From b89b4605df7b1582b1b1c96908c0a9e8c04699d1 Mon Sep 17 00:00:00 2001
From: Lexi Winter <lexi@le-fay.org>
Date: Wed, 4 Jun 2025 21:40:57 +0100
Subject: rename $ACME_* to $LFACME_*

for consistency with hook variables, and to avoid conflicts with
other applications.
---
 acme.conf.5.in       | 10 +++++-----
 acme.conf.sample.in  | 32 ++++++++++++++++----------------
 dns.sh.in            |  8 ++++----
 dnsutils.sh.in       |  4 ++--
 domains.conf.5.in    |  2 +-
 http.sh.in           | 10 +++++-----
 init.sh.in           | 28 ++++++++++++++--------------
 kerberos.sh.in       | 16 ++++++++--------
 lfacme-dns.7.in      |  8 ++++----
 lfacme-http.7.in     |  4 ++--
 lfacme-kerberos.7.in | 14 +++++++-------
 lfacme-ualpn.7.in    |  2 +-
 renew.sh.in          |  4 ++--
 ualpn.sh.in          |  2 +-
 14 files changed, 72 insertions(+), 72 deletions(-)

diff --git a/acme.conf.5.in b/acme.conf.5.in
index 6d342e7..a5f3c0a 100644
--- a/acme.conf.5.in
+++ b/acme.conf.5.in
@@ -25,28 +25,28 @@ file is not required.
 .Pp
 The following configuration options are supported:
 .Bl -tag -width indent
-.It Va ACME_URL
+.It Va LFACME_URL
 (Required.)
 The URL of the ACME server.
-.It Va ACME_DATADIR
+.It Va LFACME_DATADIR
 The path to the runtime data directory, where the ACME account key and any
 issued certificates will be stored.
 The default path is
 .Pa /var/db/lfacme .
-.It Va ACME_HOOKDIR
+.It Va LFACME_HOOKDIR
 The path to a directory containing hooks to invoke when issuing certificates
 (see
 .Xr domains.conf 5 ) .
 The default path is
 .Pa __CONFDIR__/hooks .
-.It Va ACME_OPENSSL
+.It Va LFACME_OPENSSL
 Path to the
 .Xr openssl 1
 program.
 If not specified,
 .Ev $PATH
 will be searched.
-.It Va ACME_UACME
+.It Va LFACME_UACME
 Path to the
 .Xr uacme 1
 program.
diff --git a/acme.conf.sample.in b/acme.conf.sample.in
index 3bf5df8..680ba11 100644
--- a/acme.conf.sample.in
+++ b/acme.conf.sample.in
@@ -9,31 +9,31 @@
 # These options are used by lfacme itself.
 
 
-### ACME_URL
+### LFACME_URL
 # The URL of the ACME server.
 # No default, you must set this.
 
 # Let's Encrypt production:
-#ACME_URL="https://acme-v02.api.letsencrypt.org/directory"
+#LFACME_URL="https://acme-v02.api.letsencrypt.org/directory"
 
 # Let's Encrypt staging:
-#ACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory"
+#LFACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory"
 
 
-### ACME_DATADIR
+### LFACME_DATADIR
 # Runtime data directory.
 # This is where the ACME account key and the issued certificates are stored.
 # The default is /var/db/lfacme.
 
-#ACME_DATADIR="/var/db/lfacme"
+#LFACME_DATADIR="/var/db/lfacme"
 
 
-### ACME_HOOKDIR
+### LFACME_HOOKDIR
 # The path to the directory containing certificate hooks.
 # The default is "__CONFDIR__/hooks".
 # There is usually no need to change this.
 
-#ACME_HOOKDIR="/some/directory"
+#LFACME_HOOKDIR="/some/directory"
 
 
 #######################################################################
@@ -42,13 +42,13 @@
 # These options are used for the "http" challenge.
 
 
-### ACME_HTTP_CHALLENGE_DIR
+### LFACME_HTTP_CHALLENGE_DIR
 # When using the "http" challenge handler, this is the directory which contains
 # ACME challenges.  This must be served at /.well-known/acme-challenge on any
 # domain using http validation.
 # No default; you must set this if you use the "http" handler.
 
