shithub: acmed

ref: b96a6c3ebfde70209c94154454b002d1a74bfb7f
dir: /acmed.man/

View raw version
.TH ACMED 8
.SH NAME
acmed \- acme certificate client
.SH SYNOPSIS
.B acmed
[
.B -a
.I acctkey
]
[
.B -d
.I domain
]
[
.B -o
.I chalout
]
[
.B -p
.I provider
]
[
.B -t
.I type
]
.I acctname
.I csr
[
.I domain
]
.SH DESCRIPTION
Acmed fetches and renews TLS certificates
using the
.I acme (RFC8555)
protocol.
It requires a pregenerated account key
and certificate signing key.
.PP
There are a number of options.
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.IR /sys/lib/tls/acme/$acctname.pub .
The key must be a
.I jwk
formatted RSA key.
.TP
.B -d
specifies the domain name that will be used
for
.I DNS
challenges.
.TP
.B -o
.I chalout
specifies that the challenge material is
placed in the location
.IR chalout .
.IP
For HTTP challenges,
.I chalout
must be a directory that your choice of
.I httpd
will serve at
.IR http://domain.com/.well-known/acme-challenge .
For DNS challenges,
.I chalout
is a file that should be included in your
.I ndb
database.
.IP
If unspecified,
.I http
challenges will output to
.IR /usr/web/.well-known/acme-challenge ,
whle
.I dns
challenges will output to
.IR /lib/ndb/dnschallenge .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.IR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider
.TP
.B -t
.I type
Specifies that the challenge type. Supported challenge
types are currently
.I http
and
.IR dns .
.SH EXAMPLES
Before
.B acmed
is run, the keys must be generated.
.IP
.EX
auth/rsagen -t 'service=acme role=sign hash=sha256 [email protected]' \\
	| tee >{auth/rsa2jwk \\
		>/sys/lib/tls/acmed/[email protected]}
	| ipso -r -l factotum
auth/rsagen -t 'service=tls owner=*' \\
	| tee >{auth/rsa2csr 'CN=mydomain.com' \\
		>/sys/lib/tls/acmed/mydomain.com.csr} \\
	| ipso -r -l factotum
.EE
.PP
This need only be run once.
.EE
.PP
The certificate for the domain can now be fetched:
.IP
.EX
acmed [email protected] mydomain.com \\
	>/sys/lib/tls/acmed/mydomain.com.crt
.EE
.SH SOURCE
.B /sys/src/cmd/$somewhere/acmed.c
.SH BUGS
.I Acmed only supports HTTP challenges that are
placed in static directories.
It should add support for DNS challenges, and provide
a way for a script to be invoked while handling them.