From 7918cc641bdbd02b36369a1da5a4a2ed30839c8a Mon Sep 17 00:00:00 2001
From: Ronald Portier <ronald@therp.nl>
Date: Tue, 5 Jul 2016 17:53:58 +0200
Subject: [PATCH] [ENH] A little bit more explanation in README.rst. (#475)

---
 letsencrypt/README.rst | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/letsencrypt/README.rst b/letsencrypt/README.rst
index 6dbf989e3..a6164ceb3 100644
--- a/letsencrypt/README.rst
+++ b/letsencrypt/README.rst
@@ -23,10 +23,11 @@ After installation, trigger the cronjob `Update letsencrypt certificates` and
 watch your log for messages.
 
 This addon depends on the ``openssl`` binary and the ``acme_tiny`` and ``IPy``
-python modules.
+python modules. If you use https in your nginx or apache configuration,
+openssl should already be installed.
 
-For installing the OpenSSL binary you can use your distro package manager.
-For Debian and Ubuntu, that would be:
+If you still need to install the OpenSSL binary you can use your distro
+package manager. For Debian and Ubuntu, that would be:
 
     sudo apt-get install openssl
 
@@ -88,7 +89,22 @@ You'll also need a matching sudo configuration, like::
 
     your_odoo_user ALL = NOPASSWD: /usr/sbin/service nginx reload
 
-Further, if you force users to https, you'll need something like for nginx::
+The line above can be added to /etc/sudoers through the visudo command.
+
+If your distribution supports it, like Debian does, you can create and edit
+an automatically included file through
+``visudo -f /etc/sudoers.d/letsencrypt``. This will also put the right
+authorities on the file (-r--r-----).
+
+The server that provides the certificates will try to check that you actually
+control the host that you request a certificate for. It will do this by
+requesting through http a file from an uri that contains
+``/.well-known/acme-challenge/xxx``. The letsencrypt module provides a
+controller that will provide this uri from the Odoo server, but we have to
+configure the frontend nginx or apache server to accept http for these uri's.
+
+Therefore, if you force users to https, you'll need something like this
+for nginx::
 
     if ($scheme = "http") {
         set $redirect_https 1;
@@ -116,7 +132,7 @@ an upstream for your odoo instance and do something like::
 
 If you're using a multi-database installation (with or without dbfilter option)
 where /web/databse/selector returns a list of more than one database, then
-you need to add ``letsencrypt`` addon to wide load addons list
+you need to add ``letsencrypt`` addon to serverwide load addons list
 (by default, only ``web`` addon), setting ``--load`` option.
 For example, ``--load=web,letsencrypt``