You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

787 lines
23 KiB

5 years ago
4 years ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd October 27, 2020
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic account
  22. Array of table representing an account on one or several endpoint.
  23. .Bl -tag
  24. .It Ic contacts Ar array
  25. Array of tables describing describing the account holder's contact information. Each table must have one and only one key-value pair. Possible keys and their associated values are:
  26. .Bl -tag
  27. .It Ic mailto Ar string
  28. A mailto URI as defined by
  29. .Em RFC 6068 .
  30. This URI cannot contains neither "hfields" nor more than one "addr-spec" in the "to" component.
  31. .El
  32. .It Ic env Ar table
  33. Table of environment variables that will be accessible from hooks.
  34. .It Ic external_account Ar table
  35. Table containing the information required to bind the account to an external one. Possible fields and values are:
  36. .Bl -tag
  37. .It Ic identifier Ar string
  38. ASCII string identifying the key.
  39. .It Ic key Ar string
  40. Private key encoded in base64url without padding.
  41. .It Ic signature_algorithm Ar string
  42. Name of the signature algorithm used to sign the external account binding message sent to the endpoint as defined in
  43. .Em RFC 7518 .
  44. Possible values are:
  45. .Bl -dash -compact
  46. .It
  47. HS256
  48. .Aq default
  49. .It
  50. HS384
  51. .It
  52. HS512
  53. .El
  54. .El
  55. .It Ic hooks Ar array
  56. Names of hooks that will be called during operations on the account storage file. The hooks are guaranteed to be called sequentially in the declaration order.
  57. .It Cm key_type Ar string
  58. Name of the asymmetric cryptography algorithm used to generate the key pair. Possible values are:
  59. .Bl -dash -compact
  60. .It
  61. ecdsa_p256
  62. .Aq default
  63. .It
  64. ecdsa_p384
  65. .It
  66. ecdsa_p521
  67. .It
  68. rsa2048
  69. .It
  70. rsa4096
  71. .El
  72. .It Ic name Ar string
  73. The name the account is registered under. Must be unique.
  74. .It Cm signature_algorithm Ar string
  75. Name of the signature algorithm used to sign the messages sent to the endpoint as defined in
  76. .Em RFC 7518 .
  77. The default value is derived from the key type. Possible values are:
  78. .Bl -dash -compact
  79. .It
  80. ES256
  81. .It
  82. ES384
  83. .It
  84. ES512
  85. .It
  86. RS256
  87. .El
  88. .El
  89. .It Ic certificate
  90. Array of table representing a certificate that will be requested to a CA.
  91. .Pp
  92. Note that, by default, certificates are identified by the first identifier in the list of identifiers. That means that if you reorder the identifiers so that a different identifier is at the first position, a new certificate with a new name will be issued.
  93. .Bl -tag
  94. .It Ic account Ar string
  95. Name of the account to use.
  96. .It Ic csr_digest Ar string
  97. Name of the certificate's signing request digest algorithm. Possible values are:
  98. .Bl -dash -compact
  99. .It
  100. sha256
  101. .Aq default
  102. .It
  103. sha384
  104. .It
  105. sha512
  106. .El
  107. .It Ic directory Ar string
  108. Path to the directory where certificates and their associated private keys are stored.
  109. .It Ic endpoint Ar string
  110. Name of the endpoint to use.
  111. .It Ic env Ar table
  112. Table of environment variables that will be accessible from hooks.
  113. .It Ic hooks Ar array
  114. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  115. .It Ic identifiers Ar array
  116. Array of tables listing the identifiers that should be included in the certificate along with the challenge to use for each one. The
  117. .Em dns
  118. and
  119. .Em ip
  120. fields are mutually exclusive.
