DOC: acme: add details about key pair generation in ACME section

In 3.3 it is possible to generate a key pair without needing a existing certificate on the disk.
2025-12-07 02:31:01 +01:00 · 2025-11-20 12:48:22 +01:00 · 2025-11-20 12:48:22 +01:00 · 1b443bdec5
commit 1b443bdec5
parent d6e3e5b3a6
1 changed files with 5 additions and 4 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -31029,13 +31029,14 @@ The ACME section allows to configure HAProxy as an ACMEv2 client. This feature
 is experimental meaning that "expose-experimental-directives" must be in the
 global section so this can be used.

-Current limitations as of 3.2:
+Current limitations as of 3.3:
 - The feature is limited to the HTTP-01 or DNS-01 challenges for now. HTTP-01
  is completely handled by HAProxy, but DNS-01 needs either the dataplaneAPI or
  another 3rd party tool to talk to a DNS provider API.
- Configuring acme needs a configuration with a crt, it's currently not
-  possible to start without this crt on the disk, a key-pair must already exist
-  to start haproxy. It is recommanded to use an expired certificate for that.
+- It is possible to start without an existing certificate on the disk. To do
+  so, the certificate must configured in a crt-store.
+  When using the "acme" keyword in a crt-store, a temporary key pair will be
+  used until the ACME certificate is generated.
 - The current HAProxy architecture is a non-blocking model, access to the disk
  is not supposed to be done after the configuration is loaded, because it
  could block the event loop, blocking the traffic on the same thread. Meaning