| author | Andrew Cady <d@jerkface.net> | 2016-01-26 14:37:05 -0500 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2016-01-26 14:40:50 -0500 |
| commit | 7ee27b689653d31cd89c3494623444a0dd68d406 (patch) | |
| tree | 7f43d0a66294f7a20143ec5f8998babcf8791f6b /README.md | |
| parent | 64e8a8ef7833fb7a9325372c09bcb9a682e1ed30 (diff) | |
Improve documentation
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 40 |
1 files changed, 31 insertions, 9 deletions
@@ -31,7 +31,28 @@ This program can be used to obtain a certificate from the | |||
31 | [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their | 31 | [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their |
32 | ACME protocol. | 32 | ACME protocol. |
33 | 33 | ||
34 | ## Rate Limits | 34 | Simplest usage is to specify only the mandatory options, along with an email |
35 | address to register: | ||
36 | |||
37 | ``` | ||
38 | DOMAIN=yourdomain.com | ||
39 | |||
40 | acme-certify --email webmaster@${DOMAIN} \ | ||
41 | --key webmaster@${DOMAIN}.key \ | ||
42 | --domain ${DOMAIN} \ | ||
43 | --domain www.${DOMAIN} \ | ||
44 | --challenge-dir /var/www/html/.well-known/acme-challenge | ||
45 | |||
46 | ls -l ${DOMAIN}/cert.combined.pem ${DOMAIN}/cert.pem | ||
47 | ``` | ||
48 | |||
49 | You must have write permission to `/var/www/html/.well-known/acme-challenge` for | ||
50 | that to work. | ||
51 | |||
52 | (Of course, there also must be a web server hosting your domains from | ||
53 | `/var/www/html`.) | ||
54 | |||
55 | ## Multiple Domains & Rate Limits | ||
35 | 56 | ||
36 | This tool supports multiple domain names per certificate. Note that `Let's | 57 | This tool supports multiple domain names per certificate. Note that `Let's |
37 | Encrypt` will not sign a certificate with more than 100 names; nor will it allow | 58 | Encrypt` will not sign a certificate with more than 100 names; nor will it allow |
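Review bot: The new quick-start example (lines 38-46 of the new file) never says what `--key webmaster@${DOMAIN}.key` is, and a reader who later reaches the `openssl genrsa 4096 > ${DOMAIN}/rsa.key` step will not know which of the two keys is the ACME account key and which is the certificate key. Add one sentence after the fence stating which key `--key` names, that the file is created if absent (if that is the behaviour), and that it must be kept private because possession of it lets anyone act as the registered account; a `chmod 600` on it belongs in the example. Two smaller points: the fence on line 37 has no language tag (use ```sh, as the rest of the README presumably does for shell snippets), and the `ls -l ${DOMAIN}/cert.combined.pem ${DOMAIN}/cert.pem` line assumes `${DOMAIN}/` exists, while `mkdir -p ${DOMAIN}` is only shown much later in the key-generation section, so say here that the output directory is created automatically or move the `mkdir` up.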
@@ -65,12 +86,13 @@ mkdir -p ${DOMAIN} | |||
65 | openssl genrsa 4096 > ${DOMAIN}/rsa.key | 86 | openssl genrsa 4096 > ${DOMAIN}/rsa.key |
66 | ``` | 87 | ``` |
67 | 88 | ||
68 | ## Receive certificate | 89 | ## Generated certificate |
69 | 90 | ||
70 | The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`. | 91 | The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`. |
71 | A combined certificate, containing the issuer certificate, the private key, and | 92 | A combined certificate -- containing the issuer certificate, the private key, |
72 | (possibly) DH parameters, will be saved in `./${DOMAIN}/cert.combined.pem`. You | 93 | and (by default) DH parameters -- will be saved in |
73 | can copy that file to the place your TLS server is configured to read it. | 94 | `./${DOMAIN}/cert.combined.pem`. You can copy that file to the place your TLS |
95 | server is configured to read it. | ||
74 | 96 | ||
75 | You can also view the certificate like so: | 97 | You can also view the certificate like so: |
76 | 98 | ||
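Review bot: Line 92-95 of the new text now stress that `cert.combined.pem` contains the private key, yet line 94-95 still tell the reader to "copy that file to the place your TLS server is configured to read it" with no mention of permissions; a plain `cp` into a world-readable web-server directory leaks the key. Suggest adding: "Copy it with `install -m 600` (or `cp` followed by `chmod 600`) and owned by the user the TLS server runs as, since this file carries the private key." Also, the ` -- ` used as a dash on lines 92 and 93 renders literally in Markdown; commas or parentheses read better.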
@@ -78,17 +100,17 @@ You can also view the certificate like so: | |||
78 | openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less | 100 | openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less |
79 | ``` | 101 | ``` |
80 | 102 | ||
81 | ## Create a certificate for HAProxy | 103 | ## DH Params |
82 | 104 | ||
83 | Vo Minh Thu, the original author of this program, suggests to include explicit | 105 | Vo Minh Thu, the original author of this program, suggests to include explicit |
84 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). | 106 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). |
85 | This is now automatically performed by default. | 107 | This is now automatically performed by default. |
86 | 108 | ||
87 | Note: generating DH params is CPU-intensive and takes a long time. For that | 109 | Generating DH params is CPU-intensive and takes a long time. For that |
88 | reason, it is done once per domain, and the result is saved in | 110 | reason, it is done once per domain, and the result is saved in |
89 | `${DOMAIN}/dhparams.pem`. | 111 | `${DOMAIN}/dhparams.pem` for reuse. |
90 | 112 | ||
91 | You can also disable DH generation it with `--skip-dhparams`. | 113 | You can disable DH generation it with `--skip-dhparams`. |
92 | 114 | ||
93 | The certificate is generated by this program equivalently to this: | 115 | The certificate is generated by this program equivalently to this: |
94 | 116 | ||
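Review bot: Line 113 carries over the stray word "it" from old line 91 ("You can disable DH generation it with `--skip-dhparams`"); the commit touched this line but left the typo, so drop "it". Line 105 ("suggests to include") should read "suggests including". Since the section justifies the feature by Logjam, it should also state the size of the parameters that `${DOMAIN}/dhparams.pem` is generated with, because the protection depends on the group size (Logjam targets small, export-grade groups); without that number a reader cannot judge whether the default is adequate or whether `--skip-dhparams` is safe to use.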