  121. .Bl -tag
  122. .It Ic challenge Ar string
  123. The name of the challenge to use to prove the identifier's ownership. Possible values are:
  124. .Bl -dash -compact
  125. .It
  126. dns-01
  127. .It
  128. http-01
  129. .It
  130. tls-alpn-01
  131. .El
  132. .It Ic dns Ar string
  133. The domain name.
  134. .It Ic env Ar table
  135. Table of environment variables that will be accessible from hooks.
  136. .It Ic ip Ar string
  137. The IP address.
  138. .El
  139. .It Ic key_type Ar string
  140. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair. Possible values are:
  141. .Bl -dash -compact
  142. .It
  143. ecdsa_p256
  144. .It
  145. ecdsa_p384
  146. .It
  147. ecdsa_p521
  148. .It
  149. rsa2048
  150. .Aq default
  151. .It
  152. rsa4096
  153. .El
  154. .It Ic kp_reuse Ar boolean
  155. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  156. .It Ic name
  157. Name of the certificate. Must be unique unless the key type is different. Will be used in logs and in the associated file's name. The
  158. .Sq * ,
  159. .So
  160. :
  161. .Sc
  162. and
  163. .Sq /
  164. characters will be replaced by an underscore. Default is the first identifier.
  165. .It Cm renew_delay Ar string
  166. Period of time between the certificate renewal and its expiration date. The format is described in the
  167. .Sx TIME PERIODS
  168. section. Default is the value defined in the associated endpoint.
  169. .It Ic subject_attributes Ar table
  170. Table where the certificate's subject attributes are specified. Possible keys are:
  171. .Bl -dash -compact
  172. .It
  173. country_name
  174. .It
  175. friendly_name
  176. .It
  177. generation_qualifier
  178. .It
  179. given_name
  180. .It
  181. initials
  182. .It
  183. locality_name
  184. .It
  185. name
  186. .It
  187. organization_name
  188. .It
  189. organizational_unit_name
  190. .It
  191. pseudonym
  192. .It
  193. state_or_province_name
  194. .It
  195. street_address
  196. .It
  197. surname
  198. .It
  199. title
  200. .El
  201. .El
  202. .It Ic endpoint
  203. Array of table where each element defines a Certificate Authority
  204. .Pq CA
  205. which may be used to request certificates.
  206. .Bl -tag
  207. .It Cm name Ar string
  208. The name the endpoint is registered under. Must be unique.
  209. .It Cm rate_limits Ar array
  210. Array containing the names of the HTTPS rate limits to apply.
  211. .It Cm renew_delay Ar string
  212. Period of time between the certificate renewal and its expiration date. The format is described in the
  213. .Sx TIME PERIODS
  214. section. Default is the value defined in the global section.
  215. .It Cm root_certificates Ar array
  216. Array containing the path to root certificates that should be added to the trust store.
  217. .It Cm tos_agreed Ar boolean
  218. Set whether or not the user agrees to the Terms Of Service
  219. .Pq TOS .
  220. .It Cm url Ar string
  221. The endpoint's directory URL.
  222. .El
  223. .It Ic global
  224. Table containing the global configuration options.
  225. .Bl -tag
  226. .It Cm accounts_directory Ar string
  227. Specify the directory where the accounts private and public keys are stored.
  228. .It Cm cert_file_group Ar group_name|group_id Ft string
  229. Specify the group who will own newly-created certificates files. See
  230. .Xr chown 2
  231. for more details.
  232. .It Cm cert_file_mode Ar integer
  233. Specify the permissions to use for newly-created certificates files. See
  234. .Xr chmod 2
  235. for more details.
  236. .It Cm cert_file_user Ar username|user_id Ft string
  237. Specify the user who will own newly-created certificates files. See
  238. .Xr chown 2
  239. for more details.
  240. .It Cm certificates_directory Ar string
  241. Specify the directory where the certificates and their associated private keys are stored.
  242. .It Ic env Ar table
  243. Table of environment variables that will be accessible from hooks.
  244. .It Cm pk_file_group Ar group_name|group_id Ft string
  245. Specify the group who will own newly-created private-key files. See
  246. .Xr chown 2
  247. for more details.
  248. .It Cm pk_file_mode Ar integer
  249. Specify the permissions to use for newly-created private-key files. See
  250. .Xr chmod 2
  251. for more details.
  252. .It Cm pk_file_user Ar username|user_id Ft string
  253. Specify the user who will own newly-created private-key files. See
  254. .Xr chown 2
  255. for more details.
  256. .It Cm renew_delay Ar string
  257. Period of time between the certificate renewal and its expiration date. The format is described in the
  258. .Sx TIME PERIODS
  259. section. Default is 3w.
