update cert to certificate

Noah Swartz 2017-04-27 14:53:30 -07:00
parent 72fa27514e
commit a701419ce9
2 changed files with 70 additions and 69 deletions

@ -3,26 +3,26 @@ usage:
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. The most common SUBCOMMANDS and flags are:
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a cert in your current webserver
certonly Obtain or renew a cert, but do not install it
renew Renew all previously obtained certs that are near expiry
-d DOMAINS Comma-separated list of domains to obtain a cert for
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near expiry
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certs interactively, or using shell script hooks
--manual Obtain certificates interactively, or using shell script hooks
-n Run non-interactively
--test-cert Obtain a test cert from a staging server
--dry-run Test "renew" or "certonly" without saving any certs to disk
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates to disk
manage certificates:
certificates Display information about certs you have from Certbot
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path)
delete Delete a certificate
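Review bot: this file reads as the CLI's own help output (the hunk context is "usage:"), and the commit touches only 2 files, so if it is generated from the help strings in the code, the same rewording has to be made in those strings or the next regeneration will bring "cert" back. Worth confirming where the text for lines such as "certonly Obtain or renew a certificate, but do not install it" is actually defined before merging.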
@ -57,14 +57,14 @@ optional arguments:
certificate, specifies the new certificate's name.
(default: None)
--dry-run Perform a test run of the client, obtaining test
(invalid) certs but not saving them to disk. This can
(invalid) certificates but not saving them to disk. This can
currently only be used with the 'certonly' and 'renew'
subcommands. Note: Although --dry-run tries to avoid
making any persistent changes on a system, it is not
completely side-effect free: if used with webserver
authenticator plugins like apache and nginx, it makes
and then reverts temporary config changes in order to
obtain test certs, and reloads webservers to deploy
obtain test certificates, and reloads webservers to deploy
and then roll back those changes. It also calls --pre-
hook and --post-hook commands if they are defined
because they may be necessary to accurately simulate
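Review bot: in the --dry-run description the replaced lines were edited in place without re-wrapping, so "(invalid) certificates but not saving them to disk. This can" now runs longer than the neighbouring lines of the same paragraph. The --keep-until-expiring and --test-cert hunks re-flow their paragraphs after the substitution; please re-wrap this one the same way so the help text stays consistent.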
@ -95,11 +95,11 @@ automation:
Arguments for automating execution & other tweaks
--keep-until-expiring, --keep, --reinstall
If the requested cert matches an existing cert, always
keep the existing one until it is due for renewal (for
the 'run' subcommand this means reinstall the existing
cert). (default: Ask)
--expand If an existing cert is a strict subset of the
If the requested certificate matches an existing
certificate, always keep the existing one until it is
due for renewal (for the 'run' subcommand this means
reinstall the existing certificate). (default: Ask)
--expand If an existing certificate is a strict subset of the
requested names, always expand and replace it with the
additional names. (default: Ask)
--version show program's version number and exit
@ -171,8 +171,9 @@ testing:
--test-cert, --staging
Use the staging server to obtain or revoke test
(invalid) certs; equivalent to --server https://acme-
staging.api.letsencrypt.org/directory (default: False)
(invalid) certificates; equivalent to --server
https://acme-staging.api.letsencrypt.org/directory
(default: False)
--debug Show tracebacks in case of errors, and allow certbot-
auto execution on experimental platforms (default:
False)
@ -188,20 +189,20 @@ testing:
the port Certbot listens on. A conforming ACME server
will still attempt to connect on port 80. (default:
80)
--break-my-certs Be willing to replace or renew valid certs with
invalid (testing/staging) certs (default: False)
--break-my-certs Be willing to replace or renew valid certificates with
invalid (testing/staging) certificates (default: False)
paths:
Arguments changing execution paths & servers
--cert-path CERT_PATH
Path to where cert is saved (with auth --csr),
Path to where certificate is saved (with auth --csr),
installed from, or revoked. (default: None)
--key-path KEY_PATH Path to private key for cert installation or
--key-path KEY_PATH Path to private key for certificate installation or
revocation (if account key is missing) (default: None)
--fullchain-path FULLCHAIN_PATH
Accompanying path to a full certificate chain (cert
plus chain). (default: None)
Accompanying path to a full certificate chain
(certificate plus chain). (default: None)
--chain-path CHAIN_PATH
Accompanying path to a certificate chain. (default:
None)
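Review bot: in the --cert-path help, "Path to where certificate is saved (with auth --csr)," is missing an article now that the word is spelled out; since the line is being touched anyway, "Path to where the certificate is saved" reads better. The --break-my-certs and --key-path lines were also lengthened without re-wrapping, unlike --fullchain-path just below, which was re-flowed.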
@ -225,10 +226,10 @@ manage:
directory
run:
Options for obtaining & installing certs
Options for obtaining & installing certificates
certonly:
Options for modifying how a cert is obtained
Options for modifying how a certificate is obtained
--csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
@ -267,9 +268,9 @@ renew:
the shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certs and keys; the shell variable
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed cert domains (for example,
of renewed certificate domains (for example,
"example.com www.example.com") (default: None)
--disable-hook-validation
Ordinarily the commands specified for --pre-hook
@ -288,7 +289,7 @@ delete:
Options for deleting a certificate
revoke:
Options for revocation of certs
Options for revocation of certificates
--reason {keycompromise,affiliationchanged,superseded,unspecified,cessationofoperation}
Specify reason for revoking certificate. (default: 0)
@ -324,7 +325,7 @@ unregister:
--account ACCOUNT_ID Account ID to use (default: None)
install:
Options for modifying how a cert is deployed
Options for modifying how a certificate is deployed
config_changes:
Options for controlling which changes are displayed
@ -347,7 +348,7 @@ plugins:
--installers Limit to installer plugins only. (default: None)
update_symlinks:
Recreates cert and key symlinks in /etc/letsencrypt/live, if you changed
Recreates certificate and key symlinks in /etc/letsencrypt/live, if you changed
them by hand or edited a renewal configuration file
plugins:
@ -366,13 +367,13 @@ plugins:
-i INSTALLER, --installer INSTALLER
Installer plugin name (also used to find domains).
(default: None)
--apache Obtain and install certs using Apache (default: False)
--nginx Obtain and install certs using Nginx (default: False)
--standalone Obtain certs using a "standalone" webserver. (default:
--apache Obtain and install certificates using Apache (default: False)
--nginx Obtain and install certificates using Nginx (default: False)
--standalone Obtain certificates using a "standalone" webserver. (default:
False)
--manual Provide laborious manual instructions for obtaining a
cert (default: False)
--webroot Obtain certs by placing files in a webroot directory.
certificate (default: False)
--webroot Obtain certificates by placing files in a webroot directory.
(default: False)
nginx:
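Review bot: the --apache, --nginx, --standalone and --webroot descriptions were lengthened but keep their old wrap points, so "--standalone Obtain certificates using a "standalone" webserver. (default:" still breaks before "False)" even though the line is now longer than its neighbours. Please re-wrap these entries as was done for --manual directly below them.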

@ -24,16 +24,16 @@ Getting certificates (and choosing plugins)
The Certbot client supports two types of plugins for
obtaining and installing certificates: authenticators and installers.
Authenticators are plugins used with the ``certonly`` command to obtain a cert.
Authenticators are plugins used with the ``certonly`` command to obtain a certificate.
The authenticator validates that you
control the domain(s) you are requesting a cert for, obtains a cert for the specified
domain(s), and places the cert in the ``/etc/letsencrypt`` directory on your
machine. The authenticator does not install the cert (it does not edit any of your server's configuration files to serve the
control the domain(s) you are requesting a certificate for, obtains a certificate for the specified
domain(s), and places the certificate in the ``/etc/letsencrypt`` directory on your
machine. The authenticator does not install the certificate (it does not edit any of your server's configuration files to serve the
obtained certificate). If you specify multiple domains to authenticate, they will
all be listed in a single certificate. To obtain multiple separate certificates
you will need to run Certbot multiple times.
Installers are Plugins used with the ``install`` command to install a cert.
Installers are Plugins used with the ``install`` command to install a certificate.
These plugins can modify your webserver's configuration to
serve your website over HTTPS using certificates obtained by certbot.
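Review bot: the changed line "Installers are Plugins used with the ``install`` command to install a certificate." still capitalises "Plugins" mid-sentence, while the parallel sentence above uses "Authenticators are plugins". Lowercase it while the line is being edited. The line starting "machine. The authenticator does not install the certificate (it does not edit..." is also far longer than the rest of the paragraph and could be re-wrapped.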
@ -44,19 +44,19 @@ a combination of distinct authenticator and installer plugins.
=========== ==== ==== =============================================================== =============================
Plugin Auth Inst Notes Challenge types (and port)
=========== ==== ==== =============================================================== =============================
apache_ Y Y | Automates obtaining and installing a cert with Apache 2.4 on tls-sni-01_ (443)
| Debian-based distributions with ``libaugeas0`` 1.0+.
webroot_ Y N | Obtains a cert by writing to the webroot directory of an http-01_ (80)
| already running webserver.
nginx_ Y Y | Automates obtaining and installing a cert with Nginx. Alpha tls-sni-01_ (443)
| release shipped with Certbot 0.9.0.
standalone_ Y N | Uses a "standalone" webserver to obtain a cert. Requires http-01_ (80) or
| port 80 or 443 to be available. This is useful on systems tls-sni-01_ (443)
| with no webserver, or when direct integration with the local
| webserver is not supported or not desired.
manual_ Y N | Helps you obtain a cert by giving you instructions to perform http-01_ (80) or
| domain validation yourself. Additionally allows you to dns-01_ (53)
| specify scripts to automate the validation task in a
apache_ Y Y | Automates obtaining and installing a certificate with Apache tls-sni-01_ (443)
| 2.4 on Debian-based distributions with ``libaugeas0`` 1.0+.
webroot_ Y N | Obtains a certificate by writing to the webroot directory of http-01_ (80)
| an already running webserver.
nginx_ Y Y | Automates obtaining and installing a certificate with Nginx. tls-sni-01_ (443)
| Alpha release shipped with Certbot 0.9.0.
standalone_ Y N | Uses a "standalone" webserver to obtain a certificate. http-01_ (80) or
| Requires port 80 or 443 to be available. This is useful on tls-sni-01_ (443)
| systems with no webserver, or when direct integration with
| the local webserver is not supported or not desired.
manual_ Y N | Helps you obtain a certificate by giving you instructions to http-01_ (80) or
| perform domain validation yourself. Additionally allows you dns-01_ (53)
| to specify scripts to automate the validation task in a
| customized way.
=========== ==== ==== =============================================================== =============================
@ -82,7 +82,7 @@ The Apache plugin currently requires an OS with augeas version 1.0; currently `i
supports
<https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/constants.py>`_
modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin.
This automates both obtaining *and* installing certs on an Apache
This automates both obtaining *and* installing certificates on an Apache
webserver. To specify this plugin on the command line, simply include
``--apache``.
@ -92,7 +92,7 @@ Webroot
If you're running a local webserver for which you have the ability
to modify the content being served, and you'd prefer not to stop the
webserver during the certificate issuance process, you can use the webroot
plugin to obtain a cert by including ``certonly`` and ``--webroot`` on
plugin to obtain a certificate by including ``certonly`` and ``--webroot`` on
the command line. In addition, you'll need to specify ``--webroot-path``
or ``-w`` with the top-level directory ("web root") containing the files
served by your webserver. For example, ``--webroot-path /var/www/html``
@ -144,11 +144,11 @@ the ``--nginx`` flag on the commandline.
Standalone
----------
Use standalone mode to obtain a cert if you don't want to use (or don't currently have)
Use standalone mode to obtain a certificate if you don't want to use (or don't currently have)
existing server software. The standalone plugin does not rely on any other server
software running on the machine where you obtain the cert.
software running on the machine where you obtain the certificate.
To obtain a cert using a "standalone" webserver, you can use the
To obtain a certificate using a "standalone" webserver, you can use the
standalone plugin by including ``certonly`` and ``--standalone``
on the command line. This plugin needs to bind to port 80 or 443 in
order to perform domain validation, so you may need to stop your
@ -167,10 +167,10 @@ the Internet on the specified port using each requested domain name.
Manual
------
If you'd like to obtain a cert running ``certbot`` on a machine
If you'd like to obtain a certificate running ``certbot`` on a machine
other than your target webserver or perform the steps for domain
validation yourself, you can use the manual plugin. While hidden from
the UI, you can use the plugin to obtain a cert by specifying
the UI, you can use the plugin to obtain a certificate by specifying
``certonly`` and ``--manual`` on the command line. This requires you
to copy and paste commands into another terminal session, which may
be on a different computer.
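Review bot: "If you'd like to obtain a certificate running ``certbot`` on a machine" parses as though the certificate were running certbot, and spelling out the word makes that more noticeable. Suggest "obtain a certificate by running ``certbot`` on a machine other than your target webserver" in the same edit.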
@ -213,11 +213,11 @@ plesk_ Y Y Integration with the Plesk web hosting tool
haproxy_ Y Y Integration with the HAProxy load balancer
s3front_ Y Y Integration with Amazon CloudFront distribution of S3 buckets
gandi_ Y Y Integration with Gandi's hosting products and API
varnish_ Y N Obtain certs via a Varnish server
varnish_ Y N Obtain certificates via a Varnish server
external_ Y N A plugin for convenient scripting (See also ticket 2782_)
icecast_ N Y Deploy certs to Icecast 2 streaming media servers
pritunl_ N Y Install certs in pritunl distributed OpenVPN servers
proxmox_ N Y Install certs in Proxmox Virtualization servers
icecast_ N Y Deploy certificates to Icecast 2 streaming media servers
pritunl_ N Y Install certificates in pritunl distributed OpenVPN servers
proxmox_ N Y Install certificates in Proxmox Virtualization servers
postfix_ N Y STARTTLS Everywhere is becoming a Certbot Postfix/Exim plugin
heroku_ Y Y Integration with Heroku SSL
=========== ==== ==== ===============================================================
@ -336,9 +336,9 @@ use the ``revoke`` command to do so. Note that the ``revoke`` command takes the
certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem
Additionally, if a certificate
is a test cert obtained via the ``--staging`` or ``--test-cert`` flag, that flag must be passed to the
is a test certificate obtained via the ``--staging`` or ``--test-cert`` flag, that flag must be passed to the
``revoke`` subcommand.
Once a certificate is revoked (or for other cert management tasks), all of a certificate's
Once a certificate is revoked (or for other certificate management tasks), all of a certificate's
relevant files can be removed from the system with the ``delete`` subcommand::
certbot delete --cert-name example.com
@ -371,7 +371,7 @@ Since ``renew`` only renews certificates that are near expiry it can be
run as frequently as you want - since it will usually take no action.
The ``renew`` command includes hooks for running commands or scripts before or after a certificate is
renewed. For example, if you have a single cert obtained using
renewed. For example, if you have a single certificate obtained using
the standalone_ plugin, you might need to stop the webserver
before renewing so standalone can bind to the necessary ports, and
then restart it after the plugin is finished. Example::
@ -497,7 +497,7 @@ renewal configuration file, located at ``/etc/letsencrypt/renewal/CERTNAME``.
For most tasks, it is safest to limit yourself to pointing symlinks at the files there, or using
``--renew-hook`` to copy / make new files based upon those files, if your operational situation requires it
(for instance, combining certs and keys in different way, or having copies of things with different
(for instance, combining certificates and keys in different way, or having copies of things with different
specific permissions that are demanded by other programs).
If the contents of ``/etc/letsencrypt/archive/CERTNAME`` are moved to a new folder, first specify
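Review bot: the replaced line "(for instance, combining certificates and keys in different way, or having copies of things with different" keeps the grammatical slip "in different way". Since the line is already being changed, make it "in a different way" or "in different ways".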