
Configuration options for acme2certifier

grindsa edited this page Aug 6, 2024 · 9 revisions

acme_srv.cfg


| Section | Option | Description | Values | Default |
|---|---|---|---|---|
| DEFAULT | debug | Debug mode | True/False | False |
| DEFAULT | proxy_server_list | Proxy-server configuration | `{"bar.local$": "http://10.0.0.1:3128", "foo.local$": "socks5://10.0.0.1:1080"}` | None |
| Account | ecc_only | mandates the use of ECC for account key generation | True/False | False |
| Account | inner_header_nonce_allow | allow a nonce header on the inner JWS during key rollover | True/False | False |
| Account | tos_check_disable | turn off the "Terms of Service" acceptance check | True/False | False |
| Authorization | expiry_check_disable | Disable authorization expiration | True/False | False |
| Authorization | validity | authorization validity in seconds | Integer | 86400 |
| CAhandler | handler_file | path and name of the ca_handler file to be loaded. If not specified, acme_srv/ca_handler.py will be loaded | examples/ca_handler/openssl_handler.py | acme_srv/ca_handler.py |
| Certificate | revocation_reason_check_disable | disable the check of the revocation reason | True/False | False |
| Certificate | cert_reusage_timeframe | if a CSR is resent within this timeframe (in seconds), the certificate already stored in the database is returned and no enrollment is triggered | Integer | 0 (disabled) |
| Certificate | enrollment_timeout | timeout in seconds for the asynchronous ca_handler thread | Integer | 5 |
| Challenge | challenge_validation_disable | disable challenge validation via http or dns. THIS IS A SEVERE SECURITY ISSUE! Please enable for testing/debugging purposes only. | True/False | False |
| Challenge | challenge_validation_timeout | Timeout in seconds for challenge validation | Integer | 10 |
| Challenge | dns_server_list | Use your own DNS servers for name resolution during challenge verification | `["ip1", "ip2"]` | `[]` |
| Challenge | dns_validation_pause_timer | pause interval in seconds after a failed validation of a dns challenge | 10 | 0.5 |
| Challenge | sectigo_sim | provide sectigo-email-01 challenges - Only for development and testing! | True/False | False |
| DBhandler | dbfile | path and name of the database file. If not specified, acme_srv/acme_srv.db will be used. The parameter is only available for the wsgi handler and is ignored if the django handler is used | 'acme/database.db' | acme_srv/acme_srv.db |
| Directory | db_check | check the database connection, compare schemes and report as OK/NOK in the meta information | True/False | False |
| Directory | home | homepage string to be shown when fetching the directory resource | 'string' | 'https://github.com/grindsa/acme2certifier' |
| Directory | supress_product_information | Do not show product name, author and version when fetching the directory resource | True/False | False |
| Directory | supress_version | Do not show version information when fetching the directory resource | True/False | False |
| Directory | tos_url | Terms of Service URL | URL | None |
| Directory | url_prefix | URL prefix for acme2certifier resources | '/foo' | None |
| Helper | log_format | Format of logging information; see the 'LogRecord attributes' section of the Python logging module | | `%(message)s` |
| Hooks | hooks_file | path and name of the hooks file (for pre- and post-enrollment hooks) to be loaded | | None |
| Hooks | ignore_pre_hook_failure | | True/False | False |
| Hooks | ignore_post_hook_failure | | True/False | True |
| Hooks | ignore_success_hook_failure | | True/False | False |
| Message | signature_check_disable | disable the signature check of incoming JWS messages. THIS IS A SEVERE SECURITY ISSUE bypassing security checks and allowing message manipulation in transit. Please enable for testing/debugging purposes only. | True/False | False |
| Nonce | nonce_check_disable | disable the nonce check. THIS IS A SECURITY ISSUE as it exposes the API to replay attacks! Should be enabled for testing/debugging purposes only. | True/False | False |
| Order | expiry_check_disable | Disable order expiration | True/False | False |
| Order | header_info_list | HTTP header fields to be passed to the ca handler | `["HTTP_USER_AGENT", "FOO_BAR"]` | `[]` |
| Order | retry_after_timeout | Retry-After value to be sent to the client when a certificate enrollment request is pending on the CA server | Integer | 120 |
| Order | identifier_limit | Maximum number of identifiers submitted in a single order request, which later translate into SANs per certificate | Integer | 20 |
| Order | tnauthlist_support | accept TNAuthList identifiers and challenges of type tkauth-01 | True/False | False |
| Order | validity | Order validity in seconds | Integer | 86400 |

The options for the CAhandler section depend on the CA handler.

Further options for the Hooks section depend on the concrete hooks class.
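Three of the options above (challenge_validation_disable, signature_check_disable, nonce_check_disable) are marked as severe security issues that belong in test setups only, and several others must hold valid JSON. The following is an added example, not part of the acme2certifier project: a small audit that parses an acme_srv.cfg with Python's configparser (the INI format the file uses) and reports those flags when enabled, plus JSON list options that would not parse. The sample config embedded at the end is constructed for the demonstration.

```python
import configparser
import json

# Option -> why the table above flags it (each defaults to False).
RISKY_FLAGS = {
    ("Challenge", "challenge_validation_disable"):
        "challenge validation off: domain control is never verified",
    ("Message", "signature_check_disable"):
        "JWS signature check off: requests can be altered in transit",
    ("Nonce", "nonce_check_disable"):
        "nonce check off: the API is exposed to replay attacks",
}
# Options the table documents as JSON values, with the expected type.
JSON_OPTIONS = {
    ("Challenge", "dns_server_list"): list,
    ("Order", "header_info_list"): list,
}

def audit_acme_srv_cfg(cfg_text: str) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    # interpolation=None: Helper/log_format legitimately contains '%(message)s'
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    for (section, option), reason in RISKY_FLAGS.items():
        # getboolean() understands True/true/yes/1; absent option -> False
        if cfg.getboolean(section, option, fallback=False):
            findings.append(f"[{section}] {option} = True: {reason}")
    for (section, option), expected in JSON_OPTIONS.items():
        raw = cfg.get(section, option, fallback=None)
        if raw is None:
            continue
        try:
            value = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(f"[{section}] {option}: not valid JSON")
            continue
        if not isinstance(value, expected):
            findings.append(f"[{section}] {option}: expected a JSON {expected.__name__}")
    return findings

# Constructed sample: a test-lab config that was never hardened for production.
SAMPLE_CFG = """
[Challenge]
challenge_validation_disable: True
dns_server_list: ["10.0.0.53", "10.0.0.54"]
[Nonce]
nonce_check_disable: true
[Order]
header_info_list: ["HTTP_USER_AGENT"
"""
```

Running `audit_acme_srv_cfg(SAMPLE_CFG)` yields three findings: the two disabled security checks and the unterminated header_info_list value.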

Instructions for Insta Certifier

Instructions for NetGuard Certificate Lifecycle Manager

Instructions for Microsoft Certification Authority Web Enrollment Service

Instructions for the generic EST handler

Instructions for the generic CMPv2 handler

Instructions for XCA handler

Instructions for Openssl based CA handler