  260. .It Cm root_certificates Ar array
  261. Array containing the path to root certificates that should be added to the trust store.
  262. .El
  263. .It Ic group
  264. Array of table allowing to group several hooks as one. A group is considered as new hook.
  265. .Bl -tag
  266. .It Cm hooks Ar array
  267. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  268. .It Cm name Ar string
  269. The name the group is registered under. This name is considered as a hook name. Must be unique.
  270. .El
  271. .It Ic hook
  272. Array of table where each element defines a command that will be launched at a defined point. See section
  273. .Sx WRITING A HOOK
  274. for more details.
  275. .Bl -tag
  276. .It Cm allow_failure Ar boolean
  277. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  278. .It Ic args Ar array
  279. Array of strings representing the command's arguments.
  280. .It Ic cmd Ar string
  281. The name of the command that will be launched.
  282. .It Cm name Ar string
  283. The name the hook is registered under. Must be unique.
  284. .It Ic stderr Ar string
  285. Path to the file where the command's standard error output if written.
  286. .It Ic stdin Ar string
  287. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  288. .Em stdin_str .
  289. .It Ic stdin_str Ar string
  290. String that will be written into the command's standard input. Mutually exclusive with
  291. .Em stdin .
  292. .It Ic stdout Ar string
  293. Path to the file where the command's standard output if written.
  294. .It Cm type Ar array
  295. Array of strings. Possible types are:
  296. .Bl -dash -compact
  297. .It
  298. challenge-dns-01
  299. .It
  300. challenge-dns-01-clean
  301. .It
  302. challenge-http-01
  303. .It
  304. challenge-http-01-clean
  305. .It
  306. challenge-tls-alpn-01
  307. .It
  308. challenge-tls-alpn-01-clean
  309. .It
  310. file-post-create
  311. .It
  312. file-post-edit
  313. .It
  314. file-pre-create
  315. .It
  316. file-pre-edit
  317. .It
  318. post-operation
  319. .El
  320. .El
  321. .It Ic include
  322. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  323. .Pp
  324. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  325. .Em A
  326. includes files
  327. .Em B
  328. and
  329. .Em C
  330. and all three defines the same global option, the final value will be the one defined in file
  331. .Em C .
  332. .Pp
  333. Unix style globing is supported.
  334. .It Ic rate-limit
  335. Array of table where each element defines a HTTPS rate limit.
  336. .Bl -tag
  337. .It Cm name Ar string
  338. The name the rate limit is registered under. Must be unique.
  339. .It Cm number Ar integer
  340. Number of requests authorized withing the time period.
  341. .It Cm period Ar string
  342. Period of time during which a maximal number of requests is authorized. The format is described in the
  343. .Sx TIME PERIODS
  344. section.
  345. .El
  346. .El
  347. .Sh WRITING A HOOK
  348. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every identifier to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  349. .Pp
  350. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  351. .Xr acmed 8
  352. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  353. .Pp
  354. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  355. .Pp
  356. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  357. .Pp
  358. When writing a hook, the values of
  359. .Em args ,
  360. .Em stdin ,
  361. .Em stdin_str ,
  362. .Em stdout
  363. and
  364. .Em stderr
  365. are considered as template strings whereas
  366. .Em cmd
  367. is not. The template syntax is
  368. .Em Handlebars .
  369. See the
  370. .Sx STANDARDS
  371. section for a link to the
  372. .Em Handlebars
  373. specifications.
  374. .Pp
  375. The available types and the associated template variable are described below.
  376. .Bl -tag
  377. .It Ic challenge-dns-01
  378. Invoked when the ownership of an identifier must be proved using the
  379. .Em dns-01
  380. challenge. The available template variables are:
  381. .Bl -tag -compact
  382. .It Cm challenge Ar string
  383. The name of the challenge type
  384. .Aq dns-01 .
  385. Mostly used in hooks with multiple types.
  386. .It Cm env Ar array
  387. Array containing all the environment variables.
  388. .It Cm identifier Ar string
  389. The identifier name whom ownership is currently being validated.
  390. .It Cm identifier_tls_alpn Ar string
  391. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  392. .It Cm is_clean_hook Ar bool
  393. False
  394. .It Cm proof Ar string
  395. The content of the proof that must be written to a
  396. .Ql TXT
  397. entry of the DNS zone for the
  398. .Ql _acme-challenge
  399. subdomain.
