From bf1424f6ccf76eeb011428918c634951fe4995cf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 2 Mar 2016 07:28:01 +0100
Subject: letsencrypt-accountd
---
 config/letsencrypt-accountd.conf | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 config/letsencrypt-accountd.conf
(limited to 'config')
diff --git a/config/letsencrypt-accountd.conf b/config/letsencrypt-accountd.conf
new file mode 100644
index 0000000..c372190
--- /dev/null
+++ b/config/letsencrypt-accountd.conf
@@ -0,0 +1,29 @@
+# The value of "privkey" specifies the (private) account key to use
+# for signing requests. Currently supported values are:
+#
+# - file:FILE, to specify an encrypted private key (in PEM format)
+# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format)
+#
+#privkey = gpg:/path/to/encrypted/priv.key.gpg
+#privkey = file:/path/to/priv.key
+
+# For a gpg-encrypted private account key, "gpg" specifies the binary
+# gpg(1) to use, as well as some default options. Default: "gpg
+# --quiet".
+#
+#gpg = gpg2 --quiet --no-auto-check-trustdb
+
+# The value of "socket" specifies the UNIX-domain socket to bind against
+# for signature requests from the ACME client. An error is raised if
+# the path exists exists or if its parent directory is writable by other
+# users.
+# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# environment variable is set.
+#
+#socket = /run/user/1000/S.letsencrypt
+
+# Be quiet. Possible values: "Yes"/"No".
+#
+#quiet = Yes
+
+; vim:ft=dosini
-- cgit v1.2.3
From 2e332833c4f1cf069262ffdcae5f66ca8b818808 Mon Sep 17 00:00:00 2001
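Review bot: The `socket` comment has a doubled word: `# the path exists exists or if its parent directory is writable by other` should read `# the path exists or if its parent directory is writable by other`. The file also never states which program or INI dialect reads it, and that matters here because it mixes `#` comments with a `;` modeline and uses a `"Yes"/"No"` boolean, both of which are parser-dependent; a one-line header such as `# letsencrypt-accountd.conf - read by letsencrypt-accountd(1)` (naming the actual reader) would pin that down. The `privkey` comment describes the `file:` form as an encrypted PEM key; if an unencrypted file is also accepted, say so explicitly so operators know which form stores the account key in the clear.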
From: Guilhem Moulin
Date: Wed, 2 Mar 2016 07:28:36 +0100
Subject: Refactoring to use the account key manager.
---
 config/letsencrypt-certs.conf | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 config/letsencrypt.conf | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)
 create mode 100644 config/letsencrypt-certs.conf
 create mode 100644 config/letsencrypt.conf
(limited to 'config')
diff --git a/config/letsencrypt-certs.conf b/config/letsencrypt-certs.conf
new file mode 100644
index 0000000..5613ef6
--- /dev/null
+++ b/config/letsencrypt-certs.conf
@@ -0,0 +1,56 @@
+# Each non-default section denotes a separate certificate issuance.
+# Options in the default section apply to each sections.
+
+# Message digest to sign the Certificate Signing Request with.
+#hash = sha512
+
+# Comma-separated list of Key Usages, see x509v3_config(5ssl).
+#keyUsage = digitalSignature, keyEncipherment
+
+#[www]
+
+# Where to store the issued certificate (in PEM format).
+#certificate = /etc/nginx/ssl/srv.pem
+
+# Where to store the issued certificate, concatenated with the content
+# of the file specified specified with the CAfile option (in PEM format).
+#certificate-chain = /etc/nginx/ssl/srv.chain.pem
+
+# Path the service's private key. This option is required.
+#certificate-key = /etc/nginx/ssl/srv.key
+
+# For an existing certificate, the minimum number of days before its
+# expiration date the section is considered for re-issuance.
+#min-days = 10
+
+# Path to the issuer's certificate. This is used for certificate-chain
+# and to verify the validity of each issued certificate. Specifying an
+# empty value skip certificate validation.
+#CAfile = /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
+
+# Subject field of the Certificate Signing Request. This option is
+# required.
+#subject = /CN=example.org
+
+# Comma-separated list of Subject Alternative Names.
+#subjectAltName = DNS:example.org,DNS:www.example.org
+
+# username[:groupname] to chown the issued certificate and
+# certificate-chain with.
+#chown = root:root
+
+# octal mode to chmod the issued certificate and certificate-chain with.
+#chmod = 0644
+
+# Command to pass the the system's command shell ("/bin/sh -c") after
+# successful installation of the certificate and/or certificate-chain.
+#notify = /bin/systemctl restart nginx
+
+
+#[smtp]
+#certificate-key = /etc/postfix/ssl/srv.key
+#certificate-chain = /etc/postfix/ssl/srv.pem
+#subject = /CN=smtp.example.org
+#notify = /bin/systemctl restart postfix
+
+; vim:ft=dosini
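Review bot: Several comment lines in this new file carry typos that every deployment will copy into its own config: `# Options in the default section apply to each sections.` should read `apply to all sections.`, `# of the file specified specified with the CAfile option` should drop the repeated word, `# Path the service's private key.` should read `# Path to the service's private key.`, `# empty value skip certificate validation.` should read `skips`, and `# Command to pass the the system's command shell` should read `to the`. The `CAfile` comment is also the one place where an operator can silently disable a check, so it is worth stating the consequence on the same line, e.g. `# empty value skips certificate validation (the issued certificate is then installed without being checked against the issuer).` Finally, `chmod` documents the mode as octal but gives no hint that `certificate-key` is never touched by `chown`/`chmod`; if that is the intent, a short line under `certificate-key` saying the key's ownership and mode are left to the operator would avoid the assumption that the tool secures it.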
diff --git a/config/letsencrypt.conf b/config/letsencrypt.conf
new file mode 100644
index 0000000..1502020
--- /dev/null
+++ b/config/letsencrypt.conf
@@ -0,0 +1,86 @@
+# For certificate issuance (new-cert command), specify the certificate
+# configuration file to use
+#
+#config-certs = config/letsencrypt-certs.conf
+
+[client]
+# The value of "socket" specifies the letsencrypt-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client. letsencrypt aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# environment variable is set.
+#
+#socket = /run/user/1000/S.letsencrypt
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+# Default: "nobody".
+#
+#user = letsencrypt
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#group = nogroup
+
+# Path to the ACME client executable.
+#command = /usr/lib/letsencrypt-tiny/client
+
+# Root URI of the ACME server. NOTE: Use the staging server for testing
+# as it has relaxed ratelimit.
+#
+#server = https://acme-v01.api.letsencrypt.org/
+#server = https://acme-staging.api.letsencrypt.org/
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 10
+
+# Whether to verify the server certificate chain.
+#SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Specify the local address to listen on, in the form ADDRESS[:PORT].
+#
+#listen = 0.0.0.0:80
+#listen = [::]:80
+
+# If a webserver is already running, specify a non-existent directory
+# under which the webserver is configured to serve GET requests for
+# challenge files under "/.well-known/acme-challenge/" (for each virtual
+# hosts requiring authorization) as static files.
+#
+#challenge-directory = /var/www/acme-challenge
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#user = www-data
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+#user = www-data
+
+# Path to the ACME webserver executable.
+#command = /usr/lib/letsencrypt-tiny/webserver
+
+# Whether to automatically install iptables(1) rules to open the
+# ADDRESS[:PORT] specified with listen. Theses rules are automatically
+# removed once letsencrypt exits.
+#
+#iptables = Yes
+
+; vim:ft=dosini
-- cgit v1.2.3
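Review bot: The second privilege-drop example in `[webserver]` repeats the `user` key where the comment above it describes the group: the line `#user = www-data` that follows `# groupname to drop privileges to (setting both effective and real gid,` should read `#group = www-data`. As written, an operator who uncomments both examples ends up with a duplicate `user` key (first-wins, last-wins or an error depending on the parser) and no gid drop at all, which defeats the "not recommended" warning right above it. Separately, `config-certs` sits before any `[section]` as a global key, and the file mixes `#` comments with a `;` modeline and two boolean spellings (`SSL_verify = yes`, `iptables = Yes`); all three are accepted only by some INI dialects, so a header line naming the reader would make them intentional rather than accidental. Minor wording: `# as it has relaxed ratelimit.` should read `rate limits`, and `# Theses rules are automatically` should read `These rules`.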