You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

478 lines
14 KiB

  1. .\" Copyright (c) 2019 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd May 3, 2019
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic global
  22. Table containing the global configuration options.
  23. .Bl -tag
  24. .It Cm accounts_directory Ar string
  25. Specify the directory where the accounts private and public keys are stored.
  26. .It Cm certificates_directory Ar string
  27. Specify the directory where the certificates and their associated private keys are stored.
  28. .It Cm cert_file_mode Ar integer
  29. Specify the permissions to use for newly-created certificates files. See
  30. .Xr chmod 2
  31. for more details.
  32. .It Cm cert_file_user Ar user_id Ft string
  33. Specify the user who will own newly-created certificates files. See
  34. .Xr chown 2
  35. for more details.
  36. .It Cm cert_file_group Ar group_id Ft string
  37. Specify the group who will own newly-created certificates files. See
  38. .Xr chown 2
  39. for more details.
  40. .It Cm pk_file_mode Ar integer
  41. Specify the permissions to use for newly-created private-key files. See
  42. .Xr chmod 2
  43. for more details.
  44. .It Cm pk_file_user Ar user_id Ft string
  45. Specify the user who will own newly-created private-key files. See
  46. .Xr chown 2
  47. for more details.
  48. .It Cm pk_file_group Ar group_id Ft string
  49. Specify the group who will own newly-created private-key files. See
  50. .Xr chown 2
  51. for more details.
  52. .El
  53. .It Ic endpoint
  54. Array of table where each element defines a Certificate Authority
  55. .Pq CA
  56. which may be used to request certificates.
  57. .Bl -tag
  58. .It Cm name Ar string
  59. The name the endpoint is registered under. Must be unique.
  60. .It Cm url Ar string
  61. The endpoint's directory URL.
  62. .It Cm tos_agreed Ar boolean
  63. Set whether or not the user agrees to the Terms Of Service
  64. .Pq TOS .
  65. .El
  66. .It Ic hook
  67. Array of table where each element defines a command that will be launched at a defined point. See section
  68. .Sx WRITING A HOOK
  69. for more details.
  70. .Bl -tag
  71. .It Cm name Ar string
  72. The name the hook is registered under. Must be unique.
  73. .It Cm hook_type Ar array
  74. Array of strings. Possible types are:
  75. .Bl -dash -compact
  76. .It
  77. challenge-http-01
  78. .It
  79. challenge-http-01-clean
  80. .It
  81. challenge-dns-01
  82. .It
  83. challenge-dns-01-clean
  84. .It
  85. challenge-tls-alpn-01
  86. .It
  87. challenge-tls-alpn-01-clean
  88. .It
  89. file-pre-create
  90. .It
  91. file-pre-edit
  92. .It
  93. file-post-create
  94. .It
  95. file-post-edit
  96. .It
  97. post-operation
  98. .El
  99. .It Ic cmd Ar string
  100. The name of the command that will be launched.
  101. .It Ic args Ar array
  102. Array of strings representing the command's arguments.
  103. .It Ic stdin Ar string
  104. String that will be written into the command's standard input.
  105. .It Ic stdout Ar string
  106. Path to the file where the command's standard output if written.
  107. .It Ic stderr Ar string
  108. Path to the file where the command's standard error output if written.
  109. .El
  110. .It Ic group
  111. Array of table allowing to group several hooks as one. A group is considered as new hook.
  112. .Bl -tag
  113. .It Cm name Ar string
  114. The name the group is registered under. This name is considered as a hook name. Must be unique.
  115. .It Cm hooks Ar array
  116. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  117. .El
  118. .It Ic account
  119. Array of table representing an account on one or several CA.
  120. .Bl -tag
  121. .It Ic name Ar string
  122. The name the account is registered under. Must be unique.
  123. .It Ic email Ar string
  124. The email address used to contact the account's holder.
  125. .El
  126. .It Ic certificate
  127. Array of table representing a certificate that will be requested to a CA.
  128. .Bl -tag
  129. .It Ic account Ar string
  130. Name of the account to use.
  131. .It Ic endpoint Ar string
  132. Name of the endpoint to use.
  133. .It Ic domains Ar array
  134. Array of tables listing the domains that should be included in the certificate along with the challenge to use for each one.
