.ie \n(.g .ds Aq \(aq

.el .ds Aq '

.nh

.ad l

uacme \- ACMEv2 client written in plain C with minimal dependencies

.sp

\fBuacme\fR [\fB\-a\fR|\fB\-\-acme\-url\fR \fIURL\fR] [\fB\-b\fR|\fB\-\-bits\fR \fIBITS\fR] [\fB\-c\fR|\fB\-\-confdir\fR \fIDIR\fR] [\fB\-d\fR|\fB\-\-days\fR \fIDAYS\fR] [\fB\-e\fR|\fB\-\-eab\fR KEYID:KEY] [\fB\-f\fR|\fB\-\-force\fR] [\fB\-h\fR|\fB\-\-hook\fR \fIPROGRAM\fR] [\fB\-i\fR|\fB\-\-no\-ari\fR] [\fB\-l\fR|\fB\-\-alternate\fR \fIN\fR | \fIFP\fR] [\fB\-m\fR|\fB\-\-must\-staple\fR] [\fB\-n\fR|\fB\-\-never\-create\fR] [\fB\-o\fR|\fB\-\-no\-ocsp\fR] [\fB\-p\fR|\fB\-\-profile\fR PROFILE] [\fB\-r\fR|\fB\-\-reason\fR CODE] [\fB\-s\fR|\fB\-\-staging\fR] [\fB\-t\fR|\fB\-\-type\fR \fBRSA\fR|\fBEC\fR] [\fB\-v\fR|\fB\-\-verbose\fR \&...] [\fB\-V\fR|\fB\-\-version\fR] [\fB\-y\fR|\fB\-\-yes\fR] [\fB\-?\fR|\fB\-\-help\fR] \fBnew\fR [\fIEMAIL\fR] | \fBupdate\fR [\fIEMAIL\fR] | \fBdeactivate\fR | \fBnewkey\fR | \fBissue\fR \fIIDENTIFIER\fR [\fIALTNAME\fR \&...]] | \fBissue\fR \fICSRFILE\fR | \fBrevoke\fR \fICERTFILE\fR [\fICERTKEYFILE\fR]

.sp

\fBuacme\fR is a client for the ACMEv2 protocol described in RFC8555, written in plain C with minimal dependencies (libcurl and one of GnuTLS, OpenSSL or mbedTLS)\&. The ACMEv2 protocol allows a Certificate Authority (https://letsencrypt\&.org is a popular one) and an applicant to automate the process of verification and certificate issuance\&. The protocol also provides facilities for other certificate management functions, such as certificate revocation\&. For more information see https://tools\&.ietf\&.org/html/rfc8555

.PP

\fB\-a, \-\-acme\-url\fR \fIURL\fR

.RS 4

ACMEv2 server directory object

\fIURL\fR\&. If not specified

uses one of the following:

.PP

.RS 4

production URL

.RE

.PP

.RS 4

staging URL (see

\fB\-s, \-\-staging\fR

below)

.RE

.RE

.PP

\fB\-b, \-\-bits\fR \fIBITS\fR

.RS 4

key bit length (default 2048 for RSA, 256 for EC)\&. Only applies to newly generated keys\&. RSA key length must be a multiple of 8 between 2048 and 8192\&. EC key length must be either 256 (\fBNID_X9_62_prime256v1\fR

curve) or 384 (\fBNID_secp384r1\fR

curve)\&.

.RE

.PP

\fB\-c, \-\-confdir\fR \fICONFDIR\fR

.RS 4

Use configuration directory

(default

\fI/etc/ssl/uacme\fR)\&. The structure is as follows (multiple

allowed)

.PP

.RS 4

ACME account private key

.RE

.PP

.RS 4

certificate key for

.RE

.PP

.RS 4

certificate for

.RE

.RE

.PP

\fB\-d, \-\-days\fR \fIDAYS\fR

.RS 4

Do not reissue certificates that are still valid for longer than

(default 30)\&. This only applies as a fallback if no server renewal information is available\&. See also

\fB\-i, \-\-no\-ari\fR

and

\fB\-o, \-\-no\-ocsp\fR\&.

.RE

.PP

\fB\-e, \-\-eab\fR \fIKEYID:KEY\fR

.RS 4

Specify RFC8555 External Account Binding credentials according to

https://tools\&.ietf\&.org/html/rfc8555#section\-7\&.3\&.4, in order to associate a new ACME account with an existing account in a non\-ACME system such as a CA customer database\&.

must be an ASCII string\&.

must be base64url\-encoded\&.

