-rw-r--r--900.lfacme.sh.in4
-rw-r--r--Makefile24
-rw-r--r--README8
-rw-r--r--acme.conf.5.in18
-rw-r--r--acme.conf.sample.in2
-rw-r--r--lfacme-dns.7.in1
-rw-r--r--lfacme-http.7.in1
-rw-r--r--lfacme-kerberos.7.in1
-rw-r--r--lfacme-renew.8.in25
-rw-r--r--lfacme-setup.8.in26
-rw-r--r--lfacme-ualpn.7.in1
-rw-r--r--lfacme.8.in (renamed from lfacme.7.in)62
-rw-r--r--lfacme.sh.in44
-rw-r--r--renew.sh.in (renamed from lfacme-renew.sh.in)13
-rw-r--r--setup.sh.in (renamed from lfacme-setup.sh.in)11
15 files changed, 133 insertions, 108 deletions
diff --git a/900.lfacme.sh.in b/900.lfacme.sh.in
index f1fae33..599a349 100644
--- a/900.lfacme.sh.in
+++ b/900.lfacme.sh.in
@@ -13,7 +13,7 @@ export PATH
# Exit if lfacme isn't installed but the periodic script was left over
# for some reason.
-if ! [ -x __BINDIR__/lfacme-renew ]; then
+if ! [ -x __BINDIR__/lfacme ]; then
exit 0
fi
@@ -21,7 +21,7 @@ case "$daily_lfacme_enable" in
[Yy][Ee][Ss])
printf 'Renewing ACME certificates with lfacme:\n'
- __BINDIR__/lfacme-renew
+ __BINDIR__/lfacme renew
;;
*)
diff --git a/Makefile b/Makefile
index bcf080d..bade4b8 100644
--- a/Makefile
+++ b/Makefile
@@ -29,8 +29,9 @@ CHALLENGE= dns.sh \
ualpn.sh
BINMODE?= 0755
-BIN= lfacme-renew.sh \
- lfacme-setup.sh
+BIN= lfacme.sh
+CMD= renew.sh \
+ setup.sh
CONFMODE?= 0644
CONF= acme.conf.sample \
@@ -42,12 +43,12 @@ HOOK= example-hook.sh
MANMODE?= 0644
MAN5= acme.conf.5 \
domains.conf.5
-MAN7= lfacme.7 \
- lfacme-dns.7 \
+MAN7= lfacme-dns.7 \
lfacme-http.7 \
lfacme-kerberos.7 \
lfacme-ualpn.7
-MAN8= lfacme-renew.8 \
+MAN8= lfacme.8 \
+ lfacme-renew.8 \
lfacme-setup.8
PERIODICMODE?= 0755
@@ -65,10 +66,10 @@ REPLACE= sed -e 's,__PREFIX__,${PREFIX},g' \
default: all
-all: ${MAN5} ${MAN7} ${MAN8} ${LIB} ${BIN} ${CHALLENGE} ${HOOK} ${PERIODIC} ${CONF}
+all: ${MAN5} ${MAN7} ${MAN8} ${LIB} ${BIN} ${CMD} ${CHALLENGE} ${HOOK} ${PERIODIC} ${CONF}
clean:
- rm -f ${MAN5} ${MAN7} ${MAN8} ${LIB} ${BIN}
+ rm -f ${MAN5} ${MAN7} ${MAN8} ${LIB} ${BIN} ${CMD}
rm -f ${HOOK} ${CHALLENGE} ${PERIODIC} ${CONF}
.sh.in.sh:
@@ -86,7 +87,7 @@ clean:
.8.in.8:
${REPLACE} <$< >$@
-install: install-lib install-bin install-conf install-hook install-man install-periodic
+install: install-lib install-bin install-cmd install-conf install-hook install-man install-periodic
install-lib: all
@echo 'create ${DESTDIR}${LIBDIR}'; install -d ${DESTDIR}${LIBDIR}
@@ -110,6 +111,13 @@ install-bin: all
install -C -m ${BINMODE} "$$bin" "${DESTDIR}${BINDIR}/$$basename"; \
done
+install-cmd: all
+ @echo 'create ${DESTDIR}${LIBDIR}/command'; install -d ${DESTDIR}${LIBDIR}/command
+ @for cmd in ${CMD}; do \
+ echo "install ${DESTDIR}${LIBDIR}/command/$$cmd"; \
+ install -C -m ${BINMODE} "$$cmd" "${DESTDIR}${LIBDIR}/command/$$cmd"; \
+ done
+
install-conf: all
@echo 'create ${DESTDIR}${CONFDIR}'; install -d ${DESTDIR}${CONFDIR};
@for conf in ${CONF}; do \
diff --git a/README b/README
index 6183550..620c48e 100644
--- a/README
+++ b/README
@@ -46,13 +46,13 @@ usage
-----
+ create the config files (see below)
-+ run "lfacme-setup" to create an ACME account
-+ run "lfacme-renew" to issue certificates
-+ put "lfacme-renew" in cron if you want to renew certificates automatically.
++ run "lfacme setup" to create an ACME account
++ run "lfacme renew" to issue certificates
++ put "lfacme renew" in cron if you want to renew certificates automatically.
it's fine to run this once a day, since it won't renew certificates unless
they're going to expire soon.
-the lfacme documentation is provided as online manual pages; see lfacme(7)
+the lfacme documentation is provided as online manual pages; see lfacme(8)
to begin with.
known issues
diff --git a/acme.conf.5.in b/acme.conf.5.in
index 2210cad..d968c74 100644
--- a/acme.conf.5.in
+++ b/acme.conf.5.in
@@ -18,13 +18,12 @@ variable assignment, i.e.
.Dq Ar option Ns = Ns Ar value .
.Pp
Alternatively, options may be set as environment variables prior to running
-.Nm lfacme
-utilities.
-If all required options are set in the environment, then creating the
+.Nm lfacme .
+If all required options are set in the environment, then the
.Nm
file is not required.
.Pp
-The following configuration variables are supported:
+The following configuration options are supported:
.Bl -tag -width indent
.It Va ACME_URL
(Required.)
@@ -32,13 +31,13 @@ The URL of the ACME server.
.It Va ACME_DATADIR
The path to the runtime data directory, where the ACME account key and any
issued certificates will be stored.
-The default value is
+The default path is
.Pa /var/db/lfacme .
.It Va ACME_HOOKDIR
The path to a directory containing hooks to invoke when issuing certificates
(see
.Xr domains.conf 5 ) .
-The default value is
+The default path is
.Pa __CONFDIR__/hooks .
.El
.Pp
@@ -46,5 +45,8 @@ Additional configuration variables may be used by the ACME validation hooks;
refer to the manual page for each hook for more details.
.Sh SEE ALSO
.Xr domains.conf 5 ,
-.Xr lfacme-renew 8 ,
-.Xr lfacme-setup 8
+.Xr lfacme 8 ,
+.Xr lfacme-dns 7 ,
+.Xr lfacme-http 7 ,
+.Xr lfacme-kerberos 7 ,
+.Xr lfacme-ualpn 7
diff --git a/acme.conf.sample.in b/acme.conf.sample.in
index d6cea21..3bf5df8 100644
--- a/acme.conf.sample.in
+++ b/acme.conf.sample.in
@@ -46,7 +46,7 @@
# When using the "http" challenge handler, this is the directory which contains
# ACME challenges. This must be served at /.well-known/acme-challenge on any
# domain using http validation.
-# No default, you must set this if you use the "http" handler.
+# No default; you must set this if you use the "http" handler.
#ACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge"
diff --git a/lfacme-dns.7.in b/lfacme-dns.7.in
index 5e46215..441931f 100644
--- a/lfacme-dns.7.in
+++ b/lfacme-dns.7.in
@@ -56,6 +56,5 @@ to authenticate the DNS update.
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
-.Xr lfacme 7 ,
.Xr lfacme-renew 8 ,
.Xr nsupdate 1
diff --git a/lfacme-http.7.in b/lfacme-http.7.in
index 25b7aac..4e853d5 100644
--- a/lfacme-http.7.in
+++ b/lfacme-http.7.in
@@ -53,5 +53,4 @@ on the web server for the domain to be validated.
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
-.Xr lfacme 7 ,
.Xr lfacme-renew 8
diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in
index 8b9f85e..a2bd73b 100644
--- a/lfacme-kerberos.7.in
+++ b/lfacme-kerberos.7.in
@@ -96,6 +96,5 @@ DNS server) is left as an exercise for the reader.
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
.Xr kinit 1 ,
-.Xr lfacme 7 ,
.Xr lfacme-renew 8 ,
.Xr nsupdate 1
diff --git a/lfacme-renew.8.in b/lfacme-renew.8.in
index 6e4ebd9..e2f7904 100644
--- a/lfacme-renew.8.in
+++ b/lfacme-renew.8.in
@@ -3,16 +3,17 @@
.Dt LFACME-RENEW 8
.Os
.Sh NAME
-.Nm lfacme-renew
+.Nm lfacme renew
.Nd issue or renew ACME certificates
.Sh SYNOPSIS
-.Nm
-.Op Fl fv
-.Op Fl c Ar confdir
+.Nm lfacme
+.Op opts
+.Cm renew
+.Op Fl f
.Sh DESCRIPTION
The
.Nm
-utility examines the ACME certificates configured in
+command examines the ACME certificates configured in
.Xr domains.conf 5 .
If a certificate was previously issued and is still valid for longer than 30
days, it will be ignored.
@@ -26,18 +27,8 @@ before running
.Pp
The follow options are accepted:
.Bl -tag -width indent
-.It Fl c Ar confdir
-Use
-.Ar confdir
-as the configuration directory instead of the default
-.Pa __CONFDIR__ .
.It Fl f
-Force renewal of certificates, even if they're not going to expire soon.
-.It Fl v
-Produce more output when running.
-This also passes the
-.Fl v
-option to uacme.
+Force renewal of certificates, even if the normal renewal date hasn't arrived.
.El
.Sh ENVIRONMENT
Refer to
@@ -46,5 +37,5 @@ for a list of environment variables which affect the operation of
.Nm .
.Sh SEE ALSO
.Xr domains.conf 5 ,
-.Xr lfacme 7 ,
+.Xr lfacme 8 ,
.Xr lfacme-setup 8
diff --git a/lfacme-setup.8.in b/lfacme-setup.8.in
index 893c0b2..afd50c9 100644
--- a/lfacme-setup.8.in
+++ b/lfacme-setup.8.in
@@ -3,16 +3,17 @@
.Dt LFACME-SETUP 8
.Os
.Sh NAME
-.Nm lfacme-setup
+.Nm lfacme setup
.Nd create a new ACME account
.Sh SYNOPSIS
-.Nm
-.Op Fl vy
-.Op Fl c Ar confdir
+.Nm lfacme
+.Op opts
+.Cm setup
+.Op Fl y
.Sh DESCRIPTION
The
.Nm
-utility will register a new account with the ACME provider configured in
+command will register a new account with the ACME provider configured in
.Xr acme.conf 5 .
If the provider requires accepting terms of service to create an account,
the ToS URL will be printed and
@@ -21,19 +22,8 @@ will prompt the user to accept them.
.Pp
The follow options are accepted:
.Bl -tag -width indent
-.It Fl c Ar confdir
-Use
-.Ar confdir
-as the configuration directory instead of the default
-.Pa __CONFDIR__ .
-.It Fl v
-Produce more output when running.
-This also passes the
-.Fl v
-option to uacme.
.It Fl y
-If the ACME provider requires accepting terms of service,
-accept the provided terms automatically.
+Accept any required terms of service automatically.
.El
.Sh ENVIRONMENT
Refer to
@@ -42,4 +32,4 @@ for a list of environment variables which affect the operation of
.Nm .
.Sh SEE ALSO
.Xr acme.conf 5 ,
-.Xr lfacme 7
+.Xr lfacme 8
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
index dceaa8d..80efd2c 100644
--- a/lfacme-ualpn.7.in
+++ b/lfacme-ualpn.7.in
@@ -36,6 +36,5 @@ daemon must be configured and running for this challenge handler to work.
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
-.Xr lfacme 7 ,
.Xr lfacme-renew 8 ,
.Xr ualpn 1
diff --git a/lfacme.7.in b/lfacme.8.in
index b6b9060..7dab735 100644
--- a/lfacme.7.in
+++ b/lfacme.8.in
@@ -6,16 +6,23 @@
.Nm lfacme
.Nd issue, renew and manage ACME certificates
.Sh SYNOPSIS
-.Nm lfacme-setup
-.Op opts
-.Nm lfacme-renew
-.Op opts
+.Nm lfacme
+.Op Fl v
+.Op Fl c Ar confdir
+.Cm setup
+.Op Fl y
+.Nm lfacme
+.Op Fl v
+.Op Fl c Ar confdir
+.Cm renew
+.Op Fl f
.Sh DESCRIPTION
The
.Nm
-software package supports management of TLS certificates using an ACME server.
+command supports automated management of TLS certificates using an ACME server.
Certificates can be automatically issued and renewed, and a hook system allows
-software using those certificates to be automatically (re)configured.
+software using those certificates to be automatically (re)configured with the
+new certificate.
.Pp
Prior to using
.Nm ,
@@ -31,28 +38,33 @@ and
.Xr domains.conf 5
for more detailed documentation on these files.
.Pp
-To perform initial setup, run
-.Xr lfacme-setup 8 .
-This will register an account on the ACME server, and create any required
-local data.
-Running
-.Xr lfacme-setup 8
-will not issue any certificates.
+The following options are supported:
+.Bl -tag -width Fl c Ar confdir
+.It Fl c Ar confdir
+Load the configuration from
+.Ar confdir
+instead of the default
+.Pa __CONFDIR__ .
+.It Fl v
+Print more detailed output while running.
+.El
.Pp
-To issue or renew certificates, run
+The following commands are supported:
+.Bl -tag -width Cm setup
+.It Cm setup
+Create a new account on the ACME server.
+This must be run prior to issuing any certificates.
+See
+.Xr lfacme-setup 8 .
+.It Cm renew
+Issue or renew any certificates based on the
+.Xr domains.conf 5
+configuration file.
+See
.Xr lfacme-renew 8 .
-This will examine the certificates configured in
-.Xr domains.conf 5 ;
-new certificates will be issued, while existing certificates will be renewed
-if necessary.
-To ensure certificates are automatically renewed when required,
-.Xr lfacme-renew 8
-should be run regularly, e.g. using
-.Xr cron 8 .
.Sh ENVIRONMENT
-The following environment variables affect the executation of the
-.Nm
-utilities:
+The following environment variables affect the executation of
+.Nm :
.Bl -tag -width LFACME_VERBOSE
.It Ev LFACME_CONFDIR
Override the default configuration directory.
diff --git a/lfacme.sh.in b/lfacme.sh.in
new file mode 100644
index 0000000..7047097
--- /dev/null
+++ b/lfacme.sh.in
@@ -0,0 +1,44 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+# Parse command-line arguments.
+args=$(getopt c:v $*)
+if [ $? -ne 0 ]; then
+ exit 1
+fi
+set -- $args
+
+_uacme_flags=""
+
+while :; do
+ case "$1" in
+ -c)
+ _CONFDIR="$2"
+ shift; shift;;
+ -v)
+ LFACME_VERBOSE=1
+ shift;;
+ -y)
+ _uacme_flags="$_uacme_flags $1"
+ shift;;
+ --)
+ shift; break;;
+ esac
+done
+
+# Initialise.
+. __LIBDIR__/init.sh
+
+# Run the command.
+
+_command="$1"; shift
+if [ -z "$command" ]; then
+ _fatal "missing command"
+fi
+
+_cscript="__LIBDIR__/command/${_command}.sh"
+if ! [ -x "$_cscript" ]; then
+ _fatal "unknown command: %s" "$_command"
+fi
+
+. "$_cscript"
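Review bot: The missing-command guard tests `$command`, but the argument was stored in `_command` on the line above, so unless init.sh happens to set `command` the test is always true and every invocation ends in `_fatal "missing command"` (assuming `_fatal` exits); it should read `if [ -z "$_command" ]; then`. The `-y)` branch in the option loop can never match because the getopt string is `c:v`, so it and `_uacme_flags` look like leftovers from setup.sh. `_command` comes straight from the command line and is interpolated into the path that is then sourced, so a name containing `/` can resolve outside `__LIBDIR__/command`. Rejecting such names before `_cscript` is built, e.g. `case "$_command" in */*) _fatal "unknown command: %s" "$_command";; esac`, keeps the dispatcher confined to its own directory. Separately, `getopt c:v $*` followed by `set -- $args` re-splits every argument on whitespace, which breaks a `-c confdir` value that contains spaces.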
diff --git a/lfacme-renew.sh.in b/renew.sh.in
index 34d2c01..689f992 100644
--- a/lfacme-renew.sh.in
+++ b/renew.sh.in
@@ -2,7 +2,7 @@
# This source code is released into the public domain.
# Parse command-line arguments.
-args=$(getopt c:fv $*)
+args=$(getopt f $*)
if [ $? -ne 0 ]; then
exit 1
fi
@@ -13,25 +13,16 @@ _uacme_flags="--no-ari"
while :; do
case "$1" in
- -c)
- _CONFDIR="$2"
- shift; shift;;
-f)
_uacme_flags="$_uacme_flags -f"
shift;;
- -v)
- LFACME_VERBOSE=1
- shift;;
--)
shift; break;;
esac
done
-# Initialise.
-. __LIBDIR__/init.sh
-
if ! [ -f "$_UACME_DIR/private/key.pem" ]; then
- _fatal "run lfacme-setup first"
+ _fatal "run 'lfacme setup' first"
fi
if ! [ -f "$_DOMAINS" ]; then
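Review bot: With the `. __LIBDIR__/init.sh` block removed, this script uses `_fatal`, `_UACME_DIR` and `_DOMAINS` without defining them, so it only works when sourced by lfacme.sh after init.sh has run, and nothing in the file says so. A header comment such as `# Sourced by lfacme(8) after init.sh has been loaded; not meant to be run directly.` would document that contract. The same applies to setup.sh.in, whose init.sh block is removed in its last hunk. The Makefile's install-cmd target installs both files with `${BINMODE}`, so they stay directly executable (the dispatcher's `-x` test depends on that), and a direct run would reach these checks with the variables unset. The option loop and the rest of the script continue outside this hunk.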
diff --git a/lfacme-setup.sh.in b/setup.sh.in
index 4b60263..a37a691 100644
--- a/lfacme-setup.sh.in
+++ b/setup.sh.in
@@ -2,7 +2,7 @@
# This source code is released into the public domain.
# Parse command-line arguments.
-args=$(getopt c:vy $*)
+args=$(getopt y $*)
if [ $? -ne 0 ]; then
exit 1
fi
@@ -12,12 +12,6 @@ _uacme_flags=""
while :; do
case "$1" in
- -c)
- _CONFDIR="$2"
- shift; shift;;
- -v)
- LFACME_VERBOSE=1
- shift;;
-y)
_uacme_flags="$_uacme_flags $1"
shift;;
@@ -26,9 +20,6 @@ while :; do
esac
done
-# Initialise.
-. __LIBDIR__/init.sh
-
# Run uacme.
mkdir -p "$_UACME_DIR"
_uacme $_uacme_flags new