aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Changes79
-rw-r--r--MANIFEST.SKIP2
-rw-r--r--Makefile.PL33
-rw-r--r--README40
-rwxr-xr-xacmeman1468
-rw-r--r--bootstrap.pl61
-rw-r--r--lib/App/Acmeman.pm675
-rw-r--r--lib/App/Acmeman/Apache/Layout.pm219
-rw-r--r--lib/App/Acmeman/Apache/Layout/debian.pm44
-rw-r--r--lib/App/Acmeman/Apache/Layout/rh.pm21
-rw-r--r--lib/App/Acmeman/Apache/Layout/slackware.pm212
-rw-r--r--lib/App/Acmeman/Apache/Layout/suse.pm22
-rw-r--r--lib/App/Acmeman/Config.pm430
-rw-r--r--lib/App/Acmeman/Domain.pm1
-rw-r--r--lib/App/Acmeman/Log.pm70
-rw-r--r--lib/App/Acmeman/Source.pm33
-rw-r--r--lib/App/Acmeman/Source/Apache.pm314
-rw-r--r--lib/App/Acmeman/Source/Default.pm47
-rw-r--r--lib/App/Acmeman/Source/File.pm29
-rw-r--r--lib/App/Acmeman/Source/Pound.pm225
20 files changed, 2495 insertions, 1530 deletions
diff --git a/Changes b/Changes
index 1a2e176..c66f050 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,82 @@
+3.09 2023-01-22
+
+ - New domain source: pound.
+
+3.08 2021-06-11
+
+ - Allow for multiple per-domain postrenew statements.
+
+3.07 2021-02-12
+
+ - Change bugtracker address.
+ - Change root certificate URL and make it configurable.
+
+3.06 2020-06-15
+
+ - Improve error reporting
+
+3.05 2020-06-14
+
+ - Fix manifest
+
+3.04 2020-06-14
+
+ - Rewrite Apache configuration layout support.
+ - Improve Apache setup procedure.
+ - Make sure the generated cert.pem file is terminated with a
+ newline.
+ - Accept ServerName value with the scheme prefix.
+
+3.03 2019-12-23
+
+ - The following environment variables are set when running
+ postrenew commands defined in the [core] section:
+ ACMEMAN_CERTIFICATE_COUNT, ACMEMAN_CERTIFICATE_FILE,
+ ACMEMAN_DOMAIN_NAME, ACMEMAN_ALT_NAMES.
+ - The following environment variables are set when running
+ postrenew commands defined in [domain] sections:
+ ACMEMAN_CERTIFICATE_FILE, ACMEMAN_DOMAIN_NAME,
+ ACMEMAN_ALT_NAMES. See the manpage for a detailed discussion.
+ - Challenge files are removed before exiting.
+ - By default, a special domain source is used, which invokes
+ "apache" and, if unable to do so, outputs on standard error
+ a detailed description of the problem with a suggestion on
+ how to fix it.
+
+3.02 2019-10-23
+ - Take into account ServerName if LetsEncryptReference is given.
+
+3.01 2019-10-20
+ - Accept multiple hostnames in the ServerAlias directive
+
+3.00 2019-10-19
+ - Switch to ACMEv2
+
+2.02 2019-09-11
+ - Fix the "apache" source
+
+2.01 2019-09-11
+ - Fix the "file" source (inverted logic was assumed)
+ - Implement the --version option.
+
+2.00 2019-08-26
+
+ - Released on CPAN
+ - Parses entire Apache configuration. In particular, correctly
+ handles Include statements and expands macros (the Use statement).
+
+1.11 2019-08-15
+
+ - Fix acmeman --setup
+
+1.10 2019-03-15
+
+ - Support for multiple 'source' statements.
