summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJason McIntyre <jmc@cvs.openbsd.org>2016-09-01 08:45:59 +0000
committerJason McIntyre <jmc@cvs.openbsd.org>2016-09-01 08:45:59 +0000
commit81899e0bd3074b9a4dfd3a5ff11a4eb020dcf026 (patch)
tree1b51f4b51fc3d27c150fe2526a8ef0a6e909ff8a
parentfab71394eec13ccf8ac9468dc448fbfb27e58ba0 (diff)
various cleanup;
-rw-r--r--usr.sbin/acme-client/acme-client.1134
1 files changed, 67 insertions, 67 deletions
diff --git a/usr.sbin/acme-client/acme-client.1 b/usr.sbin/acme-client/acme-client.1
index f9d4bd7294c..42f78328af0 100644
--- a/usr.sbin/acme-client/acme-client.1
+++ b/usr.sbin/acme-client/acme-client.1
@@ -1,4 +1,4 @@
-.\" $Id: acme-client.1,v 1.3 2016/08/31 23:44:58 florian Exp $
+.\" $OpenBSD: acme-client.1,v 1.4 2016/09/01 08:45:58 jmc Exp $
.\"
.\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
@@ -14,36 +14,36 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 31 2016 $
-.Dt acme-client 1
+.Dd $Mdocdate: September 1 2016 $
+.Dt ACME-CLIENT 1
.Os
.Sh NAME
.Nm acme-client
.Nd secure Let's Encrypt client
.Sh SYNOPSIS
.Nm acme-client
-.Op Fl bFmnNrsv
+.Op Fl bFmNnrsv
.Op Fl a Ar agreement
.Op Fl C Ar challengedir
.Op Fl c Ar certdir
.Op Fl f Ar accountkey
.Op Fl k Ar domainkey
.Ar domain
-.Op Ar altnames...
+.Op Ar altname ...
.Sh DESCRIPTION
The
.Nm
utility submits an X509 certificate for
.Ar domain
and its alternate DNS names
-.Ar altnames
+.Ar altname
to a
-.Dq Let's Encrypt
+.Qq Let's Encrypt
server for automated signing.
-It can also revoke previously-submitted signatures.
-It must be run as root.
-(Why?
-.Xr chroot 2 . )
+It can also revoke previously submitted signatures.
+It must be run as root
+(see
+.Xr chroot 2 ) .
.Pp
By default, it uses
.Pa /var/www/acme
@@ -59,49 +59,71 @@ and
.Pa /etc/acme/privkey.pem
for the account private key
.Pq Fl f .
-All of these must exist unless you use
+All of these must exist unless
.Fl n
and/or
-.Fl N ,
-which will generate the account and domain private keys, respectively.
-Its arguments are as follows:
+.Fl N
+are being used,
+which generates an account and domain private keys, respectively.
+.Pp
+The options are as follows:
.Bl -tag -width Ds
+.It Fl a Ar agreement
+Use an alternative agreement URL.
+The default uses the current one, but it may be out of date.
.It Fl b
-Back up all
-.Sx Certificates
-in the certificate directory.
-This will only back up if something will be done to them (remove or
-replace).
-The backups are called
+Back up all certificates in the certificate directory.
+This only happens if a remove or replace operation is possible.
+The backups are named
.Pa cert-NNNNN.pem ,
.Pa chain-NNNNN.pem ,
and
.Pa fullchain-NNNNN.pem ,
where
.Li NNNNN
-is the current UNIX epoch.
-Any given backup effort will use the same epoch time for all three
-certificates.
-If there are no certificates in place, this does nothing.
+is the current
+.Ux
+Epoch.
+Any given backup uses the same Epoch time for all three certificates.
+If there are no certificates in place, this option does nothing.
+.It Fl C Ar challengedir
+The directory to register challenges.
+See
+.Sx Challenges
+for details.
+.It Fl c Ar certdir
+The directory to store public certificates.
+See
+.Sx Certificates
+for details.
.It Fl F
Force updating the certificate signature even if it's too soon.
+.It Fl f Ar accountkey
+The account private key.
+This was either made with a previous
+.Dq Let's Encrypt
+client or with
+.Fl n .
+.It Fl k Ar domainkey
+The private key for the domain.
+This may also be created with
+.Fl N .
.It Fl m
Append
.Ar domain
to all default paths except the challenge path
-.Pq i.e., those that are overriden by Fl c , k , f .
+.Pq i.e. those that are overridden by Fl c , k , f .
Thus,
.Ar foo.com
as the initial domain would make the default domain private key into
.Pa /etc/ssl/acme/private/foo.com/privkey.pem .
This is useful in setups with multiple domain sets.
-.It Fl n
-Create a new 4096-bit RSA account key if one does not already exist.
.It Fl N
Create a new 4096-bit RSA domain key if one does not already exist.
+.It Fl n
+Create a new 4096-bit RSA account key if one does not already exist.
.It Fl r
-Revoke the X509 certificate found in
-.Sx Certificates .
+Revoke the X509 certificate found in the certificates.
.It Fl s
Use the
.Dq Let's Encrypt
@@ -109,45 +131,22 @@ staging server instead of the real thing.
.It Fl v
Verbose operation.
Specify twice to also trace communication and data transfers.
-.It Fl a Ar agreement
-Use an alternative agreement URL.
-The default uses the current one, but it may be out of date.
-.It Fl C Ar challengedir
-Where to register challenges.
-See
-.Sx Challenges
-for details.
-.It Fl c Ar certdir
-Where to put public certificates.
-See
-.Sx Certificates
-for details.
-.It Fl f Ar accountkey
-The account private key.
-This was either made with a previous
-.Dq Let's Encrypt
-client or with
-.Fl n .
-.It Fl k Ar domainkey
-The private key for the domain.
-This may also be created with
-.Fl N .
.It Ar domain
The domain name.
-The only difference between this and the
-.Ar altnames
+The only difference between this and
+.Ar altname
is that it's put into the certificate's
.Li CN
-field and is use the
-.Dq main
+field and it uses the
+.Qq main
domain when specifying
.Fl m .
-.It Ar altnames
+.It Ar altname
Alternative names
.Pq Dq SAN
for the domain name.
The number of SAN entries is limited by
-.Dq Let's Encrypt
+.Qq Let's Encrypt
to 100 or so.
.El
.Pp
@@ -159,21 +158,22 @@ In this, the
is the ACME server for Let's Encrypt.
.Bl -enum
.It
-Access the CA (unauthenticated) and requests its list of resources.
+Access the CA (unauthenticated) and request its list of resources.
.It
Optionally create and register a new RSA account key.
.It
Read and process the RSA account key.
This is used to authenticate each subsequent communication to the CA.
.It
-For each domain name,
-.Bl -enum
+For each domain name:
+.Pp
+.Bl -enum -compact
.It
-submit a challenge for authentication to the CA,
+submit a challenge for authentication to the CA
.It
-create a challenge response file,
+create a challenge response file
.It
-wait until the CA has verified the challenge.
+wait until the CA has verified the challenge
.El
.It
Read and extract the domain key.
@@ -193,7 +193,7 @@ Download the certificate chain from the issuer.
The revocation sequence is similar:
.Bl -enum
.It
-Request list of resources, manage RSA account key as in the case for
+Request a list of resources, and manage the RSA account key as in the case for
signing.
.It
Read and extract the X509 certificate (if found).
@@ -243,7 +243,7 @@ These are all created as the root user with mode 444.
The
.Pa cert.pem
file, if found, is checked for its expiration: if more than 30 days from
-expiring,
+expiry,
.Nm
will not attempt to refresh the signature.
.Sh EXIT STATUS