path: root/domains.conf.sample
##
# Domains configuration file for lfacme.
#
# This is NOT a shell script (unlike acme.conf) so you cannot use shell
# syntax here.
#
# Empty lines and lines beginning with a '#' character are ignored.

##
# Each line specifies one certificate as a series of whitespace-separated
# fields.  The first field is the certificate name, which lfacme uses
# internally for the certificate filename; by itself it is not placed in the
# certificate (but see below: when no subject alt names are given, the name
# also serves as the common name and subject alt name).
#
# The remaining fields are either certificate options or subject alt names for
# the certificate.
#
# If no subject alt names are provided, then the certificate name is used as
# the common name and subject alt name.  Otherwise, the first subject alt name
# is used as the common name.

##
# Supported options:
#
# type=ec	Generate a secp384r1 ECDSA private key.
# 		(This is the default.)
#
# type=rsa	Generate a 3072-bit RSA private key.
#
# hook=<name>	Run the hook '<name>' after (re)issuing this certificate.
#		If <name> begins with a '/' then it is an absolute path,
#		otherwise it is relative to $ACME_HOOKDIR.
#		This option may be given multiple times.
#		Hooks are executables that lfacme runs, so $ACME_HOOKDIR and
#		the hook files should not be writable by untrusted users.
#
# challenge=<name>
# 		Use <name> as the challenge handler.  If <name> begins
# 		with '/' then it is an absolute path; otherwise it is looked
# 		up first in /usr/local/share/lfacme/challenge/ and then in
# 		/usr/local/etc/lfacme/challenge/.
#
#		The challenge handler is passed to uacme(1), so you can use
#		any uacme-compatible handler here.  Like a hook, the handler
#		is an executable that gets run, so it should come from a
#		location that untrusted users cannot modify.
#
# 		One challenge handler is supplied with lfacme, "kerberos",
# 		which uses Kerberized nsupdate(1) to respond to dns-01
# 		challenges.  This is the default handler.

##
# A certificate name of "*" can be used to set the default options for any
# following certificates.  Each "*" line replaces the previous default
# options.  You can specify subject alt names here as well.
#
# For example, to use RSA (instead of the default ECDSA) for all certificates:
*		type=rsa
# To use HTTP for all challenges.  Because each "*" line replaces the
# previous default options, this line supersedes the type=rsa line above
# rather than adding to it; to apply both, put both options on one "*" line.
# Note that these two lines are not commented out, so they take effect as
# written if this sample is used unchanged.
*		challenge=http

# Issue a cert for example.org using the default options.
# No SANs are given, so the certificate name is used as both the common name
# and the subject alt name.
example.org

# Issue a cert for example.org with some SANs.
# Notice that once any SAN is given, the certificate name is no longer used
# automatically, so every name (including example.org itself) must be listed;
# the first SAN becomes the common name.
example.org	example.org www.example.org

# Issue two certs for an SMTP server, one EC and one RSA.
# Some older SMTP clients still don't like EC certs.
# The two entries share the same SAN but need distinct certificate names,
# since the name determines the certificate filename.
# Run a hook after the certificate is (re)issued.
smtp-ec		smtp.example.org	type=ec  hook=install-smtp-cert
smtp-rsa	smtp.example.org	type=rsa hook=install-smtp-cert

# Issue a certificate for a server and run multiple hooks.
server.example.org	hook=nginx hook=postfix hook=node-exporter