+
+1.09 2019-03-14
+
+ - Use absolute path to the 'service' utility on systems that have it
+
1.08 2018-10-06
- New option --server-root for the source = apache configuration
diff --git a/MANIFEST.SKIP b/MANIFEST.SKIP
index 2f9c3df..0147f1e 100644
--- a/MANIFEST.SKIP
+++ b/MANIFEST.SKIP
@@ -58,7 +58,7 @@
^tmp
^buildreq
^\.emacs\.*
-\.tar(?:\.gz)?$
+\.tar(?:\.gz(?:\.sig)?)?$
\.diff$
\.patch$
^bootstrap\.pl
diff --git a/Makefile.PL b/Makefile.PL
index 1fad0ba..8ad492a 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -1,14 +1,13 @@
# -*- perl -*-
use strict;
-use lib 'inc';
use Module::Metadata;
use Getopt::Long qw(:config gnu_getopt no_ignore_case pass_through);
use ExtUtils::MakeMaker;
my %makefile_args = (
NAME => 'App::Acmeman',
- ABSTRACT_FROM => 'acmeman',
- VERSION_FROM => 'acmeman',
+ ABSTRACT => 'manages ACME certificates',
+ VERSION_FROM => 'lib/App/Acmeman.pm',
AUTHOR => 'Sergey Poznyakoff <gray@gnu.org>',
LICENSE => 'gpl_3',
EXE_FILES => [ 'acmeman' ],
@@ -18,8 +17,7 @@ my %makefile_args = (
'File::Basename' => 2.84,
'Test::NoWarnings' => 0,
'Crypt::RSA::Parse' => 0.043,
- 'Protocol::ACME' => 1.01,
- 'Protocol::ACME::Challenge::LocalFile' => 1.01,
+ 'Net::ACME2' => 0.33,
'Crypt::Format' => 0.06,
'Crypt::OpenSSL::PKCS10' => 0.16,
'Crypt::OpenSSL::RSA' => 0.28,
@@ -32,18 +30,25 @@ my %makefile_args = (
'Text::ParseWords' => 3.27,
'Data::Dumper' => 0,
'Socket' => 0,
- 'Sys::Hostname' => 1.16
+ 'Sys::Hostname' => 1.16,
+ 'Apache::Defaults' => 1.02,
+ 'Apache::Config::Preproc' => 1.04,
+ 'Config::Parser' => 1.03,
+ 'File::BackupCopy' => 1.00
},
-
- MIN_PERL_VERSION => 5.006,
+ MIN_PERL_VERSION => 5.016001,
META_MERGE => {
'meta-spec' => { version => 2 },
resources => {
repository => {
type => 'git',
- url => 'git://git.gnu.org.ua/gsc/acmeman.git',
- web => 'http://git.gnu.org.ua/cgit/gsc/acmeman.git/',
+ url => 'git://git.gnu.org.ua/acmeman.git',
+ web => 'http://git.gnu.org.ua/cgit/acmeman.git/',
},
+ bugtracker => {
+ web => 'https://puszcza.gnu.org.ua/bugs/?group=acmeman',
+ mailto => 'gray+acmeman@gnu.org.ua'
+ }
},
provides => Module::Metadata->provides(version => '1.4',
dir => 'lib')
@@ -53,9 +58,11 @@ my %makefile_args = (
my $no_autoinstall;
GetOptions('no-autoinstall|N' => \$no_autoinstall) or exit(1);
unless ($no_autoinstall) {
- require ExtUtils::AutoInstall;
- ExtUtils::AutoInstall->import(-core => $makefile_args{PREREQ_PM});
- delete $makefile_args{PREREQ_PM};
+ eval {
+ require ExtUtils::AutoInstall;
+ ExtUtils::AutoInstall->import(-core => $makefile_args{PREREQ_PM});
+ delete $makefile_args{PREREQ_PM};
+ };
}
WriteMakefile(%makefile_args);
diff --git a/README b/README
new file mode 100644
index 0000000..bb6da72
--- /dev/null
+++ b/README
@@ -0,0 +1,40 @@
+acmeman
+=======
+
+Command line utility for issuing and maintaining ACME SSL certificates.
+
+While most existing ACME tools take a list of domain names for which to
+issue certificates from their command line or configuration file, acmeman
+gathers domain names directly from the configuration of the http server
+that serves them. Thus, a domain name obtains its certificate automatically,
+once the administrator configures the http server to serve it via https.
