From 84f6363da57ccc3a58fc72f60cf51ca70cea34f6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Feb 2017 13:36:11 +0100 Subject: new-cert: new CLI option "min-days" --- lacme.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index f5b5559..aec2cd1 100644 --- a/lacme.md +++ b/lacme.md @@ -88,7 +88,7 @@ Commands When specified, the list of *CONTACT* information and the agreement *URI* are sent to the server to replace the existing values. -`lacme` [`--config-certs=`*FILE*] `new-cert` [*SECTION* …] +`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …] : Read the certificate configuration *FILE* (see the **[certificate configuration file](#certificate-configuration-file)** section below @@ -339,7 +339,10 @@ Valid options are: : For an existing certificate, the minimum number of days before its expiration date the section is considered for re-issuance. - Default: `10`. + A negative value forces reissuance, while the number `0` limits + reissuance to expired certificates. + Default: the value of the CLI option `--min-days`, or `10` if there + is no such option. *CAfile* -- cgit v1.2.3 From 944407621f313c15f6cfd53267da1ddbdaceec9f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 28 Jun 2017 17:19:46 +0200 Subject: webserver: allow listening to multiple addresses. (Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket . Moreover temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. --- lacme.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index aec2cd1..94b40cb 100644 --- a/lacme.md +++ b/lacme.md 
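Review bot: the `new-cert` synopsis hunk (@@ -88) adds `[--min-days=`*INT*`]`, but nothing in this patch documents the option itself; the only description is the indirect one in the Default line of the per-section `min-days` option. Suggest an entry for `--min-days` next to `--config-certs` stating that it sets the default for the section-level `min-days` and that *INT* may be negative or `0`, with the semantics given in the @@ -339 hunk.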
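Review bot: "or `10` if there is no such option" (@@ -339) is ambiguous, since it can be read as the option being unsupported; suggest "or `10` if `--min-days` is not given". The precedence is also only implied: state plainly that a section-level `min-days` overrides the CLI value, which overrides `10`. Because a negative value forces reissuance on every run, the same warning belongs next to the CLI option, otherwise a cronjob invoked with a negative `--min-days` reissues every section on each run.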
@@ -51,13 +51,12 @@ with its own executable: 4. For certificate issuances (`new-cert` command), an optional webserver (specified with the *command* option of the [`[webserver]` section](#webserver-section) of the configuration file), which is - spawned by the “master” `lacme` process when no service is listening - on the HTTP port. (The only challenge type currently supported by - `lacme` is `http-01`, which requires a webserver to answer - challenges.) That webserver only processes `GET` and `HEAD` requests - under the `/.well-known/acme-challenge/` URI. - By default some [`iptables`(8)] rules are automatically installed to - open the HTTP port, and removed afterwards. + spawned by the “master” `lacme`. (The only challenge type currently + supported by `lacme` is `http-01`, which requires a webserver to + answer challenges.) That webserver only processes `GET` and `HEAD` + requests under the `/.well-known/acme-challenge/` URI. + Moreover temporary [`iptables`(8)] rules can be automatically + installed to open the HTTP port. Commands ======== 
@@ -228,18 +227,19 @@ This section is used for configuring the [ACME] webserver. *listen* -: Specify the local address to listen on, in the form - `ADDRESS[:PORT]`. If `ADDRESS` is enclosed with brackets ‘[’/‘]’ - then it denotes an IPv6; an empty `ADDRESS` means `0.0.0.0`. - Default: `:80`. +: Comma- or space-separated list of addresses to listen on. Valid + addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the + `:PORT` suffix is optional and defaults to the HTTP port 80), or an + absolute path of a UNIX-domain socket (created with mode `0666`). + Default: `/var/run/lacme.socket`. *challenge-directory* -: If a webserver is already running, specify a non-existent directory - under which the webserver is configured to serve `GET` requests for - challenge files under `/.well-known/acme-challenge/` (for each - virtual hosts requiring authorization) as static files. - Default: `/var/www/acme-challenge`. +: Specify a non-existent directory under which an external HTTP daemon + is configured to serve `GET` requests for challenge files under + `/.well-known/acme-challenge/` (for each virtual host requiring + authorization) as static files. + This option is required when *listen* is empty. *user* @@ -263,10 +263,10 @@ This section is used for configuring the [ACME] webserver. *iptables* -: Whether to automatically install [`iptables`(8)] rules to open the - `ADDRESS[:PORT]` specified with *listen*. Theses rules are +: Whether to automatically install temporary [`iptables`(8)] rules to + open the `ADDRESS[:PORT]` specified with *listen*. The rules are automatically removed once `lacme` exits. - Default: `Yes`. + Default: `No`. `[accountd]` section --------------------- -- cgit v1.2.3 From 40a54d2ad35630b1c8a7cd88791db032a7983d4d Mon Sep 17 00:00:00 2001 
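Review bot: "spawned by the “master” `lacme`." (@@ -51) drops the word "process" and now reads incomplete; suggest "spawned by the “master” `lacme` process." The removed condition "when no service is listening on the HTTP port" has no replacement, so the paragraph no longer says when the webserver is started; per the commit message it is now always spawned and listens on a UNIX-domain socket by default, and the paragraph should say so, so readers know an external HTTP daemon is expected to forward challenge requests to it.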
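Review bot: the *listen* text (@@ -228) documents that the UNIX-domain socket is created with mode `0666` but not who is expected to connect to it or how; suggest one sentence saying that the external HTTP daemon must proxy requests under `/.well-known/acme-challenge/` to that socket, and that the world-accessible mode exists so the daemon's unprivileged user can connect. Under *challenge-directory*, "This option is required when *listen* is empty" leaves the non-empty case implicit; state whether the option is ignored when *listen* is set.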
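Review bot: the *iptables* description (@@ -263) still says "the `ADDRESS[:PORT]` specified with *listen*", but *listen* now takes a comma- or space-separated list that may contain UNIX-domain socket paths. Suggest "rules to open each `IPV4:PORT` / `[IPV6]:PORT` listed in *listen* (socket paths are skipped)". Since the default flips from `Yes` to `No`, also mention, as the commit message does, that hosts setting *listen* to `[::]` and/or `0.0.0.0` may need *iptables* set to `Yes`.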
From: Guilhem Moulin Date: Wed, 28 Jun 2017 21:33:40 +0200 Subject: Change the default 'min-days' from 10 to 21. This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration. --- lacme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index 94b40cb..4146515 100644 --- a/lacme.md +++ b/lacme.md @@ -341,7 +341,7 @@ Valid options are: expiration date the section is considered for re-issuance. A negative value forces reissuance, while the number `0` limits reissuance to expired certificates. - Default: the value of the CLI option `--min-days`, or `10` if there + Default: the value of the CLI option `--min-days`, or `21` if there is no such option. *CAfile* -- cgit v1.2.3
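Review bot: the Default line (@@ -341) changes `10` to `21` with no rationale in the text; the commit message explains that Let's Encrypt sends notices 19 and then 9 days before expiration, so `21` keeps a cronjob-driven renewal ahead of the first notice. Suggest adding that sentence to the option text so operators who lower the value know they will start receiving expiration notices, and check that any documentation of the `--min-days` CLI option in the `new-cert` synopsis states the same default.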