summaryrefslogtreecommitdiffabout
authorSergey Poznyakoff <gray@gnu.org>2019-08-26 10:43:13 (GMT)
committer Sergey Poznyakoff <gray@gnu.org>2019-08-26 10:57:25 (GMT)
commitd9d63339f7df96d7dfcdbd11edbe996359b5813e (patch) (side-by-side diff)
treecce58ed960a40e05850a3eb7858d4be1b7f0f3ed
parent5d0c176c8f14151e54959bd898df69c82b5289c0 (diff)
downloadacmeman-d9d63339f7df96d7dfcdbd11edbe996359b5813e.tar.gz
acmeman-d9d63339f7df96d7dfcdbd11edbe996359b5813e.tar.bz2
Improve docs.
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--Changes6
-rw-r--r--Makefile.PL5
-rw-r--r--README40
-rwxr-xr-xacmeman521
-rw-r--r--lib/App/Acmeman.pm5
5 files changed, 416 insertions, 161 deletions
diff --git a/Changes b/Changes
index 39a5bdf..1c25821 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,9 @@
+2.00 2019-08-26
+
+ - Released on CPAN
+ - Parses entire Apache configuration. In particular, correctly
+ handles Include statements and expands macros (the Use statement).
+
1.11 2019-08-15
- Fix acmeman --setup
diff --git a/Makefile.PL b/Makefile.PL
index 846d342..43555f8 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -8,7 +8,7 @@ use ExtUtils::MakeMaker;
my %makefile_args = (
NAME => 'App::Acmeman',
ABSTRACT_FROM => 'acmeman',
- VERSION_FROM => 'acmeman',
+ VERSION_FROM => 'lib/App/Acmeman.pm',
AUTHOR => 'Sergey Poznyakoff <gray@gnu.org>',
LICENSE => 'gpl_3',
EXE_FILES => [ 'acmeman' ],
@@ -36,8 +36,7 @@ my %makefile_args = (
'Apache::Defaults' => 1.02,
'Apache::Config::Preproc' => 1.03
},
-
- MIN_PERL_VERSION => 5.006,
+ MIN_PERL_VERSION => 5.016001,
META_MERGE => {
'meta-spec' => { version => 2 },
resources => {
diff --git a/README b/README
new file mode 100644
index 0000000..bb6da72
--- a/dev/null
+++ b/README
@@ -0,0 +1,40 @@
+acmeman
+=======
+
+Command line utility for issuing and maintaining ACME SSL certificates.
+
+While most existing ACME tools take a list of domain names for which to
+issue certificates from their command line or configuration file, acmeman
+gathers domain names directly from the configuration of the http server
+that serves them. Thus, a domain name obtains its certificate automatically,
+once the administrator configures the http server to serve it via https.
+
+The utility is normally run as a cron job.
+
+Installation
+------------
+
+To build run:
+
+ perl Makefile.PL
+
+as usual. The created Makefile will install the missing dependencies
+from CPAN automatically. If this is not desirable, run
+
+ perl Makefile.PL --no-autoinstall
+
+instead.
+
+See "man acmeman" (or "perldoc acmeman", or "acmeman --help"), for a
+detailed manual.
+
+Copying
+-------
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+See http://www.gnu.org/licenses.
+
+
diff --git a/acmeman b/acmeman
index 8c446b2..e0f22ab 100755
--- a/acmeman
+++ b/acmeman
@@ -18,16 +18,16 @@ acmeman - manages ACME certificates
B<acmeman>
[B<-Fadns>]
[B<-D> I<N>]
-[B<-f> I<FILE>]
+[B<-f> I<FILE>]
[B<--alt-names>]
[B<--config-file=>I<FILE>]
[B<--debug>]
[B<--dry-run>]
[B<--force>]
-[B<--stage>]
+[B<--stage>]
[B<--time-delta=>I<N>]
[I<DOMAIN>...]
