.\" $OpenBSD: acme-client.1,v 1.42 2023/05/16 09:02:50 espie Exp $
.\"
.\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: May 16 2023 $
.Dt ACME-CLIENT 1
.Os
.Sh NAME
.Nm acme-client
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
.Op Fl Fnrv
.Op Fl f Ar configfile
.Ar handle
.Sh DESCRIPTION
.Nm
is an
Automatic Certificate Management Environment (ACME) client:
it looks in its configuration for a domain section
corresponding to the
.Ar handle
given as command line argument
and uses that configuration to retrieve an X.509 certificate
which can be used to provide domain name validation
(i.e. prove that the domain is who it says it is).
The certificates are typically used to provide HTTPS for web servers,
but can be used in any situation where domain name validation is required
(such as mail servers).
.Pp
If the certificate already exists and is less than 30 days from expiry,
.Nm
attempts to renew the certificate.
.Pp
In order to prove that the client has access to the domain,
a challenge is issued by the signing authority.
.Nm
implements the
.Dq http-01
challenge type, where a file is created within a directory accessible
by a locally run web server.
The default challenge directory
.Pa /var/www/acme
can be served by
.Xr httpd 8
with this location block,
which will properly map response challenges:
.Bd -literal -offset indent
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
.Ed
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl F
Force certificate renewal, even if it has more than 30 days
validity.
.It Fl f Ar configfile
Specify an alternative configuration file.
.It Fl n
No operation: check and print configuration.
.It Fl r
Revoke the X.509 certificate.
.It Fl v
Verbose operation.
Specify twice to also trace communication and data transfers.
.It Ar handle
The handle of the domain section of the configuration that contains the
details of the certificate to be created, renewed or revoked.
.El
.Sh FILES
.Bl -tag -width "/etc/acme-client.conf" -compact
.It Pa /etc/acme
Private keys for
.Nm .
.It Pa /etc/acme-client.conf
Default configuration.
.It Pa /var/www/acme
Default challengedir.
.El
.Sh EXIT STATUS
.Nm
returns 0 if certificates were changed (revoked or updated),
1 on failure,
or
2 if the certificates didn't change (up to date).
.Sh EXAMPLES
Example configuration files for
.Nm
and
.Xr httpd 8
are provided in
.Pa /etc/examples/acme-client.conf
and
.Pa /etc/examples/httpd.conf .
.Pp
To generate a certificate for example.com and use it to provide HTTPS,
create
.Pa acme-client.conf
and
.Pa httpd.conf
and run:
.Pp
.Dl # acme-client -v example.com && rcctl reload httpd
.Pp
A
.Xr cron 8
job can renew the certificate as necessary.
On renewal,
.Xr httpd 8
is reloaded:
.Bd -literal -offset indent
~ * * * * acme-client example.com && rcctl reload httpd
.Ed
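.Pp
The cron line above reloads
.Xr httpd 8
only when
.Nm
exits 0, and it does not distinguish an exit status of 1 (failure)
from 2 (up to date): both simply skip the reload.
As an added example that is not part of
.Nm
or of this manual, the following script runs several handles from one
job, reloads
.Xr httpd 8
once if any certificate changed, and exits non-zero on any failure so that
.Xr cron 8
reports it.
The variables ACME_CLIENT and RELOAD_CMD and the script name
acme-renew.sh are hypothetical, and the handles are constructed.

```shell
#!/bin/sh
# Renew several acme-client(1) handles from one cron job, reload httpd only
# when at least one certificate actually changed, and exit non-zero if any
# handle failed so cron reports the failure instead of silently skipping it.
# acme-client exit status: 0 changed, 1 failure, 2 already up to date.
#
# ACME_CLIENT and RELOAD_CMD are hypothetical overrides (not acme-client
# options) so the logic can be exercised without contacting an ACME server.
ACME_CLIENT="${ACME_CLIENT:-acme-client}"
RELOAD_CMD="${RELOAD_CMD:-rcctl reload httpd}"

# renew_handles HANDLE...: run acme-client for each handle in turn.
# Sets CHANGED to the number of certificates that changed and FAILED to the
# handles that failed; returns 0 if nothing failed, 1 otherwise.
renew_handles() {
    CHANGED=0
    FAILED=""
    for handle in "$@"; do
        # capture the status without tripping set -e in callers
        $ACME_CLIENT "$handle" && status=0 || status=$?
        case $status in
        0) CHANGED=$((CHANGED + 1)) ;;      # renewed or newly issued
        2) ;;                               # up to date, nothing to do
        *) FAILED="$FAILED $handle" ;;      # failure (1) or unexpected code
        esac
    done
    [ -z "$FAILED" ]
}

# run HANDLE...: renew, reload httpd at most once, surface failures to cron.
run() {
    renew_handles "$@" && rc=0 || rc=$?
    if [ "$CHANGED" -gt 0 ]; then
        $RELOAD_CMD || return 1
    fi
    if [ "$rc" -ne 0 ]; then
        echo "acme-client failed for:$FAILED" >&2
    fi
    return "$rc"
}

# Daily from crontab(5); the handles are constructed examples:
#   ~ 1 * * * /usr/local/sbin/acme-renew.sh example.com mail.example.com
case "${0##*/}" in
acme-renew.sh) run "$@" ;;
esac
```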
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr acme-client.conf 5 ,
.Xr httpd.conf 5 ,
.Xr ssl 8
.Sh STANDARDS
.Rs
.%A R. Barnes
.%A J. Hoffman-Andrews
.%A D. McCarney
.%A J. Kasten
.%D March 2019
.%R RFC 8555
.%T Automatic Certificate Management Environment (ACME)
.Re
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 6.1 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Kristaps Dzonsons Aq Mt kristaps@bsd.lv .
.Sh CAVEATS
The usual ACME service providers are notoriously picky about
authenticating rules, and yield fairly long time-outs after just a
few invalid attempts.
It is strongly suggested to first validate a configuration with a
staging server before moving an official certificate validation
workflow to
.Xr crontab 5
status.