ACME-CLIENT.CONF(5) | File Formats Manual | ACME-CLIENT.CONF(5) |
acme-client.conf - acme-client configuration file
The acme-client.conf config file is divided into three main sections:
Additional configuration files can be included with the include keyword, for example:
    include "/etc/acme-client.sub.conf"
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, underscore or '/' must be quoted.
Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words. Macros are not expanded inside quotes.
For example:
    le="letsencrypt"
    domain example.com {
        sign with $le
    }
The configured certificate authorities.
Each authority section starts with a declaration of the name identifying a certificate authority.
It is followed by a block of options enclosed in curly brackets:
    account key file
    agreement url url
    api url url
An example authority block:
    authority letsencrypt {
        agreement url https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/ssl/private/my-acme.key"
    }
The domains that are configured to obtain SSL certificates through ACME.
domain name {...}
    The domain keyword followed by the domain name. It is followed by a block of options enclosed in curly brackets:
    alternative names {...}
    domain key file
    domain certificate file
    domain chain certificate file
    domain full chain certificate file
    sign with authority
    challengedir path
An example domain declaration looks like this:
    domain example.com {
        alternative names { secure.example.com www.example.com }
        domain key "/etc/ssl/private/example.com.key"
        domain certificate "/etc/ssl/example.com.crt"
        domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
        sign with letsencrypt
        challengedir "/var/www/acme"
    }
An httpd.conf(5) server declaration to use that certificate looks like this:
    server "example.com" {
        alias "www.example.com"
        alias "secure.example.com"
        listen on $ext_addr port 80
        listen on $ext_addr tls port 443
        tls certificate "/etc/ssl/example.com.fullchain.pem"
        tls key "/etc/ssl/private/example.com.key"
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            root strip 2
        }
        root "/htdocs"
    }
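A small linter for this file format, added here as an example; it is not part of acme-client or of the original manual page. It applies the continuation, comment, quoting and macro rules described above. The function names, the constructed sample and the two checks (a `sign with` target that names no declared authority, an authority URL that is not HTTPS) are assumptions of the example.

```python
import re

# Constructed sample config; it uses only constructs described on this page.
SAMPLE = r'''
le="letsencrypt"
authority letsencrypt { api url "https://acme-v01.api.letsencrypt.org/directory" }
authority lab { api url "http://acme.example.invalid/directory" }
domain example.com { sign with $le }      # bare macro: expanded
domain example.org { sign with "$le" }    # quoted macro: not expanded
# domain old.example.com { \
	sign with nobody }
'''

TOKEN = re.compile(r'"([^"]*)"|(#[^\n]*)|([{}])|(\w+)=|([^\s{}#"]+)')

def tokens(text):
    """Tokenise using the page's rules for continuations, comments, quotes and macros."""
    text = text.replace("\\\n", " ")   # join first, so a comment swallows continued lines
    macros, out, it = {}, [], TOKEN.finditer(text)
    for m in it:
        quoted, comment, brace, macro, bare = m.groups()
        if comment is not None:
            continue
        if macro:                      # name=value: the value is the next token
            value = next(it)
            macros[macro] = value.group(1) if value.group(1) is not None else value.group(5)
        elif quoted is not None:
            out.append(quoted)         # macros are not expanded inside quotes
        elif brace:
            out.append(brace)
        else:                          # unknown macros are kept literally (assumption)
            out.append(macros.get(bare[1:], bare) if bare[0] == "$" else bare)
    return out

def audit(text):
    """Return findings: unresolved 'sign with' targets and non-HTTPS authority URLs."""
    t = tokens(text)
    authorities = {t[i + 1] for i, w in enumerate(t[:-1]) if w == "authority"}
    findings, section = [], None
    for i, w in enumerate(t):
        nxt = t[i + 1:i + 3]
        if w in ("authority", "domain") and nxt[1:] == ["{"]:
            section = nxt[0]           # start of an authority or domain block
        elif w == "sign" and nxt[:1] == ["with"] and nxt[1:] and nxt[1] not in authorities:
            findings.append(f"{section}: sign with {nxt[1]} is not a declared authority")
        elif w == "url" and nxt and not nxt[0].startswith("https://"):
            findings.append(f"{section}: url {nxt[0]} is not HTTPS")
    return findings
```

Calling `audit(SAMPLE)` reports the quoted `"$le"` and the `http://` URL; the commented-out block produces nothing because the continuation line is part of the comment.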
The acme-client.conf file format first appeared in OpenBSD 6.1.
March 29, 2017 | OpenBSD-6.1 |