You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

778 lines
23 KiB

5 years ago
4 years ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd September 26, 2020
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic include
  22. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  23. .Pp
  24. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  25. .Em A
  26. includes files
  27. .Em B
  28. and
  29. .Em C
  30. and all three defines the same global option, the final value will be the one defined in file
  31. .Em C .
  32. .Pp
  33. Unix style globing is supported.
  34. .It Ic global
  35. Table containing the global configuration options.
  36. .Bl -tag
  37. .It Cm accounts_directory Ar string
  38. Specify the directory where the accounts private and public keys are stored.
  39. .It Cm certificates_directory Ar string
  40. Specify the directory where the certificates and their associated private keys are stored.
  41. .It Cm cert_file_mode Ar integer
  42. Specify the permissions to use for newly-created certificates files. See
  43. .Xr chmod 2
  44. for more details.
  45. .It Cm cert_file_user Ar username|user_id Ft string
  46. Specify the user who will own newly-created certificates files. See
  47. .Xr chown 2
  48. for more details.
  49. .It Cm cert_file_group Ar group_name|group_id Ft string
  50. Specify the group who will own newly-created certificates files. See
  51. .Xr chown 2
  52. for more details.
  53. .It Ic env Ar table
  54. Table of environment variables that will be accessible from hooks.
  55. .It Cm pk_file_mode Ar integer
  56. Specify the permissions to use for newly-created private-key files. See
  57. .Xr chmod 2
  58. for more details.
  59. .It Cm pk_file_user Ar username|user_id Ft string
  60. Specify the user who will own newly-created private-key files. See
  61. .Xr chown 2
  62. for more details.
  63. .It Cm pk_file_group Ar group_name|group_id Ft string
  64. Specify the group who will own newly-created private-key files. See
  65. .Xr chown 2
  66. for more details.
  67. .It Cm renew_delay Ar string
  68. Period of time between the certificate renewal and its expiration date. The format is described in the
  69. .Sx TIME PERIODS
  70. section. Default is 3w.
  71. .It Cm root_certificates Ar array
  72. Array containing the path to root certificates that should be added to the trust store.
  73. .El
  74. .It Ic rate-limit
  75. Array of table where each element defines a HTTPS rate limit.
  76. .Bl -tag
  77. .It Cm name Ar string
  78. The name the rate limit is registered under. Must be unique.
  79. .It Cm number Ar integer
  80. Number of requests authorized withing the time period.
  81. .It Cm period Ar string
  82. Period of time during which a maximal number of requests is authorized. The format is described in the
  83. .Sx TIME PERIODS
  84. section.
  85. .El
  86. .It Ic endpoint
  87. Array of table where each element defines a Certificate Authority
  88. .Pq CA
  89. which may be used to request certificates.
  90. .Bl -tag
  91. .It Cm name Ar string
  92. The name the endpoint is registered under. Must be unique.
  93. .It Cm rate_limits Ar array
  94. Array containing the names of the HTTPS rate limits to apply.
  95. .It Cm tos_agreed Ar boolean
  96. Set whether or not the user agrees to the Terms Of Service
  97. .Pq TOS .
  98. .It Cm url Ar string
  99. The endpoint's directory URL.
  100. .It Cm renew_delay Ar string
  101. Period of time between the certificate renewal and its expiration date. The format is described in the
  102. .Sx TIME PERIODS
  103. section. Default is the value defined in the global section.
  104. .It Cm root_certificates Ar array
  105. Array containing the path to root certificates that should be added to the trust store.
  106. .El
  107. .It Ic hook
  108. Array of table where each element defines a command that will be launched at a defined point. See section
  109. .Sx WRITING A HOOK
  110. for more details.
