mirror of
https://github.com/moepman/acertmgr.git
synced 2024-11-14 06:55:29 +01:00
docs: Update examples and README for ACMEv2 API and other changes
This commit is contained in:
parent
f2567da7fa
commit
784badf54b
39
README.md
39
README.md
@ -33,10 +33,10 @@ You should decide which challenge mode you want to use with acertmgr:
|
||||
* dns.nsupdate: Updates the TXT record using RFC2136 (with dnspython)
|
||||
|
||||
You can optionally provide the key files for the ACME protocol, if you do not they will be automatically created:
|
||||
* The account key is expected at `/etc/acme/account.key`
|
||||
* The domain key is expected at `/etc/acme/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
|
||||
* If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acme/account.key` and `openssl genrsa 4096 > /etc/acme/server.key` respectively
|
||||
* Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acme/*.key`
|
||||
* The account key is expected at `/etc/acertmgr/account.key`
|
||||
* The domain key is expected at `/etc/acertmgr/server.key` (Note: only one domain key is required for all domains used in the same instance of acertmgr)
|
||||
* If you are missing these keys, they will be created for you or you can create them using `openssl genrsa 4096 > /etc/acertmgr/account.key` and `openssl genrsa 4096 > /etc/acertmgr/server.key` respectively
|
||||
* Do not forget to set proper permissions of the keys using `chmod 0400 /etc/acertmgr/*.key`
|
||||
|
||||
Finally, you need to setup the configuration files, as shown in the next section.
|
||||
While testing, you can use the acme-staging authority instead, in order to avoid issuing too many certificates.
|
||||
@ -45,7 +45,7 @@ Configuration
|
||||
-------------
|
||||
|
||||
Unless specified with a commandline parameter (see acertmgr.py --help) the optional global configuration is read from '/etc/acertmgr/acertmgr.conf'.
|
||||
Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is automatically excluded if it is in the same directory).
|
||||
Domains for which certificates should be obtained/renewed should be configured in `/etc/acertmgr/*.conf` (the global configuration is always excluded if it is in the same directory).
|
||||
|
||||
All configuration files can use yaml (requires PyYAML) or json syntax.
|
||||
|
||||
@ -53,15 +53,27 @@ All configuration files can use yaml (requires PyYAML) or json syntax.
|
||||
|
||||
```yaml
|
||||
---
|
||||
# Required: Authority API endpoint to use
|
||||
authority: "https://acme-v01.api.letsencrypt.org"
|
||||
# Optional: Authority API endpoint to use
|
||||
# Legacy ACME v1 API with options:
|
||||
#api: v1
|
||||
#authority: "https://acme-v01.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging.api.letsencrypt.org"
|
||||
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
# Current (default) ACME v2 API with options:
|
||||
#api: v2
|
||||
#authority: "https://acme-v02.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging-v02.api.letsencrypt.org"
|
||||
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
|
||||
#authority_contact_email: "foo@b.ar" # For single addresses
|
||||
#authority_contact_email: # For multiple addresses
|
||||
# - "foo@b.ar"
|
||||
# - "c4f3@b.ar"
|
||||
|
||||
# Optional: account_key location. This defaults to "/etc/acme/account.key"
|
||||
account_key: "/etc/acme/acc.key"
|
||||
# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
|
||||
#account_key: "/etc/acertmgr/account.key"
|
||||
|
||||
# Optional: global server_key location. Otherwise separate key per server
|
||||
#server_key: "/etc/acme/serv.key"
|
||||
#server_key: "/etc/acertmgr/server.key"
|
||||
|
||||
# Optional: global challenge handling mode with parameters
|
||||
#mode: webdir
|
||||
@ -114,7 +126,8 @@ www.example.com example.com:
|
||||
|
||||
# this will create a certificate with subject alternative names
|
||||
# using a different challenge handler for one domain
|
||||
mail.example.com smtp.example.com webmail.example.net:
|
||||
# wildcards are possible with api v2 and dns challenge modes only!
|
||||
mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: ns1.example.com
|
||||
nsupdate_keyname: mail
|
||||
@ -148,8 +161,8 @@ mail.example.com smtp.example.com webmail.example.net:
|
||||
"mode": "standalone",
|
||||
"port": "80",
|
||||
|
||||
"account_key": "/etc/acme/acc.key",
|
||||
"server_key": "/etc/acme/serv.key",
|
||||
"account_key": "/etc/acertmgr/acc.key",
|
||||
"server_key": "/etc/acertmgr/serv.key",
|
||||
|
||||
"webdir": "/var/www/acme-challenge/",
|
||||
"authority": "https://acme-v01.api.letsencrypt.org",
|
||||
|
@ -1,13 +1,25 @@
|
||||
---
|
||||
# Required: Authority API endpoint to use
|
||||
# Optional: Authority API endpoint to use
|
||||
# Legacy ACME v1 API with options:
|
||||
#api: v1
|
||||
#authority: "https://acme-v01.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging.api.letsencrypt.org"
|
||||
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
# Current (default) ACME v2 API with options:
|
||||
#api: v2
|
||||
#authority: "https://acme-v02.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging-v02.api.letsencrypt.org"
|
||||
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
|
||||
#authority_contact_email: "foo@b.ar" # For single addresses
|
||||
#authority_contact_email: # For multiple addresses
|
||||
# - "foo@b.ar"
|
||||
# - "c4f3@b.ar"
|
||||
|
||||
# Optional: account_key location. This defaults to "/etc/acme/account.key"
|
||||
#account_key: "/etc/acme/acc.key"
|
||||
# Optional: account_key location. This defaults to "/etc/acertmgr/account.key"
|
||||
#account_key: "/etc/acertmgr/account.key"
|
||||
|
||||
# Optional: global server_key location. Otherwise separate key per server
|
||||
#server_key: "/etc/acme/serv.key"
|
||||
#server_key: "/etc/acertmgr/server.key"
|
||||
|
||||
# Optional: global challenge handling mode with parameters
|
||||
#mode: webdir
|
||||
|
@ -38,7 +38,8 @@ www.example.com example.com:
|
||||
|
||||
# this will create a certificate with subject alternative names
|
||||
# using a different challenge handler for one domain
|
||||
mail.example.com smtp.example.com webmail.example.net:
|
||||
# wildcards are possible with api v2 and dns challenge modes only!
|
||||
mail.example.com smtp.example.com webmail.example.net *.intra.example.com:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: ns1.example.com
|
||||
nsupdate_keyname: mail
|
||||
|
Loading…
Reference in New Issue
Block a user