Provided by: lacme-accountd_0.6-1_all bug


       lacme-accountd - ACME client written with process isolation and minimal privileges in mind
       (account key manager)


       lacme-accountd [--config=FILENAME] [--privkey=ARG] [--socket=PATH] [--quiet]


       lacme-accountd is the account key manager component  of  lacme(1),  a  small  ACME  client
       written  with  process  isolation  and  minimal  privileges  in  mind.   No other lacme(1)
       component needs access to the account key; in fact the account key could as well be stored
       on another host or a smartcard.

       lacme-accountd  binds  to  a  UNIX-domain  socket  (specified  with --socket=), which ACME
       clients  can  connect  to  in  order  to  request  data  signatures.   As  a  consequence,
       lacme-accountd  needs  to  be up and running before using lacme(1) to issue ACME commands.
       Also, the process does not automatically  terminate  after  the  last  signature  request:
       instead, one sends an INT or TERM signal(7) to bring the server down.

       Furthermore,  one  can  use  the UNIX-domain socket forwarding facility of OpenSSH 6.7 and
       later to run lacme-accountd and lacme(1) on different hosts.  For instance one could store
       the  account  key  on  a  machine  that  is not exposed to the internet.  See the examples
       section below.


              Use filename as configuration file.  See the configuration file section  below  for
              the configuration options.

              Specify the (private) account key to use for signing requests.  Currently supported
              arguments are:

              · file:FILE, to specify an encrypted private key (in PEM format); and

              · gpg:FILE, to specify a gpg(1)-encrypted private key (in PEM format).

              The following command can be used to generate a new 4096-bits RSA key in PEM format
              with mode 0600:

                     openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/account.key

              Use  path as the UNIX-domain socket to bind against for signature requests from the
              ACME client.  lacme-accountd aborts if path exists or if its  parent  directory  is
              writable by other users.

       -h, --help
              Display a brief help and exit.

       -q, --quiet
              Be quiet.

              Turn on debug mode.


       If --config= is not given, lacme-accountd uses the first existing configuration file among
       ./lacme-accountd.conf,           $XDG_CONFIG_HOME/lacme/lacme-accountd.conf            (or
       ~/.config/lacme/lacme-accountd.conf  if  the  XDG_CONFIG_HOME  environment variable is not
       set), and /etc/lacme/lacme-accountd.conf.

       When given on the command  line,  the  --privkey=,  --socket=  and  --quiet  options  take
       precedence  over  their counterpart (without leading --) in the configuration file.  Valid
       options are:

              See --privkey=.  This option is required when --privkey= is not  specified  on  the
              command line.

       gpg    For  a  gpg(1)-encrypted  private account key, specify the binary gpg(1) to use, as
              well as some default options.  Default: gpg --quiet.

       socket See  --socket=.    Default:   $XDG_RUNTIME_DIR/S.lacme   if   the   XDG_RUNTIME_DIR
              environment variable is set.

       quiet  Be quiet.  Possible values: Yes/No.


       Run lacme-accountd in a first terminal:

              ~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

       Then, while lacme-accountd is running, execute locally lacme(1) in another terminal:

              ~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder

       Alternatively,  use  OpenSSH  6.7  or  later  to  forward  the socket and execute lacme(1)

              ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme \
                 sudo lacme --socket=/path/to/remote.sock newOrder


       Bugs or feature requests for lacme-accountd should be filed with the Debian project's  bug
       tracker at <>.


       lacme(1), ssh(1)


       Guilhem Moulin (

                                            March 2016                          lacme-accountd(1)