Docs: Clarify standalone dns01 API configuration structure with example (#1155)

stuartbirrell · web-flow · commit 904b5e38b171 · 2024-09-27T15:32:36.000+02:00
* adding additional documentation detail for standalone DNS-01 verification

* added example

* Update Standalone-certificates.md

* minor mistake

* Update Standalone-certificates.md

* Update Standalone-certificates.md
diff --git a/docs/Standalone-certificates.md b/docs/Standalone-certificates.md
@@ -51,16 +51,51 @@ LETSENCRYPT_app_HOST=('myapp.yourdomain.tld' 'myapp.yourotherdomain.tld' 'servic
 LETSENCRYPT_othersite_HOST=('yetanotherdomain.tld')
 ```
 
+**Example using DNS-01 verification:**
+
+In this example: `web` and `app` generate a certificate using the global/default configuration. However `othersite` will perform it's certificate verification using a specific DNS-01 API configuration.
+
+```bash
+LETSENCRYPT_STANDALONE_CERTS=('web' 'app' 'othersite')
+LETSENCRYPT_web_HOST=('yourdomain.tld' 'www.yourdomain.tld')
+LETSENCRYPT_app_HOST=('myapp.yourdomain.tld' 'myapp.yourotherdomain.tld' 'service.yourotherdomain.tld')
+LETSENCRYPT_othersite_HOST=('yetanotherdomain.tld')
+
+ACME_othersite_CHALLENGE=DNS-01
+declare -A ACMESH_othersite_DNS_API_CONFIG=(
+    ['DNS_API']='dns_cf'
+    ['CF_Token']='<CLOUDFLARE_TOKEN>'
+    ['CF_Account_ID']='<CLOUDFLARE_ACCOUNT_ID>'
+    ['CF_Zone_ID']='<CLOUDFLARE_ZONE_ID>'
+)
+```
+
 ### Optional configuration parameters:
 
-Those are all single bash variables.
+Single bash variables:
 
 `LETSENCRYPT_uniqueidentifier_EMAIL` : must be a valid email and will be used by Let's Encrypt to warn you of impeding certificate expiration (should the automated renewal fail).
 
 `LETSENCRYPT_uniqueidentifier_KEYSIZE` : determines the size of the requested private key. See [private key size](./Let's-Encrypt-and-ACME.md#private-key-size) for accepted values.
 
 `LETSENCRYPT_uniqueidentifier_TEST` : if set to true, the corresponding certificate will be a test certificates: it won't have the 5 certs/week/domain limits and will be signed by an untrusted intermediate (ie it won't be trusted by browsers).
 
+DNS-01 related variables:
+
+`ACME_uniqueidentifier_CHALLENGE`: Defaults to HTTP-01. In order to switch to the DNS-01 ACME challenge set it to `DNS-01`
+
+`ACMESH_uniqueidentifier_DNS_API_CONFIG`: Defaults to the values of DNS_API_CONFIG. However if you wish to specify a specific DNS-01 verification method on a particular standalone certificate. It must be defined as a bash associative array.
+
+Example
+```bash
+declare -A ACMESH_alt_DNS_API_CONFIG=(
+    ['DNS_API']='dns_cf'
+    ['CF_Token']='<CLOUDFLARE_TOKEN>'
+    ['CF_Account_ID']='<CLOUDFLARE_ACCOUNT_ID>'
+    ['CF_Zone_ID']='<CLOUDFLARE_ZONE_ID>'
+)
+```
+
 ### Picking up changes to letsencrypt_user_data
 
 The container does not actively watch the `/app/letsencrypt_user_data` file for changes.
