You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

634 lines
19 KiB

5 years ago
4 years ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd June 12, 2020
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic include
  22. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  23. .Pp
  24. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  25. .Em A
  26. includes files
  27. .Em B
  28. and
  29. .Em C
  30. and all three defines the same global option, the final value will be the one defined in file
  31. .Em C .
  32. .It Ic global
  33. Table containing the global configuration options.
  34. .Bl -tag
  35. .It Cm accounts_directory Ar string
  36. Specify the directory where the accounts private and public keys are stored.
  37. .It Cm certificates_directory Ar string
  38. Specify the directory where the certificates and their associated private keys are stored.
  39. .It Cm cert_file_mode Ar integer
  40. Specify the permissions to use for newly-created certificates files. See
  41. .Xr chmod 2
  42. for more details.
  43. .It Cm cert_file_user Ar username|user_id Ft string
  44. Specify the user who will own newly-created certificates files. See
  45. .Xr chown 2
  46. for more details.
  47. .It Cm cert_file_group Ar group_name|group_id Ft string
  48. Specify the group who will own newly-created certificates files. See
  49. .Xr chown 2
  50. for more details.
  51. .It Ic env Ar table
  52. Table of environment variables that will be accessible from hooks.
  53. .It Cm pk_file_mode Ar integer
  54. Specify the permissions to use for newly-created private-key files. See
  55. .Xr chmod 2
  56. for more details.
  57. .It Cm pk_file_user Ar username|user_id Ft string
  58. Specify the user who will own newly-created private-key files. See
  59. .Xr chown 2
  60. for more details.
  61. .It Cm pk_file_group Ar group_name|group_id Ft string
  62. Specify the group who will own newly-created private-key files. See
  63. .Xr chown 2
  64. for more details.
  65. .El
  66. .It Ic rate-limit
  67. Array of table where each element defines a HTTPS rate limit.
  68. .Bl -tag
  69. .It Cm name Ar string
  70. The name the rate limit is registered under. Must be unique.
  71. .It Cm number Ar integer
  72. Number of requests authorized withing the time period.
  73. .It Cm period Ar string
  74. Period of time during which a maximal number of requests is authorized. The format is described in the
  75. .Sx TIME PERIODS
  76. section.
  77. .El
  78. .It Ic endpoint
  79. Array of table where each element defines a Certificate Authority
  80. .Pq CA
  81. which may be used to request certificates.
  82. .Bl -tag
  83. .It Cm name Ar string
  84. The name the endpoint is registered under. Must be unique.
  85. .It Cm rate_limits Ar array
  86. Array containing the names of the HTTPS rate limits to apply.
  87. .It Cm tos_agreed Ar boolean
  88. Set whether or not the user agrees to the Terms Of Service
  89. .Pq TOS .
  90. .It Cm url Ar string
  91. The endpoint's directory URL.
  92. .El
  93. .It Ic hook
  94. Array of table where each element defines a command that will be launched at a defined point. See section
  95. .Sx WRITING A HOOK
  96. for more details.
  97. .Bl -tag
  98. .It Cm allow_failure Ar boolean
  99. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  100. .It Cm name Ar string
  101. The name the hook is registered under. Must be unique.
  102. .It Cm type Ar array
  103. Array of strings. Possible types are:
  104. .Bl -dash -compact
  105. .It
  106. challenge-http-01
  107. .It
  108. challenge-http-01-clean
  109. .It
  110. challenge-dns-01
  111. .It
  112. challenge-dns-01-clean
  113. .It
  114. challenge-tls-alpn-01
  115. .It
  116. challenge-tls-alpn-01-clean
  117. .It
  118. file-pre-create
  119. .It
  120. file-pre-edit
  121. .It
  122. file-post-create
  123. .It
  124. file-post-edit
  125. .It
  126. post-operation
  127. .El
  128. .It Ic cmd Ar string
  129. The name of the command that will be launched.
  130. .It Ic args Ar array
  131. Array of strings representing the command's arguments.
  132. .It Ic stdin Ar string
  133. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  134. .Em stdin_str .
