References

This section contains references to commands, flags, and the configuration file.

May 13, 2026

Subsections of References

Configuration file

This describes the configuration file format.

lego looks for configuration files in the following paths from the current working directory:

  • .lego.yml
  • .lego.yaml

The configuration file can be validated with the JSON Schema: lego.jsonschema.json

Global configuration

# Path to the directory to use for storing the data.
#
# Default: ./lego
storage: /tmp/lego/

# The network stack to use.
# It can be:
# - ipv6only
# - ipv4only
#
# Default: both
networkStack: ipv6only

# The user agent to use when connecting to the ACME server.
#
# Default: information related to lego.
userAgent: foo

Certificates

# When a certificate definition is removed from the configuration file, the corresponding certificate files are archived.
# The archives are deleted after 30 days.
certificates:
  
  # The ID/Name of the certificate.
  myCert:
    # The challenge type.
    # It can be:
    # 1. `http-01` (This is a special name to use the default HTTP challenge provider)
    # 2. `tls-alpn-01` (This is a special name to use the default TLS-ALPN-01 challenge provider)
    # 3. a reference to the ID of a challenge provider defined in the configuration section `challenges`.
    #
    # Required.
    challenge: one
    
    # The account ID/Name.
    # If there is no account defined in the configuration file, the default account is used.
    # If there is only one account defined in the configuration file, the account ID can be omitted.
    #
    # Required.
    account: foo
    
    # The key type used to generate the certificate.
    # If not set, use the account key type, or EC256 if no account key type is defined.
    #
    # Required.
    keyType: RSA2048
    
    # The domains to request a certificate for.
    #
    # Mutually exclusive with `csr`.
    domains:
      - example.com
      - '*.example.com'
    
    # The path to a Certificate Signing Request (CSR) file.
    #
    # Mutually exclusive with `domains`.
    csr: /tmp/foo.csr

    # The preferred chain to use.
    #
    # Optional.
    preferredChain: "ISRG Root X1"
    
    # The ACME server profile.
    #
    # Optional.
    profile: "tls"
    
    # Enable the use of the Common Name (CN) in the certificate.
    # CN is deprecated and should not be used.
    #
    # Optional.
    # Default: false
    enableCommonName: true
    
    # The notBefore field in the certificate.
    #
    # Optional.
    notBefore: ""

    # The notAfter field in the certificate.
    #
    # Optional.
    notAfter: ""
    
    # Do not create a certificate bundle by adding the issuer's certificate to the new certificate.
    #
    # Default: false
    noBundle: true

    # Include the OCSP must staple TLS extension in the CSR and generated certificate.
    # Only works if the CSR is generated by lego.
    #
    # Default: true
    mustStaple: false
    
    # Force the authorizations to be relinquished even if the certificate request was successful.
    #
    # Default: false
    alwaysDeactivateAuthorizations: true
    
    # Options for the certificate renewal.
    #
    # Optional.
    renew:
      # Reuse the private key if it exists.
      #
      # Optional.
      # Default: false
      reuseKey: true
      
      
      # The number of days left on a certificate to renew it.
      # 
      # By default, compute dynamically, based on the lifetime of the certificate(s), when to renew:
      # use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates.
      days: 1
  
      # Do not add a random sleep before the renewal.
      #
      # We do not recommend using this option if you are doing your renewals in an automated way.
      #
      # Default: false
      disableRandomSleep: true
      
      # ARI configuration.
      #
      # Optional.
      ari:
        # Disable the ARI mechanism.
        #
        # Default: false
        disable: true
        
        # The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.
        # 
        # Default: 0s
        waitToRenewDuration: 1m
    
    # Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.
    # 
    # Optional.
    pfx:
      # The password used to encrypt the .pfx (PKCS#12) file.
      #
      # Required.
      password: xxx
      
      # The encoding format to use when encrypting the .pfx (PKCS#12) file.
      #
      # Supported:
      # - DES
      # - RC2
      # - SHA256
      # - PBMAC1
      #
      # Optional.
      # Default: RC2
      format: PBMAC1

Challenges

# The challenge configurations.
challenges:
  # The ID/Name of the challenge.
  #
  # Required.
  one:
    # The HTTP-01 challenge configuration.
    #
    # Optional.
    http:
      # The address to listen on.
      #
      # Default: ":80"
      address: ":80"
      
      # Delay between the start of the HTTP server (used for HTTP-01 based challenges) and the validation of the challenge.
      #
      # Default: 0s
      delay: 6s
      
      # Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.
      #
      # Optional.
      proxyHeader: Host

      # The webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file.
      # This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge.
      #
      # Optional.
      webroot: /tmp/webroot

      # The memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
      #
      # Optional.
      memcachedHosts:
        - memcached:11211
      
      # The S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
      s3Bucket: 's3-bucket'

  # The ID/Name of the challenge.
  #
  # Required.
  two:
    # The TLS-ALPN-01 challenge configuration.
    #
    # Optional.
    tls:
      # The address to listen on.
      #
      # Default: ":443"
      address: ":443"

      # Delay between the start of the TLS listener (used for TLS-ALPN-01 based challenges) and the validation of the challenge.
      #
      # Default: 0s
      delay: 6s

  # The ID/Name of the challenge.
  #
  # Required.
  three:
    # The DNS-01 challenge configuration.
    #
    # Optional.
    dns:
      # The DNS provider.
      #
      # Required.
      provider: cloudflare
      
      # The path to the dotenv file containing the credentials.
      #
      # Optional.
      envFile: /tmp/secrets/.env
      
      # The configuration related to propagation check.
      #
      # Optional.
      propagation:
        # By setting this option to true,
        # disables the need to await propagation of the TXT record to all authoritative name servers.
        #
        # Default: false
        disableAuthoritativeNameservers: true

        # By setting this option to true,
        # disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers).
        #
        # Default: false
        disableRecursiveNameservers: true

        # Disables all the propagation checks of the TXT record and uses a wait duration instead.
        #
        # This option is strongly discouraged.
        #
        # Default: 0
        wait: 5s

      # Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.
      #
      # Default: 10
      dnsTimeout: 30

      # Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination.
      #
      # For DNS-01 challenge verification, the authoritative DNS server is queried directly.
      #
      # Supported syntax: host:port.
      #
      # Optional.
      # The default is to use the system resolvers, or Google's DNS resolvers if the system ones cannot be determined.
      resolvers:
        - 1.1.1.1:53

  # The ID/Name of the challenge.
  #
  # Required.
  four:
    # The DNS-PERSIST-01 challenge configuration.
    #
    # Optional.
    dnsPersist:
      # Override the issuer-domain-name to use for DNS-PERSIST-01 when multiple are offered.
      # Must be offered by the challenge.
      #
      # Optional.
      issuerDomainName: example.com

      # Set the optional `persistUntil` for DNS-PERSIST-01 records as an RFC3339 timestamp.
      #
      # Optional.
      persistUntil: 2020-01-01T00:00:00Z

      # The configuration related to propagation check.
      #
      # Optional.
      propagation:
        # By setting this option to true,
        # disables the need to await propagation of the TXT record to all authoritative name servers.
        #
        # Default: false
        disableAuthoritativeNameservers: true

        # By setting this option to true,
        # disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers).
        #
        # Default: false
        disableRecursiveNameservers: true

        # Disables all the propagation checks of the TXT record and uses a wait duration instead.
        #
        # This option is strongly discouraged.
        #
        # Default: 0
        wait: 5s

Accounts

Defining an account is optional: lego will create one for you by default on the Let’s Encrypt ACME server.

If you want to use a different ACME server, or if you want to customize the account, you can define it in the configuration file.

# When an account definition is removed from the configuration file, the corresponding account files are archived.
# The archives are deleted after 30 days.
accounts:
  # The ID/Name of the account.
  #
  # Required.
  myAccount:
    # The ACME server.
    #
    # It can be:
    # 1. a URL
    # 2. a short code (see the shortcode section)
    # 3. a reference to the ID of a server defined in the servers configuration section
    #
    # Default: https://acme-v02.api.letsencrypt.org/directory
    server: https://example.com/dir
    
    # The account email.
    #
    # Optional.
    email: foo@example.com
    
    # The key type used to generate the account private key.
    #
    # Default: EC256
    keyType: RSA2048
    
    # The acceptance of the terms of service.
    #
    # Default: false
    acceptsTermsOfService: true
    
    # The External Account Binding (EAB) configuration.
    #
    # Optional.
    eab:
      # The External Account Binding (EAB) KID.
      #
      # Required.
      kid: foo
      # The External Account Binding (EAB) HMAC key.
      #
      # Required.
      hmacKey: foo

Servers

servers:
  # The ID/Name of the server.
  #
  # Required.
  myServer:
    # The ACME server URL.
    #
    # Required.
    url: https://example.com/dir

    # ACME overall requests limit.
    #
    # Default: 18
    overallRequestLimit: 7

    # Skip the TLS verification of the ACME server.
    #
    # Default: false
    tlsSkipVerify: true

    # The HTTP timeout value, in seconds.
    #
    # Default: 30
    httpTimeout: 60

    # The certificate timeout value, in seconds.
    # Only used when getting certificates.
    #
    # Default: 30
    certTimeout: 60

Logging

# Logging configuration.
#
# Optional.
log:
  # The logging level.
  #
  # Default: info
  level: debug
  
  # The logging format.
  #
  # Supported:
  # - text
  # - json
  # - colored
  #
  # Default: colored
  format: json

Hooks

# Hooks configuration.
#
# Optional.
hooks:
  # The pre-hook.
  #
  # Optional.
  pre:
    # The command to execute.
    #
    # Required.
    command: "./my-pre-hook.sh"
    
    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
  
  # The deploy-hook.
  #
  # Optional.
  deploy:
    # The command to execute.
    #
    # Required.
    command: "./my-deploy-hook.sh"

    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
  
  # The post-hook.
  #
  # Optional.
  post:
    # The command to execute.
    #
    # Required.
    command: "./my-post-hook.sh"

    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
May 13, 2026
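
An added example, not part of the lego documentation: a small Python check that scans a `.lego.yml` for the settings this reference itself marks as discouraged or not recommended (`tlsSkipVerify`, `propagation.wait`, `disableRandomSleep`, `enableCommonName`) plus the `pfx` password and format. The `audit` function, its rule list and both sample configurations are constructed for illustration; treating `RC2`/`DES` as legacy formats is this example's assumption, and the scanner handles only the block-mapping layout used on this page.

```python
import re

# (path suffix, predicate on the scalar value, finding text).
# Suffixes are key names documented on this page. The findings restate the
# page's own warnings, except pfx.format, where calling RC2/DES "legacy" is
# this example's assumption.
RULES = [
    ("tlsSkipVerify", lambda v: v.lower() == "true",
     "TLS verification of the ACME server is skipped"),
    ("propagation.wait", lambda v: v not in ("0", "0s"),
     "propagation checks replaced by a fixed wait (strongly discouraged)"),
    ("renew.disableRandomSleep", lambda v: v.lower() == "true",
     "random sleep disabled (not recommended for automated renewals)"),
    ("enableCommonName", lambda v: v.lower() == "true",
     "Common Name enabled (CN is deprecated)"),
    ("pfx.format", lambda v: v in ("RC2", "DES"),
     "legacy PKCS#12 encryption format; PBMAC1 and SHA256 are also supported"),
    ("pfx.password", lambda v: v in ("", "changeit"),
     "PKCS#12 password is empty or the CLI default"),
]

KEY_LINE = re.compile(r"^(\s*)([\w.-]+):(?:\s+(.*))?$")


def audit(text):
    """Return [(line_no, dotted_path, finding)] for a lego config given as text.

    Simplified scanner, not a YAML parser: it follows indentation of
    'key: value' lines only (no flow style, anchors, or multi-line scalars).
    """
    findings = []
    stack = []  # [(indent, key)] of the mappings enclosing the current line
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"\s+#.*$", "", raw.rstrip())  # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "- ")):
            continue  # blank line, comment, or list item
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended before this line
        stack.append((indent, key))
        if not value:
            continue  # the key opens a nested mapping or list
        value = value.strip().strip("'\"")
        path = ".".join(k for _, k in stack)
        for suffix, is_risky, msg in RULES:
            if (path == suffix or path.endswith("." + suffix)) and is_risky(value):
                findings.append((line_no, path, msg))
    return findings


# Constructed sample: every flagged setting appears once.
SAMPLE_WEAK = """\
certificates:
  myCert:
    challenge: three
    domains:
      - example.com
    enableCommonName: true
    renew:
      disableRandomSleep: true
    pfx:
      password: changeit
      format: RC2
challenges:
  three:
    dns:
      provider: cloudflare
      propagation:
        wait: 5s
servers:
  myServer:
    url: https://example.com/dir
    tlsSkipVerify: true
"""

# Constructed sample: the same layout with the flagged settings corrected.
SAMPLE_HARDENED = """\
certificates:
  myCert:
    challenge: three
    domains:
      - example.com
    pfx:
      password: constructed-placeholder
      format: PBMAC1
challenges:
  three:
    dns:
      provider: cloudflare
      propagation:
        wait: 0s
servers:
  myServer:
    url: https://example.com/dir
    tlsSkipVerify: false
"""

if __name__ == "__main__":
    for line_no, path, msg in audit(SAMPLE_WEAK):
        print(f"line {line_no}: {path}: {msg}")
```
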

Commands & Flags

This page lists all the available commands and flags.

Main Command

NAME:
   lego - ACME client written in Go

USAGE:
   lego [global options] [command [command options]]

COMMANDS:
   run           Get or renew a certificate
   certificates  Certificates management.
   accounts      Accounts management.
   archives      Archives management.
   dnshelp       Shows additional help for the '--dns' global option
   migrate       Migrate certificates and accounts.
   help, h       Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help

   Flags related to logs:

   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]

   Flags related to the configuration file:

   --config string  Path to the configuration file. [$LEGO_CONFIG]

run command

NAME:
   lego run - Get or renew a certificate

USAGE:
   lego run [options]

OPTIONS:
   --accept-tos, -a                                             By setting this flag to true, you indicate that you accept the current CA terms of service. [$LEGO_ACCEPT_TOS]
   --domains string, -d string [ --domains string, -d string ]  Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS]
   --email string, -m string                                    Email used for registration and recovery contact. [$LEGO_EMAIL]
   --help, -h                                                   show help
   --key-type string, -k string                                 Key type to use for private keys. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (default: "EC256") [$LEGO_KEY_TYPE]
   --server string, -s string                                   CA (ACME server). It can be either a URL or a shortcode.
                                                                (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]

   Flags related to External Account Binding:

   --eab              Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
   --eab.hmac string  MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
   --eab.kid string   Key identifier for External Account Binding. [$LEGO_EAB_KID]

   Flags related to advanced options:

   --always-deactivate-authorizations string  Force the authorizations to be relinquished even if the certificate request was successful. [$LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS]
   --cert.timeout int                         Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
   --csr string                               Certificate signing request filename, if an external CSR is to be used. [$LEGO_CSR]
   --enable-cn                                Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]
   --ipv4only, -4                             Use IPv4 only. [$LEGO_IPV4ONLY]
   --ipv6only, -6                             Use IPv6 only. [$LEGO_IPV6ONLY]
   --must-staple                              Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. [$LEGO_MUST_STAPLE]
   --no-bundle                                Do not create a certificate bundle by adding the issuers certificate to the new certificate. [$LEGO_NO_BUNDLE]
   --not-after time                           Set the notAfter field in the certificate (RFC3339 format) [$LEGO_NOT_AFTER]
   --not-before time                          Set the notBefore field in the certificate (RFC3339 format) [$LEGO_NOT_BEFORE]
   --preferred-chain string                   If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. [$LEGO_PREFERRED_CHAIN]
   --private-key string                       Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated. [$LEGO_PRIVATE_KEY]
   --profile string                           If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. [$LEGO_PROFILE]

   Flags related to certificate renewal:

   --ari-disable                          (ARI) Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. [$LEGO_ARI_DISABLE]
   --ari-wait-to-renew-duration duration  (ARI) The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) [$LEGO_ARI_WAIT_TO_RENEW_DURATION]
   --force-cert-domains                   Check and ensure that the cert's domain list matches those passed in the domains argument. [$LEGO_FORCE_CERT_DOMAINS]
   --no-random-sleep                      Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. [$LEGO_NO_RANDOM_SLEEP]
   --renew-days int                       The number of days left on a certificate to renew it.
                                          By default, compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). (default: 0) [$LEGO_RENEW_DAYS]
   --renew-force                          Force the renewal of the certificate even if it is not due for renewal yet. [$LEGO_RENEW_FORCE]
   --reuse-key                            Used to indicate you want to reuse the current certificate private key for the new certificate. [$LEGO_REUSE_KEY]

   Flags related to hooks:

   --deploy-hook string            Define a hook. The hook runs, after the creation or the renewal, in cases where a certificate is successfully created/renewed. [$LEGO_DEPLOY_HOOK]
   --deploy-hook-timeout duration  Define the timeout for the deploy-hook execution. (default: 2m0s) [$LEGO_DEPLOY_HOOK_TIMEOUT]
   --post-hook string              Define a post-hook. This hook runs, after the creation or the renewal, in cases where a certificate is created/renewed, regardless of whether any errors occurred. [$LEGO_POST_HOOK]
   --post-hook-timeout duration    Define the timeout for the post-hook execution. (default: 2m0s) [$LEGO_POST_HOOK_TIMEOUT]
   --pre-hook string               Define a pre-hook. This hook runs, before the creation or the renewal, in cases where a certificate will be effectively created/renewed. [$LEGO_PRE_HOOK]
   --pre-hook-timeout duration     Define the timeout for the pre-hook execution. (default: 2m0s) [$LEGO_PRE_HOOK_TIMEOUT]

   Flags related to the ACME client:

   --http-timeout int           Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
   --overall-request-limit int  ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
   --tls-skip-verify            Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
   --user-agent string          Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]

   Flags related to the DNS-01 challenge:

   --dns string                                       Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. [$LEGO_DNS]
   --dns.propagation.disable-ans                      By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PROPAGATION_DISABLE_ANS]
   --dns.propagation.disable-rns                      By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PROPAGATION_DISABLE_RNS]
   --dns.propagation.wait duration                    By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PROPAGATION_WAIT]
   --dns.resolvers string [ --dns.resolvers string ]  Set the nameservers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system nameservers, or Cloudflare's nameservers if the system's cannot be determined. [$LEGO_DNS_RESOLVERS]
   --dns.timeout int                                  Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) [$LEGO_DNS_TIMEOUT]

   Flags related to the DNS-PERSIST-01 challenge:

   --dns-persist                                                      Use the DNS-PERSIST-01 challenge to solve challenges. Manual verification only. Can be mixed with other types of challenges. [$LEGO_DNS_PERSIST]
   --dns-persist.issuer-domain-name string                            Override the issuer-domain-name to use for DNS-PERSIST-01 when multiple are offered. Must be offered by the challenge. [$LEGO_DNS_PERSIST_ISSUER_DOMAIN_NAME]
   --dns-persist.persist-until time                                   Set the optional persistUntil for DNS-PERSIST-01 records as an RFC3339 timestamp (for example, 2026-03-01T00:00:00Z). [$LEGO_DNS_PERSIST_PERSIST_UNTIL]
   --dns-persist.propagation.disable-ans                              By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PERSIST_PROPAGATION_DISABLE_ANS]
   --dns-persist.propagation.disable-rns                              By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PERSIST_PROPAGATION_DISABLE_RNS]
   --dns-persist.propagation.wait duration                            By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PERSIST_PROPAGATION_WAIT]
   --dns-persist.resolvers string [ --dns-persist.resolvers string ]  Set the resolvers to use for DNS-PERSIST-01 TXT lookups. Supported: host:port. The default is to use the system nameservers, or Cloudflare's nameservers if the system's cannot be determined. [$LEGO_DNS_PERSIST_RESOLVERS]
   --dns-persist.timeout int                                          Set the DNS timeout value to a specific value in seconds. Used for DNS-PERSIST-01 lookups. (default: 0) [$LEGO_DNS_PERSIST_TIMEOUT]

   Flags related to the HTTP-01 challenge:

   --http                                                         Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_HTTP]
   --http.address string                                          Set the address to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") [$LEGO_HTTP_ADDRESS]
   --http.delay duration                                          Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_HTTP_DELAY]
   --http.memcached-host string [ --http.memcached-host string ]  Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. [$LEGO_HTTP_MEMCACHED_HOST]
   --http.proxy-header string                                     Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") [$LEGO_HTTP_PROXY_HEADER]
   --http.s3-bucket string                                        Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. [$LEGO_HTTP_S3_BUCKET]
   --http.webroot string                                          Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge [$LEGO_HTTP_WEBROOT]

   Flags related to the TLS-ALPN-01 challenge:

   --tls                 Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_TLS]
   --tls.address string  Set the address to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") [$LEGO_TLS_ADDRESS]
   --tls.delay duration  Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_TLS_DELAY]

   Flags related to the storage:

   --account-id string            Account identifier (The email is used if the account ID is undefined). [$LEGO_ACCOUNT_ID]
   --cert.name string, -c string  The certificate ID/Name, used to store and retrieve a certificate. By default, it uses the first domain name. [$LEGO_CERT_NAME]
   --env-file string              The path to the dotenv file. [$LEGO_ENV_FILE]
   --path string                  Directory to use for storing the data. [$LEGO_PATH]
   --pem                          Generate an additional .pem (base64) file by concatenating the .key and .crt files together. [$LEGO_PEM]
   --pfx                          Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
   --pfx.format string            The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: DES, RC2, SHA256, PBMAC1. (default: "RC2") [$LEGO_PFX_FORMAT]
   --pfx.password string          The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

certificates revoke command

NAME:
   lego certificates revoke - Revoke a certificate

USAGE:
   lego certificates revoke [options]

OPTIONS:
   --cert.name string, -c string [ --cert.name string, -c string ]  The certificate IDs/Names, used to retrieve the certificates. [$LEGO_CERT_NAME]
   --email string, -m string                                        Email used for registration and recovery contact. [$LEGO_EMAIL]
   --help, -h                                                       show help
   --keep                                                           Keep the certificates after the revocation instead of archiving them. [$LEGO_KEEP]
   --key-type string, -k string                                     Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (default: "EC256") [$LEGO_KEY_TYPE]
   --reason uint                                                    Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1.
                                                                    Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) [$LEGO_REASON]
   --server string, -s string                                       CA (ACME server). It can be either a URL or a shortcode.
                                                                    (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]

   Flags related to External Account Binding:

   --eab              Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
   --eab.hmac string  MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
   --eab.kid string   Key identifier for External Account Binding. [$LEGO_EAB_KID]

   Flags related to advanced options:

   --cert.timeout int  Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
   --enable-cn         Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]

   Flags related to the ACME client:

   --http-timeout int           Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
   --overall-request-limit int  ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
   --tls-skip-verify            Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
   --user-agent string          Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]

   Flags related to the configuration file:

   --config string  Path to the configuration file. [$LEGO_CONFIG]

   Flags related to the storage:

   --account-id string  Account identifier (The email is used if the account ID is undefined). [$LEGO_ACCOUNT_ID]
   --path string        Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

certificates list command

NAME:
   lego certificates list - Display information about certificates.

USAGE:
   lego certificates list [options]

OPTIONS:
   --help, -h  show help
   --json      Format the output as JSON.

   Flags related to the storage:

   --path string  Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

accounts register command

NAME:
   lego accounts register - Register an account.

USAGE:
   lego accounts register [options]

OPTIONS:
   --accept-tos, -a              By setting this flag to true, you indicate that you accept the current CA terms of service. [$LEGO_ACCEPT_TOS]
   --email string, -m string     Email used for registration and recovery contact. [$LEGO_EMAIL]
   --help, -h                    show help
   --key-type string, -k string  Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (default: "EC256") [$LEGO_KEY_TYPE]
   --server string, -s string    CA (ACME server). It can be either a URL or a shortcode.
                                 (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]

   Flags related to External Account Binding:

   --eab              Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
   --eab.hmac string  MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
   --eab.kid string   Key identifier for External Account Binding. [$LEGO_EAB_KID]

   Flags related to advanced options:

   --cert.timeout int  Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
   --enable-cn         Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]

   Flags related to the ACME client:

   --http-timeout int           Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
   --overall-request-limit int  ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
   --tls-skip-verify            Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
   --user-agent string          Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]

   Flags related to the storage:

   --account-id string  Account identifier (The email is used if the account ID is undefined). [$LEGO_ACCOUNT_ID]
   --path string        Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]
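
A preflight check for the External Account Binding flags listed above, as an added example (not part of lego or its documentation): it normalizes the MAC key to the unpadded base64url form that `--eab.hmac` expects, refuses to continue when `$LEGO_TLS_SKIP_VERIFY` is enabled, and passes the key through the environment instead of the command line. The function names are hypothetical, and treating any value other than empty, `0` or `false` as "enabled" is an assumption about how the boolean variable is parsed.

```shell
#!/bin/sh
# Added example: preflight checks before `lego accounts register --eab`.

# Print the MAC key as base64url without padding, or fail if it cannot be one.
eab_hmac_normalize() {
  # Map the standard base64 alphabet to the URL-safe one and strip '=' padding.
  key=$(printf '%s' "$1" | tr '/+' '_-' | sed 's/=*$//')
  case $key in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;   # empty, or characters outside the alphabet
  esac
  # An unpadded length of 1 mod 4 cannot decode to a whole number of bytes.
  [ $(( ${#key} % 4 )) -ne 1 ] || return 1
  printf '%s' "$key"
}

# Return 0 only when the environment is safe to hand to lego.
# Assumption: any value other than empty, 0 or false enables a boolean variable.
lego_eab_preflight() {
  case ${LEGO_TLS_SKIP_VERIFY:-false} in
    0 | false | FALSE | False) ;;
    *) echo "refusing: LEGO_TLS_SKIP_VERIFY disables ACME server verification" >&2
       return 2 ;;
  esac
  [ -n "${LEGO_EAB_KID:-}" ] || { echo "LEGO_EAB_KID is not set" >&2; return 3; }
  normalized=$(eab_hmac_normalize "${LEGO_EAB_HMAC:-}") || {
    echo "LEGO_EAB_HMAC is not valid base64url" >&2; return 4; }
  # Export the cleaned key so it reaches lego through the environment,
  # not through argv, which can be read from the process list.
  LEGO_EAB_HMAC=$normalized
  export LEGO_EAB_KID LEGO_EAB_HMAC
}

# Usage (constructed values), with LEGO_EAB_KID and LEGO_EAB_HMAC already set:
#   lego_eab_preflight &&
#     lego accounts register --accept-tos --eab -m admin@example.com -s zerossl
```
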

accounts recover command

NAME:
   lego accounts recover - Recover/import an account from the private key.

USAGE:
   lego accounts recover [options]

OPTIONS:
   --email string, -m string     Email used for registration and recovery contact. [$LEGO_EMAIL]
   --help, -h                    show help
   --key-type string, -k string  Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (default: "EC256") [$LEGO_KEY_TYPE]
   --private-key string          Path to the account private key (PEM encoded). [$LEGO_PRIVATE_KEY]
   --server string, -s string    CA (ACME server). It can be either a URL or a shortcode.
                                 (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]

   Flags related to External Account Binding:

   --eab              Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
   --eab.hmac string  MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
   --eab.kid string   Key identifier for External Account Binding. [$LEGO_EAB_KID]

   Flags related to advanced options:

   --cert.timeout int  Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
   --enable-cn         Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]

   Flags related to the ACME client:

   --http-timeout int           Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
   --overall-request-limit int  ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
   --tls-skip-verify            Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
   --user-agent string          Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]

   Flags related to the storage:

   --account-id string  Account identifier (The email is used if the account ID is undefined). [$LEGO_ACCOUNT_ID]
   --path string        Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

accounts keyrollover command

NAME:
   lego accounts keyrollover - Update the account private key.

USAGE:
   lego accounts keyrollover [options]

OPTIONS:
   --email string, -m string     Email used for registration and recovery contact. [$LEGO_EMAIL]
   --help, -h                    show help
   --key-type string, -k string  Key type to use for the new private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (default: "EC256") [$LEGO_KEY_TYPE]
   --private-key string          Path to the new account private key (PEM encoded). If not specified, the private key will be generated. [$LEGO_PRIVATE_KEY]
   --server string, -s string    CA (ACME server). It can be either a URL or a shortcode.
                                 (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]

   Flags related to External Account Binding:

   --eab              Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
   --eab.hmac string  MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
   --eab.kid string   Key identifier for External Account Binding. [$LEGO_EAB_KID]

   Flags related to advanced options:

   --cert.timeout int  Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
   --enable-cn         Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]

   Flags related to the ACME client:

   --http-timeout int           Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
   --overall-request-limit int  ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
   --tls-skip-verify            Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
   --user-agent string          Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]

   Flags related to the storage:

   --account-id string  Account identifier (The email is used if the account ID is undefined). [$LEGO_ACCOUNT_ID]
   --path string        Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

accounts list command

NAME:
   lego accounts list - Display information about accounts.

USAGE:
   lego accounts list [options]

OPTIONS:
   --help, -h  show help
   --json      Format the output as JSON.

   Flags related to the storage:

   --path string  Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

archives restore command

NAME:
   lego archives restore - Restore an archive.

USAGE:
   lego archives restore [options]

OPTIONS:
   --help, -h  show help

   Flags related to the storage:

   --path string  Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

archives list command

NAME:
   lego archives list - List all archives.

USAGE:
   lego archives list [options]

OPTIONS:
   --help, -h  show help

   Flags related to the storage:

   --path string  Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]

migrate command

NAME:
   lego migrate - Migrate certificates and accounts.

USAGE:
   lego migrate [options]

OPTIONS:
   --account-only  Only migrate accounts. [$LEGO_ACCOUNT_ONLY]
   --help, -h      show help

   Flags related to the storage:

   --path string  Directory to use for storing the data. [$LEGO_PATH]


GLOBAL OPTIONS:
   --log.level string   Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (default: "info") [$LEGO_LOG_LEVEL]
   --log.format string  Set the logging format. Supported values: 'colored', 'text', 'json'. (default: "colored") [$LEGO_LOG_FORMAT]