-
+
B<acmeman> B<--setup> | B<-S>
[B<-Fdn>]
[B<--config-file=>I<FILE>]
@@ -39,35 +39,253 @@ B<acmeman>
[B<-h>]
[B<--help>]
[B<--usage>]
-
-=head1 DESCRIPTION
-A tool for automatic creation and renewal of ACME (LetsEncrypt) SSL
-certificates. The list of domains to handle can be obtained from
-B<acmeman> or B<apache> configuration files, or from both. If the
-default B<acmeman> configuration file doesn't exist, the program
-scans B<apache> configuration files for a list of domains.
+=head1 DESCRIPTION
-B<Acmeman> is normally run periodically as a cronjob.
-
-If you plan to serve SSL protected domains using apache, you can skip
-right to the B<apache> section.
+B<Acmeman> is a tool for automatic management of ACME (LetsEncrypt) SSL
+certificates.
+
+Most existing ACME tools take a list of domain names for which to issue
+certificates from their command line or configuration file. B<Acmeman>
+takes a completely different approach. It gathers domain names directly
+from the configuration of the B<http> server that manages them. Thus,
+a domain name obtains its certificate automatically, once the administrator
+configures the http server to serve it via https.
+
+This version of B<acmeman> is able to handle configuration files of
+B<Apache> http server, and servers that are able to read the list of
+domain names from disk files, such as B<HAProxy>.
+
+For trivial configurations, B<acmeman> can be used without any additional
+configuration. For example, support for B<Apache> is enabled by default,
+so all the administrator has to do is to run
+
+ acmeman --setup
+
+which will set up additional macro definitions for the apache configuration
+file, then enable the B<mod_macro> module and to use the provided definitions
+in httpd configuration. This is discussed in detail in the section B<APACHE>
+below.
+
+In more complex configurations, B<acmeman> should be instructed what to
+do using its configuration file. This file, normally named
+F</etc/acmeman.conf>, supplies the definitions of I<domain sources>,
+i.e. configuration files from which to obtain domain names to form the
+certificate CNs and other parameters. At a pinch, the list of domain names
+can be declared in it as well. Several domain sources can be used
+simultaneously. E.g. you can have B<acmeman> look for domain names in
+B<Apache> and B<HAProxy> configurations and obtain an additional list of
+domains from its own configuration, all in the same time.
+
+In any case, B<acmeman> should be run as a periodic cron job, in order to
+ensure that expiring certificates are updated in time. The usual crontab
+entry (for Vixie cron) is
+
+ 0 4 * * * root /usr/bin/acmeman
+
+Exact interval configuration is entirely up to you. For Dillon cron, omit
+the user name field.
+
+When started this way, B<acmeman> will scan the existing certificates and
+select those of them which will expire within a predefined amount of time
+(24h by default, configurable by the B<core.time-delta> statement). Then
+it will scan the configured domain sources to see if any certificates are
+added an alternative CN and if any new certificates should be issued. Having
+created a list of the certificates, it will interact with the ACME server,
+issuing the new ones and updating the ones that need prolongation or
+modification.
+
+=head1 QUICK START
The following is a short introduction to the B<acmeman> configuration. For
-a detailed discussion, see the B<CONFIGURATION> section below.
+a detailed discussion, see the B<CONFIGURATION> section below. For detailed
+discussion of particular domain sources, refer to the section B<SOURCES>.
The configuration file, B</etc/acmeman.conf>, consists of statements,
which have the form B<I<KW>=I<VAL>>, grouped into sections, declared
as B<[I<NAME>]> (square brackets are part of the syntax). Empty lines
and comments (introduced by a hash sign) are ignored.
-Domains which require LetsEncrypt certificates are declared in B<domain>
-section. Each section introduces a single domain. E.g.:
+There are three main use cases
+
+=head2 APACHE
+
+In most cases no special configuration file is needed. The following
+recipe describes each configuration step. Refer to the section B<SOURCE>,
+subsection B<apache> for a detailed discussion.
+
+=over 4
+
+=item 1. Initial configuration
+
+Run
+
+ acmeman --setup
+
+It will detect the Apache layout, install an additional Apache configuration
+file, F<httpd-letsencrypt.conf> and print the instructions on how to
+enable it. Follow them and enable the B<mod_macro> module.
