Update certbot-config.md

docs/certbot-config.md

@@ -1,14 +1,90 @@
 ---
 id: certbot-config
-title: Configure Certbot to use a new ACME Server
-sidebar_label: Change ACME Server
+title: Certbot Overrides
+sidebar_label: Certbot Overrides
 ---
 
 
 ### NOTE:
-Most (almost all) users do not need to modify Certbot configs. CapRover automatically manages it for you. You can skip this page.
+Most (almost all) users do not need to modify Certbot configs. CapRover automatically manages it for you. You should skip this page!
 
-## First step
+## Customize Certbot command to use DNS-01 challenge
+
+As of CapRover 1.12.0, you're able to customize the command that Certbot uses to generate SSL certificates. By default, CapRover uses the following command:
+```bash
+certbot certonly --webroot -w ${webroot} -d ${domainName}'
+```
+which works via HTTP-01 challenge. In this mode, Certbot will verify the ownership of your domain by sending a request to `http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>` where the content of <TOKEN> is generated by Certbot. 
+
+This challenge works fine for most users, but you can optionally use a different challenge if you want to. You can do so by overriding the Certbot's certificate generation command. 
+
+### Certbot Docker image
+The default Certbot Docker image does not include the [3rd party plugins](https://hub.docker.com/r/certbot/certbot). You need to build a custom image:
+
+For example, for Cloudflare:
+```
+
+BASE_IMAGE="certbot/dns-cloudflare"  # Change this to any other base image listed here: https://hub.docker.com/r/certbot/certbot
+
+TEMP_DOCKERFILE=$(mktemp)
+cat > $TEMP_DOCKERFILE <<EOF
+FROM $BASE_IMAGE
+ENTRYPOINT ["/bin/sh", "-c"]
+CMD ["sleep 9999d"]
+EOF
+docker build -t certbot-customized -f $TEMP_DOCKERFILE .
+rm $TEMP_DOCKERFILE
+
+
+
+```
+
+### Store your DNS credentials
+
+```
+mkdir /captain/data/letencrypt/etc/captain-files
+nano mycreds.ini
+```
+Then enter your DNS credentials. For example, for Cloudflare DNS, you can use:
+```
+# Cloudflare API token used by Certbot
+dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
+```
+See details [here](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins)
+
+
+### Override the Certbot command
+
+Edit `/captain/data/config-override.json` by running:
+```
+nano /captain/data/config-override.json
+```
+
+Then enter the following blob. Make sure to replace `your/repo:certbot-sleeping` and change `certbotCertCommand` to fit your needs.  
+
+```json
+{
+  "skipVerifyingDomains": "true",
+  "certbotImageName": "certbot-customized",
+  "certbotCertCommand": [
+    {
+      "domain": "*",
+      "command":  "certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/captain-files/mycreds.ini -d ${domain}" 
+    }
+  ]
+}
+```
+
+### Restart CapRover
+
+```
+docker service update captain-captain --force
+```
+
+
+## Configure Certbot to use a new ACME Server
+
+### First step
 
 Normally, the directory `/captain/data/letsencrypt/etc` should contain the volume used by Certbot,
 to configure Certbot, add a `cli.ini` file in this directory:
@@ -17,7 +93,7 @@ $ cd /captain/data/letsencrypt/etc/
 $ nano cli.ini
 ```
 
-## Configure the right things
+### Configure the right things
 
 We will take as an example ZeroSSL's ACME server to guide you over the steps needed to make Certbot work correctly with it,
 
@@ -34,7 +110,7 @@ eab-kid = some-short-string
 eab-hmac-key = a-big-key
 ```
 
-## Restart certbot
+### Restart certbot
 
 Then to apply our changes we need to update Certbot's service:
 ```
@@ -43,7 +119,7 @@ $ docker service update captain-certbot
 
 And you're done !
 
-## CAA Record
+### CAA Record
 
 Remember to add a CAA record in your DNS to avoid any problem when generating SSL certs