author | alexzorin <alex@zorin.id.au> | 2022-07-20 02:17:27 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-20 02:17:27 +0300 |
commit | ae7967c8aed28a8416a329e5eeac117c1672c878 (patch) | |
tree | 94b3fd21d514a7a786ff50ee7c250b80fe0af071 | |
parent | 32608a142bbd9c7df2ddc6cbfa2a46a6c310901b (diff) |
docs: how to override the trusted CA certificates (#9357)merge-master
* docs: how to override the trusted CA certificates
* Update certbot/docs/using.rst
Co-authored-by: ohemorange <ebportnoy@gmail.com>
Co-authored-by: ohemorange <ebportnoy@gmail.com>
-rw-r--r-- | certbot/certbot/configuration.py | 6 | ||||
-rw-r--r-- | certbot/docs/using.rst | 6 |
2 files changed, 11 insertions, 1 deletions
diff --git a/certbot/certbot/configuration.py b/certbot/certbot/configuration.py
index d5ad87599..dd40a096f 100644
--- a/certbot/certbot/configuration.py
+++ b/certbot/certbot/configuration.py
@@ -170,7 +170,11 @@ class NamespaceConfig:
 @property
 def no_verify_ssl(self) -> bool:
- """Disable verification of the ACME server's certificate."""
+ """Disable verification of the ACME server's certificate.
+
+ The root certificates trusted by Certbot can be overriden by setting the
+ REQUESTS_CA_BUNDLE environment variable.
+ """
 return self.namespace.no_verify_ssl
 @property
diff --git a/certbot/docs/using.rst b/certbot/docs/using.rst
index 0038d1f83..c4f55bc02 100644
--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@@ -1078,6 +1078,12 @@ ACME directory. For example, if you would like to use Let's Encrypt's staging server, you would add ``--server https://acme-staging-v02.api.letsencrypt.org/directory`` to the command line.
+If Certbot does not trust the SSL certificate used by the ACME server, you
+can use the `REQUESTS_CA_BUNDLE
+<https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification>`_
+environment variable to override the root certificates trusted by Certbot. Certbot
+uses the ``requests`` library, which does not use the operating system trusted root store.
+
 If you use ``--server`` to specify an ACME CA that implements the standardized version of the spec, you may be able to obtain a certificate for a wildcard domain. Some CAs (such as Let's Encrypt) require that domain |
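Review bot: The new docstring on `no_verify_ssl` in certbot/certbot/configuration.py misspells "overridden" as "overriden", and it does not say how the added sentence relates to the option it documents. This property turns off verification of the ACME server's certificate, so a reader should be told that supplying a CA bundle is the alternative that keeps verification enabled. I would reword the second paragraph along the lines of `Prefer setting the REQUESTS_CA_BUNDLE environment variable to a bundle containing the ACME server's CA over disabling verification.` The enclosing class NamespaceConfig starts and ends outside the hunk.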