You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

859 lines
26 KiB

5 years ago
11 months ago
  1. .\" Copyright (c) 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>
  2. .\"
  3. .\" Copying and distribution of this file, with or without modification,
  4. .\" are permitted in any medium without royalty provided the copyright
  5. .\" notice and this notice are preserved. This file is offered as-is,
  6. .\" without any warranty.
  7. .Dd Dec 20, 2023
  8. .Dt ACMED.TOML 5
  9. .Os
  10. .Sh NAME
  11. .Nm acmed.toml
  12. .Nd ACMEd configuration file
  13. .Sh DESCRIPTION
  14. .Nm
  15. is the configuration file for
  16. .Xr acmed 8 .
  17. It is written in the
  18. .Em TOML
  19. format. The allowed elements are described below.
  20. .Bl -tag
  21. .It Ic account
  22. Array of table representing an account on one or several endpoint.
  23. .Bl -tag
  24. .It Ic contacts Ar array
  25. Array of tables describing describing the account holder's contact information. Each table must have one and only one key-value pair. Possible keys and their associated values are:
  26. .Bl -tag
  27. .It Ic mailto Ar string
  28. A mailto URI as defined by
  29. .Em RFC 6068 .
  30. This URI cannot contains neither
  31. .Dq hfields
  32. nor more than one
  33. .Dq addr-spec
  34. in the
  35. .Dq to
  36. component.
  37. .El
  38. .It Ic env Ar table
  39. Table of environment variables that will be accessible from hooks.
  40. .It Ic external_account Ar table
  41. Table containing the information required to bind the account to an external one. Possible fields and values are:
  42. .Bl -tag
  43. .It Ic identifier Ar string
  44. ASCII string identifying the key.
  45. .It Ic key Ar string
  46. Private key encoded in base64url without padding.
  47. .It Ic signature_algorithm Ar string
  48. Name of the signature algorithm used to sign the external account binding message sent to the endpoint as defined in
  49. .Em RFC 7518 .
  50. Possible values are:
  51. .Bl -dash -compact
  52. .It
  53. HS256
  54. .Aq default
  55. .It
  56. HS384
  57. .It
  58. HS512
  59. .El
  60. .El
  61. .It Ic hooks Ar array
  62. Names of hooks that will be called during operations on the account storage file. The hooks are guaranteed to be called sequentially in the declaration order.
  63. .It Cm key_type Ar string
  64. Name of the asymmetric cryptography algorithm used to generate the key pair. Possible values are:
  65. .Bl -dash -compact
  66. .It
  67. ed25519
  68. .It
  69. ed448
  70. .It
  71. ecdsa_p256
  72. .Aq default
  73. .It
  74. ecdsa_p384
  75. .It
  76. ecdsa_p521
  77. .It
  78. rsa2048
  79. .It
  80. rsa4096
  81. .El
  82. .It Ic name Ar string
  83. The name the account is registered under. Must be unique.
  84. .It Cm signature_algorithm Ar string
  85. Name of the signature algorithm used to sign the messages sent to the endpoint as defined in
  86. .Em RFC 7518 .
  87. The default value is derived from the key type. Possible values are:
  88. .Bl -dash -compact
  89. .It
  90. ES256
  91. .It
  92. ES384
  93. .It
  94. ES512
  95. .It
  96. RS256
  97. .El
  98. .El
  99. .It Ic certificate
  100. Array of table representing a certificate that will be requested to a CA.
  101. .Pp
  102. Note that, by default, certificates are identified by the first identifier in the list of identifiers. That means that if you reorder the identifiers so that a different identifier is at the first position, a new certificate with a new name will be issued.
  103. .Bl -tag
  104. .It Ic account Ar string
  105. Name of the account to use.
  106. .It Ic csr_digest Ar string
  107. Name of the certificate's signing request digest algorithm. Possible values are:
  108. .Bl -dash -compact
  109. .It
  110. sha256
  111. .Aq default
  112. .It
  113. sha384
  114. .It
  115. sha512
  116. .El
  117. .It Ic directory Ar string
  118. Path to the directory where certificates and their associated private keys are stored.
  119. .It Ic endpoint Ar string
  120. Name of the endpoint to use.
  121. .It Ic env Ar table
  122. Table of environment variables that will be accessible from hooks.
  123. .It Ic file_name_format Ar string
  124. Template used to build the file's name. The template syntax is
  125. .Em MiniJinja .
