1UACME(1) User Commands UACME(1)
2
3
4
6 uacme - ACMEv2 client written in plain C with minimal dependencies
7
9 uacme [-a|--acme-url URL] [-b|--bits BITS] [-c|--confdir DIR]
10 [-d|--days DAYS] [-e|--eab KEYID:KEY] [-f|--force] [-h|--hook PROGRAM]
11 [-l|--alternate N | FP] [-m|--must-staple] [-n|--never-create]
12 [-o|--no-ocsp] [-r|--reason CODE] [-s|--staging] [-t|--type RSA|EC]
13 [-v|--verbose ...] [-V|--version] [-y|--yes] [-?|--help] new [EMAIL] |
14 update [EMAIL] | deactivate | newkey | issue IDENTIFIER [ALTNAME ...]]
15 | issue CSRFILE | revoke CERTFILE [CERTKEYFILE]
16
18 uacme is a client for the ACMEv2 protocol described in RFC8555, written
19 in plain C with minimal dependencies (libcurl and one of GnuTLS,
20 OpenSSL or mbedTLS). The ACMEv2 protocol allows a Certificate Authority
21 (https://letsencrypt.org is a popular one) and an applicant to automate
22 the process of verification and certificate issuance. The protocol also
23 provides facilities for other certificate management functions, such as
24 certificate revocation. For more information see
25 https://tools.ietf.org/html/rfc8555
26
28 -a, --acme-url URL
29 ACMEv2 server directory object URL. If not specified uacme uses one
30 of the following:
31
32 https://acme-v02.api.letsencrypt.org/directory
33 production URL
34
35 https://acme-staging-v02.api.letsencrypt.org/directory
36 staging URL (see -s, --staging below)
37
38 -b, --bits BITS
39 key bit length (default 2048 for RSA, 256 for EC). Only applies to
40 newly generated keys. RSA key length must be a multiple of 8
41 between 2048 and 8192. EC key length must be either 256
42 (NID_X9_62_prime256v1 curve) or 384 (NID_secp384r1 curve).
43
44 -c, --confdir CONFDIR
45 Use configuration directory CONFDIR (default /etc/ssl/uacme). The
46 structure is as follows (multiple IDENTIFIERs allowed)
47
48 CONFDIR/private/key.pem
49 ACME account private key
50
51 CONFDIR/private/IDENTIFIER/key.pem
52 certificate key for IDENTIFIER
53
54 CONFDIR/IDENTIFIER/cert.pem
55 certificate for IDENTIFIER
56
57 -d, --days DAYS
58 Do not reissue certificates that are still valid for longer than
59 DAYS (default 30). See also -o, --no-ocsp.
60
61 -e, --eab KEYID:KEY
62 Specify RFC8555 External Account Binding credentials according to
63 https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to
64 associate a new ACME account with an existing account in a non-ACME
65 system such as a CA customer database. KEYID must be an ASCII
66 string. KEY must be base64url-encoded.
67
68 -f, --force
69 Force certificate reissuance regardless of expiration date.
70
71 -h, --hook PROGRAM
72 Challenge hook program. If not specified uacme interacts with the
73 user for every ACME challenge, printing information about the
74 challenge type, token and authorization on stderr. If specified
75 uacme executes PROGRAM (a binary, a shell script or any file that
76 can be executed by the operating system) for every challenge with
77 the following 5 string arguments:
78
79 METHOD
80 one of begin, done or failed.
81
82 begin
83 is called at the beginning of the challenge. PROGRAM must
84 return 0 to accept it. Any other return code declines the
85 challenge. Neither done nor failed method calls are made
86 for declined challenges.
87
88 done
89 is called upon successful completion of an accepted
90 challenge.
91
92 failed
93 is called upon failure of an accepted challenge.
94
95 TYPE
96 challenge type (dns-01, http-01 or tls-alpn-01)
97
98 IDENT
99 The identifier the challenge refers to
100
101 TOKEN
102 The challenge token
103
104 AUTH
105 The key authorization (for dns-01 and tls-alpn-01 already
106 converted to the base64url-encoded SHA256 digest format)
107
108 -l, --alternate N | FP
109 According to https://tools.ietf.org/html/rfc8555#section-7.4.2 the
110 server MAY provide one or more additional certificate download
111 URLs, each pointing to alternative certificate chains starting with
112 the same end-entity certificate. This option allows selecting one
113 such chain in one of two ways. A positive integer N makes uacme
114 select the Nth alternative chain in the order presented by the
115 server. A colon (:) separated list of two or more 2-digit
116 hexadecimal numbers FP makes uacme select the first alternative
117 chain containing a certificate whose SHA256 fingerprint begins with
118 FP. In both cases uacme falls back to the main certificate URL if
119 it cannot match an alternative chain or the download thereof fails.
