.\" $OpenBSD: acme-client.1,v 1.42 2023/05/16 09:02:50 espie Exp $
.\"
.\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: May 16 2023 $
.Dt ACME-CLIENT 1
.Os
.Sh NAME
.Nm acme-client
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
.Op Fl Fnrv
.Op Fl f Ar configfile
.Ar handle
.Sh DESCRIPTION
.Nm
is an
Automatic Certificate Management Environment (ACME) client:
it looks in its configuration for a domain section
corresponding to the
.Ar handle
given as command line argument
and uses that configuration to retrieve an X.509 certificate
which can be used to provide domain name validation
(i.e. prove that the domain is who it says it is).
The certificates are typically used to provide HTTPS for web servers,
but can be used in any situation where domain name validation is required
(such as mail servers).
.Pp
If the certificate already exists and is less than 30 days from expiry,
.Nm
attempts to renew the certificate.
.Pp
In order to prove that the client has access to the domain,
a challenge is issued by the signing authority.
.Nm
implements the
.Dq http-01
challenge type, where a file is created within a directory accessible
by a locally run web server.
The default challenge directory
.Pa /var/www/acme
can be served by
.Xr httpd 8
with this location block,
which will properly map response challenges:
.Bd -literal -offset indent
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}
.Ed
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl F
Force certificate renewal, even if it has more than 30 days
validity.
.It Fl f Ar configfile
Specify an alternative configuration file.
.It Fl n
No operation: check and print configuration.
.It Fl r
Revoke the X.509 certificate.
.It Fl v
Verbose operation.
Specify twice to also trace communication and data transfers.
.It Ar handle
The handle of the domain section of the configuration that contains the
details of the certificate to be created, renewed or revoked.
.El
.Sh FILES
.Bl -tag -width "/etc/acme-client.conf" -compact
.It Pa /etc/acme
Private keys for
.Nm .
.It Pa /etc/acme-client.conf
Default configuration.
.It Pa /var/www/acme
Default challengedir.
.El
.Sh EXIT STATUS
.Nm
returns 0 if certificates were changed (revoked or updated),
1 on failure,
or
2 if the certificates didn't change (up to date).
.Sh EXAMPLES
Example configuration files for
.Nm
and
.Xr httpd 8
are provided in
.Pa /etc/examples/acme-client.conf
and
.Pa /etc/examples/httpd.conf .
.Pp
To generate a certificate for example.com and use it to provide HTTPS,
create
.Pa acme-client.conf
and
.Pa httpd.conf
and run:
.Pp
.Dl # acme-client -v example.com && rcctl reload httpd
.Pp
A
.Xr cron 8
job can renew the certificate as necessary.
On renewal,
.Xr httpd 8
is reloaded:
.Bd -literal -offset indent
~ * * * * acme-client example.com && rcctl reload httpd
.Ed
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr acme-client.conf 5 ,
.Xr httpd.conf 5 ,
.Xr ssl 8
.Sh STANDARDS
.Rs
.%A R. Barnes
.%A J. Hoffman-Andrews
.%A D. McCarney
.%A J. Kasten
.%D March 2019
.%R RFC 8555
.%T Automatic Certificate Management Environment (ACME)
.Re
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 6.1 .
.Sh AUTHORS
The
.Nm
utility was written by
.An Kristaps Dzonsons Aq Mt kristaps@bsd.lv .
.Sh CAVEATS
The usual ACME service providers are notoriously picky about
authenticating rules, and yield fairly long time-outs after just a
few invalid attempts.
It is strongly suggested to first validate a configuration with a
staging server before moving an official certificate validation
workflow to
.Xr crontab 5
status.
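As an added illustration (not part of acme-client(1) or OpenBSD), the script below works through the http-01 mapping from the DESCRIPTION and gives a pre-flight check to run before handing renewal to cron, as the CAVEATS recommend. It assumes the location block shown above (root "/acme", request strip 2), the default challengedir /var/www/acme, and that httpd(8) runs in its default /var/www chroot.

```shell
#!/bin/sh
# Added example, not part of acme-client(1) or OpenBSD: pre-flight check
# for the http-01 challenge mapping.  Assumptions: httpd(8) location block
# with root "/acme" and "request strip 2", challengedir /var/www/acme,
# and httpd(8) chrooted to /var/www (the OpenBSD default).

CHROOT=/var/www               # assumed httpd(8) chroot
CHALLENGE_DIR=/var/www/acme   # default challengedir from FILES

# Compute the file httpd(8) would serve for a request path under that
# location block: the path must match the pattern, the two leading
# components (.well-known, acme-challenge) are stripped, and the rest is
# looked up under root "/acme" inside the chroot.  Prints the absolute
# host path, or returns 1 if the request is not a plain challenge token.
challenge_file_for() {
    req=$1
    case $req in
        /.well-known/acme-challenge/*) ;;
        *) return 1 ;;
    esac
    token=${req#/.well-known/acme-challenge/}
    # A token is exactly one path component; refuse empty, nested or dot
    # names rather than guessing how the server would resolve them.
    case $token in
        ''|*/*|.|..) return 1 ;;
    esac
    printf '%s/acme/%s\n' "$CHROOT" "$token"
}

# Live check (needs root and a running httpd(8)): write a throwaway token
# into the challenge directory and fetch it back through the web server,
# the same round trip the ACME server makes for http-01.
probe_challenge() {
    host=$1
    token=$(openssl rand -hex 16)          # constructed token name
    printf 'probe\n' > "$CHALLENGE_DIR/$token" || return 1
    expect=$(challenge_file_for "/.well-known/acme-challenge/$token")
    if [ "$expect" != "$CHALLENGE_DIR/$token" ]; then
        rm -f "$CHALLENGE_DIR/$token"; return 1   # config constants disagree
    fi
    got=$(ftp -o - "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$CHALLENGE_DIR/$token"
    [ "$got" = probe ]
}

# Usage (as root, on the host the domain resolves to):
#   probe_challenge example.com && echo "http-01 mapping works"
```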