+
+=item 2. Apache domain setup: plain HTTP
+
+To declare that a virtual host needs SSL certificate, add the following
+line to the Apache B<VirtualHost> block serving plain HTTP for that host:
+
+ Use LetsEncryptChallenge
+
+This will instruct Apache B<httpd> to serve ACME challenges and B<acmeman>
+to request a certificate for that virtual host. The hostname declared with
+the B<ServerName> statement will be used as the B<CN> for the certificate,
+and any names declared via B<ServerAlias> statements will form the list of
+alternative names. For example:
+
+ <VirtualHost *:80>
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptChallenge
+ ...
+ </VirtualHost>
+
+=item 3. Issue the certificate
+
+This step is needed if there is no certificate for this domain yet. Reload
+B<httpd> to fire up the new configuration and run B<acmeman> to issue the
+certificate. If anything goes wrong, try adding one or more B<-d> options
+to B<acmeman> to see what's going on. You can also use the B<-s> option
+during initial debugging of the configuration. This option instructs B<acmeman>
+to use the staging ACME server, instead of the production one. This eliminates
+the risk of hitting the ACME request per IP limit.
+
+=item 4. Apache domain setup: HTTPS
+
+To use the created certificate, add another virtual server for that domain,
+with the same B<ServerName> as above and with 443 as its port value. Add
+the following statement to it:
+
+ Use LetsEncryptSSL DOMAIN
+
+where I<DOMAIN> must be the same as the B<ServerName> value. For example,
+the HTTPS virtual host corresponding to the above example will be:
+
+ <VirtualHost *:443>
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptSSL example.org
+ ...
+ </VirtualHost>
+
+This can be further simplified by using the B<LetsEncryptServer> macro instead
+of the B<ServerName> and B<LetsEncryptSSL> statements, as in:
+
+ <VirtualHost *:443>
+ Use LetsEncryptServer example.org
+ ServerAlias www.example.com
+ ...
+ </VirtualHost>
+
+=back
+
+=head2 HAPROXY
+
+Use the B<file> source. This domain source reads the list of domain
+names from a disk file. The first name in the list becomes the certificate
+B<CN>, rest of names (if any) are used as alternative CNs. For a detailed
+discussion of the B<file> source, refer to the section B<SOURCE>,
+subsection B<file>.
+
+=over 4
+
+=item 1. Create a directory for storing domain name files
+
+This directory will keep domain name files, named after the corresponding
+HAProxy backends. E.g.
+
+ mkdir /etc/haproxy/hosts
+
+=item 2. Configure acmeman
+
+Example F</etc/acmeman.conf> file is:
+
+ [core]
+ source = file /etc/haproxy/hosts
+ postrenew = /usr/sbin/service haproxy restart
+ [files default]
+ type = single
+ certificate-file = /etc/ssl/acme/crt/$domain.pem
+
+The B<core> section declares the source to use. The first argument to
+the B<file> source is the name of the directory where the domain name lists
+are stored. The B<postrenew> statement declares the command to be run
+after all certificates have been renewed. In our case, this command restarts
+B<haproxy>, forcing it to re-read the certificates.
+
+The B<files> statement instructs the program to create, for each domain,
+a single file containing the private key, certificate chain and the domain
+certificate for that domain. The B<$domain> variable in the
+B<certificate-file> declaration will be replaced by the first domain name
+from the list (the B<CN>) for that certificate.
+
+This configuration will keep a separate certificate for each backend in
+B<haproxy> that supports https access. If concerned about request rate
+limit, you can instruct B<acmeman> to maintain a single certificate with
+all domain names as X509v3 subject alternative names instead. To do so,
+use the B<--host> option in the source definition. Its argument specifies
+the domain name to use as the CN for the certificate. E.g.:
+
+ [core]
+ source = file /etc/haproxy/hosts --host=www.example.com
+ ...
