aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--config/lacme-certs.conf16
-rw-r--r--config/lacme.conf16
2 files changed, 27 insertions, 5 deletions
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 45c46a8..12fcd54 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,50 +1,62 @@
-# Each non-default section denotes a separate certificate issuance.
-# Options in the default section apply to each sections.
+# Each non-default section refer to separate certificate issuance
+# requests. Options in the default section apply to each sections.
# Message digest to sign the Certificate Signing Request with.
+#
#hash = sha512
# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+#
#keyUsage = digitalSignature, keyEncipherment
#[www]
# Path the service's private key. This option is required.
+#
#certificate-key = /etc/nginx/ssl/srv.key
# Where to store the issued certificate (in PEM format).
+#
#certificate = /etc/nginx/ssl/srv.pem
# Where to store the issued certificate, concatenated with the content
# of the file specified specified with the CAfile option (in PEM format).
+#
#certificate-chain = /etc/nginx/ssl/srv.chain.pem
# For an existing certificate, the minimum number of days before its
# expiration date the section is considered for re-issuance.
+#
#min-days = 10
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
+#
#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
+#
#subject = /CN=example.org
# Comma-separated list of Subject Alternative Names.
+#
#subjectAltName = DNS:example.org,DNS:www.example.org
# username[:groupname] to chown the issued certificate and
# certificate-chain with.
+#
#chown = root:root
# Octal mode to chmod the issued certificate and certificate-chain with.
+#
#chmod = 0644
# Command to pass the the system's command shell ("/bin/sh -c") after
# successful installation of the certificate and/or certificate-chain.
+#
#notify = /bin/systemctl reload nginx
diff --git a/config/lacme.conf b/config/lacme.conf
index a52689a..08afeb4 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -3,7 +3,9 @@
#
#config-certs = /etc/lacme/lacme-certs.conf
+
[client]
+
# The value of "socket" specifies the path to the lacme-accountd(1)
# UNIX-domain socket to connect to for signature requests from the ACME
# client. lacme(1) aborts if the socket is readable or writable by
@@ -30,6 +32,7 @@
#group = nogroup
# Path to the ACME client executable.
+#
#command = /usr/lib/lacme/client
# Root URI of the ACME server. NOTE: Use the staging server for testing
@@ -44,12 +47,15 @@
#timeout = 10
# Whether to verify the server certificate chain.
+#
#SSL_verify = yes
# Specify the version of the SSL protocol used to transmit data.
+#
#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
+#
#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
@@ -88,10 +94,10 @@
#iptables = Yes
-# lacme-accound(1) section. Comment out the following section to make
-# lacme(1) connect to an existing UNIX-domain socket bound by a running
-# acme-accountd(1) process.
[accountd]
+# lacme-accound(1) section. Comment out this section (including its
+# header) to make lacme(1) connect to an existing UNIX-domain socket
+# bound by a running acme-accountd(1) process.
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty.
@@ -105,16 +111,20 @@
#group = root
# Path to the lacme-accountd(1) executable.
+#
#command = /usr/bin/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
+#
#config = /etc/lacme/lacme-accountd.conf
# The (private) account key to use for signing requests. See
# lacme-accountd(1) for details.
+#
#privkey = file:/path/to/account.key
# Be quiet.
+#
#quiet = Yes
; vim:ft=dosini