| docs:guide-user:services:tls:acmesh [2024/12/16 09:39] – [See also] stokito | docs:guide-user:services:tls:acmesh [2024/12/16 10:02] – [UCI config options] stokito |
|---|
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''enabled'' | boolean | no | //1// | Enabled issuing of certs for the domains | | | ''enabled'' | boolean | no | //1// | Enabled issuing of certs for the domains | |
| | ''staging'' | boolean | no | //0// | Get certificate from the Letsencrypt staging server (use for testing; the certificate won't be valid). | | | ''staging'' | boolean | no | //0// | Get certificate from the LetsEncrypt staging server (use for testing; the certificate won't be valid). | |
| | ''domains'' | list | yes | | Domain names to include in the certificate. The first name will be the subject name, subsequent names will be alt names. | | | ''domains'' | list | yes | | Domain names to include in the certificate. The first name will be the subject name, subsequent names will be alt names. | |
| | ''validation_method'' | string | yes | | Challenge validation mode: //dns//, //webroot// or //standalone//. Standalone mode will use the built-in webserver of acme.sh to issue a certificate. Webroot mode will use an existing webserver to issue a certificate. DNS mode will allow you to use the DNS API of your DNS provider to issue a certificate. | | | ''validation_method'' | string | yes | | Challenge validation mode: //dns//, //webroot// or //standalone//. Standalone mode will use the built-in webserver of acme.sh to issue a certificate. Webroot mode will use an existing webserver to issue a certificate. DNS mode will allow you to use the DNS API of your DNS provider to issue a certificate. | |
| | ''calias'' | string | no | | Challenge Alias. The challenge alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge alias per certificate. | | | ''calias'' | string | no | | Challenge Alias. The challenge alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge alias per certificate. | |
| | ''dalias'' | string | no | | Domain Alias. The domain alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge domain per certificate. | | | ''dalias'' | string | no | | Domain Alias. The domain alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge domain per certificate. | |
| | ''webroot'' | string | no | ''/var/run/acme/challenge'' | Deprecated. Webserver root directory. Set this to the webserver document root to run Acme in webroot mode. The web server must be accessible from the internet on port 80. | | | ''webroot'' | string | no | ''/var/run/acme/challenge'' | **Deprecated.** Use the default folder and remove the option. Webserver root directory. Set this to the webserver document root to run Acme in ''webroot'' mode. The web server must be accessible from the internet on port 80. | |
| | ''key_type'' | string | no | //ec256// | Key size (and type) for the generated certificate. ''rsa2048'', ''rsa3072'', ''rsa4096'', ''ec256'', ''ec384'' | | | ''key_type'' | string | no | //ec256// | Key size (and type) for the generated certificate. ''rsa2048'', ''rsa3072'', ''rsa4096'', ''ec256'', ''ec384'' | |
| | ''keylength'' | string | no | | Deprecated, use key_type instead. The RSA key length in bits. | | | ''keylength'' | string | no | | **Deprecated**. Use key_type instead. The RSA key length in bits. | |
| | ''acme_server'' | string | no | //letsencrypt// | A custom CA ACME server directory URL. See [[https://github.com/acmesh-official/acme.sh/wiki/Server|acme.sh wiki: servers]]. | | | ''acme_server'' | string | no | //letsencrypt// | A custom CA ACME server directory URL. See [[https://github.com/acmesh-official/acme.sh/wiki/Server|acme.sh wiki: servers]]. | |
| | ''standalone'' | boolean | no | //0// | Deprecated. Use ''option validation_method 'standalone''' instead. | | | ''standalone'' | boolean | no | //0// | **Deprecated.** Use ''option validation_method 'standalone''' instead. | |
| | ''days'' | integer | no | //60// | Days until renewal | | | ''days'' | integer | no | //60// | Days until renewal | |
| | ''update_uhttp'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the uhttpd UCI main section (e.g. Luci) to use the new cert. E.g. set UCI ''uhttpd.main.key'' and ''uhttpd.main.cert''. Then reload the uhttpd service. Update the uhttpd config with this certificate once issued (only select this for one certificate). It's also available the ''luci-app-uhttpd'' to configure uhttpd form the LuCI interface. | | | ''update_uhttp'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the uhttpd UCI main section (e.g. Luci) to use the new cert. E.g. set UCI ''uhttpd.main.key'' and ''uhttpd.main.cert''. Then reload the uhttpd service. Update the uhttpd config with this certificate once issued (only select this for one certificate). It's also available the ''luci-app-uhttpd'' to configure uhttpd form the LuCI interface. | |
| | ''update_nginx'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the Nginx to use the new cert. E.g. call the ''nginx-util add_ssl''. Then reload the nginx service. Update the nginx config with this certificate once issued (only select this for one certificate). Nginx must support ssl, if not it won't start as it needs to be compiled with ssl support to use cert options | | | ''update_nginx'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the Nginx to use the new cert. E.g. call the ''nginx-util add_ssl''. Then reload the nginx service. Update the nginx config with this certificate once issued (only select this for one certificate). Nginx must support ssl, if not it won't start as it needs to be compiled with ssl support to use cert options | |
| | ''update_haproxy'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the HAProxy to use the new cert. E.g. change the ''bind'' option in the ''''. Then reload the haproxy service. | | | ''update_haproxy'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the HAProxy to use the new cert. I.e. change the ''bind'' option in the ''haproxy.cfg''. Then reload the haproxy service. | |
| | ''user_setup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided setup script | | | ''user_setup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided setup script | |
| | ''user_cleanup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided cleanup script | | | ''user_cleanup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided cleanup script | |
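
Review bot: In the ''webroot'' row the new description says "Use the default folder and remove the option" and then still says "Set this to the webserver document root", so the two instructions contradict each other. Keep the deprecation advice and either drop the "Set this to ..." sentence or reword it as a description of what the option used to do. The deprecation markers are also inconsistent: ''webroot'' and ''standalone'' use "**Deprecated.**" while ''keylength'' uses "**Deprecated**.", so pick one form. In the ''staging'' row, the CA's name is spelled "Let's Encrypt", not "LetsEncrypt".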