-#ACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge"
+#LFACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge"
 
 
 #######################################################################
@@ -57,11 +57,11 @@
 # These options are used for the "dns" challenge.
 
 
-### ACME_DNS_KEYFILE
+### LFACME_DNS_KEYFILE
 # Path to the TSIG key nsupdate will use to authenticate the update.
 # No default; you must configure this when using the dns challenge.
 
-#ACME_DNS_KEYFILE="/path/to/key"
+#LFACME_DNS_KEYFILE="/path/to/key"
 
 
 #######################################################################
@@ -70,17 +70,17 @@
 # These options are used for the "kerberos" challenge.
 
 
-### ACME_KERBEROS_PRINCIPAL
+### LFACME_KERBEROS_PRINCIPAL
 # When using the "kerberos" challenge handler, this is the Kerberos principal
 # we use for nsupdate.  The default is "host/$(hostname)", which assumes a
 # default realm is configured in /etc/krb5.conf.
 
-#ACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG"
+#LFACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG"
 
 
-### ACME_KERBEROS_KEYTAB
+### LFACME_KERBEROS_KEYTAB
 # When using the "kerberos" challenge handler, this is the keytab used to
-# issue the ticket.  It must contain a key for $ACME_KERBEROS_PRINCIPAL.
+# issue the ticket.  It must contain a key for $LFACME_KERBEROS_PRINCIPAL.
 # The default is /etc/krb5.keytab.
 
-#ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
+#LFACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
diff --git a/dns.sh.in b/dns.sh.in
index e651cec..55a01d0 100644
--- a/dns.sh.in
+++ b/dns.sh.in
@@ -23,8 +23,8 @@ if [ "$METHOD" != "dns-01" ]; then
 	exit 1
 fi
 
-if [ -z "$ACME_DNS_KEYFILE" ]; then
-	_fatal "ACME_DNS_KEYFILE not configured"
+if [ -z "$LFACME_DNS_KEYFILE" ]; then
+	_fatal "LFACME_DNS_KEYFILE not configured"
 fi
 
 # Add a new record using nsupdate.
@@ -32,7 +32,7 @@ _add_record() {
 	local domain="$1"
 	local auth="$2"
 
-	$_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
+	$_NSUPDATE -k "$LFACME_DNS_KEYFILE" <<EOF
 update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
@@ -44,7 +44,7 @@ _remove_record() {
 	local domain="$1"
 	local auth="$2"
 
-	$_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
+	$_NSUPDATE -k "$LFACME_DNS_KEYFILE" <<EOF
 update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
diff --git a/dnsutils.sh.in b/dnsutils.sh.in
index 290f1e3..7f72c4a 100644
--- a/dnsutils.sh.in
+++ b/dnsutils.sh.in
@@ -2,8 +2,8 @@
 #
 # Utility functions for DNS-based authorizations.
 
-_DIG="$(_findbin dig $ACME_DNS_DIG)"
-_NSUPDATE="$(_findbin nsupdate $ACME_DNS_NSUPDATE)"
+_DIG="$(_findbin dig $LFACME_DNS_DIG)"
+_NSUPDATE="$(_findbin nsupdate $LFACME_DNS_NSUPDATE)"
 
 # Retrieve the nameservers for a given domain.  On failure, prints an error
 # message and exits.
diff --git a/domains.conf.5.in b/domains.conf.5.in
index 4ac27db..38c0035 100644
--- a/domains.conf.5.in
+++ b/domains.conf.5.in
@@ -93,7 +93,7 @@ begins with a
 .Sq /
 character, then it is assumed to be an absolute path,
 otherwise it is relative to the
-.Va ACME_HOOKDIR
+.Va LFACME_HOOKDIR
 configured in
 .Xr acme.conf 5 .
 This option may be specified multiple times.
diff --git a/http.sh.in b/http.sh.in
index 048870e..4c38aef 100644
--- a/http.sh.in
+++ b/http.sh.in
@@ -22,15 +22,15 @@ if [ "$METHOD" != "http-01" ]; then
 	exit 1
 fi
 
