Lego – LetsEncrypt client
Lego is a Let’s Encrypt client and ACME library written in Go.
https://go-acme.github.io/lego/
Install Lego
To install it, go to the release page and download the latest version:

cd /tmp
wget https://github.com/go-acme/lego/releases/download/v4.4.0/lego_v4.4.0_linux_amd64.tar.gz
tar xvf lego_v4.4.0_linux_amd64.tar.gz
mv lego /usr/bin
rm -f lego_v4.4.0_linux_amd64.tar.gz CHANGELOG.md LICENSE
Create SSL certificate
To create an SSL certificate in standalone mode (using lego's built-in web server), run

lego --accept-tos --http --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" run

If you need to validate on port 443 instead, use --tls in place of --http.
Verify SSL using webroot (existing webserver)
lego --accept-tos --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" run
Renew SSL certificate
To renew the SSL certificate, use the same command as for creation, but replace "run" with

renew --days 30

--days 30 means the certificate is renewed only if it expires within 30 days. To force a renewal, use --days 90.
Now run

lego --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" renew --days 30
You need to restart the webserver after running this command.
Renew Hook
If you need to execute a script after the certificate has been renewed, add

--renew-hook="./myscript.sh"
Example:

lego --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" renew --days 30 --renew-hook="./myscript.sh"
If you are using the standalone method, you need to stop the webserver before running the lego command.
SSL certificates will be in the directory

/etc/lego/certificates/
Make it readable by the web server with the command

chmod -R 755 /etc/lego/
See also: letsencrypt