Diffstat (limited to 'config')
-rw-r--r--config/lacme-accountd.conf8
-rw-r--r--config/lacme-certs.conf2
-rw-r--r--config/lacme.conf47
3 files changed, 45 insertions, 12 deletions
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 0a8b81a..94d2556 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -4,18 +4,18 @@
# - file:FILE, to specify an encrypted private key (in PEM format)
# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
#
-#privkey = gpg:/path/to/encrypted/priv.key.gpg
-#privkey = file:/path/to/priv.key
+#privkey = gpg:/path/to/encrypted/account.key.gpg
+#privkey = file:/path/to/account.key
# For a gpg-encrypted private account key, "gpg" specifies the binary
# gpg(1) to use, as well as some default options. Default: "gpg
# --quiet".
#
-#gpg = gpg2 --quiet --no-auto-check-trustdb
+#gpg = gpg --quiet --no-auto-check-trustdb
# The value of "socket" specifies the UNIX-domain socket to bind against
# for signature requests from the ACME client. An error is raised if
-# the path exists exists or if its parent directory is writable by other
+# the path exists or if its parent directory is writable by other
# users.
# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR
# environment variable is set.
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index fbce5e2..9b9df2f 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -32,7 +32,7 @@
# required.
#subject = /CN=example.org
-# Comma-separated list of Subject Alternative Names.
+# Comma-separated list of Subject Alternative Names.
#subjectAltName = DNS:example.org,DNS:www.example.org
# username[:groupname] to chown the issued certificate and
diff --git a/config/lacme.conf b/config/lacme.conf
index c5c643d..39cfd36 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -1,15 +1,18 @@
# For certificate issuance (new-cert command), specify the certificate
# configuration file to use
#
-#config-certs = config/lacme-certs.conf
+#config-certs = /etc/lacme/lacme-certs.conf
[client]
-# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
-# socket to connect to for signature requests from the ACME client.
-# lacme(1) aborts if the socket is readable or writable by other users,
-# or if its parent directory is writable by other users.
+# The value of "socket" specifies the path to the lacme-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client. lacme(1) aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
# variable is set.
+# This option is ignored when lacme-accountd(1) is spawned by lacme(1),
+# since the two processes communicate through a socket pair. See the
+# "accountd" section below for details.
#
#socket = /run/user/1000/S.lacme
@@ -29,7 +32,7 @@
#command = /usr/lib/lacme/client
# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed ratelimit.
+# as it has relaxed rate-limiting.
#
#server = https://acme-v01.api.letsencrypt.org/
#server = https://acme-staging.api.letsencrypt.org/
@@ -72,7 +75,7 @@
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
#
-#user = www-data
+#group = www-data
# Path to the ACME webserver executable.
#command = /usr/lib/lacme/webserver
@@ -83,4 +86,34 @@
#
#iptables = Yes
+
+# lacme-accound(1) section. Comment out the following section to make
+# lacme(1) connect to an existing UNIX-domain socket bound by a running
+# acme-accountd(1) process.
+[accountd]
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty.
+#
+#user = root
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty.
+#
+#group = root
+
+# Path to the lacme-accountd(1) executable.
+#command = /usr/bin/lacme-accountd
+
+# Path to the lacme-accountd(1) configuration file.
+#config = /etc/lacme/lacme-accountd.conf
+
+# The (private) account key to use for signing requests. See
+# lacme-accountd(1) for details.
+#privkey = file:/path/to/account.key
+
+# Be quiet.
+#quiet = Yes
+
; vim:ft=dosini
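Review bot: The header comment of the new `[accountd]` section misspells the program name twice: `lacme-accound(1)` and `acme-accountd(1)` should both read `lacme-accountd(1)`, so the man-page reference matches the rest of the file. The `[accountd]` header itself is left uncommented, so a site installing this sample unchanged appears to switch to spawning lacme-accountd from lacme(1), which makes the `socket` option under `[client]` inert. The section comment could state this directly, e.g. `# NOTE: while this section is present, the "socket" option under [client] is ignored.` The `user` and `group` comments here also drop the "(not recommended)" caveat that the earlier group comment attaches to an empty value, and both examples show `root`. If the signing process is meant to run under a dedicated account that can read the account key, the comment should say so and note that the key file must not be readable by other users.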