From 7ee27b689653d31cd89c3494623444a0dd68d406 Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Tue, 26 Jan 2016 14:37:05 -0500 Subject: Improve documentation --- README.md | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index b2d5422..d9d6437 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,28 @@ This program can be used to obtain a certificate from the [Let's Encrypt](https://letsencrypt.org/) certificate authority, using their ACME protocol. -## Rate Limits +Simplest usage is to specify only the mandatory options, along with an email +address to register: + +``` +DOMAIN=yourdomain.com + +acme-certify --email webmaster@${DOMAIN} \ + --key webmaster@${DOMAIN}.key \ + --domain ${DOMAIN} \ + --domain www.${DOMAIN} \ + --challenge-dir /var/www/html/.well-known/acme-challenge + +ls -l ${DOMAIN}/cert.combined.pem ${DOMAIN}/cert.pem +``` + +You must have write permission to `/var/www/html/.well-known/acme-challenge` for +that to work. + +(Of course, there also must be a web server hosting your domains from +`/var/www/html`.) + +## Multiple Domains & Rate Limits This tool supports multiple domain names per certificate. Note that `Let's Encrypt` will not sign a certificate with more than 100 names; nor will it allow 
@@ -65,12 +86,13 @@ mkdir -p ${DOMAIN} openssl genrsa 4096 > ${DOMAIN}/rsa.key ``` -## Receive certificate +## Generated certificate The signed certificate will be saved by this program in `./${DOMAIN}/cert.pem`. -A combined certificate, containing the issuer certificate, the private key, and -(possibly) DH parameters, will be saved in `./${DOMAIN}/cert.combined.pem`. You -can copy that file to the place your TLS server is configured to read it. +A combined certificate -- containing the issuer certificate, the private key, +and (by default) DH parameters -- will be saved in +`./${DOMAIN}/cert.combined.pem`. You can copy that file to the place your TLS +server is configured to read it. You can also view the certificate like so: @@ -78,17 +100,17 @@ You can also view the certificate like so: openssl x509 -in ${DOMAIN}/cert.pem -noout -text | less ``` -## Create a certificate for HAProxy +## DH Params Vo Minh Thu, the original author of this program, suggests to include explicit DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). This is now automatically performed by default. -Note: generating DH params is CPU-intensive and takes a long time. For that +Generating DH params is CPU-intensive and takes a long time. For that reason, it is done once per domain, and the result is saved in -`${DOMAIN}/dhparams.pem`. +`${DOMAIN}/dhparams.pem` for reuse. -You can also disable DH generation it with `--skip-dhparams`. +You can disable DH generation it with `--skip-dhparams`. The certificate is generated by this program equivalently to this: -- cgit v1.2.3
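Review bot: in the new quick-start hunk of README.md, `--key webmaster@${DOMAIN}.key` does not match the key path the README's own key-generation step produces a few lines further down (`mkdir -p ${DOMAIN}` followed by `openssl genrsa 4096 > ${DOMAIN}/rsa.key`), and the text never says whether `--key` names an existing private key or a file the tool will create. Suggest using one path in both places, e.g. `--key ${DOMAIN}/rsa.key`, and adding a sentence stating whether the key must exist before the command is run. The `ls -l ${DOMAIN}/cert.combined.pem ${DOMAIN}/cert.pem` line also implies that output lands under `./${DOMAIN}/` relative to the current directory; saying that next to the example would save the reader a trip to the later section.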
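Review bot: the rewritten paragraph under `## Generated certificate` states that `cert.combined.pem` contains the private key and then tells the reader to copy it to wherever the TLS server reads it, but gives no guidance on protecting that file. Because the quick-start example in the same patch points `--challenge-dir` at `/var/www/html/.well-known/acme-challenge`, a one-line caveat that the combined file must never be placed under the served document root and should be readable only by the TLS server's user (e.g. `chmod 600`) belongs here.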
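Review bot: the new line `You can disable DH generation it with `--skip-dhparams`.` in the `## DH Params` hunk keeps the stray "it" from the line it replaces; it should read `You can disable DH generation with `--skip-dhparams`.`. The same section says DH parameters are generated by default to counter the Logjam attack but never states the bit length of the generated group, which is what decides whether that mitigation is effective, nor how to force regeneration once `${DOMAIN}/dhparams.pem` exists and is reused; adding both would make the paragraph actionable.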