doc updates

WouterTinus · WouterTinus · commit 8d6e81c1f940 · 2025-09-10T22:01:03.000+02:00
diff --git a/reference/plugins/installation/iis.md b/reference/plugins/installation/iis.md
@@ -2,12 +2,16 @@
 layout: plugin
 plugin: ea6a5be3-f8de-4d27-a6bd-750b619b2ee2
 compatibility: Windows (admin only)
+settings:
+  - Installation.IIS.BindingFlags
 examples:
       - 
           name: Typical
           cmd: '[‑‑installationsiteid 14] [‑‑sslport 8443] [‑‑sslipaddress 192.168.0.1]'
 ---
 
+This plugins manages bindings in the Microsoft IIS web server.
+
 ### HTTP binding update algorithm
 - Existing HTTPS bindings in *any* web site linked to the previous certificate are updated to use the new certificate.
 - Hosts names which are determined to not yet have been covered by any existing binding, will be processed further.
diff --git a/reference/plugins/store/certificatestore.md b/reference/plugins/store/certificatestore.md
@@ -16,5 +16,8 @@ Saves certificates to the Windows Certificate store. This will always import to
 ## Compatibility
 For best compatibility with legacy applications, the program attempts to store certificates with RSA keys using the `Microsoft RSA SChannel Cryptographic Provider`. If you require a more modern approach to key storage, refer to the setting listed below.
 
+# Private key permissions
+By default the `administrators` group (or local equivalent) will be granted full control access to the private key, to prevent inconsistent access levels between certificates created by adminstrators (either interactive or unattended) and certificates renewed by the scheduled task (which runs as `SYSTEM`). If you intend to not have administrators able to access the private key, then you must specifically set the permissions to an empty string, e.g. `‑‑acl-fullcontrol ""`. 
+
 ## Private key export
 By default the private keys *not* exportable. This can be changed globally via the settings, but generally we recommend not doing this, because 99% of use cases should be manageable by using another (additional) store step. If you're looking to move the certificate to another server, read more about [migration to another server](/manual/migration).
diff --git a/reference/plugins/validation/dns/script.md b/reference/plugins/validation/dns/script.md
@@ -1,79 +1,4 @@
 ---
-layout: plugin
-plugin: 8f1da72e-f727-49f0-8546-ef69e5ecec32
-settings:
-    - Script.PowershellExecutablePath
-    - Script.Timeout
-    - Validation.DisableMultiThreading
-compatibility: All platforms
-examples:
-    -
-        name: Create script only
-        cmd: ‑‑dnscreatescript c:\create.ps1 [‑‑dnscreatescriptarguments {args}]
-    -
-        name: Separate create and delete scripts
-        cmd: ‑‑dnscreatescript c:\create.ps1 ‑‑dnsdeletescript c:\delete.ps1 [‑‑dnscreatescriptarguments {args}] [‑‑dnsdeletescriptarguments {args}]
-    - 
-        name: Combined script
-        cmd: ‑‑dnsscript c:\create-and-delete.ps1 [‑‑dnscreatescriptarguments {args}] [‑‑dnsdeletescriptarguments {args}]
----
-Run an external script or program to create or update the validation records.
-
-## Create
-A script that creates a DNS TXT record at your provider must be provided. The argument template 
-passed to the script will be `create {Identifier} {RecordName} {Token}` by default, with the following 
-replacements made by simple-acme:
-
-<div class="table-responsive my-4 me-5 pe-5">
-    <table class="table table-striped">
-        <thead>
-            <tr><th>Value</th><th>Replaced with</th></tr>
-        </thead>
-        <tbody>
-            <tr><td><code>{Identifier}</code></td><td>Host name that's being validated, e.g. <code>sub.example.com</code></td></tr>
-            <tr><td><code>{RecordName}</code></td><td>Full name of the TXT record that will be queried, e.g. <code>_acme-challenge.sub.example.com</code></td></tr>
-            <tr><td><code>{ZoneName}</code></td><td>Registerable domain, e.g. <code>example.com</code></td></tr>
-            <tr><td><code>{NodeName}</code></td><td>Relative record name, e.g. <code>_acme-challenge.sub</code></td></tr>
-            <tr><td><code>{Token}</code></td><td>Content of the TXT record, e.g. <code>DGyRejmCefe7v4NfDGDKfA</code></td></tr>
-            <tr><td><code>{vault://json/mysecret}</code></td><td>Secret from the <a href="/manual/advanced-use/secret-management">secret vault</a></td></tr>
-            </tbody></table></div>
-
-The order and format of arguments may be customized by providing a diffent argument template. For example if your script needs arguments like: `‑‑host _acme-challenge.example.com ‑‑token DGyRejmCefe7v4NfDGDKfA` then the argument template string provided to simple-acme should look like this: `‑‑host {RecordName} ‑‑token {Token}`
-
-## Delete
-Optionally, another script may be provided to delete the record after validation. The arguments template for that
-script is `delete {Identifier} {RecordName} {Token}` by default. The order and format of arguments may be 
-customized by providing a diffent argument template, just like for the create script. 
