ref: ac9970d30b5153298b96d551379f99923b4d1a57
dir: /aclient.man/
.TH ACLIENT 1
.SH NAME
aclient \- acme certificate client
.SH SYNOPSIS
.B aclient
[
.B -o
.I outdir
]
[
.B -p
.I provider
]
[
.B -a
.I acctkey
]
[
.B -c
.I csrkey
]
[
.B -w
.I chaldir
]
.I acctname
.I domain
.SH DESCRIPTION
Aclient fetches and renews TLS certificates using the
.I acme
protocol.
It requires a pregenerated account key and certificate signing key.
.PP
There are a number of options.
.TP
.B -o
.I outdir
Specifies that the signed certificate is placed in
.I outdir
in place of the default
.IR /sys/lib/tls/acme/ .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.IR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider.
.TP
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.IR /sys/lib/tls/acme/$acctname.pub .
The key must be a
.I jwk
formatted RSA key.
.TP
.B -c
.I csrkey
Specifies that
.I csrkey
is used to produce the CSR sent to
.I provider
in place of the default
.IR /sys/lib/tls/acme/$domain.key .
The key must be a Plan 9 formatted RSA key suitable for
.IR aux/rsa2csr .
.TP
.B -w
.I chaldir
Specifies that the challenge is written out to
.IR chaldir .
For HTTP challenges, this defaults to
.IR /usr/web/.well-known/acme-challenge/ .
.SH EXAMPLES
Before
.B aclient
is run, the keys must be generated.
.IP
.EX
auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' | tee /sys/lib/acme/me@example.org.priv | auth/rsa2jwk > /sys/lib/acme/me@example.org.pub
auth/rsagen -t 'service=tls owner=*' >/sys/lib/acme/mydomain.com.key
.EE
.PP
This need only be run once.
Once the keys are generated, they should be loaded into factotum:
.IP
.EX
cat /sys/lib/acme/mydomain.com.key >/mnt/factotum/ctl
cat /sys/lib/acme/me@example.org.priv >/mnt/factotum/ctl
.EE
.PP
The certificate for the domain can now be fetched:
.IP
.EX
aclient me@example.org mydomain.com
.EE
.SH SOURCE
.B /sys/src/cmd/$somewhere/aclient.c
.SH BUGS
.I Aclient
only supports HTTP challenges that are placed in static directories.
It should add support for DNS challenges, and provide a way for a script to be invoked while handling them.
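.PP
Under RFC 8555, the file served for an HTTP challenge is named after the challenge token and holds the token joined to the RFC 7638 thumbprint of the account's jwk public key. The Python check below is an added example, not part of aclient or its sources, for verifying a file found in the challenge directory; its function names and the sample key and token are constructed for illustration.
.EX
```python
# Added example (not aclient's code): RFC 8555 HTTP-01 key authorization check.
import base64, hashlib, json, os, re, tempfile

TOKEN_RE = re.compile("[A-Za-z0-9_-]+")  # base64url alphabet only (RFC 8555 8.3)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the required
    members only, sorted by name, serialized with no whitespace."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA account keys are handled here")
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canon = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())

def key_authorization(token, jwk):
    # Reject tokens that could escape the challenge directory when used as a name.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token has characters outside the base64url alphabet")
    return token + "." + jwk_thumbprint(jwk)

def challenge_file_ok(chaldir, token, jwk):
    """True if chaldir/token exists and holds exactly the key authorization."""
    expected = key_authorization(token, jwk)
    try:
        with open(os.path.join(chaldir, token), "r", encoding="ascii") as f:
            return f.read().strip() == expected
    except (OSError, UnicodeDecodeError):
        return False

# Constructed sample values; "n" is shortened and is not a usable modulus.
SAMPLE_JWK = {"use": "sig", "kty": "RSA", "e": "AQAB",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def demo():
    # Write a correct challenge file into a scratch directory, then verify it.
    with tempfile.TemporaryDirectory() as chaldir:
        with open(os.path.join(chaldir, SAMPLE_TOKEN), "w") as f:
            f.write(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
        return challenge_file_ok(chaldir, SAMPLE_TOKEN, SAMPLE_JWK)

if __name__ == "__main__":
    print(demo())
```
.EE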