Skip to main content

General settings reference

Every field on Settings → General, grouped exactly as on the page. Settings are stored as a single versioned document — the form uses optimistic concurrency, so if another admin saved while you were editing, your save is rejected with a conflict and the page reloads the current values.

Approval requirements

When a toggle is on, operators must get admin/owner approval before performing that operation. Admins and owners are auto-approved but still go through the request flow, so the action is captured as an approval record.

FieldGated operationDefault
require_approval_for_issueIssuing new certificatesoff
require_approval_for_reissueReissuing existing certificates with new parametersoff
require_approval_for_renewRenewing certificates approaching expirationoff
require_approval_for_revokeRevoking active certificatesoff
require_approval_for_downloadDownloading certificate private keysoff

See Certificate policy & approval workflow for the request/approve/reject flow.

Certificate defaults

Defaults applied to new certificates; each can be overridden per certificate at issue time.

FieldWhat it doesRangeDefault
default_renewal_threshold_daysDays before expiration at which a certificate becomes eligible for automatic renewal.1–90 days30
default_key_typeDefault key algorithm for new certificates. ECDSA is faster and smaller; RSA has broader legacy compatibility.ECDSA-P256, ECDSA-P384, RSA-2048, RSA-3072, RSA-4096ECDSA-P256
default_key_rotation_policyReuse keeps the same private key across renewals; Rotate generates a fresh key each time.reuse / rotatereuse
default_auto_renewWhether new certificates are automatically renewed before expiration.on / offon

See Renewal for how the renewal sweep uses the threshold.

Runtime limits

warning

These settings directly affect system performance and resource usage. The page shows the same warning.

FieldWhat it doesRangeDefault
renewal_check_interval_minutesHow often the scheduler scans for certificates that need renewal. Lower values detect expiring certs faster but increase database load.5–1440 min60
domain_check_interval_minutesHow often tracked domains are checked for certificate changes or expiration on remote endpoints.5–1440 min60
domain_check_batch_sizeNumber of domains checked concurrently per scan cycle.1–50050
default_max_job_attemptsRetry attempts for failed jobs before they are marked permanently failed.1–103
distribution_execution_timeout_minutesMaximum time a distribution job may run across all its targets; the job is cancelled if exceeded.5–120 min30
distribution_parallel_execution_enabledDistribution modules process targets concurrently. Disable to force sequential execution as a safety fallback.on / offon
distribution_ssh_max_concurrencySystem-level override for SSH distribution concurrency. 0 = use the module config default (10). Higher values speed up large deployments but may hit remote sshd connection limits.0–500
distribution_fanout_thresholdTarget count above which a distribution is split into parallel child jobs. 0 = disabled (single job for all targets). Recommended: 50+.0–5000
distribution_fanout_batch_sizeTargets per child job when fan-out is active. 0 = default (50). Smaller values create more parallel jobs.0–2000

The three distribution_* fan-out fields drive the fan-out execution engine — see Distribution fan-out.

DNS propagation

These fields control the local propagation gate that runs before the CA is asked to validate a DNS-01 challenge. They matter most on locked-down networks — see DNS propagation settings for scenario guidance.

FieldWhat it doesRangeDefault
dns_propagation_timeout_secondsMaximum time to wait for DNS challenge records to propagate before giving up on ACME validation.30–600 s120
dns_propagation_poll_interval_secondsHow often propagation is re-checked during validation. Must be less than the propagation timeout (the form enforces this).2–60 s5
dns_resolversResolvers used for the manual-DNS TXT propagation pre-check. Entries are host or host:port; bare hosts default to port 53 (e.g. 10.0.0.53 or dns.internal:53). Empty = public default (8.8.8.8, 8.8.4.4, 1.1.1.1).listempty
dns_propagation_allow_partialOff (strict, default): a TXT record counts as propagated only if every resolver returns it. On: a single agreeing resolver is enough — for networks that can reach only one resolver.on / offoff
dns_propagation_skip_precheckOff (default): manual-DNS Validate first confirms the TXT record is visible via the resolvers above before asking the CA. On: skip the local gate and let the CA validate directly — for split-horizon networks where the local check can't see what the CA sees.on / offoff
Skip pre-check trade-off

The pre-check is only an optimisation — the CA is the authoritative validator and does its own lookup. But if you skip the gate and the record isn't actually ready, a CA validation attempt is wasted, and failed validations count against the CA's rate limits.

See Manual DNS validation for the workflow these settings gate.

UI preferences

FieldWhat it doesRangeDefault
default_page_sizeItems shown per page in tables throughout the UI.5–10020
dashboard_refresh_interval_secondsHow often the dashboard auto-refreshes. Lower values are closer to real-time but increase API calls.10–3600 s60

See also