You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

822 lines
24 KiB

5 years ago
4 years ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd November 11, 2020
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic account
  22. Array of table representing an account on one or several endpoint.
  23. .Bl -tag
  24. .It Ic contacts Ar array
  25. Array of tables describing describing the account holder's contact information. Each table must have one and only one key-value pair. Possible keys and their associated values are:
  26. .Bl -tag
  27. .It Ic mailto Ar string
  28. A mailto URI as defined by
  29. .Em RFC 6068 .
  30. This URI cannot contains neither
  31. .Dq hfields
  32. nor more than one
  33. .Dq addr-spec
  34. in the
  35. .Dq to
  36. component.
  37. .El
  38. .It Ic env Ar table
  39. Table of environment variables that will be accessible from hooks.
  40. .It Ic external_account Ar table
  41. Table containing the information required to bind the account to an external one. Possible fields and values are:
  42. .Bl -tag
  43. .It Ic identifier Ar string
  44. ASCII string identifying the key.
  45. .It Ic key Ar string
  46. Private key encoded in base64url without padding.
  47. .It Ic signature_algorithm Ar string
  48. Name of the signature algorithm used to sign the external account binding message sent to the endpoint as defined in
  49. .Em RFC 7518 .
  50. Possible values are:
  51. .Bl -dash -compact
  52. .It
  53. HS256
  54. .Aq default
  55. .It
  56. HS384
  57. .It
  58. HS512
  59. .El
  60. .El
  61. .It Ic hooks Ar array
  62. Names of hooks that will be called during operations on the account storage file. The hooks are guaranteed to be called sequentially in the declaration order.
  63. .It Cm key_type Ar string
  64. Name of the asymmetric cryptography algorithm used to generate the key pair. Possible values are:
  65. .Bl -dash -compact
  66. .It
  67. ecdsa_p256
  68. .Aq default
  69. .It
  70. ecdsa_p384
  71. .It
  72. ecdsa_p521
  73. .It
  74. rsa2048
  75. .It
  76. rsa4096
  77. .El
  78. .It Ic name Ar string
  79. The name the account is registered under. Must be unique.
  80. .It Cm signature_algorithm Ar string
  81. Name of the signature algorithm used to sign the messages sent to the endpoint as defined in
  82. .Em RFC 7518 .
  83. The default value is derived from the key type. Possible values are:
  84. .Bl -dash -compact
  85. .It
  86. ES256
  87. .It
  88. ES384
  89. .It
  90. ES512
  91. .It
  92. RS256
  93. .El
  94. .El
  95. .It Ic certificate
  96. Array of table representing a certificate that will be requested to a CA.
  97. .Pp
  98. Note that, by default, certificates are identified by the first identifier in the list of identifiers. That means that if you reorder the identifiers so that a different identifier is at the first position, a new certificate with a new name will be issued.
  99. .Bl -tag
  100. .It Ic account Ar string
  101. Name of the account to use.
  102. .It Ic csr_digest Ar string
  103. Name of the certificate's signing request digest algorithm. Possible values are:
  104. .Bl -dash -compact
  105. .It
  106. sha256
  107. .Aq default
  108. .It
  109. sha384
  110. .It
  111. sha512
  112. .El
  113. .It Ic directory Ar string
  114. Path to the directory where certificates and their associated private keys are stored.
  115. .It Ic endpoint Ar string
  116. Name of the endpoint to use.
  117. .It Ic env Ar table
  118. Table of environment variables that will be accessible from hooks.
  119. .It Ic file_name_format Ar string
  120. Template used to build the file's name. The template syntax is
  121. .Em Handlebars .
  122. See the
  123. .Sx STANDARDS
  124. section for a link to the
  125. .Em Handlebars
  126. specifications. If not specified, the value defined in the
  127. .Em endpoint
  128. element, and then the
  129. .Em global
  130. element, is used. Default is
  131. .Dq {{name}}_{{key_type}}.{{file_type}}.{{ext}} .
