lacme-accountd - ACME client written with process isolation and minimal privileges in mind (account key manager)

Synopsis

lacme-accountd [--config=FILENAME] [--privkey=ARG] [--socket=PATH] [--quiet]

Description

lacme-accountd is the account key manager component of lacme(1), a small ACME client written with process isolation and minimal privileges in mind. No other lacme(1) component needs access to the account key; in fact the account key could just as well be stored on another host or a smartcard.

lacme-accountd binds to a UNIX-domain socket (specified with --socket=), which ACME clients can connect to in order to request data signatures. As a consequence, lacme-accountd needs to be up and running before using lacme(1) to issue ACME commands. Also, the process does not automatically terminate after the last signature request: instead, one sends an INT or TERM signal(7) to bring the server down.

Furthermore, one can use the UNIX-domain socket forwarding facility of OpenSSH 6.7 and later to run lacme-accountd and lacme(1) on different hosts. For instance one could store the account key on a machine that is not exposed to the internet. See the examples section below.

Options

--config=FILENAME

Use filename as configuration file. See the configuration file section below for the configuration options.

--privkey=ARG

Specify the (private) account key to use for signing requests. Currently supported arguments are:

  • file:FILE, to specify an encrypted private key (in PEM format); and
  • gpg:FILE, to specify a gpg(1)-encrypted private key (in PEM format).

The following command can be used to generate a new 4096-bit RSA key in PEM format with mode 0600:

openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/account.key

--socket=PATH

Use path as the UNIX-domain socket to bind against for signature requests from the ACME client. lacme-accountd aborts if path exists or if its parent directory is writable by other users.

-h, --help

Display a brief help and exit.

-q, --quiet

Be quiet.

--debug

Turn on debug mode.

Configuration file

If --config= is not given, lacme-accountd uses the first existing configuration file among ./lacme-accountd.conf, $XDG_CONFIG_HOME/lacme/lacme-accountd.conf (or ~/.config/lacme/lacme-accountd.conf if the XDG_CONFIG_HOME environment variable is not set), and /etc/lacme/lacme-accountd.conf.

When given on the command line, the --privkey=, --socket= and --quiet options take precedence over their counterparts (without leading --) in the configuration file. Valid options are:

privkey

See --privkey=. This option is required when --privkey= is not specified on the command line.

gpg

For a gpg(1)-encrypted private account key, specify the gpg(1) binary to use, as well as some default options. Default: gpg --quiet.

socket

See --socket=. Default: $XDG_RUNTIME_DIR/S.lacme if the XDG_RUNTIME_DIR environment variable is set.

quiet

Be quiet. Possible values: Yes/No.
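As an added example (not lacme's own code), the following POSIX shell functions reproduce two behaviours documented above so that a wrapper script can check them before starting lacme-accountd: the configuration-file lookup order used when --config= is absent, and the refusal to bind a socket whose path already exists or whose parent directory is writable by other users. It assumes GNU coreutils stat -c for reading the directory mode.

```shell
#!/bin/sh
# Added example, not part of lacme: pre-flight checks modelled on the
# lacme-accountd manual. Assumes GNU coreutils `stat -c '%a'`.

# Return the configuration file lacme-accountd would pick when --config=
# is not given: the first existing file among the documented candidates.
find_accountd_config() {
    # Fall back to ~/.config when XDG_CONFIG_HOME is unset, as documented.
    xdg_config="${XDG_CONFIG_HOME:-$HOME/.config}"
    for candidate in "./lacme-accountd.conf" \
                     "$xdg_config/lacme/lacme-accountd.conf" \
                     "/etc/lacme/lacme-accountd.conf"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1   # no configuration file found anywhere
}

# Check a socket path the way the manual describes: the path must not
# exist yet, and its parent directory must not be writable by other users
# (group or world write bit set). Returns 0 when safe, 1 otherwise.
check_socket_path() {
    sock="$1"
    if [ -e "$sock" ]; then
        echo "refusing: $sock already exists" >&2
        return 1
    fi
    parent=$(dirname "$sock")
    if [ ! -d "$parent" ]; then
        echo "refusing: $parent is not a directory" >&2
        return 1
    fi
    # %a prints the octal mode, possibly with a leading sticky/setgid digit.
    mode=$(stat -c '%a' "$parent") || return 1
    # Keep only the rwx bits, then test the group and other write bits (022).
    perm=$(( 0$mode & 0777 ))
    if [ $(( perm & 022 )) -ne 0 ]; then
        echo "refusing: $parent is writable by other users (mode $mode)" >&2
        return 1
    fi
    return 0
}
```

With these in place, a wrapper can run `check_socket_path "$XDG_RUNTIME_DIR/S.lacme"` and abort before lacme-accountd is even started; $XDG_RUNTIME_DIR is normally mode 0700, so it passes the check.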

Examples

Run lacme-accountd in a first terminal:

~$ lacme-accountd --privkey=file:/path/to/account.key --socket=$XDG_RUNTIME_DIR/S.lacme

Then, while lacme-accountd is running, execute lacme(1) locally in another terminal:

~$ sudo lacme --socket=$XDG_RUNTIME_DIR/S.lacme newOrder

Alternatively, use OpenSSH 6.7 or later to forward the socket and execute lacme(1) remotely:

~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme \
   sudo lacme --socket=/path/to/remote.sock newOrder

See also

lacme(1), ssh(1)