Man page - lacme-accountd(1)
Package containing this manual: lacme-accountd (apt-get install lacme-accountd)
NAME
lacme-accountd - ACME client written with process isolation and minimal privileges in mind (account key manager)
SYNOPSIS
lacme-accountd [ --config=FILENAME ] [ --privkey=ARG ] [ --socket=PATH ] [ --quiet ]
DESCRIPTION
lacme-accountd is the account key manager component of lacme(8), a small ACME client written with process isolation and minimal privileges in mind. No other lacme(8) component needs access to the account key; in fact the account key could as well be stored on another host or a smartcard.
lacme-accountd binds to a UNIX-domain socket (specified with --socket=), which ACME clients can connect to in order to request data signatures. As a consequence, lacme-accountd needs to be up and running before using lacme(8) to issue ACME commands. Also, the process does not automatically terminate after the last signature request: instead, one sends an INT or TERM signal(7) to bring the server down.
Furthermore, one can use the UNIX-domain socket forwarding facility of OpenSSH 6.7 and later to run lacme-accountd and lacme(8) on different hosts. For instance, one could store the account key on a machine that is not exposed to the internet. See the examples section below.
OPTIONS
--config=filename
Use filename as configuration file instead of %E/lacme/lacme-accountd.conf. The value is subject to %-specifier expansion. lacme-accountd fails when --config= is used with a non-existent file, but a non-existent default location is treated as if it were an empty file.
See the configuration file section below for the configuration options.
--privkey=value
Specify the (private) account key to use for signing requests. Currently supported values are:
• file:FILE, for a private key in PEM format (optionally symmetrically encrypted)
• gpg:FILE, for a gpg(1)-encrypted private key
FILE is subject to %-specifier expansion.
The genpkey(1ssl) command can be used to generate a new private (account) key:
$ install -vm0600 /dev/null /path/to/account.key
$ openssl genpkey -algorithm RSA -out /path/to/account.key
Currently lacme-accountd only supports RSA account keys.
--socket=path
Use path as the UNIX-domain socket to bind to for signature requests from the ACME client. The value is subject to %-specifier expansion. lacme-accountd aborts if path exists or if its parent directory is writable by other users. Default: %t/S.lacme (omitting --socket= therefore yields an error when lacme-accountd doesn’t run as and the XDG_RUNTIME_DIR environment variable is unset or empty).
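The two pre-bind refusals described for --socket= (the path must not exist, and its parent directory must not be writable by other users), as an added Python illustration that is not lacme's own code. It assumes "writable by other users" means any group- or world-write bit on the parent directory, which also rejects a sticky /tmp, and it tightens the umask while binding so the socket node itself gets no group/other permission bits.

```python
import os
import socket
import stat
import tempfile

def check_socket_path(path):
    """Return (ok, reason) for a candidate UNIX-domain socket path.
    Assumption: 'writable by other users' is read as any group- or
    world-write bit on the parent directory (sticky /tmp is rejected too)."""
    if os.path.lexists(path):
        return False, "socket path already exists"
    parent = os.path.dirname(os.path.abspath(path))
    if not os.path.isdir(parent):
        return False, "parent is not a directory"
    if os.stat(parent).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "parent directory is writable by other users"
    return True, "ok"

def bind_socket(path):
    """Bind only if the checks pass; umask 077 keeps group/other bits off the node."""
    ok, reason = check_socket_path(path)
    if not ok:
        raise RuntimeError(f"refusing to bind {path}: {reason}")
    old = os.umask(0o077)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
    finally:
        os.umask(old)
    return srv

def demo():
    """Constructed scenarios: verdicts for a private dir, a /tmp-like dir, an existing path."""
    private = tempfile.mkdtemp()            # mkdtemp creates the directory mode 0700
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)                # like /tmp: sticky and world-writable
    taken = os.path.join(private, "taken")  # an already-existing path
    open(taken, "w").close()
    verdicts = (check_socket_path(os.path.join(private, "S.lacme"))[0],
                check_socket_path(os.path.join(shared, "S.lacme"))[0],
                check_socket_path(taken)[0])
    srv = bind_socket(os.path.join(private, "S.lacme"))
    mode = stat.S_IMODE(os.stat(srv.getsockname()).st_mode)
    srv.close()
    return verdicts, mode

if __name__ == "__main__":
    print(demo())   # verdicts (True, False, False); socket node has no group/other bits
```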
--stdio
Read signature requests from the standard input and write signatures to the standard output, instead of using a UNIX-domain socket for communication with the ACME client. This internal flag should never be used by standalone lacme-accountd instances, only for those lacme(8) spawns.
-h, --help
Display a brief help and exit.
-q, --quiet
Be quiet.
--debug
Turn on debug mode.
CONFIGURATION FILE
When given on the command line, the --privkey=, --socket= and --quiet options take precedence over their counterpart (without leading --) in the configuration file. Valid settings are:
privkey
See --privkey=. This setting is required when --privkey= is not specified on the command line.
gpg
For a gpg(1)-encrypted private account key, specify the binary gpg(1) to use, as well as some default options. Default: gpg --quiet.
socket
See --socket=.
logfile
An optional file where to log to. The value is subject to %-specifier expansion.
keyid
The “Key ID”, as shown by `acme account`, to give the ACME client. With an empty keyid (the default) the client forwards the JSON Web Key (JWK) to the ACME server to retrieve the correct value. A non-empty value therefore saves a round-trip.
A non-empty value also causes lacme-accountd to send an empty JWK, thereby revoking all account management access (status change, contact address updates etc.) from the client: any `acme account` command (or any command from lacme(8) before version 0.8.0) is bound to be rejected by the ACME server. This provides a safeguard against malicious clients.
quiet
Be quiet. Possible values: Yes / No.
%-SPECIFIERS
The values of the --config=, --privkey= and --socket= CLI options (and also of the privkey, socket and logfile settings from the configuration file) are subject to %-expansion for the following specifiers.
EXAMPLES
Run lacme-accountd in a first terminal:
$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme
Then, while lacme-accountd is running, execute lacme(8) locally in another terminal:
$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder
Alternatively, use OpenSSH 6.7 or later to forward the socket and execute lacme(8) remotely:
$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \
sudo lacme --socket=/path/to/remote.sock newOrder
Consult the lacme(8) manual for a solution involving connecting to lacme-accountd on a dedicated remote host. Doing so enables automatic renewal via crontab(5) or systemd.timer(5).
BUGS AND FEEDBACK
Bugs or feature requests for lacme-accountd should be filed with the Debian project’s bug tracker at <https://www.debian.org/Bugs/>.
SEE ALSO
lacme(8), ssh(1)
AUTHORS
Guilhem Moulin (mailto:guilhem@fripost.org).