  135. .Bl -tag
  136. .It Ic dns
  137. The domain name.
  138. .It Ic challenge
  139. The name of the challenge to use to prove the domain's ownership. Possible values are:
  140. .Bl -dash -compact
  141. .It
  142. http-01
  143. .It
  144. dns-01
  145. .It
  146. tls-alpn-01
  147. .El
  148. .El
  149. .It Ic algorithm Ar string
  150. Name of the asymetric cryptography algorithm used to generate the certificate's key pair. Possible values are :
  151. .Bl -dash -compact
  152. .It
  153. rsa2048
  154. .Aq default
  155. .It
  156. rsa4096
  157. .It
  158. ecdsa_p256
  159. .It
  160. ecdsa_p384
  161. .El
  162. .It Ic kp_reuse Ar boolean
  163. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  164. .It Ic directory Ar string
  165. Path to the directory where certificates and their associated private keys are stored.
  166. .It Ic hooks Ar array
  167. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  168. .El
  169. .Sh WRITING A HOOK
  170. When requesting a certificate to a CA using ACME, there is three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every domains to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that uses a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  171. .Pp
  172. In order to allow a full automation of the three above steps without imposing arbitrary restrictions or methods,
  173. .Xr acmed 8
  174. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such approach allows admins to use any executable script or program located on the machine to customize the process.
  175. .Pp
  176. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  177. .Pp
  178. A hook have a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  179. .Pp
  180. When writing a hook, the values of
  181. .Em args ,
  182. .Em stdin ,
  183. .Em stdout
  184. and
  185. .Em stderr
  186. are considered as template strings whereas
  187. .Em cmd
  188. is not. The template syntax is
  189. .Em Handlebars .
  190. See the
  191. .Sx STANDARDS
  192. section for a link to the
  193. .Em Handlebars
  194. specifications.
  195. .Pp
  196. The available types and the associated template variable are described below.
  197. .Bl -tag
  198. .It Ic challenge-http-01
  199. Invoked when the ownership of a domain must be proved using the
  200. .Em http-01
  201. challenge. The available template variables are:
  202. .Bl -tag -compact
  203. .It Cm domain Ar string
  204. The domain name whom ownership is currently being validated.
  205. .It Cm challenge Ar string
  206. The name of the challenge type
  207. .Aq http-01 .
  208. Mostly used in hooks with multiple types.
  209. .It Cm file_name Ar string
  210. Name of the file containing the proof. This is not a full path and does not include the
  211. .Ql .well-known/acme-challenge/
  212. prefix.
  213. .It Cm proof Ar string
  214. The content of the proof that must be written to
  215. .Em file_name .
  216. .It Cm is_clean_hook Ar bool
  217. False
  218. .El
  219. .It Ic challenge-http-01-clean
  220. Invoked once a domain ownership has been proven using the
  221. .Em http-01
  222. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  223. .Em challenge-http-01
  224. hook, excepted
  225. .Em is_clean_hook
  226. which is set to
  227. .Em true .
  228. .It Ic challenge-dns-01
  229. Invoked when the ownership of a domain must be proved using the
  230. .Em dns-01
  231. challenge. The available template variables are:
  232. .Bl -tag -compact
  233. .It Cm domain Ar string
  234. The domain name whom ownership is currently being validated.
  235. .It Cm challenge Ar string
  236. The name of the challenge type
  237. .Aq dns-01 .
  238. Mostly used in hooks with multiple types.
  239. .It Cm proof Ar string
  240. The content of the proof that must be written to a
  241. .Ql TXT
  242. entry of the DNS zone for the
  243. .Ql _acme-challenge
  244. subdomain.
