You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

867 lines
26 KiB

5 years ago
11 months ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd Feb 10, 2024
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic account
  22. Array of table representing an account on one or several endpoint.
  23. .Bl -tag
  24. .It Ic contacts Ar array
  25. Array of tables describing describing the account holder's contact information. Each table must have one and only one key-value pair. Possible keys and their associated values are:
  26. .Bl -tag
  27. .It Ic mailto Ar string
  28. A mailto URI as defined by
  29. .Em RFC 6068 .
  30. This URI cannot contains neither
  31. .Dq hfields
  32. nor more than one
  33. .Dq addr-spec
  34. in the
  35. .Dq to
  36. component.
  37. .El
  38. .It Ic env Ar table
  39. Table of environment variables that will be accessible from hooks.
  40. .It Ic external_account Ar table
  41. Table containing the information required to bind the account to an external one. Possible fields and values are:
  42. .Bl -tag
  43. .It Ic identifier Ar string
  44. ASCII string identifying the key.
  45. .It Ic key Ar string
  46. Private key encoded in base64url without padding.
  47. .It Ic signature_algorithm Ar string
  48. Name of the signature algorithm used to sign the external account binding message sent to the endpoint as defined in
  49. .Em RFC 7518 .
  50. Possible values are:
  51. .Bl -dash -compact
  52. .It
  53. HS256
  54. .Aq default
  55. .It
  56. HS384
  57. .It
  58. HS512
  59. .El
  60. .El
  61. .It Ic hooks Ar array
  62. Names of hooks that will be called during operations on the account storage file. The hooks are guaranteed to be called sequentially in the declaration order.
  63. .It Cm key_type Ar string
  64. Name of the asymmetric cryptography algorithm used to generate the key pair. Possible values are:
  65. .Bl -dash -compact
  66. .It
  67. ed25519
  68. .It
  69. ed448
  70. .It
  71. ecdsa_p256
  72. .Aq default
  73. .It
  74. ecdsa_p384
  75. .It
  76. ecdsa_p521
  77. .It
  78. rsa2048
  79. .It
  80. rsa4096
  81. .El
  82. .It Ic name Ar string
  83. The name the account is registered under. Must be unique.
  84. .It Cm signature_algorithm Ar string
  85. Name of the signature algorithm used to sign the messages sent to the endpoint as defined in
  86. .Em RFC 7518 .
  87. The default value is derived from the key type. Possible values are:
  88. .Bl -dash -compact
  89. .It
  90. ES256
  91. .It
  92. ES384
  93. .It
  94. ES512
  95. .It
  96. RS256
  97. .El
  98. .El
  99. .It Ic certificate
  100. Array of table representing a certificate that will be requested to a CA.
  101. .Pp
  102. Note that, by default, certificates are identified by the first identifier in the list of identifiers. That means that if you reorder the identifiers so that a different identifier is at the first position, a new certificate with a new name will be issued.
  103. .Bl -tag
  104. .It Ic account Ar string
  105. Name of the account to use.
  106. .It Ic csr_digest Ar string
  107. Name of the certificate's signing request digest algorithm. Possible values are:
  108. .Bl -dash -compact
  109. .It
  110. sha256
  111. .Aq default
  112. .It
  113. sha384
  114. .It
  115. sha512
  116. .El
  117. .It Ic directory Ar string
  118. Path to the directory where certificates and their associated private keys are stored.
  119. .It Ic endpoint Ar string
  120. Name of the endpoint to use.
  121. .It Ic env Ar table
  122. Table of environment variables that will be accessible from hooks.
  123. .It Ic file_name_format Ar string
  124. Template used to build the file's name. The template syntax is
  125. .Em MiniJinja .
  126. See the
  127. .Sx STANDARDS
  128. section for a link to the
  129. .Em MiniJinja
  130. specifications. If not specified, the value defined in the
  131. .Em endpoint
  132. element, and then the
  133. .Em global
  134. element, is used. Default is
  135. .Dq {{ name }}_{{ key_type }}.{{ file_type }}.{{ ext }} .