  126. See the
  127. .Sx STANDARDS
  128. section for a link to the
  129. .Em MiniJinja
  130. specifications. If not specified, the value defined in the
  131. .Em endpoint
  132. element, and then the
  133. .Em global
  134. element, is used. Default is
  135. .Dq {{ name }}_{{ key_type }}.{{ file_type }}.{{ ext }} .
  136. Possible variables are:
  137. .Bl -tag
  138. .It Ic ext Ar string
  139. File extension. Currently, only
  140. .Dq pem
  141. is supported.
  142. .It Ic file_type Ar string
  143. Contains
  144. .Dq pk
  145. for the private key file and
  146. .Dq crt
  147. for the certificate file.
  148. .It Ic key_type Ar string
  149. The certificate's private key type.
  150. .It Ic name Ar string
  151. The certificate's name.
  152. .El
  153. .It Ic hooks Ar array
  154. Names of hooks that will be called when requesting a new certificate. The hooks are guaranteed to be called sequentially in the declaration order.
  155. .It Ic identifiers Ar array
  156. Array of tables listing the identifiers that should be included in the certificate along with the challenge to use for each one. The
  157. .Em dns
  158. and
  159. .Em ip
  160. fields are mutually exclusive.
  161. .Bl -tag
  162. .It Ic challenge Ar string
  163. The name of the challenge to use to prove the identifier's ownership. Possible values are:
  164. .Bl -dash -compact
  165. .It
  166. dns-01
  167. .It
  168. http-01
  169. .It
  170. tls-alpn-01
  171. .El
  172. .It Ic dns Ar string
  173. The domain name.
  174. .It Ic env Ar table
  175. Table of environment variables that will be accessible from hooks.
  176. .It Ic ip Ar string
  177. The IP address.
  178. .El
  179. .It Ic key_type Ar string
  180. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair. Possible values are:
  181. .Bl -dash -compact
  182. .It
  183. ed25519
  184. .It
  185. ed448
  186. .It
  187. ecdsa_p256
  188. .It
  189. ecdsa_p384
  190. .It
  191. ecdsa_p521
  192. .It
  193. rsa2048
  194. .Aq default
  195. .It
  196. rsa4096
  197. .El
  198. .It Ic kp_reuse Ar boolean
  199. Set whether or not the private key should be reused when renewing the certificate. Default is false.
  200. .It Ic name
  201. Name of the certificate. Must be unique unless the key type is different. Will be used in logs and in the associated file's name. The
  202. .Sq * ,
  203. .So
  204. :
  205. .Sc
  206. and
  207. .Sq /
  208. characters will be replaced by an underscore. Default is the first identifier.
  209. .It Cm random_early_renew Ar string
  210. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  211. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  212. .Sx TIME PERIODS
  213. section. Default is the value defined in the associated endpoint.
  214. .It Cm renew_delay Ar string
  215. Period of time between the certificate renewal and its expiration date. The format is described in the
  216. .Sx TIME PERIODS
  217. section. Default is the value defined in the associated endpoint.
