| -rw-r--r-- | acme.conf.sample | 2 | ||||
| -rw-r--r-- | domains.conf.5 | 20 | ||||
| -rw-r--r-- | domains.conf.sample | 5 | ||||
| -rw-r--r-- | lfacme-renew.sh | 4 |
4 files changed, 25 insertions, 6 deletions
diff --git a/acme.conf.sample b/acme.conf.sample
index 257f7aa..5805a7d 100644
--- a/acme.conf.sample
+++ b/acme.conf.sample
@@ -22,7 +22,7 @@
 ### ACME_HOOKDIR
-#The path to the directory containing certificate hooks.
+# The path to the directory containing certificate hooks.
 # The default is "/usr/local/etc/lfacme/hooks".
 # There is usually no need to change this.
diff --git a/domains.conf.5 b/domains.conf.5
index 287d19d..0f587e7 100644
--- a/domains.conf.5
+++ b/domains.conf.5
@@ -62,6 +62,26 @@ and
 The challenge script is passed to
 .Xr uacme 1 ;
 see the uacme documentation for details on the calling convention.
+.Pp
+Two challenge scripts are provided with
+.Nm lfacme :
+.Bl -tag -width kerberos
+.It Sy http
+Use HTTP-based validation.
+This requires
+.Va ACME_HTTP_CHALLENGE_DIR
+to be set in
+.Xr acme.conf 5 .
+This is the default challenge handler.
+.It Sy kerberos
+Use DNS-based validation with
+.Xr nsupdate 1
+using Kerberos authentication.
+This requires
+.Va ACME_KERBEROS_PRINCIPAL
+to be set in
+.Xr acme.conf 5 .
+.El
 .It Sy hook Ns Li = Ns Ar filename
 Invoke
 .Ar filename
diff --git a/domains.conf.sample b/domains.conf.sample
index 98422bc..5eb66d4 100644
--- a/domains.conf.sample
+++ b/domains.conf.sample
@@ -41,9 +41,8 @@
 # The challenge handler is passed to uacme(1), so you can use
 # any uacme-compatible handler here.
 #
-# One challenge handler is supplied with lfacme, "kerberos",
-# which uses Kerberized nsupdate(1) to respond to dns-01
-# challenges. This is the default handler.
+# Two handlers are supplied with lfacme: "http" and "kerberos".
+# The default handler is "http".
 ##
 # A certificate name of "*" can be used to set the default options for any
diff --git a/lfacme-renew.sh b/lfacme-renew.sh
index 787d8da..b9ebb38 100644
--- a/lfacme-renew.sh
+++ b/lfacme-renew.sh
@@ -151,9 +151,9 @@ _docert() {
 keytype="ec"
 fi
- # Default challenge is kerberos.
+ # Default challenge is http.
 if [ -z "$challenge" ]; then
- challenge="kerberos"
+ challenge="http"
 fi
 # make sure the challenge is valid. |
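Review bot: Changing the fallback in `_docert` from `kerberos` to `http` silently switches the validation method for every existing domains.conf entry that sets no challenge explicitly, so on the next renewal those certificates stop using Kerberized nsupdate (dns-01) and attempt HTTP validation instead. The man page text added in this same commit says the http handler requires `ACME_HTTP_CHALLENGE_DIR`, but nothing in this hunk checks it. Unless the validity check that follows (outside the hunk) already covers this, I would fail early with a clear message, e.g. `[ -n "$ACME_HTTP_CHALLENGE_DIR" ] || { echo "http challenge requires ACME_HTTP_CHALLENGE_DIR" >&2; return 1; }`, adapted to however `_docert` reports errors and assuming acme.conf is sourced under that name. The comment could also carry the migration hint: `# Default challenge is http (needs ACME_HTTP_CHALLENGE_DIR); entries that relied on the old kerberos default must now set it explicitly.` `_docert` starts and ends outside the hunk, so the surrounding option parsing and the validity check were not visible for this review.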
