Sortix
current nightly

Sortix volatile manual

This manual documents Sortix volatile, a development build that has not been officially released. You can instead view this document in the latest official manual.

NAME

acme-clientACME client

SYNOPSIS

acme-client [-Fnrv] [-f configfile] handle

DESCRIPTION

acme-client is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the handle given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation (i.e. prove that the domain is who it says it is). The certificates are typically used to provide HTTPS for web servers, but can be used in any situation where domain name validation is required (such as mail servers).
If the certificate already exists and is less than 30 days from expiry, acme-client attempts to renew the certificate.
In order to prove that the client has access to the domain, a challenge is issued by the signing authority. acme-client implements the “http-01” challenge type, where a file is created within a directory accessible by a locally run web server. The default challenge directory /var/www/acme can be served by nginx(8) with this location block, which will properly map response challenges:
location /.well-known/acme-challenge/ { 
	root /var/www/acme; 
	rewrite ^/.well-known/acme-challenge/(.*)$ /$1 break; 
}
The options are as follows:
-F
Force certificate renewal, even if it has more than 30 days validity.
-f configfile
Specify an alternative configuration file.
-n
No operation: check and print configuration.
-r
Revoke the X.509 certificate.
-v
Verbose operation. Specify twice to also trace communication and data transfers.
handle
The handle of the domain section of the configuration that contains the details of the certificate to be created, renewed or revoked.

FILES

/etc/acme
Private keys for acme-client.
/etc/acme-client.conf
Default configuration.
/var/www/acme
Default challengedir.

EXIT STATUS

acme-client returns 0 if certificates were changed (revoked or updated), 1 on failure, or 2 if the certificates didn't change (up to date).

EXAMPLES

Example configuration files for acme-client and nginx(8) are provided in /etc/examples/acme-client.conf, /etc/default/nginx/sites-available/acme, and /etc/default/nginx/sites-available/https.
Create a CAA DNS entry for the domain before obtaining the certificate, per the below security consideration.
To generate a certificate for example.com and use it to provide HTTPS, create acme-client.conf and configure nginx(8) with the acme site and invoke acme-client, and finally configure nginx(8) to use HTTPS:
mkdir -p /etc/nginx 
mkdir -p /etc/nginx/sites-available 
mkdir -p /etc/nginx/sites-enabled 
cp /etc/default/nginx/sites-available/acme /etc/nginx/sites-available/acme 
ln -s ../sites-available/acme /etc/nginx/sites-enabled/acme 
service nginx enable # or reload if already enabled 
 
cp /etc/examples/acme-client.conf /etc/acme-client.conf 
# edit /etc/acme-client.conf 
mkdir -p /var/www/acme 
mkdir -p /etc/letsencrypt/live/example.com 
acme-client -v example.com 
 
cp /etc/default/nginx/sites-available/https /etc/nginx/sites-available/example.com 
ln -s ../sites-available/example.com /etc/nginx/sites-enabled/example.com 
# edit /etc/nginx/sites-available/example.com 
service nginx reload
An init(5) daemon can renew the certificate as necessary. Create /etc/init/local-cert-example.com:
require network optional 
require nginx optional 
exec sh -c 'while true; do acme-client -v example.com && service nginx reload; eval "echo >&$READYFD"; sleep 24h; done'
Enable the renewal daemon by running:
service local-cert-example.com enable
On renewal, the daemon reloads nginx(8).

SEE ALSO

openssl(1), acme-client.conf(5), nginx(8)

STANDARDS

R. Barnes, J. Hoffman-Andrews, D. McCarney, and J. Kasten, Automatic Certificate Management Environment (ACME), RFC 8555, March 2019.

HISTORY

The acme-client utility first appeared in OpenBSD 6.1.

AUTHORS

The acme-client utility was written by Kristaps Dzonsons <kristaps@bsd.lv>.

CAVEATS

The usual ACME service providers are notoriously picky about authenticating rules, and yield fairly long time-outs after just a few invalid attempts. It is strongly suggested to first validate a configuration with a staging server before moving an official certificate validation workflow to crontab(5) status.

SECURITY CONSIDERATIONS

It's strongly recommended to have a CAA DNS entry for the domain, which states which certificate authorities are allowed to issue certificates for the domain. Otherwise an attacker might be able to obtain a certificates from a competing certificate authority with lesser security requirements.
Copyright 2011-2025 Jonas 'Sortie' Termansen and contributors.
Sortix's source code is free software under the ISC license. 		#sortix on irc.sortix.org
@sortix_org