aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rw-r--r--config/lacme-certs.conf25
-rw-r--r--config/lacme.conf24
2 files changed, 37 insertions, 12 deletions
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index 9b9df2f..12fcd54 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -1,49 +1,62 @@
-# Each non-default section denotes a separate certificate issuance.
-# Options in the default section apply to each sections.
+# Each non-default section refer to separate certificate issuance
+# requests. Options in the default section apply to each sections.
# Message digest to sign the Certificate Signing Request with.
+#
#hash = sha512
# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+#
#keyUsage = digitalSignature, keyEncipherment
+
#[www]
+# Path the service's private key. This option is required.
+#
+#certificate-key = /etc/nginx/ssl/srv.key
+
# Where to store the issued certificate (in PEM format).
+#
#certificate = /etc/nginx/ssl/srv.pem
# Where to store the issued certificate, concatenated with the content
# of the file specified specified with the CAfile option (in PEM format).
+#
#certificate-chain = /etc/nginx/ssl/srv.chain.pem
-# Path the service's private key. This option is required.
-#certificate-key = /etc/nginx/ssl/srv.key
-
# For an existing certificate, the minimum number of days before its
# expiration date the section is considered for re-issuance.
+#
#min-days = 10
# Path to the issuer's certificate. This is used for certificate-chain
# and to verify the validity of each issued certificate. Specifying an
# empty value skip certificate validation.
+#
#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
# Subject field of the Certificate Signing Request. This option is
# required.
+#
#subject = /CN=example.org
# Comma-separated list of Subject Alternative Names.
+#
#subjectAltName = DNS:example.org,DNS:www.example.org
# username[:groupname] to chown the issued certificate and
# certificate-chain with.
+#
#chown = root:root
-# octal mode to chmod the issued certificate and certificate-chain with.
+# Octal mode to chmod the issued certificate and certificate-chain with.
+#
#chmod = 0644
# Command to pass the the system's command shell ("/bin/sh -c") after
# successful installation of the certificate and/or certificate-chain.
+#
#notify = /bin/systemctl reload nginx
diff --git a/config/lacme.conf b/config/lacme.conf
index 39cfd36..c5efb03 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -1,9 +1,11 @@
-# For certificate issuance (new-cert command), specify the certificate
-# configuration file to use
+# For certificate issuance (new-cert command), specify a space-separated
+# certificate configuration files or directories to use
#
-#config-certs = /etc/lacme/lacme-certs.conf
+#config-certs = lacme-certs.conf lacme-certs.conf.d/
+
[client]
+
# The value of "socket" specifies the path to the lacme-accountd(1)
# UNIX-domain socket to connect to for signature requests from the ACME
# client. lacme(1) aborts if the socket is readable or writable by
@@ -25,10 +27,12 @@
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
+# Default: "nogroup".
#
#group = nogroup
# Path to the ACME client executable.
+#
#command = /usr/lib/lacme/client
# Root URI of the ACME server. NOTE: Use the staging server for testing
@@ -43,12 +47,15 @@
#timeout = 10
# Whether to verify the server certificate chain.
+#
#SSL_verify = yes
# Specify the version of the SSL protocol used to transmit data.
+#
#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
+#
#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
@@ -78,6 +85,7 @@
#group = www-data
# Path to the ACME webserver executable.
+#
#command = /usr/lib/lacme/webserver
# Whether to automatically install iptables(8) rules to open the
@@ -87,10 +95,10 @@
#iptables = Yes
-# lacme-accound(1) section. Comment out the following section to make
-# lacme(1) connect to an existing UNIX-domain socket bound by a running
-# acme-accountd(1) process.
[accountd]
+# lacme-accound(1) section. Comment out this section (including its
+# header) to make lacme(1) connect to an existing UNIX-domain socket
+# bound by a running acme-accountd(1) process.
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty.
@@ -104,16 +112,20 @@
#group = root
# Path to the lacme-accountd(1) executable.
+#
#command = /usr/bin/lacme-accountd
# Path to the lacme-accountd(1) configuration file.
+#
#config = /etc/lacme/lacme-accountd.conf
# The (private) account key to use for signing requests. See
# lacme-accountd(1) for details.
+#
#privkey = file:/path/to/account.key
# Be quiet.
+#
#quiet = Yes
; vim:ft=dosini