Migration from v4 to v5

This section contains migration guides for migrating from v4 to v5.

  • CLI Guide: This guide describes the changes between the v4 and v5 versions of the command line.
  • Library Guide: This guide describes the changes between the v4 and v5 versions of the library.
May 13, 2026

Subsections of Migration from v4 to v5

CLI Guide

This guide describes the changes between the v4 and v5 versions of the command line.

Caution

Please run the new v5 command lego migrate before running any other commands.

This command will migrate the file structure to the new one.

This is a requirement.

This command will not work if you were using the deprecated --filename flag.

If you need help, please open a discussion.

Commands

The global flags have been moved to flags of the commands.

Example:

# Before
lego --dns foo -d '*.example.com' -d example.com run
# After
lego run --dns foo -d '*.example.com' -d example.com

The command renew has been removed because the command run is able to renew certificates.

The command list has been removed and replaced by accounts list and certificates list.

The command revoke has been removed and replaced by certificates revoke.

Flags

Some flags have been changed, renamed or removed:

v4                              Change type            v5
--disable-cn                    removed and replaced   --enable-cn
--dns.disable-cp                removed and replaced   --dns.propagation.wait
--dns.propagation-wait          renamed                --dns.propagation.wait
--dns.propagation-disable-ans   renamed                --dns.propagation.disable-ans
--dns.propagation-rns           removed and replaced   --dns.propagation.disable-rns
--dns-timeout                   renamed                --dns.timeout
--kid                           renamed                --eab.kid
--hmac                          renamed                --eab.hmac
--days                          renamed                --renew-days (see note 1)
--dynamic                       removed                This is the default behavior now.
--run-hook                      renamed                --deploy-hook
--renew-hook                    renamed                --deploy-hook
--tls.port                      renamed                --tls.address
--http.port                     renamed                --http.address
--pfx.pass                      renamed                --pfx.password

Directory structure

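The directory structure has been changed. The first tree below is the v4 layout (account key inside a keys subdirectory); the second is the v5 layout (account key stored next to account.json).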

.
├── accounts
│   └── <server-name-1>
│       ├── <account-name-1>
│       │   ├── account.json
│       │   └── keys
│       │       └── <account-name-1>.key
│       └── <account-name-2>
│           ├── account.json
│           └── keys
│               └── <account-name-2>.key
└── certificates
    ├── example.com.crt
    ├── example.com.issuer.crt
    ├── example.com.json
    ├── example.com.key
    ├── example.org.crt
    ├── example.org.issuer.crt
    ├── example.org.json
    └── example.org.key

.
├── accounts
│   └── <server-name-1>
│       ├── <account-name-1>
│       │   ├── account.json
│       │   └── <account-name-1>.key
│       └── <account-name-2>
│           ├── account.json
│           └── <account-name-2>.key
└── certificates
    ├── example.com.crt
    ├── example.com.issuer.crt
    ├── example.com.json
    ├── example.com.key
    ├── example.org.crt
    ├── example.org.issuer.crt
    ├── example.org.json
    └── example.org.key

Both the directory structure and the content of the JSON files have changed, so don’t migrate the files manually.

To migrate the directory structure and the files, run the command lego migrate.

If you need to do it manually, please open a discussion and we will help you.

Environment variables

The following environment variables have been removed without replacement:

  • SELECTEL_BASE_URL
  • VSCALE_BASE_URL

The following environment variables related to the hook have been renamed:

v4                    v5
LEGO_ACCOUNT_EMAIL    LEGO_HOOK_ACCOUNT_EMAIL
LEGO_CERT_DOMAIN      LEGO_HOOK_CERT_NAME
LEGO_CERT_PATH        LEGO_HOOK_CERT_PATH
LEGO_CERT_KEY_PATH    LEGO_HOOK_CERT_KEY_PATH
LEGO_CERT_PEM_PATH    LEGO_HOOK_CERT_PEM_PATH
LEGO_CERT_PFX_PATH    LEGO_HOOK_CERT_PFX_PATH

CommonName

Support for the common name is disabled by default.

PEM encoding

Lego uses PKCS#8 instead of PKCS#1 for PEM encoding.

Default resolver/nameserver fallbacks

The default resolver/nameserver fallbacks have been changed.

  • google-public-dns-a.google.com:53
  • google-public-dns-b.google.com:53
  • 1.1.1.1:53
  • 1.0.0.1:53
  • [2606:4700:4700::1111]:53
  • [2606:4700:4700::1001]:53

  1. By default, the renewal time is dynamically computed (the behavior of the previous --dynamic flag).

Library Guide

This guide describes the changes between the v4 and v5 versions of the library.

Context

Most of the functions and methods are now using a context.

Example:

// Before
client.Certificate.Obtain(request)
// After
client.Certificate.Obtain(context.TODO(), request)

Logger

The logger is now slog and can be set using the log.SetDefault(logger) function.

DNS core client

The function dns01.ParseNameservers() is removed.

The function dns01.RecursiveNSsPropagationRequirement() is removed and replaced by dns01.DisableAuthoritativeNssPropagationRequirement().

The function dns01.AddRecursiveNameservers() is removed and replaced by an option dns01.Options.RecursiveNameservers.

opts := &dns01.Options{RecursiveNameservers: []string{"8.8.8.8"}}

dns01.SetDefaultClient(dns01.NewClient(opts))

The function dns01.AddDNSTimeout() is removed and replaced by an option dns01.Options.DNSTimeout.

opts := &dns01.Options{Timeout: 2*time.Second}

dns01.SetDefaultClient(dns01.NewClient(opts))

Method and function changes

v4                             v5
crypto.GenerateCSR             crypto.CreateCSR
crypto.GetKeyType              crypto.ToKeyType
Certifier.RenewWithOption      Certifier.Renew
OrderService.NewWithOptions    OrderService.New
acmedns.NewDNSProviderClient   acmedns.NewDNSProviderConfig
scaleway.Config.Token          scaleway.Config.SecretKey

The functions and methods related to the private key are now using the crypto.Signer interface instead of the crypto.PrivateKey type.

The following methods now return an *acme.ExtendedAccount instead of a *registration.Resource:

  • registration.Registrar.Register
  • registration.Registrar.RegisterWithExternalAccountBinding
  • registration.Registrar.QueryRegistration
  • registration.Registrar.UpdateRegistration
  • registration.Registrar.ResolveAccountByKey

The structure registration.Resource has been removed.

The method http01.ProviderServer.SetProxyHeader() is removed and replaced by an option http01.Options.ProxyHeaderName.

Field changes

The field RetryAfter of acme.RateLimitedError and acme.ExtendedChallenge is now a time.Duration instead of a string.

CertifierOptions

CommonName

Support for the common name is disabled by default.

The field DisableCommonName of certificate.CertifierOptions has been removed.

The option is now determined by the EnableCommonName field of the certificate.ObtainRequest and certificate.ObtainForCSRRequest.

KeyType

The field KeyType of certificate.CertifierOptions has been removed.

The key type is now determined by the KeyType field of the certificate.ObtainRequest.

certcrypto.KeyType

The string values of the certcrypto.KeyType enum have been changed:

v4      v5
P256    EC256
P384    EC384
2048    RSA2048
3072    RSA3072
4096    RSA4096
8192    RSA8192

Removed elements

The following elements have been removed without replacements:

  • selectel.Config.BaseURL
  • selectel.EnvBaseURL
  • SELECTEL_BASE_URL
  • vscale.Config.BaseURL
  • vscale.EnvBaseURL
  • VSCALE_BASE_URL
  • ipv64.Config.SequenceInterval
  • netcup.Config.TTL
  • netcup.EnvTTL
  • vultr.Config.HTTPTimeout

Package changes

The package platform/config/env has been moved to platform/env.

The following packages have been removed:

  • platform/tester
  • platform/wait

PEM encoding

Lego uses PKCS#8 instead of PKCS#1 for PEM encoding.
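
Code that reads private key files during or after the upgrade has to cope with both encodings and, per the crypto.Signer change above, should hand the key on as a crypto.Signer. The following is an added example, not code from lego: it uses only the Go standard library, the names LoadSigner and sampleKeys are hypothetical, and it also accepts SEC1 "EC PRIVATE KEY" blocks, which goes beyond the PKCS#1 case named here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// LoadSigner parses a PEM private key and returns it as a crypto.Signer with its PEM block type.
func LoadSigner(pemBytes []byte) (signer crypto.Signer, pemType string, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", fmt.Errorf("no PEM block found")
	}
	var key any
	switch block.Type {
	case "PRIVATE KEY": // PKCS#8, the encoding v5 uses
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY": // PKCS#1
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // SEC1
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default: // certificates, encrypted keys and anything else are refused
		err = fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return nil, "", err
	}
	if s, ok := key.(crypto.Signer); ok {
		return s, block.Type, nil
	}
	return nil, "", fmt.Errorf("%T does not implement crypto.Signer", key)
}

// sampleKeys encodes one throwaway RSA key (constructed sample) as PKCS#1 and as PKCS#8.
func sampleKeys() (pkcs1PEM, pkcs8PEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	p8, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8})
}

func main() {
	legacy, _ := sampleKeys()
	_, pemType, err := LoadSigner(legacy)
	fmt.Println(pemType, err)
}
```

The returned block type tells a caller which key files are still in a pre-v5 encoding, without ever printing key material.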

Default resolver/nameserver fallbacks

The default resolver/nameserver fallbacks have been changed.

  • google-public-dns-a.google.com:53
  • google-public-dns-b.google.com:53
  • 1.1.1.1:53
  • 1.0.0.1:53
  • [2606:4700:4700::1111]:53
  • [2606:4700:4700::1001]:53