+
+The utility is normally run as a cron job.
+
+Installation
+------------
+
+To build run:
+
+ perl Makefile.PL
+
+as usual. The created Makefile will install the missing dependencies
+from CPAN automatically. If this is not desirable, run
+
+ perl Makefile.PL --no-autoinstall
+
+instead.
+
+See "man acmeman" (or "perldoc acmeman", or "acmeman --help"), for a
+detailed manual.
+
+Copying
+-------
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+See http://www.gnu.org/licenses.
+
+
diff --git a/acmeman b/acmeman
index ec678d7..5225751 100755
--- a/acmeman
+++ b/acmeman
@@ -1,66 +1,33 @@
#!/bin/sh
#! -*-perl-*-
-eval 'exec perl -x -wS $0 ${1+"$@"}'
+eval 'exec perl -x -S $0 ${1+"$@"}'
if 0;
-# Copyright (C) 2017, 2018 Sergey Poznyakoff <gray@gnu.org>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
use strict;
-use feature 'state';
-use Protocol::ACME;
-use Protocol::ACME::Challenge::LocalFile;
-use Crypt::Format;
-use Crypt::OpenSSL::PKCS10 qw(:const);
-use Crypt::OpenSSL::RSA;
-use Crypt::OpenSSL::X509;
-use File::Basename;
-use File::Path qw(make_path);
-use DateTime::Format::Strptime;
-use LWP::UserAgent;
-use LWP::Protocol::https;
-use Socket qw(inet_ntoa);
-use Sys::Hostname;
-use Pod::Usage;
-use Pod::Man;
-use Getopt::Long qw(:config gnu_getopt no_ignore_case auto_version);
-use POSIX qw(strftime time floor);
-use App::Acmeman::Config;
-use App::Acmeman::Domain qw(:files);
-use Data::Dumper;
-use Text::ParseWords;
-
-our $VERSION = '1.09';
+use warnings;
+use App::Acmeman;
+
+App::Acmeman->new->run;
=head1 NAME
-App::Acmeman - manages ACME certificates
+acmeman - manages ACME certificates
=head1 SYNOPSIS
B<acmeman>
[B<-Fadns>]
[B<-D> I<N>]
-[B<-f> I<FILE>]
+[B<-f> I<FILE>]
[B<--alt-names>]
[B<--config-file=>I<FILE>]
[B<--debug>]
[B<--dry-run>]
[B<--force>]
-[B<--stage>]
+[B<--stage>]
[B<--time-delta=>I<N>]
[I<DOMAIN>...]
-
+
B<acmeman> B<--setup> | B<-S>
[B<-Fdn>]
[B<--config-file=>I<FILE>]
@@ -72,35 +39,304 @@ B<acmeman>
[B<-h>]
[B<--help>]
[B<--usage>]
-
-=head1 DESCRIPTION
-A tool for automatic creation and renewal of ACME (LetsEncrypt) SSL
-certificates. The list of domains to handle can be obtained from
-B<acmeman> or B<apache> configuration files, or from both. If the
-default B<acmeman> configuration file doesn't exist, the program
-scans B<apache> configuration files for a list of domains.
+=head1 DESCRIPTION
-B<Acmeman> is normally run periodically as a cronjob.
-
-If you plan to serve SSL protected domains using apache, you can skip
-right to the B<apache> section.
+B<Acmeman> is a tool for automatic management of ACME (LetsEncrypt) SSL
+certificates.
+
+Most existing ACME tools take a list of domain names for which to issue
+certificates from their command line or configuration file. B<Acmeman>
+takes a completely different approach. It gathers domain names directly
+from the configuration of the B<http> server that manages them. Thus,
+a domain name obtains its certificate automatically, once the administrator
+configures the http server to serve it via https.
+
+This version of B<acmeman> is able to handle configuration files of
+B<Apache> http server, and servers that are able to read the list of
+domain names from disk files, such as B<HAProxy>.
