forked from TrueCloudLab/lego
Improve documentation (#1265)
parent
03ca08048c
commit
abd783a124
2 changed files with 25 additions and 3 deletions
|
@ -34,7 +34,7 @@ GLOBAL OPTIONS:
|
||||||
--eab Use External Account Binding for account registration. Requires --kid and --hmac.
|
--eab Use External Account Binding for account registration. Requires --kid and --hmac.
|
||||||
--kid value Key identifier from External CA. Used for External Account Binding.
|
--kid value Key identifier from External CA. Used for External Account Binding.
|
||||||
--hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
|
--hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
|
||||||
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384. (default: "ec384")
|
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
|
||||||
--filename value (deprecated) Filename of the generated certificate.
|
--filename value (deprecated) Filename of the generated certificate.
|
||||||
--path value Directory to use for storing the data. (default: "./.lego") [$LEGO_PATH]
|
--path value Directory to use for storing the data. (default: "./.lego") [$LEGO_PATH]
|
||||||
--http Use the HTTP challenge to solve challenges. Can be mixed with other types of challenges.
|
--http Use the HTTP challenge to solve challenges. Can be mixed with other types of challenges.
|
||||||
|
|
|
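Review bot: The `--key-type` line changes the documented default from "ec384" to "ec256", and the commit message ("Improve documentation") does not mention it. Please confirm that "ec256" is the value the flag actually defaults to in the CLI code and state the correction in the commit message, because users who omit `-k` rely on this line to know which key type their private keys will use.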
@ -16,7 +16,29 @@ If your environment does not allow you to bind to these ports, please read [Port
|
||||||
lego --email="foo@bar.com" --domains="example.com" --http run
|
lego --email="foo@bar.com" --domains="example.com" --http run
|
||||||
```
|
```
|
||||||
|
|
||||||
(Find your certificate in the `.lego` folder of current working directory.)
|
You will find your certificate in the `.lego` folder of the current working directory:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ ls -1 ./.lego/certificates
|
||||||
|
example.com.crt
|
||||||
|
example.com.issuer.crt
|
||||||
|
example.com.json
|
||||||
|
example.com.key
|
||||||
|
[maybe more files for different domains...]
|
||||||
|
```
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `example.com.crt` is the server certificate (including the CA certificate),
|
||||||
|
- `example.com.key` is the private key needed for the server certificate,
|
||||||
|
- `example.com.issuer.crt` is the CA certificate, and
|
||||||
|
- `example.com.json` contains some JSON encoded meta information.
|
||||||
|
|
||||||
|
For each domain, you will have a set of these four files.
|
||||||
|
Please note, that for wildcard certificates (`*.example.com`), the filenames will look like `_.example.com.crt`.
|
||||||
|
The `.crt` and `.key` files are PEM encoded x509 certificates and private keys.
|
||||||
|
If you're looking for a `cert.pem` and `privkey.pem`, you can just use `example.com.crt` and `example.com.key`.
|
||||||
|
|
||||||
|
|
||||||
### Obtain a certificate (and hook)
|
### Obtain a certificate (and hook)
|
||||||
|
|
||||||
|
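Review bot: The new file list describes `example.com.key` only as "the private key needed for the server certificate" and never says that it is secret. Add a sentence stating that the `.key` file should be readable only by the user or service that terminates TLS, and that it should not be copied or published along with the other three files. Two smaller points in the same block: `example.com.crt` is described as including the CA certificate, so the `cert.pem` sentence should say that the reader is getting a bundle rather than a leaf-only certificate, and "x509" is normally written "X.509".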
@ -84,7 +106,7 @@ lego --email="foo@bar.com" --http --csr=/path/to/csr.pem run
|
||||||
If you have an existing server running on port 80 the `--http` option needs to also use the `--http.webroot` option.
|
If you have an existing server running on port 80 the `--http` option needs to also use the `--http.webroot` option.
|
||||||
This just writes the token to the given directory in the folder `.well-known/acme-challenge` and does not start a server.
|
This just writes the token to the given directory in the folder `.well-known/acme-challenge` and does not start a server.
|
||||||
|
|
||||||
The given directory **should** be publicly served as `/` on the domain(s) for the validation to complete.
|
The given directory **should** be publicly served as `/` on the domain(s) for the validation to complete.
|
||||||
|
|
||||||
If the given directory is not publicly served you will have to support rewriting the request to the directory;
|
If the given directory is not publicly served you will have to support rewriting the request to the directory;
|
||||||
|
|
||||||
|
|