  132. Possible variables are:
  133. .Bl -tag
  134. .It Ic ext Ar string
  135. File extension. Currently, only
  136. .Dq pem
  137. is supported.
  138. .It Ic file_type Ar string
  139. Contains
  140. .Dq pk
  141. for the private key file and
  142. .Dq crt
  143. for the certificate file.
  144. .It Ic key_type Ar string
  145. The certificate's private key type.
  146. .It Ic name Ar string
  147. The certificate's name.
  148. .El
  149. .It Ic hooks Ar array
  150. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  151. .It Ic identifiers Ar array
  152. Array of tables listing the identifiers that should be included in the certificate along with the challenge to use for each one. The
  153. .Em dns
  154. and
  155. .Em ip
  156. fields are mutually exclusive.
  157. .Bl -tag
  158. .It Ic challenge Ar string
  159. The name of the challenge to use to prove the identifier's ownership. Possible values are:
  160. .Bl -dash -compact
  161. .It
  162. dns-01
  163. .It
  164. http-01
  165. .It
  166. tls-alpn-01
  167. .El
  168. .It Ic dns Ar string
  169. The domain name.
  170. .It Ic env Ar table
  171. Table of environment variables that will be accessible from hooks.
  172. .It Ic ip Ar string
  173. The IP address.
  174. .El
  175. .It Ic key_type Ar string
  176. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair. Possible values are:
  177. .Bl -dash -compact
  178. .It
  179. ecdsa_p256
  180. .It
  181. ecdsa_p384
  182. .It
  183. ecdsa_p521
  184. .It
  185. rsa2048
  186. .Aq default
  187. .It
  188. rsa4096
  189. .El
  190. .It Ic kp_reuse Ar boolean
  191. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  192. .It Ic name
  193. Name of the certificate. Must be unique unless the key type is different. Will be used in logs and in the associated file's name. The
  194. .Sq * ,
  195. .So
  196. :
  197. .Sc
  198. and
  199. .Sq /
  200. characters will be replaced by an underscore. Default is the first identifier.
  201. .It Cm renew_delay Ar string
  202. Period of time between the certificate renewal and its expiration date. The format is described in the
  203. .Sx TIME PERIODS
  204. section. Default is the value defined in the associated endpoint.
  205. .It Ic subject_attributes Ar table
  206. Table where the certificate's subject attributes are specified. Possible keys, with their RFC 4519 and X.500 equivalents, are:
  207. .Bl -column -offset indent ".Sy organizational_unit_name" ".Sy generationQualifier" ".Sy organizationalUnitName"
  208. .It Sy ACMEd key Ta Sy RFC 4519 Ta Sy X.500
  209. .It Li country_name Ta c Ta countryName
  210. .It Li generation_qualifier Ta generationQualifier Ta
  211. .It Li given_name Ta givenName Ta
  212. .It Li initials Ta initials Ta
  213. .It Li locality_name Ta l Ta localityName
  214. .It Li name Ta name Ta
  215. .It Li organization_name Ta o Ta organizationName
  216. .It Li organizational_unit_name Ta ou Ta organizationalUnitName
  217. .It Li pkcs9_email_address Ta Ta
  218. .It Li postal_address Ta postalAddress Ta
  219. .It Li postal_code Ta postalCode Ta
  220. .It Li state_or_province_name Ta st Ta stateOrProvinceName
  221. .It Li street Ta street Ta streetAddress
  222. .It Li surname Ta sn Ta surname
  223. .It Li title Ta title Ta
  224. .El
  225. .El
  226. .It Ic endpoint
  227. Array of table where each element defines a Certificate Authority
  228. .Pq CA
  229. which may be used to request certificates.
  230. .Bl -tag
  231. .It Cm file_name_format Ar string
  232. Template used to build the file's name. For detailed documentation, see the
  233. .Em file_name_format
  234. directive located in the
  235. .Em certificate
  236. element.
