[OpenBSD]

Manual Page Search Parameters
ACME-CLIENT(1) General Commands Manual ACME-CLIENT(1)

acme-client
ACME client

acme-client [-ADFnrv] [-f configfile] domain

acme-client is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the domain given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation (i.e. prove that the domain is who it says it is). The certificates are typically used to provide HTTPS for web servers, but can be used in any situation where domain name validation is required (such as mail servers).

Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, a domain key needs to be created with -D. So a typical invocation the first time it's run would be:

# acme-client -ADv example.com

If the certificate already exists and is less than 30 days from expiry, acme-client attempts to renew the certificate.

In order to prove that the client has access to the domain, a challenge is issued by the signing authority. acme-client implements the “http-01” challenge type, where a file is created within a directory accessible by a locally run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:

location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}

The options are as follows:

Create a new RSA account key if one does not already exist.
Create a new RSA domain key if one does not already exist.
Force certificate renewal, even if it's too soon.
configfile
Specify an alternative configuration file.
No operation: check and print configuration.
Revoke the X.509 certificate.
Verbose operation. Specify twice to also trace communication and data transfers.
domain
The domain name.

/etc/acme
Private keys for acme-client.
/etc/acme-client.conf
Default configuration.
/var/www/acme
Default challengedir.

acme-client returns 0 if certificates were changed (revoked or updated), 1 on failure, or 2 if the certificates didn't change (up to date).

Example configuration files for acme-client and httpd(8) are provided in /etc/examples/acme-client.conf and /etc/examples/httpd.conf.

To generate a certificate for example.com and use it to provide HTTPS, create acme-client.conf and httpd.conf and run:

# acme-client -ADv example.com && rcctl reload httpd

A cron(8) job can renew the certificate as necessary. On renewal, httpd(8) is reloaded:

0	*	*	*	*	sleep $((RANDOM \% 2048)) && \
	acme-client example.com && rcctl reload httpd

openssl(1), acme-client.conf(5), httpd.conf(5)

Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.

The acme-client utility first appeared in OpenBSD 6.1.

The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

The challenge and certificate processes currently retain their (root) privileges.

For the time being, acme-client only supports RSA as an account key format.

February 3, 2019 OpenBSD-current