NAME
     acme-client — ACME client
SYNOPSIS
     acme-client [-ADFnrv] [-f configfile] domain
DESCRIPTION
     The acme-client utility is an Automatic Certificate Management Environment
     (ACME) client.

     The options are as follows:

     -A              Create a new RSA account key if one does not already
                     exist.
     -D              Create a new RSA domain key if one does not already exist.
     -F              Force updating the certificate signature even if it's too
                     soon.
     -f configfile   Specify an alternative configuration file.
     -n              No operation: check and print configuration.
     -r              Revoke the X509 certificate found in the certificates.
     -v              Verbose operation.  Specify twice to also trace
                     communication and data transfers.
     domain          The domain name.
     acme-client looks in its configuration for a domain section corresponding
     to the domain given as command line argument.  It then uses that
     configuration to retrieve a TLS certificate.  If the certificate already
     exists and is less than 30 days from expiry, acme-client will attempt to
     refresh the signature.  Before a certificate can be requested, an account
     key needs to be created using the -A argument.  The first time a
     certificate is requested, the RSA key needs to be created with -D.
     Challenges are used to verify that the submitter has access to the
     registered domains.  acme-client only implements the “http-01” challenge
     type, where a file is created within a directory accessible by a
     locally-run web server.  The default challenge directory /var/www/acme can
     be served by httpd(8) with this location block, which will properly map
     response challenges:

           location "/.well-known/acme-challenge/*" {
                   root "/acme"
                   root strip 2
           }
FILES
     /etc/acme-client.conf   Default configuration.
     /var/www/acme           Default challengedir.
EXIT STATUS
     acme-client returns 1 on failure, 2 if the certificates didn't change (up
     to date), or 0 if certificates were changed (revoked or updated).
EXAMPLES
     To initialize a new account and domain key:

           # acme-client -vAD example.com

     To create and submit a new key for a single domain, assuming that the web
     server has already been configured to map the challenge directory as
     above:

           # acme-client -vD example.com

     A daily cron(8) job can renew the certificates:

           acme-client example.com && rcctl reload httpd
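     The cron(8) idiom above relies on the exit status convention from EXIT
     STATUS: `&&` runs the reload only on exit 0 (certificates changed), while
     exit 2 (up to date) skips it, but an exit 1 (failure) is also skipped
     silently.  The following wrapper is an added example, not part of
     acme-client or OpenBSD; it maps each status to an action and reports a
     failed renewal instead of swallowing it.  The ACME_CLIENT variable and the
     optional second argument are assumptions introduced here so the wrapper can
     be exercised without a real acme-client binary.

```sh
#!/bin/sh
# Renewal wrapper around acme-client(1) exit codes (added example, not part
# of acme-client).  Per the man page: 0 = changed, 2 = up to date, 1 = failure.

# Map an acme-client exit status to the action a cron job should take.
# Prints one of: reload, noop, fail.  Always returns 0 so it is safe under
# "set -e" and inside command substitution.
acme_action() {
    case "$1" in
        0) echo reload ;;
        2) echo noop ;;
        *) echo fail ;;
    esac
    return 0
}

# Run acme-client for DOMAIN and act on its status.  RELOAD_CMD (second
# argument, default "rcctl reload httpd") is run only when the certificate
# actually changed, matching the man page's && idiom.  A failure is reported
# on stderr and propagated as exit 1 so cron mails it rather than hiding it.
# ACME_CLIENT is an assumed override (default: acme-client) used for testing.
renew_domain() {
    domain=$1
    reload_cmd=${2:-"rcctl reload httpd"}
    acme_cmd=${ACME_CLIENT:-acme-client}

    status=0
    $acme_cmd "$domain" || status=$?

    action=$(acme_action "$status")
    case "$action" in
        reload)
            echo "certificate for $domain changed, reloading" >&2
            $reload_cmd
            ;;
        noop)
            # Up to date: nothing to reload, nothing to report.
            ;;
        fail)
            echo "acme-client failed for $domain (exit $status)" >&2
            return 1
            ;;
    esac
    return 0
}
```

     Installed as the daily job, `renew_domain example.com` behaves like the
     original `acme-client example.com && rcctl reload httpd` for the 0 and 2
     cases and additionally makes a renewal failure visible.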
SEE ALSO
STANDARDS
     Automatic Certificate Management Environment (ACME),
     https://tools.ietf.org/html/draft-ietf-acme-acme-03.
AUTHORS
     The acme-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.
BUGS
     The challenge and certificate processes currently retain their (root)
     privileges.

     For the time being, acme-client only supports RSA as an account key
     format.