  237. .It Cm name Ar string
  238. The name the endpoint is registered under. Must be unique.
  239. .It Cm rate_limits Ar array
  240. Array containing the names of the HTTPS rate limits to apply.
  241. .It Cm renew_delay Ar string
  242. Period of time between the certificate renewal and its expiration date. The format is described in the
  243. .Sx TIME PERIODS
  244. section. Default is the value defined in the global section.
  245. .It Cm root_certificates Ar array
  246. Array containing the path to root certificates that should be added to the trust store.
  247. .It Cm tos_agreed Ar boolean
  248. Set whether or not the user agrees to the Terms Of Service
  249. .Pq TOS .
  250. .It Cm url Ar string
  251. The endpoint's directory URL.
  252. .El
  253. .It Ic global
  254. Table containing the global configuration options.
  255. .Bl -tag
  256. .It Cm accounts_directory Ar string
  257. Specify the directory where the accounts private and public keys are stored.
  258. .It Cm cert_file_group Ar group_name|group_id Ft string
  259. Specify the group who will own newly-created certificates files. See
  260. .Xr chown 2
  261. for more details.
  262. .It Cm cert_file_mode Ar integer
  263. Specify the permissions to use for newly-created certificates files. See
  264. .Xr chmod 2
  265. for more details.
  266. .It Cm cert_file_user Ar username|user_id Ft string
  267. Specify the user who will own newly-created certificates files. See
  268. .Xr chown 2
  269. for more details.
  270. .It Cm certificates_directory Ar string
  271. Specify the directory where the certificates and their associated private keys are stored.
  272. .It Ic env Ar table
  273. Table of environment variables that will be accessible from hooks.
  274. .It Ic file_name_format Ar string
  275. Template used to build the file's name. For detailed documentation, see the
  276. .Em file_name_format
  277. directive located in the
  278. .Em certificate
  279. element.
  280. .It Cm pk_file_group Ar group_name|group_id Ft string
  281. Specify the group who will own newly-created private-key files. See
  282. .Xr chown 2
  283. for more details.
  284. .It Cm pk_file_mode Ar integer
  285. Specify the permissions to use for newly-created private-key files. See
  286. .Xr chmod 2
  287. for more details.
  288. .It Cm pk_file_user Ar username|user_id Ft string
  289. Specify the user who will own newly-created private-key files. See
  290. .Xr chown 2
  291. for more details.
  292. .It Cm renew_delay Ar string
  293. Period of time between the certificate renewal and its expiration date. The format is described in the
  294. .Sx TIME PERIODS
  295. section. Default is 3w.
  296. .It Cm root_certificates Ar array
  297. Array containing the path to root certificates that should be added to the trust store.
  298. .El
  299. .It Ic group
  300. Array of table allowing to group several hooks as one. A group is considered as new hook.
  301. .Bl -tag
  302. .It Cm hooks Ar array
  303. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  304. .It Cm name Ar string
  305. The name the group is registered under. This name is considered as a hook name. Must be unique.
  306. .El
  307. .It Ic hook
  308. Array of table where each element defines a command that will be launched at a defined point. See section
  309. .Sx WRITING A HOOK
  310. for more details.
  311. .Bl -tag
  312. .It Cm allow_failure Ar boolean
  313. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  314. .It Ic args Ar array
  315. Array of strings representing the command's arguments.
  316. .It Ic cmd Ar string
  317. The name of the command that will be launched.
  318. .It Cm name Ar string
  319. The name the hook is registered under. Must be unique.
  320. .It Ic stderr Ar string
  321. Path to the file where the command's standard error output if written.
  322. .It Ic stdin Ar string
  323. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  324. .Em stdin_str .
  325. .It Ic stdin_str Ar string
  326. String that will be written into the command's standard input. Mutually exclusive with
  327. .Em stdin .
