English | 简体中文
ACME client for Go version, supports ACMEv2 protocol, supports ECC certificate, supports wildcard SSL certificate
Challenge method supports HTTP/HTTPS file path, HTTP/HTTPS port forwarding, DNS challenge (wildcard SSL certificate)
-
Download the binary file of the corresponding platform acme-lego/releases/latest into the executable directory(for Linux is
/usr/local/bin/
directory), and renamelego
-
Create Lego default config file
/etc/lego/config.toml
, or if it is created in another directory, to executelego
, you need to pass in theconfig
parameter as the configuration file path(theconfig
parameter default value is/etc/lego/config.toml
)
Create a config.toml
configuration file in the configuration directory as follows
### Base Config
email = "[email protected]" # Email used for account registration
expire-days = 30 # How many days will the renewal be executed before expiration
key-type = ["rsa2048", "ec256"] # Globally supported certificate types
challenge = "http-path" # Globally supported challenge methods
after-renew = "systemctl reload nginx" # The command executed after the overall renewal is successful
# Domain Config
[domain-group."a.example.com"]
options.public = "/web-path/certificate/acme" # For http-path challenge, verify the location of the file
- After create the configuration file, then execute
lego reg # register account
lego run # Execution obtain certificate
You can obtain for a certificate with the configured domain
- It can also be executed manually if the configuration file does not exist
lego reg --email="[email protected]" # Execution register account using the params email
- Ignore the configuration and execution a single certificate obtain for a single domain
lego run --domain="c.example.com" # execution c.example.com domain certificate obtain
- Domain certificate renewal, because the execution file is not guarded in the background as a service, you need to manually add crontab tasks and execute the following commands regularly
lego renew
Or single domain certificate renewal
lego renew --domain="c.example.com"
lego
writes the challenge file returned by the ACME server into the configured path to support HTTP request to http://a.example.com/.well-known/acme-challenge/xxxxxx
to verify
For example, there is Nginx
configuration
server {
listen 80;
server_name a.example.com;
root /public/demo/www;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /public/demo/challenge/;
}
}
You need to configure the options.public
of the corresponding domain as the corresponding root directory in nginx
options.public = "/public/demo/challenge"
The HTTPS request is similar to the above, except that the challenge has changed to visit https://a.example.com/.well-known/acme-challenge/xxxxxx
to verify, the configuration remains unchanged
lego
start a web server to support challenge. It is recommended to configure on Nginx to forward /.well-known/acme-challenge/
requests to the lego server
The nginx configuration is as follows, where proxy_pass
is modified according to forwarding requirements
server {
listen 80;
server_name a.example.com;
root /public/demo/www;
location ^~ /.well-known/acme-challenge/ {
proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8013$request_uri;
}
}
You need to configure the options.server
of the corresponding domain as the corresponding forwarding server port in nginx
options.server = ":8013"
The HTTPS request is similar to the above, except that the challenge has changed to visit https://a.example.com/.well-known/acme-challenge/xxxxxx
to verify, the configuration remains unchanged
If the domain is managed by Cloudflare, it can be verified by configuring options.token
as Cloudflare Token, Cloudflare Token Docs
The directory where the default configuration file $PATH/config.toml
is located. $PATH/
is the configuration directory for all certificates and account information, which can be modified to other directories through the root-dir
parameter
The configuration parameters that the configuration file also supports are
root-dir = "/etc/lego" # Configuration directory, the default is the directory where the configuration file is located
log-level = "info" # Log level, the possible values from high to low are panic, fatal, error, warn, info, debug
dev = true # development mode, the development mode can customize the ACME service address, requesting the ACME address will ignore the HTTPS certificate verification
acme-url = "https://127.0.0.1:14000/dir" # Effective in development mode, request the service address of ACME
The default level of log under dev is debug, and under non-dev is info
lego/
account/
account.json # Account information
account.key # Account private key
certificates/
a.example.com/ # Separate directory for each domain
fullchain.ecdsa-256.crt # ecc public key
fullchain.rsa-2048.crt # rsa public key
meta.ecdsa-256.json # ecc data file
meta.rsa-2048.json # rsa data file
privkey.ecdsa-256.key # ecc private key
privkey.rsa-2048.key # rsa private key
b.example.com/
More function reference /config/config.template.toml file
The Go language is used to write similar tools and it is very convenient to use. You only need to download the compiled binary file and place it on the server for execution. It does not rely on other environments and does not need to install the Go language environment.
github.com/go-acme/lego based development
Copyright (c) 2020-present, AlphaTr