NAME¶

lacme-accountd - ACME client written with process isolation and minimal privileges in mind (account key manager)

SYNOPSIS¶

lacme-accountd [--config=FILENAME] [--privkey=ARG] [--socket=PATH] [--quiet]

DESCRIPTION¶

lacme-accountd is the account key manager component of lacme(1), a small ACME client written with process isolation and minimal privileges in mind. No other lacme(1) component needs access to the account key; in fact the account key could as well be stored on another host or a smartcard.

lacme-accountd binds to a UNIX-domain socket (specified with --socket=), which ACME clients can connect to in order to request data signatures. As a consequence, lacme-accountd needs to be up and running before using lacme(1) to issue ACME commands. Also, the process does not automatically terminate after the last signature request: instead, one sends an INT or TERM signal(7) to bring the server down.

Furthermore, one can use the UNIX-domain socket forwarding facility of OpenSSH 6.7 and later to run lacme-accountd and lacme(1) on different hosts. For instance one could store the account key on a machine that is not exposed to the internet. See the examples section below.

OPTIONS¶

--config=filename: Use filename as configuration file. See the configuration file section below for the configuration options.

--privkey=arg: Specify the (private) account key to use for signing requests. Currently supported arguments are:

•: file:FILE, to specify an encrypted private key (in PEM format); and
•: gpg:FILE, to specify a gpg(1)-encrypted private key (in PEM format).

The following command can be used to generate a new 4096-bits RSA key in PEM format with mode 0600:


openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/account.key

--socket=path: Use path as the UNIX-domain socket to bind against for signature requests from the ACME client. lacme-accountd aborts if path exists or if its parent directory is writable by other users.

-h, --help: Display a brief help and exit.

-q, --quiet: Be quiet.

--debug: Turn on debug mode.

CONFIGURATION FILE¶

If --config= is not given, lacme-accountd uses the first existing configuration file among ./lacme-accountd.conf, $XDG_CONFIG_HOME/lacme/lacme-accountd.conf (or ~/.config/lacme/lacme-accountd.conf if the XDG_CONFIG_HOME environment variable is not set), and /etc/lacme/lacme-accountd.conf.

When given on the command line, the --privkey=, --socket= and --quiet options take precedence over their counterpart (without leading --) in the configuration file. Valid options are:

privkey: See --privkey=. This option is required when --privkey= is not specified on the command line.

gpg: For a gpg(1)-encrypted private account key, specify the binary gpg(1) to use, as well as some default options. Default: gpg --quiet.

socket: See --socket=. Default: $XDG_RUNTIME_DIR/S.lacme if the XDG_RUNTIME_DIR environment variable is set.

quiet: Be quiet. Possible values: Yes/No.

EXAMPLES¶

Run lacme-accountd in a first terminal:


~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

Then, while lacme-accountd is running, execute locally lacme(1) in another terminal:


~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme new-cert

Alternatively, use OpenSSH 6.7 or later to forward the socket and execute lacme(1) remotely:


~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
   sudo lacme --socket=/path/to/remote.sock new-cert

BUGS AND FEEDBACK¶

Bugs or feature requests for lacme-accountd should be filed with the Debian project's bug tracker at <https://www.debian.org/Bugs/>.

AUTHORS¶

Guilhem Moulin (mailto:guilhem@fripost.org).

March 2016

Source file:	lacme-accountd.1.en.gz (from lacme-accountd 0.2-1)
Source last updated:	2016-12-05T15:35:59Z
Converted to HTML:	2019-06-03T08:14:23Z