  218. .It Ic subject_attributes Ar table
  219. Table where the certificate's subject attributes are specified. Possible keys, with their RFC 4519 and X.500 equivalents, are:
  220. .Bl -column -offset indent ".Sy organizational_unit_name" ".Sy generationQualifier" ".Sy organizationalUnitName"
  221. .It Sy ACMEd key Ta Sy RFC 4519 Ta Sy X.500
  222. .It Li country_name Ta c Ta countryName
  223. .It Li generation_qualifier Ta generationQualifier Ta
  224. .It Li given_name Ta givenName Ta
  225. .It Li initials Ta initials Ta
  226. .It Li locality_name Ta l Ta localityName
  227. .It Li name Ta name Ta
  228. .It Li organization_name Ta o Ta organizationName
  229. .It Li organizational_unit_name Ta ou Ta organizationalUnitName
  230. .It Li pkcs9_email_address Ta Ta
  231. .It Li postal_address Ta postalAddress Ta
  232. .It Li postal_code Ta postalCode Ta
  233. .It Li state_or_province_name Ta st Ta stateOrProvinceName
  234. .It Li street Ta street Ta streetAddress
  235. .It Li surname Ta sn Ta surname
  236. .It Li title Ta title Ta
  237. .El
  238. .El
  239. .It Ic endpoint
  240. Array of table where each element defines a Certificate Authority
  241. .Pq CA
  242. which may be used to request certificates.
  243. .Bl -tag
  244. .It Cm file_name_format Ar string
  245. Template used to build the file's name. For detailed documentation, see the
  246. .Em file_name_format
  247. directive located in the
  248. .Em certificate
  249. element.
  250. .It Cm name Ar string
  251. The name the endpoint is registered under. Must be unique.
  252. .It Cm rate_limits Ar array
  253. Array containing the names of the HTTPS rate limits to apply.
  254. .It Cm random_early_renew Ar string
  255. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  256. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  257. .Sx TIME PERIODS
  258. section. Default is the value defined in the global section.
  259. .It Cm renew_delay Ar string
  260. Period of time between the certificate renewal and its expiration date. The format is described in the
  261. .Sx TIME PERIODS
  262. section. Default is the value defined in the global section.
  263. .It Cm root_certificates Ar array
  264. Array containing the path to root certificates that should be added to the trust store.
  265. .It Cm tos_agreed Ar boolean
  266. Set whether or not the user agrees to the Terms Of Service
  267. .Pq TOS .
  268. .It Cm url Ar string
  269. The endpoint's directory URL.
  270. .El
  271. .It Ic global
  272. Table containing the global configuration options.
  273. .Bl -tag
  274. .It Cm accounts_directory Ar string
  275. Specify the directory where the accounts private and public keys are stored.
  276. .It Cm cert_file_group Ar group_name|group_id Ft string
  277. Specify the group who will own newly-created certificates files. See
  278. .Xr chown 2
  279. for more details.
  280. .It Cm cert_file_mode Ar integer
  281. Specify the permissions to use for newly-created certificates files. See
  282. .Xr chmod 2
  283. for more details.
  284. .It Cm cert_file_user Ar username|user_id Ft string
  285. Specify the user who will own newly-created certificates files. See
  286. .Xr chown 2
  287. for more details.
  288. .It Cm certificates_directory Ar string
  289. Specify the directory where the certificates and their associated private keys are stored.
  290. .It Ic env Ar table
  291. Table of environment variables that will be accessible from hooks.
  292. .It Ic file_name_format Ar string
  293. Template used to build the file's name. For detailed documentation, see the
  294. .Em file_name_format
  295. directive located in the
  296. .Em certificate
  297. element.
  298. .It Cm pk_file_group Ar group_name|group_id Ft string
  299. Specify the group who will own newly-created private-key files. See
  300. .Xr chown 2
  301. for more details.
  302. .It Cm pk_file_mode Ar integer
  303. Specify the permissions to use for newly-created private-key files. See
  304. .Xr chmod 2
  305. for more details.
  306. .It Cm pk_file_user Ar username|user_id Ft string
  307. Specify the user who will own newly-created private-key files. See
  308. .Xr chown 2
  309. for more details.
  310. .It Cm random_early_renew Ar string
  311. Period of time before the usual certificate renewal, in which the certificate will renew at a random time. This is useful for when
  312. you want to even out your certificate orders when you're dealing with very large numbers of certificates. The format is described in the
  313. .Sx TIME PERIODS
  314. section. By default, this is disabled, or rather, the time frame is set to 0.
  315. .It Cm renew_delay Ar string
  316. Period of time between the certificate renewal and its expiration date. The format is described in the
  317. .Sx TIME PERIODS
  318. section. Default is 30d.
