aboutsummaryrefslogtreecommitdiffstats
path: root/debian/control
diff options
context:
space:
mode:
Diffstat (limited to 'debian/control')
-rw-r--r--debian/control47
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..2ab25eb
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,47 @@
+Source: letsencrypt-tiny
+Section: utils
+Priority: optional
+Maintainer: Guilhem Moulin <guilhem@guilhem.org>
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.6
+Vcs-Git: https://git.guilhem.org/letsencrypt-tiny
+Vcs-Browser: https://git.guilhem.org/letsencrypt-tiny
+
+Package: letsencrypt-tiny
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends},
+ libwww-perl, libjson-perl, libconfig-tiny-perl,
+ libnet-ssleay-perl, openssl
+Recommends: liblwp-protocol-https-perl,
+ libcrypt-openssl-bignum-perl, libcrypt-openssl-rsa-perl
+Conflicts: letsencrypt
+Description: Tiny ACME client for Let's Encrypt
+ Tiny ACME client written with process isolation and minimal privileges in
+ mind. It is divided into four components, each with its own executable:
+ .
+ * A process to manage the account key and issue SHA-256 signatures needed for
+ each ACME command. (This process binds to a UNIX-domain socket to reply to
+ signature requests from the ACME client.) One can use the UNIX-domain
+ socket forwarding facility of OpenSSH 6.7 and later to run this process on
+ a different host.
+ .
+ * A "master" process, which runs as root and is the only component
+ with access to the private key material of the server keys. It is used to
+ fork the ACME client (and optionally the ACME webserver) after dropping
+ root privileges. For certificate issuances, it also generates Certificate
+ Signing Requests, then verifies the validity of the issued certificate, and
+ optionally reloads or restarts services.
+ .
+ * An actual ACME client, which builds ACME commands and dialogues with
+ the remote ACME server. Since ACME commands need to be signed with the
+ account key, the "master" process passes the UNIX-domain socket of the
+ account key manager to the ACME client: data signatures are requested by
+ writing the data to be signed to the socket.
+ .
+ * For certificate issuances, an optional webserver, which is spawned
+ by the "master" process when no service is listening on the HTTP port.
+ (The only challenge type currently supported is "http-01", which requires a
+ webserver to answer challenges.) That webserver only processes GET and
+ HEAD requests under the "/.well-known/acme-challenge/" URI. By default
+ some iptables(1) rules are automatically installed to open the HTTP port,
+ and removed afterwards.