From c93443364ce23ced97a80bfda8f8bb35ec19fcdb Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:02:44 +0100 Subject: documentation: suggest to generate private key material with genpkey(1ssl). * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported. --- lacme.8.md | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 4098662..c1bea54 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -332,11 +332,28 @@ Valid options are: *certificate-key* -: Path the service's private key. This option is required. The - following command can be used to generate a new 4096-bits RSA key in - PEM format with mode 0600: +: Path to the service's private key. This option is required. The + [`genpkey`(1ssl)] command can be used to generate a new service RSA + key: - openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/srv.key + $ install -vm0600 /dev/null /path/to/service.rsa.key + $ openssl genpkey -algorithm RSA -out /path/to/service.rsa.key + + Alternatively, for an ECDSA key using the NIST P-256 curve: + + $ install -vm0600 /dev/null /path/to/service.ecdsa.key + $ openssl genpkey -algorithm EC -out /path/to/service.ecdsa.key \ + -pkeyopt ec_paramgen_curve:P-256 \ + -pkeyopt ec_param_enc:named_curve + + `lacme` supports any key algorithm than the underlying libssl + (OpenSSL) version is able to manipulate, but the [ACME] server might + reject CSRs associated with private keys of deprecated and/or + “exotic” algorithms. + + For a dual cert setup (for instance RSA+ECDSA), duplicate the + certificate section and use a distinct *certificate-key* resp. + *certificate* (or *certificate-chain*) value for each key algorithm. *min-days* 
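Review bot: the RSA example in the *certificate-key* hunk drops the key size that the removed `openssl genrsa 4096` line pinned; `openssl genpkey -algorithm RSA` without `-pkeyopt rsa_keygen_bits:N` uses the library default (2048 bits in current OpenSSL), so either say so or add `-pkeyopt rsa_keygen_bits:4096` to keep the previously documented strength. In the same hunk, "any key algorithm than the underlying libssl" should read "that the underlying libssl", and the `install -vm0600 /dev/null` step deserves one sentence of explanation: `genpkey -out` only keeps the key private because it reuses the pre-created 0600 file, and a reader who skips that line and passes a fresh path gets a key created under the default umask, i.e. world-readable.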
@@ -407,3 +424,4 @@ See also [`iptables`(8)]: https://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html +[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html -- cgit v1.2.3 From f4b7c7b6130722535cb87c123d11ba554e7806c7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:20:13 +0100 Subject: wibble --- lacme.8.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index c1bea54..d98ec8e 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -410,9 +410,9 @@ Valid options are: Examples ======== - ~$ sudo lacme account --register --tos-agreed mailto:noreply@example.com - ~$ sudo lacme newOrder - ~$ sudo lacme revokeCert /path/to/server/certificate.pem + $ sudo lacme account --register --tos-agreed mailto:noreply@example.com + $ sudo lacme newOrder + $ sudo lacme revokeCert /path/to/service.crt See also ======== -- cgit v1.2.3 From 79edb6eea5e009e5b49876728f7477a8524e98ec Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:51:56 +0100 Subject: documentation: emphasize default values in the config file. Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. --- lacme.8.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index d98ec8e..5e32dcb 100644 --- a/lacme.8.md +++ b/lacme.8.md 
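Review bot: the new `[genpkey(1ssl)]` reference in the See also hunk uses the `man1/openssl-genpkey.html` path while the `ciphers` and `x509v3_config` references immediately above it still use the legacy `apps/` URLs; align them in the same change so the link list has one working scheme.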
@@ -366,18 +366,21 @@ Valid options are: *CAfile* -: Path to trusted issuer certificates, used for validating each issued - certificate. Specifying an empty values skips certificate validation. +: Path to the bundle of trusted issuer certificates. This is used for + validating each certificate after issuance or renewal. Specifying + an empty value skips certificate validation. Default: `@@datadir@@/lacme/ca-certificates.crt`. *hash* -: Message digest algorithm to sign the Certificate Signing Request - with. +: Message digest to sign the Certificate Signing Request with, + overriding the [`req`(1ssl)] default. *keyUsage* -: Comma-separated list of Key Usages, see [`x509v3_config`(5ssl)]. +: Comma-separated list of Key Usages, for instance `digitalSignature, + keyEncipherment`, to include in the Certificate Signing Request. + See [`x509v3_config`(5ssl)] for a list of possible values. *subject* @@ -425,3 +428,4 @@ See also [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html [`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html +[`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html -- cgit v1.2.3 From 7af56dad957e75c4f2c3aceda868193a5e94210f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:04:47 +0100 Subject: Fix broken URLs. --- lacme.8.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 5e32dcb..3840455 100644 --- a/lacme.8.md +++ b/lacme.8.md 
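Review bot: the `digitalSignature, keyEncipherment` example in the *keyUsage* hunk is only right for RSA keys; `keyEncipherment` denotes RSA key transport and has no meaning for the ECDSA key the *certificate-key* entry now shows how to generate, for which `digitalSignature` alone is appropriate. Suggest stating that the correct list depends on the key algorithm. The *hash* hunk now defers to "the req(1ssl) default", which varies between OpenSSL releases; either name the digest the project expects or say explicitly that it is whatever the libssl in use picks.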
@@ -425,7 +425,7 @@ See also [ACME]: https://tools.ietf.org/html/rfc8555 [`lacme-accountd`(1)]: lacme-accountd.1.html [`iptables`(8)]: https://linux.die.net/man/8/iptables -[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html -[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html +[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html +[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html [`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html [`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html -- cgit v1.2.3 From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:28:46 +0100 Subject: Make unprivileged user/group for the internal client resp. webserver configurable. --- lacme.8.md | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 3840455..ecf87c3 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -168,17 +168,16 @@ of [ACME] commands and dialogues with the remote [ACME] server). *user* : The username to drop privileges to (setting both effective and real - uid). Preserve root privileges if the value is empty (not - recommended). - Default: `nobody`. + uid). Skip privilege drop if the value is empty (not recommended). + Default: `@@lacme_client_user@@`. *group* : The groupname to drop privileges to (setting both effective and real gid, and also setting the list of supplementary gids to that single - group). Preserve root privileges if the value is empty (not + group). Skip privilege drop if the value is empty (not recommended). - Default: `nogroup`. + Default: `@@lacme_client_group@@`. *command* 
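Review bot: replacing the `[client]` defaults `nobody`/`nogroup` with build-time placeholders in the *user*/*group* hunk loses the implicit message that the client account should differ from the webserver one; the client talks to the account-key socket while the webserver is reachable from the network, so add a sentence recommending distinct unprivileged accounts for the two (as the old `nobody` vs `www-data` defaults implied) rather than leaving readers to point both placeholders at the same user.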
@@ -245,17 +244,16 @@ served during certificate issuance. *user* : The username to drop privileges to (setting both effective and real - uid). Preserve root privileges if the value is empty (not - recommended). - Default: `www-data`. + uid). Skip privilege drop if the value is empty (not recommended). + Default: `@@lacme_www_user@@`. *group* : The groupname to drop privileges to (setting both effective and real gid, and also setting the list of supplementary gids to that single - group). Preserve root privileges if the value is empty (not + group). Skip privilege drop if the value is empty (not recommended). - Default: `www-data`. + Default: `@@lacme_www_group@@`. *command* @@ -283,13 +281,13 @@ UNIX-domain socket. *user* : The username to drop privileges to (setting both effective and real - uid). Preserve root privileges if the value is empty. + uid). Skip privilege drop if the value is empty. *group* : The groupname to drop privileges to (setting both effective and real gid, and also setting the list of supplementary gids to that single - group). Preserve root privileges if the value is empty. + group). Skip privilege drop if the value is empty. *command* -- cgit v1.2.3 From 0f574f73182491fe793fcdfce6632372fab4d5c3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 21:47:54 +0100 Subject: lacme: new flag `--force`. Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. --- lacme.8.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index ecf87c3..2ffdc25 100644 --- a/lacme.8.md +++ b/lacme.8.md 
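Review bot: the `[accountd]` *user*/*group* hunk omits the "(not recommended)" qualifier that the `[client]` and `[webserver]` entries carry for an empty value; if leaving *user* empty there is intentional (accountd runs as the invoking user so it can read the account key), say so explicitly instead of leaving the reader to infer the asymmetry.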
@@ -77,7 +77,7 @@ Commands Upon success, `lacme` prints the new or updated Account Object from the [ACME] server. -`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `newOrder` [*SECTION* …] +`lacme newOrder` [`--config-certs=`*FILE*] [`--min-days=`*INT*|`--force`] [*SECTION* …] : Read the certificate configuration *FILE* (see the **[certificate configuration file](#certificate-configuration-file)** section below @@ -85,6 +85,9 @@ Commands for each of its sections (or the given list of *SECTION*s). Command alias: `new-order`. + The flag `--force` is an alias for `--min-days=-1`, which forces + renewal regardless of the expiration date of existing certificates. + `lacme` `revokeCert` *FILE* [*FILE* …] : Request that the given certificate(s) *FILE*(s) be revoked. For -- cgit v1.2.3 From 8c70ba081e9892217510b6b01f0402482161ef84 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:11:01 +0100 Subject: Raise client timeout from 10 to 30s. --- lacme.8.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 2ffdc25..3d46786 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -196,7 +196,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). : Timeout in seconds after which the client stops polling the [ACME] server and considers the request failed. - Default: `10`. + Default: `30`. *SSL_verify* -- cgit v1.2.3 From 681bf10e103b84b278491e6fff88e9d600ada72d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:13:31 +0100 Subject: Improve keyUsage documentation. --- lacme.8.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 3d46786..ee6aedd 100644 --- a/lacme.8.md +++ b/lacme.8.md 
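Review bot: the `--force` paragraph should carry a caveat that forcing issuance repeatedly for the same names counts against the ACME server's duplicate-certificate rate limits, since the flag is likely to be used in a loop while debugging. The synopsis hunk also moves `[--config-certs=FILE]` from before the `newOrder` keyword to after it, while the `revokeCert` synopsis below keeps the old shape; confirm the option parser accepts both positions or keep the ordering consistent across commands.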
@@ -382,6 +382,8 @@ Valid options are: : Comma-separated list of Key Usages, for instance `digitalSignature, keyEncipherment`, to include in the Certificate Signing Request. See [`x509v3_config`(5ssl)] for a list of possible values. + See x509v3_config(5ssl) for a list of possible values. Note that + the ACME might override the value provided here. *subject* -- cgit v1.2.3 From 43283731d372ba21bc5418bd02150671f81ce633 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:15:07 +0100 Subject: Improve user/group documentation. --- lacme.8.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index ee6aedd..384f21b 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -284,13 +284,13 @@ UNIX-domain socket. *user* : The username to drop privileges to (setting both effective and real - uid). Skip privilege drop if the value is empty. + uid). Skip privilege drop if the value is empty (the default). *group* : The groupname to drop privileges to (setting both effective and real gid, and also setting the list of supplementary gids to that single - group). Skip privilege drop if the value is empty. + group). Skip privilege drop if the value is empty (the default). *command* -- cgit v1.2.3 From 9dfb2cde7baf686113e49266c28940c8a564c1ca Mon Sep 17 00:00:00 2001 From: Benjamin Tietz Date: Wed, 23 Sep 2020 17:22:32 +0200 Subject: lacme: allow direct use challenge-directory .well-known/acme-challenge --- lacme.8.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 384f21b..404180c 100644 --- a/lacme.8.md +++ b/lacme.8.md 
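Review bot: the first added line in the *keyUsage* hunk, "See x509v3_config(5ssl) for a list of possible values.", duplicates the sentence immediately above it (which already has the linked form), and "the ACME might override" is missing "server"; the intended net change is the single sentence "Note that the ACME server might override the value provided here."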
@@ -244,6 +244,11 @@ served during certificate issuance. authorization) as static files. This option is required when *listen* is empty. +*hard-copy-challenge-directory* + +: Do not symlink the challenge-directory, but copy the challenge-files + explictly. + *user* : The username to drop privileges to (setting both effective and real -- cgit v1.2.3 From a903ea92dd736c560d21fe45063d4914765fa173 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 17:01:17 +0100 Subject: challenge-directory now needs to be set to an *existing* directory. Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. --- lacme.8.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 404180c..76cdd0d 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -238,16 +238,13 @@ served during certificate issuance. *challenge-directory* -: Specify a non-existent directory under which an external HTTP daemon - is configured to serve `GET` requests for challenge files under - `/.well-known/acme-challenge/` (for each virtual host requiring - authorization) as static files. - This option is required when *listen* is empty. - -*hard-copy-challenge-directory* +: Directory under which an external HTTP daemon is configured to serve `GET` + requests for challenge files under `/.well-known/acme-challenge/` (for + each virtual host requiring authorization) as static files. + `lacme` _must_ exist beforehand, _must_ be empty, and be writable by the + lacme client user (by default @@lacme_client_user@@). -: Do not symlink the challenge-directory, but copy the challenge-files - explictly. + This option is required when *listen* is empty. *user* 
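Review bot: the *hard-copy-challenge-directory* entry says what the option does ("explictly", typo for explicitly) but not when a reader needs it: the usual reason is an external HTTP daemon configured not to follow symlinks, in which case a symlinked challenge directory serves nothing and the `http-01` validation fails. State that trade-off and the default value.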
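Review bot: "`lacme` _must_ exist beforehand" in the *challenge-directory* hunk should read "The directory must exist beforehand". Since the directory is now required to be empty and writable by `@@lacme_client_user@@`, say what happens to leftover files on exit (removed, or refused on the next run), because a directory served by an external daemon and writable by another uid is exactly where stale or planted challenge files matter. The hunk also removes *hard-copy-challenge-directory* with no deprecation note; state whether existing configurations with that key now error out or are silently ignored.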
@@ -275,6 +272,7 @@ served during certificate issuance. : Whether to automatically install temporary [`iptables`(8)] rules to open the `ADDRESS[:PORT]` specified with *listen*. The rules are automatically removed once `lacme` exits. + This option is ignored when *challenge-directory* is set. Default: `No`. `[accountd]` section -- cgit v1.2.3 From f62a66c6ce82d9a1af241dc3952250362e601d45 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 23:46:40 +0100 Subject: Add support for TLS Feature extension from RFC 7633. This is mostly useful for OCSP Must-Staple. --- lacme.8.md | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 76cdd0d..00a62a2 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -368,6 +368,18 @@ Valid options are: Default: the value of the CLI option `--min-days`, or `21` if there is no such option. +*subject* + +: Subject field of the Certificate Signing Request, in the form + `/type0=value0/type1=value1/type2=…`. This option is required. + +*subjectAltName* + +: Comma-separated list of Subject Alternative Names, in the form + `type0:value1,type1:value1,type2:…` + The only `type` currently supported is `DNS`, to specify an + alternative domain name. + *CAfile* : Path to the bundle of trusted issuer certificates. This is used for 
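Review bot: the format string in the *subjectAltName* entry (moved here unchanged) reads `type0:value1,type1:value1` and should be `type0:value0,type1:value1`. The entry should also say whether the *subject* CN is implicitly added to the SAN list, since current clients validate against the SAN only and a CN-only configuration would otherwise produce a certificate that does not match the host.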
@@ -384,21 +396,15 @@ Valid options are: : Comma-separated list of Key Usages, for instance `digitalSignature, keyEncipherment`, to include in the Certificate Signing Request. - See [`x509v3_config`(5ssl)] for a list of possible values. - See x509v3_config(5ssl) for a list of possible values. Note that - the ACME might override the value provided here. - -*subject* + See [`x509v3_config`(5ssl)] for a list of possible values. Note + that the ACME server might override the value provided here. -: Subject field of the Certificate Signing Request, in the form - `/type0=value0/type1=value1/type2=…`. This option is required. +*tlsfeature* -*subjectAltName* - -: Comma-separated list of Subject Alternative Names, in the form - `type0:value1,type1:value1,type2:…` - The only `type` currently supported is `DNS`, to specify an - alternative domain name. +: Comma-separated list of [TLS extension][TLS Feature extension] + identifiers, such as `status_request` for OCSP Must-Staple. + See [`x509v3_config`(5ssl)] for a list of possible values. Note + that the ACME server might override the value provided here. *chown* @@ -429,6 +435,7 @@ See also [`lacme-accountd`(1)] [ACME]: https://tools.ietf.org/html/rfc8555 +[TLS Feature extension]: https://tools.ietf.org/html/rfc7633 [`lacme-accountd`(1)]: lacme-accountd.1.html [`iptables`(8)]: https://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html -- cgit v1.2.3 From db34a391d745bd3f94fbc3bba1cc8743a8831202 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 15 Feb 2021 00:01:13 +0100 Subject: typofix --- lacme.8.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 00a62a2..cea5298 100644 --- a/lacme.8.md +++ b/lacme.8.md 
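Review bot: the *tlsfeature* entry needs a warning next to `status_request`: a certificate carrying the TLS Feature extension for OCSP Must-Staple is rejected by enforcing clients whenever the service fails to staple a valid OCSP response, so the service has to be configured and verified to staple before this is enabled, and renewal (*notify*) must keep it working. The link text `[TLS extension][TLS Feature extension]` also reads oddly; "TLS Feature extension identifiers" matches the RFC 7633 name.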
@@ -241,8 +241,9 @@ served during certificate issuance. : Directory under which an external HTTP daemon is configured to serve `GET` requests for challenge files under `/.well-known/acme-challenge/` (for each virtual host requiring authorization) as static files. - `lacme` _must_ exist beforehand, _must_ be empty, and be writable by the - lacme client user (by default @@lacme_client_user@@). + The directory _must_ exist beforehand, _must_ be empty, and the + lacme client user (by default `@@lacme_client_user@@`) needs to be + able to create files under it. This option is required when *listen* is empty. -- cgit v1.2.3 From 2efd4458f4db7f489ecc81f4039b8e8103edf9d9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 17:24:31 +0100 Subject: Don't load configuration files from ./ by default. This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories. --- lacme.8.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index cea5298..bc711ed 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -131,10 +131,9 @@ Configuration file ================== If `--config=` is not given, `lacme` uses the first existing -configuration file among *./lacme.conf*, -*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if -the `XDG_CONFIG_HOME` environment variable is not set), and -*@@sysconfdir@@/lacme/lacme.conf*. +configuration file among *$XDG_CONFIG_HOME/lacme/lacme.conf* (or +*~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment +variable is not set), and *@@sysconfdir@@/lacme/lacme.conf*. Valid options are: Default section -- cgit v1.2.3 From d72df441f86f759bf143df745ff13fd9b90597bf Mon Sep 17 00:00:00 2001 
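Review bot: dropping *./lacme.conf* from the search order in the Configuration file hunk is the right fix for the insecure-cwd problem in the commit message, but the Examples section still invokes `sudo lacme`, and under sudo `$XDG_CONFIG_HOME` and `~` may refer to the invoking user or to root depending on the sudoers environment policy. Say which user's config directory is meant when lacme runs as root; otherwise a user-writable `~/.config/lacme/lacme.conf` can end up driving a root process, which is the same class of issue this commit closes.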
From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:53:31 +0100 Subject: Split client/webserver/accountd commands on whitespace. This doesn't change the default behavior. --- lacme.8.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index bc711ed..69870c4 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -183,7 +183,10 @@ of [ACME] commands and dialogues with the remote [ACME] server). *command* -: Path to the [ACME] client executable. +: The [ACME] client command. It is split on whitespace, with the + first item being the command to execute, the second its first + argument etc. (Note that `lacme` might append more arguments when + executing the command internally.) Default: `@@libexecdir@@/lacme/client`. *server* @@ -262,9 +265,13 @@ served during certificate issuance. *command* -: Path to the [ACME] webserver executable. A separate process is - spawned for each address to *listen* on. (In particular no - webserver process is forked when the *listen* option is empty.) +: The [ACME] webserver command. It is split on whitespace, with the + first item being the command to execute, the second its first + argument etc. (Note that `lacme` might append more arguments when + executing the command internally.) + A separate process is spawned for each address to *listen* on. (In + particular no webserver process is forked when the *listen* option + is empty.) Default: `@@libexecdir@@/lacme/webserver`. *iptables* @@ -297,7 +304,10 @@ UNIX-domain socket. *command* -: Path to the [`lacme-accountd`(1)] executable. +: The [`lacme-accountd`(1)] command. It is split on whitespace, with + the first item being the command to execute, the second its first + argument etc. (Note that `lacme` appends more arguments when + executing the command internally.) Default: `@@bindir@@/lacme-accountd`. *config* -- cgit v1.2.3 From 42a8f9813716ed3495b6f49edea429b127eef0f0 Mon Sep 17 00:00:00 2001 
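Review bot: "split on whitespace" in the three *command* hunks implies no quoting or escaping, so a command path or argument containing a space cannot be expressed; state that limitation, and that the string is not shell-parsed (no `$VAR`, globbing or redirection), so readers do not put a shell snippet there expecting sh semantics.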
From: Guilhem Moulin Date: Thu, 18 Feb 2021 00:49:46 +0100 Subject: accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. --- lacme.8.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 69870c4..c354c1a 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -308,7 +308,9 @@ UNIX-domain socket. the first item being the command to execute, the second its first argument etc. (Note that `lacme` appends more arguments when executing the command internally.) - Default: `@@bindir@@/lacme-accountd`. + Use for instance `ssh -T lacme@account.example.net lacme-accountd` + in order to spawn a remote [`lacme-accountd`(1)] server. Default: + `@@bindir@@/lacme-accountd`. *config* -- cgit v1.2.3 From 1c4fc8c431e69780625600a4ee8526e1a3cbb3f4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:04:45 +0100 Subject: lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. --- lacme.8.md | 1 - 1 file changed, 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index c354c1a..c32469d 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -315,7 +315,6 @@ UNIX-domain socket. *config* : Path to the [`lacme-accountd`(1)] configuration file. - Default: `@@sysconfdir@@/lacme/lacme-accountd.conf`. *privkey* -- cgit v1.2.3 From ad1856777bf108826008b60a1e70c1e3fbb94ec7 Mon Sep 17 00:00:00 2001 
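Review bot: the `ssh -T lacme@account.example.net lacme-accountd` example in the `[accountd]` *command* hunk should say which local user's SSH identity and `known_hosts` are used (the user lacme runs as, root in the Examples) and that the remote side should pin the command in `authorized_keys` so the key cannot run anything but lacme-accountd. In the *config* hunk, deleting the default line leaves the entry silent about the fallback the commit message describes (`/etc/lacme/lacme-accountd.conf` when no per-user file exists); document that fallback in the entry itself.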
From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:14:23 +0100 Subject: Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead. --- lacme.8.md | 5 ----- 1 file changed, 5 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index c32469d..3852b13 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -316,11 +316,6 @@ UNIX-domain socket. : Path to the [`lacme-accountd`(1)] configuration file. -*privkey* - -: The (private) account key to use for signing requests. See - [`lacme-accountd`(1)] for details. - *quiet* : Be quiet. Possible values: `Yes`/`No`. -- cgit v1.2.3 From 57afbf387cf812945ad14cd03570b0746fc4c865 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 12:22:37 +0100 Subject: Document spawning a remote lacme-accountd(1) instance. And add a test case for this. --- lacme.8.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 3852b13..6218d36 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -435,6 +435,21 @@ Examples $ sudo lacme newOrder $ sudo lacme revokeCert /path/to/service.crt +Automatic renewal can be scheduled via [`crontab`(5)] or +[`systemd.timer`(5)]. In order to avoid deploying a single account key +onto multiple nodes and/or dealing with multiple account keys, one can +install a single [`lacme-accountd`(1)] instance on a dedicated host, +generate a single account key there (and keep it well), and set the +following in the [`[accountd]` section](#accountd-section): + + command = ssh -T lacme@account.example.net lacme-accountd + +If the user running `lacme` can connect to `lacme@account.example.net` +using (passwordless) key authentication, this setting will spawn a +remote [`lacme-accountd`(1)] and use it to sign [ACME] requests. +Further hardening can be achieved my means of [`authorized_keys`(5)] +restrictions. + See also ======== 
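Review bot: in the Examples hunk, "Further hardening can be achieved my means of" should read "by means of", and "keep it well" is too vague for the one secret the whole setup protects. Spell out the `authorized_keys` restrictions the sentence alludes to (`command="..."` to pin the command, plus `restrict` to disable forwarding and pty allocation) and note that the account host then exposes nothing but lacme-accountd over that key.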
@@ -448,3 +463,6 @@ See also [`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html [`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html [`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html +[`crontab`(5)]: https://linux.die.net/man/5/crontab +[`systemd.timer`(5)]: https://www.freedesktop.org/software/systemd/man/systemd.timer.html +[`authorized_keys`(5)]: https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT -- cgit v1.2.3 From 4a502836164821b9faa56d363c8fb116ce032321 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 18:11:09 +0100 Subject: Wording: s/option/setting/. --- lacme.8.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 6218d36..4dfc67e 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -37,9 +37,9 @@ with its own executable: For certificate issuances (`newOrder` command), it also generates Certificate Signing Requests, then verifies the validity of the issued certificate, and optionally reloads or restarts services when - the *notify* option is set. + the *notify* setting is set. - 3. An actual [ACME] client (specified with the *command* option of the + 3. An actual [ACME] client (specified with the *command* setting of the [`[client]` section](#client-section) of the configuration file), which builds [ACME] commands and dialogues with the remote [ACME] server. 
@@ -49,7 +49,7 @@ with its own executable: requested by writing the data to be signed to the socket. 4. For certificate issuances (`newOrder` command), an optional - webserver (specified with the *command* option of the [`[webserver]` + webserver (specified with the *command* setting of the [`[webserver]` section](#webserver-section) of the configuration file), which is spawned by the “master” `lacme`. (The only challenge type currently supported by `lacme` is `http-01`, which requires a webserver to @@ -95,8 +95,8 @@ Commands account key or the server's private key. Command alias: `revoke-cert`. -Generic options -=============== +Generic settings +================ `--config=`*filename* @@ -110,7 +110,7 @@ Generic options connect to for signature requests from the [ACME] client. `lacme` aborts if `path` is readable or writable by other users, or if its parent directory is writable by other users. - This command-line option overrides the *socket* option of the + This command-line option overrides the *socket* setting of the [`[client]` section](#client-section) of the configuration file; it also causes the [`[accountd]` section](#accountd-section) to be ignored. @@ -134,7 +134,7 @@ If `--config=` is not given, `lacme` uses the first existing configuration file among *$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment variable is not set), and *@@sysconfdir@@/lacme/lacme.conf*. -Valid options are: +Valid settings are: Default section --------------- @@ -247,7 +247,7 @@ served during certificate issuance. lacme client user (by default `@@lacme_client_user@@`) needs to be able to create files under it. - This option is required when *listen* is empty. + This setting is required when *listen* is empty. *user* 
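Review bot: the "Generic options" heading is renamed to "Generic settings" although the entries under it (`--config=`, `--socket=`) are command-line options, and the body text in the same hunk still says "This command-line option overrides the *socket* setting"; keep "option" for CLI flags and "setting" for configuration keys so the distinction the rename tries to establish actually holds. Also, "when the *notify* setting is set" in the first hunk of this commit reads awkwardly; "when *notify* is set" is enough.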
@@ -270,7 +270,7 @@ served during certificate issuance. argument etc. (Note that `lacme` might append more arguments when executing the command internally.) A separate process is spawned for each address to *listen* on. (In - particular no webserver process is forked when the *listen* option + particular no webserver process is forked when the *listen* setting is empty.) Default: `@@libexecdir@@/lacme/webserver`. @@ -279,7 +279,7 @@ served during certificate issuance. : Whether to automatically install temporary [`iptables`(8)] rules to open the `ADDRESS[:PORT]` specified with *listen*. The rules are automatically removed once `lacme` exits. - This option is ignored when *challenge-directory* is set. + This setting is ignored when *challenge-directory* is set. Default: `No`. `[accountd]` section @@ -327,7 +327,7 @@ For certificate issuances (`newOrder` command), a separate file is used to configure paths to the certificate and key, as well as the subject, subjectAltName, etc. to generate Certificate Signing Requests. Each section denotes a separate certificate issuance. -Valid options are: +Valid settings are: *certificate* @@ -342,7 +342,7 @@ Valid options are: *certificate-key* -: Path to the service's private key. This option is required. The +: Path to the service's private key. This setting is required. The [`genpkey`(1ssl)] command can be used to generate a new service RSA key: @@ -377,7 +377,7 @@ Valid options are: *subject* : Subject field of the Certificate Signing Request, in the form - `/type0=value0/type1=value1/type2=…`. This option is required. + `/type0=value0/type1=value1/type2=…`. This setting is required. *subjectAltName* -- cgit v1.2.3 From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Thu, 18 Feb 2021 21:07:01 +0100 Subject: Add %-specifiers support. lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. --- lacme.8.md | 90 +++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 68 insertions(+), 22 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 4dfc67e..aab448f 100644 --- a/lacme.8.md +++ b/lacme.8.md 
@@ -100,16 +100,22 @@ Generic settings `--config=`*filename* -: Use *filename* as configuration file. See the **[configuration - file](#configuration-file)** section below for the configuration - options. +: Use *filename* as configuration file instead of + `%E/lacme/lacme.conf`. The value is subject to [%-specifier + expansion](#percent-specifiers). + + See the **[configuration file](#configuration-file)** section below + for the configuration options. `--socket=`*path* : Use *path* as the [`lacme-accountd`(1)] UNIX-domain socket to - connect to for signature requests from the [ACME] client. `lacme` - aborts if `path` is readable or writable by other users, or if its - parent directory is writable by other users. + connect to for signature requests from the [ACME] client. The value + is subject to [%-specifier expansion](#percent-specifiers). + `lacme` aborts if *path* exists or if its parent directory is + writable by other users. + Default: `%t/S.lacme`. + This command-line option overrides the *socket* setting of the [`[client]` section](#client-section) of the configuration file; it also causes the [`[accountd]` section](#accountd-section) to be @@ -130,10 +136,6 @@ Generic settings Configuration file ================== -If `--config=` is not given, `lacme` uses the first existing -configuration file among *$XDG_CONFIG_HOME/lacme/lacme.conf* (or -*~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment -variable is not set), and *@@sysconfdir@@/lacme/lacme.conf*. Valid settings are: Default section 
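Review bot: the `--socket=` hunk changes the abort condition from "readable or writable by other users" to "if *path* exists", yet the unchanged sentence that follows still says the option makes lacme connect to an existing lacme-accountd socket and ignore the `[accountd]` section; both cannot be true. If lacme now always creates the socket itself, the "connect to" wording and the `[accountd]`-ignored sentence need updating; if `--socket=` still means "use this pre-existing socket", the abort-if-exists rule is wrong. Separately, removing the "If `--config=` is not given ..." paragraph leaves the Configuration file section with no statement of the default location apart from `%E/lacme/lacme.conf` under `--config=`; a one-line pointer here would help, as would a note that `%E` differs between root and unprivileged users per the commit message.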
@@ -145,13 +147,15 @@ Default section space-separated list of certificate configuration files or directories to use (see the **[certificate configuration file](#certificate-configuration-file)** section below for the - configuration options). + configuration options). Each item in that list is independently + subject to [%-specifier expansion](#percent-specifiers). - Paths not starting with `/` are relative to the directory name of - the **[configuration filename](#configuration-file)**. The list of - files and directories is processed in order, with the later items - taking precedence. Files in a directory are processed in - lexicographic order, only considering the ones with suffix `.conf`. + Paths not starting with `/` (after %-expansion) are relative to the + parent directory of the **[configuration filename](#configuration-file)**. + The list of files and directories is processed in the specified + order, with the later items taking precedence. Files in a directory + are processed in lexicographic order, only considering the ones with + suffix `.conf`. Default: `lacme-certs.conf lacme-certs.conf.d/`. @@ -164,8 +168,6 @@ of [ACME] commands and dialogues with the remote [ACME] server). *socket* : See `--socket=`. - Default: *$XDG_RUNTIME_DIR/S.lacme* if the `XDG_RUNTIME_DIR` - environment variable is set. *user* @@ -247,7 +249,9 @@ served during certificate issuance. lacme client user (by default `@@lacme_client_user@@`) needs to be able to create files under it. - This setting is required when *listen* is empty. + This setting is required when *listen* is empty. Moreover its value + is subject to [%-specifier expansion](#percent-specifiers) _before_ + privilege drop. *user* 
@@ -308,13 +312,18 @@ UNIX-domain socket. the first item being the command to execute, the second its first argument etc. (Note that `lacme` appends more arguments when executing the command internally.) + Each item in that list is independently subject to [%-specifier + expansion](#percent-specifiers) _after_ privilege drop. + Default: `@@bindir@@/lacme-accountd`. + Use for instance `ssh -T lacme@account.example.net lacme-accountd` - in order to spawn a remote [`lacme-accountd`(1)] server. Default: - `@@bindir@@/lacme-accountd`. + in order to spawn a remote [`lacme-accountd`(1)] server. *config* -: Path to the [`lacme-accountd`(1)] configuration file. +: Path to the [`lacme-accountd`(1)] configuration file. The value is + subject to [%-specifier expansion](#percent-specifiers) _after_ + privilege drop. *quiet* 
@@ -428,6 +437,43 @@ Valid settings are: after successful installation of the *certificate* and/or *certificate-chain*. +%-specifiers {#percent-specifiers} +============ + +Some CLI options and configuration settings are subject to %-expansion +for the following specifiers. Check the documentation of each setting +to see which ones are affected. + +---- ------------------------------------------------------------------ +`%C` `@@localstatedir@@/cache` for the root user, and `$XDG_CACHE_HOME` + for other users (or `$HOME/.cache` if the `XDG_CACHE_HOME` + environment variable is unset or empty). + +`%E` `@@sysconfdir@@` for the root user, and `$XDG_CONFIG_HOME` for + other users (or `$HOME/.config` if the `XDG_CONFIG_HOME` + environment variable is unset or empty). + +`%g` Current group name. + +`%G` Current group ID. + +`%h` Home directory of the current user. + +`%t` `@@runstatedir@@` for the root user, and `$XDG_RUNTIME_DIR` for + other users. Non-root users may only use `%t` when the + `XDG_RUNTIME_DIR` environment variable is set to a non-empty + value. + +`%T` `$TMPDIR`, or `/tmp` if the `TMPDIR` environment variable is unset + or empty. + +`%u` Current user name. + +`%U` Current user ID. + +`%%` A literal `%`. +---- ------------------------------------------------------------------ + Examples ======== -- cgit v1.2.3 From 8e612e071b8c0fc99ebf91673f53ca5f0d6bdd11 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 20 Feb 2021 19:56:15 +0100 Subject: Document `lacme-accountd --stdio`. It's an internal flag, but can be useful for authorized_keys(5) restrictions. --- lacme.8.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index aab448f..9a14d75 100644 --- a/lacme.8.md +++ b/lacme.8.md 
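Review bot: in the `--socket=` hunk of the "Add %-specifiers support" patch, the new "Default: `%t/S.lacme`" is only half a default, because the %-specifier table in the same patch says non-root users may only use `%t` when `XDG_RUNTIME_DIR` is set to a non-empty value, and the qualifier that used to carry that caveat ("if the `XDG_RUNTIME_DIR` environment variable is set") is deleted from the *socket* setting without replacement. State here what `lacme` does for a non-root user without `XDG_RUNTIME_DIR` (abort, or no default socket). The same hunk also changes the abort condition from "*path* is readable or writable by other users" to "*path* exists"; if the check really became stricter, that is a behaviour change and belongs in the commit message, not only in the man page.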
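Review bot: the "Configuration file" hunk removes the only paragraph that told readers where `lacme` looks for its configuration file and adds nothing in its place, so the section now opens with "Valid settings are:" and the default path survives only under `--config=`. The commit message's point that there is no fallback to `@@sysconfdir@@` for non-root users is not stated anywhere in the rendered page. Suggest keeping a one-line replacement, e.g. "If `--config=` is not given, `lacme` uses `%E/lacme/lacme.conf` (see [%-specifiers](#percent-specifiers))."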
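Review bot: the *challenge-directory* hunk says the value is expanded "_before_ privilege drop" but leaves the consequence implicit: by the table's own definitions, `%u`, `%U`, `%g`, `%h`, `%E` and `%t` are then resolved for the invoking user (normally root), not for the lacme client user (`@@lacme_client_user@@`) that the same paragraph says must be able to create files under the directory. One sentence spelling that out would prevent a mismatch between the expanded path and the user expected to write into it. Minor: "Moreover its value" wants a comma after "Moreover".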
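Review bot: the [accountd] *command* and *config* hunks both say expansion happens "_after_ privilege drop", which is the right choice, but the text should say which identity that is, since the `ssh -T lacme@account.example.net lacme-accountd` example depends on that user's SSH client configuration and key material rather than root's. A short clause such as "i.e. `%u`, `%h` etc. refer to the user the `[accountd]` process runs as" would make the example reproducible.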
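Review bot: the new %-specifiers table does not say what happens when a specifier cannot be resolved or is unknown: `%t` for a non-root user without `XDG_RUNTIME_DIR`, `%C`/`%E`/`%h` when `$HOME` is unset, or a typo such as `%x`. For a setting like *socket* or *challenge-directory* the difference between "abort" and "leave the text unexpanded" is security-relevant, so state the actual behaviour in the introductory paragraph. It would also help to note that `%T` resolves to a shared temporary directory and is therefore not a suitable base for *socket*, for which `%t` is the intended default.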
@@ -493,8 +493,10 @@ following in the [`[accountd]` section](#accountd-section): If the user running `lacme` can connect to `lacme@account.example.net` using (passwordless) key authentication, this setting will spawn a remote [`lacme-accountd`(1)] and use it to sign [ACME] requests. -Further hardening can be achieved my means of [`authorized_keys`(5)] -restrictions. +Further hardening can be achieved by means of [`authorized_keys`(5)] +restrictions: + + restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa … See also ======== -- cgit v1.2.3 From f5a8ada638d9fcef9939b00f941588288f6287cc Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 20 Feb 2021 20:38:48 +0100 Subject: =?UTF-8?q?Documentation:=20Wrap=20commands=20in=20`=E2=80=A6`.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lacme.8.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 9a14d75..ca47470 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -316,8 +316,9 @@ UNIX-domain socket. expansion](#percent-specifiers) _after_ privilege drop. Default: `@@bindir@@/lacme-accountd`. - Use for instance `ssh -T lacme@account.example.net lacme-accountd` - in order to spawn a remote [`lacme-accountd`(1)] server. + Use for instance `` `ssh -T lacme@account.example.net + lacme-accountd` `` in order to spawn a remote [`lacme-accountd`(1)] + server. *config* @@ -433,7 +434,7 @@ Valid settings are: *notify* -: Command to pass the the system's command shell (`/bin/sh -c`) +: Command to pass the the system's command shell (`` `/bin/sh -c` ``) after successful installation of the *certificate* and/or *certificate-chain*. -- cgit v1.2.3 From 74c0a11722cf1e01b9a9834e89a07b55eaf01080 Mon Sep 17 00:00:00 2001 
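Review bot: the `authorized_keys`(5) hunk introduces `--stdio` without saying what it does, and the commit message calls it an internal flag; either document it in `lacme-accountd`(1) or add one sentence here (presumably: serve signature requests over stdin/stdout instead of the UNIX-domain socket, which is what the forced command needs). Also worth a parenthetical that the `restrict` keyword requires OpenSSH 7.2 or later, since it is what disables forwarding and PTY allocation and carries most of the hardening the surrounding prose promises; the `from="…"` and trailing `…` placeholders are fine as they are.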
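Review bot: in the *notify* hunk of the "Wrap commands" patch, the duplicated "the the" in "Command to pass the the system's command shell" is carried over unchanged; since the line is already being touched, drop the extra "the". Also confirm that the `` `…` `` double-backtick wrapping is meant to render literal backticks around `/bin/sh -c` and the `ssh` example in the output (the subject suggests it is), as it reads oddly in the plain-text source.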
From: Guilhem Moulin Date: Sat, 20 Feb 2021 22:05:18 +0100 Subject: lacme-accountd: new setting 'logfile' to log signature requests. Prefixed with a timestamp. --- lacme.8.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index ca47470..7d66e79 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -497,7 +497,7 @@ remote [`lacme-accountd`(1)] and use it to sign [ACME] requests. Further hardening can be achieved by means of [`authorized_keys`(5)] restrictions: - restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa … + restrict,from="…",command="/usr/bin/lacme-accountd --quiet --stdio" ssh-rsa … See also ======== -- cgit v1.2.3 From 626c0418b3d8c3747a7be8e2620d7c85a8c2c613 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 02:55:46 +0100 Subject: Make the ACME API server URL configurable at build time. --- lacme.8.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 7d66e79..30de221 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -194,7 +194,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). *server* : Root URI of the [ACME] server. - Default: `https://acme-v02.api.letsencrypt.org/directory`. + Default: `@@acmeapi_server@@`. *timeout* -- cgit v1.2.3 From d56b957dbae6c8214d50ce88d0ea04eb4654b843 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 17:34:51 +0100 Subject: wording --- lacme.8.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 30de221..ad6dab6 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -92,7 +92,7 @@ Commands : Request that the given certificate(s) *FILE*(s) be revoked. For this command, [`lacme-accountd`(1)] can be pointed to either the - account key or the server's private key. + account key or the certificate key. Command alias: `revoke-cert`. Generic settings -- cgit v1.2.3
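Review bot: the hunk in the "new setting 'logfile'" patch only adds `--quiet` to the forced-command example and never mentions the *logfile* setting the subject announces, nor why `--quiet` now belongs in `command="…"`. A sentence explaining the purpose of `--quiet` in the forced command, and a pointer to where *logfile* is documented (since the operator configuring this `authorized_keys` line is exactly the one who wants signature requests logged), would tie the change to its commit message.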
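Review bot: in the *server* hunk, replacing the literal default with `@@acmeapi_server@@` hides the effective value from anyone reading the unrendered source or a build configured with a different URL. Consider keeping a parenthetical stating the upstream default, i.e. the Let's Encrypt production directory `https://acme-v02.api.letsencrypt.org/directory` that this hunk removes, so users can tell whether their build points at production, staging, or a private CA.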