deblan-mirror/lego
1
0
Fork 0
mirror of https://github.com/go-acme/lego synced 2026-03-14 14:35:48 +01:00
Code Issues Projects Releases Packages Wiki Activity

feat: flag names and environment variables (#2847)

Browse source
This commit is contained in:
Ludovic Fernandez 2026-02-12 19:19:56 +01:00 committed by GitHub
commit b770f7dc5b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 412 additions and 224 deletions
Download patch file Download diff file Expand all files Collapse all files

2
challenge/dns01/client_nameservers.go
View file

@ -47,7 +47,7 @@ func (c *Client) checkNameserversPropagationCustom(ctx context.Context, fqdn, va
}
if !found {
return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, " ,"))
return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, ", "))
}
}

2
challenge/dns01/client_nameservers_test.go
View file

@ -42,7 +42,7 @@ func TestClient_checkNameserversPropagationCustom_authoritativeNss(t *testing.T)
fakeTXT("8.8.8.8.asn.routeviews.org.", "24"),
),
),
expectedError: "did not return the expected TXT record [fqdn: 8.8.8.8.asn.routeviews.org., value: fe01=]: 15169 ,8.8.8.0 ,24",
expectedError: "did not return the expected TXT record [fqdn: 8.8.8.8.asn.routeviews.org., value: fe01=]: 15169, 8.8.8.0, 24",
},
{
desc: "No TXT RR",

4
challenge/dns01/dns_challenge.go
View file

@ -112,7 +112,7 @@ func (c *Challenge) Solve(ctx context.Context, authz acme.Authorization) error {
timeout, interval = DefaultPropagationTimeout, DefaultPollingInterval
}
log.Info("acme: Checking DNS record propagation.",
log.Info("acme: waiting for DNS record propagation.",
log.DomainAttr(domain),
slog.String("nameservers", strings.Join(DefaultClient().recursiveNameservers, ",")),
)
@ -122,7 +122,7 @@ func (c *Challenge) Solve(ctx context.Context, authz acme.Authorization) error {
err = wait.For("propagation", timeout, interval, func() (bool, error) {
stop, errP := c.preCheck.call(ctx, domain, info.EffectiveFQDN, info.Value)
if !stop || errP != nil {
log.Info("acme: Waiting for DNS record propagation.", log.DomainAttr(domain))
log.Info("acme: waiting for DNS record propagation.", log.DomainAttr(domain))
}
return stop, errP

14
challenge/dns01/dns_challenge_options.go
View file

@ -2,7 +2,10 @@ package dns01
import (
"context"
"log/slog"
"time"
"github.com/go-acme/lego/v5/log"
)
type ChallengeOption func(*Challenge) error
@ -26,15 +29,22 @@ func DisableAuthoritativeNssPropagationRequirement() ChallengeOption {
}
}
func RecursiveNSsPropagationRequirement() ChallengeOption {
func DisableRecursiveNSsPropagationRequirement() ChallengeOption {
return func(chlg *Challenge) error {
chlg.preCheck.requireRecursiveNssPropagation = true
chlg.preCheck.requireRecursiveNssPropagation = false
return nil
}
}
func PropagationWait(wait time.Duration, skipCheck bool) ChallengeOption {
return WrapPreCheck(func(ctx context.Context, domain, fqdn, value string, check PreCheckFunc) (bool, error) {
if skipCheck {
log.Info("acme: the active propagation check is disabled, waiting for the propagation instead.",
slog.Duration("wait", wait),
log.DomainAttr(domain),
)
}
time.Sleep(wait)
if skipCheck {

1
challenge/dns01/dns_challenge_precheck.go
View file

@ -36,6 +36,7 @@ type preCheck struct {
func newPreCheck() preCheck {
return preCheck{
requireAuthoritativeNssPropagation: true,
requireRecursiveNssPropagation: true,
}
}

