Diffstat (limited to 'docs/reference')
37 files changed, 0 insertions, 1432 deletions
diff --git a/docs/reference/cli.md b/docs/reference/cli.md deleted file mode 100644 index 8d418ec..0000000 --- a/docs/reference/cli.md +++ /dev/null 
@@ -1,421 +0,0 @@ ---- -sidebar: reference ---- - -# Command line arguments -Here are all the command line arguments the program accepts. - -#### Notes -- Make sure that you are familiar with the basics of [renewal management](/win-acme/manual/renewal-management) - before proceeding with unattended use. -- Arguments documented as such: `--foo [--bar baz|qux]` mean that `--foo` is only -applicable when `--bar` is set to `baz` or `qux`. - -## Main -``` - --baseuri - Address of the ACMEv2 server to use. The default endpoint - can be modified in settings.json. - - --import - Import scheduled renewals from version 1.9.x in unattended - mode. - - --importbaseuri - [--import] When importing scheduled renewals from version - 1.9.x, this argument can change the address of the ACMEv1 - server to import from. The default endpoint to import from - can be modified in settings.json. - - --test - Enables testing behaviours in the program which may help - with troubleshooting. By default this also switches the - --baseuri to the ACME test endpoint. The default endpoint - for test mode can be modified in settings.json. - - --verbose - Print additional log messages to console for - troubleshooting and bug reports. - - --help - Show information about all available command line options. - - --version - Show version information. - - --renew - Renew any certificates that are due. This argument is used - by the scheduled task. Note that it's not possible to - change certificate properties and renew at the same time. - - --force - Force renewal on all scheduled certificates when used - together with --renew. Otherwise just bypasses the - certificate cache on new certificate requests. - - --cancel - Cancel renewal specified by the --friendlyname or --id - arguments. - - --revoke - Revoke the most recently issued certificate for the renewal - specified by the --friendlyname or --id arguments. - - --list - List all created renewals in unattended mode. 
- - --id - [--target|--cancel|--renew|--revoke] Id of a new or existing - renewal, can be used to override the default when creating - a new renewal or to specify a specific renewal for other - commands. - - --friendlyname - [--target|--cancel|--renew|--revoke] Friendly name of a new or - existing renewal, can be used to override the default when - creating a new renewal or to specify a specific renewal - for other commands. In the latter case a pattern might be used. - You may use a `*` for a range of any characters and a `?` - for any single character. For example: the pattern `example.*` - will match `example.net` and `example.com` (but not `my.example.com`) - and the pattern `?.example.com` will match `a.example.com` and - `b.example.com` (but not `www.example.com`). Note that multiple patterns - can be combined by comma seperating them. - - --target - Specify which target plugin to run, bypassing the main - menu and triggering unattended mode. - - --validation - Specify which validation plugin to run. If none is - specified, SelfHosting validation will be chosen as the - default. - - --validationmode - Specify which validation mode to use. HTTP-01 is the - default. - - --csr - Specify which csr plugin to use. RSA is the default. - - --store - Specify which store plugin to use. CertificateStore is the - default. This may be a comma separated list. - - --installation - Specify which installation plugins to use. IIS is the - default. This may be a comma separated list. - - --closeonfinish - [--test] Close the application when complete, which - usually does not happen when test mode is active. Useful - to test unattended operation. - - --hidehttps - Hide sites that have existing https bindings from - interactive mode. - - --notaskscheduler - Do not create (or offer to update) the scheduled task. - - --usedefaulttaskuser - (Obsolete) Avoid the question about specifying the task - scheduler user, as such defaulting to the SYSTEM account. 
- - --accepttos - Accept the ACME terms of service. - - --emailaddress - Email address to use by ACME for renewal fail notices. - - --encrypt - Rewrites all renewal information using current - EncryptConfig setting - -``` -# CSR - -## Common -``` - --ocsp-must-staple - Enable OCSP Must Staple extension on certificate. - - --reuse-privatekey - Reuse the same private key for each renewal. - -``` -# Installation - -## IIS FTP plugin -``` [--installation iisftp] ``` -``` - --ftpsiteid - Site id to install certificate to. - -``` -## IIS Web plugin -``` [--installation iis] ``` -``` - --installationsiteid - Specify site to install new bindings to. Defaults to the - target if that is an IIS site. - - --sslport - Port number to use for newly created HTTPS bindings. - Defaults to 443. - - --sslipaddress - IP address to use for newly created HTTPS bindings. - Defaults to *. - -``` -## Script plugin -``` [--installation script] ``` -``` - --script - Path to script file to run after retrieving the - certificate. This may be a .exe or .bat. Refer to the Wiki - for instructions on how to run .ps1 files. - - --scriptparameters - Parameters for the script to run after retrieving the - certificate. Refer to the Wiki for further instructions. - -``` -# Store - -## Central Certificate Store plugin -``` [--store centralssl] ``` -``` - --centralsslstore - When using this setting, certificate files are stored to - the CCS and IIS bindings are configured to reflect that. - - --pfxpassword - Password to set for .pfx files exported to the IIS CSS. - -``` -## Certificate Store plugin -``` [--store certificatestore] ``` (default) -``` - --certificatestore - This setting can be used to save the certificate in a - specific store. By default it will go to 'WebHosting' - store on modern versions of Windows. - - --keepexisting - While renewing, do not remove the previous certificate. 
- - --acl-fullcontrol - List of additional principals (besides the owners of the - store) that should get full control permissions on the - private key of the certificate. - -``` -## PEM files plugin -``` [--store pemfiles] ``` -``` - --pemfilespath - .pem files are exported to this folder - -``` -# Target - -## CSR plugin -``` [--target csr] ``` -``` - --csrfile - Specify the location of a CSR file to make a certificate - for - - --pkfile - Specify the location of the private key corresponding to - the CSR - -``` -## IIS plugin -``` [--target iis] ``` -``` - --siteid - Identifiers of one or more sites to include. This may be a - comma seperated list. - - --host - Host name to filter. This parameter may be used to target - specific bindings. This may be a comma seperated list. - - --host-pattern - Pattern filter for host names. Can be used to dynamically - include bindings based on their match with the pattern. - You may use a `*` for a range of any characters and a `?` - for any single character. For example: the pattern - `example.*` will match `example.net` and `example.com` - (but not `my.example.com`) and the pattern `?.example.com` - will match `a.example.com` and `b.example.com` (but not - `www.example.com`). Note that multiple patterns can be - combined by comma seperating them. - - --host-regex - Regex pattern filter for host names. Some people, when - confronted with a problem, think "I know, I'll use regular - expressions." Now they have two problems. - - --commonname - Specify the common name of the certificate that should be - requested for the target. By default this will be the - first binding that is enumerated. - - --excludebindings - Exclude host names from the certificate. This may be a - comma separated list. - -``` -## Manual plugin -``` [--target manual] ``` -``` - --commonname - Specify the common name of the certificate. If not - provided the first host name will be used. - - --host - A host name to get a certificate for. 
This may be a comma - separated list. - -``` -# Validation - -## SelfHosting plugin -``` [--validationmode tls-alpn-01 --validation selfhosting] ``` (default) -``` - --validationport - Port to use for listening to validation requests. Note - that the ACME server will always send requests to port - 443. This option is only useful in combination with a port - forwarding. - -``` -## FileSystem plugin -``` [--validation filesystem] ``` -``` - --validationsiteid - Specify IIS site to use for handling validation requests. - This will be used to choose the web root path. - -``` -## Common HTTP validation options -``` [--validation filesystem|ftp|sftp|webdav] ``` -``` - --webroot - Root path of the site that will serve the HTTP validation - requests. - - --warmup - Not used (warmup is the new default). - - --manualtargetisiis - Copy default web.config to the .well-known directory. - -``` -## SelfHosting plugin -``` [--validation selfhosting] ``` (default) -``` - --validationport - Port to use for listening to validation requests. Note - that the ACME server will always send requests to port 80. - This option is only useful in combination with a port - forwarding. - -``` -## AcmeDns -``` [--validationmode dns-01 --validation acme-dns] ``` -``` - --acmednsserver - Root URI of the acme-dns service - -``` -## Script -``` [--validationmode dns-01 --validation script] ``` -``` - --dnsscript - Path to script that creates and deletes validation - records, depending on its parameters. If this parameter is - provided then --dnscreatescript and --dnsdeletescript are - ignored. - - --dnscreatescript - Path to script that creates the validation TXT record. - - --dnscreatescriptarguments - Default parameters passed to the script are create - {Identifier} {RecordName} {Token}, but that can be - customized using this argument. - - --dnsdeletescript - Path to script to remove TXT record. 
- - --dnsdeletescriptarguments - Default parameters passed to the script are delete - {Identifier} {RecordName} {Token}, but that can be - customized using this argument. - -``` -## Credentials -``` [--validation ftp|sftp|webdav] ``` -``` - --username - User name for WebDav/(s)ftp server - - --password - Password for WebDav/(s)ftp server - -``` -## Azure -``` [--validationmode dns-01 --validation azure] ``` -``` - --azureusemsi - Use Managed Service Identity for authentication. - - --azuretenantid - Tenant ID to login into Microsoft Azure. - - --azureclientid - Client ID to login into Microsoft Azure. - - --azuresecret - Secret to login into Microsoft Azure. - - --azuresubscriptionid - Subscription ID to login into Microsoft Azure DNS. - - --azureresourcegroupname - The name of the resource group within Microsoft Azure DNS. - -``` -## Cloudflare -``` [--validationmode dns-01 --validation cloudflare] ``` -``` - --cloudflareapitoken - API Token for Cloudflare. - -``` -## Dreamhost -``` [--validationmode dns-01 --validation dreamhost] ``` -``` - --apiKey - Dreamhost API key. - -``` -## Route53 -``` [--validationmode dns-01 --validation route53] ``` -``` - --route53IAMRole - AWS IAM role for the current EC2 instance to login into - Amazon Route 53. - - --route53AccessKeyId - Access key ID to login into Amazon Route 53. - - --route53SecretAccessKey - Secret access key to login into Amazon Route 53. - -```
\ No newline at end of file diff --git a/docs/reference/index.md b/docs/reference/index.md deleted file mode 100644 index 34dffb1..0000000 --- a/docs/reference/index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -sidebar: reference ---- - -# Reference diff --git a/docs/reference/plugins/csr/ec.md b/docs/reference/plugins/csr/ec.md deleted file mode 100644 index f410074..0000000 --- a/docs/reference/plugins/csr/ec.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -sidebar: reference ---- - -# Elliptic Curve -Generates ECDSA keys based on the `secp384r1` curve. The curve to use can be -configured in [settings.json](/win-acme/reference/settings) but currently only -SEC named curves are supported by this program. The ACME server provider may -also have limitations. - -{% include csr-common.md %} - -## Unattended -`--csr ec`
\ No newline at end of file diff --git a/docs/reference/plugins/csr/index.md b/docs/reference/plugins/csr/index.md deleted file mode 100644 index 236a730..0000000 --- a/docs/reference/plugins/csr/index.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -sidebar: reference ---- - -# CSR plugins - -CSR plugins are responsible for providing certificate requests that the ACME server can sign. -They determine key properties such as the private key, applications and extensions. When -a CSR is used as [target](/win-acme/reference/plugins/target/csr), no CSR plugin can be chosen -and the third party application is expected to take care of the private key and extensions instead. - -## Default - -The default is an [RSA](/win-acme/reference/plugins/csr/rsa) private key.
\ No newline at end of file diff --git a/docs/reference/plugins/csr/rsa.md b/docs/reference/plugins/csr/rsa.md deleted file mode 100644 index bc2e24f..0000000 --- a/docs/reference/plugins/csr/rsa.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -sidebar: reference ---- - -# RSA -Default plugin, generates 3072 bits RSA key pairs. The number of bits can be configured in -[settings.json](/win-acme/reference/settings) but may not be less than 2048. For -improved compatiblitity with Microsoft Exchange, RSA keys are automatically converted to the -`Microsoft RSA SChannel Cryptographic Provider`. - -{% include csr-common.md %} - -## Unattended -`[--csr rsa]`
\ No newline at end of file diff --git a/docs/reference/plugins/development.md b/docs/reference/plugins/development.md deleted file mode 100644 index 9cbb12c..0000000 --- a/docs/reference/plugins/development.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -sidebar: reference ----
\ No newline at end of file diff --git a/docs/reference/plugins/index.md b/docs/reference/plugins/index.md deleted file mode 100644 index 1b0e617..0000000 --- a/docs/reference/plugins/index.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -sidebar: reference ---- - -# Plugins - -Conceptually win-acme works by chaining together five components also known as plugins, which can be mixed and matched to support many use cases. - -- A [target plugin](/win-acme/reference/plugins/target/) provides information about (potential) certificates to create. -- A [validation plugin](/win-acme/reference/plugins/validation/) provides the ACME server with proof that you own the domain(s). -- A [CSR plugin](/win-acme/reference/plugins/csr/) determines the (type of) private key and extensions to use for the certificate. -- One or more [store plugins](/win-acme/reference/plugins/store/) place the certificate in a specific location and format. -- One or more [installation plugins](/win-acme/reference/plugins/installation/) make changes to your application(s) configuration.
\ No newline at end of file diff --git a/docs/reference/plugins/installation/iisftp.md b/docs/reference/plugins/installation/iisftp.md deleted file mode 100644 index 393179c..0000000 --- a/docs/reference/plugins/installation/iisftp.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -sidebar: reference ---- - -# IIS FTP -Create or update FTP site bindings in IIS, according to the following logic: - -- Any existing FTP sites linked to the previous certificate are updated to use the new certificate. -- The target FTP site will be updated to use the new certificate. - -## Unattended -`--installation iisftp [--ftpsiteid x]`
\ No newline at end of file diff --git a/docs/reference/plugins/installation/iisweb.md b/docs/reference/plugins/installation/iisweb.md deleted file mode 100644 index c9d2cef..0000000 --- a/docs/reference/plugins/installation/iisweb.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -sidebar: reference ---- - -# IIS Web -Create or update website bindings in IIS, according to the following logic: - -- Existing https bindings in *any* site linked to the previous certificate are updated to use the new certificate. -- Hosts names which are determined to not yet have been covered by any existing binding, will be processed further. - - All existing https bindings in *target* site whose hostnames match with the new certificate are updated - to use the new certificate. This happens even if they are using certificates issued by other authorities. - (Note that if you want to prevent this from happening, you can use the `--excludebindings` switch). - - If no existing https binding can be found, a new binding is created. - - It will create bindings on the specified installation site and fall back to the target site if there is none. - - It will use port `443` on IP `*` unless different values are specified with the `--sslport` and/or - `--sslipaddress` switches. - - New bindings will be created or updated for matching host headers with the most specific match. E.g. if you - generate a certificate for `a.b.c.com`, the order of preference for the binding creation/change will be: - 1. `a.b.c.com` - 2. `*.b.c.com` - 3. `*.c.com` - 4. `*.com` - 5. `*` (Default/empty binding) - - If the certificate contains a wildcard domain, the order of preference will be: - 1. `*.a.b.c.com` - 2. `x.a.b.c.com` - - In both cases, the first preferred option will be created from scratch if none of the later options - are available. - - In some cases the plugin will not be able to (safely) add a new binding on older versions of IIS, e.g. due to - lack of support for SNI and/or wildcard bindings. In that case the user will have to create them manually. - Renewals will still be automatic after this initial manual setup. - -## Unattended -`--installation iis [--installationsiteid x] [-sslport x] [--sslipaddress x]`
\ No newline at end of file diff --git a/docs/reference/plugins/installation/index.md b/docs/reference/plugins/installation/index.md deleted file mode 100644 index a031317..0000000 --- a/docs/reference/plugins/installation/index.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -sidebar: reference ---- - -# Installation plugins -Installation plugins are responsible for making the necessary changes to your -application(s) after successfully creating or renewing a certificate. Currently -there are three of these plugins. - -## Multiple -More than one plugin can run by choosing them in order of execution. In interactive -mode you will be asked, for unattended mode you can provide a comma seperated list, -e.g. `--installation certificatestore,pemfiles` - -## Default (simple mode) -In simple mode the default installation plugin is [IIS Web](/win-acme/reference/plugins/installation/iisweb). - -## Default (full options / unattended) -In full options and unattended modes there are **no** default installation steps, -which is equivalent to `--installation none`. You can to explicitly choose them -from the interface or using the `--installation` switch.
\ No newline at end of file diff --git a/docs/reference/plugins/installation/script.md b/docs/reference/plugins/installation/script.md deleted file mode 100644 index 561a52a..0000000 --- a/docs/reference/plugins/installation/script.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -sidebar: reference ---- - -# Script -Runs an external script or executable after a succesful renewal. This may be a `.bat`, `.ps1` or even `.exe`. -You provide the program with the path to the script and it will run automatically. - -## Parameters -The following variables can be provided from the program to the script as command line arguments. - -| Value | Replaced with | -|----------------|----------------| -| `{0}` or `{CertCommonName}` | Common name (primary domain name) | -| `{1}` or `{CachePassword}` | The .pfx password (generated randomly for each renewal) | -| `{2}` or `{CacheFile}` | Full path of the cached.pfx file | -| `{4}` or `{CertFriendlyName}` | Friendly name of the generated certificate | -| `{5}` or `{CertThumbprint}` | Thumbprint of the generated certificate | -| `{7}` or `{RenewalId}` | Id of the renewal | -| `{3}` or `{6}` or `{StorePath}` | Path or store name used by the (first) store plugin | -| `{StoreType}` | Name of the plugin (CentralSsl, CertificateStore or PemFiles) | - -## Example -If you need your scripts parameters to look something like this: - -`action=import file=C:\mydomain.pfx password=*****` - -Then your argument string should look like this: - -`action=import file={CacheFile} password={CachePassword}` - -## Unattended -`--installation script --script C:\script.bat [--scriptparameters x]` - -### Parameter escaping -If you need to put double quotes around your parameters from the command line, you have to escape them with a slash, for example: - -`--scriptparameters "action=import file=\"{CacheFile}\" password=\"{CachePassword}\""` - -For **Powershell** scripts, string parameters can also be delimited with single quotes, for example: - -`--scriptparameters "action=import file='{CacheFile}' password='{CachePassword}'"`
\ No newline at end of file diff --git a/docs/reference/plugins/store/centralssl.md b/docs/reference/plugins/store/centralssl.md deleted file mode 100644 index c7d2fdd..0000000 --- a/docs/reference/plugins/store/centralssl.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -sidebar: reference ---- - -# IIS Central Certificate Store (CSS) -Designed for the [Central Certificate Store](https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/) -introduced in Windows 2012. Creates a separate copy of the `.pfx` file for each hostname and places -it in the path provided by the `--centralsslstore` parameter, or the `DefaultCentralSslStore` setting -in [settings.json](/win-acme/reference/settings). Using this store also triggers any created or -updated IIS bindings to get the `CentralSSL` flag. - -## Unattended -`--store centralssl [--centralsslstore C:\CentralSSL\] [--pfxpassword *****]`
\ No newline at end of file diff --git a/docs/reference/plugins/store/certificatestore.md b/docs/reference/plugins/store/certificatestore.md deleted file mode 100644 index 970d7af..0000000 --- a/docs/reference/plugins/store/certificatestore.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -sidebar: reference ---- - -# Windows Certificate Store -Default plugin, saves certificates to the Windows Certificate store. Which store is used is based on the following priorities: - -- Store configured for the specific renewal -- Global default is configured in [settings.json](/win-acme/reference/settings) -- `WebHosting` store (if it exists, i.e. Windows 2012+ with IIS) -- The machine-level `My` store (better known as Personal) - -## Keep existing -The `--keepexisting` switch can be used to prevent the program from deleting older -versions of the certificate from the store. - -## Private key ACL -The `--acl-fullcontrol` parameter can be used to grant principals other than the -defaults for a specific store full control access to the private key. - -## Unattended -`[--store certificatestore] [--certificatestore My] [--keepexisting] [--acl-fullcontrol "network service,administrators"]`
\ No newline at end of file diff --git a/docs/reference/plugins/store/index.md b/docs/reference/plugins/store/index.md deleted file mode 100644 index 17988a1..0000000 --- a/docs/reference/plugins/store/index.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -sidebar: reference ---- - -# Store plugins -Store plugins are responsible for storing issued certificates in their permanent -location(s). The program will cache the certificate in a `.pfx` file in its -CertificatePath (which defaults to `%programdata%\win-acme\[baseuri]certificates`) but -these files are protected by random passwords to prevent local non-administrators -from obtaining keys. Store plugins are responsible for making the certificates -accessible to the application(s) that need them. - -## Multiple -More than one plugin can run by choosing them in order of execution. In interactive -mode you will be asked, for unattended mode you can provide a comma seperated list, -e.g. `--store certificatestore,pemfiles` - -## Default -The default is the [Windows Certificate Store](/win-acme/reference/plugins/store/certificatestore). - -## None -To instruct the program not to use any store, for example when your installation -script handles it, you may specify `--store none`
\ No newline at end of file diff --git a/docs/reference/plugins/store/pemfiles.md b/docs/reference/plugins/store/pemfiles.md deleted file mode 100644 index 86fbfe4..0000000 --- a/docs/reference/plugins/store/pemfiles.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -sidebar: reference ---- - -# PemFiles -Designed for [Apache](/win-acme/manual/advanced-use/examples/apache), nginx and other web servers. -Exports a `.pem` file for the certificate and private key and places them in -the path provided by the `--pemfilespath` parameter, or the `DefaultPemFilesPath` -setting in [settings.json](/win-acme/reference/settings). - -## Unattended -`--store pemfiles [--pemfilespath C:\Certificates\]`
\ No newline at end of file diff --git a/docs/reference/plugins/target/csr.md b/docs/reference/plugins/target/csr.md deleted file mode 100644 index ddc716f..0000000 --- a/docs/reference/plugins/target/csr.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -sidebar: reference ---- - -# CSR -Use a certificate signing request generated by third party software. -When this target plugin is chosen, you will obviously not be able to select -a [CSR plugin](/win-acme/reference/plugins/csr/) as well, meaning that any -customization and key selection requirements should already be met. - -Note that it's possible though not required to provide the private key to -the program as well. If you do not provide the private key, the certificate -as stored by the [store plugins](/win-acme/reference/plugins/store/) will -have limited use. - -## Unattended -`--target csr --csrfile C:\csr.txt [--pkfile C:\key.txt]`
\ No newline at end of file diff --git a/docs/reference/plugins/target/iis.md b/docs/reference/plugins/target/iis.md deleted file mode 100644 index b93e3ea..0000000 --- a/docs/reference/plugins/target/iis.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -sidebar: reference ---- - -# IIS -Create target based on bindings configured in IIS. -- Automatically updates webroot path (useful for [FileSystem validation](/win-acme/reference/plugins/validation/http/filesystem)) - -# Filtering bindings -While it's possible to create a certificate for all bindings in all sites, typically you will want to select some -specific bindings to create a certificate for. There are several filters available, that in some cases can also be -combined with eachother. - -## Site filters -You can choose to limit the certificate to specific websites by specifying a site identifier, or a comma seperated list -of them. The magic value `s` will dynamically target all current and future websites created on the server. - -## Binding filters -You can filter bindings by host name by specifically typing them out. It's also be possible to filter hosts by a pattern -or by a regular expression. - -### Pattern -You may use a `*` for a range of any characters and a `?` for any single character. For example: the pattern `example.*` -will match `example.net` and `example.com` (but not `my.example.com`). The pattern `?.example.com` will match -`a.example.com` and `b.example.com` (but not `www.example.com`). Note that multiple patterns can be combined by -comma seperating them. - -### Regex -If a pattern is not powerful enough for you, there is the ultimate solution of applying a regular expression to the -problem. [regex101.com](https://regex101.com/) is a nice tool to help test your regular expression. 
- -## Unattended -- ##### Single binding -`--target iis --host example.com [--siteid 1]` -- ##### Multiple bindings -`--target iis --host example.com,www.example.com [--siteid 1,2,3] [--commonname common.example.com]` -- ##### All bindings of a site -`--target iis --siteid 1 [--commonname common.example.com] [--excludebindings exclude.example.com]` -- ##### All bindings of multiple sites -`--target iis --siteid 1,2,3 [--commonname common.example.com] [--excludebindings exclude.example.com]` -- ##### All bindings of all sites -`--target iis --siteid s [--commonname common.example.com] [--excludebindings exclude.example.com]` -- ##### Binding pattern -`--target iis --host-pattern *.example.??? [--siteid 1,2,3] [--commonname common.example.com] [--excludebindings exclude.example.com]` -- ##### Binging regex -`--target iis --host-regex [a-z]{3}\.example(\.com|\.net) [--siteid 1,2,3] [--commonname common.example.com] [--excludebindings exclude.example.com]`
\ No newline at end of file diff --git a/docs/reference/plugins/target/index.md b/docs/reference/plugins/target/index.md deleted file mode 100644 index af4e5ac..0000000 --- a/docs/reference/plugins/target/index.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -sidebar: reference ---- - -# Target plugins - -A target plugin is responsible for providing information about a (potential) certificate to the rest of the program. -Its primary purpose is to determine which host names should be included in the SAN list, but can also provide extra -information such as the preferred common name or bindings to exclude. - -## Default - -There is no default target plugin, it always has to be chosen by the user.
\ No newline at end of file diff --git a/docs/reference/plugins/target/manual.md b/docs/reference/plugins/target/manual.md deleted file mode 100644 index 4422c40..0000000 --- a/docs/reference/plugins/target/manual.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -sidebar: reference ---- - -# Manual -Manually input host names. The first name will be the common name of the certificate, the other will only be in the SAN list. - -## Unattended -`--target manual --host a.example.com,b.example.com`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/acme-dns.md b/docs/reference/plugins/validation/dns/acme-dns.md deleted file mode 100644 index 18f7f6a..0000000 --- a/docs/reference/plugins/validation/dns/acme-dns.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -sidebar: reference ---- - -# acme-dns -Use an [acme-dns](https://github.com/joohoi/acme-dns) server to handle the validation records. -The plugin will ask you to choose an endpoint to use. For testing the `https://auth.acme-dns.io/` -endpoint is useful, but it is a security concern. As the readme of that project clearly states: - -> "You are encouraged to run your own acme-dns instance." - -It's possible to use basic authentication for your acme-dns service by specifying a url with -the format `https://user:password@acme-dns.example.com/` - -## Unattended -Not supported, unless there is a pre-existing acme-dns registration for all the domains. -The reason for this is that acme-dns requires you to create CNAME records. In the future this -might be scripted the same way we can script DNS validation itself, but so far there hasn't been -enough demand for that feature to make it worth developing.
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/azure.md b/docs/reference/plugins/validation/dns/azure.md deleted file mode 100644 index 6518557..0000000 --- a/docs/reference/plugins/validation/dns/azure.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -sidebar: reference ---- - -# Azure DNS -Create the record in Azure DNS. - -{% include plugin-seperate.md %} - -## Setup -This assumes you already have your DNS managed in Azure; if not, you'll need to set that up first. If you are -using the Azure DNS option for validation, you'll need to get certain info from your Azure Tenant, and create -a service principal for win-acme to use (you'll only need to create on of these - it's basically an account that has authority to create DNS records). -There are two ways to authenticate with Azure: - -#### Create Azure AD Service Principal Account -Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest) -to create an [Azure service principal](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) - -You then need to give this Service Principal access to change DNS entries. In the Azure Portal: -* Go to `DNS Zones` > `sub.example.com` > `Access Control (IAM)` -* Click `Add` -* For Role, choose `DNS Zone Contributor` -* Assign access to `Azure AD user, group, or application` -* Select your Service Principal -* Click `Save` - -#### Use a Managed Service Identity -More information [here](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) - -### Configuring the plugin -During setup of the validation the program will ask several questions. -Here is to answer them with information from the Azure Portal. - -* `DNS Subscription ID`: DNS Zones > `sub.example.com` > `Subscription ID` -* `DNS Resource Group Name`: DNS zones > `sub.example.com` > `Resource Group`) - -Only when authenticating Service Principal Account: - -* `Directory/tenant id`: Azure Active Directory > Properties > `Directory ID`. -* `Application client id`: Azure Active Directory > App registrations > [Service Principal] > `Application ID`. 
-* `Application client secret`: The password that was generated when you created the Service Principal Account. - -### Resources -- [How to: Use Azure PowerShell to create a service principal with a certificate](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell) -- [DNS SDK](https://docs.microsoft.com/en-us/azure/dns/dns-sdk) - -## Unattended -#### Service Principal Account -`--validationmode dns-01 --validation azure --azuretenantid x --azureclientid x --azuresecret *** --azuresubscriptionid x --azureresourcegroupname x` -#### Managaged Resource Identity -`--validationmode dns-01 --validation azure --azureusemsi --azuresubscriptionid x --azureresourcegroupname x`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/cloudflare.md b/docs/reference/plugins/validation/dns/cloudflare.md deleted file mode 100644 index 7c934d9..0000000 --- a/docs/reference/plugins/validation/dns/cloudflare.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -sidebar: reference ---- - -# Cloudflare -Create the record in Cloudflare DNS. - -{% include plugin-seperate.md %} - -## Setup -This assumes you already have your DNS managed in Cloudflare; if not, you'll need to set that up first. If you are -using the Cloudflare DNS option for validation, you'll need to obtain a Cloudflare API Token (not Key) that is allowed -to read and write the DNS records of the zone your domain belongs to. - -### Create an appropriate API Token -1. Navigate here: https://dash.cloudflare.com/profile/api-tokens -2. Click *Create Token* -3. Choose a name -4. Under *Permissions*, select "Zone", "DNS", "Edit"; Click *Add More*, select "Zone", "Zone", "Read" -5. Under *Zone Resources*, select "Include", "All zones" (or "All zones from an account" and select the relevant account). - * Note that restricting access to the single target zone does not work, as we can not get the zone's id by its domain name then. You might be able to exclude other zones specifically. If this is a show stopper for you please open an issue to discuss how to proceed. -6. Finish creating the token, store it in a safe place or, better, paste it directly into win-acme. - -## Unattended -`--validationmode dns-01 --validation cloudflare --cloudflareapitoken ***` diff --git a/docs/reference/plugins/validation/dns/dreamhost.md b/docs/reference/plugins/validation/dns/dreamhost.md deleted file mode 100644 index 22c73be..0000000 --- a/docs/reference/plugins/validation/dns/dreamhost.md +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -sidebar: reference ---- - -# Dreamhost -Update record for [Dreamhost](https://www.dreamhost.com/) - -{% include plugin-seperate.md %} - -## Setup -Requires an API key - -## Unattended -`--validation dreamhost --validationmode dns-01 --apikey x`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/index.md b/docs/reference/plugins/validation/dns/index.md deleted file mode 100644 index 84251f5..0000000 --- a/docs/reference/plugins/validation/dns/index.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -sidebar: reference ---- - -# DNS validation -DNS validation works as follows: -- For each domain, e.g. `sub.example.com`, the ACME server provides a -challenge consisting of an `x` and `y` value. The truth is actually a little -more complicated than that, but for the sake of this explanation it will suffice. -- The client has to make sure that when the ACME server requests the TXT -records for `_acme-challenge.sub.example.com`, -there should be at least one record called `x` with content `"y"`. -- There may be more than one validation lookup for the same token, e.g. from -different locations or different protocols (IPv4/IPv6). -- Let's Encrypt validates the DNSSEC chain. -- Let's Encrypt follows CNAME records and respects delegated autority. -- Let's Encrypt does *not* disclose the source locations of these lookups, which -effectively means that the DNS records have to be public, at least for the duration of -the validation.
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/manual.md b/docs/reference/plugins/validation/dns/manual.md deleted file mode 100644 index 2ab0dcd..0000000 --- a/docs/reference/plugins/validation/dns/manual.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -sidebar: reference ---- - -# Manual -The client will show the record that is supposed to be created on screen and it will have -to be created manually by whatever means necessary. Obviously not good for unattended operation -but it is a good way to get started as a proof of concept, before investing in further -automation. - -## Unattended -Not supported (obviously)
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/route53.md b/docs/reference/plugins/validation/dns/route53.md deleted file mode 100644 index ba59836..0000000 --- a/docs/reference/plugins/validation/dns/route53.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -sidebar: reference ---- - -# Route 53 -Create the record in Amazon Route53 - -{% include plugin-seperate.md %} - -## Setup -This requires either a user or an IAM role with the following permissions on the zone: -`route53:GetChange`, `route53:ListHostedZones` and `route53:ChangeResourceRecordSets` - -## Unattended -- User: -`--validation route53 --validationmode dns-01 --route53accesskeyid x --route53secretaccesskey ***` -- IAM role: -`--validation route53 --validationmode dns-01 --route53iamrole x`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/dns/script.md b/docs/reference/plugins/validation/dns/script.md deleted file mode 100644 index 467fb49..0000000 --- a/docs/reference/plugins/validation/dns/script.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -sidebar: reference ---- - -# Script -Run an external script or program to create or update the validation records. - -## Create -A script to create the DNS record must be provided. The arguments passed to the -script will be `create {Identifier} {RecordName} {Token}` by default, where the -following replacements are made by win-acme: - -| Value | Replaced with | -|----------------|----------------| -| `{Identifier}` | host name that's being validated, e.g. `sub.example.com` | -| `{RecordName}` | full name of the TXT record that is being expected, e.g. `_acme-challenge.sub.example.com` | -| `{Token}` | content of the TXT record, e.g. `DGyRejmCefe7v4NfDGDKfA` | - -The order and format of arguments may be customized by providing a diffent argument string. -For example if your script needs arguments like: - -`--host _acme-challenge.example.com --token DGyRejmCefe7v4NfDGDKfA` - -...your argument string should like like this: - -`--host {RecordName} --token {Token}` - -## Delete -Optionally, another script may be provided to delete the record after validation. The arguments passed to the -script will be `delete {Identifier} {RecordName} {Token}` by default. The order and format of arguments may be -customized by providing a diffent argument string, just like for the create script. You can also choose to use -the same script for create and delete, with each their own argument string. - -## Resources -A lot of good example scripts are available from the -[POSH-ACME](https://github.com/rmbolger/Posh-ACME/tree/master/Posh-ACME/DnsPlugins) -project. 
- -## Unattended -- ##### Create script only -`-validationmode dns-01 --validation script --dnscreatescript c:\create.ps1 [--dnscreatescriptarguments {args}]` -- ##### Create and delete scripts seperate -`-validationmode dns-01 --validation script --dnscreatescript c:\create.ps1 --dnsdeletescript c:\delete.ps1 [--dnscreatescriptarguments {args}] [--dnsdeletescriptarguments {args}]` -- ##### Create-delete script (integrated) -`-validationmode dns-01 --validation script --dnsscript c:\create-and-delete.ps1 [--dnscreatescriptarguments {args}] [--dnsdeletescriptarguments {args}]`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/filesystem.md b/docs/reference/plugins/validation/http/filesystem.md deleted file mode 100644 index 4ae8996..0000000 --- a/docs/reference/plugins/validation/http/filesystem.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -sidebar: reference ---- - -# Filesystem -This plugin saves the validation challenge to a local path, which may of course also be a network path. - -{% include validation-http-common.md %} - -## Unattended -`--validation filesystem [--validationsiteid x] [--webroot c:\httpdocs\]`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/ftps.md b/docs/reference/plugins/validation/http/ftps.md deleted file mode 100644 index 01369a4..0000000 --- a/docs/reference/plugins/validation/http/ftps.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -sidebar: reference ---- - -# FTP(S) -This plugin uploads the validation challenge to a (secure) FTP server. - -{% include validation-http-common.md %} - -## Unattended -`--validation ftp --webroot ftps://x/ --username admin --password ******`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/index.md b/docs/reference/plugins/validation/http/index.md deleted file mode 100644 index 25c8164..0000000 --- a/docs/reference/plugins/validation/http/index.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -sidebar: reference ---- - -# HTTP validation -HTTP validation works as follows: -- For each domain (e.g. `sub.example.com`), the ACME server sends a -challenge consisting of an `x` and `y` value. The truth is actually a little -more complicated than that, but for the sake of this explanation it will suffice. -- The client has to make sure that when the ACME server makes a request -to `http://sub.example.com/.well-known/acme-challenge/x`, the content of the HTTP -response will be `y` with some specific headers set as well. -- The validation request is *always* made to port 80, that cannot be changed. -- The ACME server **does** follow 301/302 redirects. -- There may be more than one validation request for the same token, e.g. from -different locations or different protocols (IPv4/IPv6). -- Let's Encrypt does **not** disclose the source locations of these requests, which -effectively means that the domain has to be accessible for the public, -at least for the duration of the validation.
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/selfhosting.md b/docs/reference/plugins/validation/http/selfhosting.md deleted file mode 100644 index a1b4c31..0000000 --- a/docs/reference/plugins/validation/http/selfhosting.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -sidebar: reference ---- - -# Self-hosting -This plugin launches a temporary built-in web listener that stores the validation -response in memory. It can share port 80 with IIS and other (Microsoft) software -so this doesn't interfere with regular traffic. Not all software supports this -port sharing feature though. If you get errors telling you that the listener -cannot be started, try to (temporarely) shut down other processes using the -port, or look for another validation method. - -## Non-default port -Even though Let's Encrypt will always send validation requests to port 80, -you may internally proxy, NAT or redirect that to another port. Using the -`--validationport` switch you can tell the plugin to listen to a specific port. - -## Firewall exemption -Obviously, whichever port is used will have to be accessible from outside, meaning -your firewall(s) will have to permit access. Unfortunately due to the use of the -port sharing mechanism, it's not possible to configure the Windows Firewall with -a rule for a specific application (i.e. `wacs.exe`), so you will have to open the -port to `System`. If you feel that is too generous, you could automate enabling/ -disabling this rule by running a script before and after `wacs.exe`. Make sure to -also add that script as steps in the scheduled task. - -## Unattended -`[--validation selfhosting] [--validationport 8080]`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/sftp.md b/docs/reference/plugins/validation/http/sftp.md deleted file mode 100644 index 62d59cc..0000000 --- a/docs/reference/plugins/validation/http/sftp.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -sidebar: reference ---- - -# SFTP -This plugin uploads the validation challenge to a SSH FTP, also known as SFTP, server. - -{% include validation-http-common.md %} - -## Unattended -`--validation sftp --webroot ftps://x/ --username admin --password ******`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/http/webdav.md b/docs/reference/plugins/validation/http/webdav.md deleted file mode 100644 index 94bfeaf..0000000 --- a/docs/reference/plugins/validation/http/webdav.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -sidebar: reference ---- - -# SFTP -This plugin pushes the validation challenge to a WebDav path. - -{% include validation-http-common.md %} - -## Unattended -`--validation webdav --webroot ftps://x/ --username admin --password ******`
\ No newline at end of file diff --git a/docs/reference/plugins/validation/index.md b/docs/reference/plugins/validation/index.md deleted file mode 100644 index bfb133d..0000000 --- a/docs/reference/plugins/validation/index.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -sidebar: reference ---- - -# Validation plugins - -A validation plugin is responsible for providing the ACME server with proof that you own the identifiers -(host names) that you want to create a certificate for. The -[ACMEv2 protocol](https://tools.ietf.org/html/draft-ietf-acme-acme-18) defines different -challenge types, three of which are supported by win-acme, namely -[HTTP-01](/win-acme/reference/plugins/validation/http/), -[DNS-01](/win-acme/reference/plugins/validation/dns/) and -[TLS-ALPN-01](/win-acme/reference/plugins/validation/tls-alpn/). - -For wildcard identifiers, only DNS-01 validation is accepted by Let's Encrypt. - -Several other challenge types are not supported for various reasons: -- `TLS-SNI-01/-02` - deprecated and removed -- `PROOFOFPOSSESSION-01` - unknown - -## Default - -By default, the [self-hosting plugin](/win-acme/reference/plugins/validation/http/selfhosting) is used.
\ No newline at end of file diff --git a/docs/reference/plugins/validation/tls-alpn/index.md b/docs/reference/plugins/validation/tls-alpn/index.md deleted file mode 100644 index d1b6aa9..0000000 --- a/docs/reference/plugins/validation/tls-alpn/index.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -sidebar: reference ---- - -# TLS-ALPN validation -TLS-ALPN validation works as follows: -- For each domain (e.g. `sub.example.com`), the ACME server sends a -challenge consisting of an `x` and `y` value. The truth is actually a little -more complicated than that, but for the sake of this explanation it will suffice. -- The client has to make sure that when the ACME server sets up a TLS connection -to `sub.example.com`, a specifically crafted negotiation response with a -self-signed certificate containing the `y` value as extension is presented. -- The validation request is *always* made to port 443, that cannot be changed. -- There may be more than one validation connection for the same token, e.g. -for different IP addresses (in case of multiple A/AAAA records). -- Let's Encrypt does **not** disclose the source locations of these requests, which -effectively means that the domain has to be accessible for the public, -at least for the duration of the validation.
\ No newline at end of file diff --git a/docs/reference/plugins/validation/tls-alpn/selfhosting.md b/docs/reference/plugins/validation/tls-alpn/selfhosting.md deleted file mode 100644 index 836c591..0000000 --- a/docs/reference/plugins/validation/tls-alpn/selfhosting.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -sidebar: reference ---- - -# Self-hosting -This plugin launches a temporary built-in TCP listener that stores the -validation response in memory. There for share port 80 with IIS and -other (Microsoft) software so this doesn't interfere with regular traffic. -Not all software supports this port sharing feature though. If you get errors -telling you that the listener cannot be started, please look for another -validation method. - -## Non-default port -Even though Let's Encrypt will always try to open the validation connection -on port 443, you may internally NAT that to another port. Using the -`--validationport` switch you can tell the plugin to listen to a specific port. - -## Unattended -`--validationmode tls-alpn-01 --validation selfhosting [--validationport 4330]`
\ No newline at end of file diff --git a/docs/reference/settings.md b/docs/reference/settings.md deleted file mode 100644 index 96cbb51..0000000 --- a/docs/reference/settings.md +++ /dev/null 
@@ -1,329 +0,0 @@ ---- -sidebar: reference ---- - -# Settings.json -Some of the applications' settings can be modified in a file called `settings.json`. -If this file is not present when the program starts it will be automatically -created on first run, copied from `settings_default.json`. This allows you to -xcopy new releases without worrying about overwriting your previously customized -settings. - -## Client - -### `ClientNames` -Default: `[ "win-acme" ]` - -The name of the client, which comes back in the scheduled task and the -`ConfigurationPath`. If more than one value is provided the first one will -be used. - -### `ConfigurationPath` -Default: `null` - -Change the location where the program stores its (temporary) files. If not specified -this resolves to `%programdata%\{ClientName}\{BaseUri}`. Values should be JSON-encoded, -e.g. `"C:\\"` (note the double backslash). - -### `LogPath` -Default: `null` - -The path where log files for the past 31 days are stored. If not -specified or invalid, this defaults to `{ConfigurationPath}\Log`. - -## UI - -### `DateFormat` -Default: `"yyyy/M/d H:mm:ss"` - -A string that is used to format the date of the pfx file friendly -name. [Documentation](https://msdn.microsoft.com/en-us/library/8kb3ddd4(v=vs.110).aspx) -for possibilities is available from Microsoft. - -### `PageSize` -Default: `50` - -The number of items to display per page in list views. - -### `TextEncoding` -Default: `"utf8"` - -Encoding to use for the console output. A list of possible values can be -found [here](https://docs.microsoft.com/en-us/dotnet/api/system.text.encoding?view=netcore-3.0). -For certain languages `"unicode"` might give better results displaying the characters, -but note that this reduces compatibility with other programs processing the output. - -## ACME - -### `DefaultBaseUri` -Default: `"https://acme-v02.api.letsencrypt.org/"` - -Default ACMEv2 endpoint to use when none is specified with -the command line. 
- -### `DefaultBaseUriTest` -Default: `"https://acme-staging-v02.api.letsencrypt.org/"` - -Default ACMEv2 endpoint to use when none is specified with -the command line and the `--test` switch is activated. - -### `DefaultBaseUriImport` -Default: `"https://acme-v01.api.letsencrypt.org/"` - -Default ACMEv1 endpoint to import renewal settings from. - -### `PostAsGet` -Default: `true` - -Use [POST-as-GET] mode as defined in -[RFC8555](https://tools.ietf.org/html/rfc8555#section-6.3), -will be required by Let's Encrypt in production from November 2020, -and in test from November 2019. - -### `RetryCount` -Default: `5` - -Maximum numbers of times to refresh validation and order status, while -waiting for the ACME server to complete its tasks. - -### `RetryInterval` -Default: `5` - -Amount of time in seconds to wait for each retry. - -## Proxy - -### `Url` -Default: `"[System]"` - -Configures a proxy server to use for communication with the ACME server and -other HTTP requests done by the program. The default setting uses the -system proxy. Passing an empty string will try to bypass the system proxy. - -### `Username` -Default: `null` - -Username used to access the proxy server. - -### `Password` -Default: `null` - -Password used to access the proxy server. - -## Cache - -### `Path` -Default: `null` - -The path where certificates and request files are cached. If not specified or invalid, -this defaults to `{ConfigurationPath}\Certificates`. If you are using -[Central SSL](//win-acme/reference/plugins/store/centralssl), this can **not** -be set to the same path. Values should be JSON-encoded, e.g. `"C:\\"` -(note the double backslash). - -### `ReuseDays` -Default: `1` - -When renewing or re-creating a previously requested certificate that -has the exact same set of domain names, the program will used a cached -version for this many days, to prevent users from running into -[rate limits](https://letsencrypt.org/docs/rate-limits/) while experimenting. 
-Set this to a high value if you regularly re-request the same certificates, -e.g. for a Continuous Deployment scenario. - -### `DeleteStaleFiles` -Default: `false` - -Automatically delete files older than 120 days from the `CertificatePath` -folder. Running with default settings, these should only be long-expired -certificates, generated for abandoned renewals. However we do advise caution. - -## Scheduled task - -### `RenewalDays` -Default: `55` - -The number of days to renew a certificate after. Let's Encrypt certificates are -currently for a max of 90 days so it is advised to not increase the days much. -If you increase the days, please note that you will have less time to fix any -issues if the certificate doesn't renew correctly. - -### `StartBoundary` -Default: `"09:00:00"` (9:00 am) - -Configures start time for the scheduled task. - -### `ExecutionTimeLimit` -Default: `"02:00:00"` (2 hours) - -Configures time after which the scheduled task will be -terminated if it hangs for whatever reason. - -### `RandomDelay` -Default: `"00:00:00"` - -Configures random time to wait for starting the scheduled task. - -## Notifications - -### `SmtpServer` -Default: `null` - -SMTP server to use for sending email notifications. -Required to receive renewal failure notifications. - -### `SmtpPort` -Default: `25` - -SMTP server port number. - -### `SmtpUser` -Default: `null` - -User name for the SMTP server, in case of authenticated SMTP. - -### `SmtpPassword` -Default: `null` - -Password for the SMTP server, in case of authenticated SMTP. - -### `SmtpSecure` -Default: `false` - -Change to `true` to enable SMTPS. - -### `SmtpSenderName` -Default: `null` - -Display name to use as the sender of notification emails. -Defaults to the `ClientNames[0]` setting when empty. - -### `SenderAddress` -Default: `null` - -Email address to use as the sender of notification emails. -Required to receive renewal failure notifications. 
- -### `ReceiverAddresses` -Default: `[]` - -Email address to receive notification emails. Required to -receive renewal failure notifications. The correct format -for the receiver is `["example@example.com"]` for a single -address and `["example1@example.com", "example2@example.com"]` -for multiple addresses. - -### `EmailOnSuccess` -Default: `false` - -Send an email notification when a certificate has been successfully renewed, -as opposed to the default behavior that only send failure notifications. -Only works if at least `SmtpServer`, `SmtpSenderAddress`and `SmtpReceiverAddress` -have been configured. - -## Security - -### `RSAKeyBits` -Default: `3072` - -The key size to sign the certificate with. Minimum is 2048. - -### `ECCurve` -Default: `"secp384r1"` - -The curve to use for EC certificates. - -### `PrivateKeyExportable` -Default: `false` - -If set to `true`, it will be possible to export the generated certificates from -the certificate store, for example to move them to another server. - -### `EncryptConfig` -Default: `true` - -Uses Microsoft Data Protection API to encrypt sensitive parts of -the configuration, e.g. passwords. This may be disabled to share -the configuration across a cluster of machines. - -## Script - -### `Timeout` -Default: `600` - -Time in seconds to allow installation and DNS scripts to run before -terminating them forcefully. - -## Validation - -### `CleanupFolders` -Default: `true` - -If set to `true`, it will cleanup the folder structure and files it creates -under the site for authorization. - -### `PreValidateDns` -Default: `true` - -If set to `true`, it will wait until it can verify that the validation record -has been created and is available before beginning DNS validation. - -### `PreValidateDnsRetryCount` -Default: `5` - -Maximum numbers of times to retry DNS pre-validation, while -waiting for the name servers to start providing the expected answer. 
- -### `PreValidateDnsRetryInterval` -Default: `30` - -Amount of time in seconds to wait between each retry. - -### `DnsServers` -Default: `[ "8.8.8.8", "1.1.1.1", "8.8.4.4" ]` - -A list of servers to query during DNS prevalidation checks to verify whether -or not the validation record has been properly created and is visible for the -world. These servers will be used to located the actual authoritative name -servers for the domain. You can use the string `[System]` to have the -program query your servers default, but note that this can lead to -prevalidation failures when your Active Directory is hosting a private -version of the DNS zone for internal use. - -## Store - -### `DefaultCertificateStore` -Default: `null` - -The certificate store to save the certificates in. If left empty, certificates will -be installed either in the `WebHosting` store, or if that is not available, -the `My` store (better known as `Personal`). - -### `DefaultCentralSslStore` -Default: `null` - -When using `--store centralssl` this path is used by default, saving you the -effort from providing it manually. Filling this out makes the `--centralsslstore` -parameter unnecessary in most cases. Renewals created with the default path will -automatically change to any future default value, meaning this is also a good -practice for maintainability. Values should be JSON-encoded, e.g. `"C:\\"` -(note the double backslash). - -### `DefaultCentralSslPfxPassword` -Default: `null` - -When using `--store centralssl` this password is used by default for the pfx -files, saving you the effort from providing it manually. Filling this out makes -the `--pfxpassword` parameter unnecessary in most cases. Renewals created with -the default password will automatically change to any future default value, -meaning this is also a good practice for maintainability. 
- -### `DefaultPemFilesPath` -Default: `null` - -When using `--store pemfiles` this path is used by default, saving you the effort -from providing it manually. Filling this out makes the `--pemfilespath` parameter -unnecessary in most cases. Renewals created with the default path will automatically -change to any future default value, meaning this is also a good practice for -maintainability. Values should be JSON-encoded, e.g. `"C:\\"` -(note the double backslash).
\ No newline at end of file |
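Review bot: missing documentation for where this content goes. The diffstat shows 37 files and 1432 deletions under docs/reference with zero insertions, so the command line reference, every validation plugin page and the settings.json reference are removed in one commit without any replacement, redirect or pointer visible in the patch. Since the deleted validation/index.md itself links to `/win-acme/reference/plugins/validation/http/selfhosting`, external and in-repo links of that shape will break; suggest landing the relocated pages in the same change, or at least a stub page at the old location that points readers to the new home.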
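Review bot: the three unattended examples in the script.md hunk use a single dash, `-validationmode dns-01 --validation script ...`, while every other plugin page in this patch writes `--validationmode`; if these pages are being moved rather than dropped, correct them at the destination, together with the spellings "seperate" and "diffent" in the same file.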
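Review bot: webdav.md is a copy of the SFTP page that was never adapted: its heading reads `# SFTP` and its unattended example uses `--webroot ftps://x/` for a plugin that pushes to a WebDAV path. Wherever this content lands, the heading should say WebDAV and the example should show a WebDAV URL rather than an ftps:// one.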
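Review bot: in sftp.md the unattended example is `--validation sftp --webroot ftps://x/ --username admin --password ******`; an `ftps://` webroot belongs to the FTP(S) plugin, so this example will mislead anyone copying it for SFTP. Fix the scheme if the page is relocated.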
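Review bot: settings.md cross-references setting names that do not exist in the document: `EmailOnSuccess` says it requires `SmtpSenderAddress` and `SmtpReceiverAddress`, but the settings defined above are `SenderAddress` and `ReceiverAddresses`; `DeleteStaleFiles` refers to the `CertificatePath` folder, while the cache location setting is `Path` under Cache. The `[POST-as-GET]` reference has no link target, and the Central SSL link `//win-acme/reference/plugins/store/centralssl` has a doubled leading slash, which renders as a protocol-relative URL. Worth fixing wherever this content is moved.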
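Review bot: the Managed Service Identity section of azure.md consists of a single link and no role-assignment step, whereas the service principal section walks through granting `DNS Zone Contributor` on the zone; if the page is relocated, document both authentication paths to the same depth. The same file has "create on of these", "Here is to answer them" and "Managaged Resource Identity" to clean up.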
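Review bot: tls-alpn/selfhosting.md says "There for share port 80 with IIS and other (Microsoft) software", which is both garbled and names the wrong port: the same page states that Let's Encrypt always opens the validation connection on port 443 and the example uses `--validationport 4330`. If migrated, make it "Therefore it can share port 443 ..." so the TLS-ALPN page does not contradict itself.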