  245. .It Cm is_clean_hook Ar bool
  246. False
  247. .El
  248. .It Ic challenge-dns-01-clean
  249. Invoked once a domain ownership has been proven using the
  250. .Em dns-01
  251. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  252. .Em challenge-dns-01
  253. hook, excepted
  254. .Em is_clean_hook
  255. which is set to
  256. .Em true .
  257. .It Ic challenge-tls-alpn-01
  258. Invoked when the ownership of a domain must be proved using the
  259. .Em tls-alpn-01
  260. challenge. The available template variables are:
  261. .Bl -tag -compact
  262. .It Cm domain Ar string
  263. The domain name whom ownership is currently being validated.
  264. .It Cm challenge Ar string
  265. The name of the challenge type
  266. .Aq tls-alpn-01 .
  267. Mostly used in hooks with multiple types.
  268. .It Cm proof Ar string
  269. Plain-text representation of the
  270. .Em acmeIdentifier
  271. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  272. .Qd acme-tls/1
  273. ALPN extension value.
  274. .Xr acmed 8
  275. will not generate the certificate itself since it can be done using
  276. .Xr tacd 8 .
  277. .It Cm is_clean_hook Ar bool
  278. False
  279. .El
  280. .It Ic challenge-tls-alpn-01-clean
  281. Invoked once a domain ownership has been proven using the
  282. .Em tls-alpn-01
  283. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  284. .Em challenge-tls-alpn-01
  285. hook, excepted
  286. .Em is_clean_hook
  287. which is set to
  288. .Em true .
  289. .It Ic file-pre-create
  290. Invoked
  291. .Em before
  292. a non-existent file
  293. .Em created .
  294. The available template variables are:
  295. .Bl -tag -compact
  296. .It Cm file_name Ar string
  297. Name of the impacted file.
  298. .It Cm file_directory Ar string
  299. Name of the directory where the impacted file is located.
  300. .It Cm file_path Ar string
  301. Full path to the impacted file.
  302. .El
  303. .It Ic file-pre-edit
  304. Invoked
  305. .Em before
  306. an existent file
  307. .Em modified .
  308. The available template variables are the same as those available for the
  309. .Em file-pre-create
  310. type.
  311. .It Ic file-post-create
  312. Invoked
  313. .Em after
  314. a non-existent file
  315. .Em created .
  316. The available template variables are the same as those available for the
  317. .Em file-pre-create
  318. type.
  319. .It Ic file-post-edit
  320. Invoked
  321. .Em after
  322. an existent file
  323. .Em modified .
  324. The available template variables are the same as those available for the
  325. .Em file-pre-create
  326. type.
  327. .It Ic post-operation
  328. Invoked at the end of the certificate request process. The available template variables are:
  329. .Bl -tag -compact
  330. .It Cm domains Ar string
  331. Array containing the domain names included in the requested certificate.
  332. .It Cm algorithm Ar string
  333. Name of the algorithm used in the certificate.
  334. .It Cm status Ar string
  335. Human-readable status. If the certificate request failed, it contains the error description.
  336. .It Cm is_success Ar boolean
  337. True if the certificate request is successful.
  338. .El
  339. .El
  340. .Sh FILES
  341. .Bl -tag
  342. .It Pa /etc/acmed/acmed.toml
  343. Default
  344. .Xr acmed 8
  345. configuration file.
