=\fR and \fB\-\-quiet\fR options take precedence over their +counterpart (without leading \(lq\-\-\(rq) in the configuration file. +Valid options are: + +.TP +.I privkey +See \fB\-\-privkey=\fR. +This option is required when \fB\-\-privkey=\fR is not specified on the +command line. + +.TP +.I gpg +For a \fIgpg\fR(1)\-encrypted private account key, specify the binary +\fIgpg\fR(1) to use, as well as some default options. +Default: \(lqgpg \-\-quiet\(rq. + +.TP +.I socket +See \fB\-\-socket=\fR. +Default: \(lq$XDG_RUNTIME_DIR/S.lacme\(rq if the XDG_RUNTIME_DIR +environment variable is set. + +.TP +.I quiet +Be quiet. Possible values: \(lqYes\(rq/\(lqNo\(rq. 
+ + +.SH EXAMPLES + +Run \fBlacme\-accountd\fR in a first terminal: + +.nf + ~$ lacme\-accountd \-\-privkey=file:/path/to/priv.key \-\-socket=/run/user/1000/S.lacme +.fi + +Then, while \fBlacme\-accountd\fR is running, execute locally +\fIlacme\fR(1) in another terminal: + +.nf + ~$ sudo lacme \-\-socket=/run/user/1000/S.lacme new\-cert +.fi + +Alternatively, use \fIssh\fR(1) to forward the socket and execute +\fIlacme\fR(1) remotely: + +.nf + ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.lacme user@example.org \\ + sudo lacme --socket=/path/to/remote.sock new-cert +.fi + + +.SH SEE ALSO +\fBlacme\fR(1), \fBssh\fR(1) + +.SH AUTHOR +.ie \n[www-html] \{\ + Written by +. MTO guilhem@fripost.org "Guilhem Moulin" . +\} +.el \{\ + Written by Guilhem Moulin +. MT guilhem@fripost.org +. ME . +\} 
@@ -1,33 +1,31 @@ -.TH LETSENCRYPT "1" "MARCH 2016" "Tiny Let's Encrypt ACME client" "User Commands" +.TH LACME "1" "MARCH 2016" "ACME client" "User Commands" .SH NAME -letsencrypt \- Tiny Let's Encrypt ACME client +lacme \- ACME client .SH SYNOPSIS -.B letsencrypt\fR [\fB\-\-config=\fIFILENAME\fR] -[\fB\-\-socket=\fIPATH\fR] [\fIOPTION\fR ...] \fICOMMAND\fR -[\fIARGUMENT\fR ...] +.B lacme\fR [\fB\-\-config=\fIFILENAME\fR] [\fB\-\-socket=\fIPATH\fR] +[\fIOPTION\fR ...] \fICOMMAND\fR [\fIARGUMENT\fR ...] .SH DESCRIPTION .PP -.B letsencrypt\fR is a tiny ACME client written with process isolation -and minimal privileges in mind. +.B lacme\fR is a tiny ACME client written with process isolation and +minimal privileges in mind. It is divided into four components, each with its own executable: .IP \[bu] 4 -A \fIletsencrypt\-accountd\fR(1) process to manage the account key and -issue SHA\-256 signatures needed for each ACME command. -(This process binds to a UNIX\-domain socket to reply to signature -requests from the ACME client.) +A \fIlacme\-accountd\fR(1) process to manage the account key and issue +SHA\-256 signatures needed for each ACME command. (This process binds +to a UNIX\-domain socket to reply to signature requests from the ACME +client.) One can use the UNIX\-domain socket forwarding facility of OpenSSH 6.7 -and later to run \fIletsencrypt\-accountd\fR(1) and \fBletsencrypt\fR on -different hosts. +and later to run \fIlacme\-accountd\fR(1) and \fBlacme\fR on different +hosts. .IP \[bu] 4 -A \(lqmaster\(rq \fBletsencrypt\fR process, which runs as root and is -the only component with access to the private key material of the server -keys. +A \(lqmaster\(rq \fBlacme\fR process, which runs as root and is the only +component with access to the private key material of the server keys. It is used to fork the ACME client (and optionally the ACME webserver) after dropping root privileges. For certificate issuances (\fBnew\-cert\fR command), it also generates 
@@ -40,18 +38,17 @@ An actual ACME client (specified with the \fIcommand\fR option of the \(lq[client]\(rq section of the configuration file), which builds ACME commands and dialogues with the remote ACME server. Since ACME commands need to be signed with the account key, the -\(lqmaster\(rq \fBletsencrypt\fR process passes the -\fIletsencrypt\-accountd\fR(1) UNIX\-domain socket to the ACME client: -data signatures are requested by writing the data to be signed to the -socket. +\(lqmaster\(rq \fBlacme\fR process passes the \fIlacme\-accountd\fR(1) +UNIX\-domain socket to the ACME client: data signatures are requested by +writing the data to be signed to the socket. .IP \[bu] 4 For certificate issuances (\fBnew\-cert\fR command), an optional webserver (specified with the \fIcommand\fR option of the \(lq[webserver]\(rq section of the configuration file), which is spawned -by the \(lqmaster\(rq \fBletsencrypt\fR process when no service is -listening on the HTTP port. -(The only challenge type currently supported by \fBletsencrypt\fR is +by the \(lqmaster\(rq \fBlacme\fR process when no service is listening +on the HTTP port. +(The only challenge type currently supported by \fBlacme\fR is \(lqhttp\-01\(rq, which requires a webserver to answer challenges.) That webserver only processes GET and HEAD requests under the \(lq/.well\-known/acme\-challenge/\(rq URI. 
@@ -60,12 +57,12 @@ open the HTTP port, and removed afterwards. .SH COMMANDS .TP -.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg \fR[\fICONTACT\fR ...] -Register the account key managed by \fIletsencrypt\-accountd\fR(1). A -list of \fICONTACT\fR information (such as \(lqmaito:\(rq -URIs) can be specified in order for the server to contact the client for -issues related to this registration (such as notifications about -server\-initiated revocations). +.B lacme \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg +\fR[\fICONTACT\fR ...] Register the account key managed by +\fIlacme\-accountd\fR(1). A list of \fICONTACT\fR information (such as +\(lqmaito:\(rq URIs) can be specified in order for the server to contact +the client for issues related to this registration (such as +notifications about server\-initiated revocations). \fB\-\-agreement\-uri=\fR can be used to specify a \fIURI\fR referring to a subscriber agreement or terms of service provided by the server; @@ -73,11 +70,11 @@ adding this options indicates the client's agreement with the referenced terms. Note that the server might require the client to agree to subscriber agreement before performing any further actions. -If the account key is already registered, \fBletsencrypt\fR prints the -URI of the existing registration and aborts. +If the account key is already registered, \fBlacme\fR prints the URI of +the existing registration and aborts. .TP -.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBreg=\fIURI\fR \fR[\fICONTACT\fR ...] +.B lacme \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBreg=\fIURI\fR \fR[\fICONTACT\fR ...] Dump or edit the registration \fIURI\fR (relative to the ACME server URI, which is specified with the \fIserver\fR option of the \(lq[client]\(rq 
@@ -87,7 +84,7 @@ When specified, the list of \fICONTACT\fR information and the agreement \fIURI\fR are sent to the server to replace the existing values. .TP -.B letsencrypt \fR[\fB\-\-config\-certs=\fIFILE\fR]\fB \fBnew\-cert \fR[\fISECTION\fR ...] +.B lacme \fR[\fB\-\-config\-certs=\fIFILE\fR]\fB \fBnew\-cert \fR[\fISECTION\fR ...] Read the certificate configuration \fIFILE\fR (see the \fBCERTIFICATE CONFIGURATION FILE\fR section below for the configuration options), and @@ -95,11 +92,11 @@ request new Certificate Issuance for each of its sections (or the given list of \fISECTION\fRs). .TP -.B letsencrypt \fBrevoke\-cert \fIFILE\fR [\fIFILE\fR ...] +.B lacme \fBrevoke\-cert \fIFILE\fR [\fIFILE\fR ...] Request that the given certificate(s) \fIFILE\fR(s) be revoked. For -this command, \fIletsencrypt\-accountd\fR(1) can be pointed to either -the account key or the server's private key. +this command, \fIlacme\-accountd\fR(1) can be pointed to either the +account key or the server's private key. .SH GENERIC OPTIONS @@ -110,12 +107,12 @@ FILE\fR section below for the configuration options. .TP .B \-\-socket=\fIpath\fR -Use \fIpath\fR as the \fIletsencrypt\-accountd\fR(1) UNIX\-domain socket -to connect to for signature requests from the ACME client. -\fBletsencrypt\fR aborts if \fIpath\fR is readable or writable by -other users, or if its parent directory is writable by other users. -This overrides the \fIsocket\fR option of the \(lq[client]\(rq section -of the configuration file. +Use \fIpath\fR as the \fIlacme\-accountd\fR(1) UNIX\-domain socket to +connect to for signature requests from the ACME client. \fBlacme\fR +aborts if \fIpath\fR is readable or writable by other users, or if its +parent directory is writable by other users. This overrides the +\fIsocket\fR option of the \(lq[client]\(rq section of the configuration +file. .TP .B \-?\fR, \fB\-\-help\fR 
@@ -127,13 +124,11 @@ Turn on debug mode. .SH CONFIGURATION FILE -If \fB\-\-config=\fR is not given, \fBletsencrypt\fR uses the first -existing configuration file among -\fI./letsencrypt.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt.conf\fR. +If \fB\-\-config=\fR is not given, \fBlacme\fR uses the first existing +configuration file among \fI./lacme.conf\fR, +\fI$XDG_CONFIG_HOME/lacme/lacme.conf\fR (or +\fI~/.config/lacme/lacme.conf\fR if the XDG_CONFIG_HOME environment +variable is not set), and \fI/etc/lacme/lacme.conf\fR. Valid options are: .TP @@ -155,7 +150,7 @@ of ACME commands and dialogues with the remote ACME server). .TP .I socket See \fB\-\-socket=\fR. -Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR +Default: \(lq$XDG_RUNTIME_DIR/S.lacme\(rq if the XDG_RUNTIME_DIR environment variable is set. .TP @@ -176,7 +171,7 @@ Default: \(lqnogroup\(rq. .TP .I command Path to the ACME client executable. -Default: \(lq/usr/lib/letsencrypt\-tiny/client\(rq. +Default: \(lq/usr/lib/lacme/client\(rq. .TP .I server @@ -242,13 +237,13 @@ Default: \(lqwww\-data\(rq. .TP .I command Path to the ACME webserver executable. -Default: \(lq/usr/lib/letsencrypt\-tiny/webserver\(rq. +Default: \(lq/usr/lib/lacme/webserver\(rq. .TP .I iptables Whether to automatically install \fIiptables\fR(1) rules to open the \fIADDRESS\fR[:\fIPORT\fR] specified with \fIlisten\fR. -Theses rules are automatically removed once \fBletsencrypt\fR exits. +Theses rules are automatically removed once \fBlacme\fR exits. Default: \(lqYes\(rq. .RE 
@@ -257,14 +252,13 @@ Default: \(lqYes\(rq. For certificate issuances (\fBnew\-cert\fR command), a separate file is used to configure paths to the certificate and key, as well as the subject, subjectAltName, etc. to generate Certificate Signing Requests. -If \fB\-\-config\-certs=\fR is not given, and if the -\fIconfig\-certs\fR configuration option is absent, -then \fBletsencrypt\fR uses the first existing configuration file among -\fI./letsencrypt\-certs.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-certs.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt\-certs.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt\-certs.conf\fR. +If \fB\-\-config\-certs=\fR is not given, and if the \fIconfig\-certs\fR +configuration option is absent, then \fBlacme\fR uses the first existing +configuration file among \fI./lacme\-certs.conf\fR, +\fI$XDG_CONFIG_HOME/lacme/lacme\-certs.conf\fR (or +\fI~/.config/lacme/lacme\-certs.conf\fR if the XDG_CONFIG_HOME +environment variable is not set), and +\fI/etc/lacme/lacme\-certs.conf\fR. Each section denotes a separate certificate issuance. Valid options are: @@ -305,7 +299,7 @@ Path to the issuer's certificate. This is used for \fIcertificate\-chain\fR and to verify the validity of each issued certificate. Specifying an empty value skip certificate validation. -Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x3\-cross\-signed.pem\(rq. +Default: \(lq/usr/share/lacme/lets\-encrypt\-x3\-cross\-signed.pem\(rq. .TP .I hash 
@@ -348,15 +342,15 @@ after successful installation of the \fIcertificate\fR and/or .SH EXAMPLES .nf - ~$ sudo letsencrypt new-reg mailto:noreply@example.com - ~$ sudo letsencrypt reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf - ~$ sudo letsencrypt new-cert - ~$ sudo letsencrypt revoke-cert /path/to/server/certificate.pem + ~$ sudo lacme new-reg mailto:noreply@example.com + ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf + ~$ sudo lacme new-cert + ~$ sudo lacme revoke-cert /path/to/server/certificate.pem .fi .SH SEE ALSO -\fBletsencrypt\-accountd\fR(1) +\fBlacme\-accountd\fR(1) .SH AUTHOR .ie \n[www-html] \{\ diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1 deleted file mode 100644 index a06cdcc..0000000 --- a/letsencrypt-accountd.1 +++ /dev/null 
@@ -1,153 +0,0 @@ -.TH LETSENCRYPT\-ACCOUNTD "1" "MARCH 2016" "Tiny Let's Encrypt ACME client (account key manager)" "User Commands" - -.SH NAME -letsencrypt\-accountd \- Tiny Let's Encrypt ACME client (account key manager) - -.SH SYNOPSIS -.B letsencrypt\-accountd\fR [\fB\-\-config=\fIFILENAME\fR] -[\fB\-\-privkey=\fIARG\fR] [\fB\-\-socket=\fIPATH\fR] [\fB\-\-quiet\fR] - - -.SH DESCRIPTION -.PP -.B letsencrypt\-accountd\fR is the account key manager component of -\fIletsencrypt\fR(1), a tiny ACME client written with process isolation -and minimal privileges in mind. No other \fIletsencrypt\fR(1) component -need access to the account key; in fact the account key could also be -stored on a smartcard. - -.B letsencrypt\-accountd\fR binds to a UNIX\-domain socket (specified -with \fB\-\-socket=\fR), which ACME clients can connect to in order to -request data signatures. -As a consequence, \fBletsencrypt\-accountd\fR needs to be up and running -before using \fIletsencrypt\fR(1) to issue ACME commands. -Also, the process does not automatically terminate after the last -signature request: instead, one sends an \fIINT\fR or \fITERM\fR signal -to bring the server down. - -Furthermore, one can use the UNIX\-domain socket forwarding facility of -OpenSSH 6.7 and later to run \fBletsencrypt\-accountd\fR and -\fIletsencrypt\fR(1) on different hosts. For instance one could store -the account key on a machine that is not exposed to the internet. See -the \fBEXAMPLES\fR section below. - - -.SH OPTIONS -.TP -.B \-\-config=\fIfilename\fR -Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION -FILE\fR section below for the configuration options. - -.TP -.B \-\-privkey=\fIarg\fR -Specify the (private) account key to use for signing requests. -Currently supported \fIarg\fRuments are: - -.RS -.IP \[bu] 2 -file:\fIFILE\fR, to specify an encrypted private key (in PEM format); and -.IP \[bu] -gpg:\fIFILE\fR, to specify a \fIgpg\fR(1)\-encrypted private key (in PEM format). 
- -.PP -The following command can be used to generate a new 4096\-bits RSA key in -PEM format with mode 0600: - -.nf - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key -.fi -.RE - -.TP -.B \-\-socket=\fIpath\fR -Use \fIpath\fR as the UNIX\-domain socket to bind against for signature -requests from the ACME client. \fBletsencrypt\-accountd\fR aborts if -\fIpath\fR exists or if its parent directory is writable by other users. - -.TP -.B \-?\fR, \fB\-\-help\fR -Display a brief help and exit. - -.TP -.B \-q\fR, \fB\-\-quiet\fR -Be quiet. - -.TP -.B \-\-debug -Turn on debug mode. - - -.SH CONFIGURATION FILE -If \fB\-\-config=\fR is not given, \fBletsencrypt\-accountd\fR uses the -first existing configuration file among -\fI./letsencrypt\-accountd.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR. - -When given on the command line, the \fB\-\-privkey=\fR, -\fB\-\-socket=\fR and \fB\-\-quiet\fR options take precedence over their -counterpart (without leading \(lq\-\-\(rq) in the configuration file. -Valid options are: - -.TP -.I privkey -See \fB\-\-privkey=\fR. -This option is required when \fB\-\-privkey=\fR is not specified on the -command line. - -.TP -.I gpg -For a \fIgpg\fR(1)\-encrypted private account key, specify the binary -\fIgpg\fR(1) to use, as well as some default options. -Default: \(lqgpg \-\-quiet\(rq. - -.TP -.I socket -See \fB\-\-socket=\fR. -Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR -environment variable is set. - -.TP -.I quiet -Be quiet. Possible values: \(lqYes\(rq/\(lqNo\(rq. 
- - -.SH EXAMPLES - -Run \fBletsencrypt\-accountd\fR in a first terminal: - -.nf - ~$ letsencrypt\-accountd \-\-privkey=file:/path/to/priv.key \-\-socket=/run/user/1000/S.letsencrypt -.fi - -Then, while \fBletsencrypt\-accountd\fR is running, execute locally -\fIletsencrypt\fR(1) in another terminal: - -.nf - ~$ sudo letsencrypt \-\-socket=/run/user/1000/S.letsencrypt new\-cert -.fi - -Alternatively, use \fIssh\fR(1) to forward the socket and execute -\fIletsencrypt\fR(1) remotely: - -.nf - ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.letsencrypt user@example.org \\ - sudo letsencrypt --socket=/path/to/remote.sock new-cert -.fi - - -.SH SEE ALSO -\fBletsencrypt\fR(1), \fBssh\fR(1) - -.SH AUTHOR -.ie \n[www-html] \{\ - Written by -. MTO guilhem@fripost.org "Guilhem Moulin" . -\} -.el \{\ - Written by Guilhem Moulin -. MT guilhem@fripost.org -. ME . -\} |
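Review bot: in the Makefile hunk, the rewritten line `install -m0644 -t $(DESTDIR)/usr/bin lacme-accountd lacme` installs both entry-point scripts without the execute bit, while the helpers under /usr/lib/lacme in the same hunk get `-m0755`; the defect predates the rename (the removed line had `-m0644` too), but since the line is being rewritten anyway it should become `install -m0755 -t $(DESTDIR)/usr/bin lacme-accountd lacme`.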
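Review bot: in the second README hunk, the paragraph moved below the manual links is re-added verbatim, including the duplicated word in "However the the issuance itself (step 2) could be done from another machine"; since these lines are rewritten by this hunk, drop the extra "the" here rather than in a follow-up.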
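Review bot: in the config/lacme-accountd.conf hunk, the unchanged context line directly above the rewritten default reads "An error is raised if the path exists exists or if its parent directory is writable by other users"; the doubled "exists" is worth fixing while the comment block is being touched, as the same sentence is what users read to understand the socket permission check.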
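Review bot: in the lacme hunk that rewrites the configuration search list, the candidates change from `.../letsencrypt-tiny/$NAME.conf` and `/etc/letsencrypt-tiny/$NAME.conf` to `.../lacme/$NAME.conf` and `/etc/lacme/$NAME.conf` with no fallback, so an existing deployment whose file still lives under /etc/letsencrypt-tiny will stop with "Error: Can't find configuration file" after upgrading, and the default socket likewise moves from `$XDG_RUNTIME_DIR/S.letsencrypt` to `$XDG_RUNTIME_DIR/S.lacme` in both lacme and lacme-accountd; either keep the old directory as a lower-priority candidate for one release or document the move (the README hunk would be the natural place), so that administrators do not end up running with an unintended configuration.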
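Review bot: in the new lacme-accountd.1, the `--privkey=` option describes `file:FILE` as "an encrypted private key (in PEM format)", but the command shown right below it, `openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key`, writes an unencrypted key (genrsa only encrypts when given a cipher option such as `-aes256`), so either the description should say the key may be unencrypted or the example should encrypt it; in the same hunk, "No other \fIlacme\fR(1) component need access" should read "needs access", "4096\-bits RSA key" should read "4096\-bit", and the second bullet `.IP \[bu]` lacks the indent argument `2` that the first bullet has.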
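Review bot: in the lacme.1 COMMANDS hunk, the reflow of the `new-reg` entry breaks the man page layout: the `.TP` tag line is now `.B lacme \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg` and the next line `\fR[\fICONTACT\fR ...] Register the account key managed by` becomes body text, so "[CONTACT ...]" is rendered as the first words of the description instead of as part of the synopsis; keep the whole synopsis on the `.B` line and start "Register the account key ..." on its own line, as the `reg=` entry immediately below still does. The same reflowed line also carries over the typo "\(lqmaito:\(rq" for "\(lqmailto:\(rq".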
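Review bot: in the lacme.1 CONFIGURATION FILE hunk, the rewritten line "Theses rules are automatically removed once \fBlacme\fR exits" keeps the typo "Theses" (the matching comment rewritten in config/lacme.conf has the same typo); change both to "These" while these lines are being edited.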
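Review bot: the last hunk shows letsencrypt-accountd.1 as deleted and lacme-accountd.1 as a new file rather than as a rename, because the rename and the paragraph reflow landed in one commit and the content similarity dropped below git's detection threshold; doing the plain rename in one commit and the reflow in a follow-up keeps the file's history reachable with `git log --follow`, which is how the other renamed files in the diffstat are shown.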