ACME-CLIENT(1) General Commands Manual ACME-CLIENT(1)

NAME

acme-client – ACME client

SYNOPSIS

acme-client [-ADFnrv] [-f configfile] domain

DESCRIPTION

The acme-client utility is an Automatic Certificate Management Environment (ACME) client.

The options are as follows:

-A
    Create a new RSA account key if one does not already exist.
-D
    Create a new RSA domain key if one does not already exist.
-F
    Force updating the certificate signature even if it's too soon.
-f configfile
    Specify an alternative configuration file.
-n
    No operation: check and print configuration.
-r
    Revoke the X.509 certificate.
-v
    Verbose operation. Specify twice to also trace communication and data transfers.
domain
    The domain name.

acme-client looks in its configuration for a domain section corresponding to the domain given as command line argument. It then uses that configuration to retrieve an X.509 certificate. If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature. Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, the RSA domain key needs to be created with -D.

Challenges are used to verify that the submitter has access to the registered domains. acme-client only implements the “http-01” challenge type, where a file is created within a directory accessible by a locally-run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:

location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}

FILES

/etc/acme-client.conf
    Default configuration.
/var/www/acme
    Default challengedir.

EXIT STATUS

acme-client returns 1 on failure, 2 if the certificates didn't change (up to date), or 0 if certificates were changed (revoked or updated).

EXAMPLES

To initialize a new account and domain key:

# acme-client -vAD example.com

To create and submit a new key for a single domain, assuming that the web server has already been configured to map the challenge directory as above:

# acme-client -vD example.com

A daily cron(8) job can renew the certificate:

acme-client example.com && rcctl reload httpd
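A wrapper around the daily renewal, as an added example that is not part of acme-client or the OpenBSD base system: it runs acme-client for several domains, uses the exit statuses documented above (0 changed, 1 failure, 2 up to date) to reload httpd(8) only once and only when a certificate actually changed, and exits non-zero if any domain failed, so a cron(8) mail reports the problem. The ACME_CLIENT and RELOAD_CMD variables are assumptions added so the script can be exercised with stand-in commands; by default they invoke acme-client and rcctl exactly as the cron line above does.

```shell
#!/bin/sh
# Constructed renewal wrapper (example code, not acme-client's own).
# Exit status meanings follow acme-client(1):
#   0 = certificate changed, 1 = failure, 2 = up to date.
# ACME_CLIENT and RELOAD_CMD are assumed knobs; defaults match the manual.

ACME_CLIENT="${ACME_CLIENT:-acme-client}"
RELOAD_CMD="${RELOAD_CMD:-rcctl reload httpd}"

# Translate an acme-client exit status into an action word.
acme_action() {
    case "$1" in
        0) echo changed ;;
        2) echo unchanged ;;
        *) echo failed ;;
    esac
}

# Renew every domain given on the command line. The web server is
# reloaded once, after the loop, and only if some certificate changed.
# Returns 1 if any domain failed to renew, otherwise 0.
renew_domains() {
    changed=0
    failed=0
    for domain in "$@"; do
        # Capture the status without tripping "set -e" in the caller.
        if "$ACME_CLIENT" "$domain"; then
            status=0
        else
            status=$?
        fi
        case "$(acme_action "$status")" in
            changed)
                changed=1 ;;
            failed)
                failed=1
                echo "acme-client failed for $domain (status $status)" >&2 ;;
        esac
    done
    if [ "$changed" -eq 1 ]; then
        # Word splitting on RELOAD_CMD is intentional ("rcctl reload httpd").
        $RELOAD_CMD || { echo "web server reload failed" >&2; return 1; }
    fi
    return "$failed"
}

# Usage: sh renew.sh example.com www.example.com
if [ $# -gt 0 ]; then
    renew_domains "$@"
fi
```

Because an up-to-date certificate yields status 2, the plain `&&` in the cron line only reloads httpd after a real change; the wrapper keeps that behaviour while also surfacing failures, which `&&` alone silently swallows.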

SEE ALSO

openssl(1), acme-client.conf(5), httpd.conf(5)

STANDARDS

Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.

HISTORY

The acme-client utility first appeared in OpenBSD 6.1.

AUTHORS

The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

BUGS

The challenge and certificate processes currently retain their (root) privileges.

For the time being, acme-client only supports RSA as an account key format.

August 2, 2018 OpenBSD-6.4