-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
seth and noah updated some confusing things [revisions requested] #3232
Conversation
the same command line flags and arguments. Throughout our and others' documentation | ||
you should substitute the name of the command that certbot.eff.org_ told you | ||
to use on your system. (``certbot-auto`` should always be run from the directory | ||
where it has been downloaded and invoked via ``./certbot-auto``). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also tell people they can copy it into their path, eg /usr/local/bin/certbot-auto
?
Probably to clarify the docs for |
|
||
``--expand`` tells Certbot to update an existing certificate with a new | ||
certificate that contains all of the old domains and one or more additional | ||
new domains. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also document --allow-subset-of-names
here!
It's unclear to me whether the lineage management docs should just live in the RST documentation, or perhaps whether we should create a new "lineages" section of the CLI documentation, and put some explanation of lineages in there. |
## Questions
|
… questions in my comment certbot#3232 (comment)
@pconrad-fb, thanks for your questions; I've tried to answer them below.
The project used to be called letsencrypt but was renamed to certbot. It is the same codebase, but some people will have old packages and/or scripts and/or third-party guides that refer to the old name.
Should probably be certbot everywhere, although a small number of OS package managers will also still use the old name.
Right.
Yeah, something like that might be useful.
Obtaining a cert means saving it in the filesystem, while installing it means modifying the configuration file of some server application (such as Apache or Nginx, or others) to refer to that certificate and cause it to be used for inbound TLS connections. Plugins can be used with The point of
The authenticators are plugins that are used to prove to the CA that the user is entitled to obtain certs for a particular domain name or domain names because the user controls the name(s) in question. In order to provide this proof, they need to perform some kind of configuration change that is specified by the CA and also visible to the CA (which is called "completing a challenge"). Authenticators know how to perform one or more challenges; the way that they do this varies from authenticator to authenticator and could include things like changing a file on the system, changing a web server configuration file, spawning a temporary web server, giving instructions to a human user about a configuration change that should be made by hand, and (in the future) perhaps uploading a file to a different server or changing entries in a DNS zone. The appropriate authenticator to use depends on how you want to prove control over names, and which ones are practical options depends on the particular system and context (for example, which web server, if any, is already running).
It depends on how you installed it. If you have an operating system package, you have
Those are both plugins. The standalone plugin creates its own temporary webserver in order to perform the authentication step (responding to challenges); the webroot plugin instead responds to challenges by writing files into a specified directory (the "webroot") for each domain, so that an existing webserver that's already running on the system will be able to serve those files at the called-for locations when the CA asks for them. If you're not running a webserver on your system at all, standalone is great because it will make one for you (and shut it down when it's done). If you are already running a webserver, webroot is probably the best choice as long as the webserver is somehow serving files out of the filesystem (as opposed to out of a database or something). An advantage of webroot is that it works without any specific knowledge of webserver integration, so it will work well today with non-Apache webservers as well as Apache (though in that case only with certonly because webroot does not offer an installer!).
certonly is named in contrast to the idea of obtaining and installing a cert; it is "cert only" because it only obtains the cert. As I noted above, you can also use it for individual-cert renewals, whether due to expiry or due to a change in the content of the cert, or if you want to change the defaults for how the cert will be renewed in the future (e.g., to change which plugin will be used for renewal). certonly always saves the most recent settings that were used to obtain an individual cert in the renewal configuration file for that lineage.
Yes.
Yes.
Yes.
Yes, those plugins provide an authenticator which attempts to satisfy challenges by changing web server configurations (what's now called the TLS-SNI-01 challenge method). In that case, the plugin will be used to perform these changes in order to respond to challenges from the CA. This is an alternative to using the webroot plugin in this context. You would need to have the corresponding web server installed and running.
Yes. (I think there might be some minor details about this, but this is generally the way we think of it.) |
I have a couple more questions in return.
Thanks, |
and
I think for most people we'd suggest they get the certbot-auto file from https://dl.eff.org/certbot-auto
Hmm, I'm not sure I think beginner users will go through the graphical prompt and choose apache when prompted, more advanced users might find themselves doing everything via command-line, though I think the install instructions are critical here. |
hmm, this never got merged - @schoen do you think this is still needed - would you mind cleaning up the merge conflicts so we can submit it if so? |
This is meant to satisfy some of the feedback on #2938 as well as all of the feedback from https://community.letsencrypt.org/t/lets-make-lets-encrypt-easy-and-simple/15724/26