certhub-lego-run@.service

Synopsis

certhub-lego-run@.service

certhub-lego-run@.path

Description

A service which runs certhub-lego-run with a CSR read from the config directory. The resulting fullchain certificate is committed to the repository. A commit message is generated automatically.

A path unit which starts the service unit if the expiry status file managed by certhub-cert-expiry@.service exists or if the CSR file has changed.

The instance name (systemd instance string specifier %i) is used as the basename of the configuration and the resulting certificate file.

Environment

CERTHUB_REPO

URL of the repository where certificates are stored. Defaults to: /var/lib/certhub/certs.git

CERTHUB_CERT_PATH

Path to the certificate file inside the repository. Defaults to: {WORKDIR}/%i.fullchain.pem

CERTHUB_CSR_PATH

Path to the CSR file. Defaults to: /etc/certhub/%i.csr.pem

CERTHUB_LEGO_ARGS

Additional arguments for lego --csr run. Empty by default.

CERTHUB_LEGO_PREFERRED_CHAIN

Set the preferred certificate chain. If the CA offers multiple certificate chains, prefer the chain whose topmost certificate was issued from this Subject Common Name. If there is no match, the default offered chain will be used. Empty by default.

Specify CERTHUB_LEGO_PREFERRED_CHAIN=ISRG Root X1 in one of the envfiles listed in the next section to use the alternate/short Let’s Encrypt chain.

CERTHUB_LEGO_CHALLENGE_ARGS

Use this environment variable to select a challenge method. Empty by default. Lego will fall back to the HTTP-01 challenge if this variable is not set.

CERTHUB_LEGO_DIR

The path to the directory where lego stores account data and issued certificates. Defaults to: /var/lib/certhub/private/lego

Files

/etc/certhub/env

Optional environment file shared by all instances and certhub services.

/etc/certhub/%i.env

Optional per-instance environment file shared by all certhub services.

/etc/certhub/certhub-lego-run.env

Optional per-service environment file shared by all certhub service instances.

/etc/certhub/%i.certhub-lego-run.env

Optional per-instance and per-service environment file.
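
The environment files above supply the arguments handed to lego, and CERTHUB_LEGO_DIR holds the ACME account data, so both deserve a permission check. The following audit script is an added example, not part of certhub; it assumes the default paths documented on this page, and the function names and the optional ROOT prefix (for auditing a copy of the tree) are hypothetical.

```shell
#!/bin/sh
# Added example, not certhub code. Audits the files read by
# certhub-lego-run@INSTANCE.service, assuming the documented default paths.

# Succeeds if group or others may write to the given path.
writable_by_others() {
    case $(ls -ld "$1") in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# Succeeds if the given path carries no group/other permission bits.
owner_only() {
    case $(ls -ld "$1") in ????------*) return 0 ;; esac
    return 1
}

# certhub_audit INSTANCE [ROOT]
# Prints one line per finding and returns 1 if anything was found.
# ROOT is a hypothetical prefix, empty when auditing the live system.
certhub_audit() {
    inst=$1 root=${2:-} rc=0
    csr="$root/etc/certhub/$inst.csr.pem"            # CERTHUB_CSR_PATH default
    lego_dir="$root/var/lib/certhub/private/lego"    # CERTHUB_LEGO_DIR default

    # Without a CSR the service has nothing to submit to the CA.
    [ -f "$csr" ] || { echo "CSR missing: $csr"; rc=1; }

    # Whoever can write an env file controls CERTHUB_LEGO_ARGS and friends.
    for name in env "$inst.env" certhub-lego-run.env "$inst.certhub-lego-run.env"; do
        f="$root/etc/certhub/$name"
        [ -e "$f" ] || continue                      # all four files are optional
        if writable_by_others "$f"; then
            echo "env file writable by group/other: $f"; rc=1
        fi
    done

    # Account data should be reachable by the service user only.
    if [ -d "$lego_dir" ] && ! owner_only "$lego_dir"; then
        echo "lego directory not owner-only: $lego_dir"; rc=1
    fi
    return $rc
}
```

Call it as `certhub_audit example.com` on the host; an instance that overrides CERTHUB_CSR_PATH or CERTHUB_LEGO_DIR needs the paths in the script adjusted to match.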

See Also

certhub-cert-expiry@.service, certhub-lego-run(1), certhub-message-format(1)