to request a certificate for the domain. If Let's Encrypt can verify the ownership
of the domain, the module will retrieve the certificate and its chain, store it
in the local file system (see <code class="directive"><a href="#mdstoredir">MDStoreDir</a></code>)
- and provide it, on next restart, to mod_ssl.
+ and provide it, on next restart, to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.
</p><p>
This happens while the server is already running. All other hosts will continue
to work as before. While a certificate is not available, requests for the managed
<div class="directive-section"><h2><a name="MDCAChallenges" id="MDCAChallenges">MDCAChallenges</a> <a name="mdcachallenges" id="mdcachallenges">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Type of ACME challenge used to prove domain ownership.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCAChallenges name [ name ... ]</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCAChallenges <var>name</var> [ <var>name</var> ... ]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDCAChallenges tls-sni-01 http-01</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<div class="directive-section"><h2><a name="MDCertificateAgreement" id="MDCertificateAgreement">MDCertificateAgreement</a> <a name="mdcertificateagreement" id="mdcertificateagreement">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The URL of the Terms-of-Service document, that the CA server requires you to accept.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateAgreement url-of-terms-of-service</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateAgreement <var>url-of-terms-of-service</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
<div class="directive-section"><h2><a name="MDCertificateAuthority" id="MDCertificateAuthority">MDCertificateAuthority</a> <a name="mdcertificateauthority" id="mdcertificateauthority">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The URL of the ACME Certificate Authority service.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateAuthority url</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateAuthority <var>url</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<div class="directive-section"><h2><a name="MDCertificateProtocol" id="MDCertificateProtocol">MDCertificateProtocol</a> <a name="mdcertificateprotocol" id="mdcertificateprotocol">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The protocol to use with the Certificate Authority.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateProtocol protocol</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCertificateProtocol <var>protocol</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDCertificateProtocol ACME</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
renew it.
</p><p>
In 'manual' mode, it is your duty to do all this. The module will provide the existing
- certificate to mod_ssl, if available. But it will not contact the CA for signup/renewal.
+ certificate to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, if available. But it will not contact the CA for signup/renewal.
This can be useful in clustered setups where you want just one node to perform
the driving.
</p><p>
<div class="directive-section"><h2><a name="MDHttpProxy" id="MDHttpProxy">MDHttpProxy</a> <a name="mdhttpproxy" id="mdhttpproxy">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a proxy for outgoing connections.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDHttpProxy url</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDHttpProxy <var>url</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
<div class="directive-section"><h2><a name="MDMember" id="MDMember">MDMember</a> <a name="mdmember" id="mdmember">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Additional hostname for the managed domain.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDMember hostname</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDMember <var>hostname</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
</table>
<p>
Instead of listing all dns names on the same line, you may use
- <code class="directive"><a href="#mdmember">MDMember</a></code> to add such names
+ <code class="directive">MDMember</code> to add such names
to a managed domain.
</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><MDomainSet example.org>
<p>Defines if newly requested certificate should have the OCSP Must Staple flag
set or not. If a certificate has this flag, the server is required to send a
OCSP stapling response to every client. This only works if you configure
-
mod_ssl to generate this (see <code class="directive"><a href="../mod/mod_ssl.html#sslusestapling">SSLUseStapling</a></code>
+
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to generate this (see <code class="directive"><a href="../mod/mod_ssl.html#sslusestapling">SSLUseStapling</a></code>
and friends).
</p>
<div class="directive-section"><h2><a name="MDNotifyCmd" id="MDNotifyCmd">MDNotifyCmd</a> <a name="mdnotifycmd" id="mdnotifycmd">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Run a program when Managed Domain are ready.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDNotifyCmd path</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDNotifyCmd <var>path</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
</table>
<p>
All the names in the list are managed as one Managed Domain (MD).
