ACME-CLIENT(1) | General Commands Manual | ACME-CLIENT(1) |
acme-client — ACME client
acme-client [-ADFnrv] [-f configfile] domain
The acme-client utility is an Automatic Certificate Management Environment (ACME) client.
The options are as follows:
-A
-D
-F
-f configfile
-n
-r
-v
acme-client looks in its configuration for a domain section corresponding to the domain given as a command line argument. It then uses that configuration to retrieve a TLS certificate. If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature. Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, the RSA key needs to be created with -D.
Challenges are used to verify that the submitter has access to the registered domains. acme-client only implements the “http-01” challenge type, where a file is created within a directory accessible by a locally-run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:
location "/.well-known/acme-challenge/*" {
	root "/acme"
	root strip 2
}
acme-client returns 1 on failure, 2 if the certificates didn't change (up to date), or 0 if certificates were changed (revoked or updated).
To initialize a new account and domain key:
# acme-client -vAD example.com
To create and submit a new key for a single domain, assuming that the web server has already been configured to map the challenge directory as above:
# acme-client -vD example.com
A daily cron(8) job can renew the certificates:
acme-client example.com && rcctl reload httpd
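The three exit statuses described above can be handled explicitly instead of relying on && alone. The wrapper below is an added example, not part of the original manual or of acme-client; the ACME_CLIENT and RELOAD_CMD variables and the renew_domain function are hypothetical names introduced for illustration.

```sh
#!/bin/sh
# Added example: cron wrapper that acts on acme-client's documented exit
# statuses (0 = changed, 2 = up to date, 1 = failure).
# ACME_CLIENT and RELOAD_CMD are hypothetical override variables, introduced
# here so the logic can be exercised without requesting a real certificate.
: "${ACME_CLIENT:=acme-client}"
: "${RELOAD_CMD:=rcctl reload httpd}"

# renew_domain domain
# Returns 0 if the certificate is current and being served (renewed and
# reloaded, or already up to date); returns 1 if anything needs attention.
renew_domain() {
	domain=$1
	acme_rc=0
	# "|| acme_rc=$?" records the status without tripping "set -e".
	$ACME_CLIENT "$domain" || acme_rc=$?
	case $acme_rc in
	0)	# Certificate files changed: the server must reload to serve them.
		if $RELOAD_CMD; then
			return 0
		fi
		echo "renew: $domain: certificate changed but reload failed" >&2
		return 1
		;;
	2)	# Up to date: no reload, no output, so cron stays silent.
		return 0
		;;
	*)	# 1 (or anything unexpected): the old certificate keeps ageing.
		echo "renew: $domain: acme-client failed (exit $acme_rc)" >&2
		return 1
		;;
	esac
}

# Run only when a domain is given, e.g. from cron: renew.sh example.com
if [ "$#" -gt 0 ]; then
	renew_domain "$1"
fi
```

The wrapper writes to standard error only when renewal or reload fails, so a cron(8) job that mails its output reports only the runs that need attention.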
Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.
The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.
The challenge and certificate processes currently retain their (root) privileges.
For the time being, acme-client only supports RSA as an account key format.
March 22, 2017 | OpenBSD-6.1 |