-rw-r--r--acme.conf.510
-rw-r--r--acme.conf.sample7
-rw-r--r--kerberos.sh6
3 files changed, 22 insertions, 1 deletions
diff --git a/acme.conf.5 b/acme.conf.5
index 550123a..269b99b 100644
--- a/acme.conf.5
+++ b/acme.conf.5
@@ -50,6 +50,16 @@ challenge with the
challenge handler.
The default value is
.Dq host/$(hostname) .
+.It Va ACME_KERBEROS_KEYTAB
+The Kerberos keytab to use when responding to a
+.Dq dns-01
+challenge with the
+.Dq kerberos
+challenge handler.
+The keytab must contain a Kerberos key for the principal configured in
+.Va ACME_KERBEROS_PRINCIPAL .
+The default value is
+.Pa /etc/krb5.keytab .
.El
.Sh SEE ALSO
.Xr domains.conf 5 ,
diff --git a/acme.conf.sample b/acme.conf.sample
index 5805a7d..86d8693 100644
--- a/acme.conf.sample
+++ b/acme.conf.sample
@@ -44,3 +44,10 @@
# default realm is configured in /etc/krb5.conf.
#ACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG"
+
+### ACME_KERBEROS_KEYTAB
+# When using the "kerberos" challenge handler, this is the keytab used to
+# issue the ticket. It must contain a key for $ACME_KERBEROS_PRINCIPAL.
+# The default is /etc/krb5.keytab.
+
+#ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
diff --git a/kerberos.sh b/kerberos.sh
index 9b5d3ae..dad7aad 100644
--- a/kerberos.sh
+++ b/kerberos.sh
@@ -22,7 +22,11 @@ if [ "$METHOD" != "dns-01" ]; then
exit 1
fi
-if ! kinit -k -t /etc/krb5.keytab "$ACME_KERBEROS_PRINCIPAL"; then
+if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
+ ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
+fi
+
+if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
_fatal "failed to obtain a Kerberos ticket"
fi
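Review bot: Now that the keytab path comes from acme.conf, the _fatal message on the kinit line still does not say which keytab or principal was tried, so a misconfigured ACME_KERBEROS_KEYTAB looks the same as a bad principal; `_fatal "failed to obtain a Kerberos ticket for $ACME_KERBEROS_PRINCIPAL using keytab $ACME_KERBEROS_KEYTAB"` makes that diagnosable from the log. A readability check ahead of kinit, `[ -r "$ACME_KERBEROS_KEYTAB" ] || _fatal "keytab $ACME_KERBEROS_KEYTAB is not readable"`, separates a missing or permission-restricted keytab (the common case when the handler runs as an unprivileged user) from a key mismatch. The three-line default block at the top of the hunk can be the POSIX one-liner `: "${ACME_KERBEROS_KEYTAB:=/etc/krb5.keytab}"`, which keeps the same unset-or-empty semantics as the `-z` test. The earlier METHOD check and the definition of _fatal are outside the hunk, so I have assumed the script stays POSIX sh as the `[ ]` tests suggest.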