- mod_md will request one single certificate that is valid for all these names. This
+ <code class="module"><a href="../mod/mod_md.html">mod_md</a></code> will request one single certificate that is valid for all these names. This
directive uses the global settings (see other MD directives below). If you
need specific settings for one MD, use
the <code class="directive"><a href="#mdomainset"><MDomainSet></a></code>.
In this example, the domain 'www.example.org' is automatically added to
the MD 'example.org'. Similarly for 'example2.org' where 'auto' is configured
explicitly. Whenever you add more ServerAlias names to this
- virtual host, they will be added as well to the Manged Domain.
+ virtual host, they will be added as well to the Managed Domain.
</p><p>
If you prefer to explicitly declare all the domain names, use 'manual' mode.
An error will be logged if the names do not match with the expected ones.
<div class="directive-section"><h2><a name="MDPortMap" id="MDPortMap">MDPortMap</a> <a name="mdportmap" id="mdportmap">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Map external to internal ports for domain ownership verification.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDPortMap map1 [ map2 ]</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDPortMap <var>map1</var> [ <var>map2</var> ]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDPortMap 80:80 443:443</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
</table>
<p>
- The ACME protocol provides two method to verify domain ownership: one that uses
+ The ACME protocol provides two methods to verify domain ownership: one that uses
port 80 and one for port 443. If your server is not reachable by at least one
of the two, ACME will not work for you.
</p><p>
another one. Your server might only listen on ports 5001 and 5002, but be reached
on ports 443 and 80. How should <code class="module"><a href="../mod/mod_md.html">mod_md</a></code> figure that one out?
</p><p>
- With MDPortMap you can tell it which 'Internet port' corresponds to which local
- port.
+ With <code class="directive">MDPortMap</code> you can tell it which 'Internet port'
+ corresponds to which local port.
</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDPortMap 80:- 443:5002</pre>
</div>
<div class="directive-section"><h2><a name="MDPrivateKeys" id="MDPrivateKeys">MDPrivateKeys</a> <a name="mdprivatekeys" id="mdprivatekeys">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set type and size of the private keys generated.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDPrivateKeys type [ params... ]</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDPrivateKeys <var>type</var> [ <var>params</var>... ]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDPrivateKeys RSA 2048</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<div class="directive-section"><h2><a name="MDRenewWindow" id="MDRenewWindow">MDRenewWindow</a> <a name="mdrenewwindow" id="mdrenewwindow">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control when a certificate will be renewed.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDRenewWindow duration</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDRenewWindow <var>duration</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDRenewWindow 33%</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
</table>
<p>
- If the validity of the certificate falls below duration, mod_md will get a
- new signed certificate.
+ If the validity of the certificate falls below duration, <code class="module"><a href="../mod/mod_md.html">mod_md</a></code>
+ will get a new signed certificate.
</p><p>
- Normally, certificates are valid for around 90 days and mod_md will renew
+ Normally, certificates are valid for around 90 days and <code class="module"><a href="../mod/mod_md.html">mod_md</a></code> will renew
them the earliest 33% of their complete lifetime before they expire (so for
90 days validity, 30 days before it expires). If you think this is not what
you need, you can specify either the exact time, as in:
you cannot simply take it back again.
</li>
</ol>
- <p>You can achieve the same with mod_alias and some Redirect configuration,
+ <p>You can achieve the same with <code class="module"><a href="../mod/mod_alias.html">mod_alias</a></code> and some
+ <code class="directive"><a href="../mod/mod_alias.html#redirect">Redirect</a></code> configuration,
basically. If you do it yourself, please make sure to exclude the paths
- /.well-known/* from your redirection, otherwise mod_md might have trouble
- signing on new certificates.
+ /.well-known/* from your redirection, otherwise <code class="module"><a href="../mod/mod_md.html">mod_md</a></code>
+ might have trouble signing on new certificates.
</p>
<p>If you set this globally, it applies to all managed domains. If you want
it for a specific domain only, use:
projects / apache / commitdiff