Commit 030c6b2

Merge pull request #382 from ldez/feat/lego-cli
feat: add lego as CLI client
2 parents 18ca0d5 + 471b67a commit 030c6b2

1 file changed

+34
-0
lines changed

tutorials/acme-protocol-acme-clients.mdx

@@ -95,6 +95,7 @@ Choose a renewal period that is two-thirds of the entire certificate's lifetime,
9595

9696
* [Certbot](#certbot)
9797
* [acme.sh](#acmesh)
98+
* [lego](#lego)
9899
* [win-acme](#win-acme)
99100
* [Caddy v2](#caddy-v2)
100101
* [NGINX](#nginx)
@@ -198,6 +199,39 @@ Renewals are slightly easier since `acme.sh` remembers to use the right root cer
198199
0 */8 * * * root "/home/<user>/.acme.sh"/acme.sh --cron --home "/home/<user>/.acme.sh" --force > /dev/null
199200
```
200201

202+
### lego
203+
204+
[lego](https://go-acme.github.io/lego/) is another popular command-line ACME client.
205+
It's written completely in Go and works on all platforms (Windows, Linux, Mac).
206+
207+
To get a certificate from `step-ca` using `lego` you need to:
208+
209+
1. Point `lego` at your ACME directory URL using the `--server` flag
210+
2. Tell `lego` to trust your root certificate using the `LEGO_CA_CERTIFICATES` environment variable
211+
212+
For example:
213+
214+
```
215+
sudo LEGO_CA_CERTIFICATES="$(step path)/certs/root_ca.crt" \
216+
lego --email="you@example.com" -d foo.internal \
217+
-s https://ca.internal/acme/acme/directory --http run
218+
```
219+
220+
Like `certbot`, `lego` can solve the `http-01` challenge in [_standalone_ mode](https://go-acme.github.io/lego/usage/cli/obtain-a-certificate/index.html#using-the-built-in-web-server) and [_webroot_ mode](hhttps://go-acme.github.io/lego/usage/cli/obtain-a-certificate/index.html#using-an-existing-running-web-server).
221+
It can also solve the `dns-01` challenge for [many DNS providers](https://go-acme.github.io/lego/dns/index.html).
222+
223+
You can [renew the certificates](https://go-acme.github.io/lego/usage/cli/renew-a-certificate/index.html) you've installed using `lego` by running:
224+
225+
```shell
226+
sudo LEGO_CA_CERTIFICATES="$(step path)/certs/root_ca.crt" lego --email=you@example.com -d foo.internal --http renew
227+
```
228+
229+
You can automate renewal with a simple `cron` entry:
230+
231+
```shell
232+
*/15 * * * * root LEGO_CA_CERTIFICATES="$(step path)/certs/root_ca.crt" lego --email=you@example.com -d foo.internal --http renew
233+
```
234+
201235
### win-acme
202236

203237
[win-acme][] (`wacs.exe`) is a popular ACME client for Windows.
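
Review bot: the two `renew` commands (new lines 226 and 232) omit the `-s https://ca.internal/acme/acme/directory` flag that the `run` example passes on line 217, even though step 1 says `lego` must be pointed at the ACME directory with `--server`. As written, the renewal is not directed at the `step-ca` directory, so add `-s` to both commands. The webroot link on line 220 has a typo in its scheme (`hhttps://`) and will not resolve. In the cron entry, `$(step path)` is evaluated in cron's environment for `root`, which may not have `step` on its `PATH` or share the step home of the user who ran the first command; a literal path to `root_ca.crt` would be more robust there. The first code fence (line 214) is untagged while the other two are tagged `shell`, and the e-mail address is quoted only in the first example.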