+
+=item 3. Configure haproxy
+
+First, configure the plain HTTP frontend, which will be responsible for
+serving ACME challenges and redirecting the rest of the requests to
+HTTPS. The simplest definition is:
+
+ frontend http-in
+ mode http
+ bind :::80 v4v6
+ http-request redirect code 301 location https://%[hdr(host)]%[capture.req.uri] unless { path_beg /.well-known/acme-challenge }
+ use_backend acme if { path_beg /.well-known/acme-challenge }
+
+Actual backend configuration for the B<acme> backend is beyond the scope of
+this manual. Use some simple and lightweight B<http> server capable of serving
+static files, such as B<fileserv> (L<https://www.gnu.org.ua/projects/fileserv>),
+for example.
+
+Then, configure HTTPS section to use certificates from the certificate file
+directory:
+
+ frontend https-in
+ mode http
+ bind :::443 v4v6 ssl crt /etc/ssl/acme/crt
+ # Direct each group of domain names to the corresponding
+ # backend.
+ use_backend d1 if { hdr(host) -f /etc/haproxy/hosts/d1 }
+ use_backend d2 if { hdr(host) -f /etc/haproxy/hosts/d2 }
+ ...
+
+Finally, define the backends.
+
+=back
+
+=head2 Direct configuration
+
+Use direct configuration if none of the provided source types can
+be used. In this case, you define each domain which needs a
+certificate in the F</etc/acmeman.conf> file. First, instruct
+B<acmeman> that no external source of domain names will be used:
+
+ [core]
+ source = null
+
+Then, for each domain name use the B<domain> section, as shown in the
+example below:
[domain example.com]
- alt = www.example.com
- files = default
-
+ alt = www.example.com
+ files = default
+
This section instructs B<acmeman> that a certificate is needed for
domain B<example.com>, using B<www.example.com> as its alternative name,
The B<files> statement identifies the name of a B<files> section containing
@@ -75,80 +293,66 @@ rules for creating certificate files for that domain. This section must be
defined elsewhere in the configuration file. For example:
[files default]
- type = split
- certificate-file = /etc/ssl/acme/$domain/cert.pem
- key-file = /etc/ssl/acme/$domain/privkey.pem
- ca-file = /etc/ssl/acme/$domain/ca.pem
- argument = $domain
-
-This definition tells B<acmeman> that it should store certificate, certficate
+ type = split
+ certificate-file = /etc/ssl/acme/$domain/cert.pem
+ key-file = /etc/ssl/acme/$domain/privkey.pem
+ ca-file = /etc/ssl/acme/$domain/ca.pem
+ argument = $domain
+
+This definition tells B<acmeman> that it should store certificate, certificate
key, and certificate authority chain in three separate files. Names of these
files will be created by replacing the B<$domain> string in the corresponding
-definition with the domain name from the B<domain> section,
-
-In fact, the B<files> section above is the default one. It will be created
-implicitly if no other B<files> section is defined in the configuration file.
-Moreover, the string B<default> is the default identifier, which is used if
-the B<domain> section lacks the B<files> keyword.
-
-The special section B<[core]> contains basic settings that control the
-program behavior. One of the important settings is B<source>, which declares
-an external source from which domain settings must be obtained. As
-of B<acmeman> version 1.05, the following sources are available:
-B<null>, B<apache>, and B<file>.
-
-Consider the following configuration:
+definition with the domain name from the B<domain> section.
- [core]
- source = apache
+Several B<[domain]> section can share the same B<[files]> definition, or
+they can have their one, depending on your needs.
-It instructs B<acmeman> to read domain settings from Apache configuration
-files. This is basically the configuration that is used in the absense of
-the configuration file. See the B<APACHE> section for a detailed discussion
-of this operation mode.
-
=head1 CONFIGURATION
Configuration file controls the operation of B<acmeman>. By default,
its name is B</etc/acmeman.conf>. If it is absent, B<acmeman> falls
back to the legacy operation mode, scanning Apache configuration files
for domains that use LetsEncrypt SSL certificates. See the B<APACHE>
-section below for a detailed description.
+section below for a detailed description.
The configuration file has a traditional line-oriented syntax. Comments
are introduced with a hash sign. Empty lines are ignored. Leading and
trailing whitespace is removed prior to parsing. Long statements can be
split over several physical lines by ending each line excepting the last
one with a backslash immediately followed by a newline character.