  135. .It Ic stdin_str Ar string
  136. String that will be written into the command's standard input. Mutually exclusive with
  137. .Em stdin .
  138. .It Ic stdout Ar string
  139. Path to the file where the command's standard output if written.
  140. .It Ic stderr Ar string
  141. Path to the file where the command's standard error output if written.
  142. .El
  143. .It Ic group
  144. Array of table allowing to group several hooks as one. A group is considered as new hook.
  145. .Bl -tag
  146. .It Cm name Ar string
  147. The name the group is registered under. This name is considered as a hook name. Must be unique.
  148. .It Cm hooks Ar array
  149. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  150. .El
  151. .It Ic account
  152. Array of table representing an account on one or several CA.
  153. .Bl -tag
  154. .It Ic name Ar string
  155. The name the account is registered under. Must be unique.
  156. .It Ic email Ar string
  157. The email address used to contact the account's holder.
  158. .El
  159. .It Ic certificate
  160. Array of table representing a certificate that will be requested to a CA.
  161. .Pp
  162. Note that certificates are identified by the first domain in the list of domains. That means that if you reorder the domains so that a different domain is at the first position, a new certificate with a new name will be issued.
  163. .Bl -tag
  164. .It Ic account Ar string
  165. Name of the account to use.
  166. .It Ic endpoint Ar string
  167. Name of the endpoint to use.
  168. .It Ic env Ar table
  169. Table of environment variables that will be accessible from hooks.
  170. .It Ic domains Ar array
  171. Array of tables listing the domains that should be included in the certificate along with the challenge to use for each one.
  172. .Bl -tag
  173. .It Ic challenge Ar string
  174. The name of the challenge to use to prove the domain's ownership. Possible values are:
  175. .Bl -dash -compact
  176. .It
  177. http-01
  178. .It
  179. dns-01
  180. .It
  181. tls-alpn-01
  182. .El
  183. .It Ic dns Ar string
  184. The domain name.
  185. .It Ic env Ar table
  186. Table of environment variables that will be accessible from hooks.
  187. .El
  188. .It Ic algorithm Ar string
  189. Name of the asymetric cryptography algorithm used to generate the certificate's key pair. Possible values are :
  190. .Bl -dash -compact
  191. .It
  192. rsa2048
  193. .Aq default
  194. .It
  195. rsa4096
  196. .It
  197. ecdsa_p256
  198. .It
  199. ecdsa_p384
  200. .El
  201. .It Ic kp_reuse Ar boolean
  202. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  203. .It Ic directory Ar string
  204. Path to the directory where certificates and their associated private keys are stored.
  205. .It Ic hooks Ar array
  206. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  207. .El
  208. .Sh WRITING A HOOK
  209. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every domains to be included: It requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: Although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  210. .Pp
  211. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  212. .Xr acmed 8
  213. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  214. .Pp
  215. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  216. .Pp
  217. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  218. .Pp
  219. When writing a hook, the values of
  220. .Em args ,
  221. .Em stdin ,
  222. .Em stdin_str ,
  223. .Em stdout
  224. and
  225. .Em stderr
  226. are considered as template strings whereas
  227. .Em cmd
  228. is not. The template syntax is
  229. .Em Handlebars .
  230. See the
  231. .Sx STANDARDS
  232. section for a link to the
  233. .Em Handlebars
  234. specifications.
  235. .Pp
  236. The available types and the associated template variable are described below.
  237. .Bl -tag
  238. .It Ic challenge-http-01
  239. Invoked when the ownership of a domain must be proved using the
  240. .Em http-01
  241. challenge. The available template variables are:
  242. .Bl -tag -compact
  243. .It Cm challenge Ar string
  244. The name of the challenge type
  245. .Aq http-01 .
  246. Mostly used in hooks with multiple types.
  247. .It Cm domain Ar string
  248. The domain name whom ownership is currently being validated.
  249. .It Cm env Ar array
  250. Array containing all the environment variables.
  251. .It Cm file_name Ar string
  252. Name of the file containing the proof. This is not a full path and does not include the
  253. .Ql .well-known/acme-challenge/
  254. prefix.
