Diffstat (limited to 'config')
-rw-r--r-- | config/lacme-certs.conf | 2 | ||||
-rw-r--r-- | config/lacme.conf | 34 | ||||
-rw-r--r-- | config/nginx.conf | 18 |
3 files changed, 35 insertions, 19 deletions
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 12fcd54..97d588a 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -28,7 +28,7 @@ # For an existing certificate, the minimum number of days before its # expiration date the section is considered for re-issuance. # -#min-days = 10 +#min-days = 21 # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an diff --git a/config/lacme.conf b/config/lacme.conf index c5efb03..874bb1f 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -16,18 +16,16 @@ # since the two processes communicate through a socket pair. See the # "accountd" section below for details. # -#socket = /run/user/1000/S.lacme +#socket = # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). -# Default: "nobody". # -#user = lacme +#user = nobody # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty (not recommended). -# Default: "nogroup". # #group = nogroup @@ -35,11 +33,11 @@ # #command = /usr/lib/lacme/client -# Root URI of the ACME server. NOTE: Use the staging server for testing -# as it has relaxed rate-limiting. +# Root URI of the ACME server. NOTE: Use the staging server +# <https://acme-staging.api.letsencrypt.org/> for testing as it has +# relaxed rate-limiting. # #server = https://acme-v01.api.letsencrypt.org/ -#server = https://acme-staging.api.letsencrypt.org/ # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. 
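Review bot: The new example `#socket =` (lacme.conf, hunk @@ -16) leaves the meaning of an empty value undocumented, while the neighbouring user/group keys spell out what empty does ("Preserve root privileges if the value is empty"). The context above says the two processes talk through a socket pair and defers to the "accountd" section, so presumably an empty value means no external socket is used and lacme-accountd(1) is started by lacme itself; if so, a line such as `# Leave empty to let lacme(1) spawn lacme-accountd(1) itself.` above the key spares the reader the cross-reference. In the same hunk `#user = nobody` now doubles as the documented default because the `# Default: "nobody".` line was dropped; since nobody is an account shared with other unprivileged daemons, a short hint that a dedicated account (as the old `#user = lacme` example implied) is preferable would preserve the guidance the old example carried.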
@@ -61,17 +59,17 @@ [webserver] -# Specify the local address to listen on, in the form ADDRESS[:PORT]. +# Comma- or space-separated list of addresses to listen on, for instance +# "0.0.0.0:80 [::]:80". # -#listen = 0.0.0.0:80 -#listen = [::]:80 +#listen = /var/run/lacme.socket -# If a webserver is already running, specify a non-existent directory -# under which the webserver is configured to serve GET requests for -# challenge files under "/.well-known/acme-challenge/" (for each virtual -# hosts requiring authorization) as static files. +# Non-existent directory under which an external HTTP daemon is +# configured to serve GET requests for challenge files under +# "/.well-known/acme-challenge/" (for each virtual host requiring +# authorization) as static files. # -#challenge-directory = /var/www/acme-challenge +#challenge-directory = # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). @@ -92,7 +90,7 @@ # ADDRESS[:PORT] specified with listen. Theses rules are automatically # removed once lacme(1) exits. # -#iptables = Yes +#iptables = No [accountd] @@ -103,13 +101,13 @@ # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty. # -#user = root +#user = # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty. # -#group = root +#group = # Path to the lacme-accountd(1) executable. # diff --git a/config/nginx.conf b/config/nginx.conf new file mode 100644 index 0000000..f842c12 --- /dev/null +++ b/config/nginx.conf 
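Review bot: The rewritten `listen` comment in the [webserver] hunk (@@ -61) describes only ADDRESS[:PORT] entries ("0.0.0.0:80 [::]:80"), yet the example directly below it, `#listen = /var/run/lacme.socket`, is a filesystem path, so the UNIX-socket form is shown but never explained; `# Each entry is either ADDRESS[:PORT] or the path of a UNIX socket, for instance "/var/run/lacme.socket".` would close that gap. Because this section drops privileges to a user/group (the keys follow in the same hunk) and the new nginx.conf connects to that path with proxy_pass, the comment should also state which process creates the socket and what owner/mode it gets, since nginx's worker user must be able to connect to it — whether lacme sets the mode itself is not visible in this hunk. The iptables hunk below (@@ -92) flips the default to No, which is consistent with a socket example, but its comment still speaks only of the ADDRESS[:PORT] case; a clause saying the rules are only added for TCP listen entries would help a reader who switches back to 0.0.0.0:80.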
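Review bot: Emptying `#user =` and `#group =` in the [accountd] hunk (@@ -103) makes the effective default (keep root, per "Preserve root privileges if the value is empty") implicit, where the removed `#user = root` at least made it visible, and this is the one section whose comment lacks the "(not recommended)" caveat the [webserver] and client sections use. If running as root is deliberate — presumably because lacme-accountd(1) needs to read the account key — the comment should say so and name the safer option, e.g. `# Empty keeps root; a dedicated unprivileged user that owns the account key is preferable.`. The [accountd] section continues past the end of the hunk.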
@@ -0,0 +1,18 @@ +# Let nginx serve ACME requests directly, or pass them to lacme's +# webserver component. +# +# This file needs to be sourced to the server directives (at least the +# non-ssl one) of each virtual host requiring authorization. + +location /.well-known/acme-challenge/ { + # Pass ACME requests to lacme's webserver component + proxy_pass http://unix:/var/run/lacme.socket; + + ## Alternatively, you can let nginx serve the requests by + ## setting 'challenge-directory' to '/var/www/acme-challenge' in + ## lacme's configuration file + # alias /var/www/acme-challenge/; + # default_type application/jose+json; + # disable_symlinks on from=$document_root; + # autoindex off; +} |
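Review bot: `proxy_pass http://unix:/var/run/lacme.socket;` hard-codes the same path that lacme.conf's `#listen = /var/run/lacme.socket` example uses, and neither file says the two must agree or that the socket file must be connectable (write permission) by nginx's worker user, so a mismatch surfaces only as a 502 during validation; a line above the directive such as `# Must match 'listen' in lacme's [webserver] section; nginx's worker user needs write access to the socket file.` would make that explicit. The header comment says the file "needs to be sourced to the server directives"; nginx's term is `include`, so `# This file needs to be included in the server block (at least the non-ssl one) of each virtual host requiring authorization.` reads more precisely. The commented alias alternative looks sound (alias and location both end in "/", autoindex off, disable_symlinks on), but it is worth adding to the `##` block that the directory must not be writable by nginx's user, since it only ever serves files placed there by lacme.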