mirror of
https://github.com/caddyserver/caddy.git
synced 2025-05-24 02:02:26 -04:00
Document TLS maintenance properties
parent
34f165b4db
commit
0ad6256240
@ -1923,7 +1923,9 @@ Configures TLS certificate automation.
|
|||||||
"burst": 0
|
"burst": 0
|
||||||
},
|
},
|
||||||
"ask": ""
|
"ask": ""
|
||||||
}
|
},
|
||||||
|
"renew_interval": "12h",
|
||||||
|
"ocsp_interval": "1h"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
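Review bot: The new `"renew_interval": "12h"` and `"ocsp_interval": "1h"` entries read as concrete settings, whereas the rest of this sample block shows zero values (`"burst": 0`, `"ask": ""`); either show `""` here for consistency or make clear in the field list that these strings are the defaults, so readers do not copy them as required configuration.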
@ -1933,6 +1935,8 @@ Configures TLS certificate automation.
|
|||||||
- `on_demand.rate_limit.interval`: A duration value. A certificate may be obtained `burst` times during this interval.
|
- `on_demand.rate_limit.interval`: A duration value. A certificate may be obtained `burst` times during this interval.
|
||||||
- `on_demand.rate_limit.burst`: How many times during an interval a certificate can be obtained.
|
- `on_demand.rate_limit.burst`: How many times during an interval a certificate can be obtained.
|
||||||
- `on_demand.ask`: A URL which will be queried to check if Caddy should be allowed to try to get a certificate for a hostname. The name will be passed in a query string parameter like so: `?domain=example.com`. The endpoint must return a 200 OK if a certificate is allowed; anything else will cause it to be denied. Redirects are not followed.
|
- `on_demand.ask`: A URL which will be queried to check if Caddy should be allowed to try to get a certificate for a hostname. The name will be passed in a query string parameter like so: `?domain=example.com`. The endpoint must return a 200 OK if a certificate is allowed; anything else will cause it to be denied. Redirects are not followed.
|
||||||
|
- `renew_interval`: How often to scan loaded certificates for renewal. Default is 12 hours. Should be at least an order of magnitude shorter than certificate lifetimes.
|
||||||
|
- `ocsp_interval`: How often to scan active OCSP staples for staleness. Default is 1 hour. Should be at least an order of magnitude less than the lifetime of an OCSP response.
|
||||||
|
|
||||||
|
|
||||||
#### tls/automation/policies
|
#### tls/automation/policies
|
||||||
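Review bot: The `renew_interval` and `ocsp_interval` bullets state the defaults but not the value type; the neighbouring `on_demand.rate_limit.interval` bullet opens with "A duration value", and these two should say the same so it is clear that strings such as `12h` are expected. It would also help to spell out the consequence of the "order of magnitude" guidance: a scan interval close to the certificate or OCSP response lifetime means a single failed scan can leave an expired certificate or a stale staple being served.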
@ -1960,6 +1964,7 @@ This module uses ACME to manage TLS certificates.
|
|||||||
"module": "acme",
|
"module": "acme",
|
||||||
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
|
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
|
||||||
"email": "",
|
"email": "",
|
||||||
|
"renew_ahead": "30d",
|
||||||
"key_type": "",
|
"key_type": "",
|
||||||
"acme_timeout": "",
|
"acme_timeout": "",
|
||||||
"must_staple": false,
|
"must_staple": false,
|
||||||
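Review bot: `"renew_ahead": "30d"` uses a day unit, which Go's standard `time.ParseDuration` does not accept; confirm the duration parser used for this config supports `d`, or write the sample as `"720h"` to match the hour-based values used elsewhere in these examples (`"12h"`, `"1h"`).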
@ -1975,11 +1980,13 @@ This module uses ACME to manage TLS certificates.
|
|||||||
"dns": {}
|
"dns": {}
|
||||||
},
|
},
|
||||||
"on_demand": false,
|
"on_demand": false,
|
||||||
"storage": {}
|
"storage": {},
|
||||||
|
"trusted_roots_pem_files": []
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
- `ca`: The ACME CA's directory endpoint.
|
- `ca`: The ACME CA's directory endpoint.
|
||||||
- `email`: Your email address, so the CA can contact you if necessary. Not required but strongly recommended to provide one so you can be reached if there is a problem.
|
- `email`: Your email address, so the CA can contact you if necessary. Not required but strongly recommended to provide one so you can be reached if there is a problem.
|
||||||
|
- `renew_ahead`: How long before a certificate's expiration to try renewing it. Default is 30 days. Should usually be about 1/3 of certificate lifetime, but long enough to give yourself time to troubleshoot problems before expiration.
|
||||||
- `key_type`: The type of key to generate for the certificate. Supported values: `rsa2048`, `rsa4096`, `p256`, `p384`
|
- `key_type`: The type of key to generate for the certificate. Supported values: `rsa2048`, `rsa4096`, `p256`, `p384`
|
||||||
- `acme_timeout`: Duration to wait before timing out an ACME operation.
|
- `acme_timeout`: Duration to wait before timing out an ACME operation.
|
||||||
- `must_staple`: If true, the certificate will have MustStaple set.
|
- `must_staple`: If true, the certificate will have MustStaple set.
|
||||||
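Review bot: The `renew_ahead` bullet should state that it is a duration value (as `on_demand.rate_limit.interval` does) and say how it relates to `renew_interval` in the automation block: a certificate is renewed when a scan, run every `renew_interval`, finds it within `renew_ahead` of expiration. Stating both together lets readers see that a 30-day window with a 12-hour scan gives many retry opportunities, which is the point of the "time to troubleshoot" advice.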
@ -1993,6 +2000,7 @@ This module uses ACME to manage TLS certificates.
|
|||||||
- `challenges.dns`: Configures the ACME DNS challenge. Doing so disables the other challenge types. This challenge type must be configured using a DNS challenge module.
|
- `challenges.dns`: Configures the ACME DNS challenge. Doing so disables the other challenge types. This challenge type must be configured using a DNS challenge module.
|
||||||
- `on_demand`: If true, certificates will be managed "on demand", that is, during TLS handshakes or when needed, as opposed to at startup.
|
- `on_demand`: If true, certificates will be managed "on demand", that is, during TLS handshakes or when needed, as opposed to at startup.
|
||||||
- `storage`: Optionally configure a separate storage module associated with this manager, instead of using Caddy's global/default-configured storage.
|
- `storage`: Optionally configure a separate storage module associated with this manager, instead of using Caddy's global/default-configured storage.
|
||||||
|
- `trusted_roots_pem_files`: An array of CA certificates to accept when connecting to the ACME CA.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
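Review bot: The `trusted_roots_pem_files` bullet says "An array of CA certificates", but the key name indicates file paths to PEM-encoded CA certificates; the description should say which. It should also state whether these roots replace or supplement the system trust store when connecting to the ACME CA, since that determines the blast radius of a mistaken entry and is the main thing an operator needs to know before trusting a private CA for certificate issuance.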