120
121 -m, --must-staple
122 Request certificates with the RFC7633 Certificate Status Request
123 TLS Feature Extension, informally also known as "OCSP Must-Staple".
124 This option is ignored when using an externally supplied
125 Certificate Signing Request file (see USAGE below).
126
127 -n, --never-create
128 By default uacme creates directories/keys if they do not exist.
129 When this option is specified uacme never does so and instead exits
130 with an error if anything required is missing.
131
132 -o, --no-ocsp
133 When this flag is not specified and the certificate has an
134 Authority Information Access extension with an OCSP server location
135 according to https://tools.ietf.org/html/rfc5280#section-4.2.2.1
136 uacme makes an OCSP request to the server; if the certificate is
137 reported as revoked uacme forces reissuance regardless of the
138 expiration date. See also -d, --days.
139
140 -r, --reason CODE
141 Use CODE (default 0) as reason code in revocation requests. A list
142 of values is at https://tools.ietf.org/html/rfc5280#section-5.3.1.
143
144 -s, --staging
145 Use Let’s Encrypt staging URL for testing. This only works if -a,
146 --acme-url is NOT specified.
147
148 -t, --type=RSA | EC
149 Key type, either RSA or EC. Only applies to newly generated keys.
150 The bit length can be specified with -b, --bits.
151
152 -v, --verbose
153 By default uacme only produces output upon errors or when user
154 interaction is required. When this option is specified uacme prints
155 information about what is going on on stderr. This option can be
156 specified more than once to increase verbosity.
157
158 -V, --version
159 Print program version on stderr and exit.
160
161 -y, --yes
162 Autoaccept ACME server terms (if any) upon new account creation.
163
164 -?, --help
165 Print a brief usage text on stderr and exit.
166
168 uacme [OPTIONS ...] new [EMAIL]
169 Create a new ACME account with optional EMAIL contact. If the
170 account private key does not exist at CONFDIR/private/key.pem a new
171 key is generated unless -n, --never-create is specified. A valid
172 account must be created before any other operation can succeed
173 (with the exception of certificate revocation requests signed by
174 the certificate private key). Any certificate issued by the ACME
175 server is associated with a single account. An account can be
176 associated with multiple certificates, subject of course to the
177 rate limits imposed by the ACME server.
178
179 uacme [OPTIONS ...] update [EMAIL]
180 Update the EMAIL associated with the ACME account corresponding to
181 the account private key. If EMAIL is not specified the account
182 contact email is removed.
183
184 uacme [OPTIONS ...] deactivate
185 Deactivate the ACME account corresponding to the account private
186 key. WARNING this action is irreversible. Users may wish to do
187 this when the account key is compromised or decommissioned. A
188 deactivated account can no longer request certificate issuances and
189 revocations or access resources related to the account.
190
191 uacme [OPTIONS ...] newkey
192 Change the ACME account private key. If the new account private key
193 does not exist at CONFDIR/private/newkey.pem it is generated unless
194 -n, --never-create is specified. The new key is then submitted to
195 the server and if the operation succeeds the old key is hardlinked
196 to CONFDIR/private/key-TIMESTAMP.pem before renaming
197 CONFDIR/private/newkey.pem to CONFDIR/private/key.pem.
198
199 uacme [OPTIONS ...] issue IDENTIFIER [ALTNAME ...]
