TLS Certificates

ACME - Certbot

Configuration via /etc/letsencrypt/cli.ini

Any global --some-option can be used in cli.ini by omitting the leading hyphens (--). To set an option for a specific certificate, set it in that certificate's renewal configuration file in /etc/letsencrypt/renewal/.

Useful defaults:

email = person@example.com
agree-tos = true

Change key type:

key-type = ecdsa
elliptic-curve = secp384r1

Alternative chains:

preferred-chain = ISRG Root X1

Specifying ISRG Root X1 will omit the expired root certificate included by default to support ancient versions of Android. [1]

CAA

The CAA DNS record type can be used to limit what CA can issue a certificate for a domain or subdomain.

Send reports about unauthorized requests to issue a certificate to a specific mail address:

example.com. IN CAA 0 iodef "mailto:hostmaster@example.com"

Not all CAs support this.

Allow only Let’s Encrypt to issue certificates:

example.com. IN CAA 0 issue "letsencrypt.org"

Only allow a certain validation method and specific accounts:

; Allow letsencrypt
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-staging.api.letsencrypt.org/acme/reg/571142; validationmethods=http-01"
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/7738050; validationmethods=http-01"

You usually want to specify both a production and a staging account URI so that --dry-run (which uses the staging environment) keeps working.

Prohibit issuance of a certificate:

; non-wildcard
example.com. IN CAA 0 issue ";"

; wildcard
example.com. IN CAA 0 issuewild ";"

Override policy for subdomain:

example.com. IN CAA 0 issue "letsencrypt.org"
subdomain.example.com. IN CAA 0 issue "ca.example.org"

When issuing a certificate for www.subdomain.example.com, CAA records are looked up at www.subdomain.example.com, subdomain.example.com, and example.com, in this order. The first record set found applies. [2]
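To make the lookup order and the issue/issuewild semantics concrete, here is an added Python example (not part of the original page) that models the records shown above. ZONE is constructed sample data standing in for the DNS query, and the account URI from the example records is reused for the accounturi check.

```python
"""CAA policy evaluation: walk from the requested name towards the root, use
the first name that has CAA records, then check whether a given CA may issue."""
from __future__ import annotations

# Constructed zone data mirroring the records on this page (name -> list of
# (flags, tag, value)).  A real implementation would query DNS instead.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:hostmaster@example.com")],
    "subdomain.example.com": [(0, "issue", "ca.example.org")],
    "locked.example.com": [(0, "issue", ";"), (0, "issuewild", ";")],
    "restricted.example.com": [(0, "issue", "letsencrypt.org; "
        "accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/7738050; "
        "validationmethods=http-01")],
}


def relevant_caa(fqdn: str, zone=ZONE):
    """Return (name, rrset) of the first CAA set found while climbing from
    fqdn to the root, or (None, []) if no ancestor has CAA records."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def _parse_issue(value: str):
    """Split 'ca.example.org; accounturi=...; validationmethods=http-01' into
    (issuer domain, {param: value}).  An empty issuer (the ';' form) matches no CA."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), params


def may_issue(fqdn: str, ca: str, account_uri: str | None = None,
              method: str | None = None, zone=ZONE) -> bool:
    """Decide whether `ca` may issue for fqdn; wildcard names start with '*.'."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    # Wildcard requests use issuewild if any such record exists, else issue.
    has_wild = any(t == "issuewild" for _f, t, _v in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    relevant = [v for _f, t, v in rrset if t == tag]
    if not relevant:  # no applicable property record: issuance is permitted
        return True
    for value in relevant:
        issuer, params = _parse_issue(value)
        if issuer != ca.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params and method not in params["validationmethods"].split(","):
            continue
        return True
    return False
```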

Warning

CAA and CNAME records cannot coexist at the same name, because a CNAME delegates the CAA lookup (like every other record type) to its target.

Footnotes