OpenBSD manual page server

Manual Page Search Parameters

ACME-CLIENT(1) General Commands Manual ACME-CLIENT(1)

ACME client

acme-client [-Fnrv] [-f configfile] domain

acme-client is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the domain given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation (i.e. prove that the domain is who it says it is). The certificates are typically used to provide HTTPS for web servers, but can be used in any situation where domain name validation is required (such as mail servers).

If the certificate already exists and is less than 30 days from expiry, acme-client attempts to renew the certificate.

In order to prove that the client has access to the domain, a challenge is issued by the signing authority. acme-client implements the “http-01” challenge type, where a file is created within a directory accessible by a locally run web server. The default challenge directory /var/www/acme can be served by httpd(8) with this location block, which will properly map response challenges:

location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2

The options are as follows:

Force certificate renewal, even if it's too soon.
Specify an alternative configuration file.
No operation: check and print configuration.
Revoke the X.509 certificate.
Verbose operation. Specify twice to also trace communication and data transfers.
The domain name.

Private keys for acme-client.
Default configuration.
Default challengedir.

acme-client returns 0 if certificates were changed (revoked or updated), 1 on failure, or 2 if the certificates didn't change (up to date).

Example configuration files for acme-client and httpd(8) are provided in /etc/examples/acme-client.conf and /etc/examples/httpd.conf.

To generate a certificate for and use it to provide HTTPS, create acme-client.conf and httpd.conf and run:

# acme-client -v && rcctl reload httpd

A cron(8) job can renew the certificate as necessary. On renewal, httpd(8) is reloaded:

0	*	*	*	*	sleep $((RANDOM \% 2048)) && \
	acme-client && rcctl reload httpd

openssl(1), acme-client.conf(5), httpd.conf(5)

R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, Automatic Certificate Management Environment (ACME), RFC 8555, March 2019.

The acme-client utility first appeared in OpenBSD 6.1.

The acme-client utility was written by Kristaps Dzonsons <>.
June 15, 2019 OpenBSD-current