Diffstat (limited to 'config')
| -rw-r--r-- | config/lacme-accountd.conf | 20 | ||||
| -rw-r--r-- | config/lacme-certs.conf | 45 | ||||
| -rw-r--r-- | config/lacme.conf | 52 | 
3 files changed, 62 insertions, 55 deletions
| diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index 94d2556..5c769cf 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf @@ -1,11 +1,11 @@  # The value of "privkey" specifies the (private) account key to use  # for signing requests.  Currently supported values are:  # -#   - file:FILE, to specify an encrypted private key (in PEM format) -#   - gpg:FILE, to specify a gpg-encrypted private key (in PEM format) +#   - file:FILE, for a private key in PEM format (optionally encrypted) +#   - gpg:FILE, for a gpg-encrypted private key  # -#privkey = gpg:/path/to/encrypted/account.key.gpg  #privkey = file:/path/to/account.key +#privkey = gpg:/path/to/encrypted/account.key.gpg  # For a gpg-encrypted private account key, "gpg" specifies the binary  # gpg(1) to use, as well as some default options.  Default: "gpg @@ -17,10 +17,18 @@  # for signature requests from the ACME client.  An error is raised if  # the path exists or if its parent directory is writable by other  # users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR -# environment variable is set.  # -#socket = /run/user/1000/S.lacme +#socket = %t/S.lacme + +# An optional file where to log to. +# +#logfile = + +# The "Key ID", as shown by `acme account`, to give the ACME client. +# A non-empty value revokes all account management access (status +# change, contact address updates etc.) from the client. +# +#keyid =  # Be quiet.  Possible values: "Yes"/"No".  # diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 232c85b..5259690 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf 
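Review bot: The new example `#socket = %t/S.lacme` introduces a `%t` specifier without saying what it expands to, while the removed lines were the only place the default (`$XDG_RUNTIME_DIR/S.lacme`) was documented; the socket hunk in config/lacme.conf has the same gap. Unless lacme-accountd(1) already lists the specifiers, a line such as `# "%t" expands to the runtime directory; see lacme-accountd(1) for the supported specifiers.` above the example would keep the file self-explanatory (what `%t` actually expands to is not visible in this diff, so confirm the wording). The new `keyid` comment documents only the non-empty case; since the shipped value is empty, it is worth stating the permissive default explicitly, e.g. `# When empty (the default), the client keeps full account management access.`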
@@ -1,41 +1,46 @@  # Each non-default section refer to separate certificate issuance -# requests. Options in the default section apply to each sections. +# requests. Settings in the default section apply to each sections. -# Message digest to sign the Certificate Signing Request with. +# Message digest to sign the Certificate Signing Request with, +# overriding the req(1ssl) default.  # -#hash = sha512 +#hash = -# Comma-separated list of Key Usages, see x509v3_config(5ssl). +# Comma-separated list of Key Usages, for instance "digitalSignature, +# keyEncipherment", to include in the Certificate Signing Request. +# See x509v3_config(5ssl) for a list of possible values.  Note that the +# ACME might override the value provided here.  # -#keyUsage = digitalSignature, keyEncipherment +#keyUsage = + +# Path to the bundle of trusted issuer certificates.  This is used for +# validating each certificate after issuance or renewal.  Specifying an +# empty value skips certificate validation. +# +#CAfile = @@datadir@@/lacme/ca-certificates.crt + +# For an existing certificate, the minimum number of days before its +# expiration date the section is considered for re-issuance. +# +#min-days = 21  #[www] -# Path the service's private key.  This option is required. +# Path the service's private key.  This setting is required.  #  #certificate-key = /etc/nginx/ssl/srv.key  # Where to store the issued certificate (in PEM format).  # -#certificate = /etc/nginx/ssl/srv.pem +#certificate = /etc/nginx/ssl/srv.crt  # Where to store the issued certificate along with its chain of trust  # (in PEM format).  # -#certificate-chain = /etc/nginx/ssl/srv.chain.pem - -# For an existing certificate, the minimum number of days before its -# expiration date the section is considered for re-issuance. -# -#min-days = 21 - -# Path to trusted issuer certificates, used for validating each issued -# certificate.  Specifying an empty value skips certificate validation. 
-# -#CAfile = @@datadir@@/lacme/ca-certificates.crt +#certificate-chain = /etc/nginx/ssl/srv.chain.crt -# Subject field of the Certificate Signing Request.  This option is +# Subject field of the Certificate Signing Request.  This setting is  # required.  #  #subject = /CN=example.org @@ -61,7 +66,7 @@  #[smtp]  #certificate-key = /etc/postfix/ssl/srv.key -#certificate-chain = /etc/postfix/ssl/srv.pem +#certificate-chain = /etc/postfix/ssl/srv.crt  #subject = /CN=smtp.example.org  #notify = /bin/systemctl reload postfix diff --git a/config/lacme.conf b/config/lacme.conf index 9f4db72..0392be5 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -10,26 +10,24 @@  # UNIX-domain socket to connect to for signature requests from the ACME  # client.  lacme(8) aborts if the socket is readable or writable by  # other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment -# variable is set. -# This option is ignored when lacme-accountd(1) is spawned by lacme(8), +# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),  # since the two processes communicate through a socket pair.  See the  # "accountd" section below for details.  # -#socket = +#socket = %t/S.lacme  # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended).  # -#user = nobody +#user = @@lacme_client_user@@  # groupname to drop privileges to (setting both effective and real gid,  # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended).  # -#group = nogroup +#group = @@lacme_client_group@@ -# Path to the ACME client executable. +# ACME client command.  #  #command = @@libexecdir@@/lacme/client 
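Review bot: Two of the rewritten comment lines in the first hunk of config/lacme-certs.conf read awkwardly: `# requests. Settings in the default section apply to each sections.` should end `apply to each section.`, and `# ACME might override the value provided here.` appears to be missing a noun, presumably the ACME server (the CA), so `# ACME server might override the value provided here.` Since `keyUsage` is now shipped empty, that sentence is the only hint that the requested key usages are advisory, which is why naming the server matters.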
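Review bot: The client executable comment was shortened to `# ACME client command.`, which, compared with the previous `Path to the ACME client executable`, suggests the value may now carry arguments but does not say how it is split (whitespace-separated words, or a string handed to a shell); the same one-line comment is used for the webserver `command` and the lacme-accountd(1) `command` settings in the later hunks of this file. Because these commands run under the privilege drop configured just above them, the tokenization rule is something an administrator needs to know; once confirmed from the implementation, which is not in this diff, a sentence such as `# Command (and optional arguments) to run as the ACME client, split on whitespace; no shell is involved.` would settle it.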
@@ -37,12 +35,12 @@  # <https://acme-staging-v02.api.letsencrypt.org/directory> for testing  # as it has relaxed rate-limiting.  # -#server = https://acme-v02.api.letsencrypt.org/directory +#server = @@acmeapi_server@@  # Timeout in seconds after which the client stops polling the ACME  # server and considers the request failed.  # -#timeout = 10 +#timeout = 30  # Whether to verify the server certificate chain.  # @@ -64,25 +62,26 @@  #  #listen = @@runstatedir@@/lacme-www.socket -# Non-existent directory under which an external HTTP daemon is -# configured to serve GET requests for challenge files under -# "/.well-known/acme-challenge/" (for each virtual host requiring -# authorization) as static files. +# Directory under which an external HTTP daemon is configured to serve +# GET requests for challenge files under "/.well-known/acme-challenge/" +# (for each virtual host requiring authorization) as static files. +# NOTE: the directory must exist and be writable by the lacme client +# user.  #  #challenge-directory =  # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended).  # -#user = www-data +#user = @@lacme_www_user@@  # groupname to drop privileges to (setting both effective and real gid,  # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended).  # -#group = www-data +#group = @@lacme_www_group@@ -# Path to the ACME webserver executable. +# ACME webserver command.  #  #command = @@libexecdir@@/lacme/webserver 
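Review bot: The rewritten `challenge-directory` comment now requires the directory to exist and be writable by the lacme client user, but unlike the `socket` comment earlier in the same file it does not say whether lacme(8) checks the directory's ownership or rejects one that is writable by other users. Since an external HTTP daemon serves this directory's contents, readers will want to know which permissions are expected or enforced; if no check is performed, a line such as `# lacme(8) does not verify the directory's permissions; it should be owned by the lacme client user and not writable by other users.` would make that explicit (confirm against the implementation, which is not visible here).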
@@ -99,28 +98,23 @@  # an existing lacme-accountd(1) process via a UNIX-domain socket.  # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty. +# Skip privilege drop if the value is empty.  #  #user =  # groupname to drop privileges to (setting both effective and real gid,  # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty. +# Skip privilege drop if the value is empty.  #  #group = -# Path to the lacme-accountd(1) executable. +# lacme-accountd(1) command.  #  #command = @@bindir@@/lacme-accountd  # Path to the lacme-accountd(1) configuration file.  # -#config = @@sysconfdir@@/lacme/lacme-accountd.conf - -# The (private) account key to use for signing requests.  See -# lacme-accountd(1) for details. -# -#privkey = file:/path/to/account.key +#config =  # Be quiet.  # | 
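Review bot: `#config =` replaced the example `@@sysconfdir@@/lacme/lacme-accountd.conf`, and the unchanged comment `# Path to the lacme-accountd(1) configuration file.` no longer tells the reader what an empty value means (presumably lacme-accountd(1) falls back to its own default file, but that is not stated). A short addition such as `# Empty means lacme-accountd(1) uses its default configuration file.` would close the gap, once confirmed. The `privkey` setting is also dropped from this section without a pointer; since the account key is now configured in config/lacme-accountd.conf (see its first hunk), a note like `# The account key is configured in lacme-accountd.conf, see lacme-accountd(1).` would help users upgrading from a configuration that set it here.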
