NAME
acme-client
—
ACME client
SYNOPSIS
acme-client |
[-Fnrv ] [-f
configfile] handle |
DESCRIPTION
acme-client
is an Automatic Certificate Management
Environment (ACME) client: it looks in its configuration for a domain section
corresponding to the handle given as command line
argument and uses that configuration to retrieve an X.509 certificate which
can be used to provide domain name validation (i.e. prove that the domain is
who it says it is). The certificates are typically used to provide HTTPS for
web servers, but can be used in any situation where domain name validation is
required (such as mail servers).
If the certificate already exists and is less than 30 days from
expiry, acme-client
attempts to renew the
certificate.
In order to prove that the client has access to the domain, a
challenge is issued by the signing authority.
acme-client
implements the “http-01”
challenge type, where a file is created within a directory accessible by a
locally run web server. The default challenge directory
/var/www/acme can be served by
httpd(8)
with this location block, which will properly map response challenges:
location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 }
The options are as follows:
-F
- Force certificate renewal, even if it has more than 30 days validity.
-f
configfile- Specify an alternative configuration file.
-n
- No operation: check and print configuration.
-r
- Revoke the X.509 certificate.
-v
- Verbose operation. Specify twice to also trace communication and data transfers.
- handle
- The handle of the domain section of the configuration that contains the details of the certificate to be created, renewed or revoked.
FILES
- /etc/acme
- Private keys for
acme-client
. - /etc/acme-client.conf
- Default configuration.
- /var/www/acme
- Default challengedir.
EXIT STATUS
acme-client
returns 0 if certificates were
changed (revoked or updated), 1 on failure, or 2 if the certificates didn't
change (up to date).
EXAMPLES
Example configuration files for
acme-client
and
httpd(8) are
provided in /etc/examples/acme-client.conf and
/etc/examples/httpd.conf.
To generate a certificate for example.com and use it to provide HTTPS, create acme-client.conf and httpd.conf and run:
# acme-client -v example.com
&& rcctl reload httpd
A cron(8) job can renew the certificate as necessary. On renewal, httpd(8) is reloaded:
~ * * * * acme-client example.com && \ rcctl reload httpd
SEE ALSO
STANDARDS
R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, Automatic Certificate Management Environment (ACME), RFC 8555, March 2019.
HISTORY
The acme-client
utility first appeared in
OpenBSD 6.1.
AUTHORS
The acme-client
utility was written by
Kristaps Dzonsons
<kristaps@bsd.lv>.