-
-## Combined
-You can also choose to use the same script for create and delete, with each their own argument string.
-
-## Parallelism
-You can use `‑‑dnsscriptparallelism` to specify if your script supports parallelism. You may use the following values:
-
-<div class="table-responsive my-4 me-5 pe-5">
-    <table class="table table-striped">
-        <thead>
-            <tr><th>Value</th><th>Meaning</th></tr>
-        </thead>
-        <tbody>
-            <tr><td>0</td><td>Serial, default serial behaviour</td></tr>
-            <tr><td>1</td><td>Allow multiple new records to created as the same time. Only do this when you are sure multiple instances of "create" running at the same time will not interfere with eachother. Typically difficult to achieve and therefor not recommended.</td></tr>
-            <tr><td>2</td><td>Allow multiple validations to run at the same time. This is possible in theory with any DNS provider, but you must be sure that your script is non-destructive, e.g. it should not overwrite pre-existing TXT records, nor delete more than the one specifically asked for</td></tr>
-            <tr><td>3</td><td>Combination of 1 and 2</td></tr>
-            </tbody></table></div>
-
-<div class="callout-block callout-block-warning pb-1 mt-3">
-    <div class="content">
-        <p>This only has any effect when <code>DisableParallelism</code> is set to <code>false</code></p>
-    </div>
-</div>
-
-## Reference scripts
-Some reference scripts are available on [GitHub](https://github.com/simple-acme/reference-scripts/tree/main/Validation), including ones for EasyDNS, ZoneEdit, deSEC and Windows DNS.
-
-## External esources
-A lot of good reference scripts are available from the 
-[POSH-ACME](https://github.com/rmbolger/Posh-ACME/tree/master/Posh-ACME/DnsPlugins)
-project. Note that these scripts are **not compatible** with simple-acme. You will have
-to make changes (e.g. in terms of accepted parameters and such) in order to use them.
+layout: redirect
+target: /reference/plugins/validation/script
+---
diff --git a/reference/plugins/validation/dns/webnames.md b/reference/plugins/validation/dns/webnames.md
@@ -0,0 +1,10 @@
+---
+layout: plugin
+plugin: 86c8d86b-2069-4048-9bf1-fadb07e84d61
+compatibility: All platforms
+examples:
+    -
+        name: Default
+        cmd: ‑‑apiusername johndoe ‑‑apikey *****
+---
+Create the record at [Webnames](/https://www.webnames.ca/).
diff --git a/reference/plugins/validation/script.md b/reference/plugins/validation/script.md
@@ -0,0 +1,102 @@
+---
+layout: plugin
+plugin: 8f1da72e-f727-49f0-8546-ef69e5ecec32
+arguments:
+    - validationmode
+settings:
+    - Script.PowershellExecutablePath
+    - Script.Timeout
+    - Validation.DisableMultiThreading
+compatibility: All platforms
+examples:
+    -
+        name: Prepare script only
+        cmd: ‑‑validationpreparescript c:\create.ps1 [‑‑validationpreparescriptarguments {args}]
+    -
+        name: Separate prepare and cleanup scripts
+        cmd: ‑‑validationpreparescript c:\create.ps1 ‑‑validationcleanupscript c:\delete.ps1 [‑‑validationpreparescriptarguments {args}] [‑‑validationcleanupscriptarguments {args}]
+    - 
+        name: Combined script
+        cmd: ‑‑validationscript c:\create-and-delete.ps1 [‑‑validationpreparescriptarguments {args}] [‑‑validationcleanupscriptarguments {args}]
+---
+Run an external script or program to prepare for the validation challenge. Use this option to create TXT records at DNS providers that are not supported by native plugins (yet?) or to handle HTTP challenges in unconventional ways (e.g. calling into some API, starting a custom web server, etc.)
+
+## General 
+A preparation script is always required to prepare for the challenge answer. Providing a cleanup script to undo any changes made by the former is optional. You may also point to a single script to handle both tasks using different arguments. 
+
+## Challenge type selection
+For backwards compatibility, the script default to handling DNS challenges. To switch to HTTP challenges, you must provide the argument `--validationmode http-01` in unattended mode. In interactive mode this will simply be question asked during the setup process.