.RE

.PP

\fB\-f, \-\-force\fR

.RS 4

Force certificate reissuance regardless of expiration date and renewal information from the server\&.

.RE

.PP

\fB\-h, \-\-hook\fR \fIPROGRAM\fR

.RS 4

Challenge hook program\&. If not specified

interacts with the user for every ACME challenge, printing information about the challenge type, token and authorization on stderr\&. If specified

executes

(a binary, a shell script or any file that can be executed by the operating system) for every challenge with the following 5 string arguments:

.PP

.RS 4

one of

\fBbegin\fR,

or

\fBfailed\fR\&.

.PP

.RS 4

is called at the beginning of the challenge\&.

must return 0 to accept it\&. Any other return code declines the challenge\&. Neither

nor

method calls are made for declined challenges\&.

.RE

.PP

.RS 4

is called upon successful completion of an accepted challenge\&.

.RE

.PP

.RS 4

is called upon failure of an accepted challenge\&.

.RE

.RE

.PP

.RS 4

challenge type (\fBdns\-01\fR,

or

\fBtls\-alpn\-01\fR)

.RE

.PP

.RS 4

The identifier the challenge refers to

.RE

.PP

.RS 4

The challenge token

.RE

.PP

.RS 4

The key authorization (for

and

already converted to the base64url\-encoded SHA256 digest format)

.RE

.RE

.PP

\fB\-i, \-\-no\-ari\fR

.RS 4

Do not query or use the server\(cqs certificate renewal information window to decide whether to reissue an existing certificate\&. See also

\fB\-d, \-\-days\fR

and

\fB\-o, \-\-no\-ocsp\fR\&.

.RE

.PP

\fB\-l, \-\-alternate\fR \fIN\fR | \fIFP\fR

.RS 4

According to

https://tools\&.ietf\&.org/html/rfc8555#section\-7\&.4\&.2

the server MAY provide one or more additional certificate download URLs, each pointing to alternative certificate chains starting with the same end\-entity certificate\&. This option allows selecting one such chain in one of two ways\&. A positive integer

makes

select the Nth alternative chain in the order presented by the server\&. A colon (\fI:\fR) separated list of two or more 2\-digit hexadecimal numbers

makes

select the first alternative chain containing either a certificate whose SHA256 fingerprint begins with

\fIFP\fR, or a certificate in which the Authority Key Identifier extension contains a keyIdentifier field beginning with

\fIFP\fR\&. In all cases

falls back to the main certificate URL if it cannot match an alternative chain or the download thereof fails\&.

.RE

.PP

\fB\-m, \-\-must\-staple\fR

.RS 4

Request certificates with the RFC7633 Certificate Status Request TLS Feature Extension, informally also known as "OCSP Must\-Staple"\&. This option is ignored when using an externally supplied Certificate Signing Request file (see USAGE below)\&.

.RE

.PP

\fB\-n, \-\-never\-create\fR

.RS 4

By default

creates directories/keys if they do not exist\&. When this option is specified

never does so and instead exits with an error if anything required is missing\&.

.RE

.PP

\fB\-o, \-\-no\-ocsp\fR

.RS 4

When this flag is

specified and the certificate has an Authority Information Access extension with an OCSP server location according to

https://tools\&.ietf\&.org/html/rfc5280#section\-4\&.2\&.2\&.1

makes an OCSP request to the server; if the certificate is reported as revoked

forces reissuance regardless of the expiration date\&. See also

\fB\-d, \-\-days\fR\&.

.RE

.PP

\fB\-p, \-\-profile\fR \fIPROFILE\fR

.RS 4

If the server supports it, use

\fIPROFILE\fR, a collection of attributes about the certificate that will be issued, such as what extensions it will contain, how long it will be valid for, and more\&.

.RE

.PP

\fB\-r, \-\-reason\fR \fICODE\fR

.RS 4

Use

(default 0) as reason code in revocation requests\&. A list of values is at

https://tools\&.ietf\&.org/html/rfc5280#section\-5\&.3\&.1\&.

.RE

.PP

\fB\-s, \-\-staging\fR

.RS 4

Use Let\(cqs Encrypt staging URL for testing\&. This only works if

\fB\-a, \-\-acme\-url\fR

is

specified\&.

.RE

.PP

\fB\-t, \-\-type\fR=\fIRSA\fR | \fIEC\fR

.RS 4

Key type, either RSA or EC\&. Only applies to newly generated keys\&. The bit length can be specified with

\fB\-b, \-\-bits\fR\&.

