Attempting to fix build errors.

Peter Conrad 2017-12-20 13:35:44 -08:00
parent 1e8db70670
commit ddad4ce4c6
10 changed files with 124 additions and 134 deletions

View file

@ -1,4 +1,4 @@
s file contains a series of comments that are used to include sections of this README in other files. Do not modify these comments unless you know what you are doing. tag:intro-begin
.. This file contains a series of comments that are used to include sections of this README in other files. Do not modify these comments unless you know what you are doing. tag:intro-begin
Certbot is part of EFFs effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
@ -30,9 +30,6 @@ Certbot is packaged for many common operating systems and web servers. Check whe
certbot.eff.org_, where you will also find the correct installation instructions for
your system.
.. Note:: Unless you have very specific requirements, we kindly suggest that you use the Certbot packages provided by your package manager (see certbot.eff.org_). If such packages are not available, we recommend using ``certbot-auto``, which automates the process of installing Certbot on your system.
.. _certbot.eff.org: https://certbot.eff.org
Contributing
@ -59,25 +56,28 @@ In many cases, you can just run ``certbot-auto`` or ``certbot``, and the
client will guide you through the process of obtaining and installing certs
interactively.
For full command line help, you can type::
For full command line help, you can type
::
  ./certbot-auto --help all
You can also tell it exactly what you want it to do from the command line.
For instance, if you want to obtain a cert for ``example.com``,
``www.example.com``, and ``other.example.net``, using the Apache plugin to both
obtain and install the certs, you could do this::
obtain and install the certs, you could do this
  ./certbot-auto --apache -d example.com -d www.example.com -d other.example.net
::
./certbot-auto --apache -d example.com -d www.example.com -d other.example.net
(The first time you run the command, it will make an account, and ask for an
email and agreement to the Let's Encrypt Subscriber Agreement; you can
automate those with ``--email`` and ``--agree-tos``)
If you want to use a webserver that doesn't have full plugin support yet, you
can still use "standalone" or "webroot" plugins to obtain a certificate::
can still use "standalone" or "webroot" plugins to obtain a certificate
::
  ./certbot-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com -d other.example.net
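Review bot: In the Apache example, the new ``./certbot-auto --apache -d example.com ...`` line sits flush left under its ``::``, so reStructuredText finds no literal block there and the command is rendered as ordinary paragraph text. Keep the two-space indent the removed line had, as the ``--help all`` and ``certonly --standalone`` examples in this hunk still do. Moving ``::`` onto its own line is fine only if the block that follows stays indented.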

View file

@ -9,9 +9,9 @@ To receive a certificate from Let's Encrypt certificate authority (CA), you must
prove you control each of the domain names that will be listed in the certificate. A challenge is  one of 
three tasks that only someone who controls the domain should be able to accomplish:
* Posting a specified file in a specified location on a web site (the HTTP-01_ challenge)
* Offering a specified temporary certificate on a web site (the TLS-SNI-01_ challenge) 
* Posting a specified DNS record in the domain name system (the DNS-01_ challenge)
* Posting a specified file in a specified location on a web site (See the IETF draft of the `HTTP-01`_ challenge)
* Offering a specified temporary certificate on a web site (See the IETF draft of the `TLS-SNI-01`_ challenge) 
* Posting a specified DNS record in the domain name system (See the IETF draft of the `DNS-01`_ challenge)
The DNS-01 challenge, in particular, requires configuration of a DNS server on
port 53, though that's often not the same machine as your webserver.
@ -21,10 +21,9 @@ changes itself, or runs another program that does so), or *manually* (Certbot te
certain change, and you edit a configuration file of some kind in order to accomplish it). Certbot's 
design favors performing challenges automatically, and this is the normal case for most users of Certbot.
.. _challenges: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7
.. _ TLS-SNI-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
.. _ HTTP-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.2
.. _ DNS-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.4
.. _TLS-SNI-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
.. _HTTP-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.2
.. _DNS-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.4
Tips for Challenges
@ -32,51 +31,60 @@ Tips for Challenges
General tips:
* Run Certbot on your web server, not on your laptop or another server. Its usually the easiest way to get a certificate.
* Use a tool like the DNSchecker at dnsstuff.com to check your DNS records to make sure 
  there are no serious errors. A DNS error can prevent a certificate authority from 
  issuing a certificate, even if it does not prevent your site from loading in a browser.
* Use a tool like the DNSchecker at dnsstuff.com to check your DNS records to make sure
there are no serious errors. A DNS error can prevent a certificate authority from 
issuing a certificate, even if it does not prevent your site from loading in a browser.
* If you are using Apache or NGINX plugins, make sure the configuration of your Apache or NGINX server is correct.
.. _http_01_challenge:
HTTP-01 Challenge
~~~~~~~~~~~~~~~~~
* Make sure the domain name exists and is already pointed to the public IP address of the server where 
  youre requesting the certificate.
youre requesting the certificate.
* Make sure port 80 is open, publicly reachable from the Internet, and not blocked by a router or firewall.
* When using the Webroot plugin or the manual plugin, make sure the the webroot directory exists and that you
  specify it properly. If you set the webroot directory for example.com to `/var/www/example.com`
  then a file placed in `/var/www/example.com/.well-known/acme-challenge/testfile` should appear on
  your web site at `http://example.com/.well-known/acme-challenge/testfile` (A redirection to HTTPS
  is OK here and should not stop the challenge from working.)
specify it properly. If you set the webroot directory for example.com to `/var/www/example.com`
then a file placed in `/var/www/example.com/.well-known/acme-challenge/testfile` should appear on
your web site at `http://example.com/.well-known/acme-challenge/testfile` (A redirection to HTTPS
is OK here and should not stop the challenge from working.)
* In some web server configurations, all pages are dynamically generated by some kind of framework, 
  usually using a database backend. In this case, there might not be a particular directory 
  from which the web server can serve filesdirectly. Using the Webroot plugin in this case 
  requires making a change to your web server configuration first.
usually using a database backend. In this case, there might not be a particular directory 
from which the web server can serve filesdirectly. Using the Webroot plugin in this case 
requires making a change to your web server configuration first.
* Make sure your web server serves files properly from the directory where the challenge 
  file is placed (e. g. `/.well-known/acme-challenge`) to the expected location on the 
  website without adding a header or footer.
file is placed (e. g. `/.well-known/acme-challenge`) to the expected location on the 
website without adding a header or footer.
* When using the Standalone plugin, make sure another program is not already listening to port 80 on the server.
* When using the Webroot plugin, make sure there is a web server listening on port 80.
.. _tls_sni_01_challege:
TLS-SNI-01 Challenge
~~~~~~~~~~~~~~~~~~~~
* The TLS-SNI-01 challenge doesnt work with content delivery networks (CDNs) 
  like CloudFlare and Akamai because the domain name is pointed at the CDN, not directly at your server.
like CloudFlare and Akamai because the domain name is pointed at the CDN, not directly at your server.
* Make sure port 443 is open, publicly reachable from the Internet, and not blocked by a router or firewall.
* When using the Apache plugin, make sure you are running Apache and no other web server on port 443.
* When using the NGINX plugin, make sure you are running NGINX and no other web server on port 443.
* With either the Apache or NGINX plugin, certbot modifies your web server configuration. If you get
  an error after successfully completing the challenge, then you have received a certificate but the
  plugin was unable to modify your web server configuration, meaning that you'll have to install the certificate manually.
  In that case, please file a bug to help us improve certbot!
an error after successfully completing the challenge, then you have received a certificate but the
plugin was unable to modify your web server configuration, meaning that you'll have to install the certificate manually.
In that case, please file a bug to help us improve certbot!
* When using the Standalone plugin, make sure another program is not already listening to port 443 on the server.
.. _dns_01_challenge:
DNS-01 Challenge
~~~~~~~~~~~~~~~~
* When using the manual plugin, make sure your DNS records are correctly updated; 
  you must be able to make appropriate changes to your DNS zone in order to pass the challenge.
you must be able to make appropriate changes to your DNS zone in order to pass the challenge.
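Review bot: The continuation lines of the multi-line bullets (the DNSchecker tip, the webroot and framework tips under HTTP-01, the CDN and plugin tips under TLS-SNI-01, and the DNS-01 tip) lose their two-space indent here, which ends each bullet after its first line and makes the rest a separate paragraph with an "unexpected unindent" warning. That works against the stated goal of fixing build errors; continuation text has to stay aligned with the text after ``*``. While these lines are being touched, "the the webroot" and "filesdirectly" could also be corrected.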

View file

@ -1,10 +1,12 @@
onfiguration Files
Configuration Files
=====================
.. contents:: Table of Contents
   :local:
:local:
This is another new section that will talk about what can be configured and will explain the interaction between the renewal configuration file and the global configuration file. The text about the global configuration file has been moved here from using.rst
This is another new section that will talk about what can be configured and will explain
the interaction between the renewal configuration file and the global configuration file.
The text about the global configuration file has been moved here from using.rst
.. _renewal-config-file:
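Review bot: The ``:local:`` option under ``.. contents:: Table of Contents`` is now flush left, so it is no longer parsed as an option of the directive; the table of contents stops being local and ``:local:`` is read as body text. Restore the three-space indent. The new paragraph also still reads as an authoring note ("This is another new section that will talk about ...") and should be replaced with real introductory text before this is published.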
@ -43,23 +45,19 @@ you must follow this with an invocation of ``certbot update_symlinks``.
For example, say that a certificate's renewal configuration file previously contained the following
directives::
  archive_dir = /etc/letsencrypt/archive/example.com
  cert = /etc/letsencrypt/live/example.com/cert.pem
  privkey = /etc/letsencrypt/live/example.com/privkey.pem
  chain = /etc/letsencrypt/live/example.com/chain.pem
  fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
The following commands could be used to specify where these files are located::
  mv /etc/letsencrypt/archive/example.com /home/user/me/certbot/example_archive
  sed -i 's,/etc/letsencrypt/archive/example.com,/home/user/me/certbot/example_archive,' /etc/letsencrypt/renewal/example.com.conf
  mv /etc/letsencrypt/live/example.com/*.pem /home/user/me/certbot/
  sed -i 's,/etc/letsencrypt/live/example.com,/home/user/me/certbot,g' /etc/letsencrypt/renewal/example.com.conf
  certbot update_symlinks
mv /etc/letsencrypt/archive/example.com /home/user/me/certbot/example_archive
sed -i 's,/etc/letsencrypt/archive/example.com,/home/user/me/certbot/example_archive,' /etc/letsencrypt/renewal/example.com.conf
mv /etc/letsencrypt/live/example.com/*.pem /home/user/me/certbot/
sed -i 's,/etc/letsencrypt/live/example.com,/home/user/me/certbot,g' /etc/letsencrypt/renewal/example.com.conf
certbot update_symlinks
.. _config-file:
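Review bot: Both literal blocks in this hunk (the five ``archive_dir``/``cert``/``privkey``/``chain``/``fullchain`` directives and the ``mv``/``sed``/``certbot update_symlinks`` commands) are de-indented to column zero after their ``::``. Without indentation they are parsed as paragraphs, so the lines get reflowed together and the quotes and commas in the ``sed`` expressions are treated as ordinary text, which makes commands that relocate private key material unsafe to copy from the rendered page. Keep the original two-space indent.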
@ -81,9 +79,7 @@ example configuration file is shown below:
By default, the following locations are searched:
- ``/etc/letsencrypt/cli.ini``
- ``$XDG_CONFIG_HOME/letsencrypt/cli.ini`` (or
  ``~/.config/letsencrypt/cli.ini`` if ``$XDG_CONFIG_HOME`` is not
  set).
- ``$XDG_CONFIG_HOME/letsencrypt/cli.ini`` (or ``~/.config/letsencrypt/cli.ini`` if ``$XDG_CONFIG_HOME`` is not set).
Since this configuration file applies to all invocations of certbot it is incorrect
to list domains in it. Listing domains in cli.ini may prevent renewal from working.

View file

@ -3,7 +3,7 @@ Developer Guide
===============
.. contents:: Table of Contents
   :local:
:local:
.. _getting_started:
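Review bot: ``:local:`` is moved to column zero under ``.. contents:: Table of Contents``, which detaches it from the directive. It needs to stay indented to be treated as an option.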
@ -20,7 +20,7 @@ running:
.. code-block:: shell
   git clone https://github.com/certbot/certbot
  git clone https://github.com/certbot/certbot
If you're on macOS, we recommend you skip the rest of this section and instead
run Certbot in Docker. You can find instructions for how to do this :ref:`here
@ -31,17 +31,17 @@ a new plugin is introduced.
.. code-block:: shell
   cd certbot
   ./certbot-auto --os-packages-only
   ./tools/venv.sh
  cd certbot
  ./certbot-auto --os-packages-only
  ./tools/venv.sh
Then in each shell where you're working on the client, do:
.. code-block:: shell
   source ./venv/bin/activate
   export SERVER=https://acme-staging.api.letsencrypt.org/directory
   source tests/integration/_common.sh
  source ./venv/bin/activate
  export SERVER=https://acme-staging.api.letsencrypt.org/directory
  source tests/integration/_common.sh
After that, your shell will be using the virtual environment, and you run the
client by typing `certbot` or `certbot_test`. The latter is an alias that
@ -123,8 +123,8 @@ Boulder:
.. code-block:: shell
   export SERVER=http://localhost:4000/directory
   source tests/integration/_common.sh
  export SERVER=http://localhost:4000/directory
  source tests/integration/_common.sh
Run the integration tests using:
@ -258,13 +258,13 @@ the virtualenv used by `certbot-auto`, but they will be wiped away when
`certbot-auto` upgrades.
.. warning:: Please be aware though that as this client is still in a
   developer-preview stage, the API may undergo a few changes. If you
   believe the plugin will be beneficial to the community, please
   consider submitting a pull request to the repo and we will update
   it with any necessary API changes.
developer-preview stage, the API may undergo a few changes. If you
believe the plugin will be beneficial to the community, please
consider submitting a pull request to the repo and we will update
it with any necessary API changes.
.. _`setuptools entry points`:
    http://setuptools.readthedocs.io/en/latest/pkg_resources.html#entry-points
http://setuptools.readthedocs.io/en/latest/pkg_resources.html#entry-points
.. _coding-style:
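Review bot: The body of ``.. warning::`` is de-indented from its second line on, so only "Please be aware though that as this client is still in a" remains inside the warning and the rest becomes a loose paragraph. The same happens to the ``.. _`setuptools entry points`:`` target: with the URL flush left on the next line, the target no longer carries the URL. Both continuation lines need their indent back, or the URL can be put on the same line as the target.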
@ -277,27 +277,26 @@ Please:
2. Read `PEP 8 - Style Guide for Python Code`_.
3. Follow the `Google Python Style Guide`_, with the exception that we
   use `Sphinx-style`_ documentation::
3. Follow the `Google Python Style Guide`_, with the exception that we use `Sphinx-style`_ documentation::
        def foo(arg):
            """Short description.
def foo(arg):
    """Short description.
            :param int arg: Some number.
      :param int arg: Some number.
            :returns: Argument
            :rtype: int
      :returns: Argument
      :rtype: int
            """
            return arg
      """
      return arg
4. Remember to use ``pylint``.
.. _Google Python Style Guide:
  https://google.github.io/styleguide/pyguide.html
.. _Google Python Style Guide: https://google.github.io/styleguide/pyguide.html
.. _Sphinx-style: http://sphinx-doc.org/
.. _PEP 8 - Style Guide for Python Code:
  https://www.python.org/dev/peps/pep-0008
.. _PEP 8 - Style Guide for Python Code: https://www.python.org/dev/peps/pep-0008
Submitting a pull request
=========================
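Review bot: The Sphinx-style docstring sample under list item 3 now starts with ``def foo(arg):`` at column zero, which ends both the list item and the literal block introduced by ``::``. The sample is also internally inconsistent: the opening ``"""Short description.`` is indented four spaces while ``:param int arg:``, the closing quotes and ``return arg`` are indented six, so it is not valid Python as shown in a style guide. Indent the whole sample under the list item and use one indent level inside the function. Collapsing the two link targets onto single lines is a good change.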
@ -337,7 +336,7 @@ manually updating this script, run the build script, which lives at
.. code-block:: shell
   python letsencrypt-auto-source/build.py
  python letsencrypt-auto-source/build.py
Running ``build.py`` will update the ``letsencrypt-auto-source/letsencrypt-auto``
script.  Note that the ``certbot-auto`` and ``letsencrypt-auto`` scripts in the root
@ -383,8 +382,8 @@ testing Certbot. This is especially useful for macOS users. To install Docker
Compose, follow the instructions at https://docs.docker.com/compose/install/.
.. note:: Linux users can simply run ``pip install docker-compose`` to get
  Docker Compose after installing Docker Engine and activating your shell as
  described in the :ref:`Getting Started <getting_started>` section.
  Docker Compose after installing Docker Engine and activating your shell as
  described in the :ref:`Getting Started <getting_started>` section.
Now you can develop on your host machine, but run Certbot and test your changes
in Docker. When using ``docker-compose`` make sure you are inside your clone of

View file

@ -9,8 +9,6 @@ are doing these tasks later, it all makes sense.
XXX Description of the order of events. That is... you pick your webserver and OS on the interactive installation tool. Behind the scenes, certbot knows how to modify the config file and handle the challenge. You can optionally do hooks. You get authenticated and the cert gets installed. A config file gets created so that automatic renewal can happen. After that, you can manage, modify, or delete certs.
.. include:: challenges.rst
@ -43,20 +41,20 @@ a combination_ of distinct authenticator and installer plugins.
=========== ==== ==== =============================================================== =============================
Plugin      Auth Inst Notes                                                           Challenge types (and port)
=========== ==== ==== =============================================================== ===========================
apache_     Y    Y    | Automates obtaining and installing a certificate with Apache  tls-sni-01_ (443)
=========== ==== ==== =============================================================== =============================
apache_     Y    Y    | Automates obtaining and installing a certificate with Apache  :ref:`TLS-SNI-01 <tls_sni_01_challege>` (443)
                      | 2.4 on Debian-based distributions with ``libaugeas0`` 1.0+.
webroot_    Y    N    | Obtains a certificate by writing to the webroot directory of  http-01_ (80)
webroot_    Y    N    | Obtains a certificate by writing to the webroot directory of  :ref:`HTTP-01 <http_01_challenge>` (80)
                      | an already running webserver.
nginx_      Y    Y    | Automates obtaining and installing a certificate with Nginx.  tls-sni-01_ (443)
nginx_      Y    Y    | Automates obtaining and installing a certificate with Nginx.  :ref:`TLS-SNI-01 <tls_sni_01_challege>` (443)
                      | Shipped with Certbot 0.9.0.
standalone_ Y    N    | Uses a "standalone" webserver to obtain a certificate.        http-01_ (80) or
                      | Requires port 80 or 443 to be available. This is useful on    tls-sni-01_ (443)
standalone_ Y    N    | Uses a "standalone" webserver to obtain a certificate.        :ref:`HTTP-01 <http_01_challenge>` (80) or
                      | Requires port 80 or 443 to be available. This is useful on    :ref:`TLS-SNI-01 <tls_sni_01_challege>` (443)
                      | systems with no webserver, or when direct integration with
                      | the local webserver is not supported or not desired.
manual_     Y    N    | Helps you obtain a certificate by giving you instructions to  http-01_ (80),
                      | perform domain validation yourself. Additionally allows you   dns-01_ (53) or
                      | to specify scripts to automate the validation task in a       tls-sni-01_ (443)
manual_     Y    N    | Helps you obtain a certificate by giving you instructions to  :ref:`HTTP-01 <http_01_challenge>` (80),
                      | perform domain validation yourself. Additionally allows you   :ref:`DNS-01 <dns_01_challenge>` (53) or
                      | to specify scripts to automate the validation task in a       :ref:`TLS-SNI-01 <tls_sni_01_challege>` (443)
                      | customized way.
=========== ==== ==== =============================================================== =============================
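Review bot: The new ``:ref:`` links in the last column target ``tls_sni_01_challege``, which matches the label as it is defined in the challenges file but carries its misspelling ("challege") into four more places. Since every reference is being rewritten in this change anyway, rename the label to ``tls_sni_01_challenge`` at its definition and here in the same commit. Fixing the closing border so it matches the header width is correct.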
@ -137,11 +135,9 @@ Pre and Post Validation Hooks
Certbot allows for the specification of pre and post validation hooks when run
in manual mode. The flags to specify these scripts are ``--manual-auth-hook``
and ``--manual-cleanup-hook`` respectively and can be used as follows:
and ``--manual-cleanup-hook`` respectively and can be used as follows::
::
 certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
certbot certonly --manual --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
This will run the ``authenticator.sh`` script, attempt the validation, and then run
the ``cleanup.sh`` script. Additionally certbot will pass relevant environment
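Review bot: Folding the ``::`` into "can be used as follows::" is fine, but the replacement ``certbot certonly --manual --manual-auth-hook ...`` line drops the leading space the old one had, so there is no indented literal block after the ``::``. Indent the command.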
@ -158,11 +154,9 @@ Additionally for cleanup:
- ``CERTBOT_AUTH_OUTPUT``: Whatever the auth script wrote to stdout
Example usage for HTTP-01:
Example usage for HTTP-01::
::
 certbot certonly --manual --preferred-challenges=http --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
certbot certonly --manual --preferred-challenges=http --manual-auth-hook /path/to/http/authenticator.sh --manual-cleanup-hook /path/to/http/cleanup.sh -d secure.example.com
/path/to/http/authenticator.sh
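Review bot: The HTTP-01 command after "Example usage for HTTP-01::" is flush left as well, unlike the DNS-01 example further down, which keeps its one-space indent. Use the same indent for all three hook examples so each renders as a literal block.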
@ -178,11 +172,9 @@ Example usage for HTTP-01:
   #!/bin/bash
   rm -f /var/www/htdocs/.well-known/acme-challenge/$CERTBOT_TOKEN
Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is)
Example usage for DNS-01 (Cloudflare API v4) (for example purposes only, do not use as-is)::
::
 certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com
 certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com
/path/to/dns/authenticator.sh

View file

@ -6,12 +6,16 @@ Welcome to the Certbot documentation!
   start
intro
what
how
challenges
   install
   using
   contributing
   packaging
   resources
reference
configure
.. toctree::
   :maxdepth: 1
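Review bot: The added toctree entries ``intro``, ``what``, ``how``, ``challenges``, ``reference`` and ``configure`` are at column zero, while the existing entries (``start``, ``install``, ``using`` and so on) are indented three spaces. Entries must share the directive's content indentation; as written, the first flush-left line ends the toctree and the new documents are not added to it. Indent the new entries to match.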
@ -26,4 +30,3 @@ Indices and tables
* :ref:`modindex`
* :ref:`search`

View file

@ -50,8 +50,8 @@ The ``certbot-auto`` wrapper script installs Certbot, obtaining some dependencie
from your web server OS and putting others in a python virtual environment. You can
download and run it as follows::
  user@webserver:~$ wget https://dl.eff.org/certbot-auto
  user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
  user@webserver:~$ ./certbot-auto --help
.. hint:: The certbot-auto download is protected by HTTPS, which is pretty good, but if you'd like to
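Review bot: Only the ``wget`` and ``chmod`` lines are de-indented; the ``./certbot-auto --help`` line keeps its two spaces. The result is a paragraph followed by an unexpected indented line rather than one literal block after "download and run it as follows::". Keep all three prompt lines at the same indent.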
@ -289,10 +289,7 @@ When using the ``dns`` challenge, ``certbot`` will ask you to place a TXT DNS
record with specific contents under the domain name consisting of the hostname
for which you want a certificate issued, prepended by ``_acme-challenge``.
For example, for the domain ``example.com``, a zone file entry would look like:
::
For example, for the domain ``example.com``, a zone file entry would look like::
        _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
When using the ``tls-sni`` challenge, ``certbot`` will prepare a self-signed
@ -319,13 +316,11 @@ The Nginx plugin has been distributed with Certbot since version 0.9.0 and shoul
work for most configurations. We recommend backing up Nginx
configurations before using it (though you can also revert changes to
configurations with ``certbot --nginx rollback``). You can use it by providing
the ``--nginx`` flag on the commandline.
::
the ``--nginx`` flag on the commandline::
   certbot nginx
* NGINX plugin: (TLS-SNI-01) Tries to edit your NGINX configuration files to temporarily serve a 
* NGINX plugin: (TLS-SNI-01) Tries to edit your NGINX configuration files to temporarily serve a
  Certbot-generated certificate for a specified name. Use the NGINX plugin when you're running 
  Certbot on a web server with NGINX listening on port 443.
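Review bot: The sentence now ends "the ``--nginx`` flag on the commandline::", but the example it introduces is ``certbot nginx``, without the flag. Since this hunk already rewrites the lead-in, the example should be updated to show the flag the text describes.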
@ -359,6 +354,7 @@ the Internet on the specified port using each requested domain name.
  port 80 (for HTTP-01) or HTTPS on port 443 (for TLS-SNI-01). Use the Standalone plugin if no existing program 
  is listening to these ports. Choose TLS-SNI-01 or HTTP-01 using the `--preferred-challenges` option.
.. _webroot:
Webroot
@ -377,25 +373,20 @@ If you're getting a certificate for many domains at once, the plugin
needs to know where each domain's files are served from, which could
potentially be a separate directory for each domain. When requesting a
certificate for multiple domains, each domain will use the most recently
specified ``--webroot-path``. So, for instance,
specified ``--webroot-path``. So, for instance::
::
  certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
    certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
would obtain a single certificate for all of those names, using the
``/var/www/example`` webroot directory for the first two, and
``/var/www/other`` for the second two.
would obtain a single certificate for all of those names, using the
``/var/www/example`` webroot directory for the first two, and ``/var/www/other`` for the second two.
The webroot plugin works by creating a temporary file for each of your requested
domains in ``${webroot-path}/.well-known/acme-challenge``. Then the Let's Encrypt
validation server makes HTTP requests to validate that the DNS for each
requested domain resolves to the server running certbot. An example request
made to your web server would look like:
made to your web server would look like::
::
    66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Note that to use the webroot plugin, your server must be configured to serve
files from hidden directories. If ``/.well-known`` is treated specially by
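Review bot: The sample access-log line after "made to your web server would look like::" is moved to column zero, so it is no longer a literal block and its brackets and quotes go through normal inline parsing. The ``certbot certonly --webroot`` example earlier in the hunk keeps its indent; do the same for the log line.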
@ -426,7 +417,7 @@ and your origin server, which cannot use the tls-sni-01_ challenge due to the
intermediate proxy.
::
    certbot run -a webroot -i apache -w /var/www/html -d example.com
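Review bot: The context line "cannot use the tls-sni-01_ challenge" still uses the named hyperlink reference, while the plugin table in this file was switched to ``:ref:`` labels in this commit. Check that a ``tls-sni-01`` target is still defined for this file, or convert this reference to the same ``:ref:`` form so the build does not report an unknown target name.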

View file

@ -13,7 +13,9 @@ What youll find there:
* Instructions for getting a certificate
* Automated renewal instructions
You only need to go to the Manual Installation section if you have special needs: an unusual server or configuration, if you need to modify an existing certificate, if you need to run special scripts automatically before or after installation.
You only need to go to the Manual Installation section if you have special needs:
an unusual server or configuration, if you need to modify an existing certificate,
if you need to run special scripts automatically before or after installation.
Getting Help

View file

@ -1,5 +1,4 @@
rking with Certificates
Working with Certificates
=========================
.. contents:: Table of Contents

View file

@ -18,7 +18,7 @@ You can use Certbot to easily obtain and configure a free certificate from Let's
joint project of EFF, Mozilla, and many other sponsors.
Certificates and Lineages
=========================
-------------------------
Certbot introduces the concept of a *lineage,* which is a collection of all the versions of a certificate
plus Certbot configuration information maintained for that certificate from