-if [ -z "$ACME_HTTP_CHALLENGE_DIR" ]; then
-	_fatal "must set ACME_HTTP_CHALLENGE_DIR"
+if [ -z "$LFACME_HTTP_CHALLENGE_DIR" ]; then
+	_fatal "must set LFACME_HTTP_CHALLENGE_DIR"
 fi
 
-if ! [ -d "$ACME_HTTP_CHALLENGE_DIR" ]; then
-	_fatal "missing $ACME_HTTP_CHALLENGE_DIR"
+if ! [ -d "$LFACME_HTTP_CHALLENGE_DIR" ]; then
+	_fatal "missing $LFACME_HTTP_CHALLENGE_DIR"
 fi
 
-_file="${ACME_HTTP_CHALLENGE_DIR}/${TOKEN}"
+_file="${LFACME_HTTP_CHALLENGE_DIR}/${TOKEN}"
 
 case "$ACTION" in
 	begin)
diff --git a/init.sh.in b/init.sh.in
index e21b1e4..f8a8474 100644
--- a/init.sh.in
+++ b/init.sh.in
@@ -66,22 +66,22 @@ if [ -f "$_CONFIG" ]; then
 	. "$_CONFIG"
 fi
 
-if [ -z "$ACME_URL" ]; then
-	_fatal "missing configuration setting: ACME_URL"
+if [ -z "$LFACME_URL" ]; then
+	_fatal "missing configuration setting: LFACME_URL"
 fi
 
-if [ -z "$ACME_DATADIR" ]; then
-	ACME_DATADIR="/var/db/lfacme"
+if [ -z "$LFACME_DATADIR" ]; then
+	LFACME_DATADIR="/var/db/lfacme"
 fi
 
-if [ -z "$ACME_HOOKDIR" ]; then
-	ACME_HOOKDIR="${_CONFDIR}/hooks"
+if [ -z "$LFACME_HOOKDIR" ]; then
+	LFACME_HOOKDIR="${_CONFDIR}/hooks"
 fi
 
 # Create our data directory.
-if [ ! -d "$ACME_DATADIR" ]; then
-	_info "creating directory %s" "$ACME_DATADIR"
-	mkdir -p "$ACME_DATADIR"
+if [ ! -d "$LFACME_DATADIR" ]; then
+	_info "creating directory %s" "$LFACME_DATADIR"
+	mkdir -p "$LFACME_DATADIR"
 	if [ "$?" -ne 0 ]; then
 		exit 1
 	fi
@@ -123,10 +123,10 @@ _findbin() {
 }
 
 # uacme's base directory; this is where it puts certificates.
-_UACME_DIR="${ACME_DATADIR}/certs"
+_UACME_DIR="${LFACME_DATADIR}/certs"
 
 # The uacme executable.
-_UACME="$(_findbin uacme $ACME_UACME)"
+_UACME="$(_findbin uacme $LFACME_UACME)"
 
 _LFACME_UACME_FLAGS=""
 if ! [ -z "$LFACME_VERBOSE" ]; then
@@ -137,7 +137,7 @@ _uacme() {
 	env	"LFACME_CONFDIR=${_CONFDIR}"		\
 		"LFACME_VERBOSE=${LFACME_VERBOSE}"	\
 		"$_UACME" $_LFACME_UACME_FLAGS 		\
-		-a "$ACME_URL" -c "$_UACME_DIR" "$@"
+		-a "$LFACME_URL" -c "$_UACME_DIR" "$@"
 }
 
