Document LE root CA download configuration options
This commit is contained in:
+55
-48
@@ -7,88 +7,95 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Base directory of dynTLS configuration (defaults to script directory)
|
||||
#set_var DYNTLS "${0%/*}"
|
||||
#set_var DYNTLS "${0%/*}"
|
||||
|
||||
# Main ACME client program used for certificate operations
|
||||
# You can set this to any compatible wrapper script or binary
|
||||
# https://github.com/bruncsak/ght-acme.sh
|
||||
#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"
|
||||
#set_var DYNTLS_LE_PROGRAM "contrib/acme/letsencrypt.sh"
|
||||
|
||||
# OpenSSL binary (path if not in $PATH)
|
||||
#set_var DYNTLS_OPENSSL "openssl"
|
||||
#set_var DYNTLS_OPENSSL "openssl"
|
||||
|
||||
# Productive mode:
|
||||
# 0 = staging (test certs from Let's Encrypt staging server)
|
||||
# 1 = production (real certs)
|
||||
#set_var DYNTLS_PRODUCTIVE 0
|
||||
#set_var DYNTLS_PRODUCTIVE 0
|
||||
|
||||
# Use symlinks for server key: 1 = link all domains to base key
|
||||
#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
|
||||
#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# PKI DIRECTORIES
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Root PKI folder (contains httpd structure /certs /private etc.)
|
||||
#set_var DYNTLS_PKI "/etc/pki"
|
||||
# Directory where dynTLS stores downloaded root certificates
|
||||
#set_var DYNTLS_LE_CERT_DIR "$DYNTLS/certs"
|
||||
|
||||
# Temporary working dir
|
||||
#set_var DYNTLS_TMP "$DYNTLS/tmp"
|
||||
#set_var DYNTLS_LE_TMP_DIR "$DYNTLS/tmp"
|
||||
|
||||
# Root PKI folder (contains httpd structure /certs /private etc.)
|
||||
#set_var DYNTLS_PKI "/etc/pki"
|
||||
|
||||
# HTTP service PKI directories
|
||||
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
|
||||
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
|
||||
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
|
||||
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
|
||||
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
|
||||
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
|
||||
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
|
||||
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
|
||||
|
||||
# Cert/key naming suffixes
|
||||
#set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
|
||||
#set_var DYNTLS_PKI_TMP_CHAIN_SUFFIX "cert.pem_chain"
|
||||
#set_var DYNTLS_PKI_CHAIN_SUFFIX "chain.pem"
|
||||
#set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
|
||||
#set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"
|
||||
|
||||
# Base server key file and path
|
||||
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
|
||||
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
|
||||
|
||||
# Key algorithm and size
|
||||
#set_var DYNTLS_PKI_KEY_ALGO rsa
|
||||
#set_var DYNTLS_PKI_KEY_SIZE 2048
|
||||
#set_var DYNTLS_PKI_KEY_CURVE secp384r1
|
||||
|
||||
# Certificate expiration threshold in days before renewal
|
||||
#set_var DYNTLS_PKI_CERT_EXPIRE 30
|
||||
|
||||
# Force regenerating keys on renewal (0=no, 1=yes)
|
||||
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
|
||||
|
||||
# Days to keep backuped certificates before removal
|
||||
# Set to 0 to disable automatic deletion of backups
|
||||
#DYNTLS_BACKUP_EXPIRATION=720
|
||||
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
|
||||
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# LET'S ENCRYPT / ACME
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Account key used to register with Let's Encrypt
|
||||
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
|
||||
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
|
||||
|
||||
# Token directory for http-01 challenges
|
||||
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
|
||||
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
|
||||
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
|
||||
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
|
||||
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
|
||||
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache:apache"
|
||||
|
||||
# Chain CA files for fullchains
|
||||
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
|
||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
|
||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
|
||||
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
|
||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
|
||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
|
||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
|
||||
|
||||
# URL of the Let's Encrypt root certificate to download (default: ISRG Root X1)
|
||||
#set_var DYNTLS_LE_ROOT_CERT_URL "https://letsencrypt.org/certs/isrgrootx1.pem"
|
||||
|
||||
# Local filename for the downloaded root certificate within DYNTLS_LE_CERT_DIR
|
||||
#set_var DYNTLS_LE_ROOT_CERT_FILE "isrgrootx1.pem"
|
||||
|
||||
# Key algorithm and size
|
||||
#set_var DYNTLS_PKI_KEY_ALGO rsa
|
||||
#set_var DYNTLS_PKI_KEY_SIZE 2048
|
||||
#set_var DYNTLS_PKI_KEY_CURVE secp384r1
|
||||
|
||||
# Certificate expiration threshold in days before renewal
|
||||
#set_var DYNTLS_PKI_CERT_EXPIRE 30
|
||||
|
||||
# Force regenerating keys on renewal (0=no, 1=yes)
|
||||
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
|
||||
|
||||
# DNS validation (dns-01 challenge): server address and TSIG key file name
|
||||
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
|
||||
#set_var DYNTLS_DNS_TSIG "tsig.key"
|
||||
#set_var DYNTLS_DNS_ZONE ""
|
||||
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
|
||||
#set_var DYNTLS_DNS_TSIG "tsig.key"
|
||||
#set_var DYNTLS_DNS_ZONE ""
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# LOGGING
|
||||
@@ -107,7 +114,7 @@
|
||||
# Indicates areas that may require attention to prevent errors.
|
||||
# 4 = error : Errors indicating failures that impact functionality and require investigation.
|
||||
# 5 = critical : Severe, critical failures that cause system malfunction and need immediate action.
|
||||
#set_var DYNTLS_LOG_LEVEL "3"
|
||||
#set_var DYNTLS_LOG_LEVEL 3
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# DOMAIN LISTS (CN + SANs)
|
||||
@@ -115,7 +122,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Example multi-domain certificate (CN + SANs separated by :)
|
||||
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
|
||||
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# SERVICE LISTS (map CN to a service)
|
||||
@@ -134,17 +141,17 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
|
||||
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
|
||||
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# OPTIONAL COMMAND HOOKS
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Commands to run before issuing/renewing a cert
|
||||
#set_list DYNTLS_CMD_PRE_LIST ""
|
||||
#set_list DYNTLS_CMD_PRE_LIST ""
|
||||
|
||||
# Commands to run after successfully issuing/renewing a cert
|
||||
#set_list DYNTLS_CMD_POST_LIST ""
|
||||
#set_list DYNTLS_CMD_POST_LIST ""
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# BACKUP AND EXPIRATION
|
||||
@@ -152,4 +159,4 @@
|
||||
|
||||
# Days to keep backuped certificates before removal
|
||||
# Set to 0 to disable automatic deletion of backups
|
||||
#set_var DYNTLS_BACKUP_EXPIRATION 360
|
||||
#set_var DYNTLS_BACKUP_EXPIRATION 360
|
||||
|
||||
Reference in New Issue
Block a user