App-Acmeman


static files, such as B<fileserv> (L<https://www.gnu.org.ua/projects/fileserv>),
for example.

Then, configure the HTTPS section to use certificates from the certificate
file directory:

    frontend https-in
	mode http
	bind :::443 v4v6 ssl crt /etc/ssl/acme/crt
	# Direct each group of domain names to the corresponding
	# backend.
	use_backend d1 if { hdr(host) -f /etc/haproxy/hosts/d1 }
	use_backend d2 if { hdr(host) -f /etc/haproxy/hosts/d2 }
	...

Finally, define the backends.

=back

=head2 Pound

B<Pound> is a light-weight proxy server available from L<https://github.com/graygnuorg/pound>.  It is supported by the B<acmeman> source B<pound>, which
scans the B<pound> configuration file F</etc/pound.cfg>, and extracts domain
names from the B<Host> directives in B<ListenHTTP> sections that contain
the B<ACME> statement.  Below is a short usage instruction for this source
module.  For a detailed discussion, refer to the section B<SOURCE>, subsection
B<pound>.

=over 4

=item 1. Add the B<ACME> directive to the B<ListenHTTP> section of your
F</etc/pound.cfg> file.  Its argument is a directory on the local file system
where ACME challenge files will be stored.  Make sure that this directory
is the F<.well-known/acme-challenge> subdirectory of the B<rootdir> in your
B<acmeman> configuration file.

=item 2. In the same B<ListenHTTP> section, define the hostnames which will
obtain ACME certificates.  Make sure to use B<Host> statements with the exact
string matching algorithm.  If serving several host names, use the B<Match OR>
block.

=back

After these two steps, your listener section will look like:

    ListenHTTP
	Address 0.0.0.0
	Port 80
	ACME "/var/lib/pound/acme/.well-known/acme-challenge"
	Service
	    Match OR
		Host "www.example.org"
		Host "example.org"
	    End
	    ...
	End
    End

=over 4

=item 3. Configure B<acmeman>.  Use the B<pound> source and make sure
B<rootdir> is synchronized with the B<ACME> statement in F<pound.cfg>, as
described in point 1.  E.g.:

    [core]
	source = pound
	rootdir = /var/lib/pound/acme
	postrenew = /usr/bin/systemctl restart pound

=back

=head2 Direct configuration

Use direct configuration if none of the provided source types can
be used.  In this case, you define each domain which needs a
certificate in the F</etc/acmeman.conf> file.  First, instruct
B<acmeman> that no external source of domain names will be used:

    [core]
	source = null

Then, for each domain name use the B<domain> section, as shown in the
example below:

    [domain example.com]
	alt = www.example.com
	files = default

This section instructs B<acmeman> that a certificate is needed for the
domain B<example.com>, using B<www.example.com> as its alternative name.
The B<files> statement identifies the name of a B<files> section containing
rules for creating certificate files for that domain.  This section must be
defined elsewhere in the configuration file.  For example:

    [files default]
	type = split
	certificate-file = /etc/ssl/acme/$domain/cert.pem
	key-file = /etc/ssl/acme/$domain/privkey.pem
	ca-file = /etc/ssl/acme/$domain/ca.pem
	argument = $domain

This definition tells B<acmeman> that it should store certificate, certificate
key, and certificate authority chain in three separate files. Names of these
files will be created by replacing the B<$domain> string in the corresponding
definition with the domain name from the B<domain> section.

Several B<[domain]> sections can share the same B<[files]> definition, or
each can have its own, depending on your needs.

=head1 CONFIGURATION

The configuration file controls the operation of B<acmeman>.  By default,
its name is F</etc/acmeman.conf>.  If it is absent, B<acmeman> falls
back to the legacy operation mode, scanning Apache configuration files
for domains that use LetsEncrypt SSL certificates.  See the B<APACHE>
section below for a detailed description.

The configuration file has a traditional line-oriented syntax.  Comments
are introduced with a hash sign.  Empty lines are ignored.  Leading and
trailing whitespace is removed prior to parsing.  Long statements can be
split over several physical lines by ending each line except the last
one with a backslash immediately followed by a newline character.
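The syntax described above (hash comments, trimmed whitespace, backslash continuation, and the B<[core]>, B<[domain]> and B<[files]> sections with B<$domain> substitution shown earlier on this page), as an added Python example that is not part of B<acmeman>: the sample configuration is constructed, and the section and key handling is an assumption drawn from this page rather than B<acmeman>'s own parser.

```python
import re

# Constructed sample in the syntax described above; the trailing backslash on
# the "alt" line exercises the physical-line joining rule.
SAMPLE = """
# ACME configuration (constructed sample)
[core]
    source = null

[domain example.com]
    alt = www.example.com \\
          mail.example.com
    files = default

[files default]
    type = split
    certificate-file = /etc/ssl/acme/$domain/cert.pem
    key-file = /etc/ssl/acme/$domain/privkey.pem
    ca-file = /etc/ssl/acme/$domain/ca.pem
    argument = $domain
"""

def logical_lines(text):
    """Yield logical lines: trim whitespace, drop comments and empty lines,
    and join a line ending in a backslash with the physical line after it."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # continuation of the previous line
            line, pending = pending + " " + line, ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if pending:                          # backslash on the very last line
        yield pending

def parse(text):
    """Return {(section, argument): {key: value}}; argument is None for [core]."""
    sections, current = {}, None
    for line in logical_lines(text):
        m = re.fullmatch(r"\[(\w+)(?:\s+(\S+))?\]", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections

def cert_paths(sections, domain):
    """Expand $domain in the *-file keys of the files section a domain refers to."""
    files = sections[("files", sections[("domain", domain)]["files"])]
    return {k: v.replace("$domain", domain)
            for k, v in files.items() if k.endswith("-file")}
```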
