diff --git a/vars.example b/vars.example
index 17d1bb6..59973f6 100644
--- a/vars.example
+++ b/vars.example
@@ -7,88 +7,95 @@
 # ------------------------------------------------------------------
 # Base directory of dynTLS configuration (defaults to script directory)
-#set_var DYNTLS "${0%/*}"
+#set_var DYNTLS "${0%/*}"
 # Main ACME client program used for certificate operations
 # You can set this to any compatible wrapper script or binary
 # https://github.com/bruncsak/ght-acme.sh
-#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"
+#set_var DYNTLS_LE_PROGRAM "contrib/acme/letsencrypt.sh"
 # OpenSSL binary (path if not in $PATH)
-#set_var DYNTLS_OPENSSL "openssl"
+#set_var DYNTLS_OPENSSL "openssl"
 # Productive mode:
 # 0 = staging (test certs from Let's Encrypt staging server)
 # 1 = production (real certs)
-#set_var DYNTLS_PRODUCTIVE 0
+#set_var DYNTLS_PRODUCTIVE 0
 # Use symlinks for server key: 1 = link all domains to base key
-#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
+#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
 # ------------------------------------------------------------------
 # PKI DIRECTORIES
 # ------------------------------------------------------------------
-# Root PKI folder (contains httpd structure /certs /private etc.)
-#set_var DYNTLS_PKI "/etc/pki"
+# Directory where dynTLS stores downloaded root certificates
+#set_var DYNTLS_LE_CERT_DIR "$DYNTLS/certs"
 # Temporary working dir
-#set_var DYNTLS_TMP "$DYNTLS/tmp"
+#set_var DYNTLS_LE_TMP_DIR "$DYNTLS/tmp"
+
+# Root PKI folder (contains httpd structure /certs /private etc.)
+#set_var DYNTLS_PKI "/etc/pki"
 # HTTP service PKI directories
-#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
-#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
-#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
-#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
+#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
+#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
+#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
+#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
 # Cert/key naming suffixes
 #set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
+#set_var DYNTLS_PKI_TMP_CHAIN_SUFFIX "cert.pem_chain"
+#set_var DYNTLS_PKI_CHAIN_SUFFIX "chain.pem"
 #set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
 #set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"
 # Base server key file and path
-#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
-#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
-
-# Key algorithm and size
-#set_var DYNTLS_PKI_KEY_ALGO rsa
-#set_var DYNTLS_PKI_KEY_SIZE 2048
-#set_var DYNTLS_PKI_KEY_CURVE secp384r1
-
-# Certificate expiration threshold in days before renewal
-#set_var DYNTLS_PKI_CERT_EXPIRE 30
-
-# Force regenerating keys on renewal (0=no, 1=yes)
-#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
-
-# Days to keep backuped certificates before removal
-# Set to 0 to disable automatic deletion of backups
-#DYNTLS_BACKUP_EXPIRATION=720
+#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
+#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
 # ------------------------------------------------------------------
 # LET'S ENCRYPT / ACME
 # ------------------------------------------------------------------
 # Account key used to register with Let's Encrypt
-#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
+#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
 # Token directory for http-01 challenges
-#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
-#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
-#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
+#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
+#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
+#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache:apache"
 # Chain CA files for fullchains
-#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
-#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
-#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
-#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
-#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
-#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
+#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
+#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
+#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
+#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
+#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
+#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
+
+# URL of the Let's Encrypt root certificate to download (default: ISRG Root X1)
+#set_var DYNTLS_LE_ROOT_CERT_URL "https://letsencrypt.org/certs/isrgrootx1.pem"
+
+# Local filename for the downloaded root certificate within DYNTLS_LE_CERT_DIR
+#set_var DYNTLS_LE_ROOT_CERT_FILE "isrgrootx1.pem"
+
+# Key algorithm and size
+#set_var DYNTLS_PKI_KEY_ALGO rsa
+#set_var DYNTLS_PKI_KEY_SIZE 2048
+#set_var DYNTLS_PKI_KEY_CURVE secp384r1
+
+# Certificate expiration threshold in days before renewal
+#set_var DYNTLS_PKI_CERT_EXPIRE 30
+
+# Force regenerating keys on renewal (0=no, 1=yes)
+#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
 # DNS validation (dns-01 challenge): server address and TSIG key file name
-#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
-#set_var DYNTLS_DNS_TSIG "tsig.key"
-#set_var DYNTLS_DNS_ZONE ""
+#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
+#set_var DYNTLS_DNS_TSIG "tsig.key"
+#set_var DYNTLS_DNS_ZONE ""
 # ------------------------------------------------------------------
 # LOGGING
@@ -107,7 +114,7 @@
 # Indicates areas that may require attention to prevent errors.
 # 4 = error : Errors indicating failures that impact functionality and require investigation.
 # 5 = critical : Severe, critical failures that cause system malfunction and need immediate action.
-#set_var DYNTLS_LOG_LEVEL "3"
+#set_var DYNTLS_LOG_LEVEL 3
 # ------------------------------------------------------------------
 # DOMAIN LISTS (CN + SANs)
@@ -115,7 +122,7 @@
 # ------------------------------------------------------------------
 # Example multi-domain certificate (CN + SANs separated by :)
-#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
+#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
 # ------------------------------------------------------------------
 # SERVICE LISTS (map CN to a service)
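Review bot: The new DYNTLS_LE_ROOT_CERT_URL and DYNTLS_LE_ROOT_CERT_FILE entries say where the root certificate comes from but not how an operator should check what ends up in DYNTLS_LE_CERT_DIR, and every chain validated against that file is trusted only as far as that one download is; this example is the place users will read. Next to the URL I would add `# Verify the downloaded file against the fingerprint Let's Encrypt publishes for ISRG Root X1 before relying on it for chain validation` and `# Alternatively point DYNTLS_LE_CERT_DIR at the system CA store so the root is maintained by your OS vendor`. Presumably the script fetches this over HTTPS with certificate verification enabled; if that is not the case, the example should state it, since a plain or unverified fetch of a trust anchor defeats the purpose. Separately, DYNTLS_HTTPD_DEFAULT_OWNER now uses `apache:apache` while the DYNTLS_DOMAINSERVICE_LIST format in the later hunk keeps `user.group` (`root.root`), which is forced there because `:` is the list field separator; a short comment on that line saying so would stop readers from "correcting" one form to match the other.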
@@ -134,17 +141,17 @@
 # ------------------------------------------------------------------
 # Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
-#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
+#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
 # ------------------------------------------------------------------
 # OPTIONAL COMMAND HOOKS
 # ------------------------------------------------------------------
 # Commands to run before issuing/renewing a cert
-#set_list DYNTLS_CMD_PRE_LIST ""
+#set_list DYNTLS_CMD_PRE_LIST ""
 # Commands to run after successfully issuing/renewing a cert
-#set_list DYNTLS_CMD_POST_LIST ""
+#set_list DYNTLS_CMD_POST_LIST ""
 # ------------------------------------------------------------------
 # BACKUP AND EXPIRATION
@@ -152,4 +159,4 @@
 # Days to keep backuped certificates before removal
 # Set to 0 to disable automatic deletion of backups
-#set_var DYNTLS_BACKUP_EXPIRATION 360
+#set_var DYNTLS_BACKUP_EXPIRATION 360