  319. .It Cm root_certificates Ar array
  320. Array containing the path to root certificates that should be added to the trust store.
  321. .El
  322. .It Ic group
  323. Array of table allowing to group several hooks as one. A group is considered as new hook.
  324. .Bl -tag
  325. .It Cm hooks Ar array
  326. Array containing the names of the hooks that are grouped. The hooks are guaranteed to be called sequentially in the declaration order.
  327. .It Cm name Ar string
  328. The name the group is registered under. This name is considered as a hook name. Must be unique.
  329. .El
  330. .It Ic hook
  331. Array of table where each element defines a command that will be launched at a defined point. See section
  332. .Sx WRITING A HOOK
  333. for more details.
  334. .Bl -tag
  335. .It Cm allow_failure Ar boolean
  336. Defines if an error return value for this hook is allowed or not. If not allowed, a failure in this hook will fail the whole certificate request process. Default is false.
  337. .It Ic args Ar array
  338. Array of strings representing the command's arguments.
  339. .It Ic cmd Ar string
  340. The name of the command that will be launched.
  341. .It Cm name Ar string
  342. The name the hook is registered under. Must be unique.
  343. .It Ic stderr Ar string
  344. Path to the file where the command's standard error output if written.
  345. .It Ic stdin Ar string
  346. Path to the file that will be written into the command's standard intput. Mutually exclusive with
  347. .Em stdin_str .
  348. .It Ic stdin_str Ar string
  349. String that will be written into the command's standard input. Mutually exclusive with
  350. .Em stdin .
  351. .It Ic stdout Ar string
  352. Path to the file where the command's standard output if written.
  353. .It Cm type Ar array
  354. Array of strings. Possible types are:
  355. .Bl -dash -compact
  356. .It
  357. challenge-dns-01
  358. .It
  359. challenge-dns-01-clean
  360. .It
  361. challenge-http-01
  362. .It
  363. challenge-http-01-clean
  364. .It
  365. challenge-tls-alpn-01
  366. .It
  367. challenge-tls-alpn-01-clean
  368. .It
  369. file-post-create
  370. .It
  371. file-post-edit
  372. .It
  373. file-pre-create
  374. .It
  375. file-pre-edit
  376. .It
  377. post-operation
  378. .El
  379. .El
  380. .It Ic include
  381. Array containing the path to configuration file to include. The path can be either relative or absolute. If relative, it is relative to the configuration file which included it.
  382. .Pp
  383. In case or overlapping global option definition, the one of the last included file will be used. For example, if a file
  384. .Em A
  385. includes files
  386. .Em B
  387. and
  388. .Em C
  389. and all three defines the same global option, the final value will be the one defined in file
  390. .Em C .
  391. .Pp
  392. Unix style globing is supported.
  393. .It Ic rate-limit
  394. Array of table where each element defines a HTTPS rate limit.
  395. .Bl -tag
  396. .It Cm name Ar string
  397. The name the rate limit is registered under. Must be unique.
  398. .It Cm number Ar integer
  399. Number of requests authorized withing the time period.
  400. .It Cm period Ar string
  401. Period of time during which a maximal number of requests is authorized. The format is described in the
  402. .Sx TIME PERIODS
  403. section.
  404. .El
  405. .El
  406. .Sh WRITING A HOOK
  407. When requesting a certificate from a CA using ACME, there are three steps that are hard to automatize. The first one is solving challenges in order to prove the ownership of every identifier to be included: it requires to interact with the configuration of other services, hence depends on how the infrastructure works. The second one is restarting all the services that use a given certificate, for the same reason. The last one is archiving: although several default methods can be implemented, sometimes admins wants or are required to do it in a different way.
  408. .Pp
  409. In order to allow full automation of the three above steps without imposing arbitrary restrictions or methods,
  410. .Xr acmed 8
  411. uses hooks. Fundamentally, a hook is a command line template that will be called at a specific time of the process. Such an approach allows admins to use any executable script or program located on the machine to customize the process.
