Configuration

config object required

account_email string required

The account identifier. Can be reused in a different plugin instance.
This field is encrypted.
This field is referenceable.

Match pattern: [a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*

account_key object

The private key associated with the account.

key_id string required

The Key ID.

key_set string

The ID of the key set to associate the Key ID with.

allow_any_domain boolean

If set to true, the plugin allows all domains and ignores any values in the domains list.

Default: false

api_uri string

A string representing a URL, such as https://example.com/path/to/resource?q=search.

Default: https://acme-v02.api.letsencrypt.org/directory

cert_type string

The certificate type to create. The possible values are rsa for RSA certificate or ecc for EC certificate.

Allowed values: ecc, rsa

Default: rsa

domains array[string]

An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label (‘*’).

eab_hmac_key string

External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don’t need to set this unless it is explicitly required by the CA.
This field is referenceable.
This field is encrypted.

eab_kid string

External account binding (EAB) key id. You usually don’t need to set this unless it is explicitly required by the CA.
This field is referenceable.
This field is encrypted.

enable_ipv4_common_name boolean

A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.

Default: true

fail_backoff_minutes number

Minutes to wait for each domain that fails to create a certificate. This applies to both a new certificate and a renewal certificate.

Default: 5

preferred_chain string

A string value that specifies the preferred certificate chain to use when generating certificates.

renew_threshold_days number

Number of days remaining before expiry at which the certificate is renewed.

Default: 14

rsa_key_size integer

RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.

Allowed values: 2048, 3072, 4096

Default: 4096

storage string

The backend storage type to use. In DB-less mode and Konnect, kong storage is unavailable. In hybrid mode and Konnect, shm storage is unavailable. shm storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of kong, redis, consul, or vault in production.

Allowed values: consul, kong, redis, shm, vault

Default: shm

storage_config object

consul object

host string

A string representing a host name, such as example.com.

https boolean

Boolean representation of https.

Default: false

kv_path string

KV prefix path.

port integer

An integer representing a port number between 0 and 65535, inclusive.

>= 0, <= 65535

timeout number

Timeout in milliseconds.

token string

Consul ACL token.
This field is referenceable.

kong object
* Additional properties are allowed.

redis object

database integer

Database to use for the Redis connection when using the redis strategy.

Default: 0

extra_options object

Custom ACME Redis options.

host string

A string representing a host name, such as example.com.

password string

Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
This field is encrypted.
This field is referenceable.

>= 0 characters

port integer

An integer representing a port number between 0 and 65535, inclusive.

Default: 6379

>= 0, <= 65535

server_name string

A string representing an SNI (server name indication) value for TLS.

ssl boolean

If set to true, uses SSL to connect to Redis.

Default: false

ssl_verify boolean

If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.

Default: false

timeout integer

An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

Default: 2000

>= 0, <= 2147483646

username string

Username to use for Redis connections. If undefined, ACL authentication won’t be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
This field is referenceable.

shm object

shm_name string

Name of shared memory zone used for Kong API gateway storage.

Default: kong

vault object

auth_method string

The auth method. Can be ‘token’ or ‘kubernetes’; defaults to token.

Allowed values: kubernetes, token

Default: token

auth_path string

Vault’s authentication path to use.

auth_role string

The role to try and assign.

host string

A string representing a host name, such as example.com.

https boolean

Boolean representation of https.

Default: false

jwt_path string

The path to the JWT.

kv_path string

KV prefix path.

port integer

An integer representing a port number between 0 and 65535, inclusive.

>= 0, <= 65535

timeout number

Timeout in milliseconds.

tls_server_name string

SNI used in the request. Defaults to host if omitted.

tls_verify boolean

Turn on TLS verification.

Default: true

token string

Consul ACL token.
This field is referenceable.

tos_accepted boolean

If you are using Let’s Encrypt, you must set this to true to agree to the terms of service.

Default: false

protocols array[string]

A set of strings representing HTTP protocols.

Allowed values: grpc, grpcs, http, https

Default: grpc, grpcs, http, https
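
An added example (not part of the Kong documentation or code): a small Python check that applies the caveats and defaults stated in the parameters above to a plugin `config` dict, covering storage choice, backend transport settings, the domain rules and `tos_accepted`. The function names, the sample configs and the label characters accepted by `valid_host` are assumptions of this example.

```python
import re

DEFAULT_API_URI = "https://acme-v02.api.letsencrypt.org/directory"  # default from the page

def valid_host(host):
    # Page rule: labels separated by periods, at most one wildcard label ('*').
    # The allowed label characters are an assumption of this example.
    labels = host.split(".")
    return labels.count("*") <= 1 and all(
        l == "*" or re.fullmatch(r"[A-Za-z0-9-]+", l) for l in labels)

def audit_acme_config(cfg, production=True):
    """Return (field, reason) findings for an ACME plugin `config` dict."""
    out = []
    storage = cfg.get("storage", "shm")                       # default: shm
    backend = cfg.get("storage_config", {}).get(storage, {})
    if production and storage == "shm":
        out.append(("storage", "shm is lost on restart and not shared across machines"))
    if storage == "redis":
        if not backend.get("ssl", False):                     # default: false
            out.append(("storage_config.redis.ssl", "SSL is not used to connect to Redis"))
        elif not backend.get("ssl_verify", False):            # default: false
            out.append(("storage_config.redis.ssl_verify", "server certificate is not verified"))
    if storage in ("consul", "vault") and not backend.get("https", False):
        out.append((f"storage_config.{storage}.https", "https is off for the storage backend"))
    if storage == "vault" and not backend.get("tls_verify", True):  # default: true
        out.append(("storage_config.vault.tls_verify", "TLS verification is turned off"))
    if cfg.get("allow_any_domain", False):
        out.append(("allow_any_domain", "domains list is ignored; all domains are allowed"))
    for host in cfg.get("domains", []):
        if not valid_host(host):
            out.append(("domains", f"invalid host {host!r}"))
    uses_le = "letsencrypt.org" in cfg.get("api_uri", DEFAULT_API_URI)
    if uses_le and not cfg.get("tos_accepted", False):
        out.append(("tos_accepted", "must be true when using Let's Encrypt"))
    return out

# Constructed sample configs (not from the page).
WEAK = {"account_email": "ops@example.com", "allow_any_domain": True,
        "domains": ["*.example.com", "*.*.example.org"], "storage": "redis",
        "storage_config": {"redis": {"host": "redis.example.com", "ssl": True}}}
HARDENED = {"account_email": "ops@example.com", "tos_accepted": True,
            "domains": ["*.example.com"], "storage": "redis",
            "storage_config": {"redis": {"host": "redis.example.com",
                                         "ssl": True, "ssl_verify": True}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_acme_config(cfg))
```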
