| docs:guide-user:services:tls:acmesh [2024/12/16 09:39] – [See also] stokito | docs:guide-user:services:tls:acmesh [2024/12/16 10:15] (current) – [Using GUI] stokito |
|---|---|
| * "Domain names": add your domain ''example.com''. If you need a wildcard cert then also add ''*.example.com'' (needs for DNS challenge). | * "Domain names": add your domain ''example.com''. If you need a wildcard cert then also add ''*.example.com'' (needs for DNS challenge). |
| * Switch to "Challenge Validation" tab and select "Validation method": | * Switch to "Challenge Validation" tab and select "Validation method": |
| * If you have a public web server then select "Webroot". The default webroot path is ''/var/run/acme/challenge/''. See details below. | * If your web server is public then select "Webroot". The default webroot path is ''/var/run/acme/challenge/''. See details below. |
| * If you wish to get a wildcard cert e.g. ''*.example.com'' or you don't have a public webserver then the only option is the "DNS" validation and you must configure DNS API. | * If you wish to get a wildcard cert e.g. ''*.example.com'' or you don't have a public webserver then the only option is the "DNS" validation and you must configure DNS API. |
| * If you don't have any webserver or the it's not accessible from internet then you can may use the "Standalone" mode. | * If you don't have any webserver or the it's not accessible from internet then you can may use the "Standalone" mode. |
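Review bot: the "Standalone" bullet (last item) contradicts the "DNS" bullet right above it and the HTTP-01 flow: it says Standalone fits when the web server is "not accessible from internet", but Standalone only swaps in acme.sh's built-in listener (as the ''validation_method'' row in the table below states) and the CA still has to reach port 80 on the domain from the Internet, so "no web server at all" is the only correct condition, and the DNS bullet already says DNS is the only option without a public server. Suggest: "If you don't run any web server, you may use the "Standalone" mode; port 80 must still be reachable from the Internet." The duplicated verb in "you can may use" and "or the it's not accessible" is also still present on both sides.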
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ |
| | ''enabled'' | boolean | no | //1// | Enabled issuing of certs for the domains | | | ''enabled'' | boolean | no | //1// | Enabled issuing of certs for the domains | |
| | ''staging'' | boolean | no | //0// | Get certificate from the Letsencrypt staging server (use for testing; the certificate won't be valid). | | | ''staging'' | boolean | no | //0// | Get certificate from the LetsEncrypt staging server (use for testing; the certificate won't be valid). | |
| | ''domains'' | list | yes | | Domain names to include in the certificate. The first name will be the subject name, subsequent names will be alt names. | | | ''domains'' | list | yes | | Domain names to include in the certificate. The first name will be the subject name, subsequent names will be alt names. | |
| | ''validation_method'' | string | yes | | Challenge validation mode: //dns//, //webroot// or //standalone//. Standalone mode will use the built-in webserver of acme.sh to issue a certificate. Webroot mode will use an existing webserver to issue a certificate. DNS mode will allow you to use the DNS API of your DNS provider to issue a certificate. | | | ''validation_method'' | string | yes | | Challenge validation mode: //dns//, //webroot// or //standalone//. Standalone mode will use the built-in webserver of acme.sh to issue a certificate. Webroot mode will use an existing webserver to issue a certificate. DNS mode will allow you to use the DNS API of your DNS provider to issue a certificate. | |
| | ''calias'' | string | no | | Challenge Alias. The challenge alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge alias per certificate. | | | ''calias'' | string | no | | Challenge Alias. The challenge alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge alias per certificate. | |
| | ''dalias'' | string | no | | Domain Alias. The domain alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge domain per certificate. | | | ''dalias'' | string | no | | Domain Alias. The domain alias to use for ALL domains. See [[https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode|acme.sh wiki: DNS Alias Mode]] for the details of this process. LUCI only supports one challenge domain per certificate. | |
| | ''webroot'' | string | no | ''/var/run/acme/challenge'' | Deprecated. Webserver root directory. Set this to the webserver document root to run Acme in webroot mode. The web server must be accessible from the internet on port 80. | | | ''webroot'' | string | no | ''/var/run/acme/challenge'' | **Deprecated.** Use the default folder and remove the option. Webserver root directory. Set this to the webserver document root to run Acme in ''webroot'' mode. The web server must be accessible from the internet on port 80. | |
| | ''key_type'' | string | no | //ec256// | Key size (and type) for the generated certificate. ''rsa2048'', ''rsa3072'', ''rsa4096'', ''ec256'', ''ec384'' | | | ''key_type'' | string | no | //ec256// | Key size (and type) for the generated certificate. ''rsa2048'', ''rsa3072'', ''rsa4096'', ''ec256'', ''ec384'' | |
| | ''keylength'' | string | no | | Deprecated, use key_type instead. The RSA key length in bits. | | | ''keylength'' | string | no | | **Deprecated**. Use the ''key_type'' instead. The RSA key length in bits. | |
| | ''acme_server'' | string | no | //letsencrypt// | A custom CA ACME server directory URL. See [[https://github.com/acmesh-official/acme.sh/wiki/Server|acme.sh wiki: servers]]. | | | ''acme_server'' | string | no | //letsencrypt// | A custom CA ACME server directory URL. See [[https://github.com/acmesh-official/acme.sh/wiki/Server|acme.sh wiki: servers]]. | |
| | ''standalone'' | boolean | no | //0// | Deprecated. Use ''option validation_method 'standalone''' instead. | | | ''standalone'' | boolean | no | //0// | **Deprecated.** Use ''option validation_method 'standalone''' instead. | |
| | ''days'' | integer | no | //60// | Days until renewal | | | ''days'' | integer | no | //60// | Days until renewal | |
| | ''update_uhttp'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the uhttpd UCI main section (e.g. Luci) to use the new cert. E.g. set UCI ''uhttpd.main.key'' and ''uhttpd.main.cert''. Then reload the uhttpd service. Update the uhttpd config with this certificate once issued (only select this for one certificate). It's also available the ''luci-app-uhttpd'' to configure uhttpd form the LuCI interface. | | | ''update_uhttp'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the uhttpd UCI main section (i.e. Luci) to use the new cert. I.e. set UCI ''uhttpd.main.key'' and ''uhttpd.main.cert''. Then reload the uhttpd service. Update the uhttpd config with this certificate once issued (only select this for one certificate). It's also available the ''luci-app-uhttpd'' to configure uhttpd form the LuCI interface. | |
| | ''update_nginx'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the Nginx to use the new cert. E.g. call the ''nginx-util add_ssl''. Then reload the nginx service. Update the nginx config with this certificate once issued (only select this for one certificate). Nginx must support ssl, if not it won't start as it needs to be compiled with ssl support to use cert options | | | ''update_nginx'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the Nginx to use the new cert. I.e. call the ''nginx-util add_ssl''. Then reload the nginx service. Update the nginx config with this certificate once issued (only select this for one certificate). Nginx must support ssl, if not it won't start as it needs to be compiled with ssl support to use cert options | |
| | ''update_haproxy'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the HAProxy to use the new cert. E.g. change the ''bind'' option in the ''''. Then reload the haproxy service. | | | ''update_haproxy'' | boolean | no | //0// | **Removed in acme v4.0.0**. After issuing a cert configure the HAProxy to use the new cert. I.e. change the ''bind'' option in the ''haproxy.cfg''. Then reload the haproxy service. | |
| | ''user_setup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided setup script | | | ''user_setup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided setup script | |
| | ''user_cleanup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided cleanup script | | | ''user_cleanup'' | path | no | //none// | **Removed in acme v4.0.0**. User-provided cleanup script | |
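Review bot: two description cells are left unfixed by this revision. The ''update_uhttp'' row ends with "It's also available the ''luci-app-uhttpd'' to configure uhttpd form the LuCI interface", which should read "The ''luci-app-uhttpd'' package is also available to configure uhttpd from the LuCI interface"; the ''update_nginx'' row's closing sentence "Nginx must support ssl, if not it won't start as it needs to be compiled with ssl support to use cert options" is a run-on missing its final period. Minor: the CA spells its name "Let's Encrypt", so "LetsEncrypt" in the ''staging'' row could follow that, and "Use the ''key_type'' instead" in the ''keylength'' row reads better as "Use ''key_type'' instead".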