.TH LETSENCRYPT "1" "MARCH 2016" "Tiny Let's Encrypt ACME client" "User Commands"

.SH NAME
letsencrypt \- Tiny Let's Encrypt ACME client

.SH SYNOPSIS
.B letsencrypt\fR [\fB\-\-config=\fIFILENAME\fR]
[\fB\-\-socket=\fIPATH\fR] [\fIOPTION\fR ...] \fICOMMAND\fR
[\fIARGUMENT\fR ...]


.SH DESCRIPTION
.PP
.B letsencrypt\fR is a tiny ACME client written with process isolation
and minimal privileges in mind.
It is divided into four components, each with its own executable:

.IP \[bu] 4
A \fIletsencrypt\-accountd\fR(1) process to manage the account key and
issue SHA\-256 signatures needed for each ACME command.
(This process binds to a UNIX\-domain socket to reply to signature
requests from the ACME client.)
One can use the UNIX\-domain socket forwarding facility of OpenSSH 6.7
and later to run \fIletsencrypt\-accountd\fR(1) and \fBletsencrypt\fR on
different hosts.

.IP \[bu] 4
A \(lqmaster\(rq \fBletsencrypt\fR process, which runs as root and is
the only component with access to the private key material of the server
keys.
It is used to fork the ACME client (and optionally the ACME webserver)
after dropping root privileges.
For certificate issuances (\fBnew\-cert\fR command), it also generates
Certificate Signing Requests, then verifies the validity of the issued
certificate, and optionally reloads or restarts services when the
\fInotify\fR option is set.

.IP \[bu] 4
An actual ACME client (specified with the \fIcommand\fR option of the
\(lq[client]\(rq section of the configuration file), which builds ACME
commands and dialogues with the remote ACME server.
Since ACME commands need to be signed with the account key, the
\(lqmaster\(rq \fBletsencrypt\fR process passes the
\fIletsencrypt\-accountd\fR(1) UNIX\-domain socket to the ACME client:
data signatures are requested by writing the data to be signed to the
socket.

.IP \[bu] 4
For certificate issuances (\fBnew\-cert\fR command), an optional
webserver (specified with the \fIcommand\fR option of the
\(lq[webserver]\(rq section of the configuration file), which is spawned
by the \(lqmaster\(rq \fBletsencrypt\fR process when no service is
listening on the HTTP port.
(The only challenge type currently supported by \fBletsencrypt\fR is
\(lqhttp\-01\(rq, which requires a webserver to answer challenges.)
That webserver only processes GET and HEAD requests under the
\(lq/.well\-known/acme\-challenge/\(rq URI.
By default some \fIiptables\fR(1) rules are automatically installed to
open the HTTP port, and removed afterwards.

.SH COMMANDS
.TP
.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBnew\-reg \fR[\fICONTACT\fR ...]
Register the account key managed by \fIletsencrypt\-accountd\fR(1).  A
list of \fICONTACT\fR information (such as \(lqmaito:\(rq
URIs) can be specified in order for the server to contact the client for
issues related to this registration (such as notifications about
server\-initiated revocations).

\fB\-\-agreement\-uri=\fR can be used to specify a \fIURI\fR referring
to a subscriber agreement or terms of service provided by the server;
adding this options indicates the client's agreement with the referenced
terms.  Note that the server might require the client to agree to
subscriber agreement before performing any further actions.

If the account key is already registered, \fBletsencrypt\fR prints the
URI of the existing registration and aborts.

.TP
.B letsencrypt \fR[\fB\-\-agreement\-uri=\fIURI\fR]\fB \fBreg=\fIURI\fR \fR[\fICONTACT\fR ...]

Dump or edit the registration \fIURI\fR (relative to the ACME server URI,
which is specified with the \fIserver\fR option of the \(lq[client]\(rq
section of the configuration file).

When specified, the list of \fICONTACT\fR information and the agreement
\fIURI\fR are sent to the server to replace the existing values.

.TP
.B letsencrypt \fR[\fB\-\-config\-certs=\fIFILE\fR]\fB \fBnew\-cert \fR[\fISECTION\fR ...]

Read the certificate configuration \fIFILE\fR (see the \fBCERTIFICATE
CONFIGURATION FILE\fR section below for the configuration options), and
request new Certificate Issuance for each of its sections (or the given
list of \fISECTION\fRs).