72
challenge/dns01/dns_challenge_precheck_test.go
View file

@ -11,7 +11,9 @@ import (
func Test_preCheck_checkDNSPropagation(t *testing.T) {
mockDefault(t,
dnsmock.NewServer().
// This line is here to produce an error if the calls don't go on the right DNS server.
Query("acme-staging.api.example.com. SOA", dnsmock.Error(dns.RcodeNameError)).
// This line is here to produce an error if the calls don't go on the right DNS server.
Query("api.example.com. SOA", dnsmock.Error(dns.RcodeNameError)).
Query("example.com. SOA", dnsmock.SOA("")).
Query("example.com. NS",
@ -24,9 +26,9 @@ func Test_preCheck_checkDNSPropagation(t *testing.T) {
mockResolver(
dnsmock.NewServer().
Query("ns0.lego.localhost. A",
dnsmock.Answer(fakeA("ns0.lego.localhost.", "127.0.0.1"))).
dnsmock.Answer(fakeA("ns0.lego.localhost."))).
Query("ns1.lego.localhost. A",
dnsmock.Answer(fakeA("ns1.lego.localhost.", "127.0.0.1"))).
dnsmock.Answer(fakeA("ns1.lego.localhost."))).
Query("example.com. TXT",
dnsmock.Answer(
fakeTXT("example.com.", "one"),
@ -55,7 +57,71 @@ func Test_preCheck_checkDNSPropagation(t *testing.T) {
desc: "no matching TXT record",
fqdn: "acme-staging.api.example.com.",
value: "fe01=",
expectedError: "did not return the expected TXT record [fqdn: acme-staging.api.example.com., value: fe01=]: one ,two ,three ,four ,five",
expectedError: "did not return the expected TXT record [fqdn: acme-staging.api.example.com., value: fe01=]: one, two, three, four, five",
},
}
for _, test := range testCases {
t.Run(test.desc, func(t *testing.T) {
DefaultClient().ClearFqdnCache()
check := newPreCheck()
check.requireRecursiveNssPropagation = false
ok, err := check.checkDNSPropagation(t.Context(), test.fqdn, test.value)
if test.expectedError != "" {
assert.ErrorContainsf(t, err, test.expectedError, "PreCheckDNS must fail for %s", test.fqdn)
assert.False(t, ok, "PreCheckDNS must fail for %s", test.fqdn)
} else {
assert.NoErrorf(t, err, "PreCheckDNS failed for %s", test.fqdn)
assert.True(t, ok, "PreCheckDNS failed for %s", test.fqdn)
}
})
}
}
func Test_preCheck_checkDNSPropagation_requireRecursiveNssPropagation(t *testing.T) {
// The 2 DNS servers must have the same data as we required full propagation.
builder := dnsmock.NewServer().
Query("ns0.lego.localhost. A",
dnsmock.Answer(fakeA("ns0.lego.localhost."))).
Query("ns1.lego.localhost. A",
dnsmock.Answer(fakeA("ns1.lego.localhost."))).
Query("example.com. TXT",
dnsmock.Answer(
fakeTXT("example.com.", "one"),
fakeTXT("example.com.", "two"),
fakeTXT("example.com.", "three"),
fakeTXT("example.com.", "four"),
fakeTXT("example.com.", "five"),
),
).
Query("example.com. SOA", dnsmock.SOA("")).
Query("example.com. NS",
dnsmock.Answer(
fakeNS("example.com.", "ns0.lego.localhost."),
fakeNS("example.com.", "ns1.lego.localhost."),
),
)
mockDefault(t, builder.Build(t), mockResolver(builder.Build(t)))
testCases := []struct {
desc string
fqdn string
value string
expectedError string
}{
{
desc: "success",
fqdn: "example.com.",
value: "four",
},
{
desc: "no matching TXT record",
fqdn: "acme-staging.api.example.com.",
value: "fe01=",
expectedError: "did not return the expected TXT record [fqdn: acme-staging.api.example.com., value: fe01=]: one, two, three, four, five",
},
}