  111. .Bl -tag
  112. .It Cm allow_failure Ar boolean
  113. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  114. .It Cm name Ar string
  115. The name the hook is registered under. Must be unique.
  116. .It Cm type Ar array
  117. Array of strings. Possible types are:
  118. .Bl -dash -compact
  119. .It
  120. challenge-http-01
  121. .It
  122. challenge-http-01-clean
  123. .It
  124. challenge-dns-01
  125. .It
  126. challenge-dns-01-clean
  127. .It
  128. challenge-tls-alpn-01
  129. .It
  130. challenge-tls-alpn-01-clean
  131. .It
  132. file-pre-create
  133. .It
  134. file-pre-edit
  135. .It
  136. file-post-create
  137. .It
  138. file-post-edit
  139. .It
  140. post-operation
  141. .El
  142. .It Ic cmd Ar string
  143. The name of the command that will be launched.
  144. .It Ic args Ar array
  145. Array of strings representing the command's arguments.
  146. .It Ic stdin Ar string
  147. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  148. .Em stdin_str .
  149. .It Ic stdin_str Ar string
  150. String that will be written into the command's standard input. Mutually exclusive with
  151. .Em stdin .
  152. .It Ic stdout Ar string
  153. Path to the file where the command's standard output if written.
  154. .It Ic stderr Ar string
  155. Path to the file where the command's standard error output if written.
  156. .El
  157. .It Ic group
  158. Array of table allowing to group several hooks as one. A group is considered as new hook.
  159. .Bl -tag
  160. .It Cm name Ar string
  161. The name the group is registered under. This name is considered as a hook name. Must be unique.
  162. .It Cm hooks Ar array
  163. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  164. .El
  165. .It Ic account
  166. Array of table representing an account on one or several endpoint.
  167. .Bl -tag
  168. .It Ic name Ar string
  169. The name the account is registered under. Must be unique.
  170. .It Ic contacts Ar array
  171. Array of tables describing describing the account holder's contact information. Each table must have one and only one key-value pair. Possible keys and their associated values are:
  172. .Bl -tag
  173. .It Ic mailto Ar string
  174. A mailto URI as defined by
  175. .Em RFC 6068 .
  176. This URI cannot contains neither "hfields" nor more than one "addr-spec" in the "to" component.
  177. .El
  178. .It Cm key_type Ar string
  179. Name of the asymmetric cryptography algorithm used to generate the key pair. Possible values are:
  180. .Bl -dash -compact
  181. .It
  182. rsa2048
  183. .It
  184. rsa4096
  185. .It
  186. ecdsa_p256
  187. .Aq default
  188. .It
  189. ecdsa_p384
  190. .It
  191. ecdsa_p521
  192. .El
  193. .It Cm signature_algorithm Ar string
  194. Name of the signature algorithm used to sign the messages sent to the endpoint as defined in
  195. .Em RFC 7518 .
  196. The default value is derived from the key type. Possible values are:
  197. .Bl -dash -compact
  198. .It
  199. RS256
  200. .It
  201. ES256
  202. .It
  203. ES384
  204. .It
  205. ES512
  206. .El
  207. .It Ic env Ar table
  208. Table of environment variables that will be accessible from hooks.
  209. .It Ic hooks Ar array
  210. Names of hooks that will be called during operations on the account storage file. The hooks are guaranteed to be called sequentially in the declaration order.
  211. .It Ic external_account Ar table
  212. Table containing the information required to bind the account to an external one. Possible fields and values are:
  213. .Bl -tag
  214. .It Ic identifier Ar string
  215. ASCII string identifying the key.
  216. .It Ic key Ar string
  217. Private key encoded in base64url without padding.
  218. .It Ic signature_algorithm Ar string
  219. Name of the signature algorithm used to sign the external account binding message sent to the endpoint as defined in
  220. .Em RFC 7518 .
  221. Possible values are:
  222. .Bl -dash -compact
  223. .It
  224. HS256
  225. .Aq default
  226. .It
  227. HS384
  228. .It
  229. HS512
  230. .El
  231. .El
  232. .El
  233. .It Ic certificate
  234. Array of table representing a certificate that will be requested to a CA.
  235. .Pp
  236. Note that certificates are identified by the first identifier in the list of identifiers. That means that if you reorder the identifiers so that a different identifier is at the first position, a new certificate with a new name will be issued.
  237. .Bl -tag
  238. .It Ic account Ar string
  239. Name of the account to use.
  240. .It Ic endpoint Ar string
  241. Name of the endpoint to use.
  242. .It Ic env Ar table
  243. Table of environment variables that will be accessible from hooks.
  244. .It Ic identifiers Ar array
  245. Array of tables listing the identifiers that should be included in the certificate along with the challenge to use for each one. The
  246. .Em dns
  247. and
  248. .Em ip
  249. fields are mutually exclusive.
