
ACME-CLIENT(1) General Commands Manual ACME-CLIENT(1)

acme-client - ACME client

acme-client [-ADFnrv] [-f configfile] domain

The acme-client utility is an Automatic Certificate Management Environment (ACME) client.

The options are as follows:

-A
Create a new RSA account key if one does not already exist.
-D
Create a new RSA domain key if one does not already exist.
-F
Force updating the certificate signature even if it's too soon.
-f configfile
Specify an alternative configuration file.
-n
No operation: check and print configuration.
-r
Revoke the X509 certificate found in the certificates.
-v
Verbose operation. Specify twice to also trace communication and data transfers.
domain
The domain name.

acme-client looks in its configuration for a domain section corresponding to the domain given as command-line argument. It then uses that configuration to retrieve a TLS certificate. If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature. Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, the RSA domain key needs to be created with -D.

Challenges are used to verify that the submitter has access to the registered domains. acme-client only implements the “http-01” challenge type, where a file is created within a directory accessible by a locally-run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:

location "/.well-known/acme-challenge/*" {
	root "/acme"
	root strip 2
}
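As an added example (not part of the acme-client manual or the httpd source), the following script mirrors what the location block above does to a challenge request, so an administrator can confirm that a token acme-client writes into the challenge directory would be found by httpd before requesting a certificate. It assumes httpd's default chroot of /var/www, which is why root "/acme" lands in /var/www/acme; the CHROOT variable is a hypothetical override used only so the mapping can be exercised elsewhere.

```shell
#!/bin/sh
# Added example, not part of the acme-client(1) manual: mirror the mapping that
# the httpd(8) location block performs for a challenge request, so the
# challenge directory can be checked before a certificate is requested.
# Assumption: httpd runs chrooted in /var/www, so "root /acme" resolves to
# /var/www/acme, and "root strip 2" discards the first two path components
# (".well-known" and "acme-challenge") before the rest is appended to the root.
CHROOT=${CHROOT:-/var/www}     # hypothetical override so the logic can be tested anywhere
CHALLENGE_ROOT=/acme           # the "root" from the location block

# Translate a request path into the file acme-client must have written.
# Anything that is not a bare token under /.well-known/acme-challenge/ is
# refused, so only files directly inside the challenge directory can be named.
challenge_file() {
    url=$1
    case "$url" in
        /.well-known/acme-challenge/*) ;;
        *) echo "not a challenge request: $url" >&2; return 1 ;;
    esac
    token=${url#/.well-known/acme-challenge/}
    case "$token" in
        ''|*/*|.*) echo "refusing token: $token" >&2; return 1 ;;
    esac
    printf '%s%s/%s\n' "$CHROOT" "$CHALLENGE_ROOT" "$token"
}

# Return 0 when the file for the given request path exists, i.e. when a
# challenge written to the default challengedir would be served.
challenge_served() {
    file=$(challenge_file "$1") || return 1
    [ -f "$file" ]
}

# Stand-alone use: ./check-challenge.sh /.well-known/acme-challenge/TOKEN
for url in "$@"; do
    if challenge_served "$url"; then
        echo "$url -> $(challenge_file "$url") (served)"
    else
        echo "$url is not served" >&2
    fi
done
```

Run it against a token name while acme-client is mid-challenge (or after placing a test file in /var/www/acme yourself) to see the path httpd would open; a "not served" result usually means the location block or the challengedir in acme-client.conf(5) does not match.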

/etc/acme-client.conf
Default configuration.
/var/www/acme
Default challengedir.

acme-client returns 1 on failure, 2 if the certificates didn't change (up to date), or 0 if certificates were changed (revoked or updated).

To initialize a new account and Domain key:

# acme-client -vAD example.com

To create and submit a new key for a single domain, assuming that the web server has already been configured to map the challenge directory as above:

# acme-client -vD example.com

A daily cron(8) job can renew the certificates:

acme-client example.com && rcctl reload httpd
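As an added example (not part of the manual), the script below extends that one-liner into a cron(8) job for several domains that acts on the exit statuses listed above: httpd is reloaded once only if some certificate actually changed (status 0), an up-to-date certificate (status 2) causes no reload, and a failure (status 1) is reported on stderr so cron mails it. The ACME_CLIENT and RELOAD_CMD variables are hypothetical overrides that exist only so the logic can be exercised without a real ACME authority.

```shell
#!/bin/sh
# Added example, not part of the acme-client(1) manual: a cron(8) wrapper that
# acts on the exit statuses documented for acme-client (0 certificate changed,
# 2 up to date, 1 failure) for several domains, reloading httpd only when a
# certificate actually changed and reporting failures so cron mails them.
# ACME_CLIENT and RELOAD_CMD are hypothetical overrides used only so the logic
# can be exercised without a real ACME authority.
ACME_CLIENT=${ACME_CLIENT:-acme-client}
RELOAD_CMD=${RELOAD_CMD:-"rcctl reload httpd"}

# Map an acme-client exit status to the action the job should take.
classify_exit() {
    case "$1" in
        0) echo reload ;;   # certificate revoked or updated: httpd must reload
        2) echo noop ;;     # certificate still valid: nothing to do
        *) echo fail ;;     # 1 (or anything unexpected): needs attention
    esac
}

# Run acme-client for one domain and print the action taken.
# Returns non-zero on failure so a caller can stop on it.
renew_domain() {
    domain=$1
    if "$ACME_CLIENT" "$domain"; then status=0; else status=$?; fi
    action=$(classify_exit "$status")
    if [ "$action" = fail ]; then
        echo "acme-client exited $status for $domain" >&2
    fi
    echo "$action"
    [ "$action" != fail ]
}

# Renew every domain given, count outcomes, reload httpd once if any changed.
# Prints "changed=N unchanged=N failed=N"; exit status is non-zero if any failed.
renew_all() {
    changed=0 unchanged=0 failed=0
    for domain in "$@"; do
        case "$(renew_domain "$domain")" in
            reload) changed=$((changed + 1)) ;;
            noop)   unchanged=$((unchanged + 1)) ;;
            *)      failed=$((failed + 1)) ;;
        esac
    done
    if [ "$changed" -gt 0 ]; then
        $RELOAD_CMD
    fi
    echo "changed=$changed unchanged=$unchanged failed=$failed"
    [ "$failed" -eq 0 ]
}

# Stand-alone use from cron: renew.sh example.com www.example.com
if [ $# -gt 0 ]; then
    renew_all "$@"
fi
```

Because the summary line goes to stdout and failures to stderr, a crontab entry that discards stdout still gets a mail whenever one domain could not be renewed, which the plain `&&` form above stays silent about.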

openssl(1), acme-client.conf(5), httpd.conf(5)

Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.

The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

The challenge and certificate processes currently retain their (root) privileges.

For the time being, acme-client only supports RSA as an account key format.

March 22, 2017 OpenBSD-6.1