ACMED(8)                                                  ACMED(8)

NAME
     ip/acmed - acme certificate client

SYNOPSIS
     ip/acmed [ -a acctkey ] [ -o chalout ] [ -p provider ]
          [ -t type ] acctname csr [ domain ]

DESCRIPTION
     Acmed fetches and renews TLS certificates using the acme
     (RFC8555) protocol. It requires a pregenerated account key
     and certificate signing key.

     Acmed accepts the following options:

     -a acctkey
          Specifies that acctkey is used to sign requests to the
          provider in place of the default
          /sys/lib/tls/acme/$acctname.pub. The key must be a jwk
          formatted RSA key.

     -o chalout
          Specifies that the challenge material is placed in the
          location chalout. For HTTP challenges, chalout must be
          a directory that your choice of httpd will serve at
          http://domain.com/.well-known/acme-challenge. For DNS
          challenges, chalout is a file that should be included
          in your ndb database. If unspecified, http challenges
          will output to /usr/web/.well-known/acme-challenge,
          while dns challenges will output to
          /lib/ndb/dnschallenge.

     -p provider
          Specifies that provider is used as the provider URL, in
          place of the default
          https://acme-v02.api.letsencrypt.org/directory. This
          must be the directory URL for the desired RFC8555
          compliant provider.

     -t type
          Specifies the challenge type. Supported challenge types
          are currently http and dns.

EXAMPLES
     Before acmed is run, the keys must be generated.

          auth/rsagen -t 'service=acme role=sign hash=sha256 acct=a@b.org' \
               >acct.key
          auth/rsa2jwk acct.key >/sys/lib/tls/acmed/me@example.org.pub
          auth/rsagen -t 'service=tls owner=*' >cert.key
          auth/rsa2csr 'CN=mydomain.com' cert.key \
               >/sys/lib/tls/acmed/mydomain.com.csr

     This need only be run once.

     The certificate for the domain can now be fetched:

          acmed me@example.org /sys/lib/tls/acmed/mydomain.com.csr \
               >/sys/lib/tls/acmed/mydomain.com.crt

     When using a DNS challenge, your DNS server must be
     configured, and it must be configured to include the DNS
     challenge file:

          database=
               file=/net/ndb
               file=/lib/ndb/local
               file=/lib/ndb/common
               file=/lib/ndb/dnschallenge

     And acmed must be invoked with the domain:

          acmed me@example.org \
               /sys/lib/tls/acmed/mydomain.com.csr \
               mydomain.com \
               >/sys/lib/tls/acmed/mydomain.com.crt

SEE ALSO
     rsa(8), srvtls(4).

SOURCE
     /sys/src/cmd/ip/acmed.c

HISTORY
     Ip/acmed first appeared in 9front (Oct 2021)
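The challenge material that the -o and -t options refer to is defined by RFC 8555 and RFC 7638, not by this page. The following is an added example, not part of acmed or its manual, that goes beyond the page to show how that material is derived from the jwk account key, so a file in the HTTP challenge directory or a DNS TXT value can be checked against the key. It assumes the account key file is a JSON RSA JWK with kty, n and e members and that an HTTP challenge file is named after its token; the sample key and token are constructed.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used by JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over only the
    required members (e, kty, n), sorted, serialized without whitespace."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA account keys are handled here")
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint.
    This string is the body served for an http challenge."""
    return token + "." + jwk_thumbprint(jwk)

def dns01_txt(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value published at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii"))
    return b64url(digest.digest())

def challenge_file_ok(name: str, body: str, jwk: dict) -> bool:
    """True if a file in the HTTP challenge directory is a valid response
    for this account key. Assumption: the file name is the token."""
    return body.strip() == key_authorization(name, jwk)

# Constructed sample data: not a real key or token. Extra members such as
# "alg" are ignored by the thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("http body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns txt:  ", dns01_txt(SAMPLE_TOKEN, SAMPLE_JWK))
```

A challenge file whose body does not match the key authorization for your own account key was not produced for your account and should not be served.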