shithub: acmed

ref: 4ab0e6e7237a631dc096603c18a154b6d7669947
dir: /aclient.man/

View raw version
.TH ACLIENT 1
.SH NAME
aclient \- acme certificate client
.SH SYNOPSIS
.B aclient
[
.B -o
.I outdir
]
[
.B -p
.I provider
]
[
.B -a
.I acctkey
]
[
.B c
.I csrkey
]
[
.B w
.I chaldir
]
.I acctname
.I domain
.SH DESCRIPTION
Aclient fetches and renews TLS certificates
using the
.I acme
protocol.
It requires a pregenerated account key
and certificate signing key.
.PP
There are a number of options.
.TP
.B -o
.I outdir
Specifies that the signed certificate is placed in
.I outdir
in place of the default
.IR /sys/lib/tls/acme/ .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.IR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider
.TP
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.IR /sys/lib/tls/acme/$acctname.pub .
The key must be a
.I jwk
formatted RSA key.
.TP
.B c
.I csrkey
Specifies that
.I csrkey
is used to produce the CSR sent to
.I provider
in place of the default
.IR /sys/lib/tls/acme/$domain.key .
The key must be a plan 9 formatted
RSA key suitable for
.IR aux/rsa2csr .
.TP
.B w
.I chaldir
Specifies that the challenge is written out to
.IR chaldir .
For HTTP challenges, this defaults to
.IR /usr/web/.well-known/acme-challenge/ .
.SH EXAMPLES
Before
.B aclient
is run, the keys must be generated.
.IP
.EX
auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' |
	tee /sys/lib/acme/me@example.org.priv |
	auth/rsa2jwk > /sys/lib/acme/me@example.org.pub
auth/rsagen -t 'service=tls owner=*'
	>/sys/lib/acme/mydomain.com.key
.EE
.PP
This need only be run once.
Once the keys are generated, they should be loaded into factotum:
.IP
.EX
cat /sys/lib/acme/mydomain.com.key >/mnt/factotum/ctl
cat /sys/lib/acme/me@example.org.priv >/mnt/factotum/ctl
.EE
.PP
The certificate for the domain can now be fetched:
.IP
.EX
aclient me@example.org mydomain.com
.EE
.SH SOURCE
.B /sys/src/cmd/$somewhere/aclient.c
.SH BUGS
.I Aclient only supports HTTP challenges that are
placed in static directories.
It should add support for DNS challenges, and provide
a way for a script to be invoked while handling them.