  328. .It Ic stdout Ar string
  329. Path to the file where the command's standard output if written.
  330. .It Cm type Ar array
  331. Array of strings. Possible types are:
  332. .Bl -dash -compact
  333. .It
  334. challenge-dns-01
  335. .It
  336. challenge-dns-01-clean
  337. .It
  338. challenge-http-01
  339. .It
  340. challenge-http-01-clean
  341. .It
  342. challenge-tls-alpn-01
  343. .It
  344. challenge-tls-alpn-01-clean
  345. .It
  346. file-post-create
  347. .It
  348. file-post-edit
  349. .It
  350. file-pre-create
  351. .It
  352. file-pre-edit
  353. .It
  354. post-operation
  355. .El
  356. .El
  357. .It Ic include
  358. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  359. .Pp
  360. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  361. .Em A
  362. includes files
  363. .Em B
  364. and
  365. .Em C
  366. and all three defines the same global option, the final value will be the one defined in file
  367. .Em C .
  368. .Pp
  369. Unix style globing is supported.
  370. .It Ic rate-limit
  371. Array of table where each element defines a HTTPS rate limit.
  372. .Bl -tag
  373. .It Cm name Ar string
  374. The name the rate limit is registered under. Must be unique.
  375. .It Cm number Ar integer
  376. Number of requests authorized withing the time period.
  377. .It Cm period Ar string
  378. Period of time during which a maximal number of requests is authorized. The format is described in the
  379. .Sx TIME PERIODS
  380. section.
  381. .El
  382. .El
  383. .Sh WRITING A HOOK
  384. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every identifier to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  385. .Pp
  386. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  387. .Xr acmed 8
  388. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  389. .Pp
  390. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  391. .Pp
  392. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  393. .Pp
  394. When writing a hook, the values of
  395. .Em args ,
  396. .Em stdin ,
  397. .Em stdin_str ,
  398. .Em stdout
  399. and
  400. .Em stderr
  401. are considered as template strings whereas
  402. .Em cmd
  403. is not. The template syntax is
  404. .Em Handlebars .
  405. See the
  406. .Sx STANDARDS
  407. section for a link to the
  408. .Em Handlebars
  409. specifications.
  410. .Pp
  411. The available types and the associated template variable are described below.
  412. .Bl -tag
  413. .It Ic challenge-dns-01
  414. Invoked when the ownership of an identifier must be proved using the
  415. .Em dns-01
  416. challenge. The available template variables are:
  417. .Bl -tag -compact
  418. .It Cm challenge Ar string
  419. The name of the challenge type
  420. .Aq dns-01 .
  421. Mostly used in hooks with multiple types.
  422. .It Cm env Ar array
  423. Array containing all the environment variables.
  424. .It Cm identifier Ar string
  425. The identifier name whom ownership is currently being validated.
  426. .It Cm is_clean_hook Ar bool
  427. False
  428. .It Cm proof Ar string
  429. The content of the proof that must be written to a
  430. .Ql TXT
  431. entry of the DNS zone for the
  432. .Ql _acme-challenge
  433. subdomain.
  434. .El
  435. .It Ic challenge-dns-01-clean
  436. Invoked once an identifier ownership has been proven using the
  437. .Em dns-01
  438. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  439. .Em challenge-dns-01
  440. hook, excepted
  441. .Em is_clean_hook
  442. which is set to
  443. .Em true .
  444. .It Ic challenge-http-01
  445. Invoked when the ownership of an identifier must be proved using the
  446. .Em http-01
  447. challenge. The available template variables are:
  448. .Bl -tag -compact
  449. .It Cm challenge Ar string
  450. The name of the challenge type
  451. .Aq http-01 .
  452. Mostly used in hooks with multiple types.
  453. .It Cm env Ar array
  454. Array containing all the environment variables.
  455. .It Cm file_name Ar string
  456. Name of the file containing the proof. This is not a full path and does not include the
  457. .Ql .well-known/acme-challenge/
  458. prefix.