  250. .Bl -tag
  251. .It Ic challenge Ar string
  252. The name of the challenge to use to prove the identifier's ownership. Possible values are:
  253. .Bl -dash -compact
  254. .It
  255. http-01
  256. .It
  257. dns-01
  258. .It
  259. tls-alpn-01
  260. .El
  261. .It Ic dns Ar string
  262. The domain name.
  263. .It Ic ip Ar string
  264. The IP address.
  265. .It Ic env Ar table
  266. Table of environment variables that will be accessible from hooks.
  267. .El
  268. .It subject_attributes Ar table
  269. Table where the certificate's subject attributes are specified. Possible keys are:
  270. .Bl -dash -compact
  271. .It
  272. country_name
  273. .It
  274. locality_name
  275. .It
  276. state_or_province_name
  277. .It
  278. street_address
  279. .It
  280. organization_name
  281. .It
  282. organizational_unit_name
  283. .It
  284. name
  285. .It
  286. given_name
  287. .It
  288. initials
  289. .It
  290. title
  291. .It
  292. surname
  293. .It
  294. pseudonym
  295. .It
  296. generation_qualifier
  297. .It
  298. friendly_name
  299. .El
  300. .It Ic key_type Ar string
  301. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair. Possible values are:
  302. .Bl -dash -compact
  303. .It
  304. rsa2048
  305. .Aq default
  306. .It
  307. rsa4096
  308. .It
  309. ecdsa_p256
  310. .It
  311. ecdsa_p384
  312. .It
  313. ecdsa_p521
  314. .El
  315. .It Ic csr_digest Ar string
  316. Name of the certificate's signing request digest algorithm. Possible values are:
  317. .Bl -dash -compact
  318. .It
  319. sha256
  320. .Aq default
  321. .It
  322. sha384
  323. .It
  324. sha512
  325. .El
  326. .It Ic kp_reuse Ar boolean
  327. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  328. .It Ic directory Ar string
  329. Path to the directory where certificates and their associated private keys are stored.
  330. .It Ic hooks Ar array
  331. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  332. .It Cm renew_delay Ar string
  333. Period of time between the certificate renewal and its expiration date. The format is described in the
  334. .Sx TIME PERIODS
  335. section. Default is the value defined in the associated endpoint.
  336. .El
  337. .El
  338. .Sh WRITING A HOOK
  339. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every identifier to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  340. .Pp
  341. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  342. .Xr acmed 8
  343. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  344. .Pp
  345. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  346. .Pp
  347. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  348. .Pp
  349. When writing a hook, the values of
  350. .Em args ,
  351. .Em stdin ,
  352. .Em stdin_str ,
  353. .Em stdout
  354. and
  355. .Em stderr
  356. are considered as template strings whereas
  357. .Em cmd
  358. is not. The template syntax is
  359. .Em Handlebars .
  360. See the
  361. .Sx STANDARDS
  362. section for a link to the
  363. .Em Handlebars
  364. specifications.
  365. .Pp
  366. The available types and the associated template variable are described below.
  367. .Bl -tag
  368. .It Ic challenge-http-01
  369. Invoked when the ownership of an identifier must be proved using the
  370. .Em http-01
  371. challenge. The available template variables are:
  372. .Bl -tag -compact
  373. .It Cm challenge Ar string
  374. The name of the challenge type
  375. .Aq http-01 .
  376. Mostly used in hooks with multiple types.
  377. .It Cm identifier Ar string
  378. The identifier name whom ownership is currently being validated.
  379. .It Cm identifier_tls_alpn Ar string
  380. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  381. .It Cm env Ar array
  382. Array containing all the environment variables.
  383. .It Cm file_name Ar string
  384. Name of the file containing the proof. This is not a full path and does not include the
  385. .Ql .well-known/acme-challenge/
  386. prefix.
  387. .It Cm is_clean_hook Ar bool
  388. False
  389. .It Cm proof Ar string
  390. The content of the proof that must be written to
  391. .Em file_name .
