Diffstat (limited to 'letsencrypt-accountd.1')
-rw-r--r-- | letsencrypt-accountd.1 | 153 |
1 files changed, 0 insertions, 153 deletions
diff --git a/letsencrypt-accountd.1 b/letsencrypt-accountd.1 deleted file mode 100644 index a06cdcc..0000000 --- a/letsencrypt-accountd.1 +++ /dev/null 
@@ -1,153 +0,0 @@ -.TH LETSENCRYPT\-ACCOUNTD "1" "MARCH 2016" "Tiny Let's Encrypt ACME client (account key manager)" "User Commands" - -.SH NAME -letsencrypt\-accountd \- Tiny Let's Encrypt ACME client (account key manager) - -.SH SYNOPSIS -.B letsencrypt\-accountd\fR [\fB\-\-config=\fIFILENAME\fR] -[\fB\-\-privkey=\fIARG\fR] [\fB\-\-socket=\fIPATH\fR] [\fB\-\-quiet\fR] - - -.SH DESCRIPTION -.PP -.B letsencrypt\-accountd\fR is the account key manager component of -\fIletsencrypt\fR(1), a tiny ACME client written with process isolation -and minimal privileges in mind. No other \fIletsencrypt\fR(1) component -need access to the account key; in fact the account key could also be -stored on a smartcard. - -.B letsencrypt\-accountd\fR binds to a UNIX\-domain socket (specified -with \fB\-\-socket=\fR), which ACME clients can connect to in order to -request data signatures. -As a consequence, \fBletsencrypt\-accountd\fR needs to be up and running -before using \fIletsencrypt\fR(1) to issue ACME commands. -Also, the process does not automatically terminate after the last -signature request: instead, one sends an \fIINT\fR or \fITERM\fR signal -to bring the server down. - -Furthermore, one can use the UNIX\-domain socket forwarding facility of -OpenSSH 6.7 and later to run \fBletsencrypt\-accountd\fR and -\fIletsencrypt\fR(1) on different hosts. For instance one could store -the account key on a machine that is not exposed to the internet. See -the \fBEXAMPLES\fR section below. - - -.SH OPTIONS -.TP -.B \-\-config=\fIfilename\fR -Use \fIfilename\fR as configuration file. See the \fBCONFIGURATION -FILE\fR section below for the configuration options. - -.TP -.B \-\-privkey=\fIarg\fR -Specify the (private) account key to use for signing requests. -Currently supported \fIarg\fRuments are: - -.RS -.IP \[bu] 2 -file:\fIFILE\fR, to specify an encrypted private key (in PEM format); and -.IP \[bu] -gpg:\fIFILE\fR, to specify a \fIgpg\fR(1)\-encrypted private key (in PEM format). 
- -.PP -The following command can be used to generate a new 4096\-bits RSA key in -PEM format with mode 0600: - -.nf - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key -.fi -.RE - -.TP -.B \-\-socket=\fIpath\fR -Use \fIpath\fR as the UNIX\-domain socket to bind against for signature -requests from the ACME client. \fBletsencrypt\-accountd\fR aborts if -\fIpath\fR exists or if its parent directory is writable by other users. - -.TP -.B \-?\fR, \fB\-\-help\fR -Display a brief help and exit. - -.TP -.B \-q\fR, \fB\-\-quiet\fR -Be quiet. - -.TP -.B \-\-debug -Turn on debug mode. - - -.SH CONFIGURATION FILE -If \fB\-\-config=\fR is not given, \fBletsencrypt\-accountd\fR uses the -first existing configuration file among -\fI./letsencrypt\-accountd.conf\fR, -\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR (or -\fI~/.config/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR if the -XDG_CONFIG_HOME environment variable is not set), and -\fI/etc/letsencrypt\-tiny/letsencrypt\-accountd.conf\fR. - -When given on the command line, the \fB\-\-privkey=\fR, -\fB\-\-socket=\fR and \fB\-\-quiet\fR options take precedence over their -counterpart (without leading \(lq\-\-\(rq) in the configuration file. -Valid options are: - -.TP -.I privkey -See \fB\-\-privkey=\fR. -This option is required when \fB\-\-privkey=\fR is not specified on the -command line. - -.TP -.I gpg -For a \fIgpg\fR(1)\-encrypted private account key, specify the binary -\fIgpg\fR(1) to use, as well as some default options. -Default: \(lqgpg \-\-quiet\(rq. - -.TP -.I socket -See \fB\-\-socket=\fR. -Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR -environment variable is set. - -.TP -.I quiet -Be quiet. Possible values: \(lqYes\(rq/\(lqNo\(rq. 
- - -.SH EXAMPLES - -Run \fBletsencrypt\-accountd\fR in a first terminal: - -.nf - ~$ letsencrypt\-accountd \-\-privkey=file:/path/to/priv.key \-\-socket=/run/user/1000/S.letsencrypt -.fi - -Then, while \fBletsencrypt\-accountd\fR is running, execute locally -\fIletsencrypt\fR(1) in another terminal: - -.nf - ~$ sudo letsencrypt \-\-socket=/run/user/1000/S.letsencrypt new\-cert -.fi - -Alternatively, use \fIssh\fR(1) to forward the socket and execute -\fIletsencrypt\fR(1) remotely: - -.nf - ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:/run/user/1000/S.letsencrypt user@example.org \\ - sudo letsencrypt --socket=/path/to/remote.sock new-cert -.fi - - -.SH SEE ALSO -\fBletsencrypt\fR(1), \fBssh\fR(1) - -.SH AUTHOR -.ie \n[www-html] \{\ - Written by -. MTO guilhem@fripost.org "Guilhem Moulin" . -\} -.el \{\ - Written by Guilhem Moulin -. MT guilhem@fripost.org -. ME . -\} |
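Review bot: the OPTIONS entry for --socket ("aborts if path exists or if its parent directory is writable by other users") is security-relevant documentation that goes away with this file, and no replacement is visible here (the diffstat is limited to letsencrypt-accountd.1). Please confirm that whatever supersedes this page still states that check, along with the DESCRIPTION note that the server keeps running after the last signature request until it receives INT or TERM. If the text is carried over, the --privkey section also needs reconciling: it describes "file:FILE, to specify an encrypted private key (in PEM format)", but the command shown directly below it, "openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key", writes an unencrypted key protected only by mode 0600.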