  400. .El
  401. .It Ic challenge-dns-01-clean
  402. Invoked once an identifier ownership has been proven using the
  403. .Em dns-01
  404. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  405. .Em challenge-dns-01
  406. hook, excepted
  407. .Em is_clean_hook
  408. which is set to
  409. .Em true .
  410. .It Ic challenge-http-01
  411. Invoked when the ownership of an identifier must be proved using the
  412. .Em http-01
  413. challenge. The available template variables are:
  414. .Bl -tag -compact
  415. .It Cm challenge Ar string
  416. The name of the challenge type
  417. .Aq http-01 .
  418. Mostly used in hooks with multiple types.
  419. .It Cm env Ar array
  420. Array containing all the environment variables.
  421. .It Cm file_name Ar string
  422. Name of the file containing the proof. This is not a full path and does not include the
  423. .Ql .well-known/acme-challenge/
  424. prefix.
  425. .It Cm identifier Ar string
  426. The identifier name whom ownership is currently being validated.
  427. .It Cm identifier_tls_alpn Ar string
  428. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  429. .It Cm is_clean_hook Ar bool
  430. False
  431. .It Cm proof Ar string
  432. The content of the proof that must be written to
  433. .Em file_name .
  434. .El
  435. .It Ic challenge-http-01-clean
  436. Invoked once an identifier ownership has been proven using the
  437. .Em http-01
  438. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  439. .Em challenge-http-01
  440. hook, excepted
  441. .Em is_clean_hook
  442. which is set to
  443. .Em true .
  444. .It Ic challenge-tls-alpn-01
  445. Invoked when the ownership of an identifier must be proved using the
  446. .Em tls-alpn-01
  447. challenge. The available template variables are:
  448. .Bl -tag -compact
  449. .It Cm challenge Ar string
  450. The name of the challenge type
  451. .Aq tls-alpn-01 .
  452. Mostly used in hooks with multiple types.
  453. .It Cm env Ar array
  454. Array containing all the environment variables.
  455. .It Cm identifier Ar string
  456. The identifier name whom ownership is currently being validated.
  457. .It Cm identifier_tls_alpn Ar string
  458. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  459. .It Cm is_clean_hook Ar bool
  460. False
  461. .It Cm proof Ar string
  462. Plain-text representation of the
  463. .Em acmeIdentifier
  464. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  465. .Qd acme-tls/1
  466. ALPN extension value.
  467. .Xr acmed 8
  468. will not generate the certificate itself since it can be done using
  469. .Xr tacd 8 .
  470. .El
  471. .It Ic challenge-tls-alpn-01-clean
  472. Invoked once an identifier ownership has been proven using the
  473. .Em tls-alpn-01
  474. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  475. .Em challenge-tls-alpn-01
  476. hook, excepted
  477. .Em is_clean_hook
  478. which is set to
  479. .Em true .
  480. .It Ic file-post-create
  481. Invoked
  482. .Em after
  483. a non-existent file
  484. .Em created .
  485. The available template variables are the same as those available for the
  486. .Em file-pre-create
  487. type.
  488. .It Ic file-post-edit
  489. Invoked
  490. .Em after
  491. an existent file
  492. .Em modified .
  493. The available template variables are the same as those available for the
  494. .Em file-pre-create
  495. type.
  496. .It Ic file-pre-create
  497. Invoked
  498. .Em before
  499. a non-existent file
  500. .Em created .
  501. The available template variables are:
  502. .Bl -tag -compact
  503. .It Cm env Ar array
  504. Array containing all the environment variables.
  505. .It Cm file_directory Ar string
  506. Name of the directory where the impacted file is located.
  507. .It Cm file_name Ar string
  508. Name of the impacted file.
  509. .It Cm file_path Ar string
  510. Full path to the impacted file.
  511. .El
  512. .It Ic file-pre-edit
  513. Invoked
  514. .Em before
  515. an existent file
  516. .Em modified .
  517. The available template variables are the same as those available for the
  518. .Em file-pre-create
  519. type.
  520. .It Ic post-operation
  521. Invoked at the end of the certificate request process. The available template variables are:
  522. .Bl -tag -compact
  523. .It Cm env Ar array
  524. Array containing all the environment variables.
  525. .It Cm identifiers Ar string
  526. Array containing the identifiers included in the requested certificate.
  527. .It Cm is_success Ar boolean
  528. True if the certificate request is successful.
  529. .It Cm key_type Ar string
  530. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair.
