cleanup
This commit is contained in:
parent
596ae53dbb
commit
27ff2ef53f
35
README.md
35
README.md
|
@ -81,20 +81,33 @@ require('greenlock-express').create({
|
||||||
|
|
||||||
First and foremost:
|
First and foremost:
|
||||||
|
|
||||||
* You MUST run this on the public-facing webserver, *as the webserver* (exception: using a 'dns-01' challenge, such as `le-challenge-route53`, you can validate domains set to private addresses - 10.x, 192.168.x, etc)
|
* You MUST run this on the public-facing webserver, *as the webserver* (exception: using a 'dns-01' challenge, such as `le-challenge-route53`, you can validate domains set to private addresses )
|
||||||
|
|
||||||
Double check each of the following:
|
Double check the following:
|
||||||
|
|
||||||
* Let's Encrypt **v2** uses `version: 'draft-11'`, but v1 uses `version: 'v01'`
|
* **Public Facing IP** for `http-01` challenges
|
||||||
* You MUST set `email` to a **valid address** with **valid MX** records (`dig MX example.com` for `'john@example.com'`)
|
* Are you running this *as* a public-facing webserver (good)? or localhost (bad)?
|
||||||
* You MUST set `approveDomains` to domains with **valid DNS records** (test with `dig +trace A example.com; dig +trace www.example.com` for `[ 'example.com', 'www.example.com' ]`)
|
* Does `ifconfig` show a public address (good)? or a private one - 10.x, 192.168.x, etc (bad)?
|
||||||
* You MUST have **write access** to `configDir` so that certs can be saved (test with `touch ~/acme/etc/tmp.tmp`)
|
* If you're on a non-public server, are you using the `dns-01` challenge?
|
||||||
* You MUST have **bind privileges** to ports 80 and 44 via `sudo` or [`setcap`](https://gist.github.com/firstdoit/6389682)
|
* **correct ACME version**
|
||||||
|
* Let's Encrypt **v2** (ACME v2) must use `version: 'draft-11'`
|
||||||
|
* Let's Encrypt v1 must use `version: 'v01'`
|
||||||
|
* **valid email**
|
||||||
|
* You MUST set `email` to a **valid address**
|
||||||
|
* MX records must validate (`dig MX example.com` for `'john@example.com'`)
|
||||||
|
* **valid DNS records**
|
||||||
|
* You MUST set `approveDomains` to real domains
|
||||||
|
* Must have public DNS records (test with `dig +trace A example.com; dig +trace www.example.com` for `[ 'example.com', 'www.example.com' ]`)
|
||||||
|
* **write access**
|
||||||
|
* You MUST set `configDir` to a writeable location (test with `touch ~/acme/etc/tmp.tmp`)
|
||||||
|
* **port binding privileges**
|
||||||
|
* You MUST be able to bind to ports 80 and 44
|
||||||
|
* You can do this via `sudo` or [`setcap`](https://gist.github.com/firstdoit/6389682)
|
||||||
|
* **API limits**
|
||||||
* You MUST NOT exceed the API [**usage limits**](https://letsencrypt.org/docs/staging-environment/) per domain, certificate, IP address, etc
|
* You MUST NOT exceed the API [**usage limits**](https://letsencrypt.org/docs/staging-environment/) per domain, certificate, IP address, etc
|
||||||
|
* **Red Lock, Untrusted**
|
||||||
If you get a **red** lock instead of a green lock:
|
* You MUST change the `server` value **in production**
|
||||||
|
* Shorten the 'acme-staging-v02' part of the server URL to 'acme-v02'
|
||||||
* You MUST change the `server` value **in production**. Just shorten the 'acme-staging-v02' part to 'acme-v02'
|
|
||||||
|
|
||||||
### Get it working in staging first!
|
### Get it working in staging first!
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue