| -rw-r--r-- | acme.conf.5.in | 10 | ||||
| -rw-r--r-- | acme.conf.sample.in | 32 | ||||
| -rw-r--r-- | dns.sh.in | 8 | ||||
| -rw-r--r-- | dnsutils.sh.in | 4 | ||||
| -rw-r--r-- | domains.conf.5.in | 2 | ||||
| -rw-r--r-- | http.sh.in | 10 | ||||
| -rw-r--r-- | init.sh.in | 28 | ||||
| -rw-r--r-- | kerberos.sh.in | 16 | ||||
| -rw-r--r-- | lfacme-dns.7.in | 8 | ||||
| -rw-r--r-- | lfacme-http.7.in | 4 | ||||
| -rw-r--r-- | lfacme-kerberos.7.in | 14 | ||||
| -rw-r--r-- | lfacme-ualpn.7.in | 2 | ||||
| -rw-r--r-- | renew.sh.in | 4 | ||||
| -rw-r--r-- | ualpn.sh.in | 2 |
14 files changed, 72 insertions, 72 deletions
diff --git a/acme.conf.5.in b/acme.conf.5.in index 6d342e7..a5f3c0a 100644 --- a/acme.conf.5.in +++ b/acme.conf.5.in @@ -25,28 +25,28 @@ file is not required. .Pp The following configuration options are supported: .Bl -tag -width indent -.It Va ACME_URL +.It Va LFACME_URL (Required.) The URL of the ACME server. -.It Va ACME_DATADIR +.It Va LFACME_DATADIR The path to the runtime data directory, where the ACME account key and any issued certificates will be stored. The default path is .Pa /var/db/lfacme . -.It Va ACME_HOOKDIR +.It Va LFACME_HOOKDIR The path to a directory containing hooks to invoke when issuing certificates (see .Xr domains.conf 5 ) . The default path is .Pa __CONFDIR__/hooks . -.It Va ACME_OPENSSL +.It Va LFACME_OPENSSL Path to the .Xr openssl 1 program. If not specified, .Ev $PATH will be searched. -.It Va ACME_UACME +.It Va LFACME_UACME Path to the .Xr uacme 1 program. diff --git a/acme.conf.sample.in b/acme.conf.sample.in index 3bf5df8..680ba11 100644 --- a/acme.conf.sample.in +++ b/acme.conf.sample.in 
@@ -9,31 +9,31 @@ # These options are used by lfacme itself. -### ACME_URL +### LFACME_URL # The URL of the ACME server. # No default, you must set this. # Let's Encrypt production: -#ACME_URL="https://acme-v02.api.letsencrypt.org/directory" +#LFACME_URL="https://acme-v02.api.letsencrypt.org/directory" # Let's Encrypt staging: -#ACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory" +#LFACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory" -### ACME_DATADIR +### LFACME_DATADIR # Runtime data directory. # This is where the ACME account key and the issued certificates are stored. # The default is /var/db/lfacme. -#ACME_DATADIR="/var/db/lfacme" +#LFACME_DATADIR="/var/db/lfacme" -### ACME_HOOKDIR +### LFACME_HOOKDIR # The path to the directory containing certificate hooks. # The default is "__CONFDIR__/hooks". # There is usually no need to change this. -#ACME_HOOKDIR="/some/directory" +#LFACME_HOOKDIR="/some/directory" ####################################################################### @@ -42,13 +42,13 @@ # These options are used for the "http" challenge. -### ACME_HTTP_CHALLENGE_DIR +### LFACME_HTTP_CHALLENGE_DIR # When using the "http" challenge handler, this is the directory which contains # ACME challenges. This must be served at /.well-known/acme-challenge on any # domain using http validation. # No default; you must set this if you use the "http" handler. -#ACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge" +#LFACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge" ####################################################################### @@ -57,11 +57,11 @@ # These options are used for the "dns" challenge. -### ACME_DNS_KEYFILE +### LFACME_DNS_KEYFILE # Path to the TSIG key nsupdate will use to authenticate the update. # No default; you must configure this when using the dns challenge. -#ACME_DNS_KEYFILE="/path/to/key" +#LFACME_DNS_KEYFILE="/path/to/key" ####################################################################### 
@@ -70,17 +70,17 @@ # These options are used for the "kerberos" challenge. -### ACME_KERBEROS_PRINCIPAL +### LFACME_KERBEROS_PRINCIPAL # When using the "kerberos" challenge handler, this is the Kerberos principal # we use for nsupdate. The default is "host/$(hostname)", which assumes a # default realm is configured in /etc/krb5.conf. -#ACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG" +#LFACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG" -### ACME_KERBEROS_KEYTAB +### LFACME_KERBEROS_KEYTAB # When using the "kerberos" challenge handler, this is the keytab used to -# issue the ticket. It must contain a key for $ACME_KERBEROS_PRINCIPAL. +# issue the ticket. It must contain a key for $LFACME_KERBEROS_PRINCIPAL. # The default is /etc/krb5.keytab. -#ACME_KERBEROS_KEYTAB="/etc/krb5.keytab" +#LFACME_KERBEROS_KEYTAB="/etc/krb5.keytab" @@ -23,8 +23,8 @@ if [ "$METHOD" != "dns-01" ]; then exit 1 fi -if [ -z "$ACME_DNS_KEYFILE" ]; then - _fatal "ACME_DNS_KEYFILE not configured" +if [ -z "$LFACME_DNS_KEYFILE" ]; then + _fatal "LFACME_DNS_KEYFILE not configured" fi # Add a new record using nsupdate. @@ -32,7 +32,7 @@ _add_record() { local domain="$1" local auth="$2" - $_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF + $_NSUPDATE -k "$LFACME_DNS_KEYFILE" <<EOF update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}" send EOF @@ -44,7 +44,7 @@ _remove_record() { local domain="$1" local auth="$2" - $_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF + $_NSUPDATE -k "$LFACME_DNS_KEYFILE" <<EOF update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}" send EOF diff --git a/dnsutils.sh.in b/dnsutils.sh.in index 290f1e3..7f72c4a 100644 --- a/dnsutils.sh.in +++ b/dnsutils.sh.in 
@@ -2,8 +2,8 @@ # # Utility functions for DNS-based authorizations. -_DIG="$(_findbin dig $ACME_DNS_DIG)" -_NSUPDATE="$(_findbin nsupdate $ACME_DNS_NSUPDATE)" +_DIG="$(_findbin dig $LFACME_DNS_DIG)" +_NSUPDATE="$(_findbin nsupdate $LFACME_DNS_NSUPDATE)" # Retrieve the nameservers for a given domain. On failure, prints an error # message and exits. diff --git a/domains.conf.5.in b/domains.conf.5.in index 4ac27db..38c0035 100644 --- a/domains.conf.5.in +++ b/domains.conf.5.in @@ -93,7 +93,7 @@ begins with a .Sq / character, then it is assumed to be an absolute path, otherwise it is relative to the -.Va ACME_HOOKDIR +.Va LFACME_HOOKDIR configured in .Xr acme.conf 5 . This option may be specified multiple times. @@ -22,15 +22,15 @@ if [ "$METHOD" != "http-01" ]; then exit 1 fi -if [ -z "$ACME_HTTP_CHALLENGE_DIR" ]; then - _fatal "must set ACME_HTTP_CHALLENGE_DIR" +if [ -z "$LFACME_HTTP_CHALLENGE_DIR" ]; then + _fatal "must set LFACME_HTTP_CHALLENGE_DIR" fi -if ! [ -d "$ACME_HTTP_CHALLENGE_DIR" ]; then - _fatal "missing $ACME_HTTP_CHALLENGE_DIR" +if ! [ -d "$LFACME_HTTP_CHALLENGE_DIR" ]; then + _fatal "missing $LFACME_HTTP_CHALLENGE_DIR" fi -_file="${ACME_HTTP_CHALLENGE_DIR}/${TOKEN}" +_file="${LFACME_HTTP_CHALLENGE_DIR}/${TOKEN}" case "$ACTION" in begin) 
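Review bot: The two changed assignments in dnsutils.sh.in expand `$LFACME_DNS_DIG` and `$LFACME_DNS_NSUPDATE` unquoted, so a configured path containing whitespace or glob characters is split or expanded before `_findbin` receives it. The missing quotes look deliberate, so that an unset option passes no second argument; `_DIG="$(_findbin dig ${LFACME_DNS_DIG:+"$LFACME_DNS_DIG"})"` keeps that behaviour and passes a set value as a single word. The same pattern appears on the changed `_UACME`, `_KINIT`, `_OPENSSL` and `_UALPN` lines in init.sh.in, kerberos.sh.in, renew.sh.in and ualpn.sh.in. `_findbin` is defined outside these hunks, so how it treats a missing argument should be confirmed first.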
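Review bot: `_file="${LFACME_HTTP_CHALLENGE_DIR}/${TOKEN}"` in the hunk at `@@ -22,15 +22,15 @@` (http.sh.in, going by the diffstat) builds a filesystem path from `TOKEN` with no check on its contents, so a value containing `/` or `..` would name a file outside the challenge directory. ACME tokens are restricted to the base64url alphabet and uacme may already enforce that, but nothing visible in this hook does. A guard before the assignment, `case "$TOKEN" in ""|*[!A-Za-z0-9_-]*) _fatal "invalid challenge token" ;; esac`, makes the hook safe on its own. The `case "$ACTION"` block that uses `_file` continues outside the hunk.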
@@ -66,22 +66,22 @@ if [ -f "$_CONFIG" ]; then . "$_CONFIG" fi -if [ -z "$ACME_URL" ]; then - _fatal "missing configuration setting: ACME_URL" +if [ -z "$LFACME_URL" ]; then + _fatal "missing configuration setting: LFACME_URL" fi -if [ -z "$ACME_DATADIR" ]; then - ACME_DATADIR="/var/db/lfacme" +if [ -z "$LFACME_DATADIR" ]; then + LFACME_DATADIR="/var/db/lfacme" fi -if [ -z "$ACME_HOOKDIR" ]; then - ACME_HOOKDIR="${_CONFDIR}/hooks" +if [ -z "$LFACME_HOOKDIR" ]; then + LFACME_HOOKDIR="${_CONFDIR}/hooks" fi # Create our data directory. -if [ ! -d "$ACME_DATADIR" ]; then - _info "creating directory %s" "$ACME_DATADIR" - mkdir -p "$ACME_DATADIR" +if [ ! -d "$LFACME_DATADIR" ]; then + _info "creating directory %s" "$LFACME_DATADIR" + mkdir -p "$LFACME_DATADIR" if [ "$?" -ne 0 ]; then exit 1 fi @@ -123,10 +123,10 @@ _findbin() { } # uacme's base directory; this is where it puts certificates. -_UACME_DIR="${ACME_DATADIR}/certs" +_UACME_DIR="${LFACME_DATADIR}/certs" # The uacme executable. -_UACME="$(_findbin uacme $ACME_UACME)" +_UACME="$(_findbin uacme $LFACME_UACME)" _LFACME_UACME_FLAGS="" if ! [ -z "$LFACME_VERBOSE" ]; then @@ -137,7 +137,7 @@ _uacme() { env "LFACME_CONFDIR=${_CONFDIR}" \ "LFACME_VERBOSE=${LFACME_VERBOSE}" \ "$_UACME" $_LFACME_UACME_FLAGS \ - -a "$ACME_URL" -c "$_UACME_DIR" "$@" + -a "$LFACME_URL" -c "$_UACME_DIR" "$@" } # Find a challenge script and make sure it's valid. If the challenge name @@ -170,13 +170,13 @@ _findchallenge() { } # Find a hook script and make sure it's valid. If the hook name begins with a -# '/' it's a full path, otherwise it's relative to ACME_HOOKDIR. +# '/' it's a full path, otherwise it's relative to LFACME_HOOKDIR. _findhook() { local identifier="$1" local hook="$2" if [ "${hook#/*}" = "$hook" ]; then - hook="${ACME_HOOKDIR}/$hook" + hook="${LFACME_HOOKDIR}/$hook" fi if ! [ -f "$hook" ]; then diff --git a/kerberos.sh.in b/kerberos.sh.in index e29f9c3..7cbaa51 100644 --- a/kerberos.sh.in +++ b/kerberos.sh.in 
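Review bot: After this rename an existing acme.conf that still sets `ACME_DATADIR` or `ACME_HOOKDIR` is ignored without any message, because the hunk at `@@ -66,22 +66,22 @@` falls back to `/var/db/lfacme` and `${_CONFDIR}/hooks` whenever the new names are empty. The data directory holds the ACME account key and the issued certificates, so a silent switch to the default location is worth stopping rather than tolerating. The kerberos.sh.in hunk at `@@ -25,20 +25,20 @@` has the same shape: an old `ACME_KERBEROS_PRINCIPAL` or `ACME_KERBEROS_KEYTAB` setting is dropped and the hook authenticates with `host/$(hostname)` and `/etc/krb5.keytab` instead of the configured identity. A check placed right after `. "$_CONFIG"`, for example `if [ -n "${ACME_URL}${ACME_DATADIR}${ACME_HOOKDIR}" ]; then _fatal "ACME_* settings were renamed to LFACME_*; update acme.conf"; fi`, would fail loudly on a stale configuration.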
@@ -15,7 +15,7 @@ TOKEN=$4 # The token value we need to create. AUTH=$5 -_KINIT="$(_findbin kinit $ACME_KERBEROS_KINIT)" +_KINIT="$(_findbin kinit $LFACME_KERBEROS_KINIT)" if [ "$#" -ne 5 ]; then _fatal "missing arguments" @@ -25,20 +25,20 @@ if [ "$METHOD" != "dns-01" ]; then exit 1 fi -if [ -z "$ACME_KERBEROS_PRINCIPAL" ]; then - ACME_KERBEROS_PRINCIPAL="host/$(hostname)" +if [ -z "$LFACME_KERBEROS_PRINCIPAL" ]; then + LFACME_KERBEROS_PRINCIPAL="host/$(hostname)" fi -if [ -z "$ACME_KERBEROS_KEYTAB" ]; then - ACME_KERBEROS_KEYTAB="/etc/krb5.keytab" +if [ -z "$LFACME_KERBEROS_KEYTAB" ]; then + LFACME_KERBEROS_KEYTAB="/etc/krb5.keytab" fi -if ! [ -r "$ACME_KERBEROS_KEYTAB" ]; then +if ! [ -r "$LFACME_KERBEROS_KEYTAB" ]; then _fatal "keytab does not exist (or is not readable): %s" \ - "$ACME_KERBEROS_KEYTAB" + "$LFACME_KERBEROS_KEYTAB" fi -if ! $_KINIT -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then +if ! $_KINIT -k -t "$LFACME_KERBEROS_KEYTAB" "$LFACME_KERBEROS_PRINCIPAL"; then _fatal "failed to obtain a Kerberos ticket" fi diff --git a/lfacme-dns.7.in b/lfacme-dns.7.in index 4d25031..64cf59e 100644 --- a/lfacme-dns.7.in +++ b/lfacme-dns.7.in @@ -36,7 +36,7 @@ to create this record. The DNS update will be sent to the zone's master server (determined by the MNAME field in the SOA record), and will be authenticated using the TSIG key file configured by -.Ar ACME_DNS_KEYFILE +.Ar LFACME_DNS_KEYFILE in .Xr acme.conf 5 . .Pp @@ -47,19 +47,19 @@ The challenge hook supports the following configuration options in .Xr acme.conf 5 : .Bl -tag -width indent -.It Va ACME_DNS_KEYFILE +.It Va LFACME_DNS_KEYFILE (Required.) The key file that will be passed to .Xr nsupdate 1 to authenticate the DNS update. -.It Va ACME_DNS_DIG +.It Va LFACME_DNS_DIG Path to the .Xr dig 1 program. If not specified, .Ev $PATH will be searched. -.It Va ACME_DNS_NSUPDATE +.It Va LFACME_DNS_NSUPDATE Path to the .Xr nsupdate 1 program. 
diff --git a/lfacme-http.7.in b/lfacme-http.7.in index 4e853d5..781998f 100644 --- a/lfacme-http.7.in +++ b/lfacme-http.7.in @@ -32,7 +32,7 @@ When .Nm responds to the challenge, it will place the token in the directory configured by -.Ar ACME_HTTP_CHALLENGE_DIR +.Ar LFACME_HTTP_CHALLENGE_DIR in .Xr acme.conf 5 . This directory must be mapped to the appropriate path on the web server for @@ -43,7 +43,7 @@ The challenge hook supports the following configuration options in .Xr acme.conf 5 : .Bl -tag -width indent -.It Va ACME_HTTP_CHALLENGE_DIR +.It Va LFACME_HTTP_CHALLENGE_DIR (Required.) The directory to place the challenge tokens in. The contents of this directory should be served at the path diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in index ae96109..0a28535 100644 --- a/lfacme-kerberos.7.in +++ b/lfacme-kerberos.7.in @@ -43,7 +43,7 @@ Before sending the update, will retrieve a Kerberos ticket using .Xr kinit 1 for the principal configured by -.Ar ACME_KERBEROS_PRINCIPAL +.Ar LFACME_KERBEROS_PRINCIPAL in .Xr acme.conf 5 . .Sh CONFIGURATION 
@@ -52,34 +52,34 @@ The challenge hook supports the following configuration options in .Xr acme.conf 5 : .Bl -tag -width indent -.It Va ACME_KERBEROS_PRINCIPAL +.It Va LFACME_KERBEROS_PRINCIPAL The Kerberos principal to authenticate as when sending the DNS update. The default value is .Dq host/$(hostname) , which assumes a default realm has been configured in .Pa /etc/krb5.conf . Explicitly configuring the principal is recommended, but not required. -.It Va ACME_KERBEROS_KEYTAB +.It Va LFACME_KERBEROS_KEYTAB The keytab used to issue the Kerberos ticket. This must contain a key for the principal configured by -.Va ACME_KERBEROS_PRINCIPAL . +.Va LFACME_KERBEROS_PRINCIPAL . The default value is .Pa /etc/krb5.keytab . -.It Va ACME_KERBEROS_KINIT +.It Va LFACME_KERBEROS_KINIT Path to the .Xr kinit 1 program. If not specified, .Ev $PATH will be searched. -.It Va ACME_DNS_DIG +.It Va LFACME_DNS_DIG Path to the .Xr dig 1 program. If not specified, .Ev $PATH will be searched. -.It Va ACME_DNS_NSUPDATE +.It Va LFACME_DNS_NSUPDATE Path to the .Xr nsupdate 1 program. diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in index 2762f0f..cf5a420 100644 --- a/lfacme-ualpn.7.in +++ b/lfacme-ualpn.7.in @@ -39,7 +39,7 @@ The challenge hook supports the following configuration options in .Xr acme.conf 5 : .Bl -tag -width indent -.It Va ACME_UALPN +.It Va LFACME_UALPN Path to the .Xr ualpn 1 program. diff --git a/renew.sh.in b/renew.sh.in index e1d2c6c..c0d9121 100644 --- a/renew.sh.in +++ b/renew.sh.in @@ -1,7 +1,7 @@ #! /bin/sh # This source code is released into the public domain. -_OPENSSL="$(_findbin openssl $ACME_OPENSSL)" +_OPENSSL="$(_findbin openssl $LFACME_OPENSSL)" # Parse command-line arguments. args=$(getopt f $*) 
@@ -175,7 +175,7 @@ _docert() { # make sure all the hook scripts are valid. if the hook name # begins with a '/' it's a full path, otherwise it's relative - # to ACME_HOOKDIR. + # to LFACME_HOOKDIR. local _rhooks="" for hook in $hooks; do local _hookpath="$(_findhook "$identifier" "$hook")" diff --git a/ualpn.sh.in b/ualpn.sh.in index 80855c0..0642ac7 100644 --- a/ualpn.sh.in +++ b/ualpn.sh.in @@ -22,7 +22,7 @@ if [ "$METHOD" != "tls-alpn-01" ]; then exit 1 fi -_UALPN="$(_findbin ualpn $ACME_UALPN)" +_UALPN="$(_findbin ualpn $LFACME_UALPN)" case "$ACTION" in begin) |
