Client Configuration

Setting the directory

When the ACME server is up and running, each client has to be pointed at the server's directory URL. How this is done depends on the client and is described in its own documentation; the following clients have been tested against the server and are therefore covered here.

  • acme-tiny: Pass the --directory-url argument when running the client:

    acme-tiny --directory-url https://my-server.com/directory
    
  • Certbot: Set the server option in a configuration file (certbot.ini here, passed with -c) and optionally set config-dir, which defaults to /etc/letsencrypt, so that accounts and certificates for this server are kept apart from any Let's Encrypt setup on the same host.

    certbot.ini:

    server = https://my-server.com/directory
    config-dir = /etc/my_server_acme
    
  • AcmeClient: Pass the directory URL when initializing the client object.

    from acmetk.client import AcmeClient
    
    client = AcmeClient(
       directory_url="https://my-server.com/directory",
       private_key=...,
       contact=...,
    )
    
  • Dehydrated: Set the CA option in the config file and pass that file with --config when running dehydrated.

    ./config:

    CA=https://my-server.com/directory
    
    dehydrated --config ./config
    

External Account Binding

ACME servers may be configured to require that every new account registration carries an external account binding, which proves that the account holder controls some resource outside of the ACME account key itself; see RFC 8555, section 7.3.4 (External Account Binding).

The mechanism implemented in this package, AcmeEAB, uses TLS client certificates to identify a user. The user loads their client certificate into a browser, visits https://my-server.com/eab and copies the kid and hmac_key values shown there; both are then supplied when registering a new account. The hmac_key is the base64url-encoded MAC key and must be treated as a secret: whoever holds it together with the kid can bind a new ACME account to that identity. The following shows how to pass the values to Certbot if the kid (equal to the email address in the certificate) is certmail@my-server.com and the hmac_key is L6-GB7Jj-CNNpSAJUgGzZw:

certbot -c certbot.ini register --agree-tos -m certmail@my-server.com \
    --eab-kid certmail@my-server.com \
    --eab-hmac-key L6-GB7Jj-CNNpSAJUgGzZw
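
What the two values are used for becomes clearer when the binding is built by hand. The following is an added example written for this page; it is not code from acmetk's AcmeEAB or from Certbot. It first reads a constructed directory document to find the newAccount URL and the meta.externalAccountRequired flag (RFC 8555, section 7.1.1), then builds the externalAccountBinding JWS exactly as section 7.3.4 prescribes (HS256 over the account public key, kid and newAccount URL in the protected header, no nonce) and shows the check a server performs on it. The kid and hmac_key are the sample values from the Certbot command above; the newAccount URL is an assumed sample path, and the account JWK is the example EC key from RFC 7515 rather than a key derived from a real account private key.

```python
"""Build and verify an RFC 8555 section 7.3.4 externalAccountBinding.

Added illustration for this page, not acmetk's AcmeEAB or Certbot's code.
The directory document, the newAccount URL and the account JWK are constructed
sample data; kid and hmac_key are the values shown in the text above.
"""
import base64
import hashlib
import hmac
import json

KID = "certmail@my-server.com"          # from the page's Certbot example
HMAC_KEY = "L6-GB7Jj-CNNpSAJUgGzZw"     # base64url MAC key from the page
NEW_ACCOUNT_URL = "https://my-server.com/new-account"  # assumption: sample path

# Constructed directory response, as a client would GET it from
# https://my-server.com/directory. The externalAccountRequired flag lives in
# the "meta" object (RFC 8555 section 7.1.1).
SAMPLE_DIRECTORY = {
    "newNonce": "https://my-server.com/new-nonce",
    "newAccount": NEW_ACCOUNT_URL,
    "newOrder": "https://my-server.com/new-order",
    "revokeCert": "https://my-server.com/revoke-cert",
    "keyChange": "https://my-server.com/key-change",
    "meta": {"externalAccountRequired": True},
}

# Public half of the account key as a JWK. These coordinates are the example
# P-256 key from RFC 7515 appendix A.3, used here as a stand-in for a real
# account key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Unpadded base64url as used throughout JWS/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def directory_requires_eab(directory: dict) -> bool:
    """True if the server advertises that newAccount needs an EAB."""
    return bool(directory.get("meta", {}).get("externalAccountRequired", False))


def build_eab(kid: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: JWS over the account public key, MACed with the EAB key."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}  # no nonce, per 7.3.4
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def new_account_request(contact: str, eab: dict) -> dict:
    """Payload of the newAccount POST that carries the binding."""
    return {"contact": [f"mailto:{contact}"], "termsOfServiceAgreed": True,
            "externalAccountBinding": eab}


def verify_eab(eab: dict, mac_keys: dict, account_jwk: dict, new_account_url: str) -> bool:
    """Server side checks from RFC 8555 section 7.3.4.

    mac_keys maps kid -> base64url MAC key, standing in for the server's
    lookup of the key that was handed out for that kid.
    """
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if protected.get("alg") != "HS256" or "nonce" in protected:
        return False
    if protected.get("url") != new_account_url:
        return False
    key_b64 = mac_keys.get(protected.get("kid"))
    if key_b64 is None:
        return False
    # The inner payload must be the very key that signs the outer request.
    if payload != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    if directory_requires_eab(SAMPLE_DIRECTORY):
        eab = build_eab(KID, HMAC_KEY, SAMPLE_ACCOUNT_JWK, SAMPLE_DIRECTORY["newAccount"])
        print(json.dumps(new_account_request(KID, eab), indent=2))
        print("server accepts:", verify_eab(eab, {KID: HMAC_KEY}, SAMPLE_ACCOUNT_JWK,
                                            SAMPLE_DIRECTORY["newAccount"]))
```

The binding only ties the identity to the account key through the MAC, so the server's check must look up the key by kid, refuse a nonce in the protected header, compare the inner JWK against the outer request's signing key and verify the MAC in constant time; skipping any of these lets a holder of someone else's kid, or of a stale key, register under that identity.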