# For certificate issuance (newOrder command), specify a space-separated
# list of certificate configuration files or directories to use.
#
#config-certs = lacme-certs.conf lacme-certs.conf.d/


[client]

# The value of "socket" specifies the path to the lacme-accountd(1)
# UNIX-domain socket to connect to for signature requests from the ACME
# client.  lacme(8) aborts if the socket is readable or writable by
# other users, or if its parent directory is writable by other users.
# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
# variable is set.
# This option is ignored when lacme-accountd(1) is spawned by lacme(8),
# since the two processes communicate through a socket pair.  See the
# "accountd" section below for details.
#
#socket =

# username to drop privileges to (setting both effective and real uid).
# Skip privilege drop if the value is empty (not recommended).
#
#user = @@lacme_client_user@@

# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Skip privilege drop if the value is empty (not recommended).
#
#group = @@lacme_client_group@@

# ACME client command.
#
#command = @@libexecdir@@/lacme/client

# URI of the ACME server's directory.  NOTE: Use the staging server
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
# as it has relaxed rate-limiting.
#
#server = https://acme-v02.api.letsencrypt.org/directory

# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
#
#timeout = 30

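# Whether to verify the server certificate chain.  With verification
# disabled the client cannot tell the ACME server from an impersonator,
# so leave it enabled except against a local test server.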
#
#SSL_verify = yes

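# Specify the version of the SSL/TLS protocol used to transmit data.
# The default negotiates the highest version both ends support, with
# SSLv2, SSLv3, TLSv1 and TLSv1.1 excluded.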
#
#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2

# Specify the cipher list for the connection.
#
#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL


[webserver]

# Comma- or space-separated list of addresses to listen on, for instance
# "0.0.0.0:80 [::]:80".
#
#listen = @@runstatedir@@/lacme-www.socket

# Directory under which an external HTTP daemon is configured to serve
# GET requests for challenge files under "/.well-known/acme-challenge/"
# (for each virtual host requiring authorization) as static files.
# NOTE: the directory must exist and be writable by the lacme client
# user.
#
#challenge-directory =

# username to drop privileges to (setting both effective and real uid).
# Skip privilege drop if the value is empty (not recommended).
#
#user = @@lacme_www_user@@

# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Skip privilege drop if the value is empty (not recommended).
#
#group = @@lacme_www_group@@

# ACME webserver command.
#
#command = @@libexecdir@@/lacme/webserver

# Whether to automatically install iptables(8) rules to open the
# ADDRESS[:PORT] specified with listen.  These rules are automatically
# removed once lacme(8) exits.
#
#iptables = No


[accountd]
# lacme-accountd(1) section.  Comment out this section (including its
# header), or use the --socket= CLI option, to make lacme(8) connect to
# an existing lacme-accountd(1) process via a UNIX-domain socket.

# username to drop privileges to (setting both effective and real uid).
# Skip privilege drop if the value is empty.
#
#user =

# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Skip privilege drop if the value is empty.
#
#group =

# lacme-accountd(1) command.
#
#command = @@bindir@@/lacme-accountd

# Path to the lacme-accountd(1) configuration file.
#
#config =

# The (private) account key to use for signing requests.  See
# lacme-accountd(1) for details.  The key file should be readable only
# by the user lacme-accountd(1) runs as.
#
#privkey = file:/path/to/account.key

# Be quiet.
#
#quiet = Yes

; vim:ft=dosini