ACME-CLIENT(1) FreeBSD General Commands Manual ACME-CLIENT(1)
NAME
acme-client - ACME client
SYNOPSIS
acme-client [-Fnrv] [-f configfile] handle
DESCRIPTION
acme-client is an Automatic Certificate Management Environment (ACME)
client: it looks in its configuration for a domain section corresponding
to the handle given as command line argument and uses that configuration
to retrieve an X.509 certificate which can be used to provide domain name
validation (i.e. prove that the server presenting it controls the domain
name). The certificates are typically used to provide HTTPS for web
servers, but can be used in any situation where domain name validation is
required (such as mail servers).
If the certificate already exists and is less than 30 days from expiry,
acme-client attempts to renew the certificate.
In order to prove that the client controls the domain, a challenge is
issued by the certificate authority. acme-client implements the "http-01"
challenge type, where a file is created within a directory accessible by
a locally run web server; the authority then fetches that file over plain
HTTP (port 80) at /.well-known/acme-challenge/<token>. The default
challenge directory /var/www/acme can be served by httpd(8) with this
location block, which maps challenge requests onto that directory ("/acme"
is relative to httpd's chroot, /var/www, and "request strip 2" drops the
two leading path components so the token is looked up directly):

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
The options are as follows:
-F Force certificate renewal, even if it has more than 30 days
validity.
-f configfile
Specify an alternative configuration file.
-n No operation: check and print configuration.
-r Revoke the X.509 certificate.
-v Verbose operation. Specify twice to also trace communication and
data transfers.
handle The handle of the domain section of the configuration that
contains the details of the certificate to be created, renewed or
revoked.
FILES
/etc/acme              Private keys for acme-client.
/etc/acme-client.conf  Default configuration.
/var/www/acme          Default challenge directory.
EXIT STATUS
acme-client returns 0 if certificates were changed (revoked or updated),
1 on failure, or 2 if the certificates didn't change (up to date).
EXAMPLES
Example configuration files for acme-client and httpd(8) are provided in
/etc/examples/acme-client.conf and /etc/examples/httpd.conf.
To generate a certificate for example.com and use it to provide HTTPS,
create acme-client.conf and httpd.conf and run:
# acme-client -v example.com && rcctl reload httpd
A cron(8) job can renew the certificate as necessary. Because acme-client
exits 2 when the certificate is still current, the && below reloads
httpd(8) only after a successful renewal (exit status 0); the ~ in the
minute field selects a random minute on systems whose crontab(5) supports
it:
~ * * * * acme-client example.com && rcctl reload httpd
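The one-liner above treats a failure (exit 1) and an up-to-date
certificate (exit 2) the same way: neither reloads httpd, and a broken
renewal goes unnoticed until the certificate expires. The wrapper below is
an added example (not part of acme-client or its examples) that acts on
each documented exit status separately; it assumes an OpenBSD-style system
with rcctl(8), and the ACME and RELOAD variables are assumed hooks so the
logic can be exercised without a real CA.

```shell
#!/bin/sh
# Added example, not part of acme-client: a cron wrapper that acts on
# each documented acme-client(1) exit status.
#   0  certificate changed  -> reload httpd
#   2  certificate current  -> nothing to do, exit 0 so cron stays quiet
#   1  failure              -> report on stderr (cron mails it), exit 1
# ACME and RELOAD are assumed hooks, overridable for testing; the defaults
# assume an OpenBSD-style system with rcctl(8).

ACME=${ACME:-acme-client}
RELOAD=${RELOAD:-"rcctl reload httpd"}

renew_and_reload() {
    handle=$1

    $ACME "$handle"
    rc=$?

    case $rc in
    0)
        echo "acme-renew: certificate for $handle changed, reloading httpd" >&2
        # The function's status is the reload's status, so a failed
        # reload is also reported by cron.
        $RELOAD
        ;;
    2)
        # Up to date: success from cron's point of view, no output.
        return 0
        ;;
    *)
        echo "acme-renew: acme-client $handle failed with status $rc" >&2
        return 1
        ;;
    esac
}

# Usage from crontab(5), once installed as e.g. /usr/local/sbin/acme-renew
# (assumed path); "~" picks a random minute where crontab(5) supports it:
#   ~ * * * * /usr/local/sbin/acme-renew example.com
if [ $# -gt 0 ]; then
    renew_and_reload "$1"
fi
```

Since cron only mails when a job writes output or, depending on the
installation, exits non-zero, keeping the up-to-date case silent and the
failure case loud is what makes a broken renewal visible before the
30-day window runs out.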
SEE ALSO
openssl(1), acme-client.conf(5), httpd.conf(5), ssl(8)
STANDARDS
R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, Automatic
Certificate Management Environment (ACME), RFC 8555, March 2019.
HISTORY
The acme-client utility first appeared in OpenBSD 6.1.
AUTHORS
The acme-client utility was written by Kristaps Dzonsons.
CAVEATS
The usual ACME service providers enforce strict validation rules and rate
limits: a few invalid attempts can lock an account or domain name out for
a considerable time. It is strongly suggested to first validate a
configuration with a staging server before moving an official certificate
validation workflow to crontab(5).
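One way to follow that advice is to declare both a production and a
staging authority in acme-client.conf(5) and point the domain at the
staging one until "acme-client -n" accepts the file and a staging run
succeeds. The fragment below is an added example, not the project's
/etc/examples/acme-client.conf; the Let's Encrypt directory URLs are
the public ones, while the example.com paths and key file names are
assumptions.

```conf
# Added example, not the project's /etc/examples/acme-client.conf.
# Directory URLs are Let's Encrypt's public endpoints; the key and
# certificate paths below are assumed.

authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

# Separate account key: accounts are not shared between the two servers.
authority letsencrypt-staging {
	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain example.com {
	alternative names { www.example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	# Start against staging; change to "sign with letsencrypt" once
	# "acme-client -n example.com" and "acme-client -v example.com"
	# both succeed without a challenge failure.
	sign with letsencrypt-staging
}
```

Certificates issued by the staging server chain to an untrusted test root,
so browsers will reject them; they are for checking that the challenge
directory, httpd(8) location block and file paths are correct, not for
serving. Switch the "sign with" line to the production authority and run
acme-client with -F once to replace the staging certificate.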
FreeBSD 14.1-RELEASE-p8 May 16, 2023 FreeBSD 14.1-RELEASE-p8