  392. .El
  393. .It Ic challenge-http-01-clean
  394. Invoked once an identifier ownership has been proven using the
  395. .Em http-01
  396. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  397. .Em challenge-http-01
  398. hook, excepted
  399. .Em is_clean_hook
  400. which is set to
  401. .Em true .
  402. .It Ic challenge-dns-01
  403. Invoked when the ownership of an identifier must be proved using the
  404. .Em dns-01
  405. challenge. The available template variables are:
  406. .Bl -tag -compact
  407. .It Cm challenge Ar string
  408. The name of the challenge type
  409. .Aq dns-01 .
  410. Mostly used in hooks with multiple types.
  411. .It Cm identifier Ar string
  412. The identifier name whom ownership is currently being validated.
  413. .It Cm identifier_tls_alpn Ar string
  414. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  415. .It Cm env Ar array
  416. Array containing all the environment variables.
  417. .It Cm is_clean_hook Ar bool
  418. False
  419. .It Cm proof Ar string
  420. The content of the proof that must be written to a
  421. .Ql TXT
  422. entry of the DNS zone for the
  423. .Ql _acme-challenge
  424. subdomain.
  425. .El
  426. .It Ic challenge-dns-01-clean
  427. Invoked once an identifier ownership has been proven using the
  428. .Em dns-01
  429. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  430. .Em challenge-dns-01
  431. hook, excepted
  432. .Em is_clean_hook
  433. which is set to
  434. .Em true .
  435. .It Ic challenge-tls-alpn-01
  436. Invoked when the ownership of an identifier must be proved using the
  437. .Em tls-alpn-01
  438. challenge. The available template variables are:
  439. .Bl -tag -compact
  440. .It Cm challenge Ar string
  441. The name of the challenge type
  442. .Aq tls-alpn-01 .
  443. Mostly used in hooks with multiple types.
  444. .It Cm identifier Ar string
  445. The identifier name whom ownership is currently being validated.
  446. .It Cm identifier_tls_alpn Ar string
  447. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  448. .It Cm env Ar array
  449. Array containing all the environment variables.
  450. .It Cm is_clean_hook Ar bool
  451. False
  452. .It Cm proof Ar string
  453. Plain-text representation of the
  454. .Em acmeIdentifier
  455. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  456. .Qd acme-tls/1
  457. ALPN extension value.
  458. .Xr acmed 8
  459. will not generate the certificate itself since it can be done using
  460. .Xr tacd 8 .
  461. .El
  462. .It Ic challenge-tls-alpn-01-clean
  463. Invoked once an identifier ownership has been proven using the
  464. .Em tls-alpn-01
  465. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  466. .Em challenge-tls-alpn-01
  467. hook, excepted
  468. .Em is_clean_hook
  469. which is set to
  470. .Em true .
  471. .It Ic file-pre-create
  472. Invoked
  473. .Em before
  474. a non-existent file
  475. .Em created .
  476. The available template variables are:
  477. .Bl -tag -compact
  478. .It Cm env Ar array
  479. Array containing all the environment variables.
  480. .It Cm file_directory Ar string
  481. Name of the directory where the impacted file is located.
  482. .It Cm file_name Ar string
  483. Name of the impacted file.
  484. .It Cm file_path Ar string
  485. Full path to the impacted file.
  486. .El
  487. .It Ic file-pre-edit
  488. Invoked
  489. .Em before
  490. an existent file
  491. .Em modified .
  492. The available template variables are the same as those available for the
  493. .Em file-pre-create
  494. type.
  495. .It Ic file-post-create
  496. Invoked
  497. .Em after
  498. a non-existent file
  499. .Em created .
  500. The available template variables are the same as those available for the
  501. .Em file-pre-create
  502. type.
  503. .It Ic file-post-edit
  504. Invoked
  505. .Em after
  506. an existent file
  507. .Em modified .
  508. The available template variables are the same as those available for the
  509. .Em file-pre-create
  510. type.
  511. .It Ic post-operation
  512. Invoked at the end of the certificate request process. The available template variables are:
  513. .Bl -tag -compact
  514. .It Cm key_type Ar string
  515. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair.