-
-Statements have the following syntax:
- KEYWORD = VALUES
+Configuration consists of settings grouped into sections. Syntactically,
+a I<setting> is
+
+ KEYWORD = VALUE
where I<KEYWORD> stands for a symbolic name consisting of alphanumeric
characters, dashes and underscores, and I<VALUE> stands for any sequence
of characters.
-Statements are grouped in sections. Each section is identified by its name
-and optional arguments. The section begins with the construct
+A I<section> is identified by its name and optional arguments. It begins
+with the following construct:
[NAME]
or, if arguments are present:
-
+
[NAME ARG1 ARG2 ...]
The square brackets are part of the syntax.
+A section can contain one or more settings.
+
The statements in the configuration file form a directed graph. Often
in this document we will identify the statement by its I<path>, i.e. a
-list of section name, arguments and the keyword, separated by dots. For
+list of section name, its arguments, and the keyword, separated by dots. For
example, the path B<files.apache.type> corresponds to the following
configuration file fragment:
[files apache]
type = single
+
The following describes the available sections and keywords
=head2 B<[core]>
@@ -164,11 +368,11 @@ Root directory is the directory under which the
F<.well-known/acme-challenge> subdirectory is located.
=item B<time-delta=>I<SECONDS>
-
+
Sets the time window before the actual expiration time, when the certificate
becomes eligible for renewal. I<N> is time in seconds. The default
value is 86400, which means that B<acmeman> will attempt to renew any
-certificate that expires within 24 hours.
+certificate that expires within 24 hours.
The command line option B<--time-delta> overrides this setting.
@@ -180,13 +384,17 @@ server (or whatever server is using the certificates). If more than one
B<postrenew> statements are defined, they will be run in sequence, in the
same order as they appeared in the configuration file.
-=item B<source=>I<ID> [I<ARG>...]
+=item B<source=>I<NAME> [I<ARG>...]
-Defines additional source of information. B<App::Acmeman> version 1.05
-is shipped with three sources: B<null>, B<apache>, and B<file>.
+Defines the source of domain names. The I<NAME> parameter identifies the
+source, and additional arguments supply the initialization parameters.
-The B<null> module is an empty source. Command line arguments are ignored.
-Use this source if all domains are described in the configuration file.
+The present version of B<acmeman> is shipped with three sources: B<null>,
+B<apache>, and B<file>.
+
+The B<null> module is an empty source. It takes no additional arguments.
+Use this source if all domains are described in the configuration file
+using one or more B<domain> sections.
The B<apache> source module is the default. It scans B<httpd> configuration
files as described in section B<apache>. One argument is allowed. If supplied,
@@ -199,14 +407,14 @@ mandatory argument specifies the name of the directory where the files
are located. This mode is suitable for use with B<haproxy> pattern files.
Multiple B<source> statements can be defined. They will be processed
-sequentially.
-
+sequentially.
+
=item B<files=>I<NAME>
Identifies the B<[files]> section which describes how to create certificate
files for domains which lack explicit B<files> keyword. Default I<NAME> is
B<default>. See the description of the B<files> statement in B<domain>
-section.
+section.
=item B<check-alt-names=>I<BOOL>
@@ -217,8 +425,7 @@ don't match. This uses an ad-hoc logic, due to the deficiency of the
underlying X509 module, and therefore is not enabled by default.
Valid values for I<BOOL> are: B<1>, B<on>, B<true>, or B<yes>, for
-true, and B<0>, B<off>, B<false>, or B<no> for false (all values
-case-insensitive).
+true, and B<0>, B<off>, B<false>, or B<no> for false.
=item B<check-dns=>I<BOOL>
@@ -227,7 +434,7 @@ host name has an A DNS record pointing back to one of the IP addresses
of the server. Hostnames which don't satisfy this condition will be ignored.
The IP of the server is determined by looking up the A record for its
hostname. This can be overridden using the B<my-ip> configuration statement.
-
+
=item B<key-size=>I<N>
Size of the RSA key to use, in bits. Default is 4096.
@@ -236,55 +443,55 @@ Size of the RSA key to use, in bits. Default is 4096.