+
+For trivial configurations, B<acmeman> can be used without any additional
+configuration. For example, support for B<Apache> is enabled by default,
+so all the administrator has to do is to run
+
+ acmeman --setup
+
+which will set up additional macro definitions for the apache configuration
+file, then enable the B<mod_macro> module and to use the provided definitions
+in httpd configuration. This is discussed in detail in the section B<APACHE>
+below.
+
+In more complex configurations, B<acmeman> should be instructed what to
+do using its configuration file. This file, normally named
+F</etc/acmeman.conf>, supplies the definitions of I<domain sources>,
+i.e. configuration files from which to obtain domain names to form the
+certificate CNs and other parameters. At a pinch, the list of domain names
+can be declared in it as well. Several domain sources can be used
+simultaneously. E.g. you can have B<acmeman> look for domain names in
+B<Apache> and B<HAProxy> configurations and obtain an additional list of
+domains from its own configuration, all in the same time.
+
+In any case, B<acmeman> should be run as a periodic cron job, in order to
+ensure that expiring certificates are updated in time. The usual crontab
+entry (for Vixie cron) is
+
+ 0 4 * * * root /usr/bin/acmeman
+
+Exact interval configuration is entirely up to you. For Dillon cron, omit
+the user name field.
+
+When started this way, B<acmeman> will scan the existing certificates and
+select those of them which will expire within a predefined amount of time
+(24h by default, configurable by the B<core.time-delta> statement). Then
+it will scan the configured domain sources to see if any certificates are
+added an alternative CN and if any new certificates should be issued. Having
+created a list of the certificates, it will interact with the ACME server,
+issuing the new ones and updating the ones that need prolongation or
+modification.
+
+=head1 QUICK START
The following is a short introduction to the B<acmeman> configuration. For
-a detailed discussion, see the B<CONFIGURATION> section below.
+a detailed discussion, see the B<CONFIGURATION> section below. For detailed
+discussion of particular domain sources, refer to the section B<SOURCES>.
The configuration file, B</etc/acmeman.conf>, consists of statements,
which have the form B<I<KW>=I<VAL>>, grouped into sections, declared
as B<[I<NAME>]> (square brackets are part of the syntax). Empty lines
and comments (introduced by a hash sign) are ignored.
-Domains which require LetsEncrypt certificates are declared in B<domain>
-section. Each section introduces a single domain. E.g.:
+There are four main use cases:
+
+=head2 APACHE
+
+In most cases no special configuration file is needed. The following
+recipe describes each configuration step. Refer to the section B<SOURCE>,
+subsection B<apache> for a detailed discussion.
+
+=over 4
+
+=item 1. Initial configuration
+
+Run
+
+ acmeman --setup
+
+It will detect the Apache layout, install an additional Apache configuration
+file, F<httpd-letsencrypt.conf> and print the instructions on how to
+enable it. Follow them and enable the B<mod_macro> module.
+
+=item 2. Apache domain setup: plain HTTP
+
+To declare that a virtual host needs SSL certificate, add the following
+line to the Apache B<VirtualHost> block serving plain HTTP for that host:
+
+ Use LetsEncryptChallenge
+
+This will instruct Apache B<httpd> to serve ACME challenges and B<acmeman>
+to request a certificate for that virtual host. The hostname declared with
+the B<ServerName> statement will be used as the B<CN> for the certificate,
+and any names declared via B<ServerAlias> statements will form the list of
+alternative names. For example:
+
+ <VirtualHost *:80>
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptChallenge
+ ...
+ </VirtualHost>
+
+=item 3. Issue the certificate
+
+This step is needed if there is no certificate for this domain yet. Reload
+B<httpd> to fire up the new configuration and run B<acmeman> to issue the
+certificate. If anything goes wrong, try adding one or more B<-d> options
+to B<acmeman> to see what's going on. You can also use the B<-s> option
+during initial debugging of the configuration. This option instructs B<acmeman>
+to use the staging ACME server, instead of the production one. This eliminates
+the risk of hitting the ACME request per IP limit.