  255. .It Cm is_clean_hook Ar bool
  256. False
  257. .It Cm proof Ar string
  258. The content of the proof that must be written to
  259. .Em file_name .
  260. .El
  261. .It Ic challenge-http-01-clean
  262. Invoked once a domain ownership has been proven using the
  263. .Em http-01
  264. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  265. .Em challenge-http-01
  266. hook, excepted
  267. .Em is_clean_hook
  268. which is set to
  269. .Em true .
  270. .It Ic challenge-dns-01
  271. Invoked when the ownership of a domain must be proved using the
  272. .Em dns-01
  273. challenge. The available template variables are:
  274. .Bl -tag -compact
  275. .It Cm challenge Ar string
  276. The name of the challenge type
  277. .Aq dns-01 .
  278. Mostly used in hooks with multiple types.
  279. .It Cm domain Ar string
  280. The domain name whom ownership is currently being validated.
  281. .It Cm env Ar array
  282. Array containing all the environment variables.
  283. .It Cm is_clean_hook Ar bool
  284. False
  285. .It Cm proof Ar string
  286. The content of the proof that must be written to a
  287. .Ql TXT
  288. entry of the DNS zone for the
  289. .Ql _acme-challenge
  290. subdomain.
  291. .El
  292. .It Ic challenge-dns-01-clean
  293. Invoked once a domain ownership has been proven using the
  294. .Em dns-01
  295. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  296. .Em challenge-dns-01
  297. hook, excepted
  298. .Em is_clean_hook
  299. which is set to
  300. .Em true .
  301. .It Ic challenge-tls-alpn-01
  302. Invoked when the ownership of a domain must be proved using the
  303. .Em tls-alpn-01
  304. challenge. The available template variables are:
  305. .Bl -tag -compact
  306. .It Cm challenge Ar string
  307. The name of the challenge type
  308. .Aq tls-alpn-01 .
  309. Mostly used in hooks with multiple types.
  310. .It Cm domain Ar string
  311. The domain name whom ownership is currently being validated.
  312. .It Cm env Ar array
  313. Array containing all the environment variables.
  314. .It Cm is_clean_hook Ar bool
  315. False
  316. .It Cm proof Ar string
  317. Plain-text representation of the
  318. .Em acmeIdentifier
  319. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  320. .Qd acme-tls/1
  321. ALPN extension value.
  322. .Xr acmed 8
  323. will not generate the certificate itself since it can be done using
  324. .Xr tacd 8 .
  325. .El
  326. .It Ic challenge-tls-alpn-01-clean
  327. Invoked once a domain ownership has been proven using the
  328. .Em tls-alpn-01
  329. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  330. .Em challenge-tls-alpn-01
  331. hook, excepted
  332. .Em is_clean_hook
  333. which is set to
  334. .Em true .
  335. .It Ic file-pre-create
  336. Invoked
  337. .Em before
  338. a non-existent file
  339. .Em created .
  340. The available template variables are:
  341. .Bl -tag -compact
  342. .It Cm env Ar array
  343. Array containing all the environment variables.
  344. .It Cm file_directory Ar string
  345. Name of the directory where the impacted file is located.
  346. .It Cm file_name Ar string
  347. Name of the impacted file.
  348. .It Cm file_path Ar string
  349. Full path to the impacted file.
  350. .El
  351. .It Ic file-pre-edit
  352. Invoked
  353. .Em before
  354. an existent file
  355. .Em modified .
  356. The available template variables are the same as those available for the
  357. .Em file-pre-create
  358. type.
  359. .It Ic file-post-create
  360. Invoked
  361. .Em after
  362. a non-existent file
  363. .Em created .
  364. The available template variables are the same as those available for the
  365. .Em file-pre-create
  366. type.
  367. .It Ic file-post-edit
  368. Invoked
  369. .Em after
  370. an existent file
  371. .Em modified .
  372. The available template variables are the same as those available for the
  373. .Em file-pre-create
  374. type.
