ZeroSSL Crypt::LE client v0.12
===============
USAGE EXAMPLES:
===============
a) To register (if needed) and issue a certificate:
le.pl --key account.key --email "my@email.address" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" \
--generate-missing
Please note that email is only used for the initial registration and cannot be changed later. Even though it is optional,
you may want to have your email registered to receive certificate expiration notifications and be able to recover your
account in the future if needed.
b) To have challenge files automatically placed into your web directory before the verification and then removed after the verification:
le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" --generate-missing \
--path /some/path/.well-known/acme-challenge --unlink
c) To use external modules to handle challenges and process completion while getting a certificate:
le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" --generate-missing \
--handle-with Crypt::LE::Challenge::Simple --complete-with Crypt::LE::Complete::Simple
- See provided Crypt::LE::Challenge::Simple for an example of a challenge-handling module.
- See provided Crypt::LE::Complete::Simple for an example of a completion-handling module.
d) To pass parameters to external modules as JSON either directly or by specifying a file name:
le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" --generate-missing \
--handle-with Crypt::LE::Challenge::Simple --complete-with Crypt::LE::Complete::Simple \
--handle-params '{"key1": 1, "key2": 2, "key3": "something"}' --complete-params complete.json
e) To use basic DNS verification:
le.pl --key account.key --csr domain.csr --csr-key domain.key --crt domain.crt --domains "www.domain.ext,domain.ext" --generate-missing \
--handle-as dns --handle-with Crypt::LE::Challenge::Simple
f) To just generate the keys and CSR:
le.pl --key account.key --csr domain.csr --csr-key domain.key --domains "www.domain.ext,domain.ext" --generate-missing --generate-only
g) To revoke a certificate:
le.pl --key account.key --crt domain.crt --revoke
===============
RENEWAL PROCESS
===============
To RENEW your existing certificate: use the same command line as you used for issuing the certificate, with one additional parameter
--renew XX, where XX is the number of days left until certificate expiration.
If le.pl detects that XX or fewer days are left until certificate expiration, then (and only then) the renewal process will be run, so the script can be safely put into crontab to run on a daily basis if needed. The number of days left is checked by either of two methods:
1) If the certificate (whose name is given with the --crt parameter) is available locally, then it will be loaded and checked.
2) If the certificate is not available locally (for example if you moved it to another server), then an attempt to
connect to the domains listed in --domains or CSR will be made until the first successful response is received. The
peer certificate will then be checked for expiration.
NOTE: by default a staging server is used, which does not provide trusted certificates. This is to avoid hitting
rate limits on the Let's Encrypt live server. To generate an actual certificate, always add the --live option.
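The two expiry checks described above can also be run independently of le.pl, for example to monitor a certificate from another host. This is an added example, not part of Crypt::LE: it uses the openssl CLI, and the function names, return codes and port 443 are assumptions.

```shell
#!/bin/sh
# Added example: the two expiry checks from the RENEWAL PROCESS text, done with
# the openssl CLI (an assumption; le.pl performs its own checks internally).
# Return codes: 0 = renew now, 1 = enough days left, 2 = could not determine.

# needs_renewal_local CRT DAYS: method 1, certificate file available locally.
needs_renewal_local() {
    crt=$1; days=$2
    [ -r "$crt" ] || return 2
    # An unparsable file must not be mistaken for an expiring certificate.
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only if the certificate is still valid in N seconds.
    if openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# needs_renewal_remote DAYS HOST...: method 2, first host that answers wins.
needs_renewal_remote() {
    days=$1; shift
    for host in "$@"; do
        # Port 443 is assumed; -servername sends SNI so the right vhost answers.
        pem=$(openssl s_client -connect "$host:443" -servername "$host" \
                  </dev/null 2>/dev/null | openssl x509 2>/dev/null) || continue
        [ -n "$pem" ] || continue
        if printf '%s\n' "$pem" |
           openssl x509 -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            return 1
        fi
        return 0
    done
    return 2
}

# needs_renewal CRT DAYS HOST...: local file first, remote peers as fallback.
needs_renewal() {
    crt=$1; days=$2; shift 2
    rc=0
    needs_renewal_local "$crt" "$days" || rc=$?
    [ "$rc" -eq 2 ] || return "$rc"
    needs_renewal_remote "$days" "$@"
}
```

A return code of 2 means neither the file nor any listed host yielded a certificate, so a monitoring job should alert on it rather than treat it as "no renewal needed".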
==================================
LOGGING CONFIGURATION FILE EXAMPLE
==================================
log4perl.rootLogger=DEBUG, File, Screen
log4perl.appender.File = Log::Log4perl::Appender::File
log4perl.appender.File.filename = le.log
log4perl.appender.File.mode = append
log4perl.appender.File.layout = PatternLayout
log4perl.appender.File.layout.ConversionPattern = %d [%p] %m%n
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.layout = PatternLayout
log4perl.appender.Screen.layout.ConversionPattern = %d [%p] %m%n
=====================
AVAILABLE PARAMETERS:
=====================
key <file> - Your account key file.
csr <file> - Your CSR file.
csr-key <file> - Key for your CSR (only mandatory if CSR is missing and to be generated).
domains <list> - Domains as comma-separated list (only mandatory if CSR is missing).
path <absolute path> - Path to local .well-known/acme-challenge/ to drop required challenge files into (optional).
handle-with <Some::Module> - Module name to handle challenges with (optional).
handle-as <http|dns|tls|...> - Type of challenge to request, by default 'http' (optional).
handle-params <{json}|file> - JSON (or name of the file containing it) with parameters to be passed to the challenge-handling module (optional).
complete-with <Another::Module> - Module name to handle process completion with (optional).
complete-params <{json}|file> - JSON (or name of the file containing it) with parameters to be passed to the completion-handling module (optional).
email <some@mail.address> - Mail address for the account registration and certificate expiration notifications (optional).
log-config <file> - Configuration file for logging (perldoc Log::Log4perl to see configuration examples).
generate-missing - Generate missing files (key, csr and csr-key).
generate-only - Generate a new key and/or CSR if they are missing and then exit.
unlink - Remove challenge files which were automatically created if --path option was used.
renew <XX> - Renew the certificate if XX or fewer days are left until its expiration.
crt <file> - Name for the domain certificate file.
revoke - Revoke a certificate.
live - Connect to a live server instead of staging.
debug - Print out debug messages.
help - This screen.