diff options
author | Sergey Poznyakoff <gray@gnu.org> | 2019-08-26 13:43:13 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2019-08-26 13:57:25 +0300 |
commit | d9d63339f7df96d7dfcdbd11edbe996359b5813e (patch) | |
tree | cce58ed960a40e05850a3eb7858d4be1b7f0f3ed | |
parent | 5d0c176c8f14151e54959bd898df69c82b5289c0 (diff) | |
download | acmeman-d9d63339f7df96d7dfcdbd11edbe996359b5813e.tar.gz acmeman-d9d63339f7df96d7dfcdbd11edbe996359b5813e.tar.bz2 |
Improve docs.
-rw-r--r-- | Changes | 6 | ||||
-rw-r--r-- | Makefile.PL | 5 | ||||
-rw-r--r-- | README | 40 | ||||
-rwxr-xr-x | acmeman | 521 | ||||
-rw-r--r-- | lib/App/Acmeman.pm | 5 |
5 files changed, 416 insertions, 161 deletions
@@ -1,3 +1,9 @@ | |||
1 | 2.00 2019-08-26 | ||
2 | |||
3 | - Released on CPAN | ||
4 | - Parses entire Apache configuration. In particular, correctly | ||
5 | handles Include statements and expands macros (the Use statement). | ||
6 | |||
1 | 1.11 2019-08-15 | 7 | 1.11 2019-08-15 |
2 | 8 | ||
3 | - Fix acmeman --setup | 9 | - Fix acmeman --setup |
diff --git a/Makefile.PL b/Makefile.PL index 846d342..43555f8 100644 --- a/Makefile.PL +++ b/Makefile.PL | |||
@@ -8,7 +8,7 @@ use ExtUtils::MakeMaker; | |||
8 | my %makefile_args = ( | 8 | my %makefile_args = ( |
9 | NAME => 'App::Acmeman', | 9 | NAME => 'App::Acmeman', |
10 | ABSTRACT_FROM => 'acmeman', | 10 | ABSTRACT_FROM => 'acmeman', |
11 | VERSION_FROM => 'acmeman', | 11 | VERSION_FROM => 'lib/App/Acmeman.pm', |
12 | AUTHOR => 'Sergey Poznyakoff <gray@gnu.org>', | 12 | AUTHOR => 'Sergey Poznyakoff <gray@gnu.org>', |
13 | LICENSE => 'gpl_3', | 13 | LICENSE => 'gpl_3', |
14 | EXE_FILES => [ 'acmeman' ], | 14 | EXE_FILES => [ 'acmeman' ], |
@@ -36,8 +36,7 @@ my %makefile_args = ( | |||
36 | 'Apache::Defaults' => 1.02, | 36 | 'Apache::Defaults' => 1.02, |
37 | 'Apache::Config::Preproc' => 1.03 | 37 | 'Apache::Config::Preproc' => 1.03 |
38 | }, | 38 | }, |
39 | 39 | MIN_PERL_VERSION => 5.016001, | |
40 | MIN_PERL_VERSION => 5.006, | ||
41 | META_MERGE => { | 40 | META_MERGE => { |
42 | 'meta-spec' => { version => 2 }, | 41 | 'meta-spec' => { version => 2 }, |
43 | resources => { | 42 | resources => { |
@@ -0,0 +1,40 @@ | |||
1 | acmeman | ||
2 | ======= | ||
3 | |||
4 | Command line utility for issuing and maintaining ACME SSL certificates. | ||
5 | |||
6 | While most existing ACME tools take a list of domain names for which to | ||
7 | issue certificates from their command line or configuration file, acmeman | ||
8 | gathers domain names directly from the configuration of the http server | ||
9 | that serves them. Thus, a domain name obtains its certificate automatically, | ||
10 | once the administrator configures the http server to serve it via https. | ||
11 | |||
12 | The utility is normally run as a cron job. | ||
13 | |||
14 | Installation | ||
15 | ------------ | ||
16 | |||
17 | To build run: | ||
18 | |||
19 | perl Makefile.PL | ||
20 | |||
21 | as usual. The created Makefile will install the missing dependencies | ||
22 | from CPAN automatically. If this is not desirable, run | ||
23 | |||
24 | perl Makefile.PL --no-autoinstall | ||
25 | |||
26 | instead. | ||
27 | |||
28 | See "man acmeman" (or "perldoc acmeman", or "acmeman --help"), for a | ||
29 | detailed manual. | ||
30 | |||
31 | Copying | ||
32 | ------- | ||
33 | This package is free software; you can redistribute it and/or modify | ||
34 | it under the terms of the GNU General Public License as published by | ||
35 | the Free Software Foundation; either version 3, or (at your option) | ||
36 | any later version. | ||
37 | |||
38 | See http://www.gnu.org/licenses. | ||
39 | |||
40 | |||
@@ -18,16 +18,16 @@ acmeman - manages ACME certificates | |||
