25 lines
1.5 KiB
ReStructuredText
25 lines
1.5 KiB
ReStructuredText
This addons requests a certificate for the domain named in the configuration
|
|
parameter ``web.base.url`` - if this comes back as ``localhost`` or the like,
|
|
the module doesn't request anything.
|
|
|
|
Futher self-explanatory settings are in Settings -> General Settings. There you
|
|
can add further domains to the CSR, add a custom script that updates your DNS
|
|
and add a script that will be used to reload your web server (if needed).
|
|
The number of domains that can be added to a certificate is
|
|
`capped at 100 <https://letsencrypt.org/docs/rate-limits/>`_. A wildcard
|
|
certificate can be used to avoid that limit.
|
|
|
|
Note that all those domains must be publicly reachable on port 80 via HTTP, and
|
|
they must have an entry for ``.well-known/acme-challenge`` pointing to
|
|
``$datadir/letsencrypt/acme-challenge`` of your odoo instance.
|
|
|
|
Since DNS changes can take some time to propagate, when we respond to a DNS challenge
|
|
and the server tries to check our response, it might fail (and probably will).
|
|
The solution to this is documented in https://tools.ietf.org/html/rfc8555#section-8.2
|
|
and basically is a ``Retry-After`` header under which we can instruct the server to
|
|
retry the challenge.
|
|
At the time these lines were written, Boulder had not implemented this functionality.
|
|
This prompted us to use ``letsencrypt.backoff`` configuration parameter, which is the
|
|
amount of minutes this module will try poll the server to retry validating the answer
|
|
to our challenge, specifically it is the ``deadline`` parameter of ``poll_and_finalize``.
|