.\" $OpenBSD: acme-client.1,v 1.29 2019/02/03 20:39:35 jmc Exp $ .\" .\" Copyright (c) 2016 Kristaps Dzonsons .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd $Mdocdate: February 3 2019 $ .Dt ACME-CLIENT 1 .Os .Sh NAME .Nm acme-client .Nd ACME client .Sh SYNOPSIS .Nm acme-client .Op Fl ADFnrv .Op Fl f Ar configfile .Ar domain .Sh DESCRIPTION .Nm is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the .Ar domain given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation (i.e. prove that the domain is who it says it is). The certificates are typically used to provide HTTPS for web servers, but can be used in any situation where domain name validation is required (such as mail servers). .Pp Before a certificate can be requested, an account key needs to be created using the .Fl A argument. The first time a certificate is requested, a domain key needs to be created with .Fl D . So a typical invocation the first time it's run would be: .Pp .Dl # acme-client -ADv example.com .Pp If the certificate already exists and is less than 30 days from expiry, .Nm attempts to renew the certificate. .Pp In order to prove that the client has access to the domain, a challenge is issued by the signing authority. .Nm implements the .Dq http-01 challenge type, where a file is created within a directory accessible by a locally run web server. The default challenge directory .Pa /var/www/acme can be served by .Xr httpd 8 with this location block, which will properly map response challenges: .Bd -literal -offset indent location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } .Ed .Pp The options are as follows: .Bl -tag -width Ds .It Fl A Create a new RSA account key if one does not already exist. .It Fl D Create a new RSA domain key if one does not already exist. .It Fl F Force certificate renewal, even if it's too soon. .It Fl f Ar configfile Specify an alternative configuration file. .It Fl n No operation: check and print configuration. .It Fl r Revoke the X.509 certificate. .It Fl v Verbose operation. Specify twice to also trace communication and data transfers. .It Ar domain The domain name. .El .Sh FILES .Bl -tag -width "/etc/acme-client.conf" -compact .It Pa /etc/acme Private keys for .Nm . .It Pa /etc/acme-client.conf Default configuration. .It Pa /var/www/acme Default challengedir. .El .Sh EXIT STATUS .Nm returns 0 if certificates were changed (revoked or updated), 1 on failure, or 2 if the certificates didn't change (up to date). .Sh EXAMPLES Example configuration files for .Nm and .Xr httpd 8 are provided in .Pa /etc/examples/acme-client.conf and .Pa /etc/examples/httpd.conf . .Pp To generate a certificate for example.com and use it to provide HTTPS, create .Pa acme-client.conf and .Pa httpd.conf and run: .Pp .Dl # acme-client -ADv example.com && rcctl reload httpd .Pp A .Xr cron 8 job can renew the certificate as necessary. On renewal, .Xr httpd 8 is reloaded: .Bd -literal -offset indent 0 * * * * sleep $((RANDOM \e% 2048)) && \e acme-client example.com && rcctl reload httpd .Ed .Sh SEE ALSO .Xr openssl 1 , .Xr acme-client.conf 5 , .Xr httpd.conf 5 .Sh STANDARDS .Rs .%U https://tools.ietf.org/html/draft-ietf-acme-acme-03 .%T Automatic Certificate Management Environment (ACME) .Re .Sh HISTORY The .Nm utility first appeared in .Ox 6.1 . .Sh AUTHORS The .Nm utility was written by .An Kristaps Dzonsons Aq Mt kristaps@bsd.lv . .Sh BUGS The challenge and certificate processes currently retain their (root) privileges. .Pp For the time being, .Nm only supports RSA as an account key format.