18 | B<acmeman> | 18 | B<acmeman> |
19 | [B<-Fadns>] | 19 | [B<-Fadns>] |
20 | [B<-D> I<N>] | 20 | [B<-D> I<N>] |
21 | [B<-f> I<FILE>] | 21 | [B<-f> I<FILE>] |
22 | [B<--alt-names>] | 22 | [B<--alt-names>] |
23 | [B<--config-file=>I<FILE>] | 23 | [B<--config-file=>I<FILE>] |
24 | [B<--debug>] | 24 | [B<--debug>] |
25 | [B<--dry-run>] | 25 | [B<--dry-run>] |
26 | [B<--force>] | 26 | [B<--force>] |
27 | [B<--stage>] | 27 | [B<--stage>] |
28 | [B<--time-delta=>I<N>] | 28 | [B<--time-delta=>I<N>] |
29 | [I<DOMAIN>...] | 29 | [I<DOMAIN>...] |
30 | 30 | ||
31 | B<acmeman> B<--setup> | B<-S> | 31 | B<acmeman> B<--setup> | B<-S> |
32 | [B<-Fdn>] | 32 | [B<-Fdn>] |
33 | [B<--config-file=>I<FILE>] | 33 | [B<--config-file=>I<FILE>] |
@@ -39,35 +39,253 @@ B<acmeman> | |||
39 | [B<-h>] | 39 | [B<-h>] |
40 | [B<--help>] | 40 | [B<--help>] |
41 | [B<--usage>] | 41 | [B<--usage>] |
42 | |||
43 | =head1 DESCRIPTION | ||
44 | 42 | ||
45 | A tool for automatic creation and renewal of ACME (LetsEncrypt) SSL | 43 | =head1 DESCRIPTION |
46 | certificates. The list of domains to handle can be obtained from | ||
47 | B<acmeman> or B<apache> configuration files, or from both. If the | ||
48 | default B<acmeman> configuration file doesn't exist, the program | ||
49 | scans B<apache> configuration files for a list of domains. | ||
50 | 44 | ||
51 | B<Acmeman> is normally run periodically as a cronjob. | 45 | B<Acmeman> is a tool for automatic management of ACME (LetsEncrypt) SSL |
52 | 46 | certificates. | |
53 | If you plan to serve SSL protected domains using apache, you can skip | 47 | |
54 | right to the B<apache> section. | 48 | Most existing ACME tools take a list of domain names for which to issue |
49 | certificates from their command line or configuration file. B<Acmeman> | ||
50 | takes a completely different approach. It gathers domain names directly | ||
51 | from the configuration of the B<http> server that manages them. Thus, | ||
52 | a domain name obtains its certificate automatically, once the administrator | ||
53 | configures the http server to serve it via https. | ||
54 | |||
55 | This version of B<acmeman> is able to handle configuration files of | ||
56 | B<Apache> http server, and servers that are able to read the list of | ||
57 | domain names from disk files, such as B<HAProxy>. | ||
58 | |||
59 | For trivial configurations, B<acmeman> can be used without any additional | ||
60 | configuration. For example, support for B<Apache> is enabled by default, | ||
61 | so all the administrator has to do is to run | ||
62 | |||
63 | acmeman --setup | ||
64 | |||
65 | which will set up additional macro definitions for the apache configuration | ||
66 | file, then enable the B<mod_macro> module and to use the provided definitions | ||
67 | in httpd configuration. This is discussed in detail in the section B<APACHE> | ||
68 | below. | ||
69 | |||
70 | In more complex configurations, B<acmeman> should be instructed what to | ||
71 | do using its configuration file. This file, normally named | ||
72 | F</etc/acmeman.conf>, supplies the definitions of I<domain sources>, | ||
73 | i.e. configuration files from which to obtain domain names to form the | ||
74 | certificate CNs and other parameters. At a pinch, the list of domain names | ||
75 | can be declared in it as well. Several domain sources can be used | ||
76 | simultaneously. E.g. you can have B<acmeman> look for domain names in | ||
77 | B<Apache> and B<HAProxy> configurations and obtain an additional list of | ||
78 | domains from its own configuration, all in the same time. | ||
79 | |||
80 | In any case, B<acmeman> should be run as a periodic cron job, in order to | ||
81 | ensure that expiring certificates are updated in time. The usual crontab | ||
