.\" Automatically generated by Pandoc 1.17.2
.\"
.TH "lacme\-accountd" "1" "March 2016" "" ""
.hy
.SH NAME
.PP
lacme\-accountd \- ACME client written with process isolation and minimal
privileges in mind (account key manager)
.SH SYNOPSIS
.PP
\f[C]lacme\-accountd\f[] [\f[C]\-\-config=FILENAME\f[]]
[\f[C]\-\-privkey=ARG\f[]] [\f[C]\-\-socket=PATH\f[]] [\f[C]\-\-quiet\f[]]
.SH DESCRIPTION
.PP
\f[C]lacme\-accountd\f[] is the account key manager component of
\f[C]lacme\f[](1), a small ACME client written with process isolation
and minimal privileges in mind.
No other \f[C]lacme\f[](1) component needs access to the account key;
in fact the account key could as well be stored on another host or on a
smartcard.
.PP
\f[C]lacme\-accountd\f[] binds to a UNIX\-domain socket (specified with
\f[C]\-\-socket=\f[]), which ACME clients connect to in order to request
data signatures.
Consequently, \f[C]lacme\-accountd\f[] needs to be up and running before
\f[C]lacme\f[](1) is used to issue ACME commands.
Also, the process does not terminate automatically after the last
signature request: instead, one sends an \f[C]INT\f[] or \f[C]TERM\f[]
\f[C]signal\f[](7) to bring the server down.
.PP
Furthermore, one can use the UNIX\-domain socket forwarding facility of
OpenSSH 6.7 and later to run \f[C]lacme\-accountd\f[] and
\f[C]lacme\f[](1) on different hosts.
For instance one could store the account key on a machine that is not
exposed to the internet.
See the \f[B]examples\f[] section below.
.SH OPTIONS
.TP
.B \f[C]\-\-config=\f[]\f[I]filename\f[]
Use \f[I]filename\f[] as configuration file.
See the \f[B]configuration file\f[] section below for the configuration
options.
.RS
.RE
.TP
.B \f[C]\-\-privkey=\f[]\f[I]arg\f[]
Specify the (private) account key to use for signing requests.
Currently supported \f[I]arg\f[]uments are:
.RS
.IP \[bu] 2
\f[C]file:\f[]\f[I]FILE\f[], to specify an unencrypted private key (in
PEM format), protected only by its file permissions; and
.IP \[bu] 2
\f[C]gpg:\f[]\f[I]FILE\f[], to specify a \f[C]gpg\f[](1)\-encrypted
private key (in PEM format).
.PP
The following command can be used to generate a new 4096\-bit RSA key in
PEM format with mode 0600 (the key is written unencrypted, so the file
mode is what keeps it private):
.IP
.nf
\f[C]
openssl\ genrsa\ 4096\ |\ install\ \-m0600\ /dev/stdin\ /path/to/account.key
\f[]
.fi
.RE
.TP
.B \f[C]\-\-socket=\f[]\f[I]path\f[]
Use \f[I]path\f[] as the UNIX\-domain socket to bind against for
signature requests from the ACME client.
\f[C]lacme\-accountd\f[] aborts if \f[I]path\f[] already exists or if
its parent directory is writable by other users.
.RS
.RE
.TP
.B \f[C]\-h\f[], \f[C]\-\-help\f[]
Display a brief help and exit.
.RS
.RE
.TP
.B \f[C]\-q\f[], \f[C]\-\-quiet\f[]
Be quiet.
.RS
.RE
.TP
.B \f[C]\-\-debug\f[]
Turn on debug mode.
.RS
.RE
.SH CONFIGURATION FILE
.PP
If \f[C]\-\-config=\f[] is not given, \f[C]lacme\-accountd\f[] uses the
first existing configuration file among
\f[I]\&./lacme\-accountd.conf\f[],
\f[I]$XDG_CONFIG_HOME/lacme/lacme\-accountd.conf\f[] (or
\f[I]~/.config/lacme/lacme\-accountd.conf\f[] if the
\f[C]XDG_CONFIG_HOME\f[] environment variable is not set), and
\f[I]/etc/lacme/lacme\-accountd.conf\f[].
.PP
When given on the command line, the \f[C]\-\-privkey=\f[],
\f[C]\-\-socket=\f[] and \f[C]\-\-quiet\f[] options take precedence over
their counterparts (without leading \f[C]\-\-\f[]) in the configuration
file.
Valid options are:
.TP
.B \f[I]privkey\f[]
See \f[C]\-\-privkey=\f[].
This option is required when \f[C]\-\-privkey=\f[] is not specified on
the command line.
.RS
.RE
.TP
.B \f[I]gpg\f[]
For a \f[C]gpg\f[](1)\-encrypted private account key, specify the
\f[C]gpg\f[](1) binary to use, as well as some default options.
Default: \f[C]gpg\ \-\-quiet\f[].
.RS
.RE
.TP
.B \f[I]socket\f[]
See \f[C]\-\-socket=\f[].
Default: \f[I]$XDG_RUNTIME_DIR/S.lacme\f[] if the
\f[C]XDG_RUNTIME_DIR\f[] environment variable is set.
.RS
.RE
.TP
.B \f[I]quiet\f[]
Be quiet.
Possible values: \f[C]Yes\f[]/\f[C]No\f[].
.RS
.RE
.SH EXAMPLES
.PP
Run \f[C]lacme\-accountd\f[] in a first terminal:
.IP
.nf
\f[C]
~$\ lacme\-accountd\ \-\-privkey=file:/path/to/account.key\ \-\-socket=$XDG_RUNTIME_DIR/S.lacme
\f[]
.fi
.PP
Then, while \f[C]lacme\-accountd\f[] is running, execute
\f[C]lacme\f[](1) locally in another terminal:
.IP
.nf
\f[C]
~$\ sudo\ lacme\ \-\-socket=$XDG_RUNTIME_DIR/S.lacme\ new\-cert
\f[]
.fi
.PP
Alternatively, use OpenSSH 6.7 or later to forward the socket and execute
\f[C]lacme\f[](1) remotely:
.IP
.nf
\f[C]
~$\ ssh\ \-oExitOnForwardFailure=yes\ \-tt\ \-R\ /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme\ user\@example.org\ \\
\ \ \ sudo\ lacme\ \-\-socket=/path/to/remote.sock\ new\-cert
\f[]
.fi
.PP
Here \f[C]\-oExitOnForwardFailure=yes\f[] makes \f[C]ssh\f[](1) abort
instead of running the remote command without the forwarded socket if
the forwarding fails, and \f[C]\-tt\f[] forces a pseudo\-terminal so
that \f[C]sudo\f[](8) can prompt for a password.
The account key never leaves the local host; only signatures travel over
the forwarded socket.
.SH BUGS AND FEEDBACK
.PP
Bugs or feature requests for \f[C]lacme\-accountd\f[] should be filed
with the Debian project's bug tracker at .
.SH SEE ALSO
.PP
\f[C]lacme\f[](1), \f[C]ssh\f[](1)
.SH AUTHORS
Guilhem Moulin (mailto:guilhem@fripost.org).
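The socket precondition documented under --socket= (abort if the path exists or its parent directory is writable by other users) and the start, use, then signal-to-stop lifecycle shown in the examples, as an added POSIX shell example. This is not lacme's own code: it assumes that "writable by other users" means group- or world-writable, and it takes the daemon and client as arbitrary command strings (in real use, the lacme-accountd and sudo lacme invocations above) so that it can run without lacme installed.

```shell
#!/bin/sh
# Added example, not part of lacme. Reproduces the documented --socket=PATH
# precondition and the "daemon up, run client, send TERM" lifecycle.
# Assumption: "writable by other users" is read as group- or world-writable
# (mode bits 0022); the daemon's exact test is not stated in the man page.

# Return 0 if PATH is acceptable as a UNIX-domain socket path, 1 otherwise.
check_socket_path() {
    path=$1
    dir=$(dirname -- "$path")

    if [ -e "$path" ]; then
        echo "refusing to bind: $path already exists" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing to bind: parent directory $dir does not exist" >&2
        return 1
    fi
    # First field of 'ls -ld' is the mode string, e.g. drwxr-xr-x:
    # character 6 is the group write bit, character 9 the world write bit.
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    case $mode in
        ?????w*|????????w?)
            echo "refusing to bind: $dir is writable by other users ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Start DAEMON_CMD in the background, wait for it to create SOCKET, run
# CLIENT_CMD against it, then stop the daemon with TERM as the man page
# requires (it does not exit on its own). Returns the client's exit status.
# In real use: DAEMON_CMD='lacme-accountd --privkey=file:... --socket=$sock'
#              CLIENT_CMD='sudo lacme --socket=$sock new-cert'
with_accountd() {
    sock=$1; daemon_cmd=$2; client_cmd=$3

    check_socket_path "$sock" || return 1

    sh -c "$daemon_cmd" &
    pid=$!

    # Give the daemon up to ~5 s to bind before the client connects.
    i=0
    while [ ! -e "$sock" ] && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    if [ ! -e "$sock" ]; then
        echo "daemon did not create $sock" >&2
        kill "$pid" 2>/dev/null
        return 1
    fi

    sh -c "$client_cmd"
    status=$?

    kill -TERM "$pid"
    wait "$pid" 2>/dev/null
    return "$status"
}
```

with_accountd is meant to be called from the same shell that defines it (not in a subshell), so that the background daemon is its child and wait works. A daemon that receives TERM should remove its socket file; the stand-in daemon used in testing does this with a trap.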