• The email account used to create an account against Let’s Encrypt

• type:string

• default:null (no registration is done, and so no certificate is issued if an account does not exist yet)

• Iftrue, Let’s Encrypt staging servers will be used (useful for testing purpose)

• type:boolean

• default:false

• The ACME protocol version to use (deprecated1 or current2)

• type:integer

• default:2

• The ACME CA server to use

• type:string representing a valid URL

• default:null (ACME CA server URL is determined usingstaging andapi_version values)

• An object describing the files and directories permissions to apply on generated certificates

• type:object

• default:null (default permissions are applied: certificates are owned by the user/group running DNSroboCert,and are only accessible by this user/group)

files_mode

• The permissions to apply to files, defined in POSIX octal notation

• type:integer orstring defined in octal notation (eg.0644 or"0755")

• default:0640

dirs_mode

• The permissions to apply to directories, defined in POSIX octal notation

• type:integer orstring defined in octal notation (eg.0755 or"0755")

• default:0750

user

• The user name or uid that should be owner of the certificates

• type:integer (for a uid, eg.1000) orstring (for a user name, eg."myuser")

• default:null (user running DNSroboCert will be owner of the certificates)

group

• The group name or gid that should group owner of the certificates

• type:integer (for a gid, eg.1000) orstring (for a user name, eg."mygroup")

• default:null (group running DNSroboCert will group owner of the certificates)

• A cron pattern defining the frequency for certificates renewal check

• type:string representing a valid cron pattern

• default:1201,13*** (twice a day)

• The name of the profile, used to reference this profile in thecertificates section.

• type:string

• mandatory property

• Name of the DNS provider supported by Lexicon

• type:string

• mandatory property

• Anobject defining all properties to use for the DNS provider defined for this profile

• type:object

• default:null

Each property that should be added inprovider_option depends on the actual provider used.You can check all properties available for each provider in theLexicon Providers configuration reference page.As an example for Aliyun it will be:

provider_options:auth_key_id:MY_KEY_IDauth_secret:MY_SECRET

• Time in seconds to wait after the TXT entries are inserted into the DNS zone to perform the DNS-01 challengeof a certificate

• type:integer

• default:30

• Maximum number of checks to verify that the TXT entries have been properly inserted into the DNS zone beforeperforming the DNS-01 challenge of a certificate. DNSroboCert will wait for the amount of time defined insleep_time between each check. Set to0 to disable these checks.

• type: integer

• default:0 (no check is done)

• Time to live in seconds for the TXT entries inserted in the DNS zone during a DNS-01 challenge.

• type:integer

• default:null (use any default TTL value specific to the DNS provider associated to this profile)

• Switch on/off the dynamic resolution of the actual zone for a given domain using live DNS requests. This isparticularly useful for zones that concerns non second-level domains (eg.sub.domain.net).If set toFalse, DNSRoboCert will rely on a static list of top level domains to guess second level domains:you would need the optiondelegated_subdomain to work with a third (or more) level domain. Disabling thedynamic zone resolution can be useful on environments where DNS responses are unreliable (eg. slow requestsor timeouts).

• type:boolean

• default:True (dynamic zone resolution is enabled by default)

• Ifdynamic_zone_resolution is set toFalse and you are working on a subdomain which has beendelegated to a specific zone (eg.sub.domain.net delegated fromdomain.net), this option allowsto explicitly set the actual domain of that zone (otherwise DNSRoboCert may assume the zone isdomain.netinstead ofsub.domain.net when dynamic zone resolution is not set).

• type:boolean

• default:null

• The profile name to use to validated DNS-01 challenges. This profile must exist in theprofilessection.

• type:string

• mandatory property

• List of the domains to include in the certificate.

• type:list[string]

• mandatory property

• Name of the certificate, used in particular to define where the certificate assets (key, cert, chain…)will be stored on the filesystem. For a certificate namedmy-cert, files will be available in thedirectory whose path is[CERTS_PATH]/live/my-cert. If the name is not specified, the effectivecertificate name will be the first domain listed in thedomains property.

• type:string

• default:null (in this case name is extracted from the first domain listed indomains, forinstanceexample.net forexample.net or*.example.net)

• Configure an export of the certificate into the PFX (also known as PKCS#12) format upon creation/renewal.

• type:object

• default:null (certificate is not exported in PFX format)

export

• Iftrue, the certificate is exported in PFX format.

• type:boolean

• default:false (the certificate is not exported in PFX format)

passphrase

• If set, the PFX file will be protected with the given passphrase.

• type:string

• default:null (the PFX file is not protected by a passphrase)

• A command hook to execute locally when the certificate is created/renewed.

• type:string

• default:null (no deploy hook is configured)

• Iftrue, the certificate will be force renewed when DNSroboCert configuration changes. Usefulfor debugging purposes.

• type:boolean

• default:false (the certificate is not force renewed)

• Iftrue, DNSroboCert will follow the chain of CNAME that may be defined for the challengeDNS names_acme-challenge.DOMAIN (whereDOMAIN is the domain to validate and integratein the certificate). This allows to delegate the validation to another DNS zone for securitypurpose. See thislink for more details.

• type:boolean

• default:false (CNAME chain is not followed)

• Iftrue, the existing private key will be reused during certificate renewal instead ofcreating a new one each time the certificate is renewed.

• type:boolean

• default:false (the private key is never reused for certificate renewal)

• Type of key to use when the certificate is generated. Must bersa orecdsa.

• type:string

• default:rsa (a RSA-type key will be used)

• Configure an automated restart of target containers when the certificate is created/renewed. Thisproperty takes a list of autorestart configurations. Each autorestart is triggered in the orderthey have been inserted here.

• type:list[object]

• default:null (no automated restart is triggered)

containers

• A list of Docker containers to restart.

• type:list[string]

• default:null (no containers to restart)

swarm_services

• A list of swarm services to force restart

• type:list[string]

• default:null (no swarm services to restart)

podman_containers

• A list of Podman containers to restart.

• type:list[string]

• default:null (no containers to restart)

Property configuration example

autorestart:-containers:-container1-container2swarm_services:-service1

• Configure an automated execution of an arbitrary command on target containers when the certificate isis created/renewed. This property takes a list of autocmd configurations. Each autocmd is triggeredin the order they have been inserted here.

• type:list[object]

• default:null (no automated command is triggered)

cmd

• The command to execute in each target container. Only commands of string type will be executed in a shell.

• type:string orlist[string]

• Mandatory property

containers

• A list of Docker containers on which the command will be executed.

• type:list[string]

• default:null (no containers to restart)

Property configuration example

autocmd:-containers:-container1-container2cmd:[echo,"HelloWorld!"]-containers:-container3cmd:env