lacme-accountd - ACME client written with process isolation and minimal privileges in mind (account key manager)
lacme-accountd is the account key manager component of
lacme(8), a small ACME client written with process isolation and minimal privileges in mind. No other
lacme(8) component needs access to the account key; in fact the account key could as well be stored on another host or a smartcard.
lacme-accountd binds to a UNIX-domain socket (specified with
--socket=), which ACME clients can connect to in order to request data signatures. As a consequence,
lacme-accountd needs to be up and running before using
lacme(8) to issue ACME commands. Also, the process does not automatically terminate after the last signature request: instead, one sends it a termination signal (see
signal(7)) to bring the server down.
Furthermore, one can use the UNIX-domain socket forwarding facility of OpenSSH 6.7 and later to run
lacme(8) on different hosts. For instance one could store the account key on a machine that is not exposed to the internet. See the examples section below.
Use filename as configuration file instead of
%E/lacme/lacme-accountd.conf. The value is subject to %-specifier expansion.
Specifying --config= with a non-existent file is an error, but a non-existent default location is treated as if it were an empty file.
See the configuration file section below for the configuration options.
Specify the (private) account key to use for signing requests. Currently supported values are:
file:FILE, for a private key in PEM format (optionally symmetrically encrypted)
gpg:FILE, for a
gpg(1)-encrypted private key
FILE is subject to %-specifier expansion.
The genpkey(1ssl) command can be used to generate a new private (account) key:

$ install -vm0600 /dev/null /path/to/account.key
$ openssl genpkey -algorithm RSA -out /path/to/account.key

The install(1) step creates the file with mode 0600 before openssl(1) writes to it, so the key is never exposed to other users, not even briefly.
Note: lacme-accountd only supports RSA account keys.
Use path as the UNIX-domain socket to bind to for signature requests from the ACME client. The value is subject to %-specifier expansion.
lacme-accountd aborts if path exists or if its parent directory is writable by other users. Default:
the default --socket= value therefore yields an error when
lacme-accountd runs as an unprivileged user and the
XDG_RUNTIME_DIR environment variable is unset or empty).
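The two preconditions stated above (an owner-only RSA account key, and a socket path that does not yet exist in a directory other users cannot write to) can be checked before starting the daemon. The following pre-flight script is an added example and is not part of lacme; it assumes openssl(1) and a GNU or BSD stat(1), and the function names and messages are its own.

```shell
#!/bin/sh
# Added example (not part of lacme): pre-flight checks that mirror two rules
# from the lacme-accountd manual page, to run before starting the daemon.
#   check_account_key PATH  -> 0 if PATH is a mode 0600/0400 RSA private key
#   check_socket_path PATH  -> 0 if PATH does not exist and its parent
#                              directory is not writable by other users
# Assumes openssl(1) and a GNU or BSD stat(1); names and messages are ours.

# Octal permission bits of a file, without the type (e.g. 600, 755, 1777).
perm_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_account_key() {
    key=$1
    [ -f "$key" ] || { echo "$key: no such file" >&2; return 1; }
    # Only the owner may read the account key (as created by install -m0600).
    case $(perm_of "$key") in
        600|400) ;;
        *) echo "$key: should be mode 0600 (owner-only)" >&2; return 1 ;;
    esac
    # lacme-accountd only supports RSA keys: `openssl rsa` refuses any other
    # algorithm. A passphrase-protected key would prompt on the terminal here.
    if ! openssl rsa -in "$key" -noout -check >/dev/null 2>&1; then
        echo "$key: not a (readable) RSA private key" >&2; return 1
    fi
    return 0
}

check_socket_path() {
    sock=$1
    dir=$(dirname "$sock")
    # lacme-accountd aborts if the path already exists ...
    if [ -e "$sock" ]; then
        echo "$sock: already exists (stale socket?)" >&2; return 1
    fi
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ... or if the parent directory is writable by other users. Keep the last
    # two octal digits (group, other) and reject any write bit (2, 3, 6, 7).
    # This follows the manual's wording literally, so sticky world-writable
    # directories such as /tmp are rejected as well.
    mode=$(perm_of "$dir")
    go=${mode#"${mode%??}"}
    case $go in
        *[2367]*) echo "$dir: writable by group or others (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}
```

A typical use is `check_account_key /path/to/account.key && check_socket_path "$XDG_RUNTIME_DIR/S.lacme" && lacme-accountd --privkey=file:/path/to/account.key --socket="$XDG_RUNTIME_DIR/S.lacme"`, so that a stale socket or a key with loose permissions is reported before the daemon refuses to start.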
Read signature requests from the standard input and write signatures to the standard output, instead of using a UNIX-domain socket for communication with the ACME client. This internal flag should never be used by standalone
lacme-accountd instances, only for those spawned by lacme(8) itself.
Display a brief help and exit.
Turn on debug mode.
When given on the command line, options such as
--quiet take precedence over their counterpart (without leading
--) in the configuration file. Valid settings are:
privkey: the (private) account key to use for signing requests; possible values are described under --privkey=. This setting is required when
--privkey= is not specified on the command line.
For a gpg(1)-encrypted private account key, this setting specifies the binary
gpg(1) to use, as well as some default options. Default:
logfile: an optional file to log to. The value is subject to %-specifier expansion.
keyid: the “Key ID”, as shown by
`acme account`, to give the ACME client. With an empty keyid (the default) the client forwards the JSON Web Key (JWK) to the ACME server to retrieve the correct value. A non-empty value therefore saves a round-trip.
A non-empty value also causes
lacme-accountd to send an empty JWK, thereby revoking all account management access (status change, contact address updates etc.) from the client: any
`acme account` command (or any command from
lacme(8) before version 0.8.0) is bound to be rejected by the ACME server. This provides a safeguard against malicious clients: a compromised client host can still request signatures for orders, but cannot change the account's contact details or deactivate it.
Be quiet. Possible values:
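An added example of a configuration file tying the settings above together; it is not shipped with lacme. It assumes the file uses flat "setting = value" lines (an assumption, the page does not show the syntax), and every path and the Key ID are placeholders.

```ini
# Added example lacme-accountd.conf (assumed "setting = value" syntax).
# Account key: PEM file, owner-only, created with install -m0600 + genpkey.
privkey = file:/path/to/account.key

# Optional log file (subject to %-specifier expansion).
logfile = /path/to/lacme-accountd.log

# Non-empty keyid: the client no longer needs to fetch it from the ACME
# server, and lacme-accountd sends an empty JWK, so the client's account
# management commands are rejected by the server. Placeholder value.
keyid = https://acme-v02.api.letsencrypt.org/acme/acct/12345678
```

Leaving keyid empty restores the default behaviour (the client forwards the JWK and keeps account management access); set it once the account exists and you want to limit what a client host can do with the key.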
The values of the
--config=, --privkey= and --socket= CLI options (and also the privkey, socket and logfile settings from the configuration file) are subject to %-expansion for the following specifiers.
||Current group name.|
||Current group ID.|
||Home directory of the current user.|
||Current user name.|
||Current user ID.|
Run lacme-accountd in a first terminal:

$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

Once lacme-accountd is running, execute
lacme(8) locally in another terminal:

$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder
Alternatively, use OpenSSH 6.7 or later to forward the socket and execute lacme(8) on a remote host:

$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme firstname.lastname@example.org \
      sudo lacme --socket=/path/to/remote.sock newOrder

The remote socket file is created by sshd(8) on the remote host. If a stale /path/to/remote.sock is left behind by an earlier session, the forwarding fails (and ssh exits, because of ExitOnForwardFailure) unless the remote sshd_config(5) sets StreamLocalBindUnlink yes.

See the lacme(8) manual for a solution involving connecting to
lacme-accountd on a dedicated remote host. Doing so enables automatic renewal via