+
+## Argument customization
+The plugin has some hard-coded default argument templates which can be overruled according to your needs and preferences. Depending on the chosen challenge type, simple-acme will replace certain pre-defined tokens in the argument template to derive the actual arguments that will be passed to the script, thus enabling dynamic arguments to be passed. For example if your script handles DNS challenges and needs arguments like: `‑‑host _acme-challenge.example.com ‑‑token DGyRejmCefe7v4NfDGDKfA` then the argument template provided to simple-acme should look like this: `‑‑host {RecordName} ‑‑token {Token}`
+
+## DNS challenge arguments
+For DNS challenges following replacements are made to the arguments:
+
+<div class="table-responsive my-4 me-5 pe-5">
+    <table class="table table-striped">
+        <thead>
+            <tr><th>Value</th><th>Replaced with</th></tr>
+        </thead>
+        <tbody>
+            <tr><td><code>{Identifier}</code></td><td>Host name that's being validated, e.g. <code>sub.example.com</code></td></tr>
+            <tr><td><code>{RecordName}</code></td><td>Full name of the TXT record that will be queried, e.g. <code>_acme-challenge.sub.example.com</code></td></tr>
+            <tr><td><code>{ZoneName}</code></td><td>Registerable domain, e.g. <code>example.com</code></td></tr>
+            <tr><td><code>{NodeName}</code></td><td>Relative record name, e.g. <code>_acme-challenge.sub</code></td></tr>
+            <tr><td><code>{Token}</code></td><td>Content of the TXT record, e.g. <code>DGyRejmCefe7v4NfDGDKfA</code></td></tr>
+            <tr><td><code>{vault://json/mysecret}</code></td><td>Secret from the <a href="/manual/advanced-use/secret-management">secret vault</a></td></tr>
+            </tbody></table></div>
+
+Default for preparation: `create {Identifier} {RecordName} {Token}`
+
+Default for cleanup: `delete {Identifier} {RecordName} {Token}`
+
+## HTTP challenge arguments
+For HTTP challenges following replacements are made to the arguments:
+
+<div class="table-responsive my-4 me-5 pe-5">
+    <table class="table table-striped">
+        <thead>
+            <tr><th>Value</th><th>Replaced with</th></tr>
+        </thead>
+        <tbody>
+            <tr><td><code>{Identifier}</code></td><td>Identifier that is being validated, e.g. <code>sub.example.com</code></td></tr>
+            <tr><td><code>{Path}</code></td><td>Relative URI that will be requested (e.g. <code>/.well-known/acme-challenge/2fsdf2</code>)</td></tr>
+            <tr><td><code>{FileName}</code></td><td>Name of the file that will be requested, e.g. <code>2fsdf2</code></td></tr>
+            <tr><td><code>{Token}</code></td><td>Expected response content</td></tr>
+            <tr><td><code>{vault://json/mysecret}</code></td><td>Secret from the <a href="/manual/advanced-use/secret-management">secret vault</a></td></tr>
+            </tbody></table></div>
+
+Default for preparation: `prepare {Identifier} {Path} {Token}`
+
+Default for cleanup: `cleanup {Identifier} {Path} {Token}`
+
+## Parallelism
+You can use `‑‑validationscriptparallelism` to specify if your script supports parallelism. You may use the following values:
+
+<div class="table-responsive my-4 me-5 pe-5">
+    <table class="table table-striped">
+        <thead>
+            <tr><th>Value</th><th>Meaning</th></tr>
+        </thead>
+        <tbody>
+            <tr><td><code>0</code></td><td>Serial, default serial behaviour</td></tr>
+            <tr><td><code>1</code></td><td>Allow multiple validations to be prepared at the same time. Only do this when you are sure multiple instances of "prepare" running at the same time will not interfere with eachother. Typically difficult to achieve and therefor not recommended.</td></tr>
+            <tr><td><code>2</code></td><td>Allow multiple validations to run at the same time. This is possible in theory with every method, but you must be sure that your script is non-destructive, e.g. it should not overwrite pre-existing records or files, nor delete more than what is specifically asked for</td></tr>
+            <tr><td><code>3</code></td><td>Combination of 1 and 2</td></tr>
+            </tbody></table></div>
+
+<div class="callout-block callout-block-warning pb-1 mt-3">
+    <div class="content">
+        <p>This only has any effect when <code>DisableParallelism</code> is set to <code>false</code></p>
+    </div>
+</div>
+
+## Reference scripts
+Some reference scripts are available on [GitHub](https://github.com/simple-acme/reference-scripts/tree/main/Validation), including ones for EasyDNS, ZoneEdit, deSEC and Windows DNS.
+
+## External resources
+A lot of good reference scripts are available from the 
+[POSH-ACME](https://github.com/rmbolger/Posh-ACME/tree/master/Posh-ACME/DnsPlugins)
+project. Note that these scripts are **not compatible** with simple-acme. You will have
+to make changes (e.g. in terms of accepted parameters and such) in order to use them.
