-rw-r--r-- debian/control 54
-rw-r--r-- debian/lacme-accountd.install 2
-rw-r--r-- debian/lacme-accountd.manpages (renamed from debian/manpages) 1
-rw-r--r-- debian/lacme.install 4
-rw-r--r-- debian/lacme.manpages 1
-rwxr-xr-x debian/rules 4
6 files changed, 61 insertions, 5 deletions
diff --git a/debian/control b/debian/control
index 533ea03..258ee91 100644
--- a/debian/control
+++ b/debian/control
@@ -4,16 +4,22 @@ Priority: optional
Maintainer: Guilhem Moulin <guilhem@guilhem.org>
Build-Depends: debhelper (>= 9), jq, pandoc
Standards-Version: 3.9.6
+Homepage: https://git.guilhem.org/lacme/about/
Vcs-Git: https://git.guilhem.org/lacme
Vcs-Browser: https://git.guilhem.org/lacme
Package: lacme
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends},
- libwww-perl, libjson-perl, libconfig-tiny-perl,
- libnet-ssleay-perl, openssl
-Recommends: liblwp-protocol-https-perl,
- libcrypt-openssl-bignum-perl, libcrypt-openssl-rsa-perl
+ openssl,
+ libconfig-tiny-perl,
+ libjson-perl,
+ libwww-perl,
+ libnet-ssleay-perl
+Recommends:
+ liblwp-protocol-https-perl
+Suggests:
+ lacme-accountd (= ${binary:Version})
Description: ACME client written with process isolation and minimal privileges in mind
lacme is divided into four components, each with its own executable:
.
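Review bot: libcrypt-openssl-bignum-perl is dropped from the Recommends of lacme here and does not reappear anywhere else in this patch, whereas libcrypt-openssl-rsa-perl at least moves to the new lacme-accountd stanza. If any remaining code in either package still loads the Bignum module, it will fail at run time on a default install; please confirm it is unused or add it to the relations of the package that needs it. Separately, "Suggests: lacme-accountd (= ${binary:Version})" pins an exact version on a relation that is only advisory, which reads as if the signing protocol between the two is version-locked; a short comment or changelog entry saying whether a mismatched lacme-accountd on a remote host is supported would help.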
@@ -43,3 +49,43 @@ Description: ACME client written with process isolation and minimal privileges i
HEAD requests under the "/.well-known/acme-challenge/" URI. By default
some iptables(8) rules are automatically installed to open the HTTP port,
and removed afterwards.
+
+Package: lacme-accountd
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends},
+ libconfig-tiny-perl,
+ libjson-perl
+Recommends: libcrypt-openssl-rsa-perl
+Description: lacme account key manager
+ lacme is an ACME client written with process isolation and minimal privileges
+ in mind. It is divided into four components, each with its own executable:
+ .
+ * A process to manage the account key and issue SHA-256 signatures needed for
+ each ACME command. (This process binds to a UNIX-domain socket to reply to
+ signature requests from the ACME client.) One can use the UNIX-domain
+ socket forwarding facility of OpenSSH 6.7 and later to run this process on
+ a different host.
+ .
+ * A "master" process, which runs as root and is the only component
+ with access to the private key material of the server keys. It is used to
+ fork the ACME client (and optionally the ACME webserver) after dropping
+ root privileges. For certificate issuances, it also generates Certificate
+ Signing Requests, then verifies the validity of the issued certificate, and
+ optionally reloads or restarts services.
+ .
+ * An actual ACME client, which builds ACME commands and dialogues with
+ the remote ACME server. Since ACME commands need to be signed with the
+ account key, the "master" process passes the UNIX-domain socket of the
+ account key manager to the ACME client: data signatures are requested by
+ writing the data to be signed to the socket.
+ .
+ * For certificate issuances, an optional webserver, which is spawned
+ by the "master" process when no service is listening on the HTTP port.
+ (The only challenge type currently supported is "http-01", which requires a
+ webserver to answer challenges.) That webserver only processes GET and
+ HEAD requests under the "/.well-known/acme-challenge/" URI. By default
+ some iptables(8) rules are automatically installed to open the HTTP port,
+ and removed afterwards.
+ .
+ lacme-accountd is the first (account key manager) component. It is the only
+ component with access to the account key.
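Review bot: The only cryptographic library for lacme-accountd, libcrypt-openssl-rsa-perl, sits in "Recommends:" while the description says the package's whole job is to issue signatures with the account key. If the daemon cannot sign without that module, it belongs in "Depends:", otherwise an install with recommends disabled yields a key manager that starts but cannot answer signature requests. A smaller point: the long description repeats all four component paragraphs from the lacme stanza; trimming it to the account key manager paragraph plus the closing two lines would keep the two descriptions from drifting apart.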
diff --git a/debian/lacme-accountd.install b/debian/lacme-accountd.install
new file mode 100644
index 0000000..9070589
--- /dev/null
+++ b/debian/lacme-accountd.install
@@ -0,0 +1,2 @@
+lacme-accountd /usr/bin
+config/lacme-accountd.conf /etc/lacme
diff --git a/debian/manpages b/debian/lacme-accountd.manpages
index 5ce1b20..953a66d 100644
--- a/debian/manpages
+++ b/debian/lacme-accountd.manpages
@@ -1,2 +1 @@
-lacme.1
lacme-accountd.1
diff --git a/debian/lacme.install b/debian/lacme.install
new file mode 100644
index 0000000..457d2d8
--- /dev/null
+++ b/debian/lacme.install
@@ -0,0 +1,4 @@
+lacme /usr/sbin
+client webserver /usr/lib/lacme
+config/lacme-certs.conf config/lacme.conf /etc/lacme
+certs/lets-encrypt-x[1-4]-cross-signed.pem /usr/share/lacme
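Review bot: The glob "certs/lets-encrypt-x[1-4]-cross-signed.pem" on the last line only matches files named x1 through x4, so an intermediate certificate added under certs/ with any other name would be left out of /usr/share/lacme without the build failing. Since the description says the master process verifies the validity of the issued certificate, the shipped set of certificates deserves an explicit list (one file per line) so that any change to it shows up in review of this file.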
diff --git a/debian/lacme.manpages b/debian/lacme.manpages
new file mode 100644
index 0000000..e438c58
--- /dev/null
+++ b/debian/lacme.manpages
@@ -0,0 +1 @@
+lacme.1
diff --git a/debian/rules b/debian/rules
index 2d33f6a..f845727 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,3 +2,7 @@
%:
dh $@
+
+override_dh_installdocs:
+ dh_installdocs -Nlacme-accountd
+ dh_installdocs -placme-accountd --link-doc=lacme
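Review bot: "--link-doc=lacme" on the last line makes /usr/share/doc/lacme-accountd a symlink into lacme's documentation directory, which Debian Policy only allows when lacme-accountd depends on lacme, yet the lacme-accountd stanza in debian/control lists no such dependency and lacme merely Suggests it. Either outcome is a problem: without the dependency the symlink dangles and the copyright file is missing on a host that has only lacme-accountd, and with it the root-run master process, ACME client and webserver get pulled onto the machine that holds the account key, which works against the description's point that the key manager can run on a different host. I would drop the override and let lacme-accountd ship its own doc directory.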