+
+=item 4. Apache domain setup: HTTPS
+
+To use the created certificate, add another virtual server for that domain,
+with the same B<ServerName> as above and with 443 as its port value. Add
+the following statement to it:
+
+ Use LetsEncryptSSL DOMAIN
+
+where I<DOMAIN> must be the same as the B<ServerName> value. For example,
+the HTTPS virtual host corresponding to the above example will be:
+
+ <VirtualHost *:443>
+ ServerName example.org
+ ServerAlias www.example.com
+ Use LetsEncryptSSL example.org
+ ...
+ </VirtualHost>
+
+This can be further simplified by using the B<LetsEncryptServer> macro instead
+of the B<ServerName> and B<LetsEncryptSSL> statements, as in:
+
+ <VirtualHost *:443>
+ Use LetsEncryptServer example.org
+ ServerAlias www.example.com
+ ...
+ </VirtualHost>
+
+=back
+
+=head2 HAPROXY
+
+Use the B<file> source. This domain source reads the list of domain
+names from a disk file. The first name in the list becomes the certificate
+B<CN>, rest of names (if any) are used as alternative CNs. For a detailed
+discussion of the B<file> source, refer to the section B<SOURCE>,
+subsection B<file>.
+
+=over 4
+
+=item 1. Create a directory for storing domain name files
+
+This directory will keep domain name files, named after the corresponding
+HAProxy backends. E.g.
+
+ mkdir /etc/haproxy/hosts
+
+=item 2. Configure acmeman
+
+Example F</etc/acmeman.conf> file is:
+
+ [core]
+ source = file /etc/haproxy/hosts
+ postrenew = /usr/sbin/service haproxy restart
+ [files default]
+ type = single
+ certificate-file = /etc/ssl/acme/crt/$domain.pem
+
+The B<core> section declares the source to use. The first argument to
+the B<file> source is the name of the directory where the domain name lists
+are stored. The B<postrenew> statement declares the command to be run
+after all certificates have been renewed. In our case, this command restarts
+B<haproxy>, forcing it to re-read the certificates.
+
+The B<files> statement instructs the program to create, for each domain,
+a single file containing the private key, certificate chain and the domain
+certificate for that domain. The B<$domain> variable in the
+B<certificate-file> declaration will be replaced by the first domain name
+from the list (the B<CN>) for that certificate.
+
+This configuration will keep a separate certificate for each backend in
+B<haproxy> that supports https access. If concerned about request rate
+limit, you can instruct B<acmeman> to maintain a single certificate with
+all domain names as X509v3 subject alternative names instead. To do so,
+use the B<--host> option in the source definition. Its argument specifies
+the domain name to use as the CN for the certificate. E.g.:
+
+ [core]
+ source = file /etc/haproxy/hosts --host=www.example.com
+ ...
+
+=item 3. Configure haproxy
+
+First, configure the plain HTTP frontend, which will be responsible for
+serving ACME challenges and redirecting the rest of the requests to
+HTTPS. The simplest definition is:
+
+ frontend http-in
+ mode http
+ bind :::80 v4v6
+ http-request redirect code 301 location https://%[hdr(host)]%[capture.req.uri] unless { path_beg /.well-known/acme-challenge }
+ use_backend acme if { path_beg /.well-known/acme-challenge }
+
+Actual backend configuration for the B<acme> backend is beyond the scope of
+this manual. Use some simple and lightweight B<http> server capable of serving
+static files, such as B<fileserv> (L<https://www.gnu.org.ua/projects/fileserv>),
+for example.
+
+Then, configure HTTPS section to use certificates from the certificate file
+directory:
+
+ frontend https-in
+ mode http
+ bind :::443 v4v6 ssl crt /etc/ssl/acme/crt
+ # Direct each group of domain names to the corresponding
+ # backend.
+ use_backend d1 if { hdr(host) -f /etc/haproxy/hosts/d1 }
+ use_backend d2 if { hdr(host) -f /etc/haproxy/hosts/d2 }
+ ...
+
+Finally, define the backends.
