You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The ACME plugin is compatible with the following protocols:
grpc, grpcs, http, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
string required
The name of the plugin, in this case acme.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
- If using the KongPlugin object in Kubernetes, the field is plugin.
-
string
An optional custom name to identify an instance of the plugin, for example acme_my-service.
The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
An instance name must be unique within the following context:
- Within a workspace for Kong Gateway Enterprise
- Within a control plane or control plane group for Konnect
- Globally for Kong Gateway (OSS)
-
boolean default: true
Whether this plugin will be applied.
-
record required
-
string required referenceable encrypted matches: %w*%p*@+%w*%.?%w*
The account identifier. Can be reused in a different plugin instance.
-
record
-
string default: https://acme-v02.api.letsencrypt.org/directory
A string representing a URL, such as https://example.com/path/to/resource?q=search.
-
boolean default: false
If you are using Let’s Encrypt, you must set this to true to agree to the terms of service.
-
string referenceable encrypted
External account binding (EAB) key id. You usually don’t need to set this unless it is explicitly required by the CA.
-
string referenceable encrypted
External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don’t need to set this unless it is explicitly required by the CA.
-
string default: rsa
Must be one of: rsa, ecc
The certificate type to create. The possible values are 'rsa' for RSA certificate or 'ecc' for EC certificate.
-
number default: 4096
Must be one of: 2048, 3072, 4096
RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.
-
number default: 14
Days remaining to renew the certificate before it expires.
-
array of type string
An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label (‘*’).
-
boolean default: false
If set to true, the plugin allows all domains and ignores any values in the domains list.
-
number default: 5
Minutes to wait for each domain that fails to create a certificate. This applies to both a new certificate and a renewal certificate.
-
string default: shm
Must be one of: kong, shm, redis, consul, vault
The backend storage type to use. The possible values are 'kong', 'shm', 'redis', 'consul', or 'vault'. In DB-less mode, 'kong' storage is unavailable. Note that 'shm' storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of 'kong', 'redis', 'consul', or 'vault' in production. Please refer to the Hybrid Mode sections below as well.
-
record required
-
record required
-
record required
-
record required
-
string
A string representing a host name, such as example.com.
-
integer between: 0 and 65535
An integer representing a port number between 0 and 65535, inclusive.
-
number
The index of the Redis database to use.
-
string referenceable
The Redis password to use for authentication.
-
boolean required default: false
Whether to use SSL/TLS encryption when connecting to the Redis server.
-
boolean required default: false
Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.
-
string
The expected server name for the SSL/TLS certificate presented by the Redis server.
-
string required len_min: 0
A namespace to prepend to all keys stored in Redis.
-
-
record required
-
boolean default: false
Boolean representation of https.
-
string
A string representing a host name, such as example.com.
-
integer between: 0 and 65535
An integer representing a port number between 0 and 65535, inclusive.
-
string
KV prefix path.
-
number
Timeout in milliseconds.
-
string referenceable
Consul ACL token.
-
-
record required
-
boolean default: false
Boolean representation of https.
-
string
A string representing a host name, such as example.com.
-
integer between: 0 and 65535
An integer representing a port number between 0 and 65535, inclusive.
-
string
KV prefix path.
-
number
Timeout in milliseconds.
-
string referenceable
Consul ACL token.
-
boolean default: true
Turn on TLS verification.
-
string
SNI used in the request; defaults to the host if omitted.
-
string default: token
Must be one of: token, kubernetes
Auth method; defaults to token. Can be ‘token’ or ‘kubernetes’.
-
string
Vault’s authentication path to use.
-
string
The role to try and assign.
-
string
The path to the JWT.
-
-
-
string
A string value that specifies the preferred certificate chain to use when generating certificates.
-
boolean default: true
A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.
-
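The following check is an added example, not part of the Kong documentation: it lints one `acme` plugin `config` mapping against the defaults and caveats listed above (non-persistent `shm` storage, `kong` storage in DB-less mode, unencrypted or unverified storage backends, the allow-all-domains switch, and the Let's Encrypt terms-of-service flag). The field names (`storage`, `storage_config`, `ssl`, `ssl_verify`, `https`, `tls_verify`, `allow_any_domain`, `api_uri`, `tos_accepted`, `account_email`, `domains`) are assumptions, since they do not appear in the text above, and `lint_acme_config` is a hypothetical helper; check the names against the schema of your plugin version.

```python
# Added example: lint one ACME plugin `config` mapping against the defaults
# and caveats in the parameter list above. Field names are assumptions.
LETS_ENCRYPT = "https://acme-v02.api.letsencrypt.org/directory"  # default from the page


def lint_acme_config(config, db_less=False):
    """Return a list of findings (strings) for one plugin config dict."""
    findings = []
    storage = config.get("storage", "shm")  # documented default
    backend = (config.get("storage_config") or {}).get(storage) or {}

    if storage == "shm":
        findings.append("storage=shm: not persisted across restarts or shared between nodes")
    if storage == "kong" and db_less:
        findings.append("storage=kong: unavailable in DB-less mode")

    if storage == "redis":
        if not backend.get("ssl", False):  # documented default: false
            findings.append("redis.ssl=false: connection to Redis is not encrypted")
        elif not backend.get("ssl_verify", False):  # documented default: false
            findings.append("redis.ssl_verify=false: Redis server certificate is not verified")
    if storage in ("consul", "vault") and not backend.get("https", False):
        findings.append(f"{storage}.https=false: backend is reached over plain HTTP")
    if storage == "vault" and not backend.get("tls_verify", True):  # default: true
        findings.append("vault.tls_verify=false: TLS verification is turned off")

    if config.get("allow_any_domain", False):
        findings.append("allow_any_domain=true: the domains list is ignored")
    if config.get("api_uri", LETS_ENCRYPT) == LETS_ENCRYPT and not config.get("tos_accepted", False):
        findings.append("tos_accepted=false: must be true when using Let's Encrypt")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK = {"account_email": "ops@example.com", "allow_any_domain": True}
HARDENED = {
    "account_email": "ops@example.com",
    "tos_accepted": True,
    "domains": ["api.example.com"],
    "storage": "redis",
    "storage_config": {"redis": {"host": "redis.internal.example", "port": 6379,
                                 "ssl": True, "ssl_verify": True}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_acme_config(cfg) or "no findings")
```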