Attention: this version of acme-client has been archived, as it now
lives in OpenBSD base.
If you're using the upstream version of this code, you're using old code!
The live code, /usr/sbin/acme-client in OpenBSD, is well-maintained and current.
See the CVS repository for
If you can't use OpenBSD, the current code-base can fairly easily be ported, but this is not an effort I have a
Please see the portable version's GitHub
README.md for hints.
I'm leaving this page up for historical reference.
Be up-front about security:
OpenSSL is known to have issues,
you can't trust what comes down the pipe,
and your private key's integrity is a hard requirement.
Not a situation where you can be careless.
acme-client is a client for Let's Encrypt users, but one designed for security.
A straightforward, open source
implementation in C that isolates each step of the sequence.
request, receive, and serialise the certificate chain from the issuer
Why so complicated?
Key integrity and trust.
You don't want the private key processes interacting with anybody else (acctproc.c, keyproc.c).
You don't want network-touching processes interacting with the file-system (dnsproc.c and netproc.c). You
don't want the process parsing (revokeproc.c) your
certificate — which comes down the pipe and might be rigged to blow — to touch your file-system
or the network.
Same goes with the process converting the downloaded certificates to the format usable by your web
Moreover, you don't want the process scribbling in your webroot to scribble elsewhere (chngproc.c).
Same goes with the process scribbling in your public certificate directory (fileproc.c).
In the diagramme, processes with file-system write access are in red.
and are isolated in a chroot(2) file-system jail.
Those with network access are in blue and
are pledge(2)ed only for networking and DNS
Orange nodes are off-site.
All other processes are locked down with full pledge(2)s.
Each process uses the fork+exec model:
Use of fork+exec in privilege separated programs. The strategy is to give each process a fresh &
unique address space for ASLR, stack protector — as protection against address space
discovery attacks. (From OpenBSD's innovations.)
In the portable version without pledge(2),
all processes but the red are privilege-dropped and chroot(2)ed.
The red file-system processes do not drop privileges.