  136. Possible variables are:
  137. .Bl -tag
  138. .It Ic ext Ar string
  139. File extension. See
  140. .Xr cert_file_ext
  141. and
  142. .Xr pk_file_ext
  143. .It Ic file_type Ar string
  144. Contains
  145. .Dq pk
  146. for the private key file and
  147. .Dq crt
  148. for the certificate file.
  149. .It Ic key_type Ar string
  150. The certificate's private key type.
  151. .It Ic name Ar string
  152. The certificate's name.
  153. .El
  154. .It Ic hooks Ar array
  155. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  156. .It Ic identifiers Ar array
  157. Array of tables listing the identifiers that should be included in the certificate along with the challenge to use for each one. The
  158. .Em dns
  159. and
  160. .Em ip
  161. fields are mutually exclusive.
  162. .Bl -tag
  163. .It Ic challenge Ar string
  164. The name of the challenge to use to prove the identifier's ownership. Possible values are:
  165. .Bl -dash -compact
  166. .It
  167. dns-01
  168. .It
  169. http-01
  170. .It
  171. tls-alpn-01
  172. .El
  173. .It Ic dns Ar string
  174. The domain name.
  175. .It Ic env Ar table
  176. Table of environment variables that will be accessible from hooks.
  177. .It Ic ip Ar string
  178. The IP address.
  179. .El
  180. .It Ic key_type Ar string
  181. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair. Possible values are:
  182. .Bl -dash -compact
  183. .It
  184. ed25519
  185. .It
  186. ed448
  187. .It
  188. ecdsa_p256
  189. .It
  190. ecdsa_p384
  191. .It
  192. ecdsa_p521
  193. .It
  194. rsa2048
  195. .Aq default
  196. .It
  197. rsa4096
  198. .El
  199. .It Ic kp_reuse Ar boolean
  200. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  201. .It Ic name
  202. Name of the certificate. Must be unique unless the key type is different. Will be used in logs and in the associated file's name. The
  203. .Sq * ,
  204. .So
  205. :
  206. .Sc
  207. and
  208. .Sq /
  209. characters will be replaced by an underscore. Default is the first identifier.
  210. .It Cm random_early_renew Ar string
  211. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  212. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  213. .Sx TIME PERIODS
  214. section. Default is the value defined in the associated endpoint.
  215. .It Cm renew_delay Ar string
  216. Period of time between the certificate renewal and its expiration date. The format is described in the
  217. .Sx TIME PERIODS
  218. section. Default is the value defined in the associated endpoint.
  219. .It Ic subject_attributes Ar table
  220. Table where the certificate's subject attributes are specified. Possible keys, with their RFC 4519 and X.500 equivalents, are:
  221. .Bl -column -offset indent ".Sy organizational_unit_name" ".Sy generationQualifier" ".Sy organizationalUnitName"
  222. .It Sy ACMEd key Ta Sy RFC 4519 Ta Sy X.500
  223. .It Li country_name Ta c Ta countryName
  224. .It Li generation_qualifier Ta generationQualifier Ta
  225. .It Li given_name Ta givenName Ta
  226. .It Li initials Ta initials Ta
  227. .It Li locality_name Ta l Ta localityName
  228. .It Li name Ta name Ta
  229. .It Li organization_name Ta o Ta organizationName
  230. .It Li organizational_unit_name Ta ou Ta organizationalUnitName
  231. .It Li pkcs9_email_address Ta Ta
  232. .It Li postal_address Ta postalAddress Ta
  233. .It Li postal_code Ta postalCode Ta
  234. .It Li state_or_province_name Ta st Ta stateOrProvinceName
  235. .It Li street Ta street Ta streetAddress
  236. .It Li surname Ta sn Ta surname
  237. .It Li title Ta title Ta
  238. .El
  239. .El
  240. .It Ic endpoint
  241. Array of table where each element defines a Certificate Authority
  242. .Pq CA
  243. which may be used to request certificates.
  244. .Bl -tag
  245. .It Cm file_name_format Ar string
  246. Template used to build the file's name. For detailed documentation, see the
  247. .Em file_name_format
  248. directive located in the
  249. .Em certificate
  250. element.
