You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

101 lines
6.1 KiB

6 years ago
6 years ago
6 years ago
  1. [//]: # (Copyright 2019 Rodolphe Bréard <rodolphe@breard.tf>)
  2. [//]: # (Copying and distribution of this file, with or without modification,)
  3. [//]: # (are permitted in any medium without royalty provided the copyright)
  4. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  5. [//]: # (without any warranty.)
  6. # ACMEd
  7. [![Build Status](https://api.travis-ci.org/breard-r/acmed.svg?branch=master)](https://travis-ci.org/breard-r/acmed)
  8. [![Minimum rustc version](https://img.shields.io/badge/rustc-1.32.0+-lightgray.svg)](#build-from-source)
  9. [![LICENSE MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE-MIT.txt)
  10. [![LICENSE Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE-APACHE-2.0.txt)
  11. The Automatic Certificate Management Environment (ACME), is an internet standard ([RFC 8555](https://tools.ietf.org/html/rfc8555)) which allows to automate X.509 certificates signing by a Certification Authority (CA). ACMEd is one of the many clients for this protocol.
  12. ## Key features
  13. - http-01, dns-01 and tls-alpn-01 challenges
  14. - RSA 2048, RSA 4096, ECDSA P-256 and ECDSA P-384 certificates
  15. - Fully customizable challenge validation action
  16. - Fully customizable archiving method (yes, you can use git or anything else)
  17. - Nice and simple configuration file
  18. - Run as a deamon: no need to set-up timers, crontab or other time-triggered process
  19. - Retry of HTTPS request rejected with a badNonce or other recoverable errors
  20. - Customizable HTTPS requests rate limits.
  21. - Optional key pair reuse (useful for [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning))
  22. - For a given certificate, each domain name may be validated using a different challenge.
  23. - A standalone server dedicated to the tls-alpn-01 challenge validation (tacd).
  24. ## Planned features
  25. - A pre-built set of hooks that can be used in most circumstances
  26. - Daemon and certificates management via the `acmectl` tool
  27. - Nonce scoping configuration
  28. - HTTP/2 support
  29. ## Project status
  30. This project is usable, but is still a work in progress. Each release should works well and accordingly to its documentation.
  31. Because the API has not been stabilized yet, breaking changes may occur. Therefore, before any upgrade, you are invited to read the [CHANGELOG](CHANGELOG.md) and check if any change can break your setup.
  32. Please keep in mind this software has neither been subject to a peer review nor to a security audit.
  33. ## Documentation
  34. This project provides the following man pages:
  35. - acmed (8)
  36. - acmed.toml (5)
  37. - tacd (8)
  38. ## Build from source
  39. In order to compile ACMEd, you will need the [Rust](https://www.rust-lang.org/) compiler and its package manager, Cargo. The minimal required Rust version is 1.34.2, although it is recommended to use the latest stable one.
  40. ACMEd depends OpenSSL 1.1.0 or higher.
  41. On systems based on Debian/Ubuntu, you may need to install the `libssl-dev`, `build-essential` and `pkg-config` packages.
  42. ```
  43. $ make
  44. $ make install
  45. ```
  46. ## Frequently Asked Questions
  47. ### Why this project?
  48. After testing multiple ACME clients, I found out none supported all the features I wished for (see the key features above). It may have been possible to contribute or fork an existing project, however I believe those project made architectural choices incompatible with what i wanted, and therefore it would be as much or less work to start a new project from scratch.
  49. ### Is it free and open-source software?
  50. Yes, ACMEd is dual-licensed under the MIT and Apache 2.0 terms. See [LICENSE-MIT.txt](LICENSE-MIT.txt) and [LICENSE-APACHE-2.0.txt](LICENSE-APACHE-2.0.txt) for details.
  51. The man pages, the default hooks configuration file, the `CHANGELOG.md` and the `README.md` files are released under the [GNU All-Permissive License](https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html).
  52. ### Can it automatically change my server configuration?
  53. Short answer: No.
  54. Long answer: At some points in a certificate's life, ACMEd triggers hook in order to let you customize how some actions are done, therefore you can use those hooks to modify any server configuration you wish. However, this may not be what you are looking for since it cannot proactively detect which certificates should be emitted since ACMEd only manages certificates that have already been declared in the configuration files.
  55. ### Is it suitable for beginners?
  56. It depends on your definition of a beginner. This software is intended to be used by system administrator with a certain knowledge of their environment. Furthermore, it is also expected to know the bases of the ACME protocol. Let's Encrypt wrote a nice article about [how it works](https://letsencrypt.org/how-it-works/).
  57. ### Why is RSA 2048 the default?
  58. Yes, ACMED support RSA 4096, ECDSA P-256 and ECDSA P-384. However, those are not (yet) fitted to be the default choice.
  59. It is not obvious at the first sight, but [RSA 4096](https://gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) is NOT twice more secure than RSA 2048. In fact, it adds a lot more calculation while providing only a small security improvement. If you think you will use it anyway since you are more concerned about security than performance, please check your certificate chain up to the root. Most of the time, the root certificate and the intermediates will be RSA 2048 ones (that is the case for [Let’s Encrypt](https://letsencrypt.org/certificates/)). If so, using RSA 4096 in the final certificate will not add any additional security since a system's global security level is equal to the level of its weakest point.
  60. ECDSA certificates may be a good alternative to RSA since, for the same security level, they are smaller and requires less computation, hence improve performance. Unfortunately, as X.509 certificates may be used in various contexts, some software may not support this not-so-recent technology. To achieve maximal compatibility while using ECC, you usually have to set-up an hybrid configuration with both an ECDSA and a RSA certificate to fall-back to. Therefore, even if you are encouraged to use ECDSA certificates, it should not currently be the default. That said, it may be in a soon future.