diff options
Diffstat (limited to 'roles/lacme/files/etc/lacme/lacme.conf')
-rw-r--r-- | roles/lacme/files/etc/lacme/lacme.conf | 119 |
1 files changed, 78 insertions, 41 deletions
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf index 5aa1252..28633b6 100644 --- a/roles/lacme/files/etc/lacme/lacme.conf +++ b/roles/lacme/files/etc/lacme/lacme.conf @@ -1,86 +1,123 @@ -# For certificate issuance (new-cert command), specify the certificate -# configuration file to use +# For certificate issuance (newOrder command), specify a space-separated +# certificate configuration files or directories to use # -#config-certs = config/lacme-certs.conf +#config-certs = lacme-certs.conf lacme-certs.conf.d/ + [client] -# The value of "socket" specifies the lacme-accountd(1) UNIX-domain -# socket to connect to for signature requests from the ACME client. -# lacme(1) aborts if the socket is readable or writable by other users, -# or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment -# variable is set. + +# The value of "socket" specifies the path to the lacme-accountd(1) +# UNIX-domain socket to connect to for signature requests from the ACME +# client. lacme(8) aborts if the socket is readable or writable by +# other users, or if its parent directory is writable by other users. +# This setting is ignored when lacme-accountd(1) is spawned by lacme(8), +# since the two processes communicate through a socket pair. See the +# "accountd" section below for details. # -#socket = /run/user/1000/S.lacme +#socket = %t/S.lacme # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). -# Default: "nobody". +# Skip privilege drop if the value is empty (not recommended). # -user = lacme +#user = _lacme-client # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -group = nogroup +#group = nogroup -# Path to the ACME client executable. -#command = /usr/lib/lacme/client +# ACME client command. +# +#command = /usr/libexec/lacme/client -# Root URI of the ACME server. NOTE: Use the staging server for testing -# as it has relaxed ratelimit. +# URI of the ACME server's directory. NOTE: Use the staging server +# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing +# as it has relaxed rate-limiting. # -#server = https://acme-v01.api.letsencrypt.org/ -#server = https://acme-staging.api.letsencrypt.org/ +#server = https://acme-v02.api.letsencrypt.org/directory # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. # -#timeout = 10 +#timeout = 30 # Whether to verify the server certificate chain. -SSL_verify = yes +# +#SSL_verify = yes # Specify the version of the SSL protocol used to transmit data. -SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 +# +#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 # Specify the cipher list for the connection. -SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +# +#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL [webserver] -# Specify the local address to listen on, in the form ADDRESS[:PORT]. +# Comma- or space-separated list of addresses to listen on, for instance +# "0.0.0.0:80 [::]:80". # -#listen = 0.0.0.0:80 -listen = [::]:80 +#listen = /run/lacme-www.socket -# If a webserver is already running, specify a non-existent directory -# under which the webserver is configured to serve GET requests for -# challenge files under "/.well-known/acme-challenge/" (for each virtual -# hosts requiring authorization) as static files. +# Directory under which an external HTTP daemon is configured to serve +# GET requests for challenge files under "/.well-known/acme-challenge/" +# (for each virtual host requiring authorization) as static files. +# NOTE: the directory must exist and be writable by the lacme client +# user. # -challenge-directory = /var/www/acme-challenge +#challenge-directory = # username to drop privileges to (setting both effective and real uid). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -user = www-data +#user = _lacme-www # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). -# Preserve root privileges if the value is empty (not recommended). +# Skip privilege drop if the value is empty (not recommended). # -user = www-data +#group = nogroup -# Path to the ACME webserver executable. -#command = /usr/lib/lacme/webserver +# ACME webserver command. +# +#command = /usr/libexec/lacme/webserver # Whether to automatically install iptables(8) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically -# removed once lacme(1) exits. +# removed once lacme(8) exits. +# +#iptables = No + + +[accountd] +# lacme-accound(1) section. Comment out this section (including its +# header), or use the --socket= CLI option, to make lacme(8) connect to +# an existing lacme-accountd(1) process via a UNIX-domain socket. + +# username to drop privileges to (setting both effective and real uid). +# Skip privilege drop if the value is empty. +# +#user = + +# groupname to drop privileges to (setting both effective and real gid, +# and also setting the list of supplementary gids to that single group). +# Skip privilege drop if the value is empty. +# +#group = + +# lacme-accountd(1) command. +# +#command = /usr/bin/lacme-accountd + +# Path to the lacme-accountd(1) configuration file. +# +#config = + +# Be quiet. # -#iptables = Yes +#quiet = Yes ; vim:ft=dosini |