Declares IP address (or addresses) of this server. Use this keyword if
the server IP cannot be reliably determined by resolving its hostname.
-Special I<IP> B<$hostip> stands for the IP retreived by resolving the
+Special I<IP> B<$hostip> stands for the IP retrieved by resolving the
hostname.
-
+
=back
=head2 B<[domain I<CN>]>
Declares the domain for which a certificate should be maintained. I<CN> is
the canonical name for the domain. Alternative names can be specified using
-the B<alt> keyword.
-
+the B<alt> setting within the section.
+
=over 4
=item B<files=>I<ID>
Identifies the B<[files]> section which describes how to create certificate
-files for this domain. In the absense of this statement, the B<files>
+files for this domain. In the absence of this statement, the B<files>
statement from the B<[core]> section will be used.
-
+
=item B<alt=>I<NAME>
Defines alternative name for the certificate. Multiple B<alt> statements
-are allowed.
+are allowed.
=item B<key-size=>I<N>
Size of the RSA key to use, in bits. If not set, the B<core.key-size>
-setting is used.
+setting is used.
=item B<postrenew=>I<CMD>
Run I<CMD> after successful update. If not given, the B<core.postrenew>
-commands will be run.
-
+commands will be run.
+
=back
-
+
=head2 B<[files I<ID>]>
The B<files> section instructs B<acmeman> how to create certificate files.
It is applied to particular domains by placing the B<files=I<ID>> statement
-in the coresponding domain sections.
+in the corresponding domain sections.
The I<FILENAME> arguments to the keywords below can contain references to
a I<meta-variable>, which will be replaced by the actual domain name when
handling this section for a particular domain. By default, this meta-variable
-is B<$domain>.
-
+is B<$domain>.
+
=over 4
-
+
=item B<type=>B<single>|B<split>
Type of the certificate to create. When set to B<single>, a single
@@ -294,31 +501,31 @@ certificate chain and the signature, in this order.
When set to B<split>, the certificate, certificate chain and the signature
will be saved to three distinct files, whose names are defined by
-B<certificate-file>, B<ca-file>, and B<key-file>, correspondingly. If
+B<certificate-file>, B<ca-file>, and B<key-file>, correspondingly. If
B<ca-file> is not defined, only certificate and key files will be created.
The default is B<split>.
-
+
=item B<certificate-file=>I<FILENAME>
Defines the name of the certificate file for this domain. This statement
-is mandatory.
-
+is mandatory.
+
=item B<key-file=>I<FILENAME>
Defines the name of the certificate key file. This statement must be present
-if B<type> is set to B<split>.
-
+if B<type> is set to B<split>.
+
=item B<ca-file=>I<FILENAME>
Defines the name of the certificate authority file. This statement may
-be present if B<type> is set to B<split>.
-
+be present if B<type> is set to B<split>.
+
=item B<argument=>I<STRING>
Defines the name of the meta-variable in I<FILENAME> arguments, which will
-be replaced with the actual domain name. Default is B<$domain>.
-
+be replaced with the actual domain name. Default is B<$domain>.
+
=back
=head1 SOURCES
@@ -326,17 +533,17 @@ be replaced with the actual domain name. Default is B<$domain>.
=head2 null
[core]
- source = null
+ source = null
Declares empty source. This means that B<acmeman> will handle only domain
names explicitly declared in the configuration file using the B<domain>
setting.
-
+
=head2 apache
[core]
- source = apache [--server-root=DIR] [LAYOUT]
-
+ source = apache [--server-root=DIR] [LAYOUT]
+
This is the default source. It assumes Apache httpd, version 2.4 or later
(although only minor changes are necessary to make it work with version 2.2).
The optional I<LAYOUT> argument defines the layout of the apache configuration
@@ -347,19 +554,19 @@ Use the B<--server-root> option to supply the name of the server root
directory, if for some reason the module is unable to determine it
automatically.
-A special directory should be configured for receiving ACME challenges.
+A special directory should be configured for receiving ACME challenges.
The package provides two Apache macros: for serving ACME challenges and
-declaring SSL virtual hosts.
-
+declaring SSL virtual hosts.
