147 lines
4.2 KiB
Text
147 lines
4.2 KiB
Text
# This is the main config file for dehydrated.
|
|
# This file is looked for in the following locations:
|
|
# $SCRIPTDIR/config (next to this script)
|
|
# /usr/local/etc/dehydrated/config
|
|
# /etc/dehydrated/config
|
|
# ${PWD}/config (in current working-directory)
|
|
|
|
# Which user should dehydrated run as? This will be implictly enforced when running as root.
|
|
# Default: <unset>
|
|
#DEHYDRATED_USER=""
|
|
|
|
# Which group should dehydrated run as? This will be implictly enforced when running as root.
|
|
# Default: <unset>
|
|
#DEHYDRATED_GROUP=""
|
|
|
|
# Resolve names to addresses of IP version only, for curl.
|
|
# Supported values: 4, 6.
|
|
# Default: <unset>
|
|
#IP_VERSION=""
|
|
|
|
# Path to certificate authority.
|
|
# Default: https://acme-v02.api.letsencrypt.org/directory
|
|
#CA="https://acme-v02.api.letsencrypt.org/directory"
|
|
# Use staging server for testing:
|
|
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
|
|
# Path to old certificate authority.
|
|
# Set this value to your old CA when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
|
|
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
|
|
# instead of registering a new one.
|
|
# Default: https://acme-v01.api.letsencrypt.org/directory
|
|
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
|
|
|
|
# Which challenge should be used?
|
|
# Supported values: http-01, dns-01, tls-alpn-01.
|
|
# Default: http-01
|
|
#CHALLENGETYPE="http-01"
|
|
|
|
# Path to a directory containing additional config files.
|
|
# This allows overriding the defaults found in the main configuration file.
|
|
# Additional config files in this directory must be named with a '.sh' ending.
|
|
# Default: <unset>
|
|
#CONFIG_D=""
|
|
|
|
# Base directory for account key, generated certificates and list of domains.
|
|
# Default: $SCRIPTDIR
|
|
BASEDIR="/etc/dehydrated"
|
|
|
|
# File containing the list of domains for which to request certificates.
|
|
# Default: $BASEDIR/domains.txt
|
|
DOMAINS_TXT="${BASEDIR}/domains"
|
|
|
|
# Directory for per-domain configuration files.
|
|
# If not set, per-domain configurations are sourced from each certificates output directory.
|
|
# Default: <unset>
|
|
DOMAINS_D="${BASEDIR}/domains.d"
|
|
|
|
# Output directory for generated certificates.
|
|
# Default: ${BASEDIR}/certs
|
|
#CERTDIR="${BASEDIR}/certs"
|
|
|
|
# Output directory for alpn verification certificates.
|
|
# Default: ${BASEDIR}/alpn-certs
|
|
#ALPNCERTDIR="${BASEDIR}/alpn-certs"
|
|
|
|
# Directory for account keys and registration information.
|
|
# Default: ${BASEDIR}/accounts
|
|
#ACCOUNTDIR="${BASEDIR}/accounts"
|
|
|
|
# Output directory for challenge-tokens to be served by webserver, or deployed in $HOOK.
|
|
# Default: /var/www/dehydrated
|
|
WELLKNOWN="/srv/www/dehydrated"
|
|
|
|
# Default keysize for private keys.
|
|
# Default: 4096
|
|
#KEYSIZE="4096"
|
|
|
|
# Path to openssl config file.
|
|
# To try and figure out the system default, leave this unset.
|
|
# Default: <unset>
|
|
#OPENSSL_CNF=""
|
|
|
|
# Path to OpenSSL binary.
|
|
# Default: openssl
|
|
#OPENSSL="openssl"
|
|
|
|
# Extra options passed to the curl binary.
|
|
# Default: <unset>
|
|
#CURL_OPTS=""
|
|
|
|
# Program or function called at certain stages of processing.
|
|
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program.
|
|
# Default: <unset>
|
|
HOOK="${BASEDIR}/hooks/default.sh"
|
|
|
|
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate?
|
|
# Default: no
|
|
#HOOK_CHAIN="no"
|
|
|
|
# Minimum days before expiration to automatically renew certificate.
|
|
# Default: 30
|
|
#RENEW_DAYS="30"
|
|
|
|
# Regenerate private keys instead of just signing new certificates on renewal?
|
|
# Default: yes
|
|
#PRIVATE_KEY_RENEW="yes"
|
|
|
|
# Create an extra private key for rollover?
|
|
# Default: no
|
|
#PRIVATE_KEY_ROLLOVER="no"
|
|
|
|
# Which public key algorithm should be used?
|
|
# Supported: rsa, prime256v1, secp384r1.
|
|
# Default: rsa
|
|
#KEY_ALGO="rsa"
|
|
|
|
# E-mail to use during the registration.
|
|
# Default: <unset>
|
|
CONTACT_EMAIL="sysadmin@afterdark.org.uk"
|
|
|
|
# Lockfile location, to prevent concurrent execution.
|
|
# Default: $BASEDIR/lock
|
|
LOCKFILE="/run/dehydrated.lock"
|
|
|
|
# Option to add CSR-flag indicating OCSP stapling to be mandatory.
|
|
# Default: no
|
|
#OCSP_MUST_STAPLE="no"
|
|
|
|
# Fetch OCSP responses.
|
|
# Default: no
|
|
#OCSP_FETCH="no"
|
|
|
|
# OCSP refresh interval, in days.
|
|
# Default: 5
|
|
#OCSP_DAYS="5"
|
|
|
|
# Issuer chain cache directory.
|
|
# Default: $BASEDIR/chains
|
|
#CHAINCACHE="${BASEDIR}/chains"
|
|
|
|
# Automatic cleanup?
|
|
# Default: no
|
|
AUTO_CLEANUP="yes"
|
|
|
|
# ACME API version.
|
|
# Default: auto
|
|
#API=auto
|