NAME
acme-client - ACME client

SYNOPSIS
acme-client [-ADFnrv] [-f configfile] domain

DESCRIPTION
The acme-client utility is an Automatic Certificate Management Environment (ACME) client.

The options are as follows:

-A            Create a new RSA account key if one does not already exist.
-D            Create a new RSA domain key if one does not already exist.
-F            Force updating the certificate signature even if it's too soon.
-f configfile Specify an alternative configuration file.
-n            No operation: check and print configuration.
-r            Revoke the X.509 certificate.
-v            Verbose operation. Specify twice to also trace communication and data transfers.
domain        The domain name.
acme-client looks in its configuration for a domain section corresponding to the domain given as command line argument. It then uses that configuration to retrieve an X.509 certificate. If the certificate already exists and is less than 30 days from expiry, acme-client will attempt to refresh the signature. Before a certificate can be requested, an account key needs to be created using the -A argument. The first time a certificate is requested, the RSA key needs to be created with -D.
Challenges are used to verify that the submitter has access to the registered domains. acme-client only implements the "http-01" challenge type, where a file is created within a directory accessible by a locally-run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:

location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
}

FILES
/etc/acme-client.conf  Default configuration.
/var/www/acme          Default challengedir.

EXIT STATUS
acme-client returns 1 on failure, 2 if the certificates didn't change (up to date), or 0 if certificates were changed (revoked or updated).

EXAMPLES
To initialize a new account and domain key:

# acme-client -vAD example.com

To create and submit a new key for a single domain, assuming that the web server has already been configured to map the challenge directory as above:

# acme-client -vD example.com

A daily cron(8) job can renew the certificate:

acme-client example.com && rcctl reload httpd
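As an added example (not part of the acme-client manual page or its source), the following POSIX sh wrapper acts on the exit status documented above rather than collapsing it into a single `&&`. The `&&` form never reloads on a failure (exit 1) or an up-to-date certificate (exit 2), but it also reports nothing in either case, so a broken renewal goes unnoticed until the certificate expires. The variables ACME_CLIENT and RELOAD_CMD are assumptions introduced here so the decision logic can be exercised without contacting an ACME server; their defaults are the two commands from the cron example.

```shell
#!/bin/sh
# Renewal wrapper around acme-client(1), keyed on its documented exit status:
#   0 = certificate changed (revoked or updated), 1 = failure, 2 = unchanged.
# ACME_CLIENT and RELOAD_CMD are override knobs assumed by this example only;
# the defaults are the commands from the manual's cron example.
ACME_CLIENT="${ACME_CLIENT:-acme-client}"
RELOAD_CMD="${RELOAD_CMD:-rcctl reload httpd}"

# renew_domain DOMAIN
# Runs the client once for DOMAIN and prints one word describing the outcome:
#   reloaded   - certificate changed and the web server picked it up
#   unchanged  - certificate still good, nothing to do
#   failed     - acme-client or the reload command reported an error
#   unexpected - an exit status the manual does not document
# Returns 0 for reloaded/unchanged and 1 otherwise, so cron(8) mails
# only when something actually needs attention.
renew_domain() {
    domain=$1
    status=0
    $ACME_CLIENT "$domain" || status=$?
    case $status in
    0)
        # New or refreshed certificate on disk: the daemon must reload it.
        if $RELOAD_CMD; then
            echo reloaded
            return 0
        fi
        echo "reload failed after renewing $domain" >&2
        echo failed
        return 1
        ;;
    2)
        # Up to date (more than 30 days to expiry); no reload needed.
        echo unchanged
        return 0
        ;;
    1)
        echo "acme-client failed for $domain (exit 1)" >&2
        echo failed
        return 1
        ;;
    *)
        echo "acme-client exited $status for $domain" >&2
        echo unexpected
        return 1
        ;;
    esac
}
```

Run it from the daily cron(8) job in place of the one-liner, e.g. `sh renew-cert.sh example.com` (the script name is a placeholder). The only behavioural difference from the one-liner is that exit 1 and any undocumented status produce a message on stderr and a non-zero exit, which is what makes cron report the problem.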
SEE ALSO

STANDARDS
Automatic Certificate Management Environment (ACME), https://tools.ietf.org/html/draft-ietf-acme-acme-03.

HISTORY
The acme-client utility first appeared in OpenBSD 6.1.

AUTHORS
The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

BUGS
The challenge and certificate processes currently retain their (root) privileges.

For the time being, acme-client only supports RSA as an account key format.