diff options
authorSergey Poznyakoff <gray@gnu.org.ua>2019-10-18 17:08:24 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2019-10-18 17:08:24 +0300
commitf44aeac44eecf6dd6075e20080c0bb0b7822f30f (patch)
parent7e22b3181f963e62a44620336bdcd7d40baacb3a (diff)
Clean up account credential handling.
Credentials are saved in files specified by configuration directives account.id and account.key. The directive account.directory specifies the directory for these files.
3 files changed, 93 insertions, 38 deletions
diff --git a/acmeman b/acmeman
index e0f22ab..7ab46bb 100755
--- a/acmeman
+++ b/acmeman
@@ -445,12 +445,42 @@ Declares IP address (or addresses) of this server. Use this keyword if
the server IP cannot be reliably determined by resolving its hostname.
Special I<IP> B<$hostip> stands for the IP retrieved by resolving the
+=head2 B<[account]>
+Configures where to store ACME account credentials: account key ID and
+account private key. Both values are stored in separate files on disk.
+If the files do not exist B<acmeman> will initiate creation of a new
+account and will save its credentials for further use.
+=over 4
+=item B<directory=>I<DIR>
+Directory where to store credential files. Defaults to
+=item B<id=>I<FILE>
+Name of the file with account key ID. Unless I<FILE> begins with a
+directory separator, it is taken relative to B<account.directory>.
+Default: F</etc/ssl/acme/key.id>.
+=item B<key=>I<FILE>
+Name of the file with account key. Unless I<FILE> begins with a
+directory separator, it is taken relative to B<account.directory>.
+Default: F</etc/ssl/acme/key.pem>.
=head2 B<[domain I<CN>]>
Declares the domain for which a certificate should be maintained. I<CN> is
the canonical name for the domain. Alternative names can be specified using
the B<alt> setting within the section.
diff --git a/lib/App/Acmeman.pm b/lib/App/Acmeman.pm
index b95f87f..285342c 100644
--- a/lib/App/Acmeman.pm
+++ b/lib/App/Acmeman.pm
@@ -21,13 +21,13 @@ use App::Acmeman::Config;
use App::Acmeman::Domain qw(:files);
use Data::Dumper;
use Text::ParseWords;
use App::Acmeman::Log qw(:all :sysexits);
use feature 'state';
-our $VERSION = '2.90';
+our $VERSION = '2.02';
my $progdescr = "manages ACME certificates";
my $letsencrypt_root_cert_url =
@@ -408,70 +408,82 @@ sub save_challenge {
} else {
error("can't open $file for writing: $!");
-sub acme {
+sub account_key {
my $self = shift;
- my $key_id;
- my $account_key;
- my $idfile = File::Spec->catfile($self->cf->get('core','rootdir'),
- 'account.key_id');
- my $keyfile = File::Spec->catfile($self->cf->get('core','rootdir'),
- 'account.pem');
- if (-r $idfile) {
- if (open(my $fh, '<', $idfile)) {
- chomp($key_id = <$fh>);
- close $fh;
- debug(3, "using key_id $key_id");
- } else {
- error("can't open $idfile for reading: $!");
- }
+ unless ($self->{_account_key}) {
+ my $keyfile = $self->cf->get('account', 'key');
+ if (-r $keyfile) {
+ if (open(my $fh, '<', $keyfile)) {
+ local $/ = undef;
+ $self->{_account_key} = Crypt::OpenSSL::RSA->new_private_key(<$fh>);
+ close $fh;
+ } else {
+ error("can't open $keyfile for reading: $!");
+ }
+ } else {
+ $self->{_account_key} = Crypt::OpenSSL::RSA->generate_key($self->cf->get('core', 'key-size'));
+ }
+ return $self->{_account_key};
- if (-r $keyfile) {
- if (open(my $fh, '<', $keyfile)) {
- local $/ = undef;
- $account_key = Crypt::OpenSSL::RSA->new_private_key(<$fh>);
+sub account_key_id {
+ my $self = shift;
+ my $idfile = $self->cf->get('account', 'id');
+ if (my $val = shift) {
+ $self->{_account_key_id} = $val;
+ $self->prep_dir($idfile);
+ if (open(my $fh, '>', $idfile)) {
+ print $fh $val;
close $fh;
} else {
- error("can't open $keyfile for reading: $!");
- }
- } else {
- $account_key = Crypt::OpenSSL::RSA->generate_key($self->cf->get('core', 'key-size'));
+ error("can't open $idfile for writing: $!");
+ }
+ } elsif (!$self->{_account_key_id}) {
+ if (-r $idfile) {
+ if (open(my $fh, '<', $idfile)) {
+ chomp($self->{_account_key_id} = <$fh>);
+ close $fh;
+ debug(3, "using key_id $self->{_account_key_id}");
+ } else {
+ error("can't open $idfile for reading: $!");
+ }
+ }
+ return $self->{_account_key_id};
+sub acme {
+ my $self = shift;
unless ($self->{_acme}) {
my $acme = Net::ACME2::LetsEncrypt->new(
environment => $self->acme_host,
- key => $account_key->get_private_key_string(),
- key_id => $key_id
+ key => $self->account_key->get_private_key_string(),
+ key_id => $self->account_key_id
$self->{_acme} = $acme;
unless ($acme->key_id()) {
# Create new account
debug(3, "creating account");
my $terms_url = $acme->get_terms_of_service();
$acme->create_account(termsOfServiceAgreed => 1);
debug(3, "saving account credentials");
- if (open(my $fh, '>', $idfile)) {
- print $fh $acme->key_id();
- close $fh;
- } else {
- error("can't open $idfile for writing: $!");
- }
+ $self->account_key_id($acme->key_id());
+ my $keyfile = $self->cf->get('account', 'key');
if (open(my $fh, '>', $keyfile)) {
- print $fh $account_key->get_private_key_string();
+ print $fh $self->account_key->get_private_key_string();
close $fh;
} else {
- error("can't open $idfile for writing: $!");
+ error("can't open $keyfile for writing: $!");
return $self->{_acme};
diff --git a/lib/App/Acmeman/Config.pm b/lib/App/Acmeman/Config.pm
index 6707ee0..da60700 100644
--- a/lib/App/Acmeman/Config.pm
+++ b/lib/App/Acmeman/Config.pm
@@ -3,12 +3,13 @@ package App::Acmeman::Config;
use strict;
use warnings;
use Carp;
use parent 'Config::Parser::Ini';
use Text::ParseWords;
use App::Acmeman::Log qw(debug_level :sysexits);
+use File::Spec;
sub new {
my $class = shift;
my $filename = shift;
my %args;
if (-e $filename) {
@@ -100,12 +101,20 @@ sub mangle {
} else {
+ my $dir = $self->get(qw(account directory));
+ for my $k (qw(id key)) {
+ my $file = $self->get('account', $k);
+ unless (File::Spec->file_name_is_absolute($file)) {
+ $self->set('account', $k, File::Spec->catfile($dir, $file));
+ }
+ }
exit(EX_CONFIG) if $err;
@@ -116,12 +125,16 @@ __DATA__
source = STRING :default=apache :array
check-alt-names = BOOL :default=0
check-dns = BOOL :default=1
my-ip = STRING :array
key-size = NUMBER :default=4096
verbose = NUMBER :default=0
+ directory = STRING :default=/etc/ssl/acme
+ id = STRING :default=key.id
+ key = STRING :default=key.pem
[files ANY]
type = STRING :re="^(single|split)$"
certificate-file = STRING
key-file = STRING
ca-file = STRING
argument = STRING

Return to:

Send suggestions and report system problems to the System administrator.