  375. .It Ic post-operation
  376. Invoked at the end of the certificate request process. The available template variables are:
  377. .Bl -tag -compact
  378. .It Cm algorithm Ar string
  379. Name of the algorithm used in the certificate.
  380. .It Cm domains Ar string
  381. Array containing the domain names included in the requested certificate.
  382. .It Cm env Ar array
  383. Array containing all the environment variables.
  384. .It Cm is_success Ar boolean
  385. True if the certificate request is successful.
  386. .It Cm status Ar string
  387. Human-readable status. If the certificate request failed, it contains the error description.
  388. .El
  389. .El
  390. .Sh DEFAULT HOOKS
  391. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  392. .Bl -tag
  393. .It Pa git
  394. This hook uses
  395. .Xr git 1
  396. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  397. .Ev GIT_USERNAME
  398. and
  399. .Ev GIT_EMAIL
  400. environment variables.
  401. .It Pa http-01-echo
  402. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  403. .Pa {{env.HTTP_ROOT}}/{{domain}}/.well-known/acme-challenge/{{file_name}} .
  404. .Pp
  405. The web server must be configured so the file
  406. .Pa http://{{domain}}/.well-known/acme-challenge/{{file_name}}
  407. can be accessed from the CA.
  408. .Pp
  409. If
  410. .Ev HTTP_ROOT
  411. is not specified, it will be set to
  412. .Pa /var/www .
  413. .It Pa tls-alpn-01-tacd-tcp
  414. This hook is designed to solve the tls-alpn-01 challenge using
  415. .Xr tacd 8 .
  416. It requires
  417. .Xr pkill 1
  418. to support the
  419. .Em Ar -F
  420. option.
  421. .Pp
  422. .Xr tacd 8
  423. will listen on the host defined by the
  424. .Ev TACD_HOST
  425. environment variable (default is the domain to be validated) and on the port defined by the
  426. .Ev TACD_PORT
  427. environment variable (default is 5001).
  428. .Pp
  429. .Xr tacd 8
  430. will store its pid into
  431. .Pa {{TACD_PID_ROOT}}/tacd_{{domain}}.pid .
  432. If
  433. .Ev TACD_PID_ROOT
  434. is not specified, it will be set to
  435. .Pa /run .
  436. .It Pa tls-alpn-01-tacd-unix
  437. This hook is designed to solve the tls-alpn-01 challenge using
  438. .Xr tacd 8 .
  439. It requires
  440. .Xr pkill 1
  441. to support the
  442. .Em Ar -F
  443. option.
  444. .Pp
  445. .Xr tacd 8
  446. will listen on the unix socket
  447. .Pa {{env.TACD_SOCK_ROOT}}/tacd_{{domain}}.sock .
  448. If
  449. .Ev TACD_SOCK_ROOT
  450. is not specified, it will be set to
  451. .Pa /run .
  452. .Pp
  453. .Xr tacd 8
  454. will store its pid into
  455. .Pa {{TACD_PID_ROOT}}/tacd_{{domain}}.pid .
  456. If
  457. .Ev TACD_PID_ROOT
  458. is not specified, it will be set to
  459. .Pa /run .
  460. .El
  461. .Sh TIME PERIODS
  462. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  463. .Ar PM[PM...]
  464. where
  465. .Ar M
  466. is case sensitive character representing a length and
  467. .Ar P
  468. is an integer representing a multiplayer for the following length. The authorized length are:
  469. .Bl -dash -compact
  470. .It
  471. .Ar s :
  472. second
  473. .It
  474. .Ar m :
  475. minute
  476. .It
  477. .Ar h :
  478. hour
  479. .It
  480. .Ar d :
  481. day
  482. .It
  483. .Ar w :
  484. week
  485. .El
  486. The
  487. .Ar PM
  488. couples can be specified multiple times and in any order.
  489. .Pp
  490. For example,
  491. .Dq 1d42s and
  492. .Dq 40s20h4h2s
  493. both represents a period of one day and forty-two seconds.
  494. .Sh FILES
  495. .Bl -tag
  496. .It Pa /etc/acmed/acmed.toml
  497. Default
  498. .Xr acmed 8
  499. configuration file.
