This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

acme_srv.cfg

configuration options for acme2certifier

Section	Option	Description	Values	default
DEFAULT	debug	Debug mode	True/False
False
DEFAULT	async_mode	Enable asynchronous Mode	True/False	False
DEFAULT	proxy_server_list	Proxy-server configuration	{"bar.local$": "http​://10.0.0.1:3128", "foo.local$": "socks5://10.0.0.1:1080"}	None
Account	contact_check_disable	do not require to send contact information	True/False	False
Account	ecc_only	mandates the usage of ECC for account key generation	True/False	False
Account	inner_header_nonce_allow	allow nonce header on inner JWS during key-rollover	True/False	False
Account	tos_check_disable	turn off "Terms of Service" acceptance check	True/False	False
Authorization	expiry_check_disable	Disable authorization expiration	True/False	False
Authorization	prevalidated_domainlist	List of pre-validated identfiers	["host-01.bar.local", "*.example.local"]	None
Authorization	validity	Authorization validity in seconds	Integer	86400
CAhandler	handler_file	path and name of ca_handler file to be loaded. If not specified acme_srv/ca_handler.py will be loaded	examples/ca_handler/openssl_handler.py	acme_srv/ca_handler.py
Certificate	cert_reusage_timeframe	in case a csr will be resend within this timeframe (in seconds) the certificate already stored in the database will be returned and no enrollment will be triggered	Integer	0 (disabled)
Certificate	enrollment_timeout	timeout in seconds for asynchronous ca_handler threat	Integer	5
Certificate	cert_operations_log	log certificate issuance and revocation operations	True/False/json	False
Certificate	revocation_reason_check_disable	disable the check of revocation reason	True/False	False
Challenge	challenge_validation_disable	disable challenge validation via http or dns. THIS IS A SEVERE SECURITY ISSUE! Please enable for testing/debugging purposes only.	True/False	False
Challenge	challenge_validation_timeout	Timeout in seconds for challenge validation	Integer	10
Challenge	forward_address_check	Only in combination with challenge_validation_disable parameter. a2c checks if the acme-client ip is registered for the fqdns being part of the order request	True/False	False
Challenge	reverse_address_check	Only in combination with challenge_validation_disable parameter. a2c checks if dns-name part of the order request is a PTR record for the client-ip sending the request	True/False	False
Challenge	dns_server_list	Use own dns servers for name resolution during challenge verification	["ip1", "ip2"]	[]
Challenge	dns_validation_pause_timer	pause interval in seconds after failed validation of a dns challenge	10	0.5
Challenge	sectigo_sim	provide sectigo-email-01 challenges - Only for development and testing!	True/False	False
DBhandler	dbfile	path and name of database file. If not specified acme_srv/acme_srv.db will be used. Parameter is only available for a wsgi handler and will be ignored if django handler is getting used	'acme/database.db'	acme_srv/acme_srv.db
Directory	caaidentities	ACME server hostname[s] for CAA record validation as defined in RFC6844	'string'	None
Directory	db_check	check database connection compare schemes and report as OK/NOK in meta information	True/False	False
Directory	home	homepage string to be shown when fetching the directory ressource	'string'	'https://github.com/grindsa/acme2certifier'
Directory	supress_product_information	Do not show product name, author and version when fetching the directory resource	True/False	False
Directory	supress_version	Do not show version information when fetching the directory resource	True/False	False
Directory	tos_url	Terms of Service URL	URL	None
Directory	url_prefix	url prefix for acme2certifier resources	'/foo'	None
EABhandler	eab_handler_file	EAB handler file	path/file	None
EABhandler	key_file	EAB credential file	path/file	None
EABhandler	eabkid_check_disable	validate kid during every transaction	True/False	False
EABhandler	invalid_eabkid_deactivate	deactivate invalid eab-kids	True/False	False
Helper	log_format	Format of logging information	check the 'LogRecord attributes' Section of the python logging module	%(message)s
Hooks	hooks_file	path and name of hooks (for pre- and post-enrollment hooks) file to be loaded	None
Hooks	ignore_pre_hook_failure	True/False	False
Hooks	ignore_post_hook_failure	True/False	True
Hooks	ignore_success_hook_failure	True/False	False
Message	signature_check_disable	disable signature check of incoming JWS messages. THIS IS A SEVERE SECURITY ISSUE bypassing security checks and allowing message manipulations during transit. Please enable for testing/debugging purposes only.	True/False	False
Nonce	nonce_check_disable	disable nonce check. THIS IS A SECURITY ISSUE as it exposes the API for replay attacks! Should be enabled for testing/debugging purposes only.	True/False	False
Order	expiry_check_disable	Disable order expiration	True/False	False
Order	header_info_list	HTTP header fields to be passed to ca handler	["HTTP_USER_AGENT", "FOO_BAR"]	[]
Order	retry_after_timeout	Retry-After value to be send to client in case a certificate enrollment request gets pending on CA server	Integer	120
Order	identifier_limit	Maximum number of identifiers submitted in a single order request which translate later into SANs per certificate	Integer	20
Order	idempotent_finalize	Allow Non-RFC compliant order polling via finalization request	True/False	False
Order	tnauthlist_support	accept TNAuthList identifiers and challenges containing tkauth-01 type	True/False	False
Order	validity	Order validity in seconds	Integer	86400
Order	profiles	specifies acme-profiles to be offered by the server	{"profile1": "url1", "profile2": "url2"}	{}
Order	profiles_check_disable	Disables validation of the client-submitted profile against the profiles advertised by the server	True/False	False
Renewalinfo	renewalthreshold_pctg	Defines the percentage of certificate lifetime after which renewal is allowed or recommended	Integer	85
Renewalinfo	retry_after_timeout	Number of seconds a client should wait before retrying a pending certificate renewal	Integer	600
Renewalinfo	renewal_force	Forces certificate renewal regardless of the usual renewal threshold or timing conditions	True/False	False

The options for the CAhandler section depend on the CA handler.

Further options for the Hooks section depend on the concrete hooks class.

Instructions for Insta Certifier

Instructions for NetGuard Certificate Lifecycle Manager

Instructions for Microsoft Certification Authority Web Enrollment Service

Instructions for the generic EST handler

Instructions for the generic CMPv2 handler

Instructions for XCA handler

Instructions for Openssl based CA handler