Examples

CLI Examples

Assumes the lego binary has permission to bind to ports 80 and 443. You can get a pre-built binary from the releases page. If your environment does not allow you to bind to these ports, please read Port Usage.

Obtain a certificate

lego --email="foo@bar.com" --domains="example.com" --http run

(Find your certificate in the .lego folder of current working directory.)

Obtain a certificate (and hook)

The hook is executed only when the certificates are effectively created.

lego --email="foo@bar.com" --domains="example.com" --http run --run-hook="./myscript.sh"

Some information are added to the environment variables when the hook is used:

  • LEGO_ACCOUNT_EMAIL: the email of the account.
  • LEGO_CERT_DOMAIN: the main domain of the certificate.
  • LEGO_CERT_PATH: the path of the certificate.
  • LEGO_CERT_KEY_PATH: the path of the certificate key.

To renew the certificate

lego --email="foo@bar.com" --domains="example.com" --http renew

To renew the certificate only if it expires within 45 days

lego --email="foo@bar.com" --domains="example.com" --http renew --days 45

To renew the certificate (and hook)

The hook is executed only when the certificates are effectively renewed.

lego --email="foo@bar.com" --domains="example.com" --http renew --renew-hook="./myscript.sh"

Some information are added to the environment variables when the hook is used:

  • LEGO_ACCOUNT_EMAIL: the email of the account.
  • LEGO_CERT_DOMAIN: the main domain of the certificate.
  • LEGO_CERT_PATH: the path of the certificate.
  • LEGO_CERT_KEY_PATH: the path of the certificate key.

Obtain a certificate using the DNS challenge

AWS_REGION=us-east-1 \
AWS_ACCESS_KEY_ID=my_id \
AWS_SECRET_ACCESS_KEY=my_key \
lego --email="foo@bar.com" --domains="example.com" --dns="route53" run

Obtain a certificate given a certificate signing request (CSR) generated by something else

lego --email="foo@bar.com" --http --csr=/path/to/csr.pem run

(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR’s Common Name and optional SubjectAltNames are set correctly.)

Misc HTTP-01 CLI Examples

Write HTTP-01 token to already “served” directory

If you have an existing server running on port 80 the --http option needs to also use the --http.webroot option. This just writes the token to the given directory in the folder .well-known/acme-challenge and does not start a server.

The given directory should be publicly served as / on the domain(s) for the validation to complete.

If the given directory is not publicly served you will have to support rewriting the request to the directory;

You could also implement a rewrite to rewrite .well-known/acme-challenge to the given directory .well-known/acme-challenge.

You should be able to run an existing webserver on port 80 and have lego write the token file with the HTTP-01 challenge key authorization to <webroot dir>/.well-known/acme-challenge/ by running something like:

lego --accept-tos -m foo@bar.com --http --http.webroot /path/to/webroot -d example.com run