certificate: merge old LE doc

NethServer · Jul 23, 2021 · ffa4c8a · ffa4c8a
1 parent 598aa2c
commit ffa4c8a
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/developer-manual/certificate_management.rst b/developer-manual/certificate_management.rst
@@ -78,3 +78,63 @@ value type:
 
        db configuration setprop pki CommonName custom.cn
 
+Let's Encrypt
+=============
+
+NethServer can request and renews Let's Encrypt (LE) certificates.
+The main helper ``/usr/libexec/nethserver/letsencrypt-certs`` can be executed also from command line.
+
+For more info, see: ::
+
+  /usr/libexec/nethserver/letsencrypt-certs -h
+
+
+Database properties under ``pki`` key inside ``configuration`` database:
+
+- ``LetsEncryptMail``: (optional) registration mail for LE notifications
+- ``LetsEncryptDomains``: comma-separated list of domains added to certificate SAN field
+- ``LetsEncryptChallenge``: challenge to use for validating the certificate, default is ``http``.
+  It accepts also values like ``dns-<provider>``. Where ``<provider>`` is the name of the DNS provider.
+  See the full list of available DNS provider plugins by executing ``certbot -h certonly``.
+  More info at https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins.
+
+DNS challenge
+-------------
+
+To use the DNS challenge, follow these steps:
+
+- install the required certbot plugin plugin using yum; to see the list of available package use ``yum search certbot-dns``
+- set ``LetsEncryptChallenge`` property to correct DNS plugin
+- configure all required properties accordingly to plugin documentation
+
+When using the dns challenge, make sure to set extra properties accordingly to certbot configuration.
+All properties for the dns challenge should be in the form ``LetsEncrypt_<certbot_option>``, where
+``<certbot_option>`` is the option specific to certbot DNS plugin.
+
+Digitial Ocean example
+^^^^^^^^^^^^^^^^^^^^^^
+
+1. Install the plugin:
+
+   ::
+
+     yum install python2-certbot-dns-digitalocean
+
+2. Configure the challenge type:
+
+   ::
+
+     config setprop pki LetsEncryptChallenge dns-digitalocean
+
+3. Configure required props accordingly to https://certbot-dns-digitalocean.readthedocs.io/en/stable/:
+
+   ::
+
+     config setprop pki LetsEncrypt_dns_digitalocean_token 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+
+4. Request certificate for domain ``myserver.nethserver.org``:
+
+   ::
+
+     /usr/libexec/nethserver/letsencrypt-certs -v -d myserver.nethserver.org
+