.RE

.PP

\fB\-v, \-\-verbose\fR

.RS 4

By default

only produces output upon errors or when user interaction is required\&. When this option is specified

prints information about what is going on on stderr\&. This option can be specified more than once to increase verbosity\&.

.RE

.PP

\fB\-V, \-\-version\fR

.RS 4

Print program version on stderr and exit\&.

.RE

.PP

\fB\-y, \-\-yes\fR

.RS 4

Autoaccept ACME server terms (if any) upon new account creation\&.

.RE

.PP

\fB\-?, \-\-help\fR

.RS 4

Print a brief usage text on stderr and exit\&.

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBnew\fR [\fIEMAIL\fR]

.RS 4

Create a new ACME account with optional

contact\&. If the account private key does not exist at

a new key is generated unless

\fB\-n, \-\-never\-create\fR

is specified\&. A valid account must be created

any other operation can succeed (with the exception of certificate revocation requests signed by the certificate private key)\&. Any certificate issued by the ACME server is associated with a single account\&. An account can be associated with multiple certificates, subject of course to the rate limits imposed by the ACME server\&.

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBupdate\fR [\fIEMAIL\fR]

.RS 4

Update the

associated with the ACME account corresponding to the account private key\&. If

is not specified the account contact email is removed\&.

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBdeactivate\fR

.RS 4

Deactivate the ACME account corresponding to the account private key\&.

this action is irreversible\&. Users may wish to do this when the account key is compromised or decommissioned\&. A deactivated account can no longer request certificate issuances and revocations or access resources related to the account\&.

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBnewkey\fR

.RS 4

Change the ACME account private key\&. If the new account private key does not exist at

it is generated unless

\fB\-n, \-\-never\-create\fR

is specified\&. The new key is then submitted to the server and if the operation succeeds the old key is hardlinked to

before renaming

to

\fICONFDIR/private/key\&.pem\fR\&.

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBissue\fR \fIIDENTIFIER\fR [\fIALTNAME\fR \&...]

.RS 4

Issue a certificate for

with zero or more

\fIALTNAMEs\fR\&. If a certificate is already available at

for the specified

and

and is still valid for longer than

no action is taken unless

\fB\-f, \-\-force\fR

is specified or

\fB\-o, \-\-no\-ocsp\fR

is

specified and the certificate is reported as revoked by the OCSP server\&. The new certificate is saved to

\fICONFDIR/IDENTIFIER/cert\&.pem\fR\&. If the certificate file already exists it is hardlinked to

before overwriting\&. The private key for the certificate is loaded from

\fICONFDIR/private/IDENTIFIER/key\&.pem\fR\&. If no such file exists, a new key is generated unless

\fB\-n, \-\-never\-create\fR

is specified\&. Wildcard

or

are dealt with correctly, as long as the ACME server supports them; note that any such wildcards are automatically removed from the configuration subdirectory name: for example a certificate for

is saved to

\fICONFDIR/test\&.com/cert\&.pem\fR\&. IP address

and

are also supported according to

https://tools\&.ietf\&.org/html/rfc8738#section\-3

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBissue\fR \fICSRFILE\fR

.RS 4

Issue a certificate based on a RFC2986 Certificate Signing Request contained in

\fICSRFILE\fR, which must be in PEM format\&. In this mode of issuance

neither needs nor generates the certificate private key, but it is of course the responsibility of the user to ensure that the CSR is constructed and signed appropriately\&. If a certificate file

(where

is obtained by stripping the extension, if any, from

\fICSRFILE\fR) is already available in the same directory containing

\fICSRFILE\fR, and is still valid for longer than

no action is taken unless

\fB\-f, \-\-force\fR

is specified or

\fB\-o, \-\-no\-ocsp\fR

is

specified and the certificate is reported as revoked by the OCSP server\&. If the certificate file already exists it is hardlinked to

before overwriting\&. Wildcard identifiers in the CSR are dealt with correctly, as long as the ACME server supports them\&. IP addresses are also supported according to

https://tools\&.ietf\&.org/html/rfc8738#section\-3

.RE

.PP

\fBuacme\fR [\fIOPTIONS\fR \&...] \fBrevoke\fR \fICERTFILE\fR [\fICERTKEYFILE\fR]

.RS 4

Revoke the certificate stored in

\fICERTFILE\fR\&. The revocation request is signed with the private key of either the certificate, when

is specified; or the ACME account associated with the certificate, when only

is specified\&. In the first instance the account key and the configuration directory are not required\&. If successful

is renamed to

\fIrevoked\-TIMESTAMP\&.pem\fR\&. The reason code in the revocation request defaults to 0 but it can be specified by the user with

\fB\-r, \-\-reason\fR\&.

