
update docs

Merged Hahn Axel (hahn) requested to merge add-http-challenge into master
1 file
+ 81
11
@@ -118,23 +118,101 @@ other ACTIONs
## CRUD actions for a certificate
 
### Create (Issue)
 
With parameter `add` you need to add all domains that should be included in a new certificate.
`[APPPATH]/cm.sh add www.example.com mail.example.com`
 
#### Mehtod: DNS auth
 
 
By default the cert manager tries to use the DNS challenge
 
 
`[APPPATH]/cm.sh add www.example.com mail.example.com`
 
 
In the configuration you need these variables:
 
 
* CM_certmatch defines the domains that are allowed to use DNS auth.<br>to allow all: `export CM_certmatch="."`<br>To allow a specific subdomain: `export CM_certmatch="\.org\.example\.com"`
 
* CM_challenge_alias is the domain you can manage via DNS api. <br>All hosts of this domain will be issued by a TXT record.<br>External domains need a CNAME. See <https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode>
 
 
#### Mehtod: Http - using webroot
 
 
If you have a http website of a domain you can authorize with a written challenge file. The file will be written below webroot.
 
The SSL provider will make an http request `http://www.example.com/.well-known/acme-challenge/<generated-challenge-file>`
 
 
The parameter --webroot is used to define the webroot of the existing web (without /.well-known/acme-challenge).
 
 
Example:
 
 
`[APPPATH]/cm.sh --webroot <webroot> add www.example.com mail.example.com`
 
 
#### Mehtod: Http - using alias
 
 
You can use an alias to place the generated challenge file outside webroot.
 
The SSL provider will make an http request `http://www.example.com/.well-known/acme-challenge/<generated-challenge-file>` - this url must fit here too.
 
 
(1) Create a .well-known directory
 
 
Remark: this path is hardcoded :-/
 
 
The directory is ../alias-dir/ - one directory outside the cm.sh.
 
If your installation is in `/opt/letsencrypt/iml-certman/` then you need to create this directory: `/opt/letsencrypt/alias-dir/.well-known`
 
 
(2) In Webserver enable mod_alias
 
 
eg. on Debian /etc/apache2/mods-enabled/alias.load
 
 
```
 
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
 
```
 
 
(3) In Webserver create an alias pointing to your .well-known directory
 
 
In your vhost (or global apache config) define an alias.
 
 
```text
 
Alias /.well-known "/opt/letsencrypt/alias-dir/.well-known"
 
```
 
 
If you have rewrite rules or proxy rules in the webroot keep in mind to have an exclude to allow file access on challenge files.
 
 
```text
 
RewriteEngine On
 
RewriteCond %{REQUEST_URI} !^/.well-known
 
RewriteRule ^(.*)$ index.php [QSA,L]
 
```
 
 
(4) Issue the cert
 
 
use the parameter --alias without any value to create the challenge file in ../alias-dir/.
 
 
Example:
 
 
`[APPPATH]/cm.sh --alias add www.example.com mail.example.com`
 
All other actions need the first domain only.
The parameter **show** shows details.
### Read
 
 
Use the parameter **list** to show all certificates, aliases and dates.
 
 
`[APPPATH]/cm.sh list`
 
 
The parameter **show** shows details of a single certificate.
`[APPPATH]/cm.sh show www.example.com`
### Update (renew)
 
 
If a certificate reaches the time for renewing (i.e. 4 weeks before expiration) you can renew it with **renew**.
Remark: if you try to renew before renewing date this results in a skip message (and exitcode 0).
`[APPPATH]/cm.sh renew www.example.com`
With a delete command the certificate will be revoked and the local files will be deleted.
 
 
### Delete
`[APPPATH]/cm.sh delete www.example.com`
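Review bot: all three new method headings are misspelled as "Mehtod" (`#### Mehtod: DNS auth`, `#### Mehtod: Http - using webroot`, `#### Mehtod: Http - using alias`); please change them to "Method" before merging. Two points in the alias instructions as well: the step (3) snippet `Alias /.well-known "/opt/letsencrypt/alias-dir/.well-known"` maps a directory outside DocumentRoot, and on Apache 2.4 such a directory is denied by default, so the doc should also show a `<Directory "/opt/letsencrypt/alias-dir/.well-known">` block with `Require all granted` (and `Options -Indexes`, so the alias directory is not listable), otherwise the CA's request for the challenge file gets a 403; and in the rewrite exclusion `RewriteCond %{REQUEST_URI} !^/.well-known` the unescaped `.` matches any character, so `!^/\.well-known/acme-challenge/` is the precise form that exempts only the challenge path. Minor: "Remark: this path is hardcoded :-/" would read better as one sentence stating the fixed relative path `../alias-dir/` next to the `--alias` parameter description in step (4).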
@@ -156,14 +234,6 @@ This ensure action handles the logic if a certificate must be
It detects if a domain in the certificate can use a txt record or needs dns auth mode.
## Show certificate data
Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`
to get a list of existing certs an then use the hostname in the 1st column to show details:
`[APPPATH]/cm.sh show mail.example.com`
## Renew all certificates
`[APPPATH]/cm.sh renew-all`
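Review bot: dropping the "## Show certificate data" section also drops the only place that documented filtering the listing (`[APPPATH]/cm.sh list | grep "mail."`) and taking the hostname from the first column for `show`; the new "### Read" section in the previous hunk only shows the bare `list` and `show` commands, so consider carrying that filtering tip over. Also, the surviving context line "It detects if a domain in the certificate can use a txt record or needs dns auth mode" now conflicts with the method sections added above, where the TXT record is the DNS-auth method and the alternative is the HTTP challenge; it should read "can use the http challenge or needs dns auth mode".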