MTG ACME Configuration
application.properties
| Property | Description |
|---|---|
| clm.url | Points to the HTTP location where the RA is running. Example: ra.example.com/ra |
| clm.apiclient.id | The ID that the RA API client uses for the connection to the RA. It is obtained from the RA when an API client with an ACME-based policy is configured. Example: ffc0d281-f9df-45cd-a30d-1881cd67012a |
| clm.apiclient.secret | The secret that the RA API client uses for the connection to the RA. It is obtained from the RA when an API client with an ACME-based policy is configured. |
| clm.client.version | The version of the API client that connects to the RA. Can be left empty. Example: 1.0.0 |
| clm.client.truststore.path | The location of a keystore file containing the certificates used to verify the TLS connection to the RA. Can be left empty. Example: /tmp/truststore.jks |
| clm.client.truststore.password | The password protecting the truststore (see clm.client.truststore.path). Can be left empty. |
| clm.client.truststore.type | The format of the truststore (see clm.client.truststore.path). Valid values are |
| clm.client.tls.version | The version of the TLS protocol to use for the connection to the RA. Valid values are. Default: TLSv1.2 |
| clm.client.timeout.seconds | Integer number of seconds after which the connection to the RA times out. Can be left empty. Default: 60 |
| openid.provider.baseUrl | Points to the HTTP location where the Keycloak server is running. |
| openid.client.truststore.path | The location of a keystore file containing the certificates used to verify the TLS connection to the Keycloak server. Can be left empty. |
| openid.client.truststore.password | The password protecting the truststore (see openid.client.truststore.path). Can be left empty. |
| openid.client.truststore.type | The format of the truststore (see openid.client.truststore.path). Valid values are |
| openid.client.tls.version | The version of the TLS protocol to use for the connection to the Keycloak server. Valid values are |
| openid.client.timeout.seconds | Integer number of seconds after which the connection to the Keycloak server times out. Can be left empty. |
| spring.datasource.driver-class-name | The fully qualified name of the JDBC driver class used for the database connection. Example: org.mariadb.jdbc.Driver |
| spring.datasource.url | The JDBC URL of the database. Example: |
| spring.datasource.username | The database user used to connect to the database. |
| spring.datasource.password | The password of the database user. |
| spring.flyway.enabled | If set to "true", the database migration tool Flyway creates the database tables automatically and applies future migrations. If set to "false", the tables and any migrations must be created externally. |
| acmePrefixUrl | The URL under which the ACME server is reachable. ACME clients use it to locate the server's resources. Example: example.com/acme-server |
| termsOfServiceUrl | The URL of the current terms of service. If this parameter is empty, the client is not required to accept the terms of service. It must be consistent with the values of. Default: empty. Example: example.com/terms-of-service |
| websiteUrl | The URL of a website with information about the ACME service. Default: empty. Example: example.com/acme-information |
| caaIdentities | A comma-separated list of names that the ACME server accepts for CAA record validation. Can be left empty; if it is empty the server does not send any caaIdentities. For the semantics of these names see RFC 8659. Default: empty. Example: name1, name2, … |
| requiredNewTermsOfServiceAgreed | If set to. Default: false |
| dateTermsOfServiceAgreed | The date of the current terms of service (format YYYY-MM-DD). If this parameter is empty, the client is not required to accept the terms of service or changed terms of service. Default: empty. Example: 2020-11-01 |
| instanceTermsOfServiceUrl | The URL where the client can find instructions on how to agree to new terms of service. It must be consistent with the values of. Default: empty. Example: example.com/how-to-agree-with-tos |
| acme.error-type.prefix | The prefix of MTG ACME Server specific error types. The prefix should have the form. Default: de:mtg |
| performPublicKeyQualityChecks | Whether to check the quality of the public key in the request and of the account's public key. Default: true |
| nonces.lifetime.sec | The lifetime of newly generated nonces, in seconds. Default: 3600 (corresponds to 1 h) |
| orders.lifetime.min | The lifetime of orders, in minutes. Default: 1440 (corresponds to 24 h) |
| authorizations.pending.lifetime.min | The lifetime of pending authorizations, in minutes. Example: 1440 (corresponds to 24 h) |
| authorizations.valid.lifetime.min | The lifetime of valid authorizations, in minutes. Example: 1440 (corresponds to 24 h) |
| expired.cleanup.cron | Quartz cron expression [second minute hour day month weekday] for the job that deletes expired and invalid authorizations, orders and nonce values. Example: 0 0 12 * * ? (the cleanup job runs every day at 12:00) |
| challenge.retry.maxcount | The maximum number of attempts the server makes to validate a challenge before it aborts the validation. Default: 3 |
| challenge.retry.interval.sec | The number of seconds the server waits after a failed challenge validation before it starts the next attempt. Default: 10 |
| timeout.cleanup.cron | Quartz cron expression for the job that resets challenges which have stayed in status "processing" for too long back to status "pending". This is a safety mechanism against a deadlock when a challenge validation process stops unexpectedly. Default: 0 0 * * * ? (the job runs every full hour) |
| domain.validation.dns.servers | Comma-separated addresses of the DNS servers used for DNS domain validation. Mandatory for DNS validation. Example: dns01.example.com, dns02.example.com |
| domain.validation.http.nonProxyHosts | Comma-separated addresses of HTTP servers that are validated directly instead of through the HTTP proxy. Default: empty. Example: nonproxy01.example.com, nonproxy02.example.com |
| domain.validation.http.proxy.host | The host of the HTTP proxy used for HTTP validation. If empty, HTTP validations are performed directly. Default: empty. |
| domain.validation.http.proxy.port | The port of the HTTP proxy used for HTTP validation. Default: 3128 |
| domain.validation.http.connectTimeoutMillis | The connection timeout, in milliseconds, of the HTTP connection used for HTTP-based domain validation. Default: 20000. Example: 20000 (a timeout of 20 seconds) |
| domain.validation.http.socketTimeoutMillis | The socket timeout, in milliseconds, of the HTTP connection used for HTTP-based domain validation. Default: 20000. Example: 15000 (a timeout of 15 seconds) |
| spring.quartz.properties.org.quartz.jobStore.isClustered | Boolean that turns on the Quartz clustering features, allowing multiple instances to share the same set of Quartz database tables. Default: true |
| allowIpIdentifiers | If set to true, the ACME server accepts certification requests containing IP addresses. If set to false, such requests are rejected. Default: false |
| logging.config | The path to a log4j2/logback configuration file. The path can be absolute or relative to the current directory. This property cannot be used together with the |
| logging.file.path | The directory where the application log files are stored. The path can be absolute or relative to the current directory. This property cannot be used together with the |
| logging.level.app | The log level of messages created directly by the application. This property is only used if the property |
| logging.level.* | The log level of messages created by third-party components; allows fine-grained control of the logging level. See also docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#logging.level . This property is only used if the property. Examples: logging.level.sql=DEBUG, logging.level.web=WARN |
| logging.logback.rollingpolicy.file-name-pattern | The filename pattern used to create log archives. (Description taken from the Spring Boot Log Rotation documentation.) |
| logging.logback.rollingpolicy.clean-history-on-start | Whether log archive cleanup should occur when the application starts. (Description taken from the Spring Boot Log Rotation documentation.) |
| logging.logback.rollingpolicy.max-file-size | The maximum size of a log file before it is archived. (Description taken from the Spring Boot Log Rotation documentation.) |
| logging.logback.rollingpolicy.total-size-cap | The maximum total size the log archives may take before they are deleted. (Description taken from the Spring Boot Log Rotation documentation.) |
| logging.logback.rollingpolicy.max-history | The maximum number of archived log files to keep (defaults to 7). (Description taken from the Spring Boot Log Rotation documentation.) |
| tomcat.ajp.enabled | If set to true, enables the additional embedded Tomcat AJP connector that is required when the server is fronted by Apache HTTPd. Default: true |
| tomcat.ajp.port | The port of the AJP connector. Used only if tomcat.ajp.enabled is true. Default: 8702 |
| tomcat.ajp.secret.required | If set to true, the AJP connector requires an AJP secret (see tomcat.ajp.secret). Used only if tomcat.ajp.enabled is true. Default: false |
| tomcat.ajp.secret | The AJP secret used by the AJP connector; the proxying Apache HTTPd must be configured with the same secret. Used only if tomcat.ajp.enabled is true. |
| server.port | The port on which the server listens. |
| server.servlet.context-path | The URL path prefix under which the server listens. Example: /acme |
| localTLDsAllowed | Whether certification of domains with the TLD localhost or localdomain is allowed. Default: false |
| allowedTLDs | A comma-separated list of proprietary (non-public) TLDs. Domains with these TLDs may be certified. Example: tld1, tld2 |
| clm.client.http.proxy.host | The host of the HTTP proxy used for the connection to CLM. Can be left empty. |
| clm.client.http.proxy.port | The port of the HTTP proxy used for the connection to CLM. Can be left empty. |
| openid.client.http.proxy.host | The host of the HTTP proxy used for the connection to the OpenID server. Can be left empty. |
| openid.client.http.proxy.port | The port of the HTTP proxy used for the connection to the OpenID server. Can be left empty. |
| management.elastic.metrics.export.enabled | If set to true, metrics are sent to an OpenSearch server. Can be left empty. |
| management.elastic.metrics.export.host | The URL under which the OpenSearch server can be reached. Can be left empty. |
| management.elastic.metrics.export.user-name | The user that has access to the OpenSearch server. Can be left empty. |
| management.elastic.metrics.export.password | The password of the OpenSearch user. Can be left empty. |

Additional properties that can be configured can be found here: docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html
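The following is an added example, not code from MTG ACME Server or its documentation. It parses an application.properties fragment and applies two of the rules the table describes: the identifier admission policy expressed by allowIpIdentifiers, localTLDsAllowed and allowedTLDs, and a lint that flags a configuration still on the weak side of the table's defaults (AJP connector enabled without a required secret, plain-HTTP clm.url, deprecated TLS version, malformed dateTermsOfServiceAgreed, malformed Quartz cron). The two property fragments are constructed samples, the PUBLIC_TLDS set is a stand-in for a real public-suffix check, and the order in which the three admission properties are consulted is an assumption, not documented behaviour of the product.

```python
# Added example (not MTG ACME Server code): evaluate application.properties
# settings from the configuration table. Sample values, PUBLIC_TLDS and the
# admission order are assumptions made for this example.
import ipaddress
import re
from datetime import date

# Constructed sample: AJP on without a secret (the page's defaults), plain HTTP
# to the RA, an old TLS version and a ToS date in the wrong format.
WEAK_PROPERTIES = """\
clm.url=http://ra.example.com/ra
clm.client.tls.version=TLSv1.1
tomcat.ajp.enabled=true
tomcat.ajp.port=8702
tomcat.ajp.secret.required=false
tomcat.ajp.secret=
allowIpIdentifiers=false
localTLDsAllowed=false
allowedTLDs=corp, intranet
dateTermsOfServiceAgreed=01.11.2020
expired.cleanup.cron=0 0 12 * * ?
"""

# Constructed sample: the same server with those findings addressed.
HARDENED_PROPERTIES = """\
clm.url=https://ra.example.com/ra
clm.client.tls.version=TLSv1.2
tomcat.ajp.enabled=true
tomcat.ajp.port=8702
tomcat.ajp.secret.required=true
tomcat.ajp.secret=replace-with-a-long-random-value
allowIpIdentifiers=true
localTLDsAllowed=false
allowedTLDs=corp
dateTermsOfServiceAgreed=2020-11-01
expired.cleanup.cron=0 0 12 * * ?
timeout.cleanup.cron=0 0 * * * ?
"""

# Assumed stand-in for a public-suffix list: TLDs accepted without allowedTLDs.
PUBLIC_TLDS = {"com", "net", "org", "de"}

CRON_FIELDS = re.compile(r"^\S+(\s+\S+){5,6}$")  # Quartz: 6 fields, optional year
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")    # the YYYY-MM-DD format the table requires
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    Backslash line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def as_bool(props, key, default):
    value = props.get(key, "")
    return value.lower() == "true" if value else default


def as_list(props, key):
    return [item.strip().lower() for item in props.get(key, "").split(",") if item.strip()]


def identifier_allowed(props, identifier):
    """True if an ACME identifier passes allowIpIdentifiers, localTLDsAllowed
    and allowedTLDs (consulted in that order; order is an assumption)."""
    name = identifier.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        return as_bool(props, "allowIpIdentifiers", False)
    tld = name.rsplit(".", 1)[-1]
    if tld in ("localhost", "localdomain"):
        return as_bool(props, "localTLDsAllowed", False)
    if tld in as_list(props, "allowedTLDs"):
        return True
    return tld in PUBLIC_TLDS


def lint(props):
    """Return human-readable findings for settings weaker than they should be."""
    findings = []
    if as_bool(props, "tomcat.ajp.enabled", True):
        if not as_bool(props, "tomcat.ajp.secret.required", False) or not props.get("tomcat.ajp.secret"):
            findings.append("tomcat.ajp: connector enabled without a required secret")
    if props.get("clm.url", "").lower().startswith("http://"):
        findings.append("clm.url: plain HTTP, clm.apiclient.secret would travel unencrypted")
    if props.get("clm.client.tls.version", "TLSv1.2") in WEAK_TLS:
        findings.append("clm.client.tls.version: deprecated protocol version")
    tos = props.get("dateTermsOfServiceAgreed", "")
    if tos:
        if not ISO_DATE.match(tos):
            findings.append("dateTermsOfServiceAgreed: expected YYYY-MM-DD")
        else:
            try:
                date.fromisoformat(tos)
            except ValueError:
                findings.append("dateTermsOfServiceAgreed: not a real calendar date")
    for key in ("expired.cleanup.cron", "timeout.cleanup.cron"):
        if key in props and not CRON_FIELDS.match(props[key]):
            findings.append(f"{key}: expected a Quartz cron expression with 6 or 7 fields")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, lint(parse_properties(text)))
```

The first finding is the one to act on first: with the table's defaults (tomcat.ajp.enabled=true, tomcat.ajp.secret.required=false) the AJP connector on port 8702 accepts proxy requests from anything that can reach it, so set tomcat.ajp.secret, require it, and keep the port reachable only from the Apache HTTPd host. The admission check shows why allowedTLDs and localTLDsAllowed are separate knobs: an internal suffix such as .corp can be enabled without also opening .localhost and .localdomain.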