Document REQUEST_CA_BUNDLE or add a ca-bundle command for custom ACME providers

[evilhamsterman]

My operating system is (include version):

All

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

All

Certbot's behavior differed from what I expected because:

This is basically reopening #7170 because it is still and issue. The REQUESTS_CA_BUNDLE environment variable is not documents and internal ACME services are becoming more common. The only way I was able to learn about the variable was through the step-ca documentation but this should really be documented by certbot itself.

Also as stated in that previous bug that a command line switch would be helpful and saving the custom bundle to the certificate conf file so it is automatically used on renewal without having to add the root cert to the system store. It was brought up why add a command switch when the variable works fine. This is a common ability in many applications where you can provide options by either command line or by environment variable because both can be useful depending on the situation.

At the very least this functionality needs to be documented

[alexzorin]

Agreed. To begin with, I think https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server could be improved or rewritten to include this kind of information.

An additional note:

The certbot packages for some Linux distributions will create a cron entry or systemd timer like this for you. This entry won’t work with step-ca because it doesn’t set the REQUESTS_CA_BUNDLE environment variable. You need to manually update it.

systemd does let you create override files which enable you to overlay an Environment= directive on top of the systemd units that come with Certbot packages. I'm on the fence about whether that's something we want to dedicate room to documenting ourselves, but input welcome.

[osirisinferi]

Fixed in #9357.