From a701419ce988ac67ab39bea3534348cd5b974494 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 27 Apr 2017 14:53:30 -0700 Subject: [PATCH] update cert to certificate --- docs/cli-help.txt | 73 ++++++++++++++++++++++++----------------------- docs/using.rst | 66 +++++++++++++++++++++--------------------- 2 files changed, 70 insertions(+), 69 deletions(-) diff --git a/docs/cli-help.txt b/docs/cli-help.txt index 3154bbda6..a5607c70e 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt 
@@ -3,26 +3,26 @@ usage: Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the -cert. The most common SUBCOMMANDS and flags are: +certificate. The most common SUBCOMMANDS and flags are: obtain, install, and renew certificates: - (default) run Obtain & install a cert in your current webserver - certonly Obtain or renew a cert, but do not install it - renew Renew all previously obtained certs that are near expiry - -d DOMAINS Comma-separated list of domains to obtain a cert for + (default) run Obtain & install a certificate in your current webserver + certonly Obtain or renew a certificate, but do not install it + renew Renew all previously obtained certificates that are near expiry + -d DOMAINS Comma-separated list of domains to obtain a certificate for --apache Use the Apache plugin for authentication & installation --standalone Run a standalone webserver for authentication --nginx Use the Nginx plugin for authentication & installation --webroot Place files in a server's webroot folder for authentication - --manual Obtain certs interactively, or using shell script hooks + --manual Obtain certificates interactively, or using shell script hooks -n Run non-interactively - --test-cert Obtain a test cert from a staging server - --dry-run Test "renew" or "certonly" without saving any certs to disk + --test-cert Obtain a test certificate from a staging server + --dry-run Test "renew" or "certonly" without saving any certificates to disk manage certificates: - certificates Display information about certs you have from Certbot + certificates Display information about certificates you have from Certbot revoke Revoke a certificate (supply --cert-path) delete Delete a certificate 
@@ -57,14 +57,14 @@ optional arguments: certificate, specifies the new certificate's name. (default: None) --dry-run Perform a test run of the client, obtaining test - (invalid) certs but not saving them to disk. This can + (invalid) certificates but not saving them to disk. This can currently only be used with the 'certonly' and 'renew' subcommands. Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to - obtain test certs, and reloads webservers to deploy + obtain test certificates, and reloads webservers to deploy and then roll back those changes. It also calls --pre- hook and --post-hook commands if they are defined because they may be necessary to accurately simulate @@ -95,11 +95,11 @@ automation: Arguments for automating execution & other tweaks --keep-until-expiring, --keep, --reinstall - If the requested cert matches an existing cert, always - keep the existing one until it is due for renewal (for - the 'run' subcommand this means reinstall the existing - cert). (default: Ask) - --expand If an existing cert is a strict subset of the + If the requested certificate matches an existing + certificate, always keep the existing one until it is + due for renewal (for the 'run' subcommand this means + reinstall the existing certificate). (default: Ask) + --expand If an existing certificate is a strict subset of the requested names, always expand and replace it with the additional names. (default: Ask) --version show program's version number and exit 
@@ -171,8 +171,9 @@ testing: --test-cert, --staging Use the staging server to obtain or revoke test - (invalid) certs; equivalent to --server https://acme- - staging.api.letsencrypt.org/directory (default: False) + (invalid) certificates; equivalent to --server + https://acme-staging.api.letsencrypt.org/directory + (default: False) --debug Show tracebacks in case of errors, and allow certbot- auto execution on experimental platforms (default: False) @@ -188,20 +189,20 @@ testing: the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80) - --break-my-certs Be willing to replace or renew valid certs with - invalid (testing/staging) certs (default: False) + --break-my-certs Be willing to replace or renew valid certificates with + invalid (testing/staging) certificates (default: False) paths: Arguments changing execution paths & servers --cert-path CERT_PATH - Path to where cert is saved (with auth --csr), + Path to where certificate is saved (with auth --csr), installed from, or revoked. (default: None) - --key-path KEY_PATH Path to private key for cert installation or + --key-path KEY_PATH Path to private key for certificate installation or revocation (if account key is missing) (default: None) --fullchain-path FULLCHAIN_PATH - Accompanying path to a full certificate chain (cert - plus chain). (default: None) + Accompanying path to a full certificate chain + (certificate plus chain). (default: None) --chain-path CHAIN_PATH Accompanying path to a certificate chain. (default: None) @@ -225,10 +226,10 @@ manage: directory run: - Options for obtaining & installing certs + Options for obtaining & installing certificates certonly: - Options for modifying how a cert is obtained + Options for modifying how a certificate is obtained --csr CSR Path to a Certificate Signing Request (CSR) in DER or PEM format. Currently --csr only works with the 
@@ -267,9 +268,9 @@ renew: the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the - new certs and keys; the shell variable + new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list - of renewed cert domains (for example, + of renewed certificate domains (for example, "example.com www.example.com") (default: None) --disable-hook-validation Ordinarily the commands specified for --pre-hook @@ -288,7 +289,7 @@ delete: Options for deleting a certificate revoke: - Options for revocation of certs + Options for revocation of certificates --reason {keycompromise,affiliationchanged,superseded,unspecified,cessationofoperation} Specify reason for revoking certificate. (default: 0) @@ -324,7 +325,7 @@ unregister: --account ACCOUNT_ID Account ID to use (default: None) install: - Options for modifying how a cert is deployed + Options for modifying how a certificate is deployed config_changes: Options for controlling which changes are displayed @@ -347,7 +348,7 @@ plugins: --installers Limit to installer plugins only. (default: None) update_symlinks: - Recreates cert and key symlinks in /etc/letsencrypt/live, if you changed + Recreates certificate and key symlinks in /etc/letsencrypt/live, if you changed them by hand or edited a renewal configuration file plugins: 
@@ -366,13 +367,13 @@ plugins: -i INSTALLER, --installer INSTALLER Installer plugin name (also used to find domains). (default: None) - --apache Obtain and install certs using Apache (default: False) - --nginx Obtain and install certs using Nginx (default: False) - --standalone Obtain certs using a "standalone" webserver. (default: + --apache Obtain and install certificates using Apache (default: False) + --nginx Obtain and install certificates using Nginx (default: False) + --standalone Obtain certificates using a "standalone" webserver. (default: False) --manual Provide laborious manual instructions for obtaining a - cert (default: False) - --webroot Obtain certs by placing files in a webroot directory. + certificate (default: False) + --webroot Obtain certificates by placing files in a webroot directory. (default: False) nginx: diff --git a/docs/using.rst b/docs/using.rst index 1bcf1483b..614f79608 100644 --- a/docs/using.rst +++ b/docs/using.rst 
@@ -24,16 +24,16 @@ Getting certificates (and choosing plugins) The Certbot client supports two types of plugins for obtaining and installing certificates: authenticators and installers. -Authenticators are plugins used with the ``certonly`` command to obtain a cert. +Authenticators are plugins used with the ``certonly`` command to obtain a certificate. The authenticator validates that you -control the domain(s) you are requesting a cert for, obtains a cert for the specified -domain(s), and places the cert in the ``/etc/letsencrypt`` directory on your -machine. The authenticator does not install the cert (it does not edit any of your server's configuration files to serve the +control the domain(s) you are requesting a certificate for, obtains a certificate for the specified +domain(s), and places the certificate in the ``/etc/letsencrypt`` directory on your +machine. The authenticator does not install the certificate (it does not edit any of your server's configuration files to serve the obtained certificate). If you specify multiple domains to authenticate, they will all be listed in a single certificate. To obtain multiple separate certificates you will need to run Certbot multiple times. -Installers are Plugins used with the ``install`` command to install a cert. +Installers are Plugins used with the ``install`` command to install a certificate. These plugins can modify your webserver's configuration to serve your website over HTTPS using certificates obtained by certbot. 
@@ -44,19 +44,19 @@ a combination of distinct authenticator and installer plugins. =========== ==== ==== =============================================================== ============================= Plugin Auth Inst Notes Challenge types (and port) =========== ==== ==== =============================================================== ============================= -apache_ Y Y | Automates obtaining and installing a cert with Apache 2.4 on tls-sni-01_ (443) - | Debian-based distributions with ``libaugeas0`` 1.0+. -webroot_ Y N | Obtains a cert by writing to the webroot directory of an http-01_ (80) - | already running webserver. -nginx_ Y Y | Automates obtaining and installing a cert with Nginx. Alpha tls-sni-01_ (443) - | release shipped with Certbot 0.9.0. -standalone_ Y N | Uses a "standalone" webserver to obtain a cert. Requires http-01_ (80) or - | port 80 or 443 to be available. This is useful on systems tls-sni-01_ (443) - | with no webserver, or when direct integration with the local - | webserver is not supported or not desired. -manual_ Y N | Helps you obtain a cert by giving you instructions to perform http-01_ (80) or - | domain validation yourself. Additionally allows you to dns-01_ (53) - | specify scripts to automate the validation task in a +apache_ Y Y | Automates obtaining and installing a certificate with Apache tls-sni-01_ (443) + | 2.4 on Debian-based distributions with ``libaugeas0`` 1.0+. +webroot_ Y N | Obtains a certificate by writing to the webroot directory of http-01_ (80) + | an already running webserver. +nginx_ Y Y | Automates obtaining and installing a certificate with Nginx. tls-sni-01_ (443) + | Alpha release shipped with Certbot 0.9.0. +standalone_ Y N | Uses a "standalone" webserver to obtain a certificate. http-01_ (80) or + | Requires port 80 or 443 to be available. This is useful on tls-sni-01_ (443) + | systems with no webserver, or when direct integration with + | the local webserver is not supported or not desired. 
+manual_ Y N | Helps you obtain a certificate by giving you instructions to http-01_ (80) or + | perform domain validation yourself. Additionally allows you dns-01_ (53) + | to specify scripts to automate the validation task in a | customized way. =========== ==== ==== =============================================================== ============================= @@ -82,7 +82,7 @@ The Apache plugin currently requires an OS with augeas version 1.0; currently `i supports `_ modern OSes based on Debian, Fedora, SUSE, Gentoo and Darwin. -This automates both obtaining *and* installing certs on an Apache +This automates both obtaining *and* installing certificates on an Apache webserver. To specify this plugin on the command line, simply include ``--apache``. @@ -92,7 +92,7 @@ Webroot If you're running a local webserver for which you have the ability to modify the content being served, and you'd prefer not to stop the webserver during the certificate issuance process, you can use the webroot -plugin to obtain a cert by including ``certonly`` and ``--webroot`` on +plugin to obtain a certificate by including ``certonly`` and ``--webroot`` on the command line. In addition, you'll need to specify ``--webroot-path`` or ``-w`` with the top-level directory ("web root") containing the files served by your webserver. For example, ``--webroot-path /var/www/html`` 
@@ -144,11 +144,11 @@ the ``--nginx`` flag on the commandline. Standalone ---------- -Use standalone mode to obtain a cert if you don't want to use (or don't currently have) +Use standalone mode to obtain a certificate if you don't want to use (or don't currently have) existing server software. The standalone plugin does not rely on any other server -software running on the machine where you obtain the cert. +software running on the machine where you obtain the certificate. -To obtain a cert using a "standalone" webserver, you can use the +To obtain a certificate using a "standalone" webserver, you can use the standalone plugin by including ``certonly`` and ``--standalone`` on the command line. This plugin needs to bind to port 80 or 443 in order to perform domain validation, so you may need to stop your @@ -167,10 +167,10 @@ the Internet on the specified port using each requested domain name. Manual ------ -If you'd like to obtain a cert running ``certbot`` on a machine +If you'd like to obtain a certificate running ``certbot`` on a machine other than your target webserver or perform the steps for domain validation yourself, you can use the manual plugin. While hidden from -the UI, you can use the plugin to obtain a cert by specifying +the UI, you can use the plugin to obtain a certificate by specifying ``certonly`` and ``--manual`` on the command line. This requires you to copy and paste commands into another terminal session, which may be on a different computer. 
@@ -213,11 +213,11 @@ plesk_ Y Y Integration with the Plesk web hosting tool haproxy_ Y Y Integration with the HAProxy load balancer s3front_ Y Y Integration with Amazon CloudFront distribution of S3 buckets gandi_ Y Y Integration with Gandi's hosting products and API -varnish_ Y N Obtain certs via a Varnish server +varnish_ Y N Obtain certificates via a Varnish server external_ Y N A plugin for convenient scripting (See also ticket 2782_) -icecast_ N Y Deploy certs to Icecast 2 streaming media servers -pritunl_ N Y Install certs in pritunl distributed OpenVPN servers -proxmox_ N Y Install certs in Proxmox Virtualization servers +icecast_ N Y Deploy certificates to Icecast 2 streaming media servers +pritunl_ N Y Install certificates in pritunl distributed OpenVPN servers +proxmox_ N Y Install certificates in Proxmox Virtualization servers postfix_ N Y STARTTLS Everywhere is becoming a Certbot Postfix/Exim plugin heroku_ Y Y Integration with Heroku SSL =========== ==== ==== =============================================================== @@ -336,9 +336,9 @@ use the ``revoke`` command to do so. Note that the ``revoke`` command takes the certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem Additionally, if a certificate -is a test cert obtained via the ``--staging`` or ``--test-cert`` flag, that flag must be passed to the +is a test certificate obtained via the ``--staging`` or ``--test-cert`` flag, that flag must be passed to the ``revoke`` subcommand. -Once a certificate is revoked (or for other cert management tasks), all of a certificate's +Once a certificate is revoked (or for other certificate management tasks), all of a certificate's relevant files can be removed from the system with the ``delete`` subcommand:: certbot delete --cert-name example.com 
@@ -371,7 +371,7 @@ Since ``renew`` only renews certificates that are near expiry it can be run as frequently as you want - since it will usually take no action. The ``renew`` command includes hooks for running commands or scripts before or after a certificate is -renewed. For example, if you have a single cert obtained using +renewed. For example, if you have a single certificate obtained using the standalone_ plugin, you might need to stop the webserver before renewing so standalone can bind to the necessary ports, and then restart it after the plugin is finished. Example:: @@ -497,7 +497,7 @@ renewal configuration file, located at ``/etc/letsencrypt/renewal/CERTNAME``. For most tasks, it is safest to limit yourself to pointing symlinks at the files there, or using ``--renew-hook`` to copy / make new files based upon those files, if your operational situation requires it -(for instance, combining certs and keys in different way, or having copies of things with different +(for instance, combining certificates and keys in different way, or having copies of things with different specific permissions that are demanded by other programs). If the contents of ``/etc/letsencrypt/archive/CERTNAME`` are moved to a new folder, first specify
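Review bot: docs/cli-help.txt (first hunk, @@ -3,26, and every later hunk in that file) reads like captured --help output, with its "usage:" header and "(default: None)" suffixes, yet the diffstat lists only docs/cli-help.txt and docs/using.rst. If this file is regenerated from the argument parser's help strings, the hand edits here will be overwritten the next time it is regenerated. Please make the same cert to certificate change in the help strings in the code and regenerate this file from them, or state in the commit message that the file is maintained by hand.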
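Review bot: in docs/cli-help.txt, hunk @@ -57,14, the two replaced --dry-run lines ("(invalid) certificates but not saving them to disk. This can" and "obtain test certificates, and reloads webservers to deploy") are lengthened in place and not re-wrapped, while the --keep-until-expiring and --fullchain-path entries in this same patch were re-wrapped. The same applies to the --break-my-certs and --key-path lines in hunk @@ -188,20 and the --apache, --nginx and --standalone lines in hunk @@ -366,13. Please re-wrap these paragraphs to the width of the surrounding help text so the file stays consistent.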
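Review bot: in docs/using.rst, hunk @@ -24,16, the touched line "Installers are Plugins used with the ``install`` command to install a certificate." keeps the capitalised "Plugins", which does not match "Authenticators are plugins" a few lines above in the same hunk. Since the line is being rewritten anyway, lowercase it to "plugins".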
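Review bot: in docs/using.rst, hunk @@ -497,7, the rewritten line still reads "combining certificates and keys in different way", which is missing an article. Suggest "in a different way" (or "in different ways") while this line is being changed.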