lunar (1) lacme-accountd.1.gz

Provided by: lacme-accountd_0.8.1-1_all bug

NAME

       lacme-accountd - ACME client written with process isolation and minimal privileges in mind
       (account key manager)

SYNOPSIS

       lacme-accountd [--config=FILENAME] [--privkey=ARG] [--socket=PATH] [--quiet]

DESCRIPTION

       lacme-accountd is the account key manager component  of  lacme(8),  a  small  ACME  client
       written  with  process  isolation  and  minimal  privileges  in  mind.   No other lacme(8)
       component needs access to the account key; in fact the account key could as well be stored
       on another host or a smartcard.

       lacme-accountd  binds  to  a  UNIX-domain  socket  (specified  with --socket=), which ACME
       clients can connect to in order to request data  signatures.   As  a  consequence,  lacme-
       accountd  needs  to be up and running before using lacme(8) to issue ACME commands.  Also,
       the process does not automatically terminate after the last  signature  request:  instead,
       one sends an INT or TERM signal(7) to bring the server down.

       Furthermore,  one  can  use  the UNIX-domain socket forwarding facility of OpenSSH 6.7 and
       later to run lacme-accountd and lacme(8) on different hosts.  For instance one could store
       the  account  key  on  a  machine  that  is not exposed to the internet.  See the examples
       section below.

OPTIONS

       --config=filename
              Use filename as configuration file instead  of  %E/lacme/lacme-accountd.conf.   The
              value  is subject to %-specifier expansion.  lacme-accountd fails when --config= is
              used with a non-existent file, but a non-existent default location is treated as if
              it were an empty file.

              See the configuration file section below for the configuration options.

       --privkey=value
              Specify the (private) account key to use for signing requests.  Currently supported
              values are:

              • file:FILE, for a private key in PEM format (optionally symmetrically encrypted)

              • gpg:FILE, for a gpg(1)-encrypted private key

              FILE is subject to %-specifier expansion.

              The genpkey(1ssl) command can be used to generate a new private (account) key:

                     $ install -vm0600 /dev/null /path/to/account.key
                     $ openssl genpkey -algorithm RSA -out /path/to/account.key

              Currently lacme-accountd only supports RSA account keys.

       --socket=path
              Use path as the UNIX-domain socket to bind to for signature requests from the  ACME
              client.   The  value is subject to %-specifier expansion.  lacme-accountd aborts if
              path exists or if its parent  directory  is  writable  by  other  users.   Default:
              %t/S.lacme  (omitting  --socket=  therefore  yields  an  error  when lacme-accountd
              doesn’t run as and the XDG_RUNTIME_DIR environment variable is unset or empty).

       --stdio
              Read signature requests from  the  standard  input  and  write  signatures  to  the
              standard  output,  instead of using a UNIX-domain socket for communication with the
              ACME client.  This internal flag should never be used by standalone  lacme-accountd
              instances, only for those lacme(8) spawns.

       -h, --help
              Display a brief help and exit.

       -q, --quiet
              Be quiet.

       --debug
              Turn on debug mode.

CONFIGURATION FILE

       When  given  on  the  command  line,  the  --privkey=,  --socket= and --quiet options take
       precedence over their counterpart (without leading --) in the configuration  file.   Valid
       settings are:

       privkey
              See  --privkey=.   This setting is required when --privkey= is not specified on the
              command line.

       gpg    For a gpg(1)-encrypted private account key, specify the binary gpg(1)  to  use,  as
              well as some default options.  Default: gpg --quiet.

       socket See --socket=.

       logfile
              An optional file where to log to.  The value is subject to %-specifier expansion.

       keyid  The  “Key  ID”, as shown by `acme account`, to give the ACME client.  With an empty
              keyid (the default) the client forwards the JSON Web Key (JWK) to the  ACME  server
              to retrieve the correct value.  A non-empty value therefore saves a round-trip.

              A non-empty value also causes lacme-accountd to send an empty JWK, thereby revoking
              all account management access (status change, contact address updates  etc.)   from
              the client: any `acme account` command (or any command from lacme(8) before version
              0.8.0) is bound to be rejected by the  ACME  server.   This  provides  a  safeguard
              against malicious clients.

       quiet  Be quiet.  Possible values: Yes/No.

%-SPECIFIERS

       The  value  the  --config=,  --privkey=  and  --socket= CLI options (and also the privkey,
       socket and logfile settings from the configuration file) are subject  to  %-expansion  for
       the following specifiers.

       %C       /var/cache  for  the  root  user,  and $XDG_CACHE_HOME for other
                users  (or  $HOME/.cache  if  the   XDG_CACHE_HOME   environment
                variable is unset or empty).
       %E       /etc for the root user, and $XDG_CONFIG_HOME for other users (or
                $HOME/.config if the  XDG_CONFIG_HOME  environment  variable  is
                unset or empty).
       %g       Current group name.
       %G       Current group ID.
       %h       Home directory of the current user.
       %t       /run  for  the  root user, and $XDG_RUNTIME_DIR for other users.
                Non-root  users  may  only  use  %t  when  the   XDG_RUNTIME_DIR
                environment variable is set to a non-empty value.
       %T       $TMPDIR,  or /tmp if the TMPDIR environment variable is unset or
                empty.
       %u       Current user name.
       %U       Current user ID.
       %%       A literal %.

EXAMPLES

       Run lacme-accountd in a first terminal:

              $ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

       Then, while lacme-accountd is running, execute locally lacme(8) in another terminal:

              $ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder

       Alternatively, use OpenSSH 6.7 or  later  to  forward  the  socket  and  execute  lacme(8)
       remotely:

              $ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
                  sudo lacme --socket=/path/to/remote.sock newOrder

       Consult  the  lacme(8)  manual  for a solution involving connecting to lacme-accountd on a
       dedicated  remote  host.   Doing  so  enables  automatic   renewal   via   crontab(5)   or
       systemd.timer(5).

BUGS AND FEEDBACK

       Bugs  or feature requests for lacme-accountd should be filed with the Debian project’s bug
       tracker at <https://www.debian.org/Bugs/>.

SEE ALSO

       lacme(8), ssh(1)

AUTHORS

       Guilhem Moulin (mailto:guilhem@fripost.org).

                                            March 2016                          lacme-accountd(1)