SYNOPSIS
- acmetool [<flags>] <command> [<args> ...]
DESCRIPTION
acmetool is a utility for the automated retrieval, management and renewal of certificates from ACME servers such as Let's Encrypt. It emphasises automation, idempotency and the minimisation of state. You use acmetool by configuring targets (typically using the "want" command). acmetool then requests certificates as necessary to satisfy the configured targets. New certificates are requested where existing ones are soon to expire.
acmetool stores its state in a state directory. It can be specified on invocation via the --state option; otherwise, the path in ACME_STATE_DIR is used, or, failing that, the path "/var/lib/acme" (recommended).
The --xlog options control the logging. The --service options control privilege dropping and daemonization and are applicable only to the redirector subcommand.
OPTIONS
- --help
- Show context-sensitive help (also try --help-long and --help-man).
- --state=/var/lib/acme
- Path to the state directory (env: ACME_STATE_DIR)
- --hooks=/etc/acme/hooks
- Path to the notification hooks directory (env: ACME_HOOKS_DIR)
- --batch
- Do not attempt interaction; useful for cron jobs. (acmetool can still obtain responses from a response file, if one was provided.)
- --stdio
- Don't attempt to use console dialogs; fall back to stdio prompts
- --response-file=RESPONSE-FILE
- Read dialog responses from the given file (default: $ACME_STATE_DIR/conf/responses)
- --version
- Print version information
- --xlog.facility=XLOG.FACILITY
- syslog facility to use
- --xlog.syslog
- log to syslog?
- --xlog.syslogseverity=XLOG.SYSLOGSEVERITY
- syslog severity limit
- --xlog.journal
- log to systemd journal?
- --xlog.journalseverity=XLOG.JOURNALSEVERITY
- systemd journal severity limit
- --xlog.severity=XLOG.SEVERITY
- log severity (any syslog severity name or number)
- --xlog.file=XLOG.FILE
- log to filename
- --xlog.fileseverity=XLOG.FILESEVERITY
- file logging severity limit
- --xlog.stderr
- log to stderr?
- --xlog.stderrseverity=XLOG.STDERRSEVERITY
- stderr logging severity limit
- --service.cpuprofile=SERVICE.CPUPROFILE
- Write CPU profile to file
- --service.debugserveraddr=SERVICE.DEBUGSERVERADDR
- Address for debug server to listen on (do not specify a public address) (default: disabled)
- --service.uid=SERVICE.UID
- UID to run as (default: don't drop privileges)
- --service.gid=SERVICE.GID
- GID to run as (default: don't drop privileges)
- --service.daemon
- Run as daemon? (doesn't fork)
- --service.stderr
- Keep stderr open when daemonizing
- --service.chroot=SERVICE.CHROOT
- Chroot to a directory (must set UID, GID) ("/" disables)
- --service.pidfile=SERVICE.PIDFILE
- Write PID to file with given filename and hold a write lock
- --service.fork
- Fork? (implies -daemon)
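The --service descriptions above carry three constraints: chroot needs a UID and GID, the debug server must not listen on a public address, and the options apply only to the redirector subcommand. The shell function below is an added example, not part of acmetool, that lints a proposed command line against them before deployment. Its finding names are made up for illustration, and it assumes that flagging any non-loopback debug address is acceptable, which is stricter than the text requires.

```shell
#!/bin/sh
# Added example (not part of acmetool): lint a redirector command line against
# the constraints stated in the --service option descriptions.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_redirector_args() {
    a_uid="" a_gid="" a_chroot="" a_debug="" a_sub="" a_svc=0 a_bad=0
    for a_arg in "$@"; do
        case "$a_arg" in
            --service.uid=*)             a_uid=${a_arg#*=}; a_svc=1 ;;
            --service.gid=*)             a_gid=${a_arg#*=}; a_svc=1 ;;
            --service.chroot=*)          a_chroot=${a_arg#*=}; a_svc=1 ;;
            --service.debugserveraddr=*) a_debug=${a_arg#*=}; a_svc=1 ;;
            --service.*)                 a_svc=1 ;;
            redirector)                  a_sub=redirector ;;
        esac
    done
    if [ "$a_sub" != redirector ]; then
        # --service options are applicable only to the redirector subcommand.
        if [ "$a_svc" -eq 1 ]; then
            echo "service-options-outside-redirector"; a_bad=1
        fi
        return "$a_bad"
    fi
    if [ -z "$a_uid" ] || [ -z "$a_gid" ]; then
        echo "no-privilege-drop"; a_bad=1
        # "/" disables chroot, so only a real directory needs UID and GID.
        if [ -n "$a_chroot" ] && [ "$a_chroot" != "/" ]; then
            echo "chroot-without-uid-gid"; a_bad=1
        fi
    fi
    if [ -n "$a_debug" ]; then
        a_host=${a_debug%:*}   # strip the :port suffix; empty host = all interfaces
        case "$a_host" in
            127.0.0.1|localhost|"[::1]") ;;
            *) echo "debug-server-not-loopback"; a_bad=1 ;;
        esac
    fi
    return "$a_bad"
}

# Constructed sample: chroot requested without UID/GID, wildcard debug address.
audit_redirector_args redirector --service.chroot=/var/run/acme \
    --service.debugserveraddr=0.0.0.0:6060 || true
```

Pass the function the arguments exactly as they would follow `acmetool` in a unit file or init script; an empty output and a zero exit status mean none of the three constraints is violated.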
SUBCOMMANDS
help [<command>...]
Show help.
reconcile
Reconcile ACME state, idempotently requesting and renewing certificates to satisfy configured targets.
This is the default command.
cull [<flags>]
Delete expired, unused certificates
- -n, --simulate
- Show which certificates would be deleted without deleting any
status
Show active configuration
want [<flags>] <hostname>...
Add a target with one or more hostnames
- --reconcile
- Specify --no-reconcile to skip reconcile after adding target
unwant <hostname>...
Modify targets to remove any mentions of the given hostnames
quickstart [<flags>]
Interactively ask some getting started questions (recommended)
- --expert
- Ask more questions in quickstart wizard
redirector [<flags>]
HTTP to HTTPS redirector with challenge response support
- --path=PATH
- Path to serve challenge files from
- --challenge-gid=CHALLENGE-GID
- GID to chgrp the challenge path to (optional)
test-notify [<hostname>...]
Test-execute notification hooks as though given hostnames were updated
import-jwk-account <provider-url> <private-key-file>
Import a JWK account key
import-key <private-key-file>
Import a certificate private key
import-le [<le-state-path*>]
Import a Let's Encrypt client state directory
revoke [<certificate-id-or-path>]
Revoke a certificate
account-thumbprint
Prints account thumbprints