plan9fox/sys/man/8/acmed
.TH ACMED 8
.SH NAME
auth/acmed \- acme certificate client
.SH SYNOPSIS
.B auth/acmed
[
.B -a
.I acctkey
]
[
.B -e
.I cmd
|
.B -o
.I chalout
.B -t
.I type
]
[
.B -p
.I provider
]
.I acctname
.I csr
>
.I crt
.SH DESCRIPTION
Acmed fetches and renews a TLS certificate
using the
.I ACME (RFC8555)
protocol.
It requires a pre-generated account key in
.IR factotum (4)
that is identified by
.I acctname
or an
.I acctkey
file.
It also needs a certificate signing request file
.I csr
in binary X.509 ASN.1/DER format
that contains the public key and subjects (domain names)
that we want to get a certificate for.
On success,
.I acmed
outputs the new certificate in
PEM format to standard output.
.PP
.I Acmed
accepts the following options:
.TP
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.BI /sys/lib/tls/acmed/ acctname .pub
file.
The key must be a JWK formatted RSA public key
(see
.IR rsa (8)).
.TP
.B -e
.I cmd
Specifies that an external command should be run to
install the challenge material.
The
.I cmd
is run with the following four arguments:
The challenge method,
the subject (domain),
the token,
and last the challenge response.
If
.I cmd
returns an error status,
it is assumed that it does not support the
challenge method for the given subject (domain)
and another method might be tried.
Because of this, the
.B -o
and
.B -t
options are unnecessary.
.TP
.B -o
.I chalout
Specifies that the challenge material is
placed in the location
.IR chalout .
Its behavior depends on the challenge type,
as specified with the
.B -t
flag.
.IP
For HTTP challenges,
.I chalout
must be a directory that your webserver will serve at
.br
.BI http:// mydomain.com /.well-known/acme-challenge .
.br
It defaults to
.BR /usr/web/.well-known/acme-challenge .
.IP
For DNS challenges,
.I chalout
is a file that should be included in your
.IR ndb (6)
database.
It defaults to
.BR /lib/ndb/dnschallenge .
.TP
.B -t
.I type
Specifies the challenge type. Supported challenge
types are currently
.B http
and
.BR dns .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.BR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider.
.SH EXAMPLES
Before
.I acmed
can be used, the account key must be generated:
.IP
.EX
auth/rsagen -t \\
'service=acme role=sign hash=sha256 acct=me@example.com' \\
> acct.key
auth/rsa2jwk acct.key > /sys/lib/tls/acmed/me@example.com.pub
.EE
.PP
Then the
.B acct.key
must be loaded into
.IR factotum (4).
It is recommended to put
.B acct.key
into
.IR secstore (1)
instead of saving it unencrypted on the file system.
.IP
.EX
cat acct.key > /mnt/factotum/ctl
.EE
.PP
On the TLS server side, you can generate an RSA key
and certificate signing request file like this:
.IP
.EX
auth/rsagen -t 'service=tls owner=*' > cert.key
auth/rsa2csr 'CN=mydomain.com' cert.key \\
> /sys/lib/tls/acmed/mydomain.com.csr
.EE
.PP
See
.IR rsa (8)
and
.IR tlssrv (8)
for more examples on how to use RSA keys.
.PP
The certificate for the domain can now be fetched.
This requires
.IR webfs (4)
to be mounted as the ACME protocol uses HTTP
to talk to the provider.
.IP
.EX
auth/acmed me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
> /sys/lib/tls/acmed/mydomain.com.crt
.EE
.PP
When using the DNS challenge method,
your DNS server
(see
.IR ndb (8))
must be configured,
and
.IR ndb (6)
must be set up to include the
.I chalout
file that
.I acmed
can write to:
.IP
.EX
database=
file=/net/ndb
file=/lib/ndb/local
file=/lib/ndb/common
file=/lib/ndb/dnschallenge
.EE
.PP
In addition, each domain that you want verified
needs to have a certificate authority authorization record
naming your ACME provider declared:
.IP
.EX
dom=mydomain.com caa=letsencrypt.org
.EE
.PP
Then
.I acmed
can be invoked to fetch the certificate using the
DNS challenge method:
.IP
.EX
auth/acmed -t dns me@example.com mydomain.com.csr \\
> /sys/lib/tls/acmed/mydomain.com.crt
.EE
.SH FILES
.BI /sys/lib/tls/acmed/ * .pub
Account public keys.
.SH SOURCE
.B /sys/src/cmd/auth/acmed.c
.SH SEE ALSO
.IR factotum (4),
.IR ndb (6),
.IR ndb (8),
.IR rsa (8),
.IR secstore (1),
.IR tlssrv (8),
.IR webfs (4).
.SH BUGS
.PP
When using DNS challenge,
the
.B -t
.B dns
method assumes that the DNS server runs
on the same machine as
.I acmed
and that it is mounted on
.B /net
and that we have hostowner permissions to
write the
.B refresh
command to
.BR /net/dns .
Also, when using multi-domain certificates,
the usable challenge methods might be different for
individual domains.
Using the
.B -e
.I cmd
option to customize the challenge installation procedure
can be used to work around this.
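As an added example that is not part of 9front or this manual, the following hook shows the shape of a command for the -e option as described above: acmed calls it with the method, domain, token and response, and a non-zero exit tells acmed to try another method for that domain, which is how a multi-domain certificate can mix http and dns challenges. It is written in POSIX sh so it can run outside Plan 9 (on 9front it would be an rc(1) script with the same logic); the paths, the served-domain list and the ndb txt record syntax are assumptions.

```shell
#!/bin/sh
# Hook for acmed -e (added example, not 9front code).
# Invoked as:  cmd METHOD DOMAIN TOKEN RESPONSE
# Exit status 0 = challenge material installed; non-zero = this hook
# cannot do METHOD for DOMAIN, so acmed may try the other method.
# Paths are assumptions that match the defaults of the -o option.
WEBROOT=${WEBROOT:-/usr/web/.well-known/acme-challenge}
DNSFILE=${DNSFILE:-/lib/ndb/dnschallenge}
DNSCTL=${DNSCTL:-/net/dns}

# Domains whose HTTP is served by this machine (constructed list);
# every other domain is handled through DNS instead.
served_by_http() {
	case "$1" in
	mydomain.com|www.mydomain.com) return 0 ;;
	esac
	return 1
}

install_challenge() {
	method=$1 domain=$2 token=$3 response=$4
	# RFC 8555 tokens are base64url; reject anything else (such as
	# "../x") before the token is used as a file name under WEBROOT.
	case "$token" in
	''|*[!A-Za-z0-9_-]*) return 1 ;;
	esac
	case "$method" in
	http)
		served_by_http "$domain" || return 1
		# http-01: the file named by the token holds the response
		printf '%s' "$response" > "$WEBROOT/$token" || return 1
		;;
	dns)
		# dns-01: publish the response as a TXT record through the
		# ndb(6) file that -o dns would otherwise write (syntax assumed)
		printf 'dom=_acme-challenge.%s txt=%s\n' \
			"$domain" "$response" >> "$DNSFILE" || return 1
		# ask the local dns server to reread its database, if we can
		if [ -w "$DNSCTL" ]; then echo refresh > "$DNSCTL"; fi
		;;
	*)
		return 1 ;;
	esac
	return 0
}

[ $# -eq 4 ] && install_challenge "$@"
```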
.PP
.B https://bugzilla.mozilla.org/show_bug.cgi?id=647959
.SH HISTORY
.PP
.I Auth/acmed
first appeared in 9front (Oct 2021)