11
challenge/dns01/mock_test.go
View file

@ -6,6 +6,7 @@ import (
"testing"
"time"
"github.com/go-acme/lego/v5/challenge"
"github.com/miekg/dns"
"github.com/stretchr/testify/require"
)
@ -17,10 +18,10 @@ func fakeNS(name, ns string) *dns.NS {
}
}
func fakeA(name, ip string) *dns.A {
func fakeA(name string) *dns.A {
return &dns.A{
Hdr: dns.RR_Header{Name: name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 10},
A: net.ParseIP(ip),
A: net.ParseIP("127.0.0.1"),
}
}
@ -37,6 +38,8 @@ func mockResolver(authoritativeNS net.Addr) func(t *testing.T, client *Client) {
return func(t *testing.T, client *Client) {
t.Helper()
t.Log("authoritativeNS", authoritativeNS)
_, port, err := net.SplitHostPort(authoritativeNS.String())
require.NoError(t, err)
@ -68,7 +71,9 @@ func mockDefault(t *testing.T, recursiveNS net.Addr, opts ...func(t *testing.T,
SetDefaultClient(backup)
})
client := NewClient(&Options{RecursiveNameservers: []string{recursiveNS.String()}})
t.Log("recursiveNS", recursiveNS)
client := NewClient(&Options{RecursiveNameservers: []string{recursiveNS.String()}, NetworkStack: challenge.IPv4Only})
for _, opt := range opts {
opt(t, client)

6
cmd/cmd_register.go
View file

@ -83,11 +83,11 @@ func registerAccount(ctx context.Context, cmd *cli.Command, client *lego.Client)
}
if cmd.Bool(flgEAB) {
kid := cmd.String(flgKID)
hmacEncoded := cmd.String(flgHMAC)
kid := cmd.String(flgEABKID)
hmacEncoded := cmd.String(flgEABHMAC)
if kid == "" || hmacEncoded == "" {
log.Fatal(fmt.Sprintf("Requires arguments --%s and --%s.", flgKID, flgHMAC))
log.Fatal(fmt.Sprintf("Requires arguments --%s and --%s.", flgEABKID, flgEABHMAC))
}
return client.Registration.RegisterWithExternalAccountBinding(ctx, registration.RegisterEABOptions{

30
cmd/cmd_renew.go
View file

@ -158,7 +158,9 @@ func renewForDomains(ctx context.Context, cmd *cli.Command, lazyClient lzSetUp,
certDomains := certcrypto.ExtractDomains(cert)
if ariRenewalTime == nil && !needRenewal(cert, domain, cmd.Int(flgRenewDays), cmd.Bool(flgRenewDynamic)) &&
days := getFlagRenewDays(cmd)
if ariRenewalTime == nil && !needRenewal(cert, domain, days, cmd.Bool(flgRenewForce)) &&
(!forceDomains || slices.Equal(certDomains, domains)) {
return nil
}
@ -295,7 +297,9 @@ func renewForCSR(ctx context.Context, cmd *cli.Command, lazyClient lzSetUp, cert
}
}
if ariRenewalTime == nil && !needRenewal(cert, domain, cmd.Int(flgRenewDays), cmd.Bool(flgRenewDynamic)) {
days := getFlagRenewDays(cmd)
if ariRenewalTime == nil && !needRenewal(cert, domain, days, cmd.Bool(flgRenewForce)) {
return nil
}
@ -337,16 +341,34 @@ func renewForCSR(ctx context.Context, cmd *cli.Command, lazyClient lzSetUp, cert
return hook.Launch(ctx, cmd.String(flgDeployHook), cmd.Duration(flgDeployHookTimeout), meta)
}
func needRenewal(x509Cert *x509.Certificate, domain string, days int, dynamic bool) bool {
func getFlagRenewDays(cmd *cli.Command) int {
if cmd.IsSet(flgRenewDays) {
return cmd.Int(flgRenewDays)
}
return -math.MaxInt
}
func needRenewal(x509Cert *x509.Certificate, domain string, days int, force bool) bool {
if x509Cert.IsCA {
log.Fatal("Certificate bundle starts with a CA certificate.", log.DomainAttr(domain))
}
if dynamic {
if force {
return true
}
// Default behavior
if days == -math.MaxInt {
return needRenewalDynamic(x509Cert, domain, time.Now())
}
return needRenewalDays(x509Cert, domain, days)
}
func needRenewalDays(x509Cert *x509.Certificate, domain string, days int) bool {
if days < 0 {
// if the number of days is negative: always renew the certificate.
return true
}