  516. .It Cm identifiers Ar string
  517. Array containing the identifiers included in the requested certificate.
  518. .It Cm env Ar array
  519. Array containing all the environment variables.
  520. .It Cm is_success Ar boolean
  521. True if the certificate request is successful.
  522. .It Cm status Ar string
  523. Human-readable status. If the certificate request failed, it contains the error description.
  524. .El
  525. .El
  526. .Sh DEFAULT HOOKS
  527. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  528. .Bl -tag
  529. .It Pa git
  530. This hook uses
  531. .Xr git 1
  532. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  533. .Ev GIT_USERNAME
  534. and
  535. .Ev GIT_EMAIL
  536. environment variables.
  537. .It Pa http-01-echo
  538. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  539. .Pa {{env.HTTP_ROOT}}/{{identifier}}/.well-known/acme-challenge/{{file_name}} .
  540. .Pp
  541. The web server must be configured so the file
  542. .Pa http://{{identifier}}/.well-known/acme-challenge/{{file_name}}
  543. can be accessed from the CA.
  544. .Pp
  545. If
  546. .Ev HTTP_ROOT
  547. is not specified, it will be set to
  548. .Pa /var/www .
  549. .It Pa tls-alpn-01-tacd-tcp
  550. This hook is designed to solve the tls-alpn-01 challenge using
  551. .Xr tacd 8 .
  552. It requires
  553. .Xr pkill 1
  554. to support the
  555. .Em -F
  556. option.
  557. .Pp
  558. .Xr tacd 8
  559. will listen on the host defined by the
  560. .Ev TACD_HOST
  561. environment variable (default is the identifier to be validated) and on the port defined by the
  562. .Ev TACD_PORT
  563. environment variable (default is 5001).
  564. .Pp
  565. .Xr tacd 8
  566. will store its pid into
  567. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  568. If
  569. .Ev TACD_PID_ROOT
  570. is not specified, it will be set to
  571. .Pa /run .
  572. .It Pa tls-alpn-01-tacd-unix
  573. This hook is designed to solve the tls-alpn-01 challenge using
  574. .Xr tacd 8 .
  575. It requires
  576. .Xr pkill 1
  577. to support the
  578. .Em -F
  579. option.
  580. .Pp
  581. .Xr tacd 8
  582. will listen on the unix socket
  583. .Pa {{env.TACD_SOCK_ROOT}}/tacd_{{identifier}}.sock .
  584. If
  585. .Ev TACD_SOCK_ROOT
  586. is not specified, it will be set to
  587. .Pa /run .
  588. .Pp
  589. .Xr tacd 8
  590. will store its pid into
  591. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  592. If
  593. .Ev TACD_PID_ROOT
  594. is not specified, it will be set to
  595. .Pa /run .
  596. .El
  597. .Sh TIME PERIODS
  598. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  599. .Ar PM[PM...]
  600. where
  601. .Ar M
  602. is case sensitive character representing a length and
  603. .Ar P
  604. is an integer representing a multiplayer for the following length. The authorized length are:
  605. .Bl -dash -compact
  606. .It
  607. .Ar s :
  608. second
  609. .It
  610. .Ar m :
  611. minute
  612. .It
  613. .Ar h :
  614. hour
  615. .It
  616. .Ar d :
  617. day
  618. .It
  619. .Ar w :
  620. week
  621. .El
  622. The
  623. .Ar PM
  624. couples can be specified multiple times and in any order.
  625. .Pp
  626. For example,
  627. .Dq 1d42s and
  628. .Dq 40s20h4h2s
  629. both represents a period of one day and forty-two seconds.
  630. .Sh FILES
  631. .Bl -tag
  632. .It Pa /etc/acmed/acmed.toml
  633. Default
  634. .Xr acmed 8
  635. configuration file.
  636. .It Pa /etc/acmed/accounts
  637. Default accounts private and public keys directory.
  638. .It Pa /etc/acmed/certs
  639. Default certificates and associated private keys directory.
  640. .El
  641. .Sh EXAMPLES
  642. The following example defines a typical endpoint, account and certificate for a domain, several subdomains and an IP address.