200 Issue a certificate for IDENTIFIER with zero or more ALTNAMEs. If a
201 certificate is already available at CONFDIR/IDENTIFIER/cert.pem for
202 the specified IDENTIFIER and ALTNAMEs and is still valid for longer
203 than DAYS no action is taken unless -f, --force is specified or -o,
204 --no-ocsp is not specified and the certificate is reported as
205 revoked by the OCSP server. The new certificate is saved to
206 CONFDIR/IDENTIFIER/cert.pem. If the certificate file already exists
207 it is hardlinked to CONFDIR/IDENTIFIER/cert-TIMESTAMP.pem before
208 overwriting. The private key for the certificate is loaded from
209 CONFDIR/private/IDENTIFIER/key.pem. If no such file exists, a new
210 key is generated unless -n, --never-create is specified. Wildcard
211 IDENTIFIERs or ALTNAMEs are dealt with correctly, as long as the
212 ACME server supports them; note that any such wildcards are
213 automatically removed from the configuration subdirectory name: for
214 example a certificate for *.test.com is saved to
215 CONFDIR/test.com/cert.pem. IP address IDENTIFIERs and ALTNAMEs are
216 also supported according to
217 https://tools.ietf.org/html/rfc8738#section-3
218
219 uacme [OPTIONS ...] issue CSRFILE
220 Issue a certificate based on a RFC2986 Certificate Signing Request
221 contained in CSRFILE, which must be in PEM format. In this mode of
222 issuance uacme neither needs nor generates the certificate private
223 key, but it is of course the responsibility of the user to ensure
224 that the CSR is constructed and signed appropriately. If a
225 certificate file CSRBASE-cert.pem (where CSRBASE is obtained by
226 stripping the extension, if any, from CSRFILE) is already available
227 in the same directory containing CSRFILE, and is still valid for
228 longer than DAYS no action is taken unless -f, --force is specified
229 or -o, --no-ocsp is not specified and the certificate is reported
230 as revoked by the OCSP server. If the certificate file already
231 exists it is hardlinked to BASENAME-cert-TIMESTAMP.pem before
232 overwriting. Wildcard identifiers in the CSR are dealt with
233 correctly, as long as the ACME server supports them. IP addresses
234 are also supported according to
235 https://tools.ietf.org/html/rfc8738#section-3
236
237 uacme [OPTIONS ...] revoke CERTFILE [CERTKEYFILE]
238 Revoke the certificate stored in CERTFILE. The revocation request
239 is signed with the private key of either the certificate, when
240 CERTKEYFILE is specified; or the ACME account associated with the
241 certificate, when only CERTFILE is specified. In the first instance
242 the account key and the configuration directory are not required.
243 If successful CERTFILE is renamed to revoked-TIMESTAMP.pem. The
244 reason code in the revocation request defaults to 0 but it can be
245 specified by the user with -r, --reason.
246
248 0
249 Success
250
251 1
252 Certificate not reissued because it is still current
253
254 2
255 Failure (syntax or usage error; configuration error; processing
256 failure; unexpected error).
257
259 The uacme.sh hook script included in the distribution can be used to
260 automate the certificate issuance with http-01 challenges, provided a
261 web server for the domain being validated runs on the same machine,
262 with webroot at /var/www
263
264 #!/bin/sh
265 CHALLENGE_PATH=/var/www/.well-known/acme-challenge
266 ARGS=5
267 E_BADARGS=85
268
269 if test $# -ne "$ARGS"
270 then
271 echo "Usage: $(basename "$0") method type ident token auth" 1>&2
272 exit $E_BADARGS
273 fi
274
275 METHOD=$1
276 TYPE=$2
277 IDENT=$3
278 TOKEN=$4
279 AUTH=$5
280
281 case "$METHOD" in
282 "begin")
283 case "$TYPE" in
284 http-01)
285 echo -n "${AUTH}" > "${CHALLENGE_PATH}/${TOKEN}"
286 exit $?
287 ;;
288 *)
289 exit 1
290 ;;
291 esac
292 ;;
293 "done"|"failed")
294 case "$TYPE" in
295 http-01)
296 rm "${CHALLENGE_PATH}/${TOKEN}"
297 exit $?
298 ;;
299 *)
300 exit 1
301 ;;
302 esac
303 ;;
304 *)
305 echo "$0: invalid method" 1>&2
306 exit 1
307 esac
308
310 If you believe you have found a bug, please create a new issue at
311 https://github.com/ndilieto/uacme/issues with any applicable
312 information.
313
315 ualpn(1)
316
318 uacme was written by Nicola Di Lieto
319
321 Copyright © 2019-2023 Nicola Di Lieto <nicola.dilieto@gmail.com>
322
323 This file is part of uacme.
324
325 uacme is free software: you can redistribute it and/or modify it under
326 the terms of the GNU General Public License as published by the Free
327 Software Foundation, either version 3 of the License, or (at your
328 option) any later version.
329
330 uacme is distributed in the hope that it will be useful, but WITHOUT
331 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
332 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
333 for more details.
334
335 You should have received a copy of the GNU General Public License along
336 with this program. If not, see http://www.gnu.org/licenses/.
337
338
339
340uacme 1.7.4 02/18/2023 UACME(1)