Document LE root CA download configuration options

vars.example

@@ -12,7 +12,7 @@
 # Main ACME client program used for certificate operations
 # You can set this to any compatible wrapper script or binary
 # https://github.com/bruncsak/ght-acme.sh
-#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"
+#set_var DYNTLS_LE_PROGRAM  "contrib/acme/letsencrypt.sh"
 
 # OpenSSL binary (path if not in $PATH)
 #set_var DYNTLS_OPENSSL  "openssl"
@@ -29,11 +29,14 @@
 # PKI DIRECTORIES
 # ------------------------------------------------------------------
 
-# Root PKI folder (contains httpd structure /certs /private etc.)
+# Directory where dynTLS stores downloaded root certificates
-#set_var DYNTLS_PKI "/etc/pki"
+#set_var DYNTLS_LE_CERT_DIR       "$DYNTLS/certs"
 
 # Temporary working dir
-#set_var DYNTLS_TMP "$DYNTLS/tmp"
+#set_var DYNTLS_LE_TMP_DIR  "$DYNTLS/tmp"
+
+# Root PKI folder (contains httpd structure /certs /private etc.)
+#set_var DYNTLS_PKI  "/etc/pki"
 
 # HTTP service PKI directories
 #set_var DYNTLS_PKI_HTTP_DIR              "$DYNTLS_PKI/httpd"
@@ -43,6 +46,8 @@
 
 # Cert/key naming suffixes
 #set_var DYNTLS_PKI_CERT_SUFFIX       "cert.pem"
+#set_var DYNTLS_PKI_TMP_CHAIN_SUFFIX  "cert.pem_chain"
+#set_var DYNTLS_PKI_CHAIN_SUFFIX      "chain.pem"
 #set_var DYNTLS_PKI_FULLCHAIN_SUFFIX  "fullchain.pem"
 #set_var DYNTLS_PKI_KEY_SUFFIX        "key.pem"
 
@@ -50,21 +55,6 @@
 #set_var DYNTLS_PKI_SERVER_BASEKEY_FILE  "base.$DYNTLS_PKI_KEY_SUFFIX"
 #set_var DYNTLS_PKI_SERVER_BASEKEY       "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
 
-# Key algorithm and size
-#set_var DYNTLS_PKI_KEY_ALGO rsa
-#set_var DYNTLS_PKI_KEY_SIZE 2048
-#set_var DYNTLS_PKI_KEY_CURVE secp384r1
-
-# Certificate expiration threshold in days before renewal
-#set_var DYNTLS_PKI_CERT_EXPIRE 30
-
-# Force regenerating keys on renewal (0=no, 1=yes)
-#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
-
-# Days to keep backuped certificates before removal
-# Set to 0 to disable automatic deletion of backups
-#DYNTLS_BACKUP_EXPIRATION=720
-
 # ------------------------------------------------------------------
 # LET'S ENCRYPT / ACME
 # ------------------------------------------------------------------
@@ -75,7 +65,7 @@
 # Token directory for http-01 challenges
 #set_var DYNTLS_HTTPD_DEFAULT_DIR    "/var/www/public_html/default"
 #set_var DYNTLS_ENCRYPT_TOKEN_DIR    "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
-#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
+#set_var DYNTLS_HTTPD_DEFAULT_OWNER  "apache:apache"
 
 # Chain CA files for fullchains
 #set_var DYNTLS_PKI_LECA_CHAIN_FILE      "LE_CA.chain.pem"
@@ -85,6 +75,23 @@
 #set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE  "LE_CA-R13.chain.pem"
 #set_var DYNTLS_PKI_LECA_R13_CHAIN       "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
 
+# URL of the Let's Encrypt root certificate to download (default: ISRG Root X1)
+#set_var DYNTLS_LE_ROOT_CERT_URL  "https://letsencrypt.org/certs/isrgrootx1.pem"
+
+# Local filename for the downloaded root certificate within DYNTLS_LE_CERT_DIR
+#set_var DYNTLS_LE_ROOT_CERT_FILE  "isrgrootx1.pem"
+
+# Key algorithm and size
+#set_var DYNTLS_PKI_KEY_ALGO   rsa
+#set_var DYNTLS_PKI_KEY_SIZE   2048
+#set_var DYNTLS_PKI_KEY_CURVE  secp384r1
+
+# Certificate expiration threshold in days before renewal
+#set_var DYNTLS_PKI_CERT_EXPIRE  30
+
+# Force regenerating keys on renewal (0=no, 1=yes)
+#set_var DYNTLS_PKI_KEY_FORCE_RENEW  0
+
 # DNS validation (dns-01 challenge): server address and TSIG key file name
 #set_var DYNTLS_DNS_SERVER  "root-dns.example365.tld"
 #set_var DYNTLS_DNS_TSIG    "tsig.key"
@@ -107,7 +114,7 @@
 #                 Indicates areas that may require attention to prevent errors.
 # 4 = error     : Errors indicating failures that impact functionality and require investigation.
 # 5 = critical  : Severe, critical failures that cause system malfunction and need immediate action.
-#set_var DYNTLS_LOG_LEVEL "3"
+#set_var DYNTLS_LOG_LEVEL  3
 
 # ------------------------------------------------------------------
 # DOMAIN LISTS (CN + SANs)