Acmed fetches and renews a TLS certificate using the ACME (RFC8555)
protocol. It requires a pre-generated account key in factotum(4)
that is identified by acctname or an acctkey file. It also needs
a certificate signing request file csr in binary X.509 ASN.1/DER
format that contains the public key and subjects (domain
names) that we want to get a certificate for. On success, acmed
outputs the new certificate in PEM format to standard output.
Acmed accepts the following options:
-a acctkey Specifies that acctkey is used to sign requests to the
provider in place of the default /sys/lib/tls/acmed/acctname.pub
file. The key must be a JWK formatted RSA public key (see rsa(8)).
-e cmd Specifies that an external command should be run to install
the challenge material. The cmd is run with the following four
arguments: the challenge method, the subject (domain), the token,
and last the challenge response. If cmd returns an error status,
it is assumed that it does not support the challenge
method for the given subject (domain) and another method might
be tried. Because of this, the -o and -t options are unnecessary.
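The contract described above (four positional arguments, non-zero exit meaning "method unsupported, try another") is easy to get wrong in small ways, so here is an added example of an installer script for the -e option. It is not part of acmed or this manual page. It handles the http method by writing the challenge response under the same directory acmed uses by default for -o, refuses any other method with a non-zero status so acmed can fall back, and rejects tokens that are not plain base64url text, since the token becomes a file name and must not be allowed to escape the challenge directory. The ACME_WEBROOT environment variable is an assumption of this script, not an acmed feature.

```shell
#!/bin/sh
# Added example challenge installer for acmed's -e option.
# acmed runs it as:   cmd <method> <subject> <token> <response>
# Exit 0 means the challenge material is in place; any non-zero
# status tells acmed this method is unsupported for the subject.

# Assumed: directory the web server serves at
# http://<subject>/.well-known/acme-challenge (acmed's -o default).
WEBROOT="${ACME_WEBROOT:-/usr/web/.well-known/acme-challenge}"

# install_challenge METHOD SUBJECT TOKEN RESPONSE
# Returns 0 on success, 1 for an unsupported method or a bad token.
install_challenge() {
    method=$1
    subject=$2
    token=$3
    response=$4

    # The token is used as a file name. ACME tokens are base64url,
    # so anything else (empty, '/', '..', spaces) is rejected rather
    # than written somewhere outside WEBROOT.
    case $token in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac

    case $method in
    http)
        # Serve the key authorization as the body of
        # /.well-known/acme-challenge/<token> for this subject.
        mkdir -p "$WEBROOT" || return 1
        printf '%s' "$response" > "$WEBROOT/$token" || return 1
        return 0
        ;;
    *)
        # dns (and any other method) is not handled here; a non-zero
        # status lets acmed try a different challenge type.
        return 1
        ;;
    esac
}

# When invoked by acmed there are exactly four arguments; with none
# (e.g. when sourced) only the function is defined.
if [ $# -eq 4 ]; then
    install_challenge "$@"
    exit $?
fi
```

Used as, for example, `acmed -e /rc/bin/install-challenge acctname mydomain.csr > cert.pem` (the positional argument order is assumed here, since the synopsis is not reproduced above). The script should be executable and writable only by the user acmed runs as.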
-o chalout Specifies that the challenge material is placed in the
location chalout. Its behavior depends on the challenge type,
as specified with the -t flag.
For HTTP challenges, chalout must be a directory that your webserver
will serve at
http://mydomain.com/.well-known/acme-challenge.
It defaults to /usr/web/.well-known/acme-challenge.
For DNS challenges, chalout is a file that should be included
in your ndb(6) database. It defaults to /lib/ndb/dnschallenge.
-t type Specifies the challenge type. Supported challenge types
are currently http and dns.
-p provider Specifies that provider is used as the provider URL,
in place of the default https://acme-v02.api.letsencrypt.org/directory.
This must be the directory URL for the desired RFC8555 compliant
provider.