  531. .It Cm status Ar string
  532. Human-readable status. If the certificate request failed, it contains the error description.
  533. .El
  534. .El
  535. .Sh DEFAULT HOOKS
  536. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  537. .Bl -tag
  538. .It Pa git
  539. This hook uses
  540. .Xr git 1
  541. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  542. .Ev GIT_USERNAME
  543. and
  544. .Ev GIT_EMAIL
  545. environment variables.
  546. .It Pa http-01-echo
  547. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  548. .Pa {{env.HTTP_ROOT}}/{{identifier}}/.well-known/acme-challenge/{{file_name}} .
  549. .Pp
  550. The web server must be configured so the file
  551. .Pa http://{{identifier}}/.well-known/acme-challenge/{{file_name}}
  552. can be accessed from the CA.
  553. .Pp
  554. If
  555. .Ev HTTP_ROOT
  556. is not specified, it will be set to
  557. .Pa /var/www .
  558. .It Pa tls-alpn-01-tacd-tcp
  559. This hook is designed to solve the tls-alpn-01 challenge using
  560. .Xr tacd 8 .
  561. It requires
  562. .Xr pkill 1
  563. to support the
  564. .Em -F
  565. option.
  566. .Pp
  567. .Xr tacd 8
  568. will listen on the host defined by the
  569. .Ev TACD_HOST
  570. environment variable (default is the identifier to be validated) and on the port defined by the
  571. .Ev TACD_PORT
  572. environment variable (default is 5001).
  573. .Pp
  574. .Xr tacd 8
  575. will store its pid into
  576. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  577. If
  578. .Ev TACD_PID_ROOT
  579. is not specified, it will be set to
  580. .Pa /run .
  581. .It Pa tls-alpn-01-tacd-unix
  582. This hook is designed to solve the tls-alpn-01 challenge using
  583. .Xr tacd 8 .
  584. It requires
  585. .Xr pkill 1
  586. to support the
  587. .Em -F
  588. option.
  589. .Pp
  590. .Xr tacd 8
  591. will listen on the unix socket
  592. .Pa {{env.TACD_SOCK_ROOT}}/tacd_{{identifier}}.sock .
  593. If
  594. .Ev TACD_SOCK_ROOT
  595. is not specified, it will be set to
  596. .Pa /run .
  597. .Pp
  598. .Xr tacd 8
  599. will store its pid into
  600. .Pa {{TACD_PID_ROOT}}/tacd_{{identifier}}.pid .
  601. If
  602. .Ev TACD_PID_ROOT
  603. is not specified, it will be set to
  604. .Pa /run .
  605. .El
  606. .Sh TIME PERIODS
  607. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  608. .Ar PM[PM...]
  609. where
  610. .Ar M
  611. is case sensitive character representing a length and
  612. .Ar P
  613. is an integer representing a multiplayer for the following length. The authorized length are:
  614. .Bl -dash -compact
  615. .It
  616. .Ar s :
  617. second
  618. .It
  619. .Ar m :
  620. minute
  621. .It
  622. .Ar h :
  623. hour
  624. .It
  625. .Ar d :
  626. day
  627. .It
  628. .Ar w :
  629. week
  630. .El
  631. The
  632. .Ar PM
  633. couples can be specified multiple times and in any order.
  634. .Pp
  635. For example,
  636. .Dq 1d42s and
  637. .Dq 40s20h4h2s
  638. both represents a period of one day and forty-two seconds.
  639. .Sh FILES
  640. .Bl -tag
  641. .It Pa /etc/acmed/accounts
  642. Default accounts private and public keys directory.
  643. .It Pa /etc/acmed/acmed.toml
  644. Default
  645. .Xr acmed 8
  646. configuration file.
  647. .It Pa /etc/acmed/certs
  648. Default certificates and associated private keys directory.
  649. .El
  650. .Sh EXAMPLES
  651. The following example defines a typical endpoint, account and certificate for a domain, several subdomains and an IP address.
