From 8fd46f8f562345bb6c26b3eb8307994378732b94 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 28 Jun 2017 22:45:12 +0200 Subject: Improve docs. --- lacme.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index 4146515..7f2e616 100644 --- a/lacme.md +++ b/lacme.md @@ -223,7 +223,8 @@ of [ACME] commands and dialogues with the remote [ACME] server). `[webserver]` section --------------------- -This section is used for configuring the [ACME] webserver. +This section is used to configure how [ACME] challenge responses are +served. *listen* @@ -258,7 +259,8 @@ This section is used for configuring the [ACME] webserver. *command* -: Path to the [ACME] webserver executable. +: Path to the [ACME] webserver executable. A separate process is + spawned for each address to *listen* on. Default: `/usr/lib/lacme/webserver`. *iptables* -- cgit v1.2.3 From 73ac1dd0d4d47905e8a407bcb1bf2ac494c34c86 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 09:44:43 +0200 Subject: Improve docs. --- lacme.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index 7f2e616..3ba4a44 100644 --- a/lacme.md +++ b/lacme.md @@ -224,7 +224,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). --------------------- This section is used to configure how [ACME] challenge responses are -served. +served during certificate issuance. *listen* 
@@ -232,6 +232,12 @@ served. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). + Since the webserver component listens to a UNIX-domain socket by + default, it is only suitable when an external HTTP daemon is + publicly reachable and passes all ACME challenge requests to that + socket; if that's not the case, one needs to set *listen* to `[::]` + (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is disabled or + unavailable), and possibly also set *iptables* to `Yes`. Default: `/var/run/lacme.socket`. *challenge-directory* -- cgit v1.2.3 From 7da82bf4ce1d40b730c4ace0817ccbcb862221ee Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 09:49:05 +0200 Subject: wibble --- lacme.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index 3ba4a44..d2a3b46 100644 --- a/lacme.md +++ b/lacme.md 
@@ -232,14 +232,15 @@ served during certificate issuance. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). - Since the webserver component listens to a UNIX-domain socket by - default, it is only suitable when an external HTTP daemon is - publicly reachable and passes all ACME challenge requests to that - socket; if that's not the case, one needs to set *listen* to `[::]` - (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is disabled or - unavailable), and possibly also set *iptables* to `Yes`. Default: `/var/run/lacme.socket`. + Note: The default value is only suitable when an external HTTP + daemon is publicly reachable and passes all ACME challenge requests + to the webserver component through the UNIX-domain socket + `/var/run/lacme.socket`; if that's not the case, one needs to set + *listen* to `[::]` (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is + disabled or unavailable), and possibly also set *iptables* to `Yes`. + *challenge-directory* : Specify a non-existent directory under which an external HTTP daemon -- cgit v1.2.3 From 3dde7848732e6fe3f0323866b7fe06cc12748bf5 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 10:01:21 +0200 Subject: wibble --- lacme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index d2a3b46..d18b176 100644 --- a/lacme.md +++ b/lacme.md 
@@ -238,7 +238,7 @@ served during certificate issuance. daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket `/var/run/lacme.socket`; if that's not the case, one needs to set - *listen* to `[::]` (or `0.0.0.0 [::]` when dual stack IPv4/IPv6 is + *listen* to `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or unavailable), and possibly also set *iptables* to `Yes`. *challenge-directory* -- cgit v1.2.3 From d93660085ceba3f81631bba4744b23af7984cd9d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 22:43:33 +0200 Subject: Improve docs. --- lacme.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index d18b176..0f6f3ee 100644 --- a/lacme.md +++ b/lacme.md @@ -234,12 +234,15 @@ served during certificate issuance. absolute path of a UNIX-domain socket (created with mode `0666`). Default: `/var/run/lacme.socket`. - Note: The default value is only suitable when an external HTTP + **Note**: The default value is only suitable when an external HTTP daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket - `/var/run/lacme.socket`; if that's not the case, one needs to set - *listen* to `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is - disabled or unavailable), and possibly also set *iptables* to `Yes`. + `/var/run/lacme.socket` (for instance using the provided + `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration + snippets for each virtual host requiring authorization). If there + is no HTTP daemon bound to port 80 one needs to set *listen* to + `[::]` (or `0.0.0.0 [::]` when dual IPv4/IPv6 stack is disabled or + unavailable), and possibly also set *iptables* to `Yes`. *challenge-directory* 
@@ -267,7 +270,8 @@ served during certificate issuance. *command* : Path to the [ACME] webserver executable. A separate process is - spawned for each address to *listen* on. + spawned for each address to *listen* on. (In particular no + webserver process is forked when the *listen* option is empty.) Default: `/usr/lib/lacme/webserver`. *iptables* -- cgit v1.2.3
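Review bot: In commit 8fd46f8 (*command* hunk of lacme.md), "A separate process is spawned for each address to *listen* on" leaves two cases implicit: whether the default UNIX-domain socket path counts as an address (the *listen* description says it accepts "an absolute path of a UNIX-domain socket", so presumably yes) and what happens when *listen* is empty. Suggest stating both, e.g. "one process per *listen* entry, including the default UNIX-domain socket; none when *listen* is empty".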
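Review bot: In commit 73ac1dd (*listen* hunk), the added paragraph is inserted above the "Default: `/var/run/lacme.socket`." line while opening with "Since the webserver component listens to a UNIX-domain socket by default", so the reader meets the reference before the default is stated; move it after the Default line. The closing "and possibly also set *iptables* to `Yes`" also gives no condition for when that is needed; name it (the case the *iptables* option is meant for) rather than leaving "possibly".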
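Review bot: In commit 7da82bf (*listen* hunk), the relocated note hardcodes "the UNIX-domain socket `/var/run/lacme.socket`" two lines below "Default: `/var/run/lacme.socket`.", so the two copies can drift apart if the default ever changes; "through the default UNIX-domain socket" would keep a single source of truth. The hunk also adds a `+` blank line before `*challenge-directory*`; check that this does not produce a double blank line in the rendered page.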
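Review bot: In commit 3dde784 the one-line change ("dual stack IPv4/IPv6" to "dual IPv4/IPv6 stack") is fine, but the subject "wibble" (also used for 7da82bf) says nothing about it; a subject such as "lacme.md: reword dual-stack note" makes the log searchable.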
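Review bot: In commit d936600 (first hunk, *listen* note), replacing "if that's not the case" with "If there is no HTTP daemon bound to port 80" narrows the condition: a daemon that is bound to port 80 but does not include the `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` snippet for a given virtual host will not pass challenge requests to the socket either, yet the new wording no longer covers it. Suggest "If no HTTP daemon listening on port 80 forwards challenge requests to the socket, one needs to set *listen* to `[::]` ...", which keeps the reachability requirement stated in the sentence before.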
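Review bot: In commit d936600 (second hunk, *command*), "no webserver process is forked when the *listen* option is empty" uses "forked" right after "spawned" in the previous sentence; pick one term. More importantly, the parenthesis should say how challenge responses are served in that configuration (via the external HTTP daemon and *challenge-directory*), so the reader knows an empty *listen* is a supported setup rather than a misconfiguration.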