From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Dec 2020 20:28:46 +0100
Subject: Make unprivileged user/group for the internal client resp. webserver configurable.
---
 config/lacme.conf | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 9f4db72..cc8488d 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -19,15 +19,15 @@
 #socket =
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = nobody
+#user = @@lacme_client_user@@
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = nogroup
+#group = @@lacme_client_group@@
 # Path to the ACME client executable.
 #
@@ -72,15 +72,15 @@
 #challenge-directory =
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = www-data
+#user = @@lacme_www_user@@
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = www-data
+#group = @@lacme_www_group@@
 # Path to the ACME webserver executable.
 #
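Review bot: The new line `# Skip privilege drop if the value is empty (not recommended).` no longer tells the reader what the process then runs as; the replaced wording made explicit that root is retained, which is the security-relevant fact an operator needs when deciding to leave the value empty. Suggest `# Skip privilege drop if the value is empty, i.e. keep the uid lacme(8)` / `# was started with (root when run as root; not recommended).`, and the same for the gid variant. The identical wording change appears in hunks @@ -72 and @@ -99 of this commit. The new `@@lacme_client_user@@` / `@@lacme_client_group@@` values read as build-time placeholders that are presumably substituted at install; a `Default:` line in the style already used for `socket` would keep the shipped file self-explanatory if the substitution is ever missed.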
@@ -99,13 +99,13 @@
 # an existing lacme-accountd(1) process via a UNIX-domain socket.
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #user =
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #group =
-- 
cgit v1.2.3
From 8c70ba081e9892217510b6b01f0402482161ef84 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 12 Feb 2021 22:11:01 +0100
Subject: Raise client timeout from 10 to 30s.
---
 config/lacme.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index cc8488d..e49bd39 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -42,7 +42,7 @@
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
 #
-#timeout = 10
+#timeout = 30
 # Whether to verify the server certificate chain.
 #
-- 
cgit v1.2.3
From 9dfb2cde7baf686113e49266c28940c8a564c1ca Mon Sep 17 00:00:00 2001
From: Benjamin Tietz
Date: Wed, 23 Sep 2020 17:22:32 +0200
Subject: lacme: allow direct use challenge-directory .well-known/acme-challenge
---
 config/lacme.conf | 4 ++++
 1 file changed, 4 insertions(+)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index e49bd39..2955984 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -71,6 +71,10 @@
 #
 #challenge-directory =
+# Do not symlink the challenge-directory, but copy the challenge-files
+# explictly.
+#hard-copy-challenge-directory = No
+
 # username to drop privileges to (setting both effective and real uid).
 # Skip privilege drop if the value is empty (not recommended).
 #
-- 
cgit v1.2.3
From a903ea92dd736c560d21fe45063d4914765fa173 Mon Sep 17 00:00:00 2001
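Review bot: In hunk @@ -71 the added comment misspells `explictly` and does not say what the default `No` does nor what the copy mode expects of the directory; the reader has to infer the symlink default from the `Non-existent directory` wording of the `challenge-directory` comment above the hunk. Suggest `# Do not symlink the challenge-directory (the default), but copy the` / `# challenge files into it explicitly; the directory must then presumably` / `# already exist and be writable by the client user.` — whether the copy path also requires the directory to pre-exist is not visible here and should be confirmed. The value `No` matches the `Yes`/`No` convention of the other boolean settings in this file (e.g. `quiet`), so that part is consistent.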
From: Guilhem Moulin
Date: Sun, 14 Feb 2021 17:01:17 +0100
Subject: challenge-directory now needs to be set to an *existing* directory. Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale.
---
 config/lacme.conf | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 2955984..4c7dc86 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -64,17 +64,14 @@
 #
 #listen = @@runstatedir@@/lacme-www.socket
-# Non-existent directory under which an external HTTP daemon is
-# configured to serve GET requests for challenge files under
-# "/.well-known/acme-challenge/" (for each virtual host requiring
-# authorization) as static files.
+# Directory under which an external HTTP daemon is configured to serve
+# GET requests for challenge files under "/.well-known/acme-challenge/"
+# (for each virtual host requiring authorization) as static files.
+# NOTE: the directory must exist and be writable by the lacme client
+# user.
 #
 #challenge-directory =
-# Do not symlink the challenge-directory, but copy the challenge-files
-# explictly.
-#hard-copy-challenge-directory = No
-
 # username to drop privileges to (setting both effective and real uid).
 # Skip privilege drop if the value is empty (not recommended).
 #
-- 
cgit v1.2.3
From d72df441f86f759bf143df745ff13fd9b90597bf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 17 Feb 2021 23:53:31 +0100
Subject: Split client/webserver/accountd commands on whitespace. This doesn't change the default behavior.
---
 config/lacme.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 4c7dc86..3faed2b 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
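Review bot: The new `NOTE:` in hunk @@ -64 states only that the directory must be writable by the lacme client user, and says nothing about what it must not be, although everything placed there is served to the public by the external HTTP daemon as static files. The `socket` comment earlier in this file already spells out that lacme(8) aborts on a socket readable or writable by other users, so a parallel expectation here would be in keeping with the file: `# It should be owned by the client user, readable by the HTTP daemon, and` / `# not writable by other users (in particular not by the HTTP daemon's user).` Whether lacme(8) checks the directory's ownership or mode is not visible in this hunk; if it does, the NOTE should say so, otherwise the hint keeps operators from simply making the directory world-writable to satisfy it.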
@@ -29,7 +29,7 @@
 #
 #group = @@lacme_client_group@@
-# Path to the ACME client executable.
+# ACME client command.
 #
 #command = @@libexecdir@@/lacme/client
@@ -83,7 +83,7 @@
 #
 #group = @@lacme_www_group@@
-# Path to the ACME webserver executable.
+# ACME webserver command.
 #
 #command = @@libexecdir@@/lacme/webserver
@@ -110,7 +110,7 @@
 #
 #group =
-# Path to the lacme-accountd(1) executable.
+# lacme-accountd(1) command.
 #
 #command = @@bindir@@/lacme-accountd
-- 
cgit v1.2.3
From 1c4fc8c431e69780625600a4ee8526e1a3cbb3f4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 18 Feb 2021 01:04:45 +0100
Subject: lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file.
---
 config/lacme.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 3faed2b..0deba7b 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -116,7 +116,7 @@
 # Path to the lacme-accountd(1) configuration file.
 #
-#config = @@sysconfdir@@/lacme/lacme-accountd.conf
+#config =
 # The (private) account key to use for signing requests. See
 # lacme-accountd(1) for details.
-- 
cgit v1.2.3
From ad1856777bf108826008b60a1e70c1e3fbb94ec7 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 18 Feb 2021 01:14:23 +0100
Subject: Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead.
---
 config/lacme.conf | 5 -----
 1 file changed, 5 deletions(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 0deba7b..a6cb9c7 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
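Review bot: `# ACME client command.` in hunk @@ -29 drops the one fact a user of this file needs: the commit title says the value is now split on whitespace, so a path containing a space, or an argument that would need quoting, will be broken up silently. Suggest `# ACME client command. The value is split on whitespace to form the` / `# argument vector.`; if no shell is involved, say so too, because readers will otherwise try shell quoting. The same one-line comments in hunks @@ -83 (webserver) and @@ -110 (lacme-accountd) have the same gap.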
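Review bot: With `#config =` now empty in hunk @@ -116, the comment `# Path to the lacme-accountd(1) configuration file.` no longer tells the reader which file is consulted when the setting is left unset; the lookup order is described only in the commit message, and there it is spelled `~/.config/lacme/lacme-account.conf`, which looks like a typo for `lacme-accountd.conf` and is worth confirming. This file's convention is a `Default:` line, as in the `socket` comment, so suggest `# Default: the per-user lacme-accountd(1) configuration file if it exists,` / `# otherwise @@sysconfdir@@/lacme/lacme-accountd.conf.` using whatever per-user path the code actually probes. Since this file selects the source of the account signing key, an operator should be able to see from the config alone which file will be picked up.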
@@ -118,11 +118,6 @@
 #
 #config =
-# The (private) account key to use for signing requests. See
-# lacme-accountd(1) for details.
-#
-#privkey = file:/path/to/account.key
-
 # Be quiet.
 #
 #quiet = Yes
-- 
cgit v1.2.3
From 4a502836164821b9faa56d363c8fb116ce032321 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 19 Feb 2021 18:11:09 +0100
Subject: Wording: s/option/setting/.
---
 config/lacme.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index a6cb9c7..98ecacb 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -12,7 +12,7 @@
 # other users, or if its parent directory is writable by other users.
 # Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
 # variable is set.
-# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
+# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
 # since the two processes communicate through a socket pair. See the
 # "accountd" section below for details.
 #
-- 
cgit v1.2.3
From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 18 Feb 2021 21:07:01 +0100
Subject: Add %-specifiers support.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
---
 config/lacme.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 98ecacb..198729d 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -10,13 +10,11 @@
 # UNIX-domain socket to connect to for signature requests from the ACME
 # client. lacme(8) aborts if the socket is readable or writable by
 # other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
-# variable is set.
 # This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
 # since the two processes communicate through a socket pair. See the
 # "accountd" section below for details.
 #
-#socket =
+#socket = %t/S.lacme
 # username to drop privileges to (setting both effective and real uid).
 # Skip privilege drop if the value is empty (not recommended).
-- 
cgit v1.2.3
From 626c0418b3d8c3747a7be8e2620d7c85a8c2c613 Mon Sep 17 00:00:00 2001
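Review bot: `#socket = %t/S.lacme` introduces a `%t` specifier that the surrounding comment never explains, and the two removed `Default:` lines were the only place stating what happens when `XDG_RUNTIME_DIR` is unset. Suggest keeping an explanatory line such as `# %t expands to $XDG_RUNTIME_DIR; see lacme(8) for the list of %-specifiers.` — the replaced text implies `%t` is the runtime directory, but the actual expansion table is not on this page and should be checked. The behaviour when the variable is unset also deserves a sentence, since an unexpected fallback location for the signing socket is exactly what the ownership checks described three lines above are meant to guard against.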
From: Guilhem Moulin
Date: Sun, 21 Feb 2021 02:55:46 +0100
Subject: Make the ACME API server URL configurable at build time.
---
 config/lacme.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'config/lacme.conf')
diff --git a/config/lacme.conf b/config/lacme.conf
index 198729d..0392be5 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -35,7 +35,7 @@
 # for testing
 # as it has relaxed rate-limiting.
 #
-#server = https://acme-v02.api.letsencrypt.org/directory
+#server = @@acmeapi_server@@
 # Timeout in seconds after which the client stops polling the ACME
 # server and considers the request failed.
-- 
cgit v1.2.3
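Review bot: `#server = @@acmeapi_server@@` replaces the only human-readable statement of which ACME directory an installation talks to by default with a build-time placeholder, so a reader of the installed file can no longer tell whether it points at the production endpoint or the relaxed-rate-limit testing endpoint the preceding context lines refer to. Suggest either having the build step substitute the URL into a `Default:` comment line as well, in the style of the `socket` comment, or at least `# Default: set at build time; run lacme(8) with verbose output to see the effective URL.` if there is such an option. Since this URL is the trust anchor for every issuance request, a short pointer to the certificate-verification setting that follows (`# Whether to verify the server certificate chain.`) would also help an operator who edits this value.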