82 | entry (for Vixie cron) is | ||
83 | |||
84 | 0 4 * * * root /usr/bin/acmeman | ||
85 | |||
86 | Exact interval configuration is entirely up to you. For Dillon cron, omit | ||
87 | the user name field. | ||
88 | |||
89 | When started this way, B<acmeman> will scan the existing certificates and | ||
90 | select those of them which will expire within a predefined amount of time | ||
91 | (24h by default, configurable by the B<core.time-delta> statement). Then | ||
92 | it will scan the configured domain sources to see if any certificates are | ||
93 | added an alternative CN and if any new certificates should be issued. Having | ||
94 | created a list of the certificates, it will interact with the ACME server, | ||
95 | issuing the new ones and updating the ones that need prolongation or | ||
96 | modification. | ||
97 | |||
98 | =head1 QUICK START | ||
55 | 99 | ||
56 | The following is a short introduction to the B<acmeman> configuration. For | 100 | The following is a short introduction to the B<acmeman> configuration. For |
57 | a detailed discussion, see the B<CONFIGURATION> section below. | 101 | a detailed discussion, see the B<CONFIGURATION> section below. For detailed |
102 | discussion of particular domain sources, refer to the section B<SOURCES>. | ||
58 | 103 | ||
59 | The configuration file, B</etc/acmeman.conf>, consists of statements, | 104 | The configuration file, B</etc/acmeman.conf>, consists of statements, |
60 | which have the form B<I<KW>=I<VAL>>, grouped into sections, declared | 105 | which have the form B<I<KW>=I<VAL>>, grouped into sections, declared |
61 | as B<[I<NAME>]> (square brackets are part of the syntax). Empty lines | 106 | as B<[I<NAME>]> (square brackets are part of the syntax). Empty lines |
62 | and comments (introduced by a hash sign) are ignored. | 107 | and comments (introduced by a hash sign) are ignored. |
63 | 108 | ||
64 | Domains which require LetsEncrypt certificates are declared in B<domain> | 109 | There are three main use cases |
65 | section. Each section introduces a single domain. E.g.: | 110 | |
111 | =head2 APACHE | ||
112 | |||
113 | In most cases no special configuration file is needed. The following | ||
114 | recipe describes each configuration step. Refer to the section B<SOURCE>, | ||
115 | subsection B<apache> for a detailed discussion. | ||
116 | |||
117 | =over 4 | ||
118 | |||
119 | =item 1. Initial configuration | ||
120 | |||
121 | Run | ||
122 | |||
123 | acmeman --setup | ||
124 | |||
125 | It will detect the Apache layout, install an additional Apache configuration | ||
126 | file, F<httpd-letsencrypt.conf> and print the instructions on how to | ||
127 | enable it. Follow them and enable the B<mod_macro> module. | ||
128 | |||
129 | =item 2. Apache domain setup: plain HTTP | ||
130 | |||
131 | To declare that a virtual host needs SSL certificate, add the following | ||
132 | line to the Apache B<VirtualHost> block serving plain HTTP for that host: | ||
133 | |||
134 | Use LetsEncryptChallenge | ||
135 | |||
136 | This will instruct Apache B<httpd> to serve ACME challenges and B<acmeman> | ||
137 | to request a certificate for that virtual host. The hostname declared with | ||
138 | the B<ServerName> statement will be used as the B<CN> for the certificate, | ||
139 | and any names declared via B<ServerAlias> statements will form the list of | ||
140 | alternative names. For example: | ||
141 | |||
142 | <VirtualHost *:80> | ||
143 | ServerName example.org | ||
144 | ServerAlias www.example.com | ||
145 | Use LetsEncryptChallenge | ||
146 | ... | ||
147 | </VirtualHost> | ||
148 | |||
149 | =item 3. Issue the certificate | ||
150 | |||
151 |