 # Find a challenge script and make sure it's valid.  If the challenge name
@@ -170,13 +170,13 @@ _findchallenge() {
 }
 
 # Find a hook script and make sure it's valid.  If the hook name begins with a
-# '/' it's a full path, otherwise it's relative to ACME_HOOKDIR.
+# '/' it's a full path, otherwise it's relative to LFACME_HOOKDIR.
 _findhook() {
 	local identifier="$1"
 	local hook="$2"
 
 	if [ "${hook#/*}" = "$hook" ]; then
-		hook="${ACME_HOOKDIR}/$hook"
+		hook="${LFACME_HOOKDIR}/$hook"
 	fi
 
 	if ! [ -f "$hook" ]; then
diff --git a/kerberos.sh.in b/kerberos.sh.in
index e29f9c3..7cbaa51 100644
--- a/kerberos.sh.in
+++ b/kerberos.sh.in
@@ -15,7 +15,7 @@ TOKEN=$4
 # The token value we need to create.
 AUTH=$5
 
-_KINIT="$(_findbin kinit $ACME_KERBEROS_KINIT)"
+_KINIT="$(_findbin kinit $LFACME_KERBEROS_KINIT)"
 
 if [ "$#" -ne 5 ]; then
 	_fatal "missing arguments"
@@ -25,20 +25,20 @@ if [ "$METHOD" != "dns-01" ]; then
 	exit 1
 fi
 
-if [ -z "$ACME_KERBEROS_PRINCIPAL" ]; then
-	ACME_KERBEROS_PRINCIPAL="host/$(hostname)"
+if [ -z "$LFACME_KERBEROS_PRINCIPAL" ]; then
+	LFACME_KERBEROS_PRINCIPAL="host/$(hostname)"
 fi
 
-if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
-	ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
+if [ -z "$LFACME_KERBEROS_KEYTAB" ]; then
+	LFACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
 fi
 
-if ! [ -r "$ACME_KERBEROS_KEYTAB" ]; then
+if ! [ -r "$LFACME_KERBEROS_KEYTAB" ]; then
 	_fatal "keytab does not exist (or is not readable): %s" \
-		"$ACME_KERBEROS_KEYTAB"
+		"$LFACME_KERBEROS_KEYTAB"
 fi
 
-if ! $_KINIT -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
+if ! $_KINIT -k -t "$LFACME_KERBEROS_KEYTAB" "$LFACME_KERBEROS_PRINCIPAL"; then
 	_fatal "failed to obtain a Kerberos ticket"
 fi
 
