ACMETOOL(8) - Linux man page online | Administration and privileged commands

Request certificates from ACME servers automatically.

acmetool(8) System Manager's Manual acmetool(8)


acmetool - request certificates from ACME servers automatically


acmetool [<flags>] <command> [<args> ...]


acmetool is a utility for the automated retrieval, management and renewal of certificates from ACME servers such as Let's Encrypt. It emphasises automation, idempotency and the minimisation of state.

You use acmetool by configuring targets (typically using the "want" command). acmetool then requests certificates as necessary to satisfy the configured targets. New certificates are requested where existing ones are soon to expire.

acmetool stores its state in a state directory. It can be specified on invocation via the --state option; otherwise, the path in ACME_STATE_DIR is used, or, failing that, the path "/var/lib/acme" (recommended).

The --xlog options control the logging. The --service options control privilege dropping and daemonization and are applicable only to the redirector subcommand.


--help
       Show context-sensitive help (also try --help-long and --help-man).

--state=/var/lib/acme
       Path to the state directory (env: ACME_STATE_DIR)

--hooks=/etc/acme/hooks
       Path to the notification hooks directory (env: ACME_HOOKS_DIR)

--batch
       Do not attempt interaction; useful for cron jobs. (acmetool can still obtain responses from a response file, if one was provided.)

--stdio
       Don't attempt to use console dialogs; fall back to stdio prompts

--response-file=RESPONSE-FILE
       Read dialog responses from the given file (default: $ACME_STATE_DIR/conf/responses)

--version
       Print version information

--xlog.facility=daemon
       Syslog facility to use

--xlog.syslog
       Log to syslog?

--xlog.syslogseverity=DEBUG
       Syslog severity limit

--xlog.journal
       Log to systemd journal?

--xlog.journalseverity=DEBUG
       Systemd journal severity limit

--xlog.severity=NOTICE
       Log severity (any syslog severity name or number)

--xlog.file=""
       Log to filename

--xlog.fileseverity=TRACE
       File logging severity limit

--xlog.stderr
       Log to stderr?

--xlog.stderrseverity=TRACE
       stderr logging severity limit

--service.cpuprofile=""
       Write CPU profile to file

--service.debugserveraddr=""
       Address for debug server to listen on (do not specify a public address) (default: disabled)

--service.uid=""
       UID to run as (default: don't drop privileges)

--service.gid=""
       GID to run as (default: don't drop privileges)

--service.daemon
       Run as daemon? (doesn't fork)

--service.stderr
       Keep stderr open when daemonizing

--service.chroot=""
       Chroot to a directory (must set UID, GID) ("/" disables)

--service.pidfile=""
       Write PID to file with given filename and hold a write lock

--service.fork
       Fork? (implies -daemon)


help [<command>...]
       Show help.

reconcile
       Reconcile ACME state, idempotently requesting and renewing certificates to satisfy configured targets. This is the default command.

cull [<flags>]
       Delete expired, unused certificates

       -n, --simulate
              Show which certificates would be deleted without deleting any

status
       Show active configuration

want [<flags>] <hostname>...
       Add a target with one or more hostnames

       --reconcile
              Specify --no-reconcile to skip reconcile after adding target

unwant <hostname>...
       Modify targets to remove any mentions of the given hostnames

quickstart [<flags>]
       Interactively ask some getting started questions (recommended)

       --expert
              Ask more questions in quickstart wizard

redirector [<flags>]
       HTTP to HTTPS redirector with challenge response support

       --path=PATH
              Path to serve challenge files from

       --challenge-gid=CHALLENGE-GID
              GID to chgrp the challenge path to (optional)

       --read-timeout=10s
              Maximum duration before timing out read of the request (default: '10s')

       --write-timeout=20s
              Maximum duration before timing out write of the request (default: '20s')

       --status-code=308
              HTTP status code to use when redirecting (default '308')

test-notify [<hostname>...]
       Test-execute notification hooks as though given hostnames were updated

import-jwk-account <provider-url> <private-key-file>
       Import a JWK account key

import-pem-account <provider-url> <private-key-file>
       Import a PEM account key

import-key <private-key-file>
       Import a certificate private key

import-le [<le-state-path*>]
       Import a Let's Encrypt client state directory

revoke [<certificate-id-or-path>]
       Revoke a certificate

account-thumbprint
       Prints account thumbprints
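The following wrapper helpers are an added example, not part of acmetool or this manual. They apply the state directory precedence and the --service privilege-dropping constraints described above when composing command lines. The function names, the permission policy in state_dir_ok and the sample uid, gid and chroot values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wrapper helpers around acmetool, not shipped with it.

# State directory precedence from the description:
# --state value, then ACME_STATE_DIR, then /var/lib/acme.
acme_state_dir() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"
    elif [ -n "${ACME_STATE_DIR:-}" ]; then printf '%s\n' "$ACME_STATE_DIR"
    else printf '%s\n' /var/lib/acme
    fi
}

# Succeeds only if the directory exists and is neither group- nor
# world-writable (policy chosen for this example, not an acmetool rule).
state_dir_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Print a redirector command line that drops privileges.
# Arguments: uid gid [chroot-dir]; global flags precede the subcommand,
# following the synopsis.
redirector_cmd() {
    uid=${1:-} gid=${2:-} chroot=${3:-}
    # Empty uid/gid is acmetool's "don't drop privileges" default; root
    # as the target identity would make the drop pointless.
    case "$uid" in ''|0|root) echo "need a non-root uid" >&2; return 1 ;; esac
    case "$gid" in ''|0|root) echo "need a non-root gid" >&2; return 1 ;; esac
    set -- acmetool "--service.uid=$uid" "--service.gid=$gid"
    # --service.chroot requires uid and gid (checked above); "/" disables it.
    if [ -n "$chroot" ] && [ "$chroot" != "/" ]; then
        set -- "$@" "--service.chroot=$chroot"
    fi
    printf '%s\n' "$* redirector"
}

# Print the non-interactive renewal command for a cron job.
reconcile_cmd() {
    printf 'acmetool --batch --state=%s reconcile\n' "$(acme_state_dir "${1:-}")"
}
```

The functions only print command lines, so the output can be reviewed before it is placed in a unit file or crontab.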


© 2015 Hugo Landau <> MIT License


Documentation: <> Report bugs at: <>
acmetool acmetool(8)