  251. .It Cm name Ar string
  252. The name the endpoint is registered under. Must be unique.
  253. .It Cm rate_limits Ar array
  254. Array containing the names of the HTTPS rate limits to apply.
  255. .It Cm random_early_renew Ar string
  256. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  257. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  258. .Sx TIME PERIODS
  259. section. Default is the value defined in the global section.
  260. .It Cm renew_delay Ar string
  261. Period of time between the certificate renewal and its expiration date. The format is described in the
  262. .Sx TIME PERIODS
  263. section. Default is the value defined in the global section.
  264. .It Cm root_certificates Ar array
  265. Array containing the path to root certificates that should be added to the trust store.
  266. .It Cm tos_agreed Ar boolean
  267. Set whether or not the user agrees to the Terms Of Service
  268. .Pq TOS .
  269. .It Cm url Ar string
  270. The endpoint's directory URL.
  271. .El
  272. .It Ic global
  273. Table containing the global configuration options.
  274. .Bl -tag
  275. .It Cm accounts_directory Ar string
  276. Specify the directory where the accounts private and public keys are stored.
  277. .It Cm cert_file_group Ar group_name|group_id Ft string
  278. Specify the group who will own newly-created certificates files. See
  279. .Xr chown 2
  280. for more details.
  281. .It Cm cert_file_mode Ar integer
  282. Specify the permissions to use for newly-created certificates files. See
  283. .Xr chmod 2
  284. for more details.
  285. .It Cm cert_file_user Ar username|user_id Ft string
  286. Specify the user who will own newly-created certificates files. See
  287. .Xr chown 2
  288. for more details.
  289. .It Cm cert_file_ext Ft string
  290. Specify the file extension of certificate files.
  291. .It Cm certificates_directory Ar string
  292. Specify the directory where the certificates and their associated private keys are stored.
  293. .It Ic env Ar table
  294. Table of environment variables that will be accessible from hooks.
  295. .It Ic file_name_format Ar string
  296. Template used to build the file's name. For detailed documentation, see the
  297. .Em file_name_format
  298. directive located in the
  299. .Em certificate
  300. element.
  301. .It Cm pk_file_group Ar group_name|group_id Ft string
  302. Specify the group who will own newly-created private-key files. See
  303. .Xr chown 2
  304. for more details.
  305. .It Cm pk_file_mode Ar integer
  306. Specify the permissions to use for newly-created private-key files. See
  307. .Xr chmod 2
  308. for more details.
  309. .It Cm pk_file_user Ar username|user_id Ft string
  310. Specify the user who will own newly-created private-key files. See
  311. .Xr chown 2
  312. for more details.
  313. .It Cm pk_file_ext Ft string
  314. Specify the file extension of private-key files.
  315. .It Cm random_early_renew Ar string
  316. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  317. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  318. .Sx TIME PERIODS
  319. section. By default, this is disabled, or rather, the time frame is set to 0.
  320. .It Cm renew_delay Ar string
  321. Period of time between the certificate renewal and its expiration date. The format is described in the
  322. .Sx TIME PERIODS
  323. section. Default is 30d.
  324. .It Cm root_certificates Ar array
  325. Array containing the path to root certificates that should be added to the trust store.
  326. .El
  327. .It Ic group
  328. Array of table allowing to group several hooks as one. A group is considered as new hook.
  329. .Bl -tag
  330. .It Cm hooks Ar array
  331. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  332. .It Cm name Ar string
  333. The name the group is registered under. This name is considered as a hook name. Must be unique.
  334. .El
  335. .It Ic hook
  336. Array of table where each element defines a command that will be launched at a defined point. See section
  337. .Sx WRITING A HOOK
  338. for more details.
  339. .Bl -tag
  340. .It Cm allow_failure Ar boolean
  341. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  342. .It Ic args Ar array
  343. Array of strings representing the command's arguments.
  344. .It Ic cmd Ar string
  345. The name of the command that will be launched.
  346. .It Cm name Ar string
  347. The name the hook is registered under. Must be unique.
  348. .It Ic stderr Ar string
  349. Path to the file where the command's standard error output if written.
  350. .It Ic stdin Ar string
  351. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  352. .Em stdin_str .
  353. .It Ic stdin_str Ar string
  354. String that will be written into the command's standard input. Mutually exclusive with
  355. .Em stdin .