+
+=back
+
+=head2 Pound
+
+B<Pound> is a light-weight proxy server available from L<https://github.com/graygnuorg/pound>. It is supported by the B<acmeman> source B<pound>, which
+scans the B<pound> configuration file F</etc/pound.cfg>, and extracts domain
+names from the B<Host> directives in B<ListenHTTP> sections that contain
+the B<ACME> statement. Below is a short usage instruction for this source
+module. For a detailed discussion, refer to the section B<SOURCE>, subsection
+B<pound>.
+
+=over 4
+
+=item 1. Add the B<ACME> directive to the B<ListenHTTP> section of your
+F</etc/pound.cfg> file. Its argument is a directory on local file system
+where ACME challenge files will be stored. Make sure that this directory
+is the F<.well-known/acme-challenge> subdirectory of the B<rootdir> in your
+B<acmeman> configuration file.
+
+=item 2. In the same B<ListenHTTP> section, define hostnames which will obtain
+ACME certificates. Make sure to use B<Host> statements with exact string
+matching algorithm. If serving several host names, use the B<Match OR> block.
+
+=back
+
+After these two steps, your listener section will look like:
+
+ ListenHTTP
+ Address 0.0.0.0
+ Port 80
+ ACME "/var/lib/pound/acme/.well-known/acme-challenge"
+ Service
+ Match OR
+ Host "www.example.org"
+ Host "example.org"
+ End
+ ...
+ End
+ End
+
+=over 4
+
+=item 3. Configure B<acmeman>. Use the B<pound> source and make sure
+B<rootdir> is synchronized with the B<ACME> statement in F<pound.cfg>, as
+described in point 1. E.g.:
+
+ [core]
+ source = pound
+ rootdir = /var/lib/pound/acme
+ postrenew = /usr/bin/systemctl restart pound
+
+=back
+
+=head2 Direct configuration
+
+Use direct configuration if none of the provided source types can
+be used. In this case, you define each domain which needs a
+certificate in the F</etc/acmeman.conf> file. First, instruct
+B<acmeman> that no external source of domain names will be used:
+
+ [core]
+ source = null
+
+Then, for each domain name use the B<domain> section, as shown in the
+example below:
[domain example.com]
- alt = www.example.com
- files = default
-
+ alt = www.example.com
+ files = default
+
This section instructs B<acmeman> that a certificate is needed for
domain B<example.com>, using B<www.example.com> as its alternative name,
The B<files> statement identifies the name of a B<files> section containing
@@ -108,80 +344,66 @@ rules for creating certificate files for that domain. This section must be
defined elsewhere in the configuration file. For example:
[files default]
- type = split
- certificate-file = /etc/ssl/acme/$domain/cert.pem
- key-file = /etc/ssl/acme/$domain/privkey.pem
- ca-file = /etc/ssl/acme/$domain/ca.pem
- argument = $domain
-
-This definition tells B<acmeman> that it should store certificate, certficate
+ type = split
+ certificate-file = /etc/ssl/acme/$domain/cert.pem
+ key-file = /etc/ssl/acme/$domain/privkey.pem
+ ca-file = /etc/ssl/acme/$domain/ca.pem
+ argument = $domain
+
+This definition tells B<acmeman> that it should store certificate, certificate
key, and certificate authority chain in three separate files. Names of these
files will be created by replacing the B<$domain> string in the corresponding
-definition with the domain name from the B<domain> section,
-
-In fact, the B<files> section above is the default one. It will be created
-implicitly if no other B<files> section is defined in the configuration file.
-Moreover, the string B<default> is the default identifier, which is used if
-the B<domain> section lacks the B<files> keyword.
+definition with the domain name from the B<domain> section.
-The special section B<[core]> contains basic settings that control the
-program behavior. One of the important settings is B<source>, which declares
-an external source from which domain settings must be obtained. As
-of B<acmeman> version 1.05, the following sources are available:
-B<null>, B<apache>, and B<file>.
-
-Consider the following configuration:
+Several B<[domain]> section can share the same B<[files]> definition, or
+they can have their one, depending on your needs.