  643. .Bd -literal -offset indent
  644. [[endpoint]]
  645. name = "example name"
  646. url = "https://acme.example.org/directory"
  647. tos_agreed = true
  648. [[account]]
  649. name = "my test account"
  650. email = "certs@exemple.net"
  651. [[certificate]]
  652. endpoint = "example name"
  653. account = "my test account"
  654. identifiers = [
  655. { dns = "exemple.net", challenge = "http-01"},
  656. { dns = "1.exemple.net", challenge = "dns-01"},
  657. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  658. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  659. { ip = "203.0.113.1", challenge = "http-01"},
  660. ]
  661. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  662. env.HTTP_ROOT = "/srv/http"
  663. .Ed
  664. .Pp
  665. It is possible to use
  666. .Xr echo 1
  667. to solve the
  668. .Em http-01
  669. challenge and
  670. .Xr rm 1
  671. to clean it.
  672. .Xr mkdir 1
  673. and
  674. .Xr chmod 1
  675. are used to prevent issues related to file access.
  676. .Bd -literal -offset indent
  677. [[hook]]
  678. name = "http-01-echo-mkdir"
  679. type = ["challenge-http-01"]
  680. cmd = "mkdir"
  681. args = [
  682. "-m", "0755",
  683. "-p", "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge"
  684. ]
  685. [[hook]]
  686. name = "http-01-echo-echo"
  687. type = ["challenge-http-01"]
  688. cmd = "echo"
  689. args = ["{{proof}}"]
  690. stdout = "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  691. [[hook]]
  692. name = "http-01-echo-chmod"
  693. type = ["challenge-http-01-clean"]
  694. cmd = "chmod"
  695. args = [
  696. "a+r",
  697. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  698. ]
  699. [[hook]]
  700. name = "http-01-echo-clean"
  701. type = ["challenge-http-01-clean"]
  702. cmd = "rm"
  703. args = [
  704. "-f",
  705. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  706. ]
  707. .Ed
  708. .Pp
  709. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  710. .Bd -literal -offset indent
  711. [[group]]
  712. name = "http-01-echo-var-www"
  713. hooks = [
  714. "http-01-echo-mkdir",
  715. "http-01-echo-echo",
  716. "http-01-echo-chmod",
  717. "http-01-echo-clean"
  718. ]
  719. [[certificate]]
  720. # Some fields omitted
  721. hooks = ["http-01-echo"]
  722. env.HTTP_ROOT = "/srv/http"
  723. .Ed
  724. .Pp
  725. It is also possible to use
  726. .Xr sendmail 8
  727. in a hook in order to notif someone when the certificate request process is done.
  728. .Bd -literal -offset indent
  729. [[hook]]
  730. name = "email-report"
  731. type = ["post-operation"]
  732. cmd = "sendmail"
  733. args = [
  734. "-f", "noreply.certs@example.net",
  735. "contact@example.net"
  736. ]
  737. stdin_str = """Subject: Certificate renewal {{#if is_success}}succeeded{{else}}failed{{/if}} for {{identifiers.[0]}}
  738. The following certificate has {{#unless is_success}}*not* {{/unless}}been renewed.
  739. identifiers: {{#each identifiers}}{{#if @index}}, {{/if}}{{this}}{{/each}}
  740. key type: {{key_type}}
  741. status: {{status}}"""
  742. .Ed
  743. .Sh SEE ALSO
  744. .Xr acmed 8 ,
  745. .Xr tacd 8
  746. .Sh STANDARDS
  747. .Bl -hyphen
  748. .It
  749. .Rs
  750. .%A Tom Preston-Werner
  751. .%D July 2018
  752. .%T TOML v0.5.0
  753. .%U https://github.com/toml-lang/toml
  754. .Re
  755. .It
  756. .Rs
  757. .%A Yehuda Katz
  758. .%T Handlebars
  759. .%U https://handlebarsjs.com/
  760. .Re
  761. .It
  762. .Rs
  763. .%A M. Jones
  764. .%D May 2015
  765. .%R RFC 7518
  766. .%T JSON Web Algorithms (JWA)
  767. .Re
  768. .El
  769. .Sh AUTHORS
  770. .An Rodolphe Bréard
  771. .Aq rodolphe@breard.tf