ACME-CLIENT(1)                General Commands Manual               ACME-CLIENT(1)
NAME
     acme-client - ACME client
SYNOPSIS
     acme-client [-Fnrv] [-f configfile] handle
DESCRIPTION
     acme-client is an Automatic Certificate Management Environment (ACME)
     client: it looks in its configuration for a domain section corresponding
     to the handle given as command line argument and uses that configuration
     to retrieve an X.509 certificate which can be used to provide domain name
     validation (i.e. prove that the domain is who it says it is). The
     certificates are typically used to provide HTTPS for web servers, but can
     be used in any situation where domain name validation is required (such
     as mail servers).

     If the certificate already exists and is less than 30 days from expiry,
     acme-client attempts to renew the certificate.

     In order to prove that the client has access to the domain, a challenge
     is issued by the signing authority. acme-client implements the "http-01"
     challenge type, where a file is created within a directory accessible by
     a locally run web server. The default challenge directory /var/www/acme
     can be served by httpd(8) with this location block, which will properly
     map challenge responses:

           location "/.well-known/acme-challenge/*" {
                   root "/acme"
                   request strip 2
           }
     The options are as follows:

     -F
     -f configfile
     -n
     -r
     -v
EXIT STATUS
     acme-client returns 0 if certificates were changed (revoked or updated),
     1 on failure, or 2 if the certificates didn't change (up to date).
FILES
     Example configuration files for acme-client and httpd(8) are provided in
     /etc/examples/acme-client.conf and /etc/examples/httpd.conf.
EXAMPLES
     To generate a certificate for example.com and use it to provide HTTPS,
     create acme-client.conf and httpd.conf and run:

           # acme-client -v example.com && rcctl reload httpd

     A cron(8) job can renew the certificate as necessary. On renewal,
     httpd(8) is reloaded:

           ~ * * * * acme-client example.com && rcctl reload httpd
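     The crontab line above reloads httpd(8) only on exit status 0 and
     silently ignores status 1 (failure). The following wrapper is an added
     example, not part of acme-client(1) or OpenBSD: it acts on each of the
     three documented exit codes, and its challenge_file helper shows how the
     "request strip 2" location block maps an http-01 request path onto the
     default challenge directory. The script name, the ACME_CLIENT override
     and the domain are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the acme-client manual): cron wrapper that handles
# every documented acme-client exit status, plus a helper that reproduces
# httpd's "root /acme, request strip 2" mapping under the /var/www chroot.

# Map an http-01 request path to the file httpd(8) would serve.
# /.well-known/acme-challenge/TOKEN -> strip 2 components -> TOKEN
# -> root "/acme" inside chroot /var/www -> /var/www/acme/TOKEN
challenge_file() {
    path=${1#/}                 # drop the leading slash
    path=${path#*/}             # strip component 1 (.well-known)
    path=${path#*/}             # strip component 2 (acme-challenge)
    printf '%s\n' "/var/www/acme/$path"
}

# Translate an acme-client exit status into the action cron should take:
# 0 = certificate changed, 1 = failure, 2 = unchanged (up to date).
acme_action() {
    case "$1" in
        0) echo reload ;;
        1) echo alert ;;
        2) echo noop ;;
        *) echo unknown ;;
    esac
}

# Renew the handle given in $1. ACME_CLIENT is an assumed override so the
# wrapper can be pointed at a staging configuration or a test double.
renew() {
    ${ACME_CLIENT:-acme-client} "$1"
    status=$?
    case "$(acme_action "$status")" in
        reload) rcctl reload httpd ;;
        alert)  logger -p daemon.err "acme-client $1 failed (exit $status)" ;;
        noop)   ;;   # certificate still valid, nothing to do
        *)      logger -p daemon.warning "acme-client $1: unexpected exit $status" ;;
    esac
    return "$status"
}

# Run only when a handle is supplied, e.g. from crontab:
#   ~ * * * * /usr/local/sbin/acme-renew.sh example.com
case "${1:-}" in
    "") ;;
    *)  renew "$1" ;;
esac
```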
STANDARDS
     R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, Automatic
     Certificate Management Environment (ACME), RFC 8555, March 2019.
HISTORY
     The acme-client utility first appeared in OpenBSD 6.1.
AUTHORS
     The acme-client utility was written by Kristaps Dzonsons
     <kristaps@bsd.lv>.
CAVEATS
     The usual ACME service providers are notoriously picky about
     authenticating rules, and yield fairly long time-outs after just a few
     invalid attempts. It is strongly suggested to first validate a
     configuration with a staging server before moving an official
     certificate validation workflow to crontab(5) status.
OpenBSD                          May 16, 2023                           x86_64