  412. .Pp
  413. For a given certificate, hooks are guaranteed to be called sequentially in the declaration order. It is therefore possible to have a hook that depends on another one. Nevertheless, several certificates may be renewed at the same time. Hence, hooks shall not use globing or any other action that may disrupt hooks called by a different certificate.
  414. .Pp
  415. A hook has a type that will influence both the moment it is called and the available template variables. It is possible to declare several types. In such a case, the hook will be invoked whenever one of its type request it. When called, the hook only have access to template variable for the current type. If a hook uses a template variable that does not exists for the current type it is invoked for, the variable is empty.
  416. .Pp
  417. When writing a hook, the values of
  418. .Em args ,
  419. .Em stdin ,
  420. .Em stdin_str ,
  421. .Em stdout
  422. and
  423. .Em stderr
  424. are considered as template strings whereas
  425. .Em cmd
  426. is not. The template syntax is
  427. .Em MiniJinja .
  428. See the
  429. .Sx STANDARDS
  430. section for a link to the
  431. .Em MiniJinja
  432. specifications.
  433. .Pp
  434. The available types and the associated template variable are described below.
  435. .Bl -tag
  436. .It Ic challenge-dns-01
  437. Invoked when the ownership of an identifier must be proved using the
  438. .Em dns-01
  439. challenge. The available template variables are:
  440. .Bl -tag -compact
  441. .It Cm challenge Ar string
  442. The name of the challenge type
  443. .Aq dns-01 .
  444. Mostly used in hooks with multiple types.
  445. .It Cm env Ar array
  446. Array containing all the environment variables.
  447. .It Cm identifier Ar string
  448. The identifier name whom ownership is currently being validated.
  449. .It Cm is_clean_hook Ar bool
  450. False
  451. .It Cm proof Ar string
  452. The content of the proof that must be written to a
  453. .Ql TXT
  454. entry of the DNS zone for the
  455. .Ql _acme-challenge
  456. subdomain.
  457. .El
  458. .It Ic challenge-dns-01-clean
  459. Invoked once an identifier ownership has been proven using the
  460. .Em dns-01
  461. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  462. .Em challenge-dns-01
  463. hook, excepted
  464. .Em is_clean_hook
  465. which is set to
  466. .Em true .
  467. .It Ic challenge-http-01
  468. Invoked when the ownership of an identifier must be proved using the
  469. .Em http-01
  470. challenge. The available template variables are:
  471. .Bl -tag -compact
  472. .It Cm challenge Ar string
  473. The name of the challenge type
  474. .Aq http-01 .
  475. Mostly used in hooks with multiple types.
  476. .It Cm env Ar array
  477. Array containing all the environment variables.
  478. .It Cm file_name Ar string
  479. Name of the file containing the proof. This is not a full path and does not include the
  480. .Ql .well-known/acme-challenge/
  481. prefix.
  482. .It Cm identifier Ar string
  483. The identifier name whom ownership is currently being validated.
  484. .It Cm is_clean_hook Ar bool
  485. False
  486. .It Cm proof Ar string
  487. The content of the proof that must be written to
  488. .Em file_name .
  489. .El
  490. .It Ic challenge-http-01-clean
  491. Invoked once an identifier ownership has been proven using the
  492. .Em http-01
  493. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  494. .Em challenge-http-01
  495. hook, excepted
  496. .Em is_clean_hook
  497. which is set to
  498. .Em true .
  499. .It Ic challenge-tls-alpn-01
  500. Invoked when the ownership of an identifier must be proved using the
  501. .Em tls-alpn-01
  502. challenge. The available template variables are:
  503. .Bl -tag -compact
  504. .It Cm challenge Ar string
  505. The name of the challenge type
  506. .Aq tls-alpn-01 .
  507. Mostly used in hooks with multiple types.
  508. .It Cm env Ar array
  509. Array containing all the environment variables.
  510. .It Cm identifier Ar string
  511. The identifier name whom ownership is currently being validated.
  512. .It Cm identifier_tls_alpn Ar string
  513. The identifier name whom ownership is currently being validated, in a form suitable for the TLS ALPN challenge.
  514. .It Cm is_clean_hook Ar bool
  515. False
  516. .It Cm proof Ar string
  517. Plain-text representation of the
  518. .Em acmeIdentifier
  519. extension that should be used in the self-signed certificate presented when a TLS connection is initiated with the
  520. .Qd acme-tls/1
  521. ALPN extension value.
  522. .Xr acmed 8
  523. will not generate the certificate itself since it can be done using
  524. .Xr tacd 8 .