166
cmd/flags.go
View file

@ -2,12 +2,14 @@ package cmd
import (
"context"
"errors"
"fmt"
"log/slog"
"os"
"path/filepath"
"strings"
"time"
"unicode"
"github.com/go-acme/lego/v5/acme"
"github.com/go-acme/lego/v5/certificate"
@ -30,19 +32,20 @@ const (
categoryARI = "Flags related to ACME Renewal Information (ARI) Extension:"
)
// Flag names related to the account and domains.
// Flag names related to the account.
const (
flgDomains = "domains"
flgAcceptTOS = "accept-tos"
flgEmail = "email"
flgKeyType = "key-type"
flgAccountID = "account-id"
flgEAB = "eab"
flgKID = "kid"
flgHMAC = "hmac"
flgEABKID = "eab.kid"
flgEABHMAC = "eab.hmac"
)
// Flag names related to Obtain certificates.
const (
flgDomains = "domains"
flgCSR = "csr"
flgNoBundle = "no-bundle"
flgMustStaple = "must-staple"
@ -65,8 +68,7 @@ const (
// Flag names related to the ACME client.
const (
flgServer = "server"
flgDisableCommonName = "disable-cn"
flgKeyType = "key-type"
flgEnableCommonName = "enable-cn"
flgHTTPTimeout = "http-timeout"
flgTLSSkipVerify = "tls-skip-verify"
flgOverallRequestLimit = "overall-request-limit"
@ -105,12 +107,11 @@ const (
// Flag names related to DNS-01 challenge.
const (
flgDNS = "dns"
flgDNSDisableCP = "dns.disable-cp"
flgDNSPropagationWait = "dns.propagation-wait"
flgDNSPropagationDisableANS = "dns.propagation-disable-ans"
flgDNSPropagationRNS = "dns.propagation-rns"
flgDNSPropagationWait = "dns.propagation.wait"
flgDNSPropagationDisableANS = "dns.propagation.disable-ans"
flgDNSPropagationDisableRNS = "dns.propagation.disable-rns"
flgDNSResolvers = "dns.resolvers"
flgDNSTimeout = "dns-timeout"
flgDNSTimeout = "dns.timeout"
)
// Flags names related to hooks.
@ -126,8 +127,8 @@ const (
// Flag names related to the specific renew command.
const (
flgRenewDays = "days"
flgRenewDynamic = "dynamic"
flgRenewDays = "renew-days"
flgRenewForce = "renew-force"
flgARIDisable = "ari-disable"
flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
flgReuseKey = "reuse-key"
@ -147,19 +148,13 @@ const (
flgNames = "names"
)
// Environment variable names.
const (
envEAB = "LEGO_EAB"
envEABHMAC = "LEGO_EAB_HMAC"
envEABKID = "LEGO_EAB_KID"
envEmail = "LEGO_EMAIL"
envAccountID = "LEGO_ACCOUNT_ID"
envPath = "LEGO_PATH"
envPFX = "LEGO_PFX"
envPFXFormat = "LEGO_PFX_FORMAT"
envPFXPassword = "LEGO_PFX_PASSWORD"
envServer = "LEGO_SERVER"
)
func toEnvName(flg string) string {
fields := strings.FieldsFunc(flg, func(r rune) bool {
return !unicode.IsLetter(r) && !unicode.IsNumber(r)
})
return "LEGO_" + strings.ToUpper(strings.Join(fields, "_"))
}
func createACMEClientFlags() []cli.Flag {
return []cli.Flag{
@ -167,7 +162,7 @@ func createACMEClientFlags() []cli.Flag {
// NOTE(ldez): if Required is true, then the default value is not display in the help.
Name: flgServer,
Aliases: []string{"s"},
Sources: cli.EnvVars(envServer),
Sources: cli.EnvVars(toEnvName(flgServer)),
Usage: fmt.Sprintf("CA (ACME server). It can be either a URL or a shortcode."+
"\n\t(available shortcodes: %s)", strings.Join(lego.GetAllCodes(), ", ")),
Value: lego.DirectoryURLLetsEncrypt,
@ -184,40 +179,47 @@ func createACMEClientFlags() []cli.Flag {
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgDisableCommonName,
