NAME
acme-client.conf
—
acme-client configuration
file
DESCRIPTION
The acme-client.conf
file is divided into
the following main sections:
- Macros
- User-defined variables may be defined and used later, simplifying the configuration file.
- Authorities
- Certificate authorities (CAs) that can be contacted via ACME.
- Domains
- Certificate specifications.
Additional configuration files can be included with the
include
keyword, for example:
include "/etc/acme-client.sub.conf"
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, underscore, or '/' must be quoted.
MACROS
Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words. Macros are not expanded inside quotes.
For example:
api_url="https://acme-v02.api.letsencrypt.org/directory" authority letsencrypt { api url $api_url account key "/etc/acme/letsencrypt-privkey.pem" }
AUTHORITIES
The configured certificate authorities.
Each authority section starts with a declaration of the name identifying a certificate authority.
- The name is a string used to reference this certificate authority.
It is followed by a block of options enclosed in curly brackets:
account key
file [keytype]- Specify a file used to identify the user of this
certificate authority. keytype can be
rsa
orecdsa
. It defaults torsa
. api url
url- Specify the url under which the ACME API is reachable.
DOMAINS
The certificates to be obtained through ACME.
domain
name {...}- Each domain section begins with the
domain
keyword followed by the name to be used as the common name component of the subject of the X.509 certificate.
It is followed by a block of options enclosed in curly brackets:
alternative names
{...}- Specify a list of alternative names for which the certificate will be valid. The common name is included automatically if this option is present, but there is no automatic conversion/inclusion between "www." and plain domain name forms.
domain key
file [keytype]- The private key file for which the certificate will be obtained.
keytype can be
rsa
orecdsa
. It defaults torsa
. domain certificate
file- The filename of the certificate that will be issued. This is optional if domain full chain certificate is specified.
domain chain certificate
file- The filename in which to store the certificate chain that will be returned by the certificate authority. It needs to be in the same directory as the domain certificate (or in a subdirectory) and can be specified as a relative or absolute path. This setting is optional.
domain full chain certificate
file- The filename in which to store the full certificate chain that will be returned by the certificate authority. It needs to be in the same directory as the domain certificate (or in a subdirectory) and can be specified as a relative or absolute path. This is a combination of the domain certificate and the domain chain certificate in one file, and is required by most browsers. This is optional if domain certificate is specified.
sign with
authority- The certificate authority (as declared above in the AUTHORITIES section) to use. If this setting is absent, the first authority specified is used.
challengedir
path- The directory in which the challenge file will be stored. If it is not specified, a default of /var/www/acme will be used.
FILES
- /etc/acme-client.conf
- acme-client(1) configuration file
- /etc/examples/acme-client.conf
- example configuration file
SEE ALSO
HISTORY
The acme-client.conf
file format first
appeared in OpenBSD 6.1.