- [core]
- source = apache
-
-It instructs B<acmeman> to read domain settings from Apache configuration
-files. This is basically the configuration that is used in the absense of
-the configuration file. See the B<APACHE> section for a detailed discussion
-of this operation mode.
-
=head1 CONFIGURATION
Configuration file controls the operation of B<acmeman>. By default,
its name is B</etc/acmeman.conf>. If it is absent, B<acmeman> falls
back to the legacy operation mode, scanning Apache configuration files
for domains that use LetsEncrypt SSL certificates. See the B<APACHE>
-section below for a detailed description.
+section below for a detailed description.
The configuration file has a traditional line-oriented syntax. Comments
are introduced with a hash sign. Empty lines are ignored. Leading and
trailing whitespace is removed prior to parsing. Long statements can be
split over several physical lines by ending each line excepting the last
one with a backslash immediately followed by a newline character.
-
-Statements have the following syntax:
- KEYWORD = VALUES
+Configuration consists of settings grouped into sections. Syntactically,
+a I<setting> is
+
+ KEYWORD = VALUE
where I<KEYWORD> stands for a symbolic name consisting of alphanumeric
characters, dashes and underscores, and I<VALUE> stands for any sequence
of characters.
-Statements are grouped in sections. Each section is identified by its name
-and optional arguments. The section begins with the construct
+A I<section> is identified by its name and optional arguments. It begins
+with the following construct:
[NAME]
or, if arguments are present:
-
+
[NAME ARG1 ARG2 ...]
The square brackets are part of the syntax.
+A section can contain one or more settings.
+
The statements in the configuration file form a directed graph. Often
in this document we will identify the statement by its I<path>, i.e. a
-list of section name, arguments and the keyword, separated by dots. For
+list of section name, its arguments, and the keyword, separated by dots. For
example, the path B<files.apache.type> corresponds to the following
configuration file fragment:
[files apache]
type = single
+
The following describes the available sections and keywords
=head2 B<[core]>
@@ -197,11 +419,11 @@ Root directory is the directory under which the
F<.well-known/acme-challenge> subdirectory is located.
=item B<time-delta=>I<SECONDS>
-
+
Sets the time window before the actual expiration time, when the certificate
becomes eligible for renewal. I<N> is time in seconds. The default
value is 86400, which means that B<acmeman> will attempt to renew any
-certificate that expires within 24 hours.
+certificate that expires within 24 hours.
The command line option B<--time-delta> overrides this setting.
@@ -213,13 +435,41 @@ server (or whatever server is using the certificates). If more than one
B<postrenew> statements are defined, they will be run in sequence, in the
same order as they appeared in the configuration file.
-=item B<source=>I<ID> [I<ARG>...]
+I<COMMAND> inherits the environment from the B<acmeman> process, with the
+following additional variables:
-Defines additional source of information. B<App::Acmeman> version 1.05
-is shipped with three sources: B<null>, B<apache>, and B<file>.
+=over 8
-The B<null> module is an empty source. Command line arguments are ignored.
-Use this source if all domains are described in the configuration file.
+=item ACMEMAN_CERTIFICATE_COUNT
+
+Total count of renewed certificate files.
+
+=item ACMEMAN_CERTIFICATE_FILE
+
+Whitespace-delimited list of renewed certificate files
+
+=item ACMEMAN_DOMAIN_NAME
+
+Whitespace-delimited list of renewed domain names (CNs).
+
+=item ACMEMAN_ALT_NAMES
+
+Whitespace-delimited list of alternative DNS names from the renewed
+certificate files.
+
+=back
+
+=item B<source=>I<NAME> [I<ARG>...]
+
+Defines the source of domain names. The I<NAME> parameter identifies the
+source, and additional arguments supply the initialization parameters.
+
+The present version of B<acmeman> is shipped with three sources: B<null>,
+B<apache>, and B<file>.
+
+The B<null> module is an empty source. It takes no additional arguments.
+Use this source if all domains are described in the configuration file
+using one or more B<domain> sections.