+
Upon startup the program scans Apache configuration for virtual hosts
that use ACME certificates, checks their expiration times, and renews those
of the certificates that are nearing their expiration times within a
predefined number of seconds (24 hours by default). If any of the
certificates were updated during the run, B<acmeman> will restart the
-B<httpd> server.
+B<httpd> server.
-=head3 Setup
+=head3 Setup
To set up the necessary infrastructure, run B<acmeman --setup>. It will
create the configuration file B<httpd-letsencrypt.conf>, defining two
@@ -377,13 +584,13 @@ may also wish to revise B<httpd-letsencrypt.conf> and edit the paths to
SSL files configured there. By default, the directory F</etc/acme/I<DOMAIN>>
will be created for each domain name needing SSL, and two files will be placed
there: F<cert.pem>, containing the leaf and intermediate certificates for that
-domain, and F<privkey.pem>, containing the private key for that domain.
+domain, and F<privkey.pem>, containing the private key for that domain.
The program will refuse to overwrite existing files B<httpd-letsencrypt.conf>,
unless given the B<--force> (B<-F>) option.
=head3 Configuring SSL
-
+
To declare that a virtual host needs SSL certificate, add the following
line to the Apache B<VirtualHost> block serving plain HTTP for that host:
@@ -399,7 +606,7 @@ If such a certificate doesn't exist, it will be requested and created when
B<acmeman> is run.
To use the created certificate, create a new B<VirtualHost> block that
-contains the following statement:
+contains the following statement:
Use LetsEncryptServer DOMAIN
@@ -412,27 +619,27 @@ macro is expanded.
Example:
<VirtualHost *:80>
- ServerName example.org
- ServerAlias www.example.com
- Use LetsEncryptChallenge
- ...
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptChallenge
+ ...
</VirtualHost>
<VirtualHost *:443>
- Use LetsEncryptServer example.org
- ServerAlias www.example.com
- ...
+ Use LetsEncryptServer example.org
+ ServerAlias www.example.com
+ ...
</VirtualHost>
Alternatively, you can use the B<LetsEncryptSSL> macro, which differs from
B<LetsEncryptServer> in that it configures only SSL settings, without the
-B<ServerName> statement, which therefore must be included explicitly:
-
+B<ServerName> statement, which therefore must be included explicitly:
+
<VirtualHost *:443>
- ServerName example.org
- ServerAlias www.example.com
- Use LetsEncryptSSL example.org
- ...
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptSSL example.org
+ ...
</VirtualHost>
LetsEncrypt limits the number of certificates requested for a single
@@ -442,36 +649,36 @@ virtual hosts. The special macro B<LetsEncryptReference> is provided for
that purpose. Suppose, for example, that you wish to configure server
name B<git.example.org> to use the same certificate as B<example.org>
(configured in the example above). You then declare the virtual host
-for the plain HTTP as follows:
+for the plain HTTP as follows:
<VirtualHost *:80>
- ServerName git.example.org
- Use LetsEncryptReference example.org
- ...
+ ServerName git.example.org
+ Use LetsEncryptReference example.org
+ ...
</VirtualHost>
The argument to the B<LetsEncryptReference> macro indicates the CN name of
the certificate to which the current server name (and aliases, if any) are
to be added as alternative names. The corresponding virtual host for SSL
-will use the B<LetsEncryptSSL> macro to configure the correct certificate:
+will use the B<LetsEncryptSSL> macro to configure the correct certificate:
<VirtualHost *:80>
- ServerName git.example.org
- Use LetsEncryptSSL example.org
- ...
+ ServerName git.example.org
+ Use LetsEncryptSSL example.org
+ ...
</VirtualHost>
=head2 file
[core]
- source = file PATTERN [--ignore=RX] [--host=HOST]
+ source = file PATTERN [--ignore=RX] [--host=HOST]
Domain names will be read from files matching I<PATTERN>. The argument
can be a single file or directory name, or a valid globbing pattern.
If I<PATTERN> is a directory name, the module will read all files from
that directory, except those matching the following perl regexp:
C<^\.|~$|\.bak$|^#.*#$>. The default regexp can be overridden using the
-B<--ignore> (B<-i>) option.