  525. .El
  526. .It Ic challenge-tls-alpn-01-clean
  527. Invoked once an identifier ownership has been proven using the
  528. .Em tls-alpn-01
  529. challenge. This hook is intended to remove the proof since it is no longer required. The template variables are strictly identical to those given in the corresponding
  530. .Em challenge-tls-alpn-01
  531. hook, excepted
  532. .Em is_clean_hook
  533. which is set to
  534. .Em true .
  535. .It Ic file-post-create
  536. Invoked
  537. .Em after
  538. a non-existent file
  539. .Em created .
  540. The available template variables are the same as those available for the
  541. .Em file-pre-create
  542. type.
  543. .It Ic file-post-edit
  544. Invoked
  545. .Em after
  546. an existent file
  547. .Em modified .
  548. The available template variables are the same as those available for the
  549. .Em file-pre-create
  550. type.
  551. .It Ic file-pre-create
  552. Invoked
  553. .Em before
  554. a non-existent file
  555. .Em created .
  556. The available template variables are:
  557. .Bl -tag -compact
  558. .It Cm env Ar array
  559. Array containing all the environment variables.
  560. .It Cm file_directory Ar string
  561. Name of the directory where the impacted file is located.
  562. .It Cm file_name Ar string
  563. Name of the impacted file.
  564. .It Cm file_path Ar string
  565. Full path to the impacted file.
  566. .El
  567. .It Ic file-pre-edit
  568. Invoked
  569. .Em before
  570. an existent file
  571. .Em modified .
  572. The available template variables are the same as those available for the
  573. .Em file-pre-create
  574. type.
  575. .It Ic post-operation
  576. Invoked at the end of the certificate request process. The available template variables are:
  577. .Bl -tag -compact
  578. .It Cm env Ar array
  579. Array containing all the environment variables.
  580. .It Cm identifiers Ar string
  581. Array containing the identifiers included in the requested certificate.
  582. .It Cm is_success Ar boolean
  583. True if the certificate request is successful.
  584. .It Cm key_type Ar string
  585. Name of the asymmetric cryptography algorithm used to generate the certificate's key pair.
  586. .It Cm status Ar string
  587. Human-readable status. If the certificate request failed, it contains the error description.
  588. .It Cm certificate_path Ar string
  589. Path to the file containing the certificate.
  590. .It Cm private_key_path Ar string
  591. Path to the file containing the private key.
  592. .El
  593. .El
  594. .Sh DEFAULT HOOKS
  595. Because many people have the same needs, ACMEd comes with a set of hooks that should serve most situations. Hook names being unique, the following names and any other name starting by those is reserved and should not be used.
  596. .Bl -tag
  597. .It Pa git
  598. This hook uses
  599. .Xr git 1
  600. to archive private keys, public keys and certificates. It is possible to customize the commit username and email by using respectively the
  601. .Ev GIT_USERNAME
  602. and
  603. .Ev GIT_EMAIL
  604. environment variables.
  605. .It Pa http-01-echo
  606. This hook is designed to solve the http-01 challenge. For this purpose, it will write the proof into
  607. .Pa {{ env.HTTP_ROOT }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }} .
  608. .Pp
  609. The web server must be configured so the file
  610. .Pa http://{{ identifier }}/.well-known/acme-challenge/{{ file_name }}
  611. can be accessed from the CA.
  612. .Pp
  613. If
  614. .Ev HTTP_ROOT
  615. is not specified, it will be set to
  616. .Pa /var/www .
  617. .It Pa tls-alpn-01-tacd-tcp
  618. This hook is designed to solve the tls-alpn-01 challenge using
  619. .Xr tacd 8 .
