# ACME - Certbot

## Configuration via /etc/letsencrypt/cli.ini
Any global `--some-option` can be used in cli.ini by omitting the leading hyphens (`--`). To set an option for a specific certificate only, set it in the respective config file in

```ini
email = email@example.com
agree-tos = true
```
Change key type:

```ini
key-type = ecdsa
elliptic-curve = secp384r1
```

```ini
preferred-chain = ISRG Root X1
```
The CAA DNS record type can be used to limit which CAs may issue a certificate for a domain or subdomain.

Send reports about unauthorized requests to issue a certificate to a specific mail address:

```
example.com. IN CAA 0 iodef "mailto:firstname.lastname@example.org"
```

Not all CAs support this.

Allow only Let's Encrypt to issue certificates:

```
example.com. IN CAA 0 issue "letsencrypt.org"
```
Only allow a certain validation method and specific accounts [2]:

```
; Allow letsencrypt
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-staging.api.letsencrypt.org/acme/reg/571142; validationmethods=http-01"
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/7738050; validationmethods=http-01"
```

You usually want to list both a production and a staging account URI, so that `--dry-run` (which goes through the staging environment) keeps working.
Prohibit issuance of a certificate:

```
; non-wildcard
example.com. IN CAA 0 issue ";"
; wildcard
example.com. IN CAA 0 issuewild ";"
```
Override the policy for a subdomain:

```
example.com. IN CAA 0 issue "letsencrypt.org"
subdomain.example.com. IN CAA 0 issue "ca.example.org"
```

When issuing a certificate for www.subdomain.example.com, the CA looks for a CAA record set at www.subdomain.example.com, subdomain.example.com and example.com, in this order; the first record set found applies. [3]

CAA and CNAME cannot coexist at the same name: a name that is a CNAME can carry no other record types, and the CAA lookup follows the CNAME to its target, so the target's CAA policy applies to the subdomain as well.
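To check a CAA policy before publishing it, the lookup and matching rules described above (climbing towards the root, first record set wins, CNAME followed, `issuewild` preferred for wildcard names, `accounturi` and `validationmethods` parameters, `";"` meaning nobody) can be modelled in a few lines. The following is an added example written for this page, not code from Certbot or from any CA; the zone contents, the `ca.example.org` issuer and the `ACCOUNT_URI` value are constructed placeholders, and the helper names (`lookup_caa`, `parse_issue_value`, `may_issue`) are this example's own.

```python
# Added example (not part of the original page): a small model of CAA
# evaluation as described in RFC 8659, for checking a zone's policy before
# it is published. Zone contents and the account URI are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed placeholder; a real value is the ACME account URL Certbot registers.
ACCOUNT_URI = "https://acme-v02.api.letsencrypt.org/acme/acct/ACCOUNT-ID-PLACEHOLDER"

# Constructed zone: owner name -> list of CAA records, or a CNAME target (str).
ZONE = {
    "example.com.": [
        CAA(0, "issue", f"letsencrypt.org; accounturi={ACCOUNT_URI}; validationmethods=http-01"),
        CAA(0, "issuewild", ";"),                       # no wildcard issuance at all
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "subdomain.example.com.": [CAA(0, "issue", "ca.example.org")],  # overrides the parent
    "alias.example.com.": "subdomain.example.com.",                   # CNAME: no CAA possible here
}

def lookup_caa(name, zone=ZONE):
    """Find the relevant CAA RRset for `name` by climbing towards the root
    (RFC 8659 section 3): the first owner name with CAA records wins.
    A CNAME is followed to its target before deciding whether records exist."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner, [])
        hops = 0
        while isinstance(rrset, str) and hops < 8:   # follow a bounded CNAME chain
            rrset = zone.get(rrset, [])
            hops += 1
        if isinstance(rrset, str):                   # chain too long: treat as empty
            rrset = []
        if rrset:
            return owner, list(rrset)
    return None, []

def parse_issue_value(value):
    """Split 'ca.example; k=v; k=v' into (issuer_domain, {k: v}).
    An empty issuer domain (the value ';') means no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def may_issue(name, ca_domain, account_uri=None, method=None, wildcard=False, zone=ZONE):
    """Decide whether `ca_domain` may issue for `name` (or `*.name` if wildcard).
    Returns (allowed, reason) so a policy check can report why."""
    found_at, rrset = lookup_caa(name, zone)
    if not rrset:
        return True, "no CAA records found; issuance is not restricted"
    # An unknown property flagged issuer-critical forbids issuance outright.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"unknown critical property at {found_at}"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"            # issuewild takes precedence for wildcard names
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True, f"no '{tag}' property at {found_at}; issuance is not restricted"
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if method not in allowed:
                continue
        return True, f"matched '{r.value}' at {found_at}"
    return False, f"no '{tag}' record at {found_at} permits {ca_domain}"

if __name__ == "__main__":
    for args in [("www.subdomain.example.com", "letsencrypt.org", ACCOUNT_URI, "http-01", False),
                 ("www.example.com", "letsencrypt.org", ACCOUNT_URI, "http-01", True)]:
        print(args[0], may_issue(*args))
```

Running it shows the subdomain override in action: `www.subdomain.example.com` is refused for letsencrypt.org because `subdomain.example.com` names a different CA, and the wildcard request for `www.example.com` is refused by the `issuewild ";"` record even though the matching `issue` record would allow a non-wildcard certificate. Real CAs also follow DNAME and treat lookup failures specially; the model deliberately stops at CNAME handling.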