From e8980fb172221cbffd7fa672d65da0a806524e72 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Dec 2020 19:36:06 +0100
Subject: documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key.
---
config/lacme-accountd.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'config/lacme-accountd.conf')
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 94d2556..7248eb5 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -1,8 +1,8 @@
 # The value of "privkey" specifies the (private) account key to use
 # for signing requests. Currently supported values are:
 #
-# - file:FILE, to specify an encrypted private key (in PEM format)
-# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
+# - file:FILE, for a private key in PEM format (optionally encrypted)
+# - gpg:FILE, for a gpg-encrypted private key
 #
 #privkey = gpg:/path/to/encrypted/account.key.gpg
 #privkey = file:/path/to/account.key
-- 
cgit v1.2.3
From ad1856777bf108826008b60a1e70c1e3fbb94ec7 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 18 Feb 2021 01:14:23 +0100
Subject: Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead.
---
config/lacme-accountd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'config/lacme-accountd.conf')
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 7248eb5..10f332e 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -4,8 +4,8 @@
 # - file:FILE, for a private key in PEM format (optionally encrypted)
 # - gpg:FILE, for a gpg-encrypted private key
 #
-#privkey = gpg:/path/to/encrypted/account.key.gpg
 #privkey = file:/path/to/account.key
+#privkey = gpg:/path/to/encrypted/account.key.gpg
 
 # For a gpg-encrypted private account key, "gpg" specifies the binary
 # gpg(1) to use, as well as some default options. Default: "gpg
-- 
cgit v1.2.3
From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 18 Feb 2021 21:07:01 +0100
Subject: Add %-specifiers support.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
---
config/lacme-accountd.conf | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'config/lacme-accountd.conf')
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index 10f332e..f31cf67 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -17,10 +17,8 @@
 # for signature requests from the ACME client. An error is raised if
 # the path exists or if its parent directory is writable by other
 # users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR
-# environment variable is set.
 #
-#socket = /run/user/1000/S.lacme
+#socket = %t/S.lacme
 
 # Be quiet. Possible values: "Yes"/"No".
 #
-- 
cgit v1.2.3
From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 21 Feb 2021 18:49:14 +0100
Subject: lacme-accountd(1): new setting 'keyid'. This saves a round trip and provides a safeguard against malicious clients.
---
config/lacme-accountd.conf | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'config/lacme-accountd.conf')
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index f31cf67..d31c6c8 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -20,6 +20,12 @@
 #
 #socket = %t/S.lacme
 
+# The "Key ID", as shown by `acme account`, to give the ACME client.
+# A non-empty value revokes all account management access (status
+# change, contact address updates etc.) from the client.
+#
+#keyid =
+
 # Be quiet. Possible values: "Yes"/"No".
 #
 #quiet = Yes
-- 
cgit v1.2.3
From 3d7cbb119cae717e0a3e5546d9a2b6ae982c514b Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 22 Feb 2021 00:19:14 +0100
Subject: Add 'logfile' to lacme-account.conf.
---
config/lacme-accountd.conf | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'config/lacme-accountd.conf')
diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf
index d31c6c8..5c769cf 100644
--- a/config/lacme-accountd.conf
+++ b/config/lacme-accountd.conf
@@ -20,6 +20,10 @@
 #
 #socket = %t/S.lacme
 
+# An optional file where to log to.
+#
+#logfile =
+
 # The "Key ID", as shown by `acme account`, to give the ACME client.
 # A non-empty value revokes all account management access (status
 # change, contact address updates etc.) from the client.
-- 
cgit v1.2.3
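Review bot: The new sample `#socket = %t/S.lacme` (hunk `@@ -17,10 +17,8 @@`) uses a %-specifier that this file never explains, and the same hunk deletes the only `Default:` line, so a reader of the file alone can no longer tell which directory the socket ends up in. That matters because the surrounding comment says an error is raised when the parent directory is writable by other users, and the operator needs to know which directory that check applies to. I would add a line such as `# "%t" expands to <runtime directory, per lacme-accountd(1)>. Default: <default value>` with the real expansion and default filled in. The comment block begins above the hunk, so the opening sentence is not visible here.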
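Review bot: In the added `keyid` comment (hunk `@@ -20,6 +20,12 @@`), "revokes" is easy to misread in an ACME setting, where revocation normally refers to certificates; `# A non-empty value denies the client all account management access` says the same thing without that ambiguity. The comment also leaves the empty default implicit: as worded, an empty `keyid` appears to leave status changes and contact address updates available to whichever client reaches the socket, which is the less restrictive setting. Spelling that out, e.g. `# Default: empty (the client keeps account management access)`, would show that the safeguard named in the commit message is opt-in; confirm the exact behaviour against lacme-accountd(1) before wording it.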
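Review bot: The added `logfile` comment (hunk `@@ -20,6 +20,10 @@`) does not say whether %-specifiers are expanded in this path, although the `socket` example directly above it uses `%t`. The commit that introduced specifiers lists only `socket` and `privkey` for lacme-accountd(1), so the file should state it either way. The sentence itself also reads more naturally as `# An optional file to log to.`, and since the subject line says `lacme-account.conf` while the patched file is `lacme-accountd.conf`, the comment is the only reliable pointer to where the setting lives.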