ref: aa8713e13b9f8de595b6c34015a9d068425fc9c4
dir: /acmed.man/
.TH ACLIENT 8 .SH NAME acmed \- acme certificate client .SH SYNOPSIS .B acmed [ .B -o .I outdir ] [ .B -p .I provider ] [ .B -a .I acctkey ] [ [ .B e .I chalcmd ] [ .B w .I chaldir ] .I acctname .I csr .SH DESCRIPTION Acmed fetches and renews TLS certificates using the .I acme protocol. It requires a pregenerated account key and certificate signing key. .PP There are a number of options. .TP .B -o .I outdir Specifies that the signed certificate is placed in .I outdir in place of the default .IR /sys/lib/tls/acme/ . .TP .B -p .I provider Specifies that .I provider is used as the provider URL, in place of the default .IR https://acme-v02.api.letsencrypt.org/directory . This must be the directory URL for the desired .I RFC8555 compliant provider .TP .B -a .I acctkey Specifies that .I acctkey is used to sign requests to the .I provider in place of the default .IR /sys/lib/tls/acme/$acctname.pub . The key must be a .I jwk formatted RSA key. .TP .B c .I csrkey Specifies that .I csrkey is used to produce the CSR sent to .I provider in place of the default .IR /sys/lib/tls/acme/$domain.key . The key must be a plan 9 formatted RSA key suitable for .IR aux/rsa2csr . .TP .B w .I chaldir Specifies that the challenge is written out to .IR chaldir . For HTTP challenges, this defaults to .IR /usr/web/.well-known/acme-challenge/ . .SH EXAMPLES Before .B acmed is run, the keys must be generated. .IP .EX auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' \\ | tee >{auth/rsa2jwk \\ >/sys/lib/tls/acmed/me@example.org.pub} | ipso -r -l factotum auth/rsagen -t 'service=tls owner=*' \\ | tee >{auth/rsa2csr 'CN=mydomain.com' \\ >/sys/lib/tls/acmed/mydomain.com.csr} \\ | ipso -r -l factotum .EE .PP This need only be run once. .EE .PP The certificate for the domain can now be fetched: .IP .EX acmed me@example.org mydomain.com \\ >/sys/lib/tls/acmed/mydomain.com.crt .EE .SH SOURCE .B /sys/src/cmd/$somewhere/acmed.c .SH BUGS .I Acmed only supports HTTP challenges that are placed in static directories. It should add support for DNS challenges, and provide a way for a script to be invoked while handling them.