.TP
.B letsencrypt \fBrevoke\-cert \fIFILE\fR [\fIFILE\fR ...]

Request that the given certificate(s) \fIFILE\fR(s) be revoked.  For
this command, \fIletsencrypt\-accountd\fR(1) can be pointed to either
the account key or the server's private key.


.SH GENERIC OPTIONS
.TP
.B \-\-config=\fIfilename\fR
Use \fIfilename\fR as configuration file.  See the \fBCONFIGURATION
FILE\fR section below for the configuration options.

.TP
.B \-\-socket=\fIpath\fR
Use \fIpath\fR as the \fIletsencrypt\-accountd\fR(1) UNIX\-domain socket
to connect to for signature requests from the ACME client.
\fBletsencrypt\fR aborts if \fIpath\fR is readable or writable by
other users, or if its parent directory is writable by other users.
This overrides the \fIsocket\fR option of the \(lq[client]\(rq section
of the configuration file.

.TP
.B \-?\fR, \fB\-\-help\fR
Display a brief help and exit.

.TP
.B \-\-debug
Turn on debug mode.


.SH CONFIGURATION FILE
If \fB\-\-config=\fR is not given, \fBletsencrypt\fR uses the first
existing configuration file among
\fI./letsencrypt.conf\fR,
\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt.conf\fR (or
\fI~/.config/letsencrypt\-tiny/letsencrypt.conf\fR if the
XDG_CONFIG_HOME environment variable is not set), and
\fI/etc/letsencrypt\-tiny/letsencrypt.conf\fR.
Valid options are:

.TP
Default section
.RS
.TP
.I config\-certs
For certificate issuances (\fBnew\-cert\fR command), specify the
certificate configuration file to use (see the \fBCERTIFICATE
CONFIGURATION FILE\fR section below for the configuration options).
.RE

.TP
\(lq[client]\(rq section
This section is used for configuring the ACME client (which takes care
of ACME commands and dialogues with the remote ACME server).

.RS
.TP
.I socket
See \fB\-\-socket=\fR.
Default: \(lq$XDG_RUNTIME_DIR/S.letsencrypt\(rq if the XDG_RUNTIME_DIR
environment variable is set.

.TP
.I user
The username to drop privileges to (setting both effective and real
uid).
Preserve root privileges if the value is empty (not recommended).
Default: \(lqnobody\(rq.

.TP
.I group
The groupname to drop privileges to (setting both effective and real
gid, and also setting the list of supplementary gids to that single
group).  Preserve root privileges if the value is empty (not
recommended).
Default: \(lqnogroup\(rq.

.TP
.I command
Path to the ACME client executable.
Default: \(lq/usr/lib/letsencrypt\-tiny/client\(rq.

.TP
.I server
Root URI of the ACME server.
Default: \(lqhttps://acme\-v01.api.letsencrypt.org/\(rq.

.TP
.I timeout
Timeout in seconds after which the client stops polling the ACME server
and considers the request failed.
Default: \(lq10\(rq.

.TP
.I SSL_verify
Whether to verify the server certificate chain.
Default: \(lqYes\(rq.

.TP
.I SSL_version
Specify the version of the SSL protocol used to transmit data.

.TP
.I SSL_cipher_list
Specify the cipher list for the connection.
.RE

.TP
\(lq[webserver]\(rq section
This section is used for configuring the ACME webserver.

.RS
.TP
.I listen
Specify the local address to listen on, in the form
\fIADDRESS\fR[:\fIPORT\fR].
If \fIADDRESS\fR is enclosed with brackets \(oq[\(cq/\(oq]\(cq then it
denotes an IPv6; an empty \fIADDRESS\fR means \(oq0.0.0.0\(cq.
Default: \(lq:80\(rq.

.TP
.I challenge\-directory
If a webserver is already running, specify a non\-existent directory
under which the webserver is configured to serve GET requests for
challenge files under \(lq/.well\-known/acme\-challenge/\(rq (for each
virtual hosts requiring authorization) as static files.
Default: \(lq/var/www/acme\-challenge\(rq.

.TP
.I user
The username to drop privileges to (setting both effective and real
uid).
Preserve root privileges if the value is empty (not recommended).
Default: \(lqwww\-data\(rq.

.TP
.I group
The groupname to drop privileges to (setting both effective and real
gid, and also setting the list of supplementary gids to that single
group).  Preserve root privileges if the value is empty (not
recommended).
Default: \(lqwww\-data\(rq.

