ACME-CLIENT(1) General Commands Manual ACME-CLIENT(1)

ACME client

acme-client [-ADFnrv] [-f configfile] domain

The acme-client utility is an Automatic Certificate Management Environment (ACME) client.
The options are as follows:
-A  Create a new RSA account key if one does not already exist.
-D  Create a new RSA domain key if one does not already exist.
-F  Force updating the certificate signature even if it's too soon.
-f configfile  Specify an alternative configuration file.
-n  No operation: check and print configuration.
-r  Revoke the X509 certificate found in the certificates.
-v  Verbose operation. Specify twice to also trace communication and data transfers.
domain  The domain name.
acme-client looks in its configuration for a domain section corresponding to the domain given as command line argument. It then uses that configuration to retrieve a TLS certificate. If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature. Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, the RSA key needs to be created with -D.
Challenges are used to verify that the submitter has access to the registered domains. acme-client only implements the “http-01” challenge type, where a file is created within a directory accessible by a locally-run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:
location "/.well-known/acme-challenge/*" {
	root "/acme"
	root strip 2
}

Default configuration.
Default challengedir.

acme-client returns 1 on failure, 2 if the certificates didn't change (up to date), or 0 if certificates were changed (revoked or updated).

To initialize a new account and domain key:
# acme-client -vAD example.com
To create and submit a new key for a single domain, assuming that the web server has already been configured to map the challenge directory as above:
# acme-client -vD example.com
A daily cron(8) job can renew the certificates:
acme-client example.com && rcctl reload httpd
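
The cron line above reloads httpd only on exit 0 and treats failure (1) and an up-to-date certificate (2) the same way. The following wrapper is an added example, not part of the original manual page, that handles each documented exit code separately; ACME_CLIENT and RELOAD_CMD are hypothetical override variables introduced for this sketch.

```sh
#!/bin/sh
# Added example: act on acme-client's three documented exit codes.
# ACME_CLIENT and RELOAD_CMD are hypothetical override variables used only
# by this sketch; their defaults are the commands from the cron line above.
: "${ACME_CLIENT:=acme-client}"
: "${RELOAD_CMD:=rcctl reload httpd}"

# renew_domain domain
# Returns 0 if the certificate changed and the reload succeeded,
# 2 if the certificate was already up to date, 1 on any failure.
renew_domain() {
	_domain=$1
	if [ -z "$_domain" ]; then
		echo "usage: renew_domain domain" >&2
		return 1
	fi

	_rc=0
	$ACME_CLIENT "$_domain" || _rc=$?

	case $_rc in
	0)	# Certificate changed: httpd must reload to serve it.
		if ! $RELOAD_CMD; then
			echo "$_domain: certificate changed but reload failed" >&2
			return 1
		fi
		return 0 ;;
	2)	# Up to date: no reload and no output, so cron stays quiet.
		return 2 ;;
	*)	# 1 or an undocumented status: report it and never reload.
		echo "$_domain: acme-client failed (exit $_rc)" >&2
		return 1 ;;
	esac
}

# Run for the domain given on the command line, e.g. from cron(8).
if [ $# -gt 0 ]; then
	renew_domain "$1"
	exit $?
fi
```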

openssl(1), acme-client.conf(5), httpd.conf(5)

Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.

The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

The challenge and certificate processes currently retain their (root) privileges.
For the time being, acme-client only supports RSA as an account key format.
March 22, 2017 OpenBSD-6.1