App-Acmeman

acmeman

The B<null> module is an empty source. It takes no additional arguments.
Use this source if all domains are described in the configuration file
using one or more B<domain> sections.

The B<apache> source module is the default. It scans B<httpd> configuration
files as described in section B<apache>. One argument is allowed. If supplied,
it defines the apache configuration layout. Allowed values are: B<debian>,
B<slackware>, B<suse> and B<rh> (for Red Hat). Without arguments, the layout
will be autodetected.

The B<pound> source gathers host names from the B<pound> configuration file.

The B<file> source reads domain names from one or more disk files. A
mandatory argument specifies the name of the directory where the files
are located. This mode is suitable for use with B<haproxy> pattern files.

Multiple B<source> statements can be defined. They will be processed
sequentially.

=item B<files=>I<NAME>

Identifies the B<[files]> section which describes how to create certificate
files for domains which lack an explicit B<files> keyword. The default I<NAME>
is B<default>. See the description of the B<files> statement in the B<domain>
section.

=item B<check-alt-names=>I<BOOL>

When set to B<true>, it instructs the program to compare the list of
alternative names of each certificate with the one gathered from the
Apache configuration, and reissue the certificate if the two lists
don't match.  This uses ad-hoc logic, due to a deficiency of the
underlying X509 module, and therefore is not enabled by default.

Valid values for I<BOOL> are: B<1>, B<on>, B<true>, or B<yes>, for
true, and B<0>, B<off>, B<false>, or B<no> for false.

=item B<check-dns=>I<BOOL>

When set to B<true> (the default), the program will check whether each
host name has an A DNS record pointing back to one of the IP addresses
of the server. Hostnames which don't satisfy this condition will be ignored.
The IP of the server is determined by looking up the A record for its
hostname. This can be overridden using the B<my-ip> configuration statement.

=item B<key-size=>I<N>

Size of the RSA key to use, in bits. Default is 4096.

=item B<my-ip=>I<IP> [I<IP>...]

Declares the IP address (or addresses) of this server. Use this keyword if
the server IP cannot be reliably determined by resolving its hostname.
The special I<IP> value B<$hostip> stands for the IP retrieved by resolving
the hostname.

=back
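
As an added illustration (not acmeman's code and not part of its documentation), the Python sketch below reproduces the B<check-dns> rule as described above, including B<my-ip> with B<$hostip>, so an operator can see which host names would be ignored. The function names, the injected resolver and the sample records are assumptions made for this example.

```python
import socket

HOSTIP = "$hostip"  # special my-ip value described on the page


def resolve_a(name):
    """Return the IPv4 addresses from the A records of name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def server_ips(my_ip, hostname, resolve=resolve_a):
    """Expand my-ip values; with none given, resolve the server's hostname."""
    if not my_ip:
        return resolve(hostname)
    ips = set()
    for item in my_ip:
        ips |= resolve(hostname) if item == HOSTIP else {item}
    return ips


def split_hosts(names, my_ip, hostname, resolve=resolve_a):
    """Partition names into (kept, ignored) under the check-dns rule."""
    ours = server_ips(my_ip, hostname, resolve)
    kept, ignored = [], []
    for name in names:
        (kept if resolve(name) & ours else ignored).append(name)
    return kept, ignored


# Constructed sample records (documentation address ranges) so this runs offline.
SAMPLE_DNS = {
    "web1.example.net": {"192.0.2.10"},    # the server's own hostname
    "www.example.com": {"192.0.2.10"},
    "shop.example.com": {"198.51.100.7"},  # second address of the server
    "old.example.com": {"203.0.113.99"},   # points at another machine
}
NAMES = ["www.example.com", "shop.example.com", "old.example.com", "gone.example.com"]


def sample_resolve(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    kept, ignored = split_hosts(NAMES, [HOSTIP, "198.51.100.7"], "web1.example.net", sample_resolve)
    print("kept:", kept, "ignored:", ignored)
```

Calling C<split_hosts> without the C<resolve> argument uses live DNS lookups instead of the sample records.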

=head2 B<[account]>

Configures where to store the ACME account credentials: the account key ID
and the account private key.  The two values are stored in separate files on
disk. If the files do not exist, B<acmeman> will initiate creation of a new
account and will save its credentials for further use.

=over 4

=item B<directory=>I<DIR>

Directory where to store credential files.  Defaults to
F</etc/ssl/acme>.

=item B<id=>I<FILE>

Name of the file with the account key ID.  Unless I<FILE> begins with a
directory separator, it is taken relative to B<account.directory>.

Default: F</etc/ssl/acme/key.id>.

=item B<key=>I<FILE>

Name of the file with the account key.  Unless I<FILE> begins with a
directory separator, it is taken relative to B<account.directory>.

Default: F</etc/ssl/acme/key.pem>.

=back

=head2 B<[domain I<CN>]>

Declares the domain for which a certificate should be maintained. I<CN> is
the canonical name for the domain. Alternative names can be specified using
the B<alt> setting within the section.

=over 4

=item B<files=>I<ID>

Identifies the B<[files]> section which describes how to create certificate
files for this domain. In the absence of this statement, the B<files>
statement from the B<[core]> section will be used.

=item B<alt=>I<NAME>

Defines an alternative name for the certificate. Multiple B<alt> statements
are allowed.

=item B<key-size=>I<N>

Size of the RSA key to use, in bits. If not set, the B<core.key-size>
setting is used.

=item B<postrenew=>I<CMD>

Run I<CMD> after successful update. If not given, the B<core.postrenew>
commands will be run.

If more than one B<postrenew> statement is defined, they will be run in
sequence, in the same order as they appear in the configuration file.

I<CMD> is run in the environment inherited from the calling B<acmeman>
process with the following additional variables defined:

=over 8