  356. .It Ic stdout Ar string
  357. Path to the file where the command's standard output if written.
  358. .It Cm type Ar array
  359. Array of strings. Possible types are:
  360. .Bl -dash -compact
  361. .It
  362. challenge-dns-01
  363. .It
  364. challenge-dns-01-clean
  365. .It
  366. challenge-http-01
  367. .It
  368. challenge-http-01-clean
  369. .It
  370. challenge-tls-alpn-01
  371. .It
  372. challenge-tls-alpn-01-clean
  373. .It
  374. file-post-create
  375. .It
  376. file-post-edit
  377. .It
  378. file-pre-create
  379. .It
  380. file-pre-edit
  381. .It
  382. post-operation
  383. .El
  384. .El
  385. .It Ic include
  386. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  387. .Pp
  388. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  389. .Em A
  390. includes files
  391. .Em B
  392. and
  393. .Em C
  394. and all three defines the same global option, the final value will be the one defined in file
  395. .Em C .
  396. .Pp
  397. Unix style globing is supported.
  398. .It Ic rate-limit
  399. Array of table where each element defines a HTTPS rate limit.
  400. .Bl -tag
  401. .It Cm name Ar string
  402. The name the rate limit is registered under. Must be unique.
  403. .It Cm number Ar integer
  404. Number of requests authorized withing the time period.
  405. .It Cm period Ar string
  406. Period of time during which a maximal number of requests is authorized. The format is described in the
  407. .Sx TIME PERIODS
  408. section.
  409. .El
  410. .El
  411. .Sh WRITING A HOOK
  412. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every identifier to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  413. .Pp
  414. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  415. .Xr acmed 8
  416. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  417. .Pp
  418. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  419. .Pp
  420. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  421. .Pp
  422. When writing a hook, the values of
  423. .Em args ,
  424. .Em stdin ,
  425. .Em stdin_str ,
  426. .Em stdout
  427. and
  428. .Em stderr
  429. are considered as template strings whereas
  430. .Em cmd
  431. is not. The template syntax is
  432. .Em MiniJinja .
  433. See the
  434. .Sx STANDARDS
  435. section for a link to the
  436. .Em MiniJinja
  437. specifications.
  438. .Pp
  439. The available types and the associated template variable are described below.
  440. .Bl -tag
  441. .It Ic challenge-dns-01
  442. Invoked when the ownership of an identifier must be proved using the
  443. .Em dns-01
  444. challenge. The available template variables are:
  445. .Bl -tag -compact
  446. .It Cm challenge Ar string
  447. The name of the challenge type
  448. .Aq dns-01 .
  449. Mostly used in hooks with multiple types.
  450. .It Cm env Ar array
  451. Array containing all the environment variables.
  452. .It Cm identifier Ar string
  453. The identifier name whom ownership is currently being validated.
  454. .It Cm is_clean_hook Ar bool
  455. False
  456. .It Cm proof Ar string
  457. The content of the proof that must be written to a
  458. .Ql TXT
  459. entry of the DNS zone for the
  460. .Ql _acme-challenge
  461. subdomain.
  462. .El
  463. .It Ic challenge-dns-01-clean
  464. Invoked once an identifier ownership has been proven using the
  465. .Em dns-01
  466. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  467. .Em challenge-dns-01
  468. hook, excepted
  469. .Em is_clean_hook
  470. which is set to
  471. .Em true .
  472. .It Ic challenge-http-01
  473. Invoked when the ownership of an identifier must be proved using the
  474. .Em http-01
  475. challenge. The available template variables are:
  476. .Bl -tag -compact
  477. .It Cm challenge Ar string
  478. The name of the challenge type
  479. .Aq http-01 .
  480. Mostly used in hooks with multiple types.
  481. .It Cm env Ar array
  482. Array containing all the environment variables.
  483. .It Cm file_name Ar string
  484. Name of the file containing the proof. This is not a full path and does not include the
  485. .Ql .well-known/acme-challenge/
  486. prefix.
  487. .It Cm identifier Ar string
  488. The identifier name whom ownership is currently being validated.
  489. .It Cm is_clean_hook Ar bool
  490. False
  491. .It Cm proof Ar string
  492. The content of the proof that must be written to
  493. .Em file_name .