  459. .It Cm identifier Ar string
  460. The identifier name whom ownership is currently being validated.
  461. .It Cm is_clean_hook Ar bool
  462. False
  463. .It Cm proof Ar string
  464. The content of the proof that must be written to
  465. .Em file_name .
  466. .El
  467. .It Ic challenge-http-01-clean
  468. Invoked once an identifier ownership has been proven using the
  469. .Em http-01
  470. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  471. .Em challenge-http-01
  472. hook, excepted
  473. .Em is_clean_hook
  474. which is set to
  475. .Em true .
  476. .It Ic challenge-tls-alpn-01
  477. Invoked when the ownership of an identifier must be proved using the
  478. .Em tls-alpn-01
  479. challenge. The available template variables are:
  480. .Bl -tag -compact
  481. .It Cm challenge Ar string
  482. The name of the challenge type
  483. .Aq tls-alpn-01 .
  484. Mostly used in hooks with multiple types.
  485. .It Cm env Ar array
  486. Array containing all the environment variables.
  487. .It Cm identifier Ar string
  488. The identifier name whom ownership is currently being validated.
  489. .It Cm identifier_tls_alpn Ar string
  490. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  491. .It Cm is_clean_hook Ar bool
  492. False
  493. .It Cm proof Ar string
  494. Plain-text representation of the
  495. .Em acmeIdentifier
  496. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  497. .Qd acme-tls/1
  498. ALPN extension value.
  499. .Xr acmed 8
  500. will not generate the certificate itself since it can be done using
  501. .Xr tacd 8 .
  502. .El
  503. .It Ic challenge-tls-alpn-01-clean
  504. Invoked once an identifier ownership has been proven using the
  505. .Em tls-alpn-01
  506. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  507. .Em challenge-tls-alpn-01
  508. hook, excepted
  509. .Em is_clean_hook
  510. which is set to
  511. .Em true .
  512. .It Ic file-post-create
  513. Invoked
  514. .Em after
  515. a non-existent file
  516. .Em created .
  517. The available template variables are the same as those available for the
  518. .Em file-pre-create
  519. type.
  520. .It Ic file-post-edit
  521. Invoked
  522. .Em after
  523. an existent file
  524. .Em modified .
  525. The available template variables are the same as those available for the
  526. .Em file-pre-create
  527. type.
  528. .It Ic file-pre-create
  529. Invoked
  530. .Em before
  531. a non-existent file
  532. .Em created .
  533. The available template variables are:
  534. .Bl -tag -compact
  535. .It Cm env Ar array
  536. Array containing all the environment variables.
  537. .It Cm file_directory Ar string
  538. Name of the directory where the impacted file is located.
  539. .It Cm file_name Ar string
  540. Name of the impacted file.
  541. .It Cm file_path Ar string
  542. Full path to the impacted file.
  543. .El
  544. .It Ic file-pre-edit
  545. Invoked
  546. .Em before
  547. an existent file
  548. .Em modified .
  549. The available template variables are the same as those available for the
  550. .Em file-pre-create
  551. type.
  552. .It Ic post-operation
  553. Invoked at the end of the certificate request process. The available template variables are:
  554. .Bl -tag -compact
  555. .It Cm env Ar array
  556. Array containing all the environment variables.
  557. .It Cm identifiers Ar string
  558. Array containing the identifiers included in the requested certificate.
  559. .It Cm is_success Ar boolean
  560. True if the certificate request is successful.
  561. .It Cm key_type Ar string
  562. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair.
  563. .It Cm status Ar string
  564. Human-readable status. If the certificate request failed, it contains the error description.
  565. .El
  566. .El
  567. .Sh DEFAULT HOOKS
  568. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  569. .Bl -tag
  570. .It Pa git
  571. This hook uses
  572. .Xr git 1
  573. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  574. .Ev GIT_USERNAME
  575. and
  576. .Ev GIT_EMAIL
  577. environment variables.
