From 37a1daaf01431038de4ea983c4093fd2e271336f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 10:56:11 +0100 Subject: lacme.conf: mention the default groupname for the ACME client. --- config/lacme.conf | 1 + 1 file changed, 1 insertion(+) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 39cfd36..a52689a 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -25,6 +25,7 @@ # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty (not recommended). +# Default: "nogroup". # #group = nogroup -- cgit v1.2.3 From d39ec1c01a622996b5470ec6ce359be254f5274e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 13:52:14 +0100 Subject: wibble --- config/lacme-certs.conf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 9b9df2f..45c46a8 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -7,8 +7,12 @@ # Comma-separated list of Key Usages, see x509v3_config(5ssl). #keyUsage = digitalSignature, keyEncipherment + #[www] +# Path the service's private key. This option is required. +#certificate-key = /etc/nginx/ssl/srv.key + # Where to store the issued certificate (in PEM format). #certificate = /etc/nginx/ssl/srv.pem @@ -16,9 +20,6 @@ # of the file specified specified with the CAfile option (in PEM format). #certificate-chain = /etc/nginx/ssl/srv.chain.pem -# Path the service's private key. This option is required. -#certificate-key = /etc/nginx/ssl/srv.key - # For an existing certificate, the minimum number of days before its # expiration date the section is considered for re-issuance. #min-days = 10 
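Review bot: The comment moved to the top of the `[www]` example, `+# Path the service's private key. This option is required.`, drops a preposition; since it is now the line introducing the one required key in the section, it should read `# Path to the service's private key. This option is required.`. Placing `certificate-key` first in the section is otherwise a sensible reorder. The same wording is carried unchanged as context into the later formatting commit's hunk on this file, so fixing it here avoids touching it twice.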
@@ -39,7 +40,7 @@ # certificate-chain with. #chown = root:root -# octal mode to chmod the issued certificate and certificate-chain with. +# Octal mode to chmod the issued certificate and certificate-chain with. #chmod = 0644 # Command to pass the the system's command shell ("/bin/sh -c") after -- cgit v1.2.3 From ac0362fb5a5e83b0ed6c1e31c2c1f3d1dfbc1ced Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 13:59:25 +0100 Subject: Improve formatting of config files. --- config/lacme-certs.conf | 16 ++++++++++++++-- config/lacme.conf | 16 +++++++++++++--- 2 files changed, 27 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 45c46a8..12fcd54 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf 
@@ -1,50 +1,62 @@ -# Each non-default section denotes a separate certificate issuance. -# Options in the default section apply to each sections. +# Each non-default section refer to separate certificate issuance +# requests. Options in the default section apply to each sections. # Message digest to sign the Certificate Signing Request with. +# #hash = sha512 # Comma-separated list of Key Usages, see x509v3_config(5ssl). +# #keyUsage = digitalSignature, keyEncipherment #[www] # Path the service's private key. This option is required. +# #certificate-key = /etc/nginx/ssl/srv.key # Where to store the issued certificate (in PEM format). +# #certificate = /etc/nginx/ssl/srv.pem # Where to store the issued certificate, concatenated with the content # of the file specified specified with the CAfile option (in PEM format). +# #certificate-chain = /etc/nginx/ssl/srv.chain.pem # For an existing certificate, the minimum number of days before its # expiration date the section is considered for re-issuance. +# #min-days = 10 # Path to the issuer's certificate. This is used for certificate-chain # and to verify the validity of each issued certificate. Specifying an # empty value skip certificate validation. +# #CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem # Subject field of the Certificate Signing Request. This option is # required. +# #subject = /CN=example.org # Comma-separated list of Subject Alternative Names. +# #subjectAltName = DNS:example.org,DNS:www.example.org # username[:groupname] to chown the issued certificate and # certificate-chain with. +# #chown = root:root # Octal mode to chmod the issued certificate and certificate-chain with. +# #chmod = 0644 # Command to pass the the system's command shell ("/bin/sh -c") after # successful installation of the certificate and/or certificate-chain. +# #notify = /bin/systemctl reload nginx diff --git a/config/lacme.conf b/config/lacme.conf index a52689a..08afeb4 100644 --- a/config/lacme.conf 
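Review bot: The rewritten file header, `+# Each non-default section refer to separate certificate issuance` / `+# requests. Options in the default section apply to each sections.`, has two number-agreement errors and is the first thing an operator reads in this file. Keeping the author's phrasing, suggest `# Each non-default section refers to a separate certificate issuance` / `# request. Options in the default section apply to every section.`. The remainder of the hunk only inserts `#` spacer lines above each commented-out key.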
+++ b/config/lacme.conf @@ -3,7 +3,9 @@ # #config-certs = /etc/lacme/lacme-certs.conf + [client] + # The value of "socket" specifies the path to the lacme-accountd(1) # UNIX-domain socket to connect to for signature requests from the ACME # client. lacme(1) aborts if the socket is readable or writable by @@ -30,6 +32,7 @@ #group = nogroup # Path to the ACME client executable. +# #command = /usr/lib/lacme/client # Root URI of the ACME server. NOTE: Use the staging server for testing @@ -44,12 +47,15 @@ #timeout = 10 # Whether to verify the server certificate chain. +# #SSL_verify = yes # Specify the version of the SSL protocol used to transmit data. +# #SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 # Specify the cipher list for the connection. +# #SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL @@ -88,10 +94,10 @@ #iptables = Yes -# lacme-accound(1) section. Comment out the following section to make -# lacme(1) connect to an existing UNIX-domain socket bound by a running -# acme-accountd(1) process. [accountd] +# lacme-accound(1) section. Comment out this section (including its +# header) to make lacme(1) connect to an existing UNIX-domain socket +# bound by a running acme-accountd(1) process. # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty. @@ -105,16 +111,20 @@ #group = root # Path to the lacme-accountd(1) executable. +# #command = /usr/bin/lacme-accountd # Path to the lacme-accountd(1) configuration file. +# #config = /etc/lacme/lacme-accountd.conf # The (private) account key to use for signing requests. See # lacme-accountd(1) for details. +# #privkey = file:/path/to/account.key # Be quiet. +# #quiet = Yes ; vim:ft=dosini -- cgit v1.2.3 From bb5efce091215432fd2b82fbf50aff1536d415f6 Mon Sep 17 00:00:00 2001 
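Review bot: The relocated comment in the `@@ -88,10 +94,10 @@` hunk keeps a misspelled program name: `+# lacme-accound(1) section.` should be `lacme-accountd(1)`, and `acme-accountd(1)` on its last line is presumably the same name missing its leading `l`, given that the `[accountd]` keys below point at `/usr/bin/lacme-accountd`. Suggest `# lacme-accountd(1) section. Comment out this section (including its` / `# header) to make lacme(1) connect to an existing UNIX-domain socket` / `# bound by a running lacme-accountd(1) process.`. Moving the comment below the `[accountd]` header is an improvement, since it now sits inside the section it tells the operator to comment out. The other hunks in this file only add blank and `#` spacer lines.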
From: Guilhem Moulin Date: Mon, 5 Dec 2016 14:54:28 +0100 Subject: "config-certs" now points to a list of files or directories. --- config/lacme.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 08afeb4..f963128 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -1,7 +1,7 @@ -# For certificate issuance (new-cert command), specify the certificate -# configuration file to use +# For certificate issuance (new-cert command), specify a space-separated +# certificate configuration files or directories to use # -#config-certs = /etc/lacme/lacme-certs.conf +#config-certs = lacme-certs.conf lacme-certs.d/ [client] -- cgit v1.2.3 From 0eb9f40182299b2615f5ac0190d40429f5f64ed7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 5 Dec 2016 16:45:27 +0100 Subject: s/lacme-certs.d/lacme-certs.conf.d/ --- config/lacme.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index f963128..c5efb03 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -1,7 +1,7 @@ # For certificate issuance (new-cert command), specify a space-separated # certificate configuration files or directories to use # -#config-certs = lacme-certs.conf lacme-certs.d/ +#config-certs = lacme-certs.conf lacme-certs.conf.d/ [client] @@ -85,6 +85,7 @@ #group = www-data # Path to the ACME webserver executable. +# #command = /usr/lib/lacme/webserver # Whether to automatically install iptables(8) rules to open the -- cgit v1.2.3
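Review bot: The new `config-certs` description, `+# For certificate issuance (new-cert command), specify a space-separated` / `+# certificate configuration files or directories to use`, should say `a space-separated list of certificate configuration files or directories to use`, and it leaves two things undocumented that the move to multiple entries introduces: the example values `lacme-certs.conf lacme-certs.conf.d/` are now relative with no statement of what they are resolved against (presumably the directory of this file; confirm against the loader), and for a directory nothing says which files inside it are read or in what order, which an operator needs in order to know that stray files are not silently picked up. Because entries are space-separated, a path containing a space cannot be expressed, and one line stating that limitation would help. The following commit only renames the directory in the example and adds a `#` spacer line.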