  494. .El
  495. .It Ic challenge-http-01-clean
  496. Invoked once an identifier ownership has been proven using the
  497. .Em http-01
  498. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  499. .Em challenge-http-01
  500. hook, excepted
  501. .Em is_clean_hook
  502. which is set to
  503. .Em true .
  504. .It Ic challenge-tls-alpn-01
  505. Invoked when the ownership of an identifier must be proved using the
  506. .Em tls-alpn-01
  507. challenge. The available template variables are:
  508. .Bl -tag -compact
  509. .It Cm challenge Ar string
  510. The name of the challenge type
  511. .Aq tls-alpn-01 .
  512. Mostly used in hooks with multiple types.
  513. .It Cm env Ar array
  514. Array containing all the environment variables.
  515. .It Cm identifier Ar string
  516. The identifier name whom ownership is currently being validated.
  517. .It Cm identifier_tls_alpn Ar string
  518. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  519. .It Cm is_clean_hook Ar bool
  520. False
  521. .It Cm proof Ar string
  522. Plain-text representation of the
  523. .Em acmeIdentifier
  524. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  525. .Qd acme-tls/1
  526. ALPN extension value.
  527. .Xr acmed 8
  528. will not generate the certificate itself since it can be done using
  529. .Xr tacd 8 .
  530. .It Cm raw_proof Ar string
  531. The SHA-256 digest of the key authorization, encoded using Base64 URL scheme without padding. This is intended for the use of ACMEd with a TLS-ALPN responder other than
  532. .Xr tacd 8 .
  533. .El
  534. .It Ic challenge-tls-alpn-01-clean
  535. Invoked once an identifier ownership has been proven using the
  536. .Em tls-alpn-01
  537. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  538. .Em challenge-tls-alpn-01
  539. hook, excepted
  540. .Em is_clean_hook
  541. which is set to
  542. .Em true .
  543. .It Ic file-post-create
  544. Invoked
  545. .Em after
  546. a non-existent file
  547. .Em created .
  548. The available template variables are the same as those available for the
  549. .Em file-pre-create
  550. type.
  551. .It Ic file-post-edit
  552. Invoked
  553. .Em after
  554. an existent file
  555. .Em modified .
  556. The available template variables are the same as those available for the
  557. .Em file-pre-create
  558. type.
  559. .It Ic file-pre-create
  560. Invoked
  561. .Em before
  562. a non-existent file
  563. .Em created .
  564. The available template variables are:
  565. .Bl -tag -compact
  566. .It Cm env Ar array
  567. Array containing all the environment variables.
  568. .It Cm file_directory Ar string
  569. Name of the directory where the impacted file is located.
  570. .It Cm file_name Ar string
  571. Name of the impacted file.
  572. .It Cm file_path Ar string
  573. Full path to the impacted file.
  574. .El
  575. .It Ic file-pre-edit
  576. Invoked
  577. .Em before
  578. an existent file
  579. .Em modified .
  580. The available template variables are the same as those available for the
  581. .Em file-pre-create
  582. type.
  583. .It Ic post-operation
  584. Invoked at the end of the certificate request process. The available template variables are:
  585. .Bl -tag -compact
  586. .It Cm env Ar array
  587. Array containing all the environment variables.
  588. .It Cm identifiers Ar string
  589. Array containing the identifiers included in the requested certificate.
  590. .It Cm is_success Ar boolean
  591. True if the certificate request is successful.
  592. .It Cm key_type Ar string
  593. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair.
  594. .It Cm status Ar string
  595. Human-readable status. If the certificate request failed, it contains the error description.
  596. .It Cm certificate_path Ar string
  597. Path to the file containing the certificate.
  598. .It Cm private_key_path Ar string
  599. Path to the file containing the private key.
  600. .El
  601. .El
  602. .Sh DEFAULT HOOKS
  603. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  604. .Bl -tag
  605. .It Pa git
  606. This hook uses
  607. .Xr git 1
  608. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  609. .Ev GIT_USERNAME
  610. and
  611. .Ev GIT_EMAIL
  612. environment variables.