  620. It requires
  621. .Xr pkill 1
  622. to support the
  623. .Em -F
  624. option.
  625. .Pp
  626. .Xr tacd 8
  627. will listen on the host defined by the
  628. .Ev TACD_HOST
  629. environment variable (default is the identifier to be validated) and on the port defined by the
  630. .Ev TACD_PORT
  631. environment variable (default is 5001).
  632. .Pp
  633. .Xr tacd 8
  634. will store its pid into
  635. .Pa {{ TACD_PID_ROOT }}/tacd_{{ identifier }}.pid .
  636. If
  637. .Ev TACD_PID_ROOT
  638. is not specified, it will be set to
  639. .Pa /run .
  640. .It Pa tls-alpn-01-tacd-unix
  641. This hook is designed to solve the tls-alpn-01 challenge using
  642. .Xr tacd 8 .
  643. It requires
  644. .Xr pkill 1
  645. to support the
  646. .Em -F
  647. option.
  648. .Pp
  649. .Xr tacd 8
  650. will listen on the unix socket
  651. .Pa {{ env.TACD_SOCK_ROOT }}/tacd_{{ identifier }}.sock .
  652. If
  653. .Ev TACD_SOCK_ROOT
  654. is not specified, it will be set to
  655. .Pa /run .
  656. .Pp
  657. .Xr tacd 8
  658. will store its pid into
  659. .Pa {{ TACD_PID_ROOT }}/tacd_{{ identifier }}.pid .
  660. If
  661. .Ev TACD_PID_ROOT
  662. is not specified, it will be set to
  663. .Pa /run .
  664. .El
  665. .Sh TIME PERIODS
  666. ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
  667. .Ar PM[PM...]
  668. where
  669. .Ar M
  670. is case sensitive character representing a length and
  671. .Ar P
  672. is an integer representing a multiplayer for the following length. The authorized length are:
  673. .Bl -dash -compact
  674. .It
  675. .Ar s :
  676. second
  677. .It
  678. .Ar m :
  679. minute
  680. .It
  681. .Ar h :
  682. hour
  683. .It
  684. .Ar d :
  685. day
  686. .It
  687. .Ar w :
  688. week
  689. .El
  690. The
  691. .Ar PM
  692. couples can be specified multiple times and in any order.
  693. .Pp
  694. For example,
  695. .Dq 1d42s
  696. and
  697. .Dq 40s20h4h2s
  698. both represents a period of one day and forty-two seconds.
  699. .Sh TEMPLATE FILTERS
  700. In addition the the filters provided by default by MiniJinja, ACMEd provides the following filters:
  701. .Bl -tag
  702. .It Pa rev_labels
  703. Reverts the labels of a domain name (eg:
  704. .Dq mx1.example.org
  705. becomes
  706. .Dq org.example.mx1
  707. ).
  708. .El
  709. .Sh FILES
  710. .Bl -tag
  711. .It Pa /var/lib/acmed/accounts
  712. Default accounts private and public keys directory.
  713. .It Pa /etc/acmed/acmed.toml
  714. Default
  715. .Xr acmed 8
  716. configuration file.
  717. .It Pa /var/lib/acmed/certs
  718. Default certificates and associated private keys directory.
  719. .El
  720. .Sh EXAMPLES
  721. The following example defines a typical endpoint, account and certificate for a domain, several subdomains and an IP address.
  722. .Bd -literal -offset indent
  723. [[endpoint]]
  724. name = "example name"
  725. url = "https://acme.example.org/directory"
  726. tos_agreed = true
  727. [[account]]
  728. name = "my test account"
  729. contacts = [
  730. { mailto = "certs@exemple.net" }
  731. ]
  732. [[certificate]]
  733. endpoint = "example name"
  734. account = "my test account"
  735. identifiers = [
  736. { dns = "exemple.net", challenge = "http-01"},
  737. { dns = "1.exemple.net", challenge = "dns-01"},
  738. { dns = "2.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5010"},
  739. { dns = "3.exemple.net", challenge = "tls-alpn-01", env.TACD_PORT="5011"},
  740. { ip = "203.0.113.1", challenge = "http-01"},
  741. ]
  742. hooks = ["git", "http-01-echo", "tls-alpn-01-tacd-tcp", "some-dns-01-hook"]
  743. env.HTTP_ROOT = "/srv/http"
  744. .Ed
  745. .Pp
  746. It is possible to use
  747. .Xr echo 1
  748. to solve the
  749. .Em http-01
  750. challenge and
  751. .Xr rm 1
  752. to clean it.
