.TH ACMED 8
.SH NAME
ip/acmed \- acme certificate client
.SH SYNOPSIS
.B ip/acmed
[
.B -a
.I acctkey
]
[
.B -o
.I chalout
]
[
.B -p
.I provider
]
[
.B -t
.I type
]
.I acctname
.I csr
[
.I domain
]
.SH DESCRIPTION
Acmed fetches and renews TLS certificates
using the
.I acme (RFC8555)
protocol.
It requires a pre-generated account key
and certificate signing key.
.PP
Acmed accepts the following options:
.TP
.B -a
.I acctkey
Specifies that
.I acctkey
is used to sign requests to the
.I provider
in place of the default
.IR /sys/lib/tls/acme/$acctname.pub .
The key must be a
.I jwk
formatted RSA key.
.TP
.B -o
.I chalout
Specifies that the challenge material is
placed in the location
.IR chalout .
Its behavior depends on the challenge type,
as specified with the
.B -t
flag.
.IP
For HTTP challenges,
.I chalout
must be a directory that your choice of
.I httpd
will serve at
.IR http://domain.com/.well-known/acme-challenge .
For DNS challenges,
.I chalout
is a file that should be included in your
.I ndb
database.
.IP
If unspecified,
.I http
challenges will output to
.IR /usr/web/.well-known/acme-challenge ,
while
.I dns
challenges will output to
.IR /lib/ndb/dnschallenge .
.TP
.B -p
.I provider
Specifies that
.I provider
is used as the provider URL, in place of the default
.IR https://acme-v02.api.letsencrypt.org/directory .
This must be the directory URL for the desired
.I RFC8555
compliant provider.
.TP
.B -t
.I type
Specifies the challenge type. Supported challenge
types are currently
.I http
and
.IR dns .
.SH EXAMPLES
Before
.B acmed
is run, the keys must be generated.
.IP
.EX
auth/rsagen -t 'service=acme role=sign hash=sha256 acct=me@example.org' \\
	>acct.key
auth/rsa2jwk acct.key >/sys/lib/tls/acmed/me@example.org.pub
auth/rsagen -t 'service=tls owner=*' >cert.key
auth/rsa2csr 'CN=mydomain.com' cert.key \\
	>/sys/lib/tls/acmed/mydomain.com.csr
.EE
.PP
This need only be run once.
.PP
The certificate for the domain can now be fetched:
.IP
.EX
ip/acmed me@example.org /sys/lib/tls/acmed/mydomain.com.csr \\
	>/sys/lib/tls/acmed/mydomain.com.crt
.EE
.PP
When using a DNS challenge, your DNS server must be
configured to include the DNS challenge file:
.IP
.EX
database=
	file=/net/ndb
	file=/lib/ndb/local
	file=/lib/ndb/common
	file=/lib/ndb/dnschallenge
.EE
.PP
And
.I acmed
must be invoked with the domain:
.IP
.EX
ip/acmed -t dns me@example.org mydomain.com.csr mydomain.com \\
	>mydomain.com.crt
.EE
.SH SEE ALSO
.IR rsa (8),
.IR srvtls (4).
.SH SOURCE
.B /sys/src/cmd/ip/acmed.c
.SH BUGS
.B https://bugzilla.mozilla.org/show_bug.cgi?id=647959
.SH HISTORY
.PP
Ip/acmed first appeared in 9front (Oct 2021).