References

This section contains references for the commands, their flags, and the configuration file.

May 13, 2026


Configuration file

This describes the configuration file format.

lego looks for configuration files in the following paths from the current working directory:

  • .lego.yml
  • .lego.yaml

The configuration file can be validated with the JSON Schema: lego.jsonschema.json

Global configuration

# Path to the directory to use for storing the data.
#
# Default: .lego/
storage: /tmp/lego/

# The network stack to use.
# It can be:
# - ipv6only
# - ipv4only
#
# Default: both
networkStack: ipv6only

# The user agent to use when connecting to the ACME server.
#
# Default: information related to lego.
userAgent: foo

Certificates

# When a certificate definition is removed from the configuration file, the corresponding certificate files are archived.
# The archives are deleted after 30 days.
certificates:
  
  # The ID/Name of the certificate.
  myCert:
    # The challenge type.
    # It can be:
    # 1. `http-01` (This is a special name to use the default HTTP challenge provider)
    # 2. `tls-alpn-01` (This is a special name to use the default TLS-ALPN-01 challenge provider)
    # 3. a reference to the ID of a challenge provider defined in the configuration section `challenges`.
    #
    # Required.
    challenge: one
    
    # The account ID/Name.
    # If no account is defined in the configuration file, the default account is used.
    # If exactly one account is defined in the configuration file, the account ID can be omitted.
    #
    # Required when more than one account is defined.
    account: foo
    
    # The key type used to generate the certificate private key.
    # If not set, the account key type is used, or EC256 if no account key type is defined.
    #
    # Optional.
    keyType: RSA2048
    
    # The domains to request a certificate for.
    #
    # Mutually exclusive with `csr`.
    domains:
      - example.com
      - '*.example.com'
    
    # The path to a Certificate Signing Request (CSR) file.
    #
    # Mutually exclusive with `domains`.
    csr: /tmp/foo.csr

    # The preferred chain to use.
    #
    # Optional.
    preferredChain: "ISRG Root X1"
    
    # The ACME server profile
    #
    # Optional.
    profile: "tls"
    
    # Enable the use of the Common Name (CN) in the certificate.
    # CN is deprecated and should not be used.
    #
    # Optional.
    # Default: false
    enableCommonName: true
    
    # The notBefore field in the certificate (RFC3339 format).
    #
    # Optional.
    notBefore: ""

    # The notAfter field in the certificate (RFC3339 format).
    #
    # Optional.
    notAfter: ""
    
    # Do not create a certificate bundle by appending the issuer's certificate to the new certificate.
    #
    # Default: false
    noBundle: true

    # Include the OCSP must staple TLS extension in the CSR and generated certificate.
    # Only works if the CSR is generated by lego.
    #
    # Default: false
    mustStaple: true
    
    # Force the authorizations to be relinquished even if the certificate request was successful.
    #
    # Default: false
    alwaysDeactivateAuthorizations: true
    
    # Options for the certificate renewal.
    #
    # Optional.
    renew:
      # Reuse the private key if it exists.
      #
      # Optional.
      # Default: false
      reuseKey: true
      
      
      # The number of days left on a certificate to renew it.
      # 
      # By default, compute dynamically, based on the lifetime of the certificate(s), when to renew:
      # use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates.
      days: 1
  
      # Do not add a random sleep before the renewal.
      #
      # We do not recommend using this option if you are doing your renewals in an automated way.
      #
      # Default: false
      disableRandomSleep: true
      
      # ARI configuration.
      #
      # Optional.
      ari:
        # Disable the ARI mechanism.
        #
        # Default: false
        disable: true
        
        # The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.
        # 
        # Default: 0s
        waitToRenewDuration: 1m
    
    # Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.
    # 
    # Optional.
    pfx:
      # The password used to encrypt the .pfx (PKCS#12) file.
      #
      # Required.
      password: xxx
      
      # The encoding format to use when encrypting the .pfx (PKCS#12) file.
      #
      # Supported:
      # - DES
      # - RC2
      # - SHA256
      # - PBMAC1
      #
      # DES and RC2 are legacy algorithms kept for compatibility with older consumers;
      # prefer PBMAC1 or SHA256 unless the consumer of the file cannot read them.
      #
      # Optional.
      # Default: RC2
      format: PBMAC1

Challenges

# The challenge configurations.
challenges:
  # The ID/Name of the challenge.
  #
  # Required.
  one:
    # The HTTP-01 challenge configuration.
    #
    # Optional.
    http:
      # The address to listen on.
      #
      # Default: ":80"
      address: ":80"
      
      # Delay between the start of the HTTP server (used for HTTP-01 based challenges) and the validation of the challenge.
      #
      # Default: 0s
      delay: 6s
      
      # Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.
      #
      # Optional.
      proxyHeader: Host

      # The webroot folder to use for HTTP-01 based challenges, to write the challenge file directly under .well-known/acme-challenge.
      # This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge.
      #
      # Optional.
      webroot: /tmp/webroot

      # The memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
      #
      # Optional.
      memcachedHosts:
        - memcached:11211
      
      # The S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
      #
      # Optional.
      s3Bucket: 's3-bucket'

  # The ID/Name of the challenge.
  #
  # Required.
  two:
    # The TLS-ALPN-01 challenge configuration.
    #
    # Optional.
    tls:
      # The address to listen on.
      #
      # Default: ":443"
      address: ":443"

      # Delay between the start of the TLS listener (used for TLS-ALPN-01 based challenges) and the validation of the challenge.
      #
      # Default: 0s
      delay: 6s

  # The ID/Name of the challenge.
  #
  # Required.
  three:
    # The DNS-01 challenge configuration.
    #
    # Optional.
    dns:
      # The DNS provider.
      #
      # Required.
      provider: cloudflare
      
      # The path to the dotenv file containing the credentials.
      #
      # Optional.
      envFile: /tmp/secrets/.env
      
      # The configuration related to propagation check.
      #
      # Optional.
      propagation:
        # When set to true, do not wait for the TXT record to propagate to all authoritative name servers.
        #
        # Default: false
        disableAuthoritativeNameservers: true

        # When set to true, do not wait for the TXT record to propagate to all recursive name servers (aka resolvers).
        #
        # Default: false
        disableRecursiveNameservers: true

        # Disables all the propagation checks of the TXT record and uses a wait duration instead.
        #
        # This option is strongly discouraged.
        #
        # Default: 0
        wait: 5s

      # The DNS timeout, in seconds. Used only when performing authoritative name server queries.
      #
      # Default: 10
      dnsTimeout: 30

      # Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination.
      #
      # For DNS-01 challenge verification, the authoritative DNS server is queried directly.
      #
      # Supported syntax: host:port.
      #
      # Optional.
      # The default is to use the system resolvers or Cloudflare's DNS resolvers if the system ones cannot be determined.
      resolvers:
        - 1.1.1.1:53

  # The ID/Name of the challenge.
  #
  # Required.
  four:
    # The DNS-PERSIST-01 challenge configuration.
    #
    # Optional.
    dnsPersist:
      # Override the issuer-domain-name to use for DNS-PERSIST-01 when multiple are offered.
      # Must be offered by the challenge.
      #
      # Optional.
      issuerDomainName: example.com

      # Set the optional `persistUntil` for DNS-PERSIST-01 records as an RFC3339 timestamp.
      #
      # Optional.
      persistUntil: 2020-01-01T00:00:00Z

      # The configuration related to propagation check.
      #
      # Optional.
      propagation:
        # When set to true, do not wait for the TXT record to propagate to all authoritative name servers.
        #
        # Default: false
        disableAuthoritativeNameservers: true

        # When set to true, do not wait for the TXT record to propagate to all recursive name servers (aka resolvers).
        #
        # Default: false
        disableRecursiveNameservers: true

        # Disables all the propagation checks of the TXT record and uses a wait duration instead.
        #
        # This option is strongly discouraged.
        #
        # Default: 0
        wait: 5s

Accounts

Defining an account is optional: lego will create one for you by default on the Let’s Encrypt ACME server.

If you want to use a different ACME server, or if you want to customize the account, you can define it in the configuration file.

# When an account definition is removed from the configuration file, the corresponding account files are archived.
# The archives are deleted after 30 days.
accounts:
  # The ID/Name of the account.
  #
  # Required.
  myAccount:
    # The ACME server.
    #
    # It can be:
    # 1. a URL
    # 2. a short code (see the shortcode section)
    # 3. a reference to the ID of a server defined in the servers configuration section
    #
    # Default: https://acme-v02.api.letsencrypt.org/directory
    server: https://example.com/dir
    
    # The account email.
    #
    # Optional.
    email: foo@example.com
    
    # The key type used to generate the account private key.
    #
    # Default: EC256
    keyType: RSA2048
    
    # The acceptance of the terms of service.
    #
    # Default: false
    acceptsTermsOfService: true
    
    # The External Account Binding (EAB) configuration.
    #
    # Optional.
    eab:
      # The External Account Binding (EAB) key identifier (KID).
      #
      # Required.
      kid: foo
      
      # The External Account Binding (EAB) HMAC key, in Base64 URL encoding without padding.
      #
      # Required.
      hmacKey: foo

Servers

servers:
  # The ID/Name of the server.
  #
  # Required.
  myServer:
    # The ACME server URL.
    #
    # Required.
    url: https://example.com/dir

    # ACME overall requests limit.
    #
    # Default: 18
    overallRequestLimit: 7

    # Skip the TLS verification of the ACME server.
    # This disables authentication of the ACME server, so an on-path attacker can impersonate the CA endpoint;
    # only use it against a private test server you control.
    #
    # Default: false
    tlsSkipVerify: true

    # The HTTP timeout, in seconds.
    #
    # Default: 30
    httpTimeout: 60

    # The certificate timeout, in seconds.
    # Only used when obtaining certificates.
    #
    # Default: 30
    certTimeout: 60

Logging

# Logging configuration.
#
# Optional.
log:
  # The logging level.
  #
  # Default: info
  level: debug
  
  # The logging format.
  #
  # Supported:
  # - text
  # - json
  # - colored
  #
  # Default: colored
  format: json

Hooks

# Hooks configuration.
#
# Optional.
hooks:
  # The pre-hook.
  # Runs before the creation or the renewal, only when a certificate will effectively be created/renewed.
  #
  # Optional.
  pre:
    # The command to execute.
    #
    # Required.
    command: "./my-pre-hook.sh"
    
    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
  
  # The deploy-hook.
  # Runs after the creation or the renewal, only when a certificate was successfully created/renewed.
  #
  # Optional.
  deploy:
    # The command to execute.
    #
    # Required.
    command: "./my-deploy-hook.sh"

    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
  
  # The post-hook.
  # Runs after the creation or the renewal, whenever a certificate was created/renewed, regardless of whether any errors occurred.
  #
  # Optional.
  post:
    # The command to execute.
    #
    # Required.
    command: "./my-post-hook.sh"

    # The timeout of the command.
    #
    # Optional.
    # Default: 2 minutes.
    timeout: 3s
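The fragments above document each section in isolation; what they do not show is how the sections reference each other by ID. The following complete .lego.yml is added here as a worked example and is not taken from the lego documentation. It registers an account on a private ACME server through EAB, obtains a wildcard certificate with a DNS-01 challenge and a single-host certificate with an HTTP-01 webroot challenge, and reloads the TLS service from a deploy hook. Every ID (internal-ca, ops, cf-dns, web, wildcard, www), hostname, path and credential value is a placeholder, and the `cloudflare` provider's credentials are assumed to live in the referenced dotenv file rather than in this file.

```yaml
# Added example, not from the lego documentation: one complete .lego.yml in
# which every cross-reference between sections is made explicit. All IDs,
# hostnames, paths and credential values are placeholders.

# Data directory (accounts, certificates, archives).
storage: /var/lib/lego

servers:
  # Referenced from accounts.ops.server.
  internal-ca:
    url: https://acme.internal.example.com/directory
    # tlsSkipVerify is deliberately left at its default (false): trust the
    # private CA through the system trust store instead of disabling checks.
    httpTimeout: 60

accounts:
  # Referenced from certificates.*.account.
  ops:
    server: internal-ca
    email: pki@example.com
    keyType: EC256
    acceptsTermsOfService: true
    eab:
      kid: kid-issued-by-the-ca                 # placeholder
      hmacKey: base64url-hmac-without-padding   # placeholder

challenges:
  # DNS-01 through the cloudflare provider; credentials stay out of this file.
  cf-dns:
    dns:
      provider: cloudflare
      envFile: /etc/lego/cloudflare.env
      resolvers:
        - 1.1.1.1:53
  # HTTP-01 by writing into a directory an existing web server already serves.
  web:
    http:
      webroot: /var/www/acme

certificates:
  # Wildcard names can only be validated with a DNS-based challenge.
  wildcard:
    account: ops
    challenge: cf-dns
    domains:
      - example.com
      - '*.example.com'
    # keyType omitted: falls back to the account key type (EC256).
  # Single host, validated over HTTP-01 using the webroot challenge above.
  www:
    account: ops
    challenge: web
    keyType: RSA2048
    domains:
      - www.example.com

hooks:
  # Runs only after a successful issuance or renewal.
  deploy:
    command: /usr/local/bin/reload-tls.sh
    timeout: 1m

log:
  level: info
  format: json
```

Because `challenge` and `account` are looked up by ID, a typo in either name fails at load time rather than at issuance; validating the file against lego.jsonschema.json before deploying it catches the same class of mistake earlier.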
May 14, 2026

Commands & Flags

This page lists all the available commands and flags.

lego

Get or renew a certificate with a configuration file

Usage

lego [options]

Global Options

Flag Env Var Usage
--help, -h show help
Flag Env Var Usage
--log.format string LEGO_LOG_FORMAT Set the logging format. Supported values: ‘colored’, ‘text’, ‘json’.
(Default: “colored”)
--log.level string LEGO_LOG_LEVEL Set the logging level. Supported values: ‘debug’, ‘info’, ‘warn’, ‘error’.
(Default: “info”)
Flag Env Var Usage
--config string LEGO_CONFIG Path to the configuration file.

lego run

Get or renew a certificate

Usage

lego run [options]

Options

Flag Env Var Usage
--accept-tos, -a LEGO_ACCEPT_TOS By setting this flag to true, you indicate that you accept the current CA terms of service.
--domains string, -d string LEGO_DOMAINS Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--email string, -m string LEGO_EMAIL Email used for registration and recovery contact.
--help, -h show help
--key-type string, -k string LEGO_KEY_TYPE Key type to use for private keys. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192.
(Default: “EC256”)
--server string, -s string LEGO_SERVER CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl)
(Default: “https://acme-v02.api.letsencrypt.org/directory”)
Flag Env Var Usage
--eab LEGO_EAB Use External Account Binding for account registration. Requires eab.kid and eab.hmac.
--eab.hmac string LEGO_EAB_HMAC MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format.
--eab.kid string LEGO_EAB_KID Key identifier for External Account Binding.
Flag Env Var Usage
--always-deactivate-authorizations string LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS Force the authorizations to be relinquished even if the certificate request was successful.
--cert.timeout int LEGO_CERT_TIMEOUT Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.
(Default: 30)
--csr string LEGO_CSR Certificate signing request filename, if an external CSR is to be used.
--enable-cn LEGO_ENABLE_CN Enable the use of the common name. (Not recommended)
--ipv4only, -4 LEGO_IPV4ONLY Use IPv4 only.
--ipv6only, -6 LEGO_IPV6ONLY Use IPv6 only.
--must-staple LEGO_MUST_STAPLE Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--no-bundle LEGO_NO_BUNDLE Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--not-after time LEGO_NOT_AFTER Set the notAfter field in the certificate (RFC3339 format)
--not-before time LEGO_NOT_BEFORE Set the notBefore field in the certificate (RFC3339 format)
--preferred-chain string LEGO_PREFERRED_CHAIN If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--private-key string LEGO_PRIVATE_KEY Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated.
--profile string LEGO_PROFILE If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
Flag Env Var Usage
--ari-disable LEGO_ARI_DISABLE (ARI) Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.
--ari-wait-to-renew-duration duration LEGO_ARI_WAIT_TO_RENEW_DURATION (ARI) The maximum duration you’re willing to sleep for a renewal time returned by the renewalInfo endpoint.
(Default: 0s)
--force-cert-domains LEGO_FORCE_CERT_DOMAINS Check and ensure that the cert’s domain list matches those passed in the domains argument.
--no-random-sleep LEGO_NO_RANDOM_SLEEP Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way.
--renew-days int LEGO_RENEW_DAYS The number of days left on a certificate to renew it.
By default, compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates.
(Default: 0)
--renew-force LEGO_RENEW_FORCE Force the renewal of the certificate even if it is not due for renewal yet.
--reuse-key LEGO_REUSE_KEY Used to indicate you want to reuse the current certificate private key for the new certificate.
Flag Env Var Usage
--deploy-hook string LEGO_DEPLOY_HOOK Define a hook. The hook runs, after the creation or the renewal, in cases where a certificate is successfully created/renewed.
--deploy-hook-timeout duration LEGO_DEPLOY_HOOK_TIMEOUT Define the timeout for the deploy-hook execution.
(Default: 2m0s)
--post-hook string LEGO_POST_HOOK Define a post-hook. This hook runs, after the creation or the renewal, in cases where a certificate is created/renewed, regardless of whether any errors occurred.
--post-hook-timeout duration LEGO_POST_HOOK_TIMEOUT Define the timeout for the post-hook execution.
(Default: 2m0s)
--pre-hook string LEGO_PRE_HOOK Define a pre-hook. This hook runs, before the creation or the renewal, in cases where a certificate will be effectively created/renewed.
--pre-hook-timeout duration LEGO_PRE_HOOK_TIMEOUT Define the timeout for the pre-hook execution.
(Default: 2m0s)
Flag Env Var Usage
--http-timeout int LEGO_HTTP_TIMEOUT Set the HTTP timeout value to a specific value in seconds.
(Default: 0)
--overall-request-limit int LEGO_OVERALL_REQUEST_LIMIT ACME overall requests limit.
(Default: 18)
--tls-skip-verify LEGO_TLS_SKIP_VERIFY Skip the TLS verification of the ACME server.
--user-agent string LEGO_USER_AGENT Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flag Env Var Usage
--dns string LEGO_DNS Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run ‘lego dnshelp’ for help on usage.
--dns.propagation.disable-ans LEGO_DNS_PROPAGATION_DISABLE_ANS By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation.disable-rns LEGO_DNS_PROPAGATION_DISABLE_RNS By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers).
--dns.propagation.wait duration LEGO_DNS_PROPAGATION_WAIT By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead.
(Default: 0s)
--dns.resolvers string LEGO_DNS_RESOLVERS Set the nameservers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system nameservers, or Cloudflare’s nameservers if the system’s cannot be determined.
--dns.timeout int LEGO_DNS_TIMEOUT Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.
(Default: 10)
Flag Env Var Usage
--dns-persist LEGO_DNS_PERSIST Use the DNS-PERSIST-01 challenge to solve challenges. Manual verification only. Can be mixed with other types of challenges.
--dns-persist.issuer-domain-name string LEGO_DNS_PERSIST_ISSUER_DOMAIN_NAME Override the issuer-domain-name to use for DNS-PERSIST-01 when multiple are offered. Must be offered by the challenge.
--dns-persist.persist-until time LEGO_DNS_PERSIST_PERSIST_UNTIL Set the optional persistUntil for DNS-PERSIST-01 records as an RFC3339 timestamp (for example, 2026-03-01T00:00:00Z).
--dns-persist.propagation.disable-ans LEGO_DNS_PERSIST_PROPAGATION_DISABLE_ANS By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns-persist.propagation.disable-rns LEGO_DNS_PERSIST_PROPAGATION_DISABLE_RNS By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers).
--dns-persist.propagation.wait duration LEGO_DNS_PERSIST_PROPAGATION_WAIT By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead.
(Default: 0s)
--dns-persist.resolvers string LEGO_DNS_PERSIST_RESOLVERS Set the resolvers to use for DNS-PERSIST-01 TXT lookups. Supported: host:port. The default is to use the system nameservers, or Cloudflare’s nameservers if the system’s cannot be determined.
--dns-persist.timeout int LEGO_DNS_PERSIST_TIMEOUT Set the DNS timeout value to a specific value in seconds. Used for DNS-PERSIST-01 lookups.
(Default: 0)
Flag Env Var Usage
--http LEGO_HTTP Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.
--http.address string LEGO_HTTP_ADDRESS Set the address to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port.
(Default: “:80”)
--http.delay duration LEGO_HTTP_DELAY Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge.
(Default: 0s)
--http.memcached-host string LEGO_HTTP_MEMCACHED_HOST Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
--http.proxy-header string LEGO_HTTP_PROXY_HEADER Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.
(Default: “Host”)
--http.s3-bucket string LEGO_HTTP_S3_BUCKET Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
--http.webroot string LEGO_HTTP_WEBROOT Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
Flag Env Var Usage
--tls LEGO_TLS Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.address string LEGO_TLS_ADDRESS Set the address to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port.
(Default: “:443”)
--tls.delay duration LEGO_TLS_DELAY Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge.
(Default: 0s)
Flag Env Var Usage
--account-id string LEGO_ACCOUNT_ID Account identifier (The email is used if the account ID is undefined).
--cert.name string, -c string LEGO_CERT_NAME The certificate ID/Name, used to store and retrieve a certificate. By default, it uses the first domain name.
--env-file string LEGO_ENV_FILE The path to the dotenv file.
--path string LEGO_PATH Directory to use for storing the data.
--pem LEGO_PEM Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx LEGO_PFX Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.
--pfx.format string LEGO_PFX_FORMAT The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: DES, RC2, SHA256, PBMAC1.
(Default: “RC2”)
--pfx.password string LEGO_PFX_PASSWORD The password used to encrypt the .pfx (PCKS#12) file.
(Default: “changeit”)

Global Options

Flag Env Var Usage
--log.level string LEGO_LOG_LEVEL Set the logging level. Supported values: ‘debug’, ‘info’, ‘warn’, ‘error’.
(Default: “info”)
--log.format string LEGO_LOG_FORMAT Set the logging format. Supported values: ‘colored’, ‘text’, ‘json’.
(Default: “colored”)

lego certificates revoke

Revoke a certificate

Usage

lego certificates revoke [options]

Options

Flag Env Var Usage
--cert.name string, -c string LEGO_CERT_NAME The certificate IDs/Names, used to retrieve the certificates.
--email string, -m string LEGO_EMAIL Email used for registration and recovery contact.
--help, -h show help
--keep LEGO_KEEP Keep the certificates after the revocation instead of archiving them.
--key-type string, -k string LEGO_KEY_TYPE Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192.
(Default: “EC256”)
--reason uint LEGO_REASON Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1.
Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise).
(Default: 0)
--server string, -s string LEGO_SERVER CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl)
(Default: “https://acme-v02.api.letsencrypt.org/directory”)
Flag Env Var Usage
--eab LEGO_EAB Use External Account Binding for account registration. Requires eab.kid and eab.hmac.
--eab.hmac string LEGO_EAB_HMAC MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format.
--eab.kid string LEGO_EAB_KID Key identifier for External Account Binding.
Flag Env Var Usage
--cert.timeout int LEGO_CERT_TIMEOUT Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.
(Default: 30)
--enable-cn LEGO_ENABLE_CN Enable the use of the common name. (Not recommended)
Flag Env Var Usage
--http-timeout int LEGO_HTTP_TIMEOUT Set the HTTP timeout value to a specific value in seconds.
(Default: 0)
--overall-request-limit int LEGO_OVERALL_REQUEST_LIMIT ACME overall requests limit.
(Default: 18)
--tls-skip-verify LEGO_TLS_SKIP_VERIFY Skip the TLS verification of the ACME server.
--user-agent string LEGO_USER_AGENT Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flag Env Var Usage
--config string LEGO_CONFIG Path to the configuration file.
Flag Env Var Usage
--account-id string LEGO_ACCOUNT_ID Account identifier (The email is used if the account ID is undefined).
--path string LEGO_PATH Directory to use for storing the data.

Global Options

Flag Env Var Usage
--log.level string LEGO_LOG_LEVEL Set the logging level. Supported values: ‘debug’, ‘info’, ‘warn’, ‘error’.
(Default: “info”)
--log.format string LEGO_LOG_FORMAT Set the logging format. Supported values: ‘colored’, ‘text’, ‘json’.
(Default: “colored”)

lego certificates list

Display information about certificates.

Usage

lego certificates list [options]

Options

Flag Env Var Usage
--help, -h show help
--json Format the output as JSON.
Flag Env Var Usage
--config string LEGO_CONFIG Path to the configuration file.
Flag Env Var Usage
--path string LEGO_PATH Directory to use for storing the data.

Global Options

Flag Env Var Usage
--log.level string LEGO_LOG_LEVEL Set the logging level. Supported values: ‘debug’, ‘info’, ‘warn’, ‘error’.
(Default: “info”)
--log.format string LEGO_LOG_FORMAT Set the logging format. Supported values: ‘colored’, ‘text’, ‘json’.
(Default: “colored”)

lego accounts register

Register an account.

Usage

lego accounts register [options]

Options

Flag Env Var Usage
--accept-tos, -a LEGO_ACCEPT_TOS By setting this flag to true, you indicate that you accept the current CA terms of service.
--email string, -m string LEGO_EMAIL Email used for registration and recovery contact.
--help, -h show help
--key-type string, -k string LEGO_KEY_TYPE Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192.
(Default: “EC256”)
--server string, -s string LEGO_SERVER CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl)
(Default: “https://acme-v02.api.letsencrypt.org/directory”)
Flag Env Var Usage
--eab LEGO_EAB Use External Account Binding for account registration. Requires eab.kid and eab.hmac.
--eab.hmac string LEGO_EAB_HMAC MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format.
--eab.kid string LEGO_EAB_KID Key identifier for External Account Binding.
Flag Env Var Usage
--cert.timeout int LEGO_CERT_TIMEOUT Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.
(Default: 30)
--enable-cn LEGO_ENABLE_CN Enable the use of the common name. (Not recommended)
Flag Env Var Usage
--http-timeout int LEGO_HTTP_TIMEOUT Set the HTTP timeout value to a specific value in seconds.
(Default: 0)
--overall-request-limit int LEGO_OVERALL_REQUEST_LIMIT ACME overall requests limit.
(Default: 18)
--tls-skip-verify LEGO_TLS_SKIP_VERIFY Skip the TLS verification of the ACME server.
--user-agent string LEGO_USER_AGENT Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flag Env Var Usage
--account-id string LEGO_ACCOUNT_ID Account identifier (The email is used if the account ID is undefined).
--path string LEGO_PATH Directory to use for storing the data.

Global Options

Flag Env Var Usage
--log.level string LEGO_LOG_LEVEL Set the logging level. Supported values: ‘debug’, ‘info’, ‘warn’, ‘error’.
(Default: “info”)
--log.format string LEGO_LOG_FORMAT Set the logging format. Supported values: ‘colored’, ‘text’, ‘json’.
(Default: “colored”)

lego accounts recover

Recover/import an account from the private key.

Usage

lego accounts recover [options]

Options

Flag Env Var Usage
--email string, -m string LEGO_EMAIL Email used for registration and recovery contact.
--help, -h show help
--key-type string, -k string LEGO_KEY_TYPE Key type to use for the private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192.
(Default: “EC256”)
--private-key string LEGO_PRIVATE_KEY Path to the account private key (PEM encoded).
--server string, -s string LEGO_SERVER CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl)
(Default: “https://acme-v02.api.letsencrypt.org/directory”)
Flag Env Var Usage
--eab LEGO_EAB Use External Account Binding for account registration. Requires eab.kid and eab.hmac.
--eab.hmac string LEGO_EAB_HMAC MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format.
--eab.kid string LEGO_EAB_KID Key identifier for External Account Binding.
Flag Env Var Usage
--cert.timeout int LEGO_CERT_TIMEOUT Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.
(Default: 30)
--enable-cn LEGO_ENABLE_CN Enable the use of the common name. (Not recommended)
Flag Env Var Usage
--http-timeout int LEGO_HTTP_TIMEOUT Set the HTTP timeout value to a specific value in seconds.
(Default: 0)
--overall-request-limit int LEGO_OVERALL_REQUEST_LIMIT ACME overall requests limit.
(Default: 18)
--tls-skip-verify LEGO_TLS_SKIP_VERIFY Skip the TLS verification of the ACME server.
--user-agent string LEGO_USER_AGENT Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flag Env Var Usage
--account-id string LEGO_ACCOUNT_ID Account identifier (The email is used if the account ID is undefined).
--path string LEGO_PATH Directory to use for storing the data.

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego accounts keyrollover

Update the account private key.

Usage

lego accounts keyrollover [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --email string, -m string | LEGO_EMAIL | Email used for registration and recovery contact. |
| --help, -h | | show help |
| --key-type string, -k string | LEGO_KEY_TYPE | Key type to use for the new private key of the account. Supported: EC256, EC384, RSA2048, RSA3072, RSA4096, RSA8192. (Default: "EC256") |
| --private-key string | LEGO_PRIVATE_KEY | Path to the new account private key (PEM encoded). If not specified, the private key will be generated. |
| --server string, -s string | LEGO_SERVER | CA (ACME server). It can be either a URL or a shortcode (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl). (Default: "https://acme-v02.api.letsencrypt.org/directory") |

| Flag | Env Var | Usage |
|---|---|---|
| --eab | LEGO_EAB | Use External Account Binding for account registration. Requires eab.kid and eab.hmac. |
| --eab.hmac string | LEGO_EAB_HMAC | MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. |
| --eab.kid string | LEGO_EAB_KID | Key identifier for External Account Binding. |

| Flag | Env Var | Usage |
|---|---|---|
| --cert.timeout int | LEGO_CERT_TIMEOUT | Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (Default: 30) |
| --enable-cn | LEGO_ENABLE_CN | Enable the use of the common name. (Not recommended) |

| Flag | Env Var | Usage |
|---|---|---|
| --http-timeout int | LEGO_HTTP_TIMEOUT | Set the HTTP timeout value to a specific value in seconds. (Default: 0) |
| --overall-request-limit int | LEGO_OVERALL_REQUEST_LIMIT | ACME overall requests limit. (Default: 18) |
| --tls-skip-verify | LEGO_TLS_SKIP_VERIFY | Skip the TLS verification of the ACME server. |
| --user-agent string | LEGO_USER_AGENT | Add to the user-agent sent to the CA to identify an application embedding lego-cli. |

| Flag | Env Var | Usage |
|---|---|---|
| --account-id string | LEGO_ACCOUNT_ID | Account identifier (the email is used if the account ID is undefined). |
| --path string | LEGO_PATH | Directory to use for storing the data. |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego accounts list

Display information about accounts.

Usage

lego accounts list [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --help, -h | | show help |
| --json | | Format the output as JSON. |

| Flag | Env Var | Usage |
|---|---|---|
| --config string | LEGO_CONFIG | Path to the configuration file. |

| Flag | Env Var | Usage |
|---|---|---|
| --path string | LEGO_PATH | Directory to use for storing the data. |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego archives restore

Restore an archive.

Usage

lego archives restore [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --help, -h | | show help |

| Flag | Env Var | Usage |
|---|---|---|
| --config string | LEGO_CONFIG | Path to the configuration file. |

| Flag | Env Var | Usage |
|---|---|---|
| --path string | LEGO_PATH | Directory to use for storing the data. |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego archives list

List all archives.

Usage

lego archives list [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --help, -h | | show help |

| Flag | Env Var | Usage |
|---|---|---|
| --config string | LEGO_CONFIG | Path to the configuration file. |

| Flag | Env Var | Usage |
|---|---|---|
| --path string | LEGO_PATH | Directory to use for storing the data. |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego dnshelp

Shows additional help for the `--dns` global option.

Usage

lego dnshelp [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --code string, -c string | | DNS code: abion, acmedns, active24, alidns, aliesa, allinkl, alwaysdata, anexia, artfiles, arvancloud, auroradns, autodns, axelname, azion, azuredns, baiducloud, beget, binarylane, bindman, bluecat, bluecatv2, bookmyname, bunny, checkdomain, civo, clouddns, cloudflare, cloudns, cloudru, com35, connbyte, conoha, conohav3, constellix, corenetworks, cpanel, curanet, czechia, dandomain, ddnss, derak, desec, designate, digitalocean, dinahosting, directadmin, dns51, dnscale, dnsexit, dnshomede, dnsimple, dnsla, dnsmadeeasy, dnsservices, dnsupdate, dode, domeneshop, dreamhost, duckdns, dyn, dynadot, dyndnsfree, dynu, easydns, edgecenter, edgedns, edgeone, efficientip, epik, eurodns, euserv, excedo, exec, exoscale, f5xc, fornex, freemyip, gandi, gandiv5, gcloud, gcore, gehirn, gigahostno, glesys, gname, godaddy, gravity, hetzner, hostingde, hostinger, hostingnl, hosttech, hostup, httpnet, httpreq, huaweicloud, hurricane, hyperone, ibmcloud, iijdpf, infoblox, infomaniak, internetbs, inwx, ionos, ionoscloud, ipv64, ispconfig, ispconfigddns, jdcloud, joker, katapult, keyhelp, leaseweb, liara, lightsail, limacity, linode, liquidweb, loopia, luadns, mailinabox, manageengine, manual, metaname, metaregistrar, mijnhost, mittwald, myaddr, mydnsjp, mythicbeasts, namecheap, namedotcom, namesilo, namesurfer, nearlyfreespeech, nederhost, neodigit, netcup, netlify, netnod, ngenix, nicmanager, nicru, nifcloud, njalla, nodion, ns1, octenium, omglol, onecloudru, onlinenet, opusdns, oraclecloud, otc, ovh, pdns, plesk, pointdns, porkbun, rackspace, rage4, rainyun, rcodezero, regfish, regru, rimuhosting, route53, safedns, sakuracloud, scaleway, scannet, selectel, selectelv2, selfhostde, servercow, shellrent, simply, sonic, spaceship, stackpath, syse, technitium, tele3, tencentcloud, timewebcloud, todaynic, transip, ucloud, ultradns, uniteddomains, variomedia, veesp, vegadns, vercel, versio, vinyldns, virtualname, vkcloud, volcengine, vscale, vultr, wannafind, webnamesca, webnamesru, websupport, wedos, westcn, xinnet, yandex, yandex360, yandexcloud, zilore, zoneedit, zoneee, zonomi |
| --help, -h | | show help |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |

lego migrate

Migrate certificates and accounts.

Usage

lego migrate [options]

Options

| Flag | Env Var | Usage |
|---|---|---|
| --account-only | LEGO_ACCOUNT_ONLY | Only migrate accounts. |
| --help, -h | | show help |

| Flag | Env Var | Usage |
|---|---|---|
| --path string | LEGO_PATH | Directory to use for storing the data. |

Global Options

| Flag | Env Var | Usage |
|---|---|---|
| --log.level string | LEGO_LOG_LEVEL | Set the logging level. Supported values: 'debug', 'info', 'warn', 'error'. (Default: "info") |
| --log.format string | LEGO_LOG_FORMAT | Set the logging format. Supported values: 'colored', 'text', 'json'. (Default: "colored") |