Merge pull request #3151 from unic/feature/acme-documentation-improvement
ACME documentation improvement
This commit is contained in:
commit
497afc3b46
|
@ -1171,6 +1171,23 @@ The following configuration properties are required to use the PowerDNS ACME Plu
|
|||
|
||||
File/Dir path to CA Bundle: Verifies the TLS certificate was issued by a Certificate Authority in the provided CA bundle.
|
||||
|
||||
ACME Plugin
|
||||
~~~~~~~~~~~~
|
||||
|
||||
The following configration properties are optional for the ACME plugin to use. They allow reusing an existing ACME
|
||||
account. See :ref:`Using a pre-existing ACME account <AcmeAccountReuse>` for more details.
|
||||
|
||||
|
||||
.. data:: ACME_PRIVATE_KEY
|
||||
:noindex:
|
||||
|
||||
This is the private key, the account was registered with (in JWK format)
|
||||
|
||||
.. data:: ACME_REGR
|
||||
:noindex:
|
||||
|
||||
This is the registration for the ACME account, the most important part is the uri attribute (in JSON)
|
||||
|
||||
.. _CommandLineInterface:
|
||||
|
||||
Command Line Interface
|
||||
|
|
|
@ -511,3 +511,47 @@ The following must be added to the config file to activate the pinning (the pinn
|
|||
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
|
||||
-----END CERTIFICATE-----
|
||||
"""
|
||||
|
||||
|
||||
.. _AcmeAccountReuse:
|
||||
|
||||
LetsEncrypt: Using a pre-existing ACME account
|
||||
-----------------------------------------------
|
||||
|
||||
Let's Encrypt allows reusing an existing ACME account, to create and especially revoke certificates. The current
|
||||
implementation in the acme plugin, only allows for a single account for all ACME authorities, which might be an issue,
|
||||
when you try to use Let's Encrypt together with another certificate authority that uses the ACME protocol.
|
||||
|
||||
To use an existing account, you need to configure the `ACME_PRIVATE_KEY` and `ACME_REGR` variables in the lemur
|
||||
configuration.
|
||||
|
||||
`ACME_PRIVATE_KEY` needs to be in the JWK format::
|
||||
|
||||
{
|
||||
"kty": "RSA",
|
||||
"n": "yr1qBwHizA7ME_iV32bY10ILp.....",
|
||||
"e": "AQAB",
|
||||
"d": "llBlYhil3I.....",
|
||||
"p": "-5LW2Lewogo.........",
|
||||
"q": "zk6dHqHfHksd.........",
|
||||
"dp": "qfe9fFIu3mu.......",
|
||||
"dq": "cXFO-loeOyU.......",
|
||||
"qi": "AfK1sh0_8sLTb..........."
|
||||
}
|
||||
|
||||
|
||||
Using `python-jwt` converting an existing private key in PEM format is quite easy::
|
||||
|
||||
import python_jwt as jwt, jwcrypto.jwk as jwk
|
||||
|
||||
priv_key = jwk.JWK.from_pem(b"""-----BEGIN RSA PRIVATE KEY-----
|
||||
...
|
||||
-----END RSA PRIVATE KEY-----""")
|
||||
|
||||
print(priv_key.export())
|
||||
|
||||
`ACME_REGR` needs to be a valid JSON with a `body` and a `uri` attribute, similar to this::
|
||||
|
||||
{"body": {}, "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/<ACCOUNT_NUMBER>"}
|
||||
|
||||
The URI can be retrieved from the ACME create account endpoint when creating a new account, using the existing key.
|
Loading…
Reference in New Issue