  578. .It Pa http-01-echo
  579. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  580. .Pa {{env.HTTP_ROOT}}/{{identifier}}/.well-known/acme-challenge/{{file_name}} .
  581. .Pp
  582. The web server must be configured so the file
  583. .Pa http://{{identifier}}/.well-known/acme-challenge/{{file_name}}
  584. can be accessed from the CA.
  585. .Pp
  586. If
  587. .Ev HTTP_ROOT
  588. is not specified, it will be set to
  589. .Pa /var/www .
  590. .It Pa tls-alpn-01-tacd-tcp
  591. This hook is designed to solve the tls-alpn-01 challenge using
  592. .Xr tacd 8 .
  593. It requires
  594. .Xr pkill 1
  595. to support the
  596. .Em -F
  597. option.
  598. .Pp
  599. .Xr tacd 8
  600. will listen on the host defined by the
  601. .Ev TACD_HOST
  602. environment variable (default is the identifier to be validated) and on the port defined by the
  603. .Ev TACD_PORT
  604. environment variable (default is 5001).
  605. .Pp
  606. .Xr tacd 8
  607. will store its pid into
  608. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  609. If
  610. .Ev TACD_PID_ROOT
  611. is not specified, it will be set to
  612. .Pa /run .
  613. .It Pa tls-alpn-01-tacd-unix
  614. This hook is designed to solve the tls-alpn-01 challenge using
  615. .Xr tacd 8 .
  616. It requires
  617. .Xr pkill 1
  618. to support the
  619. .Em -F
  620. option.
  621. .Pp
  622. .Xr tacd 8
  623. will listen on the unix socket
  624. .Pa {{env.TACD_SOCK_ROOT}}/tacd_{{identifier}}.sock .
  625. If
  626. .Ev TACD_SOCK_ROOT
  627. is not specified, it will be set to
  628. .Pa /run .
  629. .Pp
  630. .Xr tacd 8
  631. will store its pid into
  632. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  633. If
  634. .Ev TACD_PID_ROOT
  635. is not specified, it will be set to
  636. .Pa /run .
  637. .El
  638. .Sh TIME PERIODS
  639. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  640. .Ar PM[PM...]
  641. where
  642. .Ar M
  643. is case sensitive character representing a length and
  644. .Ar P
  645. is an integer representing a multiplayer for the following length. The authorized length are:
  646. .Bl -dash -compact
  647. .It
  648. .Ar s :
  649. second
  650. .It
  651. .Ar m :
  652. minute
  653. .It
  654. .Ar h :
  655. hour
  656. .It
  657. .Ar d :
  658. day
  659. .It
  660. .Ar w :
  661. week
  662. .El
  663. The
  664. .Ar PM
  665. couples can be specified multiple times and in any order.
  666. .Pp
  667. For example,
  668. .Dq 1d42s
  669. and
  670. .Dq 40s20h4h2s
  671. both represents a period of one day and forty-two seconds.
  672. .Sh FILES
  673. .Bl -tag
  674. .It Pa /etc/acmed/accounts
  675. Default accounts private and public keys directory.
  676. .It Pa /etc/acmed/acmed.toml
  677. Default
  678. .Xr acmed 8
  679. configuration file.
  680. .It Pa /etc/acmed/certs
  681. Default certificates and associated private keys directory.
  682. .El
  683. .Sh EXAMPLES
  684. The following example defines a typical endpoint, account and certificate for a domain, several subdomains and an IP address.