.RE

.PP

.RS 4

String naming a file holding one or more CA certificates to verify the ACME server with\&.

.RE

.PP

.RS 4

String naming a directory holding multiple CA certificates to verify the ACME server with\&. If libcurl is built against OpenSSL, the certificate directory must be prepared using the OpenSSL c_rehash utility\&.

.RE

.PP

.RS 4

Comma separated list of DNS servers to be used instead of the system default\&. The format of the dns servers option is

.RE

.PP

.RS 4

String setting the interface name to use as outgoing network interface\&. The name can be an interface name, an IP address, or a hostname\&. If you prefer one of these, you can use the following special prefixes:

.PP

.RS 4

Interface name

.RE

.PP

.RS 4

IP address or hostname

.RE

.PP

.RS 4

Interface name and IP address or hostname

.RE

.RE

.PP

.RS 4

String holding the proxy hostname or dotted numerical IP address\&. A numerical IPv6 address must be written within [brackets]\&. To specify port number in this string, append :[port] to the end of the host name\&. If not specified, default to using port 1080\&. The proxy string may be prefixed with [scheme]:// to specify which kind of proxy is used (http://, https://, socks4://, socks4a://, socks5://, socks5h://)\&. The proxy can also be specified with its associated credentials like for ordinary URLs in the style:

.RE

.sp

The following environment variables are exported for use by the hook program:

.PP

.RS 4

Path to

\fICONFDIR\fR, see

\fB\-c, \-\-confdir\fR

.RE

.PP

.RS 4

Verbosity, see

\fB\-v, \-\-verbose\fR

.RE

.PP

\fBUACME_METHOD\fR, \fBUACME_TYPE\fR, \fBUACME_IDENT\fR, \fBUACME_TOKEN\fR, \fBUACME_AUTH\fR

.RS 4

Copies of the hook program arguments, see

\fB\-h, \-\-hook\fR

.RE

.PP

.RS 4

Success

.RE

.PP

.RS 4

Certificate not reissued because it is still current

.RE

.PP

.RS 4

Failure (syntax or usage error; configuration error; processing failure; unexpected error)\&.

.RE

.sp

The \fIuacme\&.sh\fR hook script included in the distribution can be used to automate the certificate issuance with \fIhttp\-01\fR challenges, provided a web server for the domain being validated runs on the same machine, with webroot at /var/www

.sp

.if n \{\

.RS 4

.\}

.nf

#!/bin/sh

CHALLENGE_PATH=/var/www/\&.well\-known/acme\-challenge

ARGS=5

E_BADARGS=85

.fi

.if n \{\

.RE

.\}

.sp

.if n \{\

.RS 4

.\}

.nf

if test $# \-ne "$ARGS"

then

echo "Usage: $(basename "$0") method type ident token auth" 1>&2

exit $E_BADARGS

fi

.fi

.if n \{\

.RE

.\}

.sp

.if n \{\

.RS 4

.\}

.nf

METHOD=$1

TYPE=$2

IDENT=$3

TOKEN=$4

AUTH=$5

.fi

.if n \{\

.RE

.\}

.sp

.if n \{\

.RS 4

.\}

.nf

case "$METHOD" in

"begin")

case "$TYPE" in

http\-01)

echo \-n "${AUTH}" > "${CHALLENGE_PATH}/${TOKEN}"

exit $?

;;

*)

exit 1

;;

esac

;;

"done"|"failed")

case "$TYPE" in

http\-01)

rm "${CHALLENGE_PATH}/${TOKEN}"

exit $?

;;

*)

exit 1

;;

esac

;;

*)

echo "$0: invalid method" 1>&2

exit 1

esac

.fi

.if n \{\

.RE

.\}

.sp

If you believe you have found a bug, please create a new issue at https://github\&.com/ndilieto/uacme/issues with any applicable information\&.

.sp

\fBualpn\fR(1)

.sp

\fBuacme\fR was written by Nicola Di Lieto

.sp

Copyright \(co 2019\-2024 Nicola Di Lieto <nicola\&.dilieto@gmail\&.com>

.sp

This file is part of \fBuacme\fR\&.

.sp

\fBuacme\fR is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.

.sp

\fBuacme\fR is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.

.sp

You should have received a copy of the GNU General Public License along with this program\&. If not, see http://www\&.gnu\&.org/licenses/\&.