acmetool(8)                 System Manager's Manual                acmetool(8)

       acmetool - request certificates from ACME servers automatically

       acmetool [<flags>] <command> [<args> ...]

       acmetool is a utility for the automated retrieval, management and
       renewal of certificates from ACME servers such as Let's Encrypt. It
       emphasises automation, idempotency and the minimisation of state.

       You use acmetool by configuring targets (typically using the "want"
       command).  acmetool then requests certificates as necessary to satisfy
       the configured targets. New certificates are requested where existing
       ones are soon to expire.

       acmetool stores its state in a state directory. It can be specified on
       invocation via the --state option; otherwise, the path in
       ACME_STATE_DIR is used, or, failing that, the path "/var/db/acme".
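
       The following pre-flight check for unattended runs is an added example,
       not part of acmetool or its documentation. It resolves the state
       directory in the order given above and refuses to continue if anything
       under it is world-writable; the function names and the world-writable
       policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the acmetool project): pre-flight check for cron use.

# Resolve the state directory in the documented order:
# --state value, then ACME_STATE_DIR, then /var/db/acme.
resolve_state_dir() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${ACME_STATE_DIR:-}" ]; then
        printf '%s\n' "$ACME_STATE_DIR"
    else
        printf '%s\n' /var/db/acme
    fi
}

# List entries under the state directory that any local user could modify.
# Symlinks are skipped because their own mode bits are not meaningful.
# (Policy assumed by this example; the man page does not state it.)
world_writable_entries() {
    find "$1" ! -type l -perm -002 -print
}

# Print the resolved directory and return 0 only if it is safe to use.
#   1 = directory missing, 2 = world-writable entries found
preflight() {
    dir=$(resolve_state_dir "${1:-}")
    if [ ! -d "$dir" ]; then
        echo "state directory $dir does not exist" >&2
        return 1
    fi
    bad=$(world_writable_entries "$dir")
    if [ -n "$bad" ]; then
        echo "world-writable entries in $dir:" >&2
        printf '%s\n' "$bad" >&2
        return 2
    fi
    printf '%s\n' "$dir"
}

# Typical use from a cron script (assumes acmetool is on PATH):
#   dir=$(preflight "") && acmetool --state "$dir" cull --simulate
```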

       The --xlog options control the logging. The --service options control
       privilege dropping and daemonization and are applicable only to the
       redirector subcommand.

       --help Show context-sensitive help (also try --help-long and --help-

              Path to the state directory (env: ACME_STATE_DIR)

              Path to the notification hooks directory (env: ACME_HOOKS_DIR)

              Do not attempt interaction; useful for cron jobs. (acmetool can
              still obtain responses from a response file, if one was

              Don't attempt to use console dialogs; fall back to stdio prompts

              Read dialog responses from the given file (default:

              Print version information

              Syslog facility to use

              Log to syslog?

              Syslog severity limit

              Log to systemd journal?

              Systemd journal severity limit

              Log severity (any syslog severity name or number)

              Log to filename

              File logging severity limit

              Log to stderr?

              stderr logging severity limit

              Write CPU profile to file

              Address for debug server to listen on (do not specify a public
              address) (default: disabled)

              UID to run as (default: don't drop privileges)

              GID to run as (default: don't drop privileges)

              Run as daemon? (doesn't fork)

              Keep stderr open when daemonizing

              Chroot to a directory (must set UID, GID) ("/" disables)

              Write PID to file with given filename and hold a write lock

              Fork? (implies -daemon)

   help [<command>...]
       Show help.

       Reconcile ACME state, idempotently requesting and renewing certificates
       to satisfy configured targets.

       This is the default command.

   cull [<flags>]
       Delete expired, unused certificates

       -n, --simulate
              Show which certificates would be deleted without deleting any

       Show active configuration

   want [<flags>] <hostname>...
       Add a target with one or more hostnames

              Specify --no-reconcile to skip reconcile after adding target

   unwant <hostname>...
       Modify targets to remove any mentions of the given hostnames

   quickstart [<flags>]
       Interactively ask some getting started questions (recommended)

              Ask more questions in quickstart wizard

   redirector [<flags>]
       HTTP to HTTPS redirector with challenge response support

              Path to serve challenge files from

              GID to chgrp the challenge path to (optional)

              Maximum duration before timing out read of the request (default:

              Maximum duration before timing out write of the request
              (default: '20s')

              HTTP status code to use when redirecting (default '308')

   test-notify [<hostname>...]
       Test-execute notification hooks as though given hostnames were updated

   import-jwk-account <provider-url> <private-key-file>
       Import a JWK account key

   import-pem-account <provider-url> <private-key-file>
       Import a PEM account key

   import-key <private-key-file>
       Import a certificate private key

   import-le [<le-state-path*>]
       Import a Let's Encrypt client state directory

   revoke [<certificate-id-or-path>]
       Revoke a certificate

       Prints account thumbprints

       © 2015 Hugo Landau  MIT License

                                   acmetool                        acmetool(8)