lego
by go-acme
Lego is a Go-based ACME client and library that automates obtaining, renewing, and managing TLS certificates from Let's Encrypt and other ACME-compatible CAs.
Let's Encrypt/ACME client and library written in Go
Primary Use Case
This tool is primarily used by developers, system administrators, and DevOps engineers to automate the lifecycle of TLS certificates, enabling secure HTTPS for websites and services. It supports integration as both a CLI tool and a Go library, making it suitable for automated certificate management in diverse environments.
- Full support for ACME v2 protocol (RFC 8555) and related extensions
- Integration with approximately 150 DNS providers for DNS-01 challenge automation
- Supports HTTP-01, DNS-01, and TLS-ALPN-01 ACME challenges
- Certificate issuance from scratch or using an existing CSR
- Certificate renewal and revocation capabilities
- SAN (Subject Alternative Name) certificate support
- Custom challenge solvers for flexible validation
- OCSP helper functions and certificate bundling
Installation
- Refer to https://go-acme.github.io/lego/installation/ for detailed installation steps
- Install via Go modules: go get github.com/go-acme/lego/v4
- Use the official Docker image: docker pull goacme/lego
Usage
>_ lego --help
Displays help information and available commands for the CLI.
>_ lego --email [email protected] --domains example.com --http run
Obtain a certificate for example.com using the HTTP-01 challenge.
>_ lego --email [email protected] --domains example.com --dns cloudflare run
Obtain a certificate for example.com using the DNS-01 challenge with Cloudflare DNS provider.
>_ lego renew
Renew all certificates that are near expiration.
>_ lego revoke --cert path/to/cert.pem
Revoke a previously issued certificate.
- Integrate lego into CI/CD pipelines to automate TLS certificate issuance and renewal, reducing human error and improving security posture.
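- Use lego's DNS-01 challenge automation to securely validate domain ownership without exposing HTTP endpoints, enhancing defense against domain hijacking. The DNS provider API credentials that lego uses can modify the zone, so scope them as narrowly as the provider allows.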
- Leverage lego's custom challenge solvers to adapt certificate issuance workflows to complex or proprietary environments.
- Combine lego with monitoring tools to detect certificate expiry proactively and prevent service outages or security warnings.
- Employ lego as part of a purple team exercise to simulate attacker attempts to manipulate certificate issuance and test detection and response capabilities.
