
FreeBSD Manual Pages


acmetool(8)		    System Manager's Manual		   acmetool(8)

       acmetool	- request certificates from ACME servers automatically

       acmetool	[<flags>] <command> [<args> ...]

       acmetool is a utility for the automated retrieval, management and
       renewal of certificates from ACME servers such as Let's Encrypt. It
       emphasises automation, idempotency and the minimisation of state.

       You use acmetool by configuring targets (typically using the "want"
       command). acmetool then requests certificates as necessary to satisfy
       the configured targets. New certificates are requested where existing
       ones are soon to expire.

       acmetool	stores its state in a state directory. It can be specified  on
       invocation   via	  the	--state	  option;   otherwise,	 the  path  in
       ACME_STATE_DIR is used, or, failing that, the path "/var/db/acme" (rec-

       The  --xlog  options control the	logging. The --service options control
       privilege dropping and daemonization and	are  applicable	 only  to  the
       redirector subcommand.

       --help Show  context-sensitive  help  (also try --help-long and --help-

	      Path to the state	directory (env:	ACME_STATE_DIR)

	      Path to the notification hooks directory (env: ACME_HOOKS_DIR)

	      Do not attempt interaction; useful for cron jobs.	(acmetool  can
	      still  obtain  responses	from  a	response file, if one was pro-

	      Don't attempt to use console dialogs; fall back to stdio prompts

	      Read  dialog   responses	 from	the   given   file   (default:

	      Print version information

	      Syslog facility to use

	      Log to syslog?

	      Syslog severity limit

	      Log to systemd journal?

	      Systemd journal severity limit

	      Log severity (any	syslog severity	name or	number)

	      Log to filename

	      File logging severity limit

	      Log to stderr?

	      stderr logging severity limit

	      Write CPU	profile	to file

	      Address  for  debug server to listen on (do not specify a	public
	      address) (default: disabled)

	      UID to run as (default: don't drop privileges)

	      GID to run as (default: don't drop privileges)

	      Run as daemon? (doesn't fork)

	      Keep stderr open when daemonizing

	      Chroot to	a directory (must set UID, GID)	("/" disables)

	      Write PID	to file	with given filename and	hold a write lock

	      Fork? (implies -daemon)

   help	[<command>...]
       Show help.

   reconcile [<target-filenames>...]
       Reconcile ACME state, idempotently requesting and renewing certificates
       to satisfy configured targets.

       This is the default command.

   cull	[<flags>]
       Delete expired, unused certificates

       -n, --simulate
	      Show which certificates would be deleted without deleting	any

       Show active configuration

   want	[<flags>] <hostname>...
       Add a target with one or	more hostnames

	      Specify --no-reconcile to	skip reconcile after adding target

   unwant <hostname>...
       Modify targets to remove	any mentions of	the given hostnames

   quickstart [<flags>]
       Interactively ask some getting started questions	(recommended)

	      Ask more questions in quickstart wizard

   redirector [<flags>]
       HTTP to HTTPS redirector	with challenge response	support

	      Path to serve challenge files from

	      GID to chgrp the challenge path to (optional)

	      Maximum duration before timing out read of the request (default:

	      Maximum duration before timing out write	of  the	 request  (de-
	      fault: '20s')

	      HTTP status code to use when redirecting (default	'308')

	      Bind address for redirector (default ':80')

   test-notify [<hostname>...]
       Test-execute notification hooks as though given hostnames were updated

   import-jwk-account <provider-url> <private-key-file>
       Import a	JWK account key

   import-pem-account <provider-url> <private-key-file>
       Import a	PEM account key

   import-key <private-key-file>
       Import a	certificate private key

   import-le [<le-state-path*>]
       Import a	Let's Encrypt client state directory

   revoke [<certificate-id-or-path>]
       Revoke a	certificate

       Prints account thumbprints

       (C) 2015 Hugo Landau <>  MIT License

       Documentation: <>

       Report bugs at: <>

				   acmetool			   acmetool(8)