  346. .It Pa /etc/acmed/accounts
  347. Default accounts private and public keys directory.
  348. .It Pa /etc/acmed/certs
  349. Default certificates and associated private keys directory.
  350. .Sh EXAMPLES
  351. The following example defines a typical endpoint, account and certificate for a domain and several subdomains.
  352. .Bd -literal -offset indent
  353. [[endpoint]]
  354. name = "example name"
  355. url = "https://acme.example.org/directory"
  356. tos_agreed = true
  357. [[account]]
  358. name = "my test account"
  359. email = "certs@exemple.net"
  360. [[certificate]]
  361. endpoint = "example name"
  362. account = "my test account"
  363. domains = [
  364. { dns = "exemple.net", challenge = "http-01"},
  365. { dns = "1.exemple.net", challenge = "http-01"},
  366. { dns = "2.exemple.net", challenge = "dns-01"},
  367. { dns = "3.exemple.net", challenge = "tls-alpn-01"},
  368. ]
  369. hooks = ["example-hook-1", "example-hook-2", "example-hook-3"]
  370. .Ed
  371. .Pp
  372. It is possible to use
  373. .Xr echo 1
  374. to solve the
  375. .Em http-01
  376. challenge and
  377. .Xr rm 1
  378. to clean it.
  379. .Xr mkdir 1
  380. and
  381. .Xr chmod 1
  382. are used to prevent issues related to file access.
  383. .Bd -literal -offset indent
  384. [[hook]]
  385. name = "http-01-echo-mkdir"
  386. type = ["challenge-http-01"]
  387. cmd = "mkdir"
  388. args = [
  389. "-m", "0755",
  390. "-p", "/var/www/{{domain}}/.well-known/acme-challenge"
  391. ]
  392. [[hook]]
  393. name = "http-01-echo-echo"
  394. type = ["challenge-http-01"]
  395. cmd = "echo"
  396. args = ["{{proof}}"]
  397. stdout = "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  398. [[hook]]
  399. name = "http-01-echo-chmod"
  400. type = ["challenge-http-01-clean"]
  401. cmd = "chmod"
  402. args = [
  403. "a+r",
  404. "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  405. ]
  406. [[hook]]
  407. name = "http-01-echo-clean"
  408. type = ["challenge-http-01-clean"]
  409. cmd = "rm"
  410. args = [
  411. "-f",
  412. "/var/www/{{domain}}/.well-known/acme-challenge/{{file_name}}"
  413. ]
  414. .Ed
  415. .Pp
  416. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  417. .Bd -literal -offset indent
  418. [[group]]
  419. name = "http-01-echo-var-www"
  420. hooks = [
  421. "http-01-echo-mkdir",
  422. "http-01-echo-echo",
  423. "http-01-echo-chmod",
  424. "http-01-echo-clean"
  425. ]
  426. [[certificate]]
  427. # Some fields omitted
  428. hooks = ["http-01-echo-var-www"]
  429. .Ed
  430. .Pp
  431. It is also possible to use
  432. .Xr sendmail 8
  433. in a hook in order to notif someone when the certificate request process is done.
  434. .Bd -literal -offset indent
  435. [[hook]]
  436. name = "email-report"
  437. type = ["post-operation"]
  438. cmd = "sendmail"
  439. args = [
  440. "-f", "noreply.certs@example.net",
  441. "contact@example.net"
  442. ]
  443. stdin = """Subject: Certificate renewal {{#if is_success}}succeeded{{else}}failed{{/if}} for {{domains.[0]}}
  444. The following certificate has {{#unless is_success}}*not* {{/if}}been renewed.
  445. domains: {{#each domains}}{{#if @index}}, {{/if}}{{this}}{{/each}}
  446. algorithm: {{algorithm}}
  447. status: {{status}}"""
  448. .Ed
  449. .Sh SEE ALSO
  450. .Xr acmed 8 ,
  451. .Xr tacd 8
  452. .Sh STANDARDS
  453. .Bl
  454. .It
  455. .Rs
  456. .%A Tom Preston-Werner
  457. .%D July 2018
  458. .%T TOML v0.5.0
  459. .%U https://github.com/toml-lang/toml
  460. .Re
  461. .It
  462. .Rs
  463. .%A Yehuda Katz
  464. .%T Handlebars
  465. .%U https://handlebarsjs.com/
  466. .Re
  467. .El
  468. .Sh AUTHORS
  469. .An Rodolphe Bréard
  470. .Aq rodolphe@breard.tf