OpenBSD manual page server

Manual Page Search Parameters
ACME-CLIENT.CONF(5) File Formats Manual ACME-CLIENT.CONF(5)

acme-client.confacme-client configuration file

The acme-client.conf config file is divided into three main sections:

User-defined variables may be defined and used later, simplifying the configuration file.
TLS authorities that can be contacted via ACME.
Domains that the user wants to receive TLS certificates for.

Additional configuration files can be included with the include keyword, for example:

include "/etc/acme-client.sub.conf"

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, underscore or '/' must be quoted.

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words. Macros are not expanded inside quotes.

For example:

le="letsencrypt"
domain example.com {
	sign with $le
}

The configured certificate authorities.

Each authority section starts with a declaration of the name identifying a certificate authority.

name {...}
The name is a string used to reference this certificate authority.

It is followed by a block of options enclosed in curly brackets:

file
Specify a file used to identify the user of this CA.
url
Specify the url of a contract under which the certificates are supplied by the certificate authority.
url
Specify the url under which the ACME API is reachable.

An example authority block:

authority letsencrypt {
	agreement url https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/my-acme.key"
}

The domains that are configured to obtain SSL certificates through ACME.

name {...}
Each domain section begins with the domain keyword followed by the domain name.

It is followed by a block of options enclosed in curly brackets:

{...}
Specify a list of alternative names the certificate will be valid for.
domain key file
The private key file for which the certificate will be obtained.
domain certificate file
The filename of the certificate that will be issued.
domain chain certificate file
The filename in which to store the certificate chain that will be returned by the CA. It needs to be in the same directory as the domain certificate (or in a subdirectory) and can be specified as a relative or absolute path.
domain full chain certificate file
The filename in which to store the full certificate chain that will be returned by the CA. It needs to be in the same directory as the domain certificate (or in a subdirectory) and can be specified as a relative or absolute path. This is a combination of the domain certificate and the domain chain certificate in one file, and is required by most browsers.
authority
The certificate authority (as declared above in the AUTHORITIES section) to use for this domain is selected.
path
The directory in which the challenge file will be stored. If it is not specified, a default of /var/www/acme will be used.

An example domain declaration looks like this:

domain example.com {
	alternative names { secure.example.com www.example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain certificate "/etc/ssl/example.com.crt"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	sign with letsencrypt
	challengedir "/var/www/acme"
}

An httpd.conf(5) server declaration to use that certificate looks like this:

server "example.com" {
        alias "www.example.com"
        alias "secure.example.com"
        listen on $ext_addr port 80
        listen on $ext_addr tls port 443
        tls certificate "/etc/ssl/example.com.fullchain.pem"
        tls key "/etc/ssl/private/example.com.key"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
        root "/htdocs"
}

/etc/acme-client.conf
acme-client(1) configuration file

acme-client(1)

The acme-client.conf file format first appeared in OpenBSD 6.1.

March 29, 2017 OpenBSD-6.1