  685. .Bd -literal -offset indent
  686. [[endpoint]]
  687. name = "example name"
  688. url = "https://acme.example.org/directory"
  689. tos_agreed = true
  690. [[account]]
  691. name = "my test account"
  692. contacts = [
  693. { mailto = "certs@exemple.net" }
  694. ]
  695. [[certificate]]
  696. endpoint = "example name"
  697. account = "my test account"
  698. identifiers = [
  699. { dns = "exemple.net", challenge = "http-01"},
  700. { dns = "1.exemple.net", challenge = "dns-01"},
  701. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  702. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  703. { ip = "203.0.113.1", challenge = "http-01"},
  704. ]
  705. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  706. env.HTTP_ROOT = "/srv/http"
  707. .Ed
  708. .Pp
  709. It is possible to use
  710. .Xr echo 1
  711. to solve the
  712. .Em http-01
  713. challenge and
  714. .Xr rm 1
  715. to clean it.
  716. .Xr mkdir 1
  717. and
  718. .Xr chmod 1
  719. are used to prevent issues related to file access.
  720. .Bd -literal -offset indent
  721. [[hook]]
  722. name = "http-01-echo-mkdir"
  723. type = ["challenge-http-01"]
  724. cmd = "mkdir"
  725. args = [
  726. "-m", "0755",
  727. "-p", "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge"
  728. ]
  729. [[hook]]
  730. name = "http-01-echo-echo"
  731. type = ["challenge-http-01"]
  732. cmd = "echo"
  733. args = ["{{proof}}"]
  734. stdout = "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  735. [[hook]]
  736. name = "http-01-echo-chmod"
  737. type = ["challenge-http-01-clean"]
  738. cmd = "chmod"
  739. args = [
  740. "a+r",
  741. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  742. ]
  743. [[hook]]
  744. name = "http-01-echo-clean"
  745. type = ["challenge-http-01-clean"]
  746. cmd = "rm"
  747. args = [
  748. "-f",
  749. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  750. ]
  751. .Ed
  752. .Pp
  753. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  754. .Bd -literal -offset indent
  755. [[group]]
  756. name = "http-01-echo-var-www"
  757. hooks = [
  758. "http-01-echo-mkdir",
  759. "http-01-echo-echo",
  760. "http-01-echo-chmod",
  761. "http-01-echo-clean"
  762. ]
  763. [[certificate]]
  764. # Some fields omitted
  765. hooks = ["http-01-echo"]
  766. env.HTTP_ROOT = "/srv/http"
  767. .Ed
  768. .Pp
  769. It is also possible to use
  770. .Xr sendmail 8
  771. in a hook in order to notify someone when the certificate request process is done.
  772. .Bd -literal -offset indent
  773. [[hook]]
  774. name = "email-report"
  775. type = ["post-operation"]
  776. cmd = "sendmail"
  777. args = [
  778. "-f", "noreply.certs@example.net",
  779. "contact@example.net"
  780. ]
  781. stdin_str = """Subject: Certificate renewal {{#if is_success}}succeeded{{else}}failed{{/if}} for {{identifiers.[0]}}
  782. The following certificate has {{#unless is_success}}*not* {{/unless}}been renewed.
  783. identifiers: {{#each identifiers}}{{#if @index}}, {{/if}}{{this}}{{/each}}
  784. key type: {{key_type}}
  785. status: {{status}}"""
  786. .Ed
  787. .Sh SEE ALSO
  788. .Xr acmed 8 ,
  789. .Xr tacd 8
  790. .Sh STANDARDS
  791. .Bl -hyphen
  792. .It
  793. .Rs
  794. .%A Tom Preston-Werner
  795. .%D July 2018
  796. .%T TOML v0.5.0
  797. .%U https://toml.io/en/v0.5.0
  798. .Re
  799. .It
  800. .Rs
  801. .%A Yehuda Katz
  802. .%T Handlebars
  803. .%U https://handlebarsjs.com/
  804. .Re
  805. .It
  806. .Rs
  807. .%A M. Jones
  808. .%D May 2015
  809. .%R RFC 7518
  810. .%T JSON Web Algorithms (JWA)
  811. .Re
  812. .El
  813. .Sh AUTHORS
  814. .An Rodolphe Bréard
  815. .Aq rodolphe@breard.tf