TLS Secure
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/edge | 8 | 24 Oct 2023 |
juju deploy tls-secure --channel edge
-
debug | boolean
Use debugging to show more command output.
-
debug-level | string
Default: 1
The debug level to use: 0, 1, 2 or 3.
-
eab-hmac-key | string
EAB hmac key from the certificate service provider.
Also see the eab-kid config value description.
-
eab-kid | string
EAB key id from the certificate service provider. See the acme.sh wiki or each service provider's webpage for information on how to generate the EAB credentials.
If the values for eab-kid and eab-hmac-key are not empty, the charm will attempt to use them in combination with the server and, in some cases, also the email address.
If a CA other than the standard supported ones is used, the charm will attempt to create an account using the email and the EAB credentials if EAB credentials are set; otherwise only the email will be used. If use-email is false, an empty email is used. For the standard supported CAs, see the config option "server".
EAB credentials are:
- Required for CAs:
  - googletest
  - sslcom_rsa
- Optional for CAs:
  - zerossl
- Unused for CAs:
  - letsencrypt
  - letsencrypt_test
  - buypass
  - buypass_test
-
email | string
Configures the email used for registering with the certificate provider (CA).
This is the email to which certificate expiry notices will be sent and, if you have registered with a provider, it is the account email. Please also see the use-email config option. If the email is changed, it will be updated and used for subsequent requests to the CA.
An email is required for:
- zerossl (if not using EAB credentials)
- sslcom_rsa
- buypass
- buypass_test
- googletest
-
haproxy-service-options | string
Default: mode http, acl is_acme_challenge path_beg -i /.well-known/acme-challenge/, http-request redirect scheme https if !{ ssl_fc } !is_acme_challenge
Haproxy service_options as a comma separated list of options.
See https://bazaar.launchpad.net/~haproxy-team/charm-haproxy/trunk/view/head:/README.md for more information
-
proxy-service | string
Default: haproxy
The proxy service to use.
This means that if another charm is related to this one, it will wait to issue the certificate until the proxy relation has been established. If "none" is used as the proxy service, the charm will attempt to issue the certificate, but the requirer charm (or operator) has to make sure the ACME http-01 challenge will succeed.
Currently supported are "haproxy", "none"
-
server | string
Default: zerossl
Configures the ACME server directory URL.
Please see the servers supported by acme.sh here: https://github.com/acmesh-official/acme.sh/wiki/Server. Any other RFC8555-compliant CA should also be supported.
Currently supported in the charm are:
- letsencrypt
- letsencrypt_test
- buypass
- buypass_test
- zerossl
- sslcom_rsa
- googletest
- any other RFC8555-compliant CA should also be supported.
-
use-email | boolean
Default: True
A boolean value indicating if you want to use an email for expiry notifications (see email config option).
If this is set to true and there is no email configured the charm will wait for an email to be set in the config before issuing a certificate. If set to false, no email is required to start issuing certificates.
Set to false to not use an email. (Only letsencrypt does not require an email.)
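A pre-deployment check that applies the CA rules from the eab-kid, email, use-email and haproxy-service-options descriptions above to a proposed config. This is an added example, not code from the charm; the function name `preflight`, the dict layout, and the treatment of a half-set EAB pair or a redirect without the challenge exemption as errors are assumptions.

```python
# Added example: CA rules transcribed from the option descriptions on this page.
EAB_REQUIRED = {"googletest", "sslcom_rsa"}
EAB_UNUSED = {"letsencrypt", "letsencrypt_test", "buypass", "buypass_test"}
EMAIL_REQUIRED = {"sslcom_rsa", "buypass", "buypass_test", "googletest"}
ACME_PATH = "/.well-known/acme-challenge/"


def preflight(cfg):
    """Return a list of problems found in a proposed tls-secure config dict."""
    problems = []
    server = cfg.get("server", "zerossl")  # charm default
    kid = cfg.get("eab-kid", "")
    hmac_key = cfg.get("eab-hmac-key", "")
    email = cfg.get("email", "")
    has_eab = bool(kid and hmac_key)

    # Assumption: a half-set pair is an operator mistake, since the page only
    # describes behaviour when both values are non-empty.
    if bool(kid) != bool(hmac_key):
        problems.append("eab-kid and eab-hmac-key must be set together")
    if server in EAB_REQUIRED and not has_eab:
        problems.append(f"{server} requires EAB credentials")
    if server in EAB_UNUSED and (kid or hmac_key):
        problems.append(f"{server} does not use EAB; remove the unused secret")

    # zerossl needs an email only when EAB credentials are absent.
    needs_email = server in EMAIL_REQUIRED or (server == "zerossl" and not has_eab)
    if needs_email and not email:
        problems.append(f"{server} requires an email")
    if cfg.get("use-email", True) and not email:
        problems.append("use-email is true but email is empty; issuance will wait")

    # The charm's default options exempt the challenge path from the HTTPS
    # redirect. Assumption: custom options should keep that exemption.
    if cfg.get("proxy-service", "haproxy") == "haproxy":
        opts = [o.strip() for o in cfg.get("haproxy-service-options", "").split(",")]
        redirects = [o for o in opts if o.startswith("http-request redirect scheme https")]
        acl_ok = any(o.startswith("acl is_acme_challenge") and ACME_PATH in o for o in opts)
        if any("!is_acme_challenge" not in r for r in redirects) or (redirects and not acl_ok):
            problems.append("HTTPS redirect does not exempt " + ACME_PATH)
    return problems


if __name__ == "__main__":
    # Constructed sample: a CA that requires EAB, with no credentials supplied.
    print(preflight({"server": "googletest", "email": "ops@example.com"}))
```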