Using the ACME client

The Sectigo Preconfigured ACME client works on various platforms (Linux, Windows, macOS) with these syntaxes:

  • Linux/mac:

    ./spacme [command]

  • Windows:

    spacme.exe [command]

Process the config file

To issue or renew certificates based on your configuration:

  • Linux/mac:

    ./spacme process

  • Windows:

    spacme.exe process

This command will:

  • Check if a certificate already exists.

  • Determine if renewal is necessary.

  • Communicate with the ACME server and solve DNS challenges.

  • Save the resulting certificates to the certs/ directory.

About the output files

All certificates and related files are stored in the certs/<name>/ directory.

  • fullchain.pem: Contains the full certificate chain (your certificate followed by the issuer certificates).

  • cert.pem: The leaf certificate only.

  • chain.pem: The issuer/CA chain only.

  • privkey.pem: The private key associated with your certificate. Keep this file secure.

  • spacme_metadata.json: Internal metadata used by the client to track certificate state and renewal requirements.

  • archived/: A subdirectory where old certificate files are moved after a successful renewal.

  • revoked/: A subdirectory where certificates are moved after a successful revocation.

Automatic renewal

The client can automatically register itself in your system’s task scheduler to ensure certificates never expire.

To enable automatic renewal:

  • Linux/mac:

    ./spacme register-autorenew

  • Windows:

    spacme.exe register-autorenew

This registers a task in Cron (Linux/macOS) or Task Scheduler (Windows).

To disable automatic renewal:

  • Linux/mac:

    ./spacme deregister-autorenew

  • Windows:

    spacme.exe deregister-autorenew

Revoke a certificate

To revoke a certificate that is compromised or no longer needed:

  • Linux/mac:

    ./spacme revoke --name <cert_name or common_name> --reason <reason_code>

  • Windows:

    spacme.exe revoke --name <cert_name or common_name> --reason <reason_code>

Valid reason codes are:

  • 0 (Unspecified, default)

  • 1 (keyCompromise)

  • 4 (superseded)

  • 5 (cessationOfOperation)

Troubleshooting

Finding logs

Location of log files depends on your OS. Use one of the following commands to find the location:

  • Linux/mac:

    ./spacme open-logs

  • Windows:

    spacme.exe open-logs

  • logs.txt: Contains logs from manual command executions.

  • autorenew/logs.txt: Contains logs from scheduled automatic renewal tasks.

Finding ACME account cache

ACME account authorizations are cached to be reused when renewing or revoking certificates. You can inspect those files by opening the state directory:

  • Linux/mac:

    ./spacme open-state

  • Windows:

    spacme.exe open-state