  753. .Xr mkdir 1
  754. and
  755. .Xr chmod 1
  756. are used to prevent issues related to file access.
  757. .Bd -literal -offset indent
  758. [[hook]]
  759. name = "http-01-echo-mkdir"
  760. type = ["challenge-http-01"]
  761. cmd = "mkdir"
  762. args = [
  763. "-m", "0755",
  764. "-p", "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge"
  765. ]
  766. [[hook]]
  767. name = "http-01-echo-echo"
  768. type = ["challenge-http-01"]
  769. cmd = "echo"
  770. args = ["{ proof }"]
  771. stdout = "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  772. [[hook]]
  773. name = "http-01-echo-chmod"
  774. type = ["challenge-http-01-clean"]
  775. cmd = "chmod"
  776. args = [
  777. "a+r",
  778. "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  779. ]
  780. [[hook]]
  781. name = "http-01-echo-clean"
  782. type = ["challenge-http-01-clean"]
  783. cmd = "rm"
  784. args = [
  785. "-f",
  786. "{{ env.HTTP_ROOT | default('/var/www') }}/{{ identifier }}/.well-known/acme-challenge/{{ file_name }}"
  787. ]
  788. .Ed
  789. .Pp
  790. The hooks from the previous example can be grouped in order to reduce the number of hooks to define in the certificate.
  791. .Bd -literal -offset indent
  792. [[group]]
  793. name = "http-01-echo-var-www"
  794. hooks = [
  795. "http-01-echo-mkdir",
  796. "http-01-echo-echo",
  797. "http-01-echo-chmod",
  798. "http-01-echo-clean"
  799. ]
  800. [[certificate]]
  801. # Some fields omitted
  802. hooks = ["http-01-echo"]
  803. env.HTTP_ROOT = "/srv/http"
  804. .Ed
  805. .Pp
  806. It is also possible to use
  807. .Xr sendmail 8
  808. in a hook in order to notify someone when the certificate request process is done.
  809. .Bd -literal -offset indent
  810. [[hook]]
  811. name = "email-report"
  812. type = ["post-operation"]
  813. cmd = "sendmail"
  814. args = [
  815. "-f", "noreply.certs@example.net",
  816. "contact@example.net"
  817. ]
  818. stdin_str = """Subject: Certificate renewal {{ 'succeeded' if is_success else 'failed' }} for {{ identifiers.0 }}
  819. The following certificate has {{ '' if is_success else '*not* ' }}been renewed.
  820. identifiers: {% for ident in identifiers %}{% if not loop.first %}, {% endif %}{{ ident }}{% endfor %}
  821. key type: {{ key_type }}
  822. status: {{ status }}"""
  823. .Ed
  824. .Sh SEE ALSO
  825. .Xr acmed 8 ,
  826. .Xr tacd 8
  827. .Sh STANDARDS
  828. .Bl -hyphen
  829. .It
  830. .Rs
  831. .%A Tom Preston-Werner
  832. .%D July 2018
  833. .%T TOML v0.5.0
  834. .%U https://toml.io/en/v0.5.0
  835. .Re
  836. .It
  837. .Rs
  838. .%A Armin Ronacher
  839. .%T MiniJinja
  840. .%U https://docs.rs/minijinja/latest/minijinja/syntax/index.html
  841. .Re
  842. .It
  843. .Rs
  844. .%A M. Jones
  845. .%D May 2015
  846. .%R RFC 7518
  847. .%T JSON Web Algorithms (JWA)
  848. .Re
  849. .El
  850. .Sh AUTHORS
  851. .An Rodolphe Bréard
  852. .Aq rodolphe@breard.tf