1
0
mirror of https://github.com/moepman/acertmgr.git synced 2024-11-14 06:55:29 +01:00

docs: Update examples and README for ACMEv2 API and other changes

This commit is contained in:
Kishi85 2019-03-19 10:45:36 +01:00
parent f2567da7fa
commit 784badf54b
3 changed files with 45 additions and 19 deletions

View File

@ -33,10 +33,10 @@ You should decide which challenge mode you want to use with acertmgr:
* dns.nsupdate: Updates the TXT record using RFC2136 (with dnspython)
You can optionally provide the key files for the ACME protocol, if you do not they will be automatically created:
* The account key is expected at `/etc/acme/account.key`
* The domain key is expected at `/etc/acme/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
* If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acme/account.key` and `openssl genrsa 4096 > /etc/acme/server.key` respectively
* Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acme/*.key`
* The account key is expected at `/etc/acertmgr/account.key`
* The domain key is expected at `/etc/acertmgr/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
* If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acertmgr/account.key` and `openssl genrsa 4096 > /etc/acertmgr/server.key` respectively
* Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acertmgr/*.key`
Finally, you need to setup the configuration files, as shown in the next section.
While testing, you can use the acme-staging authority instead, in order to avoid issuing too many certificates.
@ -45,7 +45,7 @@ Configuration
-------------
Unless specified with a commandline parameter (see acertmgr.py --help) the optional global configuration is read from '/etc/acertmgr/acertmgr.conf'.
Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is automatically excluded if it is in the same directory).
Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is always excluded if it is in the same directory).
All configuration files can use yaml (requires PyYAML) or json syntax.
@ -53,15 +53,27 @@ All configuration files can use yaml (requires PyYAML) or json syntax.
```yaml
---
# Required: Authority API endpoint to use
authority: "https://acme-v01.api.letsencrypt.org"
# Optional: Authority API endpoint to use
# Legacy ACME v1 API with options:
#api: v1
#authority: "https://acme-v01.api.letsencrypt.org"
#authority: "https://acme-staging.api.letsencrypt.org"
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
# Current (default) ACME v2 API with options:
#api: v2
#authority: "https://acme-v02.api.letsencrypt.org"
#authority: "https://acme-staging-v02.api.letsencrypt.org"
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
#authority_contact_email: "foo@b.ar" # For single addresses
#authority_contact_email: # For multiple addresses
# - "foo@b.ar"
# - "c4f3@b.ar"
# Optional: account_key location. This defaults to "/etc/acme/account.key"
account_key: "/etc/acme/acc.key"
# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
#account_key: "/etc/acertmgr/account.key"
# Optional: global server_key location. Otherwise separate key per server
#server_key: "/etc/acme/serv.key"
#server_key: "/etc/acertmgr/server.key"
# Optional: global challenge handling mode with parameters
#mode: webdir
@ -114,7 +126,8 @@ www.example.com example.com:
# this will create a certificate with subject alternative names
# using a different challenge handler for one domain
mail.example.com smtp.example.com webmail.example.net:
# wildcards are possible with api v2 and dns challenge modes only!
mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
- mode: dns.nsupdate
nsupdate_server: ns1.example.com
nsupdate_keyname: mail
@ -148,8 +161,8 @@ mail.example.com smtp.example.com webmail.example.net:
"mode": "standalone",
"port": "80",
"account_key": "/etc/acme/acc.key",
"server_key": "/etc/acme/serv.key",
"account_key": "/etc/acertmgr/acc.key",
"server_key": "/etc/acertmgr/serv.key",
"webdir": "/var/www/acme-challenge/",
"authority": "https://acme-v01.api.letsencrypt.org",

View File

@ -1,13 +1,25 @@
---
# Required: Authority API endpoint to use
# Optional: Authority API endpoint to use
# Legacy ACME v1 API with options:
#api: v1
#authority: "https://acme-v01.api.letsencrypt.org"
#authority: "https://acme-staging.api.letsencrypt.org"
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
# Current (default) ACME v2 API with options:
#api: v2
#authority: "https://acme-v02.api.letsencrypt.org"
#authority: "https://acme-staging-v02.api.letsencrypt.org"
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
#authority_contact_email: "foo@b.ar" # For single addresses
#authority_contact_email: # For multiple addresses
# - "foo@b.ar"
# - "c4f3@b.ar"
# Optional: account_key location. This defaults to "/etc/acme/account.key"
#account_key: "/etc/acme/acc.key"
# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
#account_key: "/etc/acertmgr/account.key"
# Optional: global server_key location. Otherwise separate key per server
#server_key: "/etc/acme/serv.key"
#server_key: "/etc/acertmgr/server.key"
# Optional: global challenge handling mode with parameters
#mode: webdir

View File

@ -38,7 +38,8 @@ www.example.com example.com:
# this will create a certificate with subject alternative names
# using a different challenge handler for one domain
mail.example.com smtp.example.com webmail.example.net:
# wildcards are possible with api v2 and dns challenge modes only!
mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
- mode: dns.nsupdate
nsupdate_server: ns1.example.com
nsupdate_keyname: mail