From e8980fb172221cbffd7fa672d65da0a806524e72 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:36:06 +0100 Subject: documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. --- config/lacme-accountd.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index 94d2556..7248eb5 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf @@ -1,8 +1,8 @@ # The value of "privkey" specifies the (private) account key to use # for signing requests. Currently supported values are: # -# - file:FILE, to specify an encrypted private key (in PEM format) -# - gpg:FILE, to specify a gpg-encrypted private key (in PEM format) +# - file:FILE, for a private key in PEM format (optionally encrypted) +# - gpg:FILE, for a gpg-encrypted private key # #privkey = gpg:/path/to/encrypted/account.key.gpg #privkey = file:/path/to/account.key -- cgit v1.2.3 From 79edb6eea5e009e5b49876728f7477a8524e98ec Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:51:56 +0100 Subject: documentation: emphasize default values in the config file. Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. --- config/lacme-certs.conf | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 232c85b..3e7a577 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf 
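Review bot: The rewritten `file:FILE` line says the key may be unencrypted but not what protects it in that case, and neither line says how the passphrase is obtained when the key is encrypted (the subject line mentions symmetric encryption; the comment does not). Since this documents the ACME account key, a reader choosing the unencrypted form should be told that the file's ownership and mode are then the only protection; suggest `# - file:FILE, for a private key in PEM format (optionally encrypted;` / `#   an unencrypted key is protected only by FILE's permissions)`. How the passphrase is prompted for cannot be told from the hunk, so I would add a sentence on that only if it matches lacme-accountd(1).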
@@ -1,13 +1,27 @@ # Each non-default section refer to separate certificate issuance # requests. Options in the default section apply to each sections. -# Message digest to sign the Certificate Signing Request with. +# Message digest to sign the Certificate Signing Request with, +# overriding the req(1ssl) default. # -#hash = sha512 +#hash = -# Comma-separated list of Key Usages, see x509v3_config(5ssl). +# Comma-separated list of Key Usages, for instance "digitalSignature, +# keyEncipherment", to include in the Certificate Signing Request. +# See x509v3_config(5ssl) for a list of possible values. # -#keyUsage = digitalSignature, keyEncipherment +#keyUsage = + +# Path to the bundle of trusted issuer certificates. This is used for +# validating each certificate after issuance or renewal. Specifying an +# empty value skips certificate validation. +# +#CAfile = @@datadir@@/lacme/ca-certificates.crt + +# For an existing certificate, the minimum number of days before its +# expiration date the section is considered for re-issuance. +# +#min-days = 21 #[www] @@ -25,16 +39,6 @@ # #certificate-chain = /etc/nginx/ssl/srv.chain.pem -# For an existing certificate, the minimum number of days before its -# expiration date the section is considered for re-issuance. -# -#min-days = 21 - -# Path to trusted issuer certificates, used for validating each issued -# certificate. Specifying an empty value skips certificate validation. -# -#CAfile = @@datadir@@/lacme/ca-certificates.crt - # Subject field of the Certificate Signing Request. This option is # required. # -- cgit v1.2.3 From e751a1e0215342be52da2c086ad2e7bc8901229e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:10:30 +0100 Subject: s/\.pem$/.crt/ --- config/lacme-certs.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 3e7a577..038d685 100644 --- a/config/lacme-certs.conf 
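Review bot: In the first hunk `#hash =` no longer shows a value and the new comment only says it overrides "the req(1ssl) default" without naming it, so a reader can no longer tell which digest signs the CSR when the setting is left empty. That default comes from the OpenSSL configuration (`default_md` in the `[req]` section) and is SHA-256 on recent releases but not on every older build, which is worth stating for a security-relevant default; suggest `# Message digest to sign the Certificate Signing Request with. If empty,` / `# the req(1ssl) default (default_md, sha256 on recent OpenSSL) is used.` The second hunk only relocates the `min-days` and `CAfile` blocks and needs no change.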
+++ b/config/lacme-certs.conf @@ -32,12 +32,12 @@ # Where to store the issued certificate (in PEM format). # -#certificate = /etc/nginx/ssl/srv.pem +#certificate = /etc/nginx/ssl/srv.crt # Where to store the issued certificate along with its chain of trust # (in PEM format). # -#certificate-chain = /etc/nginx/ssl/srv.chain.pem +#certificate-chain = /etc/nginx/ssl/srv.chain.crt # Subject field of the Certificate Signing Request. This option is # required. @@ -65,7 +65,7 @@ #[smtp] #certificate-key = /etc/postfix/ssl/srv.key -#certificate-chain = /etc/postfix/ssl/srv.pem +#certificate-chain = /etc/postfix/ssl/srv.crt #subject = /CN=smtp.example.org #notify = /bin/systemctl reload postfix -- cgit v1.2.3 From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:28:46 +0100 Subject: Make unprivileged user/group for the internal client resp. webserver configurable. --- config/lacme.conf | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 9f4db72..cc8488d 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -19,15 +19,15 @@ #socket = # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -#user = nobody +#user = @@lacme_client_user@@ # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -#group = nogroup +#group = @@lacme_client_group@@ # Path to the ACME client executable. # 
@@ -72,15 +72,15 @@ #challenge-directory = # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -#user = www-data +#user = @@lacme_www_user@@ # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -#group = www-data +#group = @@lacme_www_group@@ # Path to the ACME webserver executable. # @@ -99,13 +99,13 @@ # an existing lacme-accountd(1) process via a UNIX-domain socket. # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty. +# Skip privilege drop if the value is empty. # #user = # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty. +# Skip privilege drop if the value is empty. # #group = -- cgit v1.2.3 From 8c70ba081e9892217510b6b01f0402482161ef84 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:11:01 +0100 Subject: Raise client timeout from 10 to 30s. --- config/lacme.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index cc8488d..e49bd39 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -42,7 +42,7 @@ # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. # -#timeout = 10 +#timeout = 30 # Whether to verify the server certificate chain. # -- cgit v1.2.3 From 681bf10e103b84b278491e6fff88e9d600ada72d Mon Sep 17 00:00:00 2001 
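Review bot: In the `@@ -99,13` hunk (the `[accountd]` section) the rewritten sentence `# Skip privilege drop if the value is empty.` lacks the `(not recommended)` qualifier that the same sentence carries in the `@@ -19` and `@@ -72` hunks, so the three sections now read as if an empty value were safe in one of them but not the others. If that difference is deliberate (for instance because lacme-accountd is expected to run as the user owning the account key), say so in the comment; otherwise add the qualifier for consistency. Where lacme(8) is started as root these user/group values are what prevents the spawned process from keeping root, which is why the qualifier matters.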
From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:13:31 +0100 Subject: Improve keyUsage documentation. --- config/lacme-certs.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 038d685..91c2b3d 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -8,7 +8,8 @@ # Comma-separated list of Key Usages, for instance "digitalSignature, # keyEncipherment", to include in the Certificate Signing Request. -# See x509v3_config(5ssl) for a list of possible values. +# See x509v3_config(5ssl) for a list of possible values. Note that the +# ACME might override the value provided here. # #keyUsage = -- cgit v1.2.3 From 9dfb2cde7baf686113e49266c28940c8a564c1ca Mon Sep 17 00:00:00 2001 From: Benjamin Tietz Date: Wed, 23 Sep 2020 17:22:32 +0200 Subject: lacme: allow direct use challenge-directory .well-known/acme-challenge --- config/lacme.conf | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index e49bd39..2955984 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -71,6 +71,10 @@ # #challenge-directory = +# Do not symlink the challenge-directory, but copy the challenge-files +# explictly. +#hard-copy-challenge-directory = No + # username to drop privileges to (setting both effective and real uid). # Skip privilege drop if the value is empty (not recommended). # -- cgit v1.2.3 From a903ea92dd736c560d21fe45063d4914765fa173 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 17:01:17 +0100 Subject: challenge-directory now needs to be set to an *existing* directory. Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. --- config/lacme.conf | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'config') 
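Review bot: The added sentence `# ACME might override the value provided here.` is missing a noun after "ACME" and leaves unclear who does the overriding; presumably the ACME server (the issuing CA), but that cannot be confirmed from the hunk. Suggest `# See x509v3_config(5ssl) for a list of possible values. Note that the` / `# ACME server (issuing CA) might override the value requested here.` Because the issued certificate's key usage may then differ from what was configured, the comment could add that the issued certificate, not this setting, is authoritative.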
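Review bot: The new comment for `hard-copy-challenge-directory` in the lacme.conf hunk (`@@ -71,6 +71,10`) has a typo, `explictly`, and does not say when copying is preferable to symlinking, so a reader cannot tell whether to enable it. Suggest `# Do not symlink the challenge-directory, but copy the challenge files` / `# explicitly (for HTTP daemons that do not follow symlinks).` with the parenthetical adjusted to the actual motivation, which I am inferring from the subject line. A blank `#` line before the value would also match the layout of the surrounding settings.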
diff --git a/config/lacme.conf b/config/lacme.conf index 2955984..4c7dc86 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -64,17 +64,14 @@ # #listen = @@runstatedir@@/lacme-www.socket -# Non-existent directory under which an external HTTP daemon is -# configured to serve GET requests for challenge files under -# "/.well-known/acme-challenge/" (for each virtual host requiring -# authorization) as static files. +# Directory under which an external HTTP daemon is configured to serve +# GET requests for challenge files under "/.well-known/acme-challenge/" +# (for each virtual host requiring authorization) as static files. +# NOTE: the directory must exist and be writable by the lacme client +# user. # #challenge-directory = -# Do not symlink the challenge-directory, but copy the challenge-files -# explictly. -#hard-copy-challenge-directory = No - # username to drop privileges to (setting both effective and real uid). # Skip privilege drop if the value is empty (not recommended). # -- cgit v1.2.3 From d72df441f86f759bf143df745ff13fd9b90597bf Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:53:31 +0100 Subject: Split client/webserver/accountd commands on whitespace. This doesn't change the default behavior. --- config/lacme.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 4c7dc86..3faed2b 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -29,7 +29,7 @@ # #group = @@lacme_client_group@@ -# Path to the ACME client executable. +# ACME client command. # #command = @@libexecdir@@/lacme/client @@ -83,7 +83,7 @@ # #group = @@lacme_www_group@@ -# Path to the ACME webserver executable. +# ACME webserver command. # #command = @@libexecdir@@/lacme/webserver @@ -110,7 +110,7 @@ # #group = -# Path to the lacme-accountd(1) executable. +# lacme-accountd(1) command. # #command = @@bindir@@/lacme-accountd -- cgit v1.2.3 
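Review bot: The added NOTE in the `@@ -64,17 +64,14` hunk states what the lacme client user needs (the directory must exist and be writable) but not what other users must not have, even though an external HTTP daemon serves everything placed there. A directory writable by other local users would let them put files under `/.well-known/acme-challenge/`, so the comment should spell out the expected ownership; suggest `# NOTE: the directory must exist and be writable by the lacme client` / `# user, and should not be writable by other users.` Whether lacme(8) itself checks the directory's mode cannot be told from this hunk.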
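Review bot: The rewritten comment `# ACME client command.` (hunk `@@ -29,7`) drops the word "path" but does not tell the reader what the commit message says, namely that the value is now split on whitespace into the command and its arguments, so a path containing a space can no longer be used as-is. Suggest `# ACME client command (split on whitespace into the command and its` / `# arguments).` The same applies to the `@@ -83,7` and `@@ -110,7` hunks for the webserver and lacme-accountd(1) commands.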
From 1c4fc8c431e69780625600a4ee8526e1a3cbb3f4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:04:45 +0100 Subject: lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. --- config/lacme.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 3faed2b..0deba7b 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -116,7 +116,7 @@ # Path to the lacme-accountd(1) configuration file. # -#config = @@sysconfdir@@/lacme/lacme-accountd.conf +#config = # The (private) account key to use for signing requests. See # lacme-accountd(1) for details. -- cgit v1.2.3 From ad1856777bf108826008b60a1e70c1e3fbb94ec7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:14:23 +0100 Subject: Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead. --- config/lacme-accountd.conf | 2 +- config/lacme.conf | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) (limited to 'config') diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index 7248eb5..10f332e 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf @@ -4,8 +4,8 @@ # - file:FILE, for a private key in PEM format (optionally encrypted) # - gpg:FILE, for a gpg-encrypted private key # -#privkey = gpg:/path/to/encrypted/account.key.gpg #privkey = file:/path/to/account.key +#privkey = gpg:/path/to/encrypted/account.key.gpg # For a gpg-encrypted private account key, "gpg" specifies the binary # gpg(1) to use, as well as some default options. Default: "gpg diff --git a/config/lacme.conf b/config/lacme.conf index 0deba7b..a6cb9c7 100644 --- a/config/lacme.conf 
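Review bot: `#config =` in the `@@ -116,7` hunk now shows an empty value while the comment above it still reads only `# Path to the lacme-accountd(1) configuration file.`, so the fallback described in the commit message (the previous default `/etc/lacme/lacme-accountd.conf`, used when the invoking user has no per-user file) is no longer documented anywhere in the config file. Suggest `# Path to the lacme-accountd(1) configuration file. If empty, the` / `# per-user file is used when present, else @@sysconfdir@@/lacme/lacme-accountd.conf.` with the per-user path taken from lacme(8), since the commit message spells it inconsistently (`lacme-account.conf`).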
+++ b/config/lacme.conf @@ -118,11 +118,6 @@ # #config = -# The (private) account key to use for signing requests. See -# lacme-accountd(1) for details. -# -#privkey = file:/path/to/account.key - # Be quiet. # #quiet = Yes -- cgit v1.2.3 From 4a502836164821b9faa56d363c8fb116ce032321 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 18:11:09 +0100 Subject: Wording: s/option/setting/. --- config/lacme-certs.conf | 6 +++--- config/lacme.conf | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 91c2b3d..5259690 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -1,5 +1,5 @@ # Each non-default section refer to separate certificate issuance -# requests. Options in the default section apply to each sections. +# requests. Settings in the default section apply to each sections. # Message digest to sign the Certificate Signing Request with, # overriding the req(1ssl) default. @@ -27,7 +27,7 @@ #[www] -# Path the service's private key. This option is required. +# Path the service's private key. This setting is required. # #certificate-key = /etc/nginx/ssl/srv.key @@ -40,7 +40,7 @@ # #certificate-chain = /etc/nginx/ssl/srv.chain.crt -# Subject field of the Certificate Signing Request. This option is +# Subject field of the Certificate Signing Request. This setting is # required. # #subject = /CN=example.org diff --git a/config/lacme.conf b/config/lacme.conf index a6cb9c7..98ecacb 100644 --- a/config/lacme.conf +++ b/config/lacme.conf 
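Review bot: The new line `# requests. Settings in the default section apply to each sections.` in the lacme-certs.conf `@@ -1,5` hunk keeps the grammatical error "each sections"; since the line is being rewritten anyway, suggest `# requests. Settings in the default section apply to all sections.` The preceding context line `# Each non-default section refer to` has the same kind of slip ("refers") and the `@@ -27,7` hunk's `# Path the service's private key.` is missing "to", but those are outside the changed lines.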
@@ -12,7 +12,7 @@ # other users, or if its parent directory is writable by other users. # Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment # variable is set. -# This option is ignored when lacme-accountd(1) is spawned by lacme(8), +# This setting is ignored when lacme-accountd(1) is spawned by lacme(8), # since the two processes communicate through a socket pair. See the # "accountd" section below for details. # -- cgit v1.2.3 From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 21:07:01 +0100 Subject: Add %-specifiers support. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. --- config/lacme-accountd.conf | 4 +--- config/lacme.conf | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'config') diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index 10f332e..f31cf67 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf 
@@ -17,10 +17,8 @@ # for signature requests from the ACME client. An error is raised if # the path exists or if its parent directory is writable by other # users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR -# environment variable is set. # -#socket = /run/user/1000/S.lacme +#socket = %t/S.lacme # Be quiet. Possible values: "Yes"/"No". # diff --git a/config/lacme.conf b/config/lacme.conf index 98ecacb..198729d 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -10,13 +10,11 @@ # UNIX-domain socket to connect to for signature requests from the ACME # client. lacme(8) aborts if the socket is readable or writable by # other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment -# variable is set. # This setting is ignored when lacme-accountd(1) is spawned by lacme(8), # since the two processes communicate through a socket pair. See the # "accountd" section below for details. # -#socket = +#socket = %t/S.lacme # username to drop privileges to (setting both effective and real uid). # Skip privilege drop if the value is empty (not recommended). -- cgit v1.2.3 From 626c0418b3d8c3747a7be8e2620d7c85a8c2c613 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 02:55:46 +0100 Subject: Make the ACME API server URL configurable at build time. --- config/lacme.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/lacme.conf b/config/lacme.conf index 198729d..0392be5 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -35,7 +35,7 @@ # for testing # as it has relaxed rate-limiting. # -#server = https://acme-v02.api.letsencrypt.org/directory +#server = @@acmeapi_server@@ # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. -- cgit v1.2.3 From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001 
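Review bot: The new example `#socket = %t/S.lacme` introduces a %-specifier while the hunk removes the only sentence that explained where the socket goes (`$XDG_RUNTIME_DIR/S.lacme`), and nothing in the file now says what `%t` expands to or what happens when that variable is unset. For a UNIX-domain socket whose location determines who can reach the account key, that is worth documenting; suggest `# %t expands to $XDG_RUNTIME_DIR; see lacme-accountd(1) for the list of` / `# supported %-specifiers.` assuming `%t` follows the systemd convention — confirm against the implementation. The same comment is needed in the lacme.conf `@@ -10,13` hunk of this commit.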
From: Guilhem Moulin Date: Sun, 21 Feb 2021 18:49:14 +0100 Subject: lacme-accountd(1): new setting 'keyid'. This saves a round trip and provides a safeguard against malicious clients. --- config/lacme-accountd.conf | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'config') diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index f31cf67..d31c6c8 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf @@ -20,6 +20,12 @@ # #socket = %t/S.lacme +# The "Key ID", as shown by `acme account`, to give the ACME client. +# A non-empty value revokes all account management access (status +# change, contact address updates etc.) from the client. +# +#keyid = + # Be quiet. Possible values: "Yes"/"No". # #quiet = Yes -- cgit v1.2.3 From 3d7cbb119cae717e0a3e5546d9a2b6ae982c514b Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 22 Feb 2021 00:19:14 +0100 Subject: Add 'logfile' to lacme-account.conf. --- config/lacme-accountd.conf | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config') diff --git a/config/lacme-accountd.conf b/config/lacme-accountd.conf index d31c6c8..5c769cf 100644 --- a/config/lacme-accountd.conf +++ b/config/lacme-accountd.conf @@ -20,6 +20,10 @@ # #socket = %t/S.lacme +# An optional file where to log to. +# +#logfile = + # The "Key ID", as shown by `acme account`, to give the ACME client. # A non-empty value revokes all account management access (status # change, contact address updates etc.) from the client. -- cgit v1.2.3
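Review bot: The new `keyid` comment in the `@@ -20,6 +20,12` hunk says what a non-empty value does but not what an empty one means, so a reader cannot tell whether leaving it empty keeps the safeguard the commit message describes; suggest adding `# Leave empty to let the client look up the account itself (and keep` / `# management access).` if that is the behaviour — confirm. The reference to `acme account` may be a typo for the actual subcommand name; it should match the command a user would run.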
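Review bot: `# An optional file where to log to.` in the logfile hunk (`@@ -20,6 +20,10`) is awkward and does not say where messages go when the value is empty or whether the file is appended to; suggest `# Optional path of a file to write log messages to.` plus a sentence on the empty-value behaviour (presumably stderr or syslog — confirm). Since lacme-accountd(1) runs as the account-key owner, noting that the file is created with that user's umask would also help readers who keep the log away from other users, if that matches the implementation.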