Provided by: lacme-accountd_0.6-1_all bug

NAME

       lacme-accountd - ACME client written with process isolation and minimal privileges in mind
       (account key manager)

SYNOPSIS

       lacme-accountd [--config=FILENAME] [--privkey=ARG] [--socket=PATH] [--quiet]

DESCRIPTION

       lacme-accountd is the account key manager component  of  lacme(1),  a  small  ACME  client
       written  with  process  isolation  and  minimal  privileges  in  mind.   No other lacme(1)
       component needs access to the account key; in fact the account key could as well be stored
       on another host or a smartcard.

       lacme-accountd  binds  to  a  UNIX-domain  socket  (specified  with --socket=), which ACME
       clients  can  connect  to  in  order  to  request  data  signatures.   As  a  consequence,
       lacme-accountd  needs  to  be up and running before using lacme(1) to issue ACME commands.
       Also, the process does not automatically  terminate  after  the  last  signature  request:
       instead, one sends an INT or TERM signal(7) to bring the server down.

       Furthermore,  one  can  use  the UNIX-domain socket forwarding facility of OpenSSH 6.7 and
       later to run lacme-accountd and lacme(1) on different hosts.  For instance one could store
       the  account  key  on  a  machine  that  is not exposed to the internet.  See the examples
       section below.

OPTIONS

       --config=filename
              Use filename as configuration file.  See the configuration file section  below  for
              the configuration options.

       --privkey=arg
              Specify the (private) account key to use for signing requests.  Currently supported
              arguments are:

              · file:FILE, to specify an encrypted private key (in PEM format); and

              · gpg:FILE, to specify a gpg(1)-encrypted private key (in PEM format).

              The following command can be used to generate a new 4096-bits RSA key in PEM format
              with mode 0600:

                     openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/account.key

       --socket=path
              Use  path as the UNIX-domain socket to bind against for signature requests from the
              ACME client.  lacme-accountd aborts if path exists or if its  parent  directory  is
              writable by other users.

       -h, --help
              Display a brief help and exit.

       -q, --quiet
              Be quiet.

       --debug
              Turn on debug mode.

CONFIGURATION FILE

       If --config= is not given, lacme-accountd uses the first existing configuration file among
       ./lacme-accountd.conf,           $XDG_CONFIG_HOME/lacme/lacme-accountd.conf            (or
       ~/.config/lacme/lacme-accountd.conf  if  the  XDG_CONFIG_HOME  environment variable is not
       set), and /etc/lacme/lacme-accountd.conf.

       When given on the command  line,  the  --privkey=,  --socket=  and  --quiet  options  take
       precedence  over  their counterpart (without leading --) in the configuration file.  Valid
       options are:

       privkey
              See --privkey=.  This option is required when --privkey= is not  specified  on  the
              command line.

       gpg    For  a  gpg(1)-encrypted  private account key, specify the binary gpg(1) to use, as
              well as some default options.  Default: gpg --quiet.

       socket See  --socket=.    Default:   $XDG_RUNTIME_DIR/S.lacme   if   the   XDG_RUNTIME_DIR
              environment variable is set.

       quiet  Be quiet.  Possible values: Yes/No.

EXAMPLES

       Run lacme-accountd in a first terminal:

              ~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

       Then, while lacme-accountd is running, execute locally lacme(1) in another terminal:

              ~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder

       Alternatively,  use  OpenSSH  6.7  or  later  to  forward  the socket and execute lacme(1)
       remotely:

              ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
                 sudo lacme --socket=/path/to/remote.sock newOrder

BUGS AND FEEDBACK

       Bugs or feature requests for lacme-accountd should be filed with the Debian project's  bug
       tracker at <https://www.debian.org/Bugs/>.

SEE ALSO

       lacme(1), ssh(1)

AUTHORS

       Guilhem Moulin (mailto:guilhem@fripost.org).

                                            March 2016                          lacme-accountd(1)