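# This is the main config file for dehydrated.
#
# This file is looked for in the following locations:
#   $SCRIPTDIR/config (next to this script)
#   /usr/local/etc/dehydrated/config
#   /etc/dehydrated/config
#   ${PWD}/config (in current working-directory)
#
# NOTE(review): every setting is a shell variable assignment and the file is
# read as shell, so whoever can write this file can run commands as the user
# dehydrated runs as. Keep it owned by root (or the dehydrated user) and not
# writable by group or others.

# Which user should dehydrated run as? This will be implicitly enforced when running as root.
# NOTE(review): left unset, so no user switch is enforced; if the job is
# started as root, the client and the HOOK program below run as root. A
# dedicated unprivileged account that owns BASEDIR and WELLKNOWN limits what a
# fault in the client or the hook can reach.
# Default: <unset>
#DEHYDRATED_USER=""

# Which group should dehydrated run as? This will be implicitly enforced when running as root.
# Default: <unset>
#DEHYDRATED_GROUP=""

# Make curl resolve names to addresses of the given IP version only.
# Supported values: 4, 6.
# Default: <unset>
#IP_VERSION=""

# Path to certificate authority.
# Default: https://acme-v02.api.letsencrypt.org/directory
#CA="https://acme-v02.api.letsencrypt.org/directory"
# Use staging server for testing:
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"

# Path to old certificate authority.
# Set this value to your old CA when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# NOTE(review): Let's Encrypt has shut down its ACMEv1 API, so this only
# matters for reusing an account key that already exists on disk.
# Default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"

# Which challenge should be used?
# Supported values: http-01, dns-01, tls-alpn-01.
# Default: http-01
#CHALLENGETYPE="http-01"

# Path to a directory containing additional config files.
# This allows overriding the defaults found in the main configuration file.
# Additional config files in this directory must be named with a '.sh' ending.
# NOTE(review): files placed here override this file, so the directory needs
# the same ownership and permissions as this file.
# Default: <unset>
#CONFIG_D=""

# Base directory for account key, generated certificates and list of domains.
# NOTE(review): this tree holds the ACME account key and the private keys of
# issued certificates; restrict it to the account that runs dehydrated and give
# services read access only to the key files they need.
# Default: $SCRIPTDIR
BASEDIR="/etc/dehydrated"

# File containing the list of domains for which to request certificates.
# Default: $BASEDIR/domains.txt
DOMAINS_TXT="${BASEDIR}/domains"

# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificate's output directory.
# NOTE(review): these files are sourced, i.e. executed as shell; treat the
# directory as code and keep it writable only by the dehydrated user or root.
# Default: <unset>
DOMAINS_D="${BASEDIR}/domains.d"

# Output directory for generated certificates.
# Default: ${BASEDIR}/certs
#CERTDIR="${BASEDIR}/certs"

# Output directory for alpn verification certificates.
# Default: ${BASEDIR}/alpn-certs
#ALPNCERTDIR="${BASEDIR}/alpn-certs"

# Directory for account keys and registration information.
# Default: ${BASEDIR}/accounts
#ACCOUNTDIR="${BASEDIR}/accounts"

# Output directory for challenge-tokens to be served by webserver, or deployed in $HOOK.
# NOTE(review): keep this directory dedicated to challenge tokens: writable
# only by the account that runs dehydrated, readable by the web server, and
# mapped to /.well-known/acme-challenge/ only. Anyone else who can write here
# can answer http-01 challenges for the domains this server hosts.
# Default: /var/www/dehydrated
WELLKNOWN="/srv/www/dehydrated"

# Default keysize for private keys.
# Default: 4096
#KEYSIZE="4096"

# Path to openssl config file.
# To try and figure out the system default, leave this unset.
# Default: <unset>
#OPENSSL_CNF=""

# Path to OpenSSL binary.
# Default: openssl
#OPENSSL="openssl"

# Extra options passed to the curl binary.
# NOTE(review): do not add options that turn off TLS certificate verification
# (-k / --insecure); that verification is what authenticates the CA endpoint.
# Default: <unset>
#CURL_OPTS=""

# Program or function called at certain stages of processing.
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program.
# NOTE(review): the hook runs with the privileges of the dehydrated process
# (root if started as root with DEHYDRATED_USER unset). The script and its
# parent directories should be owned by root and not writable by group or
# others.
# Default: <unset>
HOOK="${BASEDIR}/hooks/default.sh"

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate?
# Default: no
#HOOK_CHAIN="no"

# Minimum days before expiration to automatically renew certificate.
# Default: 30
#RENEW_DAYS="30"

# Regenerate private keys instead of just signing new certificates on renewal?
# NOTE(review): the default "yes" gives each renewal a fresh key, which bounds
# how long a leaked key stays useful; change it only if something pins the key.
# Default: yes
#PRIVATE_KEY_RENEW="yes"

# Create an extra private key for rollover?
# Default: no
#PRIVATE_KEY_ROLLOVER="no"

# Which public key algorithm should be used?
# Supported: rsa, prime256v1, secp384r1.
# Default: rsa
#KEY_ALGO="rsa"

# E-mail to use during the registration.
# Default: <unset>
CONTACT_EMAIL="sysadmin@afterdark.org.uk"

# Lockfile location, to prevent concurrent execution.
# NOTE(review): /run is normally writable by root only; if DEHYDRATED_USER is
# later set to an unprivileged account, point this at a directory that account
# owns, otherwise the lock cannot be created.
# Default: $BASEDIR/lock
LOCKFILE="/run/dehydrated.lock"

# Option to add CSR-flag indicating OCSP stapling to be mandatory.
# NOTE(review): confirm that the CA still issues Must-Staple certificates and
# that every server using the certificate staples before enabling this.
# Default: no
#OCSP_MUST_STAPLE="no"

# Fetch OCSP responses.
# Default: no
#OCSP_FETCH="no"

# OCSP refresh interval, in days.
# Default: 5
#OCSP_DAYS="5"

# Issuer chain cache directory.
# Default: $BASEDIR/chains
#CHAINCACHE="${BASEDIR}/chains"

# Automatic cleanup?
# NOTE(review): set to "yes" here, overriding the default; presumably this runs
# the client's cleanup of unused certificate files after each run. Confirm
# against the installed version.
# Default: no
AUTO_CLEANUP="yes"

# ACME API version.
# Default: auto
#API=auto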