| author | Lexi Winter <ivy@FreeBSD.org> | 2025-06-03 12:39:02 +0100 |
|---|---|---|
| committer | Lexi Winter <ivy@FreeBSD.org> | 2025-06-03 12:39:02 +0100 |
| commit | ec720c482d125cf77b11c5b1dc703dd19c3d1003 (patch) | |
| tree | 03e93fa505f6dbabc53c07a106a970961b291b3a /README | |
| parent | 40c249d4401f6ee889c2e398e7605952772eb6ce (diff) | |
| download | lfacme-ec720c482d125cf77b11c5b1dc703dd19c3d1003.tar.gz lfacme-ec720c482d125cf77b11c5b1dc703dd19c3d1003.tar.bz2 | |
README: mention the new "http" handler
Diffstat (limited to 'README')
| -rw-r--r-- | README | 21 |
1 files changed, 12 insertions, 9 deletions
@@ -4,10 +4,9 @@ lfacme: a simple ACME client based on uacme lfacme is a wrapper around uacme to make it a bit more flexible. i wrote it primarily for my own use, but you're welcome to use it too. -currently, there is one major limitation: the only supported domain validation -method is dns-01 with Kerberized nsupdate. patches to improve this would be -welcome. if you don't want to use Kerberos, you can provide your own -uacme-compatible challenge handler, or just use one from uacme itself. +lfacme comes with challenge handlers for basic HTTP validation (http-01) and +for DNS (dns-01) validation using Kerberized nsupdate. it can also be used +with any uacme-compatible challenge handler. it's only tested on FreeBSD and may or may not work on other platforms. if it doesn't work, it shouldn't be difficult to port. @@ -18,6 +17,13 @@ requirements + POSIX-compatible /bin/sh + uacme (in FreeBSD: security/uacme) + OpenSSL command-line tool + +if you want to use the HTTP challenge handler: + ++ a web server installed on the host + +if you want to use the Kerberized nsupdate challenge handler: + + BIND's "dig" and "nsupdate" (in FreeBSD: dns/bind-tools) + Kerberos kinit (either MIT or Heimdal should work) @@ -29,9 +35,6 @@ install usage ----- -+ if you're using the provided "kerberos" challenge handler, make sure - /etc/krb5.keytab exists since this will be used to issue the Kerberos - ticket for domain validation. + create the config files (see below): /usr/local/etc/uacme/acme.conf and /usr/local/etc/uacme/domains.conf 
@@ -66,8 +69,8 @@ and sample configs are provided. BIND + Kerberos configuration ----------------------------- -if you want to use the default (and only) Kerberos dns-01 challenge, you must -configure your DNS server to accept Kerberos-authenticated dynamic updates. +if you want to use the provided Kerberos dns-01 challenge, you must configure +your DNS server to accept Kerberos-authenticated dynamic updates. first, tell BIND where to load its Kerberos keytab from: |
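Review bot: the new requirement "+ a web server installed on the host" in the requirements hunk is too vague to act on. For http-01 the web server must also serve the token file the handler writes under /.well-known/acme-challenge/ over plain HTTP on port 80 for every domain being validated, so the README should state which directory the handler writes its challenge files to and that the server has to expose that path. Suggest expanding the bullet along the lines of "+ a web server installed on the host, serving the handler's challenge directory at http://<domain>/.well-known/acme-challenge/ on port 80", or pointing at the section that documents the handler's configuration.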
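Review bot: the usage hunk deletes the bullet saying /etc/krb5.keytab must exist for the Kerberos challenge handler, but nothing else in this diff adds that prerequisite back; the new "if you want to use the Kerberized nsupdate challenge handler" block in requirements lists only dig/nsupdate and kinit. Without it a user will only discover the missing keytab when domain validation fails. Suggest moving the removed text into that requirements block, e.g. "+ a Kerberos keytab at /etc/krb5.keytab, used to obtain the ticket for the dynamic update".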