  613. .It Pa http-01-echo
  614. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  615. .Pa {{ env.HTTP_ROOT }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }} .
  616. .Pp
  617. The web server must be configured so the file
  618. .Pa http://{{ identifier }}/.well-known/acme-challenge/{{ file_name }}
  619. can be accessed from the CA.
  620. .Pp
  621. If
  622. .Ev HTTP_ROOT
  623. is not specified, it will be set to
  624. .Pa /var/www .
  625. .It Pa tls-alpn-01-tacd-tcp
  626. This hook is designed to solve the tls-alpn-01 challenge using
  627. .Xr tacd 8 .
  628. It requires
  629. .Xr pkill 1
  630. to support the
  631. .Em -F
  632. option.
  633. .Pp
  634. .Xr tacd 8
  635. will listen on the host defined by the
  636. .Ev TACD_HOST
  637. environment variable (default is the identifier to be validated) and on the port defined by the
  638. .Ev TACD_PORT
  639. environment variable (default is 5001).
  640. .Pp
  641. .Xr tacd 8
  642. will store its pid into
  643. .Pa {{ TACD_PID_ROOT }}/tacd_{{ identifier }}.pid .
  644. If
  645. .Ev TACD_PID_ROOT
  646. is not specified, it will be set to
  647. .Pa /run .
  648. .It Pa tls-alpn-01-tacd-unix
  649. This hook is designed to solve the tls-alpn-01 challenge using
  650. .Xr tacd 8 .
  651. It requires
  652. .Xr pkill 1
  653. to support the
  654. .Em -F
  655. option.
  656. .Pp
  657. .Xr tacd 8
  658. will listen on the unix socket
  659. .Pa {{ env.TACD_SOCK_ROOT }}/tacd_{{ identifier }}.sock .
  660. If
  661. .Ev TACD_SOCK_ROOT
  662. is not specified, it will be set to
  663. .Pa /run .
  664. .Pp
  665. .Xr tacd 8
  666. will store its pid into
  667. .Pa {{ TACD_PID_ROOT }}/tacd_{{ identifier }}.pid .
  668. If
  669. .Ev TACD_PID_ROOT
  670. is not specified, it will be set to
  671. .Pa /run .
  672. .El
  673. .Sh TIME PERIODS
  674. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  675. .Ar PM[PM...]
  676. where
  677. .Ar M
  678. is case sensitive character representing a length and
  679. .Ar P
  680. is an integer representing a multiplayer for the following length. The authorized length are:
  681. .Bl -dash -compact
  682. .It
  683. .Ar s :
  684. second
  685. .It
  686. .Ar m :
  687. minute
  688. .It
  689. .Ar h :
  690. hour
  691. .It
  692. .Ar d :
  693. day
  694. .It
  695. .Ar w :
  696. week
  697. .El
  698. The
  699. .Ar PM
  700. couples can be specified multiple times and in any order.
  701. .Pp
  702. For example,
  703. .Dq 1d42s
  704. and
  705. .Dq 40s20h4h2s
  706. both represents a period of one day and forty-two seconds.
  707. .Sh TEMPLATE FILTERS
  708. In addition the the filters provided by default by MiniJinja, ACMEd provides the following filters:
  709. .Bl -tag
  710. .It Pa rev_labels
  711. Reverts the labels of a domain name (eg:
  712. .Dq mx1.example.org
  713. becomes
  714. .Dq org.example.mx1
  715. ).
  716. .El
  717. .Sh FILES
  718. .Bl -tag
  719. .It Pa /var/lib/acmed/accounts
  720. Default accounts private and public keys directory.
  721. .It Pa /etc/acmed/acmed.toml
  722. Default
  723. .Xr acmed 8
  724. configuration file.
  725. .It Pa /var/lib/acmed/certs
  726. Default certificates and associated private keys directory.
  727. .El
  728. .Sh EXAMPLES
  729. The following example defines a typical endpoint, account and certificate for a domain, several subdomains and an IP address.