The B<apache> source module is the default. It scans B<httpd> configuration
files as described in section B<apache>. One argument is allowed. If supplied,
@@ -227,16 +477,21 @@ it defines the apache configuration layout. Allowed values are: B<debian>,
B<slackware>, B<suse> and B<rh> (for Red Hat). Without arguments, the layout
will be autodetected.
+The B<pound> source gathers host names from B<pound> configuration file.
+
The B<file> source reads domain names from one or more disk files. A
mandatory argument specifies the name of the directory where the files
are located. This mode is suitable for use with B<haproxy> pattern files.
-
+
+Multiple B<source> statements can be defined. They will be processed
+sequentially.
+
=item B<files=>I<NAME>
Identifies the B<[files]> section which describes how to create certificate
files for domains which lack explicit B<files> keyword. Default I<NAME> is
B<default>. See the description of the B<files> statement in B<domain>
-section.
+section.
=item B<check-alt-names=>I<BOOL>
@@ -247,8 +502,7 @@ don't match. This uses an ad-hoc logic, due to the deficiency of the
underlying X509 module, and therefore is not enabled by default.
Valid values for I<BOOL> are: B<1>, B<on>, B<true>, or B<yes>, for
-true, and B<0>, B<off>, B<false>, or B<no> for false (all values
-case-insensitive).
+true, and B<0>, B<off>, B<false>, or B<no> for false.
=item B<check-dns=>I<BOOL>
@@ -257,7 +511,7 @@ host name has an A DNS record pointing back to one of the IP addresses
of the server. Hostnames which don't satisfy this condition will be ignored.
The IP of the server is determined by looking up the A record for its
hostname. This can be overridden using the B<my-ip> configuration statement.
-
+
=item B<key-size=>I<N>
Size of the RSA key to use, in bits. Default is 4096.
@@ -266,55 +520,108 @@ Size of the RSA key to use, in bits. Default is 4096.
Declares IP address (or addresses) of this server. Use this keyword if
the server IP cannot be reliably determined by resolving its hostname.
-Special I<IP> B<$hostip> stands for the IP retreived by resolving the
+Special I<IP> B<$hostip> stands for the IP retrieved by resolving the
hostname.
-
+
+=back
+
+=head2 B<[account]>
+
+Configures where to store ACME account credentials: account key ID and
+account private key. Both values are stored in separate files on disk.
+If the files do not exist B<acmeman> will initiate creation of a new
+account and will save its credentials for further use.
+
+=over 4
+
+=item B<directory=>I<DIR>
+
+Directory where to store credential files. Defaults to
+F</etc/ssl/acme>.
+
+=item B<id=>I<FILE>
+
+Name of the file with account key ID. Unless I<FILE> begins with a
+directory separator, it is taken relative to B<account.directory>.
+
+Default: F</etc/ssl/acme/key.id>.
+
+=item B<key=>I<FILE>
+
+Name of the file with account key. Unless I<FILE> begins with a
+directory separator, it is taken relative to B<account.directory>.
+
+Default: F</etc/ssl/acme/key.pem>.
+
=back
=head2 B<[domain I<CN>]>
Declares the domain for which a certificate should be maintained. I<CN> is
the canonical name for the domain. Alternative names can be specified using
-the B<alt> keyword.
-
+the B<alt> setting within the section.
+
=over 4
=item B<files=>I<ID>
Identifies the B<[files]> section which describes how to create certificate
-files for this domain. In the absense of this statement, the B<files>
+files for this domain. In the absence of this statement, the B<files>
statement from the B<[core]> section will be used.
-
+
=item B<alt=>I<NAME>
Defines alternative name for the certificate. Multiple B<alt> statements
-are allowed.
+are allowed.
=item B<key-size=>I<N>
Size of the RSA key to use, in bits. If not set, the B<core.key-size>
-setting is used.
+setting is used.
=item B<postrenew=>I<CMD>
Run I<CMD> after successful update. If not given, the B<core.postrenew>
-commands will be run.
-
+commands will be run.
+
+If more than one B<postrenew> statements are defined, they will be run in
+sequence, in the same order as they appeared in the configuration file.