  652. .Bd -literal -offset indent
  653. [[endpoint]]
  654. name = "example name"
  655. url = "https://acme.example.org/directory"
  656. tos_agreed = true
  657. [[account]]
  658. name = "my test account"
  659. email = "certs@exemple.net"
  660. [[certificate]]
  661. endpoint = "example name"
  662. account = "my test account"
  663. identifiers = [
  664. { dns = "exemple.net", challenge = "http-01"},
  665. { dns = "1.exemple.net", challenge = "dns-01"},
  666. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  667. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  668. { ip = "203.0.113.1", challenge = "http-01"},
  669. ]
  670. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  671. env.HTTP_ROOT = "/srv/http"
  672. .Ed
  673. .Pp
  674. It is possible to use
  675. .Xr echo 1
  676. to solve the
  677. .Em http-01
  678. challenge and
  679. .Xr rm 1
  680. to clean it.
  681. .Xr mkdir 1
  682. and
  683. .Xr chmod 1
  684. are used to prevent issues related to file access.
  685. .Bd -literal -offset indent
  686. [[hook]]
  687. name = "http-01-echo-mkdir"
  688. type = ["challenge-http-01"]
  689. cmd = "mkdir"
  690. args = [
  691. "-m", "0755",
  692. "-p", "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge"
  693. ]
  694. [[hook]]
  695. name = "http-01-echo-echo"
  696. type = ["challenge-http-01"]
  697. cmd = "echo"
  698. args = ["{{proof}}"]
  699. stdout = "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  700. [[hook]]
  701. name = "http-01-echo-chmod"
  702. type = ["challenge-http-01-clean"]
  703. cmd = "chmod"
  704. args = [
  705. "a+r",
  706. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  707. ]
  708. [[hook]]
  709. name = "http-01-echo-clean"
  710. type = ["challenge-http-01-clean"]
  711. cmd = "rm"
  712. args = [
  713. "-f",
  714. "{{%if env.HTTP_ROOT}}{{env.HTTP_ROOT}}{{else}}/var/www{{/if}}/{{identifier}}/.well-known/acme-challenge/{{file_name}}"
  715. ]
  716. .Ed
  717. .Pp
  718. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  719. .Bd -literal -offset indent
  720. [[group]]
  721. name = "http-01-echo-var-www"
  722. hooks = [
  723. "http-01-echo-mkdir",
  724. "http-01-echo-echo",
  725. "http-01-echo-chmod",
  726. "http-01-echo-clean"
  727. ]
  728. [[certificate]]
  729. # Some fields omitted
  730. hooks = ["http-01-echo"]
  731. env.HTTP_ROOT = "/srv/http"
  732. .Ed
  733. .Pp
  734. It is also possible to use
  735. .Xr sendmail 8
  736. in a hook in order to notif someone when the certificate request process is done.
  737. .Bd -literal -offset indent
  738. [[hook]]
  739. name = "email-report"
  740. type = ["post-operation"]
  741. cmd = "sendmail"
  742. args = [
  743. "-f", "noreply.certs@example.net",
  744. "contact@example.net"
  745. ]
  746. stdin_str = """Subject: Certificate renewal {{#if is_success}}succeeded{{else}}failed{{/if}} for {{identifiers.[0]}}
  747. The following certificate has {{#unless is_success}}*not* {{/unless}}been renewed.
  748. identifiers: {{#each identifiers}}{{#if @index}}, {{/if}}{{this}}{{/each}}
  749. key type: {{key_type}}
  750. status: {{status}}"""
  751. .Ed
  752. .Sh SEE ALSO
  753. .Xr acmed 8 ,
  754. .Xr tacd 8
  755. .Sh STANDARDS
  756. .Bl -hyphen
  757. .It
  758. .Rs
  759. .%A Tom Preston-Werner
  760. .%D July 2018
  761. .%T TOML v0.5.0
  762. .%U https://toml.io/en/v0.5.0
  763. .Re
  764. .It
  765. .Rs
  766. .%A Yehuda Katz
  767. .%T Handlebars
  768. .%U https://handlebarsjs.com/
  769. .Re
  770. .It
  771. .Rs
  772. .%A M. Jones
  773. .%D May 2015
  774. .%R RFC 7518
  775. .%T JSON Web Algorithms (JWA)
  776. .Re
  777. .El
  778. .Sh AUTHORS
  779. .An Rodolphe Bréard
  780. .Aq rodolphe@breard.tf