ref: 8322a4dd98640ddf36741db9aaa4315b22045b18
dir: /acmed.man/
.TH ACMED 8
.SH NAME
acmed \- acme certificate client
.SH SYNOPSIS
.B acmed
[
.B -o
.I outdir
] [
.B -p
.I provider
] [
.B -a
.I acctkey
] [ [
.B e
.I chalcmd
] [
.B w
.I chaldir
]
.I acctname
.I csr
.SH DESCRIPTION
Acmed fetches and renews TLS certificates using the
.I acme
protocol.
It requires a pregenerated account key and certificate signing key.
.PP
There are a number of options.
.TP
.B -o
.I outdir
Specifies that the signed certificate is placed in
.I outdir
in place of the default
.IR /sys/lib/tls/acme/ .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.IR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider.
.TP
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.IR /sys/lib/tls/acme/$acctname.pub .
The key must be a
.I jwk
formatted RSA key.
.TP
.B c
.I csrkey
Specifies that
.I csrkey
is used to produce the CSR sent to
.I provider
in place of the default
.IR /sys/lib/tls/acme/$domain.key .
The key must be a Plan 9 formatted RSA key suitable for
.IR aux/rsa2csr .
.TP
.B w
.I chaldir
Specifies that the challenge is written out to
.IR chaldir .
For HTTP challenges, this defaults to
.IR /usr/web/.well-known/acme-challenge/ .
.SH EXAMPLES
Before
.B acmed
is run, the keys must be generated.
.IP
.EX
auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' \\
	| tee >{auth/rsa2jwk \\
		>/sys/lib/tls/acmed/me@example.org.pub} | ipso -r -l factotum
auth/rsagen -t 'service=tls owner=*' \\
	| tee >{auth/rsa2csr 'CN=mydomain.com' \\
		>/sys/lib/tls/acmed/mydomain.com.csr} \\
	| ipso -r -l factotum
.EE
.PP
This need only be run once.
.PP
The certificate for the domain can now be fetched:
.IP
.EX
acmed me@example.org mydomain.com \\
	>/sys/lib/tls/acmed/mydomain.com.crt
.EE
.SH SOURCE
.B /sys/src/cmd/$somewhere/acmed.c
.SH BUGS
.I Acmed
only supports HTTP challenges that are placed in static directories.
It should add support for DNS challenges,
and provide a way for a script to be invoked while handling them.
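.PP
For the HTTP challenges described above, RFC 8555 defines the content of the file served from the challenge directory as the key authorization: the token, a dot, and the RFC 7638 thumbprint of the jwk account key. The Python below is an added example, not code from acmed; the sample key, the sample token and all function names are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed sample values, not a real account key or a real challenge token.
SAMPLE_JWK = {"kty": "RSA", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri", "e": "AQAB"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an RSA public JWK."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA account keys are handled here")
    # Hash only the required members, sorted by name, with no whitespace,
    # so optional members such as "alg" or "kid" cannot change the result.
    required = {name: jwk[name] for name in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Expected body of the challenge file: token '.' thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def challenge_path(chaldir: str, token: str) -> str:
    """Path of the challenge file inside the static challenge directory."""
    # RFC 8555 restricts tokens to the base64url alphabet; rejecting anything
    # else keeps '/' and '..' from a provider response out of the file name.
    if not token or not set(token) <= B64URL_ALPHABET:
        raise ValueError("token is not base64url")
    return chaldir.rstrip("/") + "/" + token


if __name__ == "__main__":
    print(challenge_path("/usr/web/.well-known/acme-challenge/", SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```

Comparing this value with what the web server actually returns for the challenge URL is a quick check that the static directory is served unmodified.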