Document LE root CA download configuration options
+55
-48
@@ -7,88 +7,95 @@
|
|||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Base directory of dynTLS configuration (defaults to script directory)
|
# Base directory of dynTLS configuration (defaults to script directory)
|
||||||
#set_var DYNTLS "${0%/*}"
|
#set_var DYNTLS "${0%/*}"
|
||||||
|
|
||||||
# Main ACME client program used for certificate operations
|
# Main ACME client program used for certificate operations
|
||||||
# You can set this to any compatible wrapper script or binary
|
# You can set this to any compatible wrapper script or binary
|
||||||
# https://github.com/bruncsak/ght-acme.sh
|
# https://github.com/bruncsak/ght-acme.sh
|
||||||
#DYNTLS_LE_PROGRAM="contrib/acme/letsencrypt.sh"
|
#set_var DYNTLS_LE_PROGRAM "contrib/acme/letsencrypt.sh"
|
||||||
|
|
||||||
# OpenSSL binary (path if not in $PATH)
|
# OpenSSL binary (path if not in $PATH)
|
||||||
#set_var DYNTLS_OPENSSL "openssl"
|
#set_var DYNTLS_OPENSSL "openssl"
|
||||||
|
|
||||||
# Productive mode:
|
# Productive mode:
|
||||||
# 0 = staging (test certs from Let's Encrypt staging server)
|
# 0 = staging (test certs from Let's Encrypt staging server)
|
||||||
# 1 = production (real certs)
|
# 1 = production (real certs)
|
||||||
#set_var DYNTLS_PRODUCTIVE 0
|
#set_var DYNTLS_PRODUCTIVE 0
|
||||||
|
|
||||||
# Use symlinks for server key: 1 = link all domains to base key
|
# Use symlinks for server key: 1 = link all domains to base key
|
||||||
#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
|
#set_var DYNTLS_PKI_KEY_LNS 0 # 0=per-domain key, 1=symlink all to base server key
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# PKI DIRECTORIES
|
# PKI DIRECTORIES
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Root PKI folder (contains httpd structure /certs /private etc.)
|
# Directory where dynTLS stores downloaded root certificates
|
||||||
#set_var DYNTLS_PKI "/etc/pki"
|
#set_var DYNTLS_LE_CERT_DIR "$DYNTLS/certs"
|
||||||
|
|
||||||
# Temporary working dir
|
# Temporary working dir
|
||||||
#set_var DYNTLS_TMP "$DYNTLS/tmp"
|
#set_var DYNTLS_LE_TMP_DIR "$DYNTLS/tmp"
|
||||||
|
|
||||||
|
# Root PKI folder (contains httpd structure /certs /private etc.)
|
||||||
|
#set_var DYNTLS_PKI "/etc/pki"
|
||||||
|
|
||||||
# HTTP service PKI directories
|
# HTTP service PKI directories
|
||||||
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
|
#set_var DYNTLS_PKI_HTTP_DIR "$DYNTLS_PKI/httpd"
|
||||||
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
|
#set_var DYNTLS_PKI_HTTP_CERT_DIR "$DYNTLS_PKI_HTTP_DIR/certs"
|
||||||
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
|
#set_var DYNTLS_PKI_HTTP_KEY_DIR "$DYNTLS_PKI_HTTP_DIR/private"
|
||||||
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
|
#set_var DYNTLS_PKI_HTTP_CERT_BACKUP_DIR "$DYNTLS_PKI_HTTP_CERT_DIR/backup"
|
||||||
|
|
||||||
# Cert/key naming suffixes
|
# Cert/key naming suffixes
|
||||||
#set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
|
#set_var DYNTLS_PKI_CERT_SUFFIX "cert.pem"
|
||||||
|
#set_var DYNTLS_PKI_TMP_CHAIN_SUFFIX "cert.pem_chain"
|
||||||
|
#set_var DYNTLS_PKI_CHAIN_SUFFIX "chain.pem"
|
||||||
#set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
|
#set_var DYNTLS_PKI_FULLCHAIN_SUFFIX "fullchain.pem"
|
||||||
#set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"
|
#set_var DYNTLS_PKI_KEY_SUFFIX "key.pem"
|
||||||
|
|
||||||
# Base server key file and path
|
# Base server key file and path
|
||||||
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
|
#set_var DYNTLS_PKI_SERVER_BASEKEY_FILE "base.$DYNTLS_PKI_KEY_SUFFIX"
|
||||||
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
|
#set_var DYNTLS_PKI_SERVER_BASEKEY "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_PKI_SERVER_BASEKEY_FILE"
|
||||||
|
|
||||||
# Key algorithm and size
|
|
||||||
#set_var DYNTLS_PKI_KEY_ALGO rsa
|
|
||||||
#set_var DYNTLS_PKI_KEY_SIZE 2048
|
|
||||||
#set_var DYNTLS_PKI_KEY_CURVE secp384r1
|
|
||||||
|
|
||||||
# Certificate expiration threshold in days before renewal
|
|
||||||
#set_var DYNTLS_PKI_CERT_EXPIRE 30
|
|
||||||
|
|
||||||
# Force regenerating keys on renewal (0=no, 1=yes)
|
|
||||||
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
|
|
||||||
|
|
||||||
# Days to keep backuped certificates before removal
|
|
||||||
# Set to 0 to disable automatic deletion of backups
|
|
||||||
#DYNTLS_BACKUP_EXPIRATION=720
|
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# LET'S ENCRYPT / ACME
|
# LET'S ENCRYPT / ACME
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Account key used to register with Let's Encrypt
|
# Account key used to register with Let's Encrypt
|
||||||
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
|
#set_var DYNTLS_ENCRYPT_ACCOUNTKEY "$DYNTLS/private/letsencrypt_account.key"
|
||||||
|
|
||||||
# Token directory for http-01 challenges
|
# Token directory for http-01 challenges
|
||||||
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
|
#set_var DYNTLS_HTTPD_DEFAULT_DIR "/var/www/public_html/default"
|
||||||
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
|
#set_var DYNTLS_ENCRYPT_TOKEN_DIR "$DYNTLS_HTTPD_DEFAULT_DIR/.well-known/acme-challenge"
|
||||||
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache."
|
#set_var DYNTLS_HTTPD_DEFAULT_OWNER "apache:apache"
|
||||||
|
|
||||||
# Chain CA files for fullchains
|
# Chain CA files for fullchains
|
||||||
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
|
#set_var DYNTLS_PKI_LECA_CHAIN_FILE "LE_CA.chain.pem"
|
||||||
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
|
#set_var DYNTLS_PKI_LECA_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_CHAIN_FILE"
|
||||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
|
#set_var DYNTLS_PKI_LECA_R12_CHAIN_FILE "LE_CA-R12.chain.pem"
|
||||||
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
|
#set_var DYNTLS_PKI_LECA_R12_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R12_CHAIN_FILE"
|
||||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
|
#set_var DYNTLS_PKI_LECA_R13_CHAIN_FILE "LE_CA-R13.chain.pem"
|
||||||
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
|
#set_var DYNTLS_PKI_LECA_R13_CHAIN "$DYNTLS_PKI_HTTP_CERT_DIR/$DYNTLS_PKI_LECA_R13_CHAIN_FILE"
|
||||||
|
|
||||||
|
# URL of the Let's Encrypt root certificate to download (default: ISRG Root X1)
|
||||||
|
#set_var DYNTLS_LE_ROOT_CERT_URL "https://letsencrypt.org/certs/isrgrootx1.pem"
|
||||||
|
|
||||||
|
# Local filename for the downloaded root certificate within DYNTLS_LE_CERT_DIR
|
||||||
|
#set_var DYNTLS_LE_ROOT_CERT_FILE "isrgrootx1.pem"
|
||||||
|
|
||||||
|
# Key algorithm and size
|
||||||
|
#set_var DYNTLS_PKI_KEY_ALGO rsa
|
||||||
|
#set_var DYNTLS_PKI_KEY_SIZE 2048
|
||||||
|
#set_var DYNTLS_PKI_KEY_CURVE secp384r1
|
||||||
|
|
||||||
|
# Certificate expiration threshold in days before renewal
|
||||||
|
#set_var DYNTLS_PKI_CERT_EXPIRE 30
|
||||||
|
|
||||||
|
# Force regenerating keys on renewal (0=no, 1=yes)
|
||||||
|
#set_var DYNTLS_PKI_KEY_FORCE_RENEW 0
|
||||||
|
|
||||||
# DNS validation (dns-01 challenge): server address and TSIG key file name
|
# DNS validation (dns-01 challenge): server address and TSIG key file name
|
||||||
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
|
#set_var DYNTLS_DNS_SERVER "root-dns.example365.tld"
|
||||||
#set_var DYNTLS_DNS_TSIG "tsig.key"
|
#set_var DYNTLS_DNS_TSIG "tsig.key"
|
||||||
#set_var DYNTLS_DNS_ZONE ""
|
#set_var DYNTLS_DNS_ZONE ""
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# LOGGING
|
# LOGGING
|
||||||
@@ -107,7 +114,7 @@
|
|||||||
# Indicates areas that may require attention to prevent errors.
|
# Indicates areas that may require attention to prevent errors.
|
||||||
# 4 = error : Errors indicating failures that impact functionality and require investigation.
|
# 4 = error : Errors indicating failures that impact functionality and require investigation.
|
||||||
# 5 = critical : Severe, critical failures that cause system malfunction and need immediate action.
|
# 5 = critical : Severe, critical failures that cause system malfunction and need immediate action.
|
||||||
#set_var DYNTLS_LOG_LEVEL "3"
|
#set_var DYNTLS_LOG_LEVEL 3
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# DOMAIN LISTS (CN + SANs)
|
# DOMAIN LISTS (CN + SANs)
|
||||||
@@ -115,7 +122,7 @@
|
|||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Example multi-domain certificate (CN + SANs separated by :)
|
# Example multi-domain certificate (CN + SANs separated by :)
|
||||||
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
|
#set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld"
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# SERVICE LISTS (map CN to a service)
|
# SERVICE LISTS (map CN to a service)
|
||||||
@@ -134,17 +141,17 @@
|
|||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
|
# Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
|
||||||
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
|
#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# OPTIONAL COMMAND HOOKS
|
# OPTIONAL COMMAND HOOKS
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
# Commands to run before issuing/renewing a cert
|
# Commands to run before issuing/renewing a cert
|
||||||
#set_list DYNTLS_CMD_PRE_LIST ""
|
#set_list DYNTLS_CMD_PRE_LIST ""
|
||||||
|
|
||||||
# Commands to run after successfully issuing/renewing a cert
|
# Commands to run after successfully issuing/renewing a cert
|
||||||
#set_list DYNTLS_CMD_POST_LIST ""
|
#set_list DYNTLS_CMD_POST_LIST ""
|
||||||
|
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# BACKUP AND EXPIRATION
|
# BACKUP AND EXPIRATION
|
||||||
@@ -152,4 +159,4 @@
|
|||||||
|
|
||||||
# Days to keep backuped certificates before removal
|
# Days to keep backuped certificates before removal
|
||||||
# Set to 0 to disable automatic deletion of backups
|
# Set to 0 to disable automatic deletion of backups
|
||||||
#set_var DYNTLS_BACKUP_EXPIRATION 360
|
#set_var DYNTLS_BACKUP_EXPIRATION 360
|
||||||
|
|||||||
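Review bot: The new DYNTLS_LE_ROOT_CERT_URL and DYNTLS_LE_ROOT_CERT_FILE options (added below the R13 chain entries in the first hunk) introduce a root certificate that is fetched at runtime, but the example says nothing about how the downloaded file is checked before it lands in DYNTLS_LE_CERT_DIR and, presumably, serves as the trust anchor for the chain files configured just above it. A root fetched at runtime is only as trustworthy as the transfer that delivered it, so I would state the expectation next to the option: `# NOTE: the file fetched from this URL is trusted as a root CA; confirm its fingerprint against the one Let's Encrypt publishes whenever the URL or file changes`. Whether the script itself verifies the download is not visible in this diff. The same hunk also replaces the DYNTLS_TMP example with DYNTLS_LE_TMP_DIR; if the script still reads the old name, the example no longer documents a live option, which is worth confirming against the script.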