From ec720c482d125cf77b11c5b1dc703dd19c3d1003 Mon Sep 17 00:00:00 2001 From: Lexi Winter Date: Tue, 3 Jun 2025 12:39:02 +0100 Subject: README: mention the new "http" handler --- README | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/README b/README index cc7d9de..2e39fd4 100644 --- a/README +++ b/README @@ -4,10 +4,9 @@ lfacme: a simple ACME client based on uacme lfacme is a wrapper around uacme to make it a bit more flexible. i wrote it primarily for my own use, but you're welcome to use it too. -currently, there is one major limitation: the only supported domain validation -method is dns-01 with Kerberized nsupdate. patches to improve this would be -welcome. if you don't want to use Kerberos, you can provide your own -uacme-compatible challenge handler, or just use one from uacme itself. +lfacme comes with challenge handlers for basic HTTP validation (http-01) and +for DNS (dns-01) validation using Kerberized nsupdate. it can also be used +with any uacme-compatible challenge handler. it's only tested on FreeBSD and may or may not work on other platforms. if it doesn't work, it shouldn't be difficult to port. @@ -18,6 +17,13 @@ requirements + POSIX-compatible /bin/sh + uacme (in FreeBSD: security/uacme) + OpenSSL command-line tool + +if you want to use the HTTP challenge handler: + ++ a web server installed on the host + +if you want to use the Kerberized nsupdate challenge handler: + + BIND's "dig" and "nsupdate" (in FreeBSD: dns/bind-tools) + Kerberos kinit (either MIT or Heimdal should work) @@ -29,9 +35,6 @@ install usage ----- -+ if you're using the provided "kerberos" challenge handler, make sure - /etc/krb5.keytab exists since this will be used to issue the Kerberos - ticket for domain validation. + create the config files (see below): /usr/local/etc/uacme/acme.conf and /usr/local/etc/uacme/domains.conf 
@@ -66,8 +69,8 @@ and sample configs are provided. BIND + Kerberos configuration ----------------------------- -if you want to use the default (and only) Kerberos dns-01 challenge, you must -configure your DNS server to accept Kerberos-authenticated dynamic updates. +if you want to use the provided Kerberos dns-01 challenge, you must configure +your DNS server to accept Kerberos-authenticated dynamic updates. first, tell BIND where to load its Kerberos keytab from: -- cgit v1.2.3
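Review bot: in the first hunk the new intro paragraph describes the handlers by validation type ("basic HTTP validation (http-01)", "DNS (dns-01) validation using Kerberized nsupdate") while the rest of the README refers to them by handler name (the removed usage line calls one the "kerberos" handler, and the subject line calls the new one "http"); naming both handlers once here, e.g. `the "http" handler for http-01 and the "kerberos" handler for dns-01`, would let a reader map the intro to the config keys they actually have to set. The old "patches to improve this would be welcome" sentence is also dropped; if contributions are still wanted (for other dns-01 backends, say), keep a sentence to that effect.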
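Review bot: in the requirements hunk, "+ a web server installed on the host" is too vague to act on: it should say what the server has to do for http-01 (serve the challenge path for each domain being validated) and where the handler writes the challenge files, so that an operator can confine the handler's write access to that one directory rather than giving it the whole document root. Also note which user the handler runs as, since that determines the ownership the directory needs.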
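Review bot: the usage hunk removes the only mention of /etc/krb5.keytab ("make sure /etc/krb5.keytab exists since this will be used to issue the Kerberos ticket for domain validation") without adding it anywhere else in the patch; the new "Kerberized nsupdate" requirements block lists dig, nsupdate and kinit but not the keytab. Either restore the keytab requirement under that block or state where it is now documented, otherwise the first kinit failure is the only hint the reader gets.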
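Review bot: the last hunk correctly drops "(and only)" now that a second handler exists, but it is the only configuration section the patch touches: the diff stat shows 12 insertions, all in the intro and requirements, so the README still has a "BIND + Kerberos configuration" section and nothing equivalent for the HTTP handler. A short "HTTP configuration" section (which settings select the handler and point it at the web server's challenge directory) would complete the change the subject line describes.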