  500. .It Pa /etc/acmed/accounts
  501. Default accounts private and public keys directory.
  502. .It Pa /etc/acmed/certs
  503. Default certificates and associated private keys directory.
  504. .Sh EXAMPLES
  505. The following example defines a typical endpoint, account and certificate for a domain and several subdomains.
  506. .Bd -literal -offset indent
  507. [[endpoint]]
  508. name = "example name"
  509. url = "https://acme.example.org/directory"
  510. tos_agreed = true
  511. [[account]]
  512. name = "my test account"
  513. email = "certs@exemple.net"
  514. [[certificate]]
  515. endpoint = "example name"
  516. account = "my test account"
  517. domains = [
  518. { dns = "exemple.net", challenge = "http-01"},
  519. { dns = "1.exemple.net", challenge = "dns-01"},
  520. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  521. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  522. ]
  523. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  524. env.HTTP_ROOT = "/srv/http"
  525. .Ed
  526. .Pp
  527. It is possible to use
  528. .Xr echo 1
  529. to solve the
  530. .Em http-01
  531. challenge and
  532. .Xr rm 1
  533. to clean it.
  534. .Xr mkdir 1
  535. and
  536. .Xr chmod 1
  537. are used to prevent issues related to file access.
  538. .Bd -literal -offset indent
  539. [[hook]]
  540. name = "http-01-echo-mkdir"
  541. type = ["challenge-http-01"]
  542. cmd = "mkdir"
  543. args = [
  544. "-m", "0755",
  545. "-p", "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{domain}}/.well-known/acme-challenge"
  546. ]
  547. [[hook]]
  548. name = "http-01-echo-echo"
  549. type = ["challenge-http-01"]
  550. cmd = "echo"
  551. args = ["{{proof}}"]
  552. stdout = "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  553. [[hook]]
  554. name = "http-01-echo-chmod"
  555. type = ["challenge-http-01-clean"]
  556. cmd = "chmod"
  557. args = [
  558. "a+r",
  559. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  560. ]
  561. [[hook]]
  562. name = "http-01-echo-clean"
  563. type = ["challenge-http-01-clean"]
  564. cmd = "rm"
  565. args = [
  566. "-f",
  567. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  568. ]
  569. .Ed
  570. .Pp
  571. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  572. .Bd -literal -offset indent
  573. [[group]]
  574. name = "http-01-echo-var-www"
  575. hooks = [
  576. "http-01-echo-mkdir",
  577. "http-01-echo-echo",
  578. "http-01-echo-chmod",
  579. "http-01-echo-clean"
  580. ]
  581. [[certificate]]
  582. # Some fields omitted
  583. hooks = ["http-01-echo"]
  584. env.HTTP_ROOT = "/srv/http"
  585. .Ed
  586. .Pp
  587. It is also possible to use
  588. .Xr sendmail 8
  589. in a hook in order to notif someone when the certificate request process is done.
  590. .Bd -literal -offset indent
  591. [[hook]]
  592. name = "email-report"
  593. type = ["post-operation"]
  594. cmd = "sendmail"
  595. args = [
  596. "-f", "noreply.certs@example.net",
  597. "contact@example.net"
  598. ]
  599. stdin_str = """Subject: Certificate renewal {{#if is_success}}succeeded{{else}}failed{{/if}} for {{domains.[0]}}
  600. The following certificate has {{#unless is_success}}*not* {{/unless}}been renewed.
  601. domains: {{#each domains}}{{#if @index}}, {{/if}}{{this}}{{/each}}
  602. algorithm: {{algorithm}}
  603. status: {{status}}"""
  604. .Ed
  605. .Sh SEE ALSO
  606. .Xr acmed 8 ,
  607. .Xr tacd 8
  608. .Sh STANDARDS
  609. .Bl
  610. .It
  611. .Rs
  612. .%A Tom Preston-Werner
  613. .%D July 2018
  614. .%T TOML v0.5.0
  615. .%U https://github.com/toml-lang/toml
  616. .Re
  617. .It
  618. .Rs
  619. .%A Yehuda Katz
  620. .%T Handlebars
  621. .%U https://handlebarsjs.com/
  622. .Re
  623. .El
  624. .Sh AUTHORS
  625. .An Rodolphe Bréard
  626. .Aq rodolphe@breard.tf