Improve documentation

1 files changed, 31 insertions, 9 deletions

diff --git a/README.md b/README.md
index b2d5422..d9d6437 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,28 @@ This program can be used to obtain a certificate from the
 [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their
 ACME protocol.
 
-## Rate Limits
+Simplest usage is to specify only the mandatory options, along with an email
+address to register:
+
+```
+DOMAIN=yourdomain.com
+
+acme-certify --email          webmaster@${DOMAIN} \
+             --key            webmaster@${DOMAIN}.key \
+             --domain             ${DOMAIN} \
+             --domain         www.${DOMAIN} \
+             --challenge-dir  /var/www/html/.well-known/acme-challenge
+
+ls -l ${DOMAIN}/cert.combined.pem ${DOMAIN}/cert.pem
+```
+
+You must have write permission to `/var/www/html/.well-known/acme-challenge` for
+that to work.
+
+(Of course, there also must be a web server hosting your domains from
+`/var/www/html`.)
+
+## Multiple Domains & Rate Limits
 
 This tool supports multiple domain names per certificate. Note that `Let's
 Encrypt` will not sign a certificate with more than 100 names; nor will it allow
@@ -65,12 +86,13 @@ mkdir -p ${DOMAIN}
 openssl genrsa 4096 > ${DOMAIN}/rsa.key
 ```
 
-## Receive certificate
+## Generated certificate
 
 The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`.
-A combined certificate, containing the issuer certificate, the private key, and
-(possibly) DH parameters, will be saved in `./${DOMAIN}/cert.combined.pem`. You
-can copy that file to the place your TLS server is configured to read it.
+A combined certificate -- containing the issuer certificate, the private key,
+and (by default) DH parameters -- will be saved in
+`./${DOMAIN}/cert.combined.pem`. You can copy that file to the place your TLS
+server is configured to read it.
 
 You can also view the certificate like so:
 
@@ -78,17 +100,17 @@ You can also view the certificate like so:
 openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less
 ```
 
-## Create a certificate for HAProxy
+## DH Params
 
 Vo Minh Thu, the original author of this program, suggests to include explicit
 DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/).
 This is now automatically performed by default.
 
-Note: generating DH params is CPU-intensive and takes a long time. For that
+Generating DH params is CPU-intensive and takes a long time. For that
 reason, it is done once per domain, and the result is saved in
-`${DOMAIN}/dhparams.pem`.
+`${DOMAIN}/dhparams.pem` for reuse.
 
-You can also disable DH generation it with `--skip-dhparams`.
+You can disable DH generation it with `--skip-dhparams`.
 
 The certificate is generated by this program equivalently to this: