muacme.conf

# Configuration file for muacme.
# vim: set ft=sh: ts=4:

# ACMEv2 server directory object URL. If not specified uacme uses
# https://acme-v02.api.letsencrypt.org/directory for production or
# https://acme-staging-v02.api.letsencrypt.org/directory if $staging is yes.
#acme_url=

# Path of the base directory where to store the account key, certificates and
# keys for each domain (uacme calls it "confdir").
#certs_dir="/etc/ssl/uacme"

# Path(s) of the challenge hook program(s) separated by a whitespace.
# If the first one exits with a non-zero status, the next one will be executed,
# and so on. This can be used to support multiple challenge methods.
#challenge_hook="/usr/share/uacme/uacme.sh"
#
# Uncomment the following line to use muacme's http-01 challenge script instead.
# This script uses busybox httpd to serve the key authorization on port 80.
# On Alpine Linux: install package busybox-extras (provides busybox httpd).
# challenge_hook="/usr/share/muacme/httpd-challenge-hook.sh"
#
# Or uncomment the following line to use muacme's dns-01 challenge script instead.
# On Alpine Linux: install package knot-utils (provides knsupdate and kdig).
# challenge_hook="/usr/share/muacme/nsupdate-challenge-hook.sh"
#
# Or the following line to use ACME-DNS server instead of DDNS via nsupdate:
# On Alpine Linux: install package knot-utils (provides kdig).
# challenge_hook="/usr/share/muacme/acmedns-challenge-hook.sh"

# Do not reissue certificates that are still valid for longer than specified
# number of days.
#days=37

# Key bit length (defaults to 3072). Only applies to newly generated keys.
# RSA key length must be a multiple of 8 between 2048 and 8192.
# EC key length must be either 256 (NID_X9_62_prime256v1 curve) or
# 384 (NID_secp384r1 curve).
key_bits=256

# Key type, either "RSA" (default) or "EC". Only applies to newly generated
# keys. The bit length can be specified with $key_bits.
key_type="EC"

# Path of the renew hook program that is executed after at least one
# certificate has been successfully renewed. It will get domain names of the
# renewed certificate (only CN, not alternative names) as arguments.
# Set empty string to disable.
#renew_hook="/etc/muacme/renew-hook.sh"

# Request certificates with the RFC7633 Certificate Status Request TLS Feature
# Extension, informally also known as "OCSP Must-Staple".
#must_staple=no

# Log to syslog in addition to STDERR.
#syslog=no

# Syslog facility; used when $syslog is yes.
#syslog_facility="cron"

# Be more verbose. By default uacme only produces output upon errors or when
# user interaction is required. When this option is specified uacme prints
# verbose information about what is going on.
#verbose=no


## Options for nsupdate-challenge-hook.sh

# TSIG key to authenticate dynamic update requests; either absolute path to
# a file with the TSIG key, or the TSIG key itself. TSIG key must be in format
# [<alg>:]<name>:<key>. This option is required.
#dns01_ddns_key=

# Hostname or IP address of the receiving server for dynamic DNS updates.
# If not provided, the master nameserver for the given record will be used.
#dns01_ddns_server=

# Maximum number of seconds to wait for the record to be propagated into the
# master nameserver.
#dns01_wait_max=10

# (k)dig command.
#dns01_dig="kdig +timeout=5 +retry=3"

# (k)nsupdate command.
# Options: -t timeout, -r retries, -v use TCP connection
#dns01_nsupdate="knsupdate -t 5 -r 3 -v"

# NOTE: Each of the above dns01_* options can be overriden using environment
# variable with the same name, but capitalized (e.g. DNS01_DDNS_KEY).


## Options for acmedns-challenge-hook.sh

# Path of the file that contains triplet(s) <subdomain>:<username>:<password>
# for the acme-dns API. To get these values, you must call the register endpoint
# on your acme-dns server (you can use `muacme-acmedns register`).
#dns01_acmedns_keys="/etc/muacme/acme-dns.keys"

# NOTE: dns01_wait_max, dns01_dig and dns01_debug can be used even for this hook