docs: Update examples and README for ACMEv2 API and other changes

README.md

@@ -33,10 +33,10 @@ You should decide which challenge mode you want to use with acertmgr:
   * dns.nsupdate: Updates the TXT record using RFC2136 (with dnspython)
 
 You can optionally provide the key files for the ACME protocol, if you do not they will be automatically created:
-  * The account key is expected at `/etc/acme/account.key`
-  * The domain key is expected at `/etc/acme/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
-  * If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acme/account.key` and `openssl genrsa 4096 > /etc/acme/server.key` respectively
-  * Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acme/*.key`
+  * The account key is expected at `/etc/acertmgr/account.key`
+  * The domain key is expected at `/etc/acertmgr/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
+  * If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acertmgr/account.key` and `openssl genrsa 4096 > /etc/acertmgr/server.key` respectively
+  * Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acertmgr/*.key`
 
 Finally, you need to setup the configuration files, as shown in the next section.
 While testing, you can use the acme-staging authority instead, in order to avoid issuing too many certificates.
@@ -45,7 +45,7 @@ Configuration
 -------------
 
 Unless specified with a commandline parameter (see acertmgr.py --help) the optional global configuration is read from '/etc/acertmgr/acertmgr.conf'.
-Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is automatically excluded if it is in the same directory).
+Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is always excluded if it is in the same directory).
 
 All configuration files can use yaml (requires PyYAML) or json syntax.
 
@@ -53,15 +53,27 @@ All configuration files can use yaml (requires PyYAML) or json syntax.
 
 ```yaml
 ---
-# Required: Authority API endpoint to use
-authority: "https://acme-v01.api.letsencrypt.org"
+# Optional: Authority API endpoint to use
+# Legacy ACME v1 API with options:
+#api: v1
+#authority: "https://acme-v01.api.letsencrypt.org"
 #authority: "https://acme-staging.api.letsencrypt.org"
+#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
+# Current (default) ACME v2 API with options:
+#api: v2
+#authority: "https://acme-v02.api.letsencrypt.org"
+#authority: "https://acme-staging-v02.api.letsencrypt.org"
+#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
+#authority_contact_email: "foo@b.ar" # For single addresses
+#authority_contact_email:            # For multiple addresses
+#  - "foo@b.ar"
+#  - "c4f3@b.ar"
 
-# Optional: account_key location. This defaults to "/etc/acme/account.key"
-account_key: "/etc/acme/acc.key"
+# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
+#account_key: "/etc/acertmgr/account.key"
 
 # Optional: global server_key location. Otherwise separate key per server
-#server_key: "/etc/acme/serv.key"
+#server_key: "/etc/acertmgr/server.key"
 
 # Optional: global challenge handling mode with parameters
 #mode: webdir
@@ -114,7 +126,8 @@ www.example.com example.com:
 
 # this will create a certificate with subject alternative names
 # using a different challenge handler for one domain
-mail.example.com smtp.example.com webmail.example.net:
+# wildcards are possible with api v2 and dns challenge modes only!
+mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
 - mode: dns.nsupdate
   nsupdate_server: ns1.example.com
   nsupdate_keyname: mail
@@ -148,8 +161,8 @@ mail.example.com smtp.example.com webmail.example.net:
 "mode": "standalone",
 "port": "80",
 
-"account_key": "/etc/acme/acc.key",
-"server_key": "/etc/acme/serv.key",
+"account_key": "/etc/acertmgr/acc.key",
+"server_key": "/etc/acertmgr/serv.key",
 
 "webdir": "/var/www/acme-challenge/",
 "authority": "https://acme-v01.api.letsencrypt.org",

docs/acertmgr.conf

@@ -1,16 +1,28 @@
 ---
-# Required: Authority API endpoint to use
+# Optional: Authority API endpoint to use
+# Legacy ACME v1 API with options:
+#api: v1
 #authority: "https://acme-v01.api.letsencrypt.org"
 #authority: "https://acme-staging.api.letsencrypt.org"
+#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
+# Current (default) ACME v2 API with options:
+#api: v2
+#authority: "https://acme-v02.api.letsencrypt.org"
+#authority: "https://acme-staging-v02.api.letsencrypt.org"
+#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
+#authority_contact_email: "foo@b.ar" # For single addresses
+#authority_contact_email:            # For multiple addresses
+#  - "foo@b.ar"
+#  - "c4f3@b.ar"
 
-# Optional: account_key location. This defaults to "/etc/acme/account.key"
-#account_key: "/etc/acme/acc.key"
+# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
+#account_key: "/etc/acertmgr/account.key"
 
 # Optional: global server_key location. Otherwise separate key per server
-#server_key: "/etc/acme/serv.key"
+#server_key: "/etc/acertmgr/server.key"
 
 # Optional: global challenge handling mode with parameters
 #mode: webdir
 #webdir: /var/www/acme-challenge/
 #mode: standalone
-#port: 13135
+#port: 13135

docs/domain.conf

@@ -38,7 +38,8 @@ www.example.com example.com:
 
 # this will create a certificate with subject alternative names
 # using a different challenge handler for one domain
-mail.example.com smtp.example.com webmail.example.net:
+# wildcards are possible with api v2 and dns challenge modes only!
+mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
 - mode: dns.nsupdate
   nsupdate_server: ns1.example.com
   nsupdate_keyname: mail