  730. .Bd -literal -offset indent
  731. [[endpoint]]
  732. name = "example name"
  733. url = "https://acme.example.org/directory"
  734. tos_agreed = true
  735. [[account]]
  736. name = "my test account"
  737. contacts = [
  738. { mailto = "certs@exemple.net" }
  739. ]
  740. [[certificate]]
  741. endpoint = "example name"
  742. account = "my test account"
  743. identifiers = [
  744. { dns = "exemple.net", challenge = "http-01"},
  745. { dns = "1.exemple.net", challenge = "dns-01"},
  746. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  747. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  748. { ip = "203.0.113.1", challenge = "http-01"},
  749. ]
  750. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  751. env.HTTP_ROOT = "/srv/http"
  752. .Ed
  753. .Pp
  754. It is possible to use
  755. .Xr echo 1
  756. to solve the
  757. .Em http-01
  758. challenge and
  759. .Xr rm 1
  760. to clean it.
  761. .Xr mkdir 1
  762. and
  763. .Xr chmod 1
  764. are used to prevent issues related to file access.
  765. .Bd -literal -offset indent
  766. [[hook]]
  767. name = "http-01-echo-mkdir"
  768. type = ["challenge-http-01"]
  769. cmd = "mkdir"
  770. args = [
  771. "-m", "0755",
  772. "-p", "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge"
  773. ]
  774. [[hook]]
  775. name = "http-01-echo-echo"
  776. type = ["challenge-http-01"]
  777. cmd = "echo"
  778. args = ["{ proof }"]
  779. stdout = "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  780. [[hook]]
  781. name = "http-01-echo-chmod"
  782. type = ["challenge-http-01-clean"]
  783. cmd = "chmod"
  784. args = [
  785. "a+r",
  786. "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  787. ]
  788. [[hook]]
  789. name = "http-01-echo-clean"
  790. type = ["challenge-http-01-clean"]
  791. cmd = "rm"
  792. args = [
  793. "-f",
  794. "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  795. ]
  796. .Ed
  797. .Pp
  798. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  799. .Bd -literal -offset indent
  800. [[group]]
  801. name = "http-01-echo-var-www"
  802. hooks = [
  803. "http-01-echo-mkdir",
  804. "http-01-echo-echo",
  805. "http-01-echo-chmod",
  806. "http-01-echo-clean"
  807. ]
  808. [[certificate]]
  809. # Some fields omitted
  810. hooks = ["http-01-echo"]
  811. env.HTTP_ROOT = "/srv/http"
  812. .Ed
  813. .Pp
  814. It is also possible to use
  815. .Xr sendmail 8
  816. in a hook in order to notify someone when the certificate request process is done.
  817. .Bd -literal -offset indent
  818. [[hook]]
  819. name = "email-report"
  820. type = ["post-operation"]
  821. cmd = "sendmail"
  822. args = [
  823. "-f", "noreply.certs@example.net",
  824. "contact@example.net"
  825. ]
  826. stdin_str = """Subject: Certificate renewal {{ 'succeeded' if is_success else 'failed' }} for {{ identifiers.0 }}
  827. The following certificate has {{ '' if is_success else '*not* ' }}been renewed.
  828. identifiers: {% for ident in identifiers %}{% if not loop.first %}, {% endif %}{{ ident }}{% endfor %}
  829. key type: {{ key_type }}
  830. status: {{ status }}"""
  831. .Ed
  832. .Sh SEE ALSO
  833. .Xr acmed 8 ,
  834. .Xr tacd 8
  835. .Sh STANDARDS
  836. .Bl -hyphen
  837. .It
  838. .Rs
  839. .%A Tom Preston-Werner
  840. .%D July 2018
  841. .%T TOML v0.5.0
  842. .%U https://toml.io/en/v0.5.0
  843. .Re
  844. .It
  845. .Rs
  846. .%A Armin Ronacher
  847. .%T MiniJinja
  848. .%U https://docs.rs/minijinja/latest/minijinja/syntax/index.html
  849. .Re
  850. .It
  851. .Rs
  852. .%A M. Jones
  853. .%D May 2015
  854. .%R RFC 7518
  855. .%T JSON Web Algorithms (JWA)
  856. .Re
  857. .El
  858. .Sh AUTHORS
  859. .An Rodolphe Bréard
  860. .Aq rodolphe@breard.tf