agent.yml’s certificates[].profile).
Fields
| Field | Type | Required | Notes |
|---|---|---|---|
type | enum: wildcard, multi_san | yes | |
dns_names | string[] | yes | Allowed DNS names. Non-empty. |
acme.challenge | enum: dns-01, http-01 | yes | Wildcard profiles require dns-01. |
acme.credentials | string | for dns-01 | Secret reference resolved by the broker’s secrets provider. |
renew_before | duration | no (default 720h) | When the broker considers a cached cert “due” for renewal. |
additionalProperties: false).
type: wildcard
For *.zone certificates.
dns_namesmust contain exactly one entry of the form*.<zone>.acme.challengemust bedns-01(Let’s Encrypt does not allowhttp-01for wildcards).acme.credentialsis required and resolves to your DNS provider credential.
type: multi_san
For certificates with a fixed list of SANs.
dns_nameslists every SAN the profile may include.acme.challengemay bedns-01orhttp-01.acme.credentialsis required fordns-01.- The agent’s CSR SANs must be a subset of
dns_names.
renew_before
This is the broker-side renewal window. When an agent asks for a cached certificate and the cache entry is within renew_before of expiry, the broker requests a fresh certificate from ACME instead of returning the cached one. Agents have their own renew_before in agent.yml — they should be roughly equal to avoid an agent asking too late.
Common values: 720h (30 days) for 90-day Let’s Encrypt certificates.
Credential references
Theacme.credentials string is opaque to the policy compiler. It is interpreted by the configured secrets provider in broker.yml:
| Provider | Interpretation of acme.credentials |
|---|---|
env | Environment variable name. |
file | Path to a file on the broker. |
vault / openbao | Vault path under mount_path. |