From d1bc3ad109a3000bda8a7876673ff9a0281e8c7b Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 26 Apr 2018 20:29:44 +0200 Subject: Use ACME v2 endpoints https://tools.ietf.org/html/draft-ietf-acme-acme-12 --- lacme.md | 59 +++++++++++++++++++++++++---------------------------------- 1 file changed, 25 insertions(+), 34 deletions(-) (limited to 'lacme.md') diff --git a/lacme.md b/lacme.md index ba1e5be..2d70c49 100644 --- a/lacme.md +++ b/lacme.md @@ -34,7 +34,7 @@ with its own executable: component with access to the private key material of the server keys. It is used to fork the [ACME] client (and optionally the [ACME] webserver) after dropping root privileges. - For certificate issuances (`new-cert` command), it also generates + For certificate issuances (`newOrder` command), it also generates Certificate Signing Requests, then verifies the validity of the issued certificate, and optionally reloads or restarts services when the *notify* option is set. @@ -48,7 +48,7 @@ with its own executable: UNIX-domain socket to the [ACME] client: data signatures are requested by writing the data to be signed to the socket. - 4. For certificate issuances (`new-cert` command), an optional + 4. For certificate issuances (`newOrder` command), an optional webserver (specified with the *command* option of the [`[webserver]` section](#webserver-section) of the configuration file), which is spawned by the “master” `lacme`. (The only challenge type currently 
@@ -61,44 +61,36 @@ with its own executable: Commands ======== -`lacme` [`--agreement-uri=`*URI*] `new-reg` [*CONTACT* …] +`lacme account` [`--tos-agreed`] [`--register`] [*CONTACT* …] -: Register the account key managed by [`lacme-accountd`(1)]. A list - of *CONTACT* information (such as `maito:` URIs) can be specified in - order for the server to contact the client for issues related to - this registration (such as notifications about server-initiated - revocations). +: Register (if `--registered` is set) a [`lacme-accountd`(1)]-managed + account key. A list of *CONTACT* information (such as `maito:` + URIs) can be specified in order for the [ACME] server to contact the + client for issues related to this registration (such as + notifications about server-initiated revocations). `--tos-agreed` + indicates agreement with the [ACME] server's Terms of Service (and + might be required for registration). - `--agreement-uri=` can be used to specify a *URI* referring to a - subscriber agreement or terms of service provided by the server; - adding this options indicates the client's agreement with the - referenced terms. Note that the server might require the client to - agree to subscriber agreement before performing any further actions. + If the account key is already registered, update the contact info + with the given list of *CONTACT* information. - If the account key is already registered, `lacme` prints the URI of - the existing registration and aborts. + Upon success, `lacme` prints the new or updated Account Object from + the [ACME] server. -`lacme` [`--agreement-uri=`*URI*] `reg=`*URI* [*CONTACT* …] - -: Dump or edit the registration *URI* (relative to the [ACME] server - URI, which is specified with the *server* option of the [`[client]` - section](#client-section) of the configuration file). - - When specified, the list of *CONTACT* information and the agreement - *URI* are sent to the server to replace the existing values. 
- -`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …] +`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `newOrder` [*SECTION* …] : Read the certificate configuration *FILE* (see the **[certificate configuration file](#certificate-configuration-file)** section below for the configuration options), and request new Certificate Issuance for each of its sections (or the given list of *SECTION*s). + Command alias: `new-order`. -`lacme` `revoke-cert` *FILE* [*FILE* …] +`lacme` `revokeCert` *FILE* [*FILE* …] : Request that the given certificate(s) *FILE*(s) be revoked. For this command, [`lacme-accountd`(1)] can be pointed to either the account key or the server's private key. + Command alias: `revoke-cert`. Generic options =============== @@ -149,7 +141,7 @@ Default section *config-certs* -: For certificate issuances (`new-cert` command), specify the +: For certificate issuances (`newOrder` command), specify the space-separated list of certificate configuration files or directories to use (see the **[certificate configuration file](#certificate-configuration-file)** section below for the @@ -198,7 +190,7 @@ of [ACME] commands and dialogues with the remote [ACME] server). *server* : Root URI of the [ACME] server. - Default: `https://acme-v01.api.letsencrypt.org/`. + Default: `https://acme-v02.api.letsencrypt.org/directory`. *timeout* @@ -322,7 +314,7 @@ If the section (including its header) is absent or commented out, Certificate configuration file ============================== -For certificate issuances (`new-cert` command), a separate file is used +For certificate issuances (`newOrder` command), a separate file is used to configure paths to the certificate and key, as well as the subject, subjectAltName, etc. to generate Certificate Signing Requests. Each section denotes a separate certificate issuance. 
@@ -405,17 +397,16 @@ Valid options are: Examples ======== - ~$ sudo lacme new-reg mailto:noreply@example.com - ~$ sudo lacme reg=/acme/reg/123456 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf - ~$ sudo lacme new-cert - ~$ sudo lacme revoke-cert /path/to/server/certificate.pem + ~$ sudo lacme account --register --tos-agreed mailto:noreply@example.com + ~$ sudo lacme newOrder + ~$ sudo lacme revokeCert /path/to/server/certificate.pem See also ======== [`lacme-accountd`(1)] -[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02 +[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12 [`lacme-accountd`(1)]: lacme-accountd.1.html [`iptables`(8)]: http://linux.die.net/man/8/iptables [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html -- cgit v1.2.3
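Review bot: the option name is inconsistent within the `lacme account` hunk (`@@ -61,44 +61,36 @@`): the synopsis line reads `[`--tos-agreed`] [`--register`]` but the description says "Register (if `--registered` is set)"; the Examples hunk uses `--register`, so the description should read `--register` as well. The same hunk also carries the pre-existing `maito:` typo into the new text ("such as `maito:` URIs"); it should be `mailto:`, matching `mailto:noreply@example.com` in the examples. Two smaller points on this hunk: `newOrder` and `revokeCert` keep backwards-compatible aliases (`new-order`, `revoke-cert`) while `account` has none for the removed `new-reg` and `reg=`*URI* commands, so either add an alias or state that those commands are gone and that existing invocations of `lacme new-reg` will fail; and since `--tos-agreed` replaces `--agreement-uri=`*URI*, the operator no longer names the specific terms document being accepted, so the text should tell the reader where to find the server's current Terms of Service before passing `--tos-agreed` (the linked ACME draft publishes that URL in the directory object's metadata).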
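Review bot: the *server* option in hunk `@@ -198,7 +190,7 @@` still describes itself as "Root URI of the [ACME] server" while its new default is `https://acme-v02.api.letsencrypt.org/directory`; in ACME v2 the client discovers all endpoints from the directory object rather than from fixed paths under a root, so the description should change with the default, e.g. "URI of the [ACME] server's directory object", otherwise a reader following the old wording may configure a bare root such as `https://acme-v02.api.letsencrypt.org/` and not get the documented behaviour.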
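Review bot: the Examples hunk (`@@ -405,17 +397,16 @@`) removes the `reg=/acme/reg/123456` example without showing the replacement for that use case; the Commands section states that `lacme account` without `--register` updates the contact information of an already registered key, so add a second line such as `~$ sudo lacme account mailto:noreply@example.com` after the `--register --tos-agreed` example so both the registration and the update mode are illustrated.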