acmetool(8)

acmetool - request certificates from ACME servers automatically

NAME

acmetool - request certificates from ACME servers automatically

SYNOPSIS

acmetool [<flags>] <command> [<args> ...]

DESCRIPTION

acmetool is a utility for the automated retrieval, management and renewal of certificates from ACME servers such as Let’s Encrypt. It emphasises automation, idempotency and the minimisation of state.

You use acmetool by configuring targets (typically using the "want" command). acmetool then requests certificates as necessary to satisfy the configured targets. New certificates are requested where existing ones are soon to expire.

acmetool stores its state in a state directory. It can be specified on invocation via the --state option; otherwise, the path in ACME_STATE_DIR is used, or, failing that, the path "/var/lib/acme" (recommended).

The --xlog options control the logging. The --service options control privilege dropping and daemonization and are applicable only to the redirector subcommand.

OPTIONS

--help

Show context-sensitive help (also try --help-long and --help-man).

--state=/var/lib/acme

Path to the state directory (env: ACME_STATE_DIR)

--hooks=/etc/acme/hooks

Path to the notification hooks directory (env: ACME_HOOKS_DIR)

--batch

Do not attempt interaction; useful for cron jobs. (acmetool can still obtain responses from a response file, if one was provided.)

--stdio

Don’t attempt to use console dialogs; fall back to stdio prompts

--response-file=RESPONSE-FILE

Read dialog responses from the given file (default: $ACME_STATE_DIR/conf/responses)

--version

Print version information

--xlog.facility=daemon

Syslog facility to use

--xlog.syslog

Log to syslog?

--xlog.syslogseverity=DEBUG

Syslog severity limit

--xlog.journal

Log to systemd journal?

--xlog.journalseverity=DEBUG

Systemd journal severity limit

--xlog.severity=NOTICE

Log severity (any syslog severity name or number)

--xlog.file=""

Log to filename

--xlog.fileseverity=TRACE

File logging severity limit

--xlog.stderr

Log to stderr?

--xlog.stderrseverity=TRACE

stderr logging severity limit

--service.cpuprofile=""

Write CPU profile to file

--service.debugserveraddr=""

Address for debug server to listen on (do not specify a public address) (default: disabled)

--service.uid=""

UID to run as (default: don’t drop privileges)

--service.gid=""

GID to run as (default: don’t drop privileges)

--service.daemon

Run as daemon? (doesn’t fork)

--service.stderr

Keep stderr open when daemonizing

--service.chroot=""

Chroot to a directory (must set UID, GID) ("/" disables)

--service.pidfile=""

Write PID to file with given filename and hold a write lock

--service.fork

Fork? (implies -daemon)

SUBCOMMANDS

help [<command>...]

Show help.

reconcile [<target-filenames>...]

Reconcile ACME state, idempotently requesting and renewing certificates to satisfy configured targets.

This is the default command.

cull [<flags>]

Delete expired, unused certificates

-n, --simulate

Show which certificates would be deleted without deleting any

status

Show active configuration

want [<flags>] <hostname>...

Add a target with one or more hostnames

--reconcile

Specify --no-reconcile to skip reconcile after adding target

unwant <hostname>...

Modify targets to remove any mentions of the given hostnames

quickstart [<flags>]

Interactively ask some getting started questions (recommended)

--expert

Ask more questions in quickstart wizard

redirector [<flags>]

HTTP to HTTPS redirector with challenge response support

--path=PATH

Path to serve challenge files from

--challenge-gid=CHALLENGE-GID

GID to chgrp the challenge path to (optional)

--read-timeout=10s

Maximum duration before timing out read of the request (default: ’10s’)

--write-timeout=20s

Maximum duration before timing out write of the request (default: ’20s’)

--status-code=308

HTTP status code to use when redirecting (default ’308’)

--bind=":80"

Bind address for redirector (default ’:80’)

test-notify [<hostname>...]

Test-execute notification hooks as though given hostnames were updated

import-jwk-account <provider-url> <private-key-file>

Import a JWK account key

import-pem-account <provider-url> <private-key-file>

Import a PEM account key

import-key <private-key-file>

Import a certificate private key

import-le [<le-state-path*>]

Import a Let’s Encrypt client state directory

revoke [<certificate-id-or-path>]

Revoke a certificate

account-thumbprint

Prints account thumbprints

account-url

Show account URL
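
The redirector binds ’:80’ by default, and the --service options let it drop privileges. The following added example (not part of this manual page or of the acmetool project) assembles a redirector command line from the flags documented above and rejects the combinations their descriptions rule out. The numeric IDs, the paths and the loopback-only reading of "do not specify a public address" are assumptions.

```shell
#!/bin/sh
# Added example, not acmetool project code. IDs and paths are constructed.

# Print an "acmetool ... redirector" command line built from documented flags.
# Args: uid gid chroot challenge_path [debug_addr]
# Returns 1 (message on stderr) when the combination is not allowed.
redirector_cmd() {
    uid=$1 gid=$2 chroot=$3 cpath=$4 debug=${5:-}

    # --service.chroot: "/" disables the chroot, so treat it as unset.
    if [ "$chroot" = "/" ]; then
        chroot=""
    fi

    # --service.chroot: "must set UID, GID".
    if [ -n "$chroot" ]; then
        if [ -z "$uid" ] || [ -z "$gid" ]; then
            echo "chroot requires --service.uid and --service.gid" >&2
            return 1
        fi
    fi

    # --service.debugserveraddr: "do not specify a public address".
    # Assumption: this example accepts loopback hosts only.
    case $debug in
        ''|127.0.0.1:*|localhost:*|'[::1]:'*) ;;
        *) echo "debug server address is not loopback: $debug" >&2
           return 1 ;;
    esac

    # Global flags go before the subcommand, redirector flags after it.
    set -- acmetool
    if [ -n "$uid" ]; then set -- "$@" "--service.uid=$uid"; fi
    if [ -n "$gid" ]; then set -- "$@" "--service.gid=$gid"; fi
    if [ -n "$chroot" ]; then set -- "$@" "--service.chroot=$chroot"; fi
    if [ -n "$debug" ]; then set -- "$@" "--service.debugserveraddr=$debug"; fi
    set -- "$@" redirector "--path=$cpath"

    # Printed for review; replace with: exec "$@"  to launch the redirector.
    printf '%s\n' "$*"
}

# Constructed values: UID/GID 990 and /srv/acme-challenge are placeholders.
redirector_cmd 990 990 "" /srv/acme-challenge
```
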

AUTHOR

© 2015 Hugo Landau <hlandau@devever.net> MIT License

SEE ALSO

Documentation: <https://github.com/hlandau/acmetool>

Report bugs at: <https://github.com/hlandau/acmetool/issues>