From d195235a7ed78a83f6f93257b9aa8971ba93d8bf Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Sun, 4 Oct 2020 20:12:41 +0100
Subject: [PATCH] Document the settings used for DNS verification
---
 getssl | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/getssl b/getssl
index a6fa355..f99c53e 100755
--- a/getssl
+++ b/getssl
@@ -252,7 +252,6 @@ ACCOUNT_KEY_TYPE="rsa"
 CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 CA_CERT_LOCATION=""
 CHALLENGE_CHECK_TYPE="http"
-CHECK_ALL_AUTH_DNS="false"
 CHECK_REMOTE="true"
 CHECK_REMOTE_WAIT=0
 CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@@ -260,10 +259,6 @@ CSR_SUBJECT="/"
 CURL_USERAGENT="${PROGNAME}/${VERSION}"
 DEACTIVATE_AUTH="false"
 DEFAULT_REVOKE_CA="https://acme-v02.api.letsencrypt.org"
-DNS_EXTRA_WAIT=60 # How long to wait after the DNS has updated before telling the ACME server to check.
-DNS_WAIT_RETRY_ADD="false" # Try the dns_add_command again if the DNS record hasn't updated
-DNS_WAIT=10 # How long to wait before checking the DNS record again
-DNS_WAIT_COUNT=100 # How many times to wait for the DNS record to update
 DOMAIN_KEY_LENGTH=4096
 DUAL_RSA_ECDSA="false"
 GETSSL_IGNORE_CP_PRESERVE="false"
@@ -272,8 +267,6 @@ IGNORE_DIRECTORY_DOMAIN="false"
 ORIG_UMASK=$(umask)
 PREVIOUSLY_VALIDATED="true"
 PRIVATE_KEY_ALG="rsa"
-PUBLIC_DNS_SERVER=""
-CHECK_PUBLIC_DNS_SERVER="true"
 RELOAD_CMD=""
 RENEW_ALLOW="30"
 REUSE_PRIVATE_KEY="true"
@@ -284,8 +277,22 @@ OCSP_MUST_STAPLE="false"
 TEMP_UPGRADE_FILE=""
 TOKEN_USER_ID=""
 USE_SINGLE_ACL="false"
-VALIDATE_VIA_DNS=""
 WORKING_DIR_CANDIDATES=("/etc/getssl/" "${PROGDIR}/conf" "${PROGDIR}/.getssl" "${HOME}/.getssl")
+
+# Variables used when validating using a DNS entry
+VALIDATE_VIA_DNS="" # Set this to "true" to enable DNS validation
+AUTH_DNS_SERVER="" # Use this DNS server to check the challenge token has been set
+PUBLIC_DNS_SERVER="" # Use this DNS server to find the authoritative DNS servers for the domain
+CHECK_ALL_AUTH_DNS="false" # Check the challenge token has been set on all authoritative DNS servers
+CHECK_PUBLIC_DNS_SERVER="true" # Check the public DNS server as well as the authoritative DNS servers
+DNS_ADD_COMMAND="" # Use this command/script to add the challenge token to the DNS entries for the domain
+DNS_DEL_COMMAND="" # Use this command/script to remove the challenge token from the DNS entries for the domain
+DNS_WAIT_COUNT=100 # How many times to wait for the DNS record to update
+DNS_WAIT=10 # How long to wait before checking the DNS record again
+DNS_EXTRA_WAIT=60 # How long to wait after the DNS entries are visible to us before telling the ACME server to check.
+DNS_WAIT_RETRY_ADD="false" # Try the dns_add_command again if the DNS record hasn't updated
+
+# Private variables
 _CHECK_ALL=0
 _CREATE_CONFIG=0
 _FORCE_RENEW=0
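Review bot: The new comments on `DNS_WAIT=10` and `DNS_EXTRA_WAIT=60` describe a duration without naming the unit, which is the one thing a user editing these defaults needs; if the values are handed to sleep as the names suggest, say so, e.g. `DNS_WAIT=10 # Seconds to wait before checking the DNS record again` and `DNS_EXTRA_WAIT=60 # Seconds to wait after the DNS entries are visible to us before telling the ACME server to check.` The comments on `DNS_ADD_COMMAND` and `DNS_DEL_COMMAND` should also state that the configured value is executed by getssl (presumably with the privileges getssl itself runs under), so that the config file holding them must be trusted and writable only by its owner — `# Command/script run by getssl to add the challenge token to the DNS entries for the domain; runs with getssl's privileges`. Note that the diffstat's 15 insertions all land in this hunk while the other three hunks only remove lines, so `AUTH_DNS_SERVER`, `DNS_ADD_COMMAND` and `DNS_DEL_COMMAND` appear to gain an empty default here for the first time rather than being moved; if any of them is still assigned elsewhere in the file, that later assignment now silently wins and the duplicate should be dropped.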