Usage: "Disable the use of the common name in the CSR.",
Name: flgEnableCommonName,
Sources: cli.EnvVars(toEnvName(flgEnableCommonName)),
Usage: "Enable the use of the common name. (Not recommended)",
},
&cli.StringFlag{
Name: flgKeyType,
Aliases: []string{"k"},
Sources: cli.EnvVars(toEnvName(flgKeyType)),
Value: "ec256",
Usage: "Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384.",
},
&cli.IntFlag{
Category: categoryACMEClient,
Name: flgHTTPTimeout,
Sources: cli.EnvVars(toEnvName(flgHTTPTimeout)),
Usage: "Set the HTTP timeout value to a specific value in seconds.",
},
&cli.BoolFlag{
Category: categoryACMEClient,
Name: flgTLSSkipVerify,
Sources: cli.EnvVars(toEnvName(flgTLSSkipVerify)),
Usage: "Skip the TLS verification of the ACME server.",
},
&cli.IntFlag{
Category: categoryAdvanced,
Name: flgCertTimeout,
Sources: cli.EnvVars(toEnvName(flgCertTimeout)),
Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.",
Value: 30,
},
&cli.IntFlag{
Category: categoryACMEClient,
Name: flgOverallRequestLimit,
Sources: cli.EnvVars(toEnvName(flgOverallRequestLimit)),
Usage: "ACME overall requests limit.",
Value: certificate.DefaultOverallRequestLimit,
},
&cli.StringFlag{
Category: categoryACMEClient,
Name: flgUserAgent,
Sources: cli.EnvVars(toEnvName(flgUserAgent)),
Usage: "Add to the user-agent sent to the CA to identify an application embedding lego-cli",
},
}
@ -240,12 +242,14 @@ func createNetworkStackFlags() []cli.Flag {
Category: categoryAdvanced,
Name: flgIPv4Only,
Aliases: []string{"4"},
Sources: cli.EnvVars(toEnvName(flgIPv4Only)),
Usage: "Use IPv4 only.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgIPv6Only,
Aliases: []string{"6"},
Sources: cli.EnvVars(toEnvName(flgIPv6Only)),
Usage: "Use IPv6 only.",
},
}
@ -256,40 +260,47 @@ func createHTTPChallengeFlags() []cli.Flag {
&cli.BoolFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTP,
Sources: cli.EnvVars(toEnvName(flgHTTP)),
Usage: "Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.",
},
&cli.StringFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPPort,
Sources: cli.EnvVars(toEnvName(flgHTTPPort)),
Usage: "Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":80",
},
&cli.DurationFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPDelay,
Sources: cli.EnvVars(toEnvName(flgHTTPDelay)),
Usage: "Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge.",
Value: 0,
},
&cli.StringFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPProxyHeader,
Sources: cli.EnvVars(toEnvName(flgHTTPProxyHeader)),
Usage: "Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.",
Value: "Host",
},
&cli.StringFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPWebroot,
Sources: cli.EnvVars(toEnvName(flgHTTPWebroot)),
Usage: "Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file." +
" This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge",
},
&cli.StringSliceFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPMemcachedHost,
Sources: cli.EnvVars(toEnvName(flgHTTPMemcachedHost)),
Usage: "Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.",
},
&cli.StringFlag{
Category: categoryHTTP01Challenge,
Name: flgHTTPS3Bucket,
Sources: cli.EnvVars(toEnvName(flgHTTPS3Bucket)),
Usage: "Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.