Config variables
All the variables can be set at both the "account" level and the "domain" level. Anything set at the domain level will overwrite account level settings. In this way the top level is essentially your defaults, which you can modify for any particular domain.
The "certification authority" where you are getting the certificates from. The staging server is the default, and is good for testing as there are no real rate limits, so you are not likely to get blocked whilst testing. Change to a valid server ( CA="https://acme-v01.api.letsencrypt.org" ) to obtain a fully signed certificate once you have tested. I personally leave the default as the staging server, so any new domain I want to get certificates for is initially provided only a test cert ( from Happy Hacker ) until I know I have all the variables correct, then change to the valid server.
The agreement that has to be signed with the CA
Account key length. 4096 is the default, and max currently supported by LetsEncrypt.
###ACCOUNT_EMAIL="me@example.com" Account email, if you need to be contacted by the CA ( for example as a reminder of certificate expiry )
By default, once a domain has been authorised then, for your private account key, ACME remembers this for a period of time so that you don't need to authorise again to obtain a new certificate. If you wish to remove this authorisation then set the value to true, and you will need to re-authorise next time you need a certificate for this domain.
The directory below which all domain config and certificates etc are stored. Each certificate will have a folder based on its primary domain within this directory.
Domain key length. 4096 is the default, and max currently supported by LetsEncrypt.
The algorithm used for the domain key. "rsa", "prime256v1", "secp384r1" and "secp521r1" are supported by GetSSL.
By default private keys are kept, which can make it easier for those using key pinning security measures. You can set REUSE_PRIVATE_KEY="false" to renew the key for every certificate if you prefer though.
If DUAL_RSA_ECDSA is set to "true" then two certificates will be obtained. One using an RSA key, and the other using whatever key is defined by PRIVATE_KEY_ALG. You can then have a web server which uses both an RSA and Elliptic curve certificate.
Used by openssl when generating keys etc. The default should generally be fine.
###RELOAD_CMD="" The command required to reload or restart services once a certificate has been issued and copied to the correct location. Typically this would be something like "service apache2 reload" but could also include a remote server such as "ssh:server5:service apache2 reload" which will connect to server5 via SSH and issue the reload command. You can add a user if required "ssh:user@server5:service apache2 reload"
###RENEW_ALLOW="30" The number of days left on a certificate before the script will allow you to renew. Keeping this at something like 30 days helps prevent you asking for certificates repeatedly ( due to an error somewhere ) and hitting rate limits. 30 days also gives plenty of time to still renew if there are any issues.
###SANS="" Subject Alternative Name: The default is blank, but can be any list of alternate domains you want on the same certificate e.g. SANS="www.example.com, sub.example.com, www.sub.example.com" You should not include the primary domain in the SANS list ( you would typically just have www.domain.com in the SANS list).
###ACL= The ACME Challenge Location for the domain and each SAN. These are included in quotes, so for a main domain and a single SAN it would look like:
ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
You can use "ssh:servername:" or "ssh:user@servername:" at the start of any remote server location that you have ssh access to.
If a location for a file starts with ftp: or sftp: then the next variables are userid:password:servername:path
sftp requires sshpass and can be used for copying certificates and keys.
###USE_SINGLE_ACL="true" If USE_SINGLE_ACL is set to true (the default is false), then only the first ACL is used for all domains
Whilst all the certificates will be stored in a folder ( of the main domain name ) within the working directory, copies will be placed in the location that they are required by apache / nginx etc. These can be listed as local or remote (ssh:servername:) locations.
If a location for a file starts with sftp: then the next variables are userid:password:servername:path Note. sftp requires sshpass and can be used for copying certificates and keys.
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
- If blank, then no file is copied, the original will be stored in ~/.getssl/example.com/example.com.crt by default (where example.com is the main domain for this certificate)
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
- If blank, then no file is copied, the original will be stored in ~/.getssl/example.com/example.com.key by default (where example.com is the main domain for this certificate)
CA_CERT_LOCATION="/etc/ssl/chain.crt"
- If blank, then no file is copied, the original will be stored in ~/.getssl/example.com/chain.crt by default (where example.com is the main domain for this certificate)
DOMAIN_CHAIN_LOCATION=""
- This is a single file containing both the domain certificate and the CA certificate
- If blank, then no file is created / copied
DOMAIN_KEY_CERT_LOCATION=""
- This is a single file with both the private key and domain certificate
- If blank, then no file is created / copied
DOMAIN_PEM_LOCATION=""
- This is a single file with all three certificates in it
- If blank, then no file is created / copied
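The same "ssh:", "ssh:user@", "sftp:" and "ftp:" prefix convention is shared by the ACL entries, RELOAD_CMD and every *_LOCATION variable above. The helper below is an added example written for this page, not getssl's own parsing code: it classifies a location string into method, user, host and path (or command, for RELOAD_CMD), and a second function pre-checks that the parent directory of a local location exists so a mistyped path is caught before a run. The hostnames and paths are constructed sample values. Note that the sftp form carries a password inside the config file, so the parser never prints that field, and the config file itself should only be readable by the user running getssl.

```bash
#!/usr/bin/env bash
# Added example (not getssl's own code): classify the location strings accepted by
# ACL, RELOAD_CMD and the *_LOCATION variables into method, user, host and path/command.
# Output is one line: "<method> <user> <host> <path>", with "-" where a field is absent.
parse_location() {
  local loc=$1
  case $loc in
    ssh:*)
      # ssh:server5:/path  or  ssh:user@server5:/path  (also ssh:host:command for RELOAD_CMD)
      local rest=${loc#ssh:}
      local target=${rest%%:*}   # everything before the first ':' is the host spec
      local path=${rest#*:}      # everything after it is the path or command
      local user=- host=$target
      if [[ $target == *@* ]]; then
        user=${target%@*}
        host=${target#*@}
      fi
      printf '%s %s %s %s\n' ssh "$user" "$host" "$path"
      ;;
    sftp:*|ftp:*)
      # (s)ftp:userid:password:servername:path -- the password is parsed but never printed
      local method=${loc%%:*}
      local rest=${loc#*:}
      local user pass host path
      IFS=: read -r user pass host path <<<"$rest"
      [ -n "$host" ] && [ -n "$path" ] || { echo "incomplete $method location" >&2; return 1; }
      printf '%s %s %s %s\n' "$method" "$user" "$host" "$path"
      ;;
    /*)
      # Plain absolute path: the file is written on the host running getssl
      printf '%s %s %s %s\n' local - - "$loc"
      ;;
    *)
      echo "unrecognised location: $loc" >&2
      return 1
      ;;
  esac
}

# Pre-flight check for a local location: returns 0 if its parent directory exists
# (or if the location is remote and therefore not checked here), 1 otherwise.
check_local_location() {
  local out method user host path
  out=$(parse_location "$1") || return 1
  read -r method user host path <<<"$out"
  [ "$method" != local ] && return 0
  [ -d "$(dirname "$path")" ]
}

main() {
  # Constructed sample locations in the forms the config variables accept
  local loc
  for loc in 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge' \
             'ssh:deploy@server5:/etc/ssl/domain.crt' \
             'sftp:web:s3cret:server5:/etc/ssl/chain.crt' \
             '/var/www/example.com/web/.well-known/acme-challenge' \
             'ssh:server5:service apache2 reload'; do
    parse_location "$loc"
  done
}
main
```

Running the script prints one classified line per sample location; the sftp line shows the user and host but not the password.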
###VALIDATE_VIA_DNS="" The default is to use HTTP / HTTPS to challenge / validate ownership. Setting this variable to true will use DNS.
###DNS_ADD_COMMAND="" The script or command used to add a DNS challenge ( it will be passed the domain name and the challenge text as two arguments)
###DNS_DEL_COMMAND="" The script or command used to remove a DNS challenge ( it will be passed the domain name as a single argument)
###DNS_WAIT= The time period in seconds the system waits before rechecking the DNS token. Default=10
###DNS_EXTRA_WAIT= The time period to wait, after the internal checks of DNS server have returned the correct value, before asking the ACME server to verify the tokens are correct. Default=0
###PUBLIC_DNS_SERVER="" The DNS server to be used, if you want anything other than the computer's default DNS server to be used. If your default DNS server is internal to the network, and you need to force usage of an external DNS server ( such as 8.8.8.8 ) then it can be specified here.
###AUTH_DNS_SERVER="" The authoritative DNS server for the domain, for use where you want to force it to a specific value rather than have nslookup try to determine the authoritative nameserver for the domain. If more than one, specify them as a space-delimited list.
By default the script checks one authoritative DNS server, and assumes that all are in sync. If you want it to check all the DNS servers ( for the DNS challenge, to check the tokens are correct at every server ) then set the value to "true".
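To make the DNS hook contract concrete (DNS_ADD_COMMAND gets the domain and the challenge text, DNS_DEL_COMMAND gets only the domain, and the script then polls with DNS_WAIT between checks and DNS_EXTRA_WAIT after success), here is an added example written for this page, not getssl's own code. Instead of a real DNS provider API it uses a constructed zone file, ZONE_FILE, as a stand-in for the zone, and a `dns_txt` function stands in for the nslookup query, so the whole sequence can be exercised offline. The domain names and tokens are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example (not getssl's own code): a file-backed stand-in for the DNS_ADD_COMMAND /
# DNS_DEL_COMMAND hook contract, plus the polling done with DNS_WAIT / DNS_EXTRA_WAIT.
# A real hook would call your DNS provider's API; here a constructed zone file ZONE_FILE
# stands in for the zone, so the contract can be exercised offline.
ZONE_FILE=${ZONE_FILE:-$(mktemp)}

# Escape the dots in a domain so it can be used literally in grep/sed patterns.
_esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# DNS_ADD_COMMAND contract: $1 = domain, $2 = challenge token.
# Publishes _acme-challenge.<domain> TXT "<token>".
dns_add() {
  local domain=$1 token=$2
  [ -n "$domain" ] && [ -n "$token" ] || { echo 'usage: dns_add <domain> <token>' >&2; return 2; }
  printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$domain" "$token" >>"$ZONE_FILE"
}

# DNS_DEL_COMMAND contract: $1 = domain only. Removes every challenge record for that
# domain, and only that domain (www.example.com records survive a delete of example.com).
dns_del() {
  local domain=$1 tmp
  [ -n "$domain" ] || { echo 'usage: dns_del <domain>' >&2; return 2; }
  tmp=$(mktemp)
  grep -v "^_acme-challenge\.$(_esc "$domain")\. " "$ZONE_FILE" >"$tmp" || true
  mv "$tmp" "$ZONE_FILE"
}

# Stand-in for the nslookup query: print the TXT values published for the domain.
dns_txt() {
  sed -n "s/^_acme-challenge\.$(_esc "$1")\. [0-9]* IN TXT \"\(.*\)\"\$/\1/p" "$ZONE_FILE"
}

# Poll until the expected token is visible, sleeping DNS_WAIT seconds between checks and
# DNS_EXTRA_WAIT seconds after success, before the ACME server would be asked to verify.
# Returns 0 once the token is seen, 1 after $3 attempts (default 5).
wait_for_token() {
  local domain=$1 token=$2 attempts=${3:-5} i
  for ((i = 0; i < attempts; i++)); do
    if dns_txt "$domain" | grep -qxF -- "$token"; then
      sleep "${DNS_EXTRA_WAIT:-0}"
      return 0
    fi
    sleep "${DNS_WAIT:-10}"
  done
  return 1
}

main() {
  # Constructed walk-through: publish, poll, then clean up as getssl would
  DNS_WAIT=0 DNS_EXTRA_WAIT=0
  dns_add example.com sampletoken
  wait_for_token example.com sampletoken 3 && echo "token visible for example.com"
  dns_del example.com
  [ -z "$(dns_txt example.com)" ] && echo "challenge record removed"
}
main
```

A real DNS_ADD_COMMAND script would replace the zone-file append with a provider API call but keep the same two-argument interface; keeping DNS_DEL_COMMAND scoped to exactly the `_acme-challenge` record of the domain passed is what stops a cleanup for one name from deleting another name's pending challenge.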
The time in seconds to wait after running the RELOAD_CMD before checking the certs. Normally any pause, or a check that the reload / restart of the services has completed, would be included in the RELOAD_CMD statement; this wait period is provided as an alternative method.
###TOKEN_USER_ID="" When adding a token to your webroot/.well-known/acme-challenge and your web-server requires that to be a specific user ( different to the user running getssl ) then it can be specified here. If you require a specific user and group then just specify them both in the same command, separated by a period ( TOKEN_USER_ID="user.group" )
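Pulling the domain-level variables above together, here is an added example of a per-domain getssl.cfg for example.com with one SAN, followed by a small pre-flight check. The config is a constructed sample written for this page, not a file shipped by getssl: the server name server5, the web root and the /etc/ssl paths are assumptions. The `check_config` function is likewise hypothetical and not part of getssl; it applies three rules stated on this page (the primary domain must not appear in SANS, ACL needs one entry per name unless USE_SINGLE_ACL is true, and RENEW_ALLOW is a number of days) plus a guard against the key and certificate being copied to the same file.

```bash
#!/usr/bin/env bash
# Constructed example of ~/.getssl/example.com/getssl.cfg (not a file shipped by getssl).
# Hostnames and paths are assumptions; values quoted in the wiki text are used where given.
CA="https://acme-v01.api.letsencrypt.org"     # the staging server is the default while testing
ACCOUNT_EMAIL="me@example.com"
PRIVATE_KEY_ALG="rsa"
REUSE_PRIVATE_KEY="true"                      # keep the key between renewals (key pinning)
DUAL_RSA_ECDSA="false"
SANS="www.example.com"                        # primary domain example.com is NOT listed here
ACL=('/var/www/example.com/web/.well-known/acme-challenge'
     'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
USE_SINGLE_ACL="false"
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
CA_CERT_LOCATION="/etc/ssl/chain.crt"
DOMAIN_CHAIN_LOCATION=""                      # blank: no combined chain file is written
RELOAD_CMD="ssh:server5:service apache2 reload"
RENEW_ALLOW="30"
TOKEN_USER_ID="www-data.www-data"             # user.group that owns the challenge tokens

# Hypothetical pre-flight check over the settings above (not part of getssl).
# Prints each problem found and returns the number of problems, so 0 means "looks sane".
check_config() {
  local primary=$1 problems=0 sans n names=1
  sans=${SANS//,/ }
  for n in $sans; do
    names=$((names + 1))
    if [ "$n" = "$primary" ]; then
      echo "SANS must not repeat the primary domain $primary"
      problems=$((problems + 1))
    fi
  done
  if [ "$USE_SINGLE_ACL" != true ] && [ "${#ACL[@]}" -ne "$names" ]; then
    echo "ACL has ${#ACL[@]} entries but $names names need a challenge location"
    problems=$((problems + 1))
  fi
  if [ -n "$DOMAIN_KEY_LOCATION" ] && [ "$DOMAIN_KEY_LOCATION" = "$DOMAIN_CERT_LOCATION" ]; then
    echo "DOMAIN_KEY_LOCATION and DOMAIN_CERT_LOCATION would overwrite each other"
    problems=$((problems + 1))
  fi
  case $RENEW_ALLOW in
    ''|*[!0-9]*) echo "RENEW_ALLOW must be a number of days"; problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

check_config example.com && echo "config for example.com passes the pre-flight check"
```

With the values as written the check passes; putting example.com into SANS, or dropping the second ACL entry without setting USE_SINGLE_ACL="true", makes it report the problem before any certificate request is made and counted against the rate limits.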