Diffstat (limited to 'config/lacme.conf')
-rw-r--r--config/lacme.conf52
1 files changed, 23 insertions, 29 deletions
diff --git a/config/lacme.conf b/config/lacme.conf
index 9f4db72..0392be5 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -10,26 +10,24 @@
# UNIX-domain socket to connect to for signature requests from the ACME
# client. lacme(8) aborts if the socket is readable or writable by
# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
-# variable is set.
-# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
+# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
# since the two processes communicate through a socket pair. See the
# "accountd" section below for details.
#
-#socket =
+#socket = %t/S.lacme
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#user = nobody
+#user = @@lacme_client_user@@
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#group = nogroup
+#group = @@lacme_client_group@@
-# Path to the ACME client executable.
+# ACME client command.
#
#command = @@libexecdir@@/lacme/client
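Review bot: The new commented default `#socket = %t/S.lacme` uses a `%t` specifier that the comment block above it never explains, whereas the removed lines spelled the default out as "$XDG_RUNTIME_DIR/S.lacme". Unless specifiers are documented in a part of the file outside this hunk, add a line such as `# Default: "%t/S.lacme"; %t is the runtime directory, see lacme(8).` (presumably what `%t` stands for, judging by the removed text). That gives an admin a concrete path to check against the ownership and mode conditions stated in the first three lines. The `user` and `group` defaults in the same hunk now come from `@@lacme_client_user@@` and `@@lacme_client_group@@`, so the comment could also say that the shipped value is chosen at build time.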
@@ -37,12 +35,12 @@
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
# as it has relaxed rate-limiting.
#
-#server = https://acme-v02.api.letsencrypt.org/directory
+#server = @@acmeapi_server@@
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
#
-#timeout = 10
+#timeout = 30
# Whether to verify the server certificate chain.
#
@@ -64,25 +62,26 @@
#
#listen = @@runstatedir@@/lacme-www.socket
-# Non-existent directory under which an external HTTP daemon is
-# configured to serve GET requests for challenge files under
-# "/.well-known/acme-challenge/" (for each virtual host requiring
-# authorization) as static files.
+# Directory under which an external HTTP daemon is configured to serve
+# GET requests for challenge files under "/.well-known/acme-challenge/"
+# (for each virtual host requiring authorization) as static files.
+# NOTE: the directory must exist and be writable by the lacme client
+# user.
#
#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#user = www-data
+#user = @@lacme_www_user@@
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
#
-#group = www-data
+#group = @@lacme_www_group@@
-# Path to the ACME webserver executable.
+# ACME webserver command.
#
#command = @@libexecdir@@/lacme/webserver
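Review bot: The rewritten `challenge-directory` comment now requires a pre-existing directory writable by the lacme client user, but it does not say who else may write to it. Because an external HTTP daemon serves the directory's content as static files, write access for any other account weakens the authorization step, so I would add `# It should not be writable by other users and should contain nothing but challenge files.` after the NOTE. Whether lacme itself checks the directory's ownership or removes leftover files is not visible in this hunk; the comment should state whichever holds.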
@@ -99,28 +98,23 @@
# an existing lacme-accountd(1) process via a UNIX-domain socket.
# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
#
#user =
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
#
#group =
-# Path to the lacme-accountd(1) executable.
+# lacme-accountd(1) command.
#
#command = @@bindir@@/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
#
-#config = @@sysconfdir@@/lacme/lacme-accountd.conf
-
-# The (private) account key to use for signing requests. See
-# lacme-accountd(1) for details.
-#
-#privkey = file:/path/to/account.key
+#config =
# Be quiet.
#
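Review bot: `#config =` now shows an empty default, yet the comment above it still reads only "Path to the lacme-accountd(1) configuration file." and does not say what an empty value means. Add a line in the style used for `user` and `group`, for example `# Use lacme-accountd(1)'s own default if the value is empty.` (assuming that is the behaviour; the code is not on this page). The hunk also drops the `privkey` documentation from this section. If configurations that still set it are rejected or silently ignored, that should be stated here or in the changelog, since this section configures the process that signs with the account key.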