+B<--ignore> (B<-i>) option.
The input files must contain exactly one domain name per line. No empty
lines or comments are allowed. The first domain name will become the B<CN>
@@ -480,8 +687,8 @@ names.
If the B<--host> (B<-h>) option is used, only one certificate will be
issued. The I<HOST> will be used as its B<CN>. All the domain names read
-from the input files will form the list of its alternative names.
-
+from the input files will form the list of its alternative names.
+
=head1 OPTIONS
=over 4
@@ -491,26 +698,26 @@ from the input files will form the list of its alternative names.
Sets the time window before the actual expiration time, when the certificate
becomes eligible for renewal. I<N> is time in seconds. The default
value is 86400, which means that B<acmeman> will attempt to renew any
-certificate that expires within 24 hours.
+certificate that expires within 24 hours.
This option overrides the B<core.time-delta> configuration setting.
-
+
=item B<-F>, B<--force>
Force renewal of certificates, no matter their expire date. With B<--setup>,
force installing the B<httpd-letsencrypt.conf> file even if it already
-exists.
+exists.
=item B<-a>, B<--alt-names>
Compare the list of alternative names of each certificate with the one
-gathered from the Apache configuration, and reissue the certificate
+gathered from the Apache configuration, and reissue the certificate
if the two lists don't match. This uses an ad-hoc logic, due to the
deficiency of the underlying X509 module, and therefore is not enabled
-by default.
+by default.
This option overrides the B<core.check-alt-names> configuration setting.
-
+
=item B<-d>, B<--debug>
Increase debugging level. Multiple options accumulate. Three debugging
@@ -521,36 +728,36 @@ levels are implemented:
=item B<-d>
List certificates being renewed.
-
+
=item B<-dd>
List files being created. Show basic information about ACME transactions for
-each certificate.
+each certificate.
=item B<-ddd>
Verbosely report parsing of Apache configuration files. Show detailed
-debugging information about ACME transactions for each certificate.
-
-=back
-
+debugging information about ACME transactions for each certificate.
+
+=back
+
=item B<-f>, B<--config-file=>I<FILE>
Read configuration from I<FILE>, instead of the default F</etc/acmeman.conf>.
-
+
=item B<-n>, B<--dry-run>
Don't modify any files, just print what would have been done.
-Implies B<--debug>.
+Implies B<--debug>.
=item B<-S>, B<--setup>
Set up the B<acmeman> infrastructure files.
-
+
=item B<-s>, B<--stage>
-
+
Use LetsEncrypt staging server.
-
+
=back
The following options are informational:
@@ -560,25 +767,27 @@ The following options are informational:
=item B<-h>
Prints a short usage summary.
-
+
=item B<--help>
-Prints detailed user manual.
+Prints detailed user manual.
=item B<--usage>
Outputs a terse reminder of the command line syntax along with a
list of available options.
-=back
-
-=head1 AUTHOR
+=back
-Sergey Poznyakoff <gray@gnu.org>
-
-=cut
+=head1 AUTHOR
+Sergey Poznyakoff <gray@gnu.org>
+=head1 LICENSE
+GPLv3+: GNU GPL version 3 or later, see L<http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+=cut
diff --git a/lib/App/Acmeman.pm b/lib/App/Acmeman.pm
index c867c1b..8f253b2 100644
--- a/lib/App/Acmeman.pm
+++ b/lib/App/Acmeman.pm
@@ -25,7 +25,7 @@ use Text::ParseWords;
use App::Acmeman::Log qw(:all :sysexits);
use feature 'state';
-our $VERSION = '1.11';
+our $VERSION = '2.00';
my $progdescr = "manages ACME certificates";
@@ -250,7 +250,8 @@ sub collect {
cn => $k,
alt => $alt,
postrenew => $v->{postrenew},
- %{$self->cf->getnode('files', $self->cf->get(qw(core files)))->as_hash});
+ %{$self->cf->getnode('files',
+ $self->cf->get(qw(core files)))->as_hash});
}
$self->domains($dom);
}

Return to:

Send suggestions and report system problems to the System administrator.