.TP
.I command
Path to the ACME webserver executable.
Default: \(lq/usr/lib/letsencrypt\-tiny/webserver\(rq.

.TP
.I iptables
Whether to automatically install \fIiptables\fR(1) rules to open the
\fIADDRESS\fR[:\fIPORT\fR] specified with \fIlisten\fR.
Theses rules are automatically removed once \fBletsencrypt\fR exits.
Default: \(lqYes\(rq.
.RE


.SH CERTIFICATE CONFIGURATION FILE
For certificate issuances (\fBnew\-cert\fR command), a separate file is
used to configure paths to the certificate and key, as well as the
subject, subjectAltName, etc. to generate Certificate Signing Requests.
If \fB\-\-config\-certs=\fR is not given, and if the
\fIconfig\-certs\fR configuration option is absent,
then \fBletsencrypt\fR uses the first existing configuration file among
\fI./letsencrypt\-certs.conf\fR,
\fI$XDG_CONFIG_HOME/letsencrypt\-tiny/letsencrypt\-certs.conf\fR (or
\fI~/.config/letsencrypt\-tiny/letsencrypt\-certs.conf\fR if the
XDG_CONFIG_HOME environment variable is not set), and
\fI/etc/letsencrypt\-tiny/letsencrypt\-certs.conf\fR.
Each section denotes a separate certificate issuance.
Valid options are:

.TP
.I certificate
Where to store the issued certificate (in PEM format).
At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is
required.

.TP
.I certificate\-chain
Where to store the issued certificate, concatenated with the content of
the file specified specified with the \fICAfile\fR option (in PEM
format).
At least one of \fIcertificate\fR or \fIcertificate\-chain\fR is
required.

.TP
.I certificate\-key
Path the service's private key.  This option is required.  The following
command can be used to generate a new 4096\-bits RSA key in PEM format
with mode 0600:

.nf
    openssl genrsa 4096 | install -m0600 /dev/stdin /path/to/priv.key
.fi

.TP
.I min\-days
For an existing certificate, the minimum number of days before its
expiration date the section is considered for re\-issuance.
Default: \(lq10\(rq.


.TP
.I CAfile
Path to the issuer's certificate.  This is used for
\fIcertificate\-chain\fR and to verify the validity of each issued
certificate.
Specifying an empty value skip certificate validation.
Default: \(lq/usr/share/letsencrypt\-tiny/lets\-encrypt\-x1\-cross\-signed.pem\(rq.

.TP
.I hash
Message digest to sign the Certificate Signing Request with.

.TP
.I keyUsage
Comma\-separated list of Key Usages, see \fIx509v3_config\fR(5ssl).

.TP
.I subject
Subject field of the Certificate Signing Request, in the form
\fR/\fItype0\fR=\fIvalue0\fR/\fItype1\fR=\fIvalue1\fR/\fItype2\fR=...
This option is required.

.TP
.I subjectAltName
Comma\-separated list of Subject Alternative Names, in the form
\fItype0\fR:\fIvalue1\fR,\fItype1\fR:\fIvalue1\fR,\fItype2\fR:...
The only \fItype\fR currently supported is \(lqDNS\(rq, to specify an
alternative domain name.

.TP
.I chown
An optional \fIusername\fR[:\fIgroupname\fR] to chown the issued
\fIcertificate\fR and \fIcertificate\-chain\fR with.

.TP
.I chmod
An optional octal mode to chmod the issued \fIcertificate\fR and
\fIcertificate\-chain\fR with.

.TP
.I notify
Command to pass the the system's command shell (\(lq/bin/sh \-c\(rq)
after successful installation of the \fIcertificate\fR and/or
\fIcertificate\-chain\fR.


.SH EXAMPLES

.nf
    ~$ sudo letsencrypt new-reg mailto:noreply@example.com
    ~$ sudo letsencrypt reg=/acme/reg/137760 --agreement-uri=https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf
    ~$ sudo letsencrypt new-cert
    ~$ sudo letsencrypt revoke-cert /path/to/server/certificate.pem
.fi


.SH SEE ALSO
\fBletsencrypt\-accountd\fR(1)

.SH AUTHOR
.ie \n[www-html] \{\
  Written by
. MTO guilhem@fripost.org "Guilhem Moulin" .
\}
.el \{\
  Written by Guilhem Moulin
. MT guilhem@fripost.org
. ME .
\}