path: root/lacme.md
Diffstat (limited to 'lacme.md')
-rw-r--r--  lacme.md  52
1 files changed, 48 insertions, 4 deletions
diff --git a/lacme.md b/lacme.md
index b7a7f49..b086fe7 100644
--- a/lacme.md
+++ b/lacme.md
@@ -26,7 +26,9 @@ with its own executable:
the [ACME] client.)
One can use the UNIX-domain socket forwarding facility of OpenSSH
6.7 and later to run [`lacme-accountd`(1)] and `lacme` on different
- hosts.
+ hosts. Alternatively, the [`lacme-accountd`(1)] process can be
+ spawned by the “master” `lacme` process below; in that case, the
+ two processes communicate through a socket pair.
2. A “master” `lacme` process, which runs as root and is the only
component with access to the private key material of the server
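Review bot: the added sentence refers to the spawning mode only as "the “master” `lacme` process below" and never says how that mode is selected; since the same patch adds a `[accountd]` configuration section whose presence is exactly what switches `lacme` from connecting to an existing socket to spawning `lacme-accountd`, the sentence should cross-reference it, e.g. "spawned by the “master” `lacme` process (see the `[accountd]` section of the configuration file)". It would also help to state which process holds the account key in that mode, because the next item says the master is the only component with access to the server's private key material, and a reader may otherwise assume it holds the account key as well.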
@@ -117,10 +119,14 @@ Generic options
*socket* option of the [`[client]` section](#client-section) of the
configuration file.
-`-?`, `--help`
+`-h`, `--help`
: Display a brief help and exit.
+`-q`, `--quiet`
+
+: Be quiet.
+
`--debug`
: Turn on debug mode.
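Review bot: renaming `-?` to `-h` is a user-visible interface change and the hunk does not say whether `-?` is still accepted; if it is not, the man page (or a changelog entry) should say so, since scripts and aliases using `-?` will break silently. The new `-q`, `--quiet` entry is also underspecified: "Be quiet." should say what is suppressed (for instance informational messages but not errors or the final certificate path) and whether the flag is the command-line counterpart of the `quiet` option this patch adds to the `[accountd]` section or independent of it.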
@@ -249,6 +255,44 @@ This section is used for configuring the [ACME] webserver.
automatically removed once `lacme` exits.
Default: `Yes`.
+`[accountd]` section
+---------------------
+
+This section is used for configuring the [`lacme-accountd`(1)] process.
+If the section (including its header) is absent or commented out,
+`lacme` connects to an existing UNIX-domain socket bound by a running
+[`lacme-accountd`(1)] process.
+
+*user*
+
+: The username to drop privileges to (setting both effective and real
+ uid). Preserve root privileges if the value is empty.
+
+*group*
+
+: The groupname to drop privileges to (setting both effective and real
+ gid, and also setting the list of supplementary gids to that single
+ group). Preserve root privileges if the value is empty.
+
+*command*
+
+: Path to the [`lacme-accountd`(1)] executable.
+ Default: `/usr/bin/lacme-accountd`.
+
+*config*
+
+: Path to the [`lacme-accountd`(1)] configuration file.
+ Default: `/etc/lacme/lacme-accountd.conf`.
+
+*privkey*
+
+: The (private) account key to use for signing requests. See
+ [`lacme-accountd`(1)] for details.
+
+*quiet*
+
+: Be quiet. Possible values: `Yes`/`No`.
+
Certificate configuration file
==============================
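Review bot: the `user` and `group` options say root privileges are preserved when the value is empty but never state the default when the option is omitted; if the default is empty, a `[accountd]` section containing only `privkey` runs `lacme-accountd` as root alongside the root master process, which undoes the separation between the two components described in the introduction, so either choose a non-root default or say plainly that both options must be set for the separation to mean anything. `privkey` likewise has no default and the text does not say what happens when it is absent while `config` points at `/etc/lacme/lacme-accountd.conf` (is the key taken from that file, or is the option required?); one sentence on precedence between `privkey` here and the corresponding setting in the `config` file would settle it. Minor: "Preserve root privileges" is ambiguous when `user` is set but `group` is empty; say explicitly that the gid and supplementary groups are then left unchanged.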
@@ -282,7 +326,7 @@ Valid options are:
following command can be used to generate a new 4096-bits RSA key in
PEM format with mode 0600:
- openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
+ openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key
*min-days*
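Review bot: the rename from `priv.key` to `srv.key` should match whatever option in this section names the server key file (that option is outside the hunk); please check its description and default use the same file name so the example stays consistent. Two smaller points on the same example: `install` sets the owner to the invoking user, so the text should say the command is meant to be run as root (the master `lacme` process that reads the key runs as root, per the introduction) or add `-o root -g root`, and "4096-bits RSA key" in the context line should read "4096-bit".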
@@ -339,7 +383,7 @@ Examples
========
~$ sudo lacme new-reg mailto:noreply@example.com
- ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
+ ~$ sudo lacme reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
~$ sudo lacme new-cert
~$ sudo lacme revoke-cert /path/to/server/certificate.pem
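Review bot: bumping the hard-coded agreement URI from v1.0.1 to v1.1.1 shows the example goes stale every time the subscriber agreement changes; rather than embedding a dated URI, the example should tell the reader to pass the terms-of-service URI the ACME server advertises for the registration (and could show the `new-reg` output that carries it), so the `--agreement-uri` value is always the current one rather than a copy of a document that may no longer be accepted.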