diff --git a/certbot/docs/challenges.rst b/certbot/docs/challenges.rst index ee8bb8e61..0d026242d 100644 --- a/certbot/docs/challenges.rst +++ b/certbot/docs/challenges.rst @@ -1,16 +1,16 @@ Challenges ========== -To receive a certificate from Let's Encrypt certificate authority (CA), you must pass a *challenge* to -prove you control each of the domain names that will be listed in the certificate. A challenge is one of +To receive a certificate from Let's Encrypt certificate authority (CA), you must pass a *challenge* to +prove you control each of the domain names that will be listed in the certificate. A challenge is one of a list of specified tasks that only someone who controls the domain should be able to accomplish, such as: * Posting a specified file in a specified location on a web site (the HTTP-01 challenge) * Posting a specified DNS record in the domain name system (the DNS-01 challenge) -It’s possible to complete each type of challenge *automatically* (Certbot directly makes the necessary -changes itself, or runs another program that does so), or *manually* (Certbot tells you to make a -certain change, and you edit a configuration file of some kind in order to accomplish it). Certbot's +It’s possible to complete each type of challenge *automatically* (Certbot directly makes the necessary +changes itself, or runs another program that does so), or *manually* (Certbot tells you to make a +certain change, and you edit a configuration file of some kind in order to accomplish it). Certbot's design favors performing challenges automatically, and this is the normal case for most users of Certbot. Some plugins offer an *authenticator*, meaning that they can satisfy challenges: 
@@ -22,29 +22,29 @@ Some plugins offer an *authenticator*, meaning that they can satisfy challenges: satisfy challenges from the certificate authority. Use the nginx plugin when you're running Certbot on a web server with nginx listening on port 80. * Webroot plugin: (HTTP-01) Tries to place a file where it can be served over HTTP on port 80 by a - web server running on your system. Use the Webroot plugin when you're running Certbot on + web server running on your system. Use the Webroot plugin when you're running Certbot on a web server with any server application listening on port 80 serving files from a folder on disk in response. * Standalone plugin: (HTTP-01) Tries to run a temporary web server listening on HTTP on port 80. Use the Standalone plugin if no existing program is listening to this port. -* Manual plugin: (DNS-01 or HTTP-01) Either tells you what changes to make to your configuration or updates - your DNS records using an external script (for DNS-01) or your webroot (for HTTP-01). Use the Manual +* Manual plugin: (DNS-01 or HTTP-01) Either tells you what changes to make to your configuration or updates + your DNS records using an external script (for DNS-01) or your webroot (for HTTP-01). Use the Manual plugin if you have the technical knowledge to make configuration changes yourself when asked to do so, - and are prepared to repeat these steps every time the certificate needs to be renewed. + and are prepared to repeat these steps every time the certificate needs to be renewed. Tips for Challenges ------------------- General tips: * Run Certbot on your web server, not on your laptop or another server. It’s usually the easiest way to get a certificate. -* Use a tool like the DNSchecker at dnsstuff.com to check your DNS records to make sure - there are no serious errors. A DNS error can prevent a certificate authority from +* Use a tool like the DNSchecker at dnsstuff.com to check your DNS records to make sure + there are no serious errors. 
A DNS error can prevent a certificate authority from issuing a certificate, even if it does not prevent your site from loading in a browser. * If you are using Apache or NGINX plugins, make sure the configuration of your Apache or NGINX server is correct. HTTP-01 Challenge ~~~~~~~~~~~~~~~~~ -* Make sure the domain name exists and is already pointed to the public IP address of the server where +* Make sure the domain name exists and is already pointed to the public IP address of the server where you’re requesting the certificate. * Make sure port 80 is open, publicly reachable from the Internet, and not blocked by a router or firewall. * When using the Webroot plugin or the manual plugin, make sure the the webroot directory exists and that you 
@@ -52,12 +52,12 @@ HTTP-01 Challenge then a file placed in `/var/www/example.com/.well-known/acme-challenge/testfile` should appear on your web site at `http://example.com/.well-known/acme-challenge/testfile` (A redirection to HTTPS is OK here and should not stop the challenge from working.) -* In some web server configurations, all pages are dynamically generated by some kind of framework, - usually using a database backend. In this case, there might not be a particular directory - from which the web server can serve filesdirectly. Using the Webroot plugin in this case +* In some web server configurations, all pages are dynamically generated by some kind of framework, + usually using a database backend. In this case, there might not be a particular directory + from which the web server can serve filesdirectly. Using the Webroot plugin in this case requires making a change to your web server configuration first. -* Make sure your web server serves files properly from the directory where the challenge - file is placed (e. g. `/.well-known/acme-challenge`) to the expected location on the +* Make sure your web server serves files properly from the directory where the challenge + file is placed (e. g. `/.well-known/acme-challenge`) to the expected location on the website without adding a header or footer. * When using the Standalone plugin, make sure another program is not already listening to port 80 on the server. * When using the Webroot plugin, make sure there is a web server listening on port 80. @@ -65,6 +65,6 @@ HTTP-01 Challenge DNS-01 Challenge ~~~~~~~~~~~~~~~~ -* When using the manual plugin, make sure your DNS records are correctly updated; +* When using the manual plugin, make sure your DNS records are correctly updated; you must be able to make appropriate changes to your DNS zone in order to pass the challenge. diff --git a/certbot/docs/cli-help.txt b/certbot/docs/cli-help.txt index 5665e9bb7..0086c13a8 100644 --- a/certbot/docs/cli-help.txt 
+++ b/certbot/docs/cli-help.txt @@ -1,4 +1,4 @@ -usage: +usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, diff --git a/certbot/docs/what.rst b/certbot/docs/what.rst index 3d33346c2..b5e50d882 100644 --- a/certbot/docs/what.rst +++ b/certbot/docs/what.rst @@ -2,14 +2,14 @@ What is a Certificate? ====================== -A public key or digital *certificate* (formerly called an SSL certificate) uses a public key -and a private key to enable secure communication between a client program (web browser, email client, +A public key or digital *certificate* (formerly called an SSL certificate) uses a public key +and a private key to enable secure communication between a client program (web browser, email client, etc.) and a server over an encrypted SSL (secure socket layer) or TLS (transport layer security) connection. -The certificate is used both to encrypt the initial stage of communication (secure key exchange) +The certificate is used both to encrypt the initial stage of communication (secure key exchange) and to identify the server. The certificate includes information about the key, information about the server identity, and the digital signature of the certificate issuer. If the issuer is trusted by the software that initiates the communication, -and the signature is valid, then the key can be used to communicate securely with the server identified by +and the signature is valid, then the key can be used to communicate securely with the server identified by the certificate. Using a certificate is a good way to prevent "man-in-the-middle" attacks, in which someone in between you and the server you think you are talking to is able to insert their own (harmful) content. 
@@ -23,9 +23,9 @@ Certificates and Lineages Certbot introduces the concept of a *lineage,* which is a collection of all the versions of a certificate plus Certbot configuration information maintained for that certificate from renewal to renewal. Whenever you renew a certificate, Certbot keeps the same configuration unless -you explicitly change it, for example by adding or removing domains. If you add domains, you can +you explicitly change it, for example by adding or removing domains. If you add domains, you can either add them to an existing lineage or create -a new one. +a new one. See also: :ref:`updating_certs`
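Review bot: the first challenges.rst hunk (`@@ -1,16 +1,16 @@`) changes only trailing whitespace on the `-`/`+` pairs, with the wording on each `+` line identical to its `-` line; confirm with `git diff -w` that the hunk is empty under whitespace-insensitive comparison and state "whitespace only" in the commit message so the change can be reviewed as such.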
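Review bot: the `+` lines in the challenges.rst hunk at `@@ -52,12 +52,12 @@` still carry the typos "serve filesdirectly" (missing space) and "e. g." (stray space); since these lines are already being rewritten, fix them to "serve files directly" and "e.g." in the same change. The unchanged context line "make sure the the webroot directory exists" has a doubled "the" that fits the same cleanup pass.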
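Review bot: the cli-help.txt hunk only strips the trailing space after `usage:`; if that file is regenerated from `certbot --help` output, as its name and the `usage: certbot [SUBCOMMAND] [options] ...` contents suggest, the trailing space will come back on the next regeneration unless the generating step is adjusted, so confirm how the file is produced before hand-editing it.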
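Review bot: the `+` line in the what.rst hunk at `@@ -2,14 +2,14 @@` reading "The certificate is used both to encrypt the initial stage of communication (secure key exchange)" is imprecise: a certificate binds the server's public key to an identity under the issuer's signature and is used to authenticate the key exchange, while the encryption itself is done with keys derived from that exchange. Since the line is being touched anyway, rewording it to "The certificate is used to authenticate the key exchange and to identify the server" would avoid teaching readers that the certificate encrypts traffic.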