diff --git a/lfacme-dns.7.in b/lfacme-dns.7.in
index 4d25031..64cf59e 100644
--- a/lfacme-dns.7.in
+++ b/lfacme-dns.7.in
@@ -36,7 +36,7 @@ to create this record.
 The DNS update will be sent to the zone's master server (determined by the
 MNAME field in the SOA record), and will be authenticated using the TSIG
 key file configured by
-.Ar ACME_DNS_KEYFILE
+.Ar LFACME_DNS_KEYFILE
 in
 .Xr acme.conf 5 .
 .Pp
@@ -47,19 +47,19 @@ The
 challenge hook supports the following configuration options in
 .Xr acme.conf 5 :
 .Bl -tag -width indent
-.It Va ACME_DNS_KEYFILE
+.It Va LFACME_DNS_KEYFILE
 (Required.)
 The key file that will be passed to
 .Xr nsupdate 1
 to authenticate the DNS update.
-.It Va ACME_DNS_DIG
+.It Va LFACME_DNS_DIG
 Path to the
 .Xr dig 1
 program.
 If not specified,
 .Ev $PATH
 will be searched.
-.It Va ACME_DNS_NSUPDATE
+.It Va LFACME_DNS_NSUPDATE
 Path to the
 .Xr nsupdate 1
 program.
diff --git a/lfacme-http.7.in b/lfacme-http.7.in
index 4e853d5..781998f 100644
--- a/lfacme-http.7.in
+++ b/lfacme-http.7.in
@@ -32,7 +32,7 @@ When
 .Nm
 responds to the challenge, it will place the token in the directory configured
 by
-.Ar ACME_HTTP_CHALLENGE_DIR
+.Ar LFACME_HTTP_CHALLENGE_DIR
 in
 .Xr acme.conf 5 .
 This directory must be mapped to the appropriate path on the web server for
@@ -43,7 +43,7 @@ The
 challenge hook supports the following configuration options in
 .Xr acme.conf 5 :
 .Bl -tag -width indent
-.It Va ACME_HTTP_CHALLENGE_DIR
+.It Va LFACME_HTTP_CHALLENGE_DIR
 (Required.)
 The directory to place the challenge tokens in.
 The contents of this directory should be served at the path
diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in
index ae96109..0a28535 100644
--- a/lfacme-kerberos.7.in
+++ b/lfacme-kerberos.7.in
@@ -43,7 +43,7 @@ Before sending the update,
 will retrieve a Kerberos ticket using
 .Xr kinit 1
 for the principal configured by
-.Ar ACME_KERBEROS_PRINCIPAL
+.Ar LFACME_KERBEROS_PRINCIPAL
 in
 .Xr acme.conf 5 .
 .Sh CONFIGURATION
@@ -52,34 +52,34 @@ The
 challenge hook supports the following configuration options in
 .Xr acme.conf 5 :
 .Bl -tag -width indent
-.It Va ACME_KERBEROS_PRINCIPAL
+.It Va LFACME_KERBEROS_PRINCIPAL
 The Kerberos principal to authenticate as when sending the DNS update.
 The default value is
 .Dq host/$(hostname) ,
 which assumes a default realm has been configured in
 .Pa /etc/krb5.conf .
 Explicitly configuring the principal is recommended, but not required.
-.It Va ACME_KERBEROS_KEYTAB
+.It Va LFACME_KERBEROS_KEYTAB
 The keytab used to issue the Kerberos ticket.
 This must contain a key for the principal configured by
-.Va ACME_KERBEROS_PRINCIPAL .
+.Va LFACME_KERBEROS_PRINCIPAL .
 The default value is
 .Pa /etc/krb5.keytab .
-.It Va ACME_KERBEROS_KINIT
+.It Va LFACME_KERBEROS_KINIT
 Path to the
 .Xr kinit 1
 program.
 If not specified,
 .Ev $PATH
 will be searched.
-.It Va ACME_DNS_DIG
+.It Va LFACME_DNS_DIG
 Path to the
 .Xr dig 1
 program.
 If not specified,
 .Ev $PATH
 will be searched.
-.It Va ACME_DNS_NSUPDATE
+.It Va LFACME_DNS_NSUPDATE
 Path to the
 .Xr nsupdate 1
 program.
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
index 2762f0f..cf5a420 100644
--- a/lfacme-ualpn.7.in
+++ b/lfacme-ualpn.7.in
@@ -39,7 +39,7 @@ The
 challenge hook supports the following configuration options in
 .Xr acme.conf 5 :
 .Bl -tag -width indent
-.It Va ACME_UALPN
+.It Va LFACME_UALPN
 Path to the
 .Xr ualpn 1
 program.
diff --git a/renew.sh.in b/renew.sh.in
index e1d2c6c..c0d9121 100644
--- a/renew.sh.in
+++ b/renew.sh.in
@@ -1,7 +1,7 @@
 #! /bin/sh
 # This source code is released into the public domain.
 
-_OPENSSL="$(_findbin openssl $ACME_OPENSSL)"
+_OPENSSL="$(_findbin openssl $LFACME_OPENSSL)"
 
 # Parse command-line arguments.
 args=$(getopt f $*)
@@ -175,7 +175,7 @@ _docert() {
 
 	# make sure all the hook scripts are valid.  if the hook name
 	# begins with a '/' it's a full path, otherwise it's relative
-	# to ACME_HOOKDIR.
+	# to LFACME_HOOKDIR.
 	local _rhooks=""
 	for hook in $hooks; do
 		local _hookpath="$(_findhook "$identifier" "$hook")"
diff --git a/ualpn.sh.in b/ualpn.sh.in
index 80855c0..0642ac7 100644
--- a/ualpn.sh.in
+++ b/ualpn.sh.in
@@ -22,7 +22,7 @@ if [ "$METHOD" != "tls-alpn-01" ]; then
 	exit 1
 fi
 
-_UALPN="$(_findbin ualpn $ACME_UALPN)"
+_UALPN="$(_findbin ualpn $LFACME_UALPN)"
 
 case "$ACTION" in
 	begin)
-- 
cgit v1.2.3