The lego binary needs permission to bind to ports 80 and 443.
You can get a pre-built binary from the releases page.
If your environment does not allow you to bind to these ports, please read the Port Usage section.
lego --email="email@example.com" --domains="example.com" --http run
(Find your certificate in the .lego folder of the current working directory.)
lego --email="firstname.lastname@example.org" --domains="example.com" --http renew
lego --email="email@example.com" --domains="example.com" --http renew --days 45
The hook is executed only when the certificates are effectively renewed.
lego --email="firstname.lastname@example.org" --domains="example.com" --http renew --renew-hook="./myscript.sh"
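An added example of what such a renew hook could do; it is not code from the lego project. It assumes lego exports LEGO_CERT_PATH, LEGO_CERT_KEY_PATH and LEGO_CERT_DOMAIN to the hook, and it installs the renewed files atomically with restrictive permissions so a half-written key or a world-readable key never reaches the web server.

```shell
#!/bin/sh
# Renew hook for: lego ... renew --renew-hook="./myscript.sh"  (added example)
# lego runs the hook only after a certificate was actually renewed; the
# LEGO_CERT_* variables used below are an assumption of this example.
set -eu

# install_cert SRC_CERT SRC_KEY DEST_DIR
# Copies the renewed certificate and key into DEST_DIR. Returns 1 and installs
# nothing if either input is missing, empty, or does not look like PEM, so a
# truncated write by a failed renewal is never deployed.
install_cert() {
    src_cert=$1; src_key=$2; dest=$3
    [ -s "$src_cert" ] && [ -s "$src_key" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$src_cert" || return 1
    grep -q 'PRIVATE KEY' "$src_key" || return 1
    mkdir -p "$dest"
    # Stage under a temporary name, fix permissions, then rename into place:
    # a reader of DEST_DIR never observes a partially written file.
    umask 077
    cp "$src_cert" "$dest/fullchain.pem.tmp"
    cp "$src_key" "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"   # chain is public
    chmod 600 "$dest/privkey.pem.tmp"     # key stays owner-only
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# Only act when invoked by lego (the assumed variables are set); otherwise
# sourcing this file just defines the function.
if [ -n "${LEGO_CERT_PATH:-}" ] && [ -n "${LEGO_CERT_KEY_PATH:-}" ]; then
    install_cert "$LEGO_CERT_PATH" "$LEGO_CERT_KEY_PATH" "/etc/ssl/${LEGO_CERT_DOMAIN:-lego}"
    # Reload the web server here, e.g. `systemctl reload nginx` (assumed service name).
fi
```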
AWS_REGION=us-east-1 \
AWS_ACCESS_KEY_ID=my_id \
AWS_SECRET_ACCESS_KEY=my_key \
lego --email="email@example.com" --domains="example.com" --dns="route53" run
lego --email="firstname.lastname@example.org" --http --csr=/path/to/csr.pem run
(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR’s Common Name and optional SubjectAltNames are set correctly.)
If you have an existing server running on port 80 the
--http option needs to also use the
This just writes the token to the given directory in the folder .well-known/acme-challenge and does not start a server.
The given directory should be publicly served as / on the domain(s) for the validation to complete.
If the given directory is not publicly served, you will have to rewrite the request to the directory; for example, you could rewrite requests for .well-known/acme-challenge to the given directory.
You should be able to run an existing webserver on port 80 and have lego write the token file with the HTTP-01 challenge key authorization to <webroot dir>/.well-known/acme-challenge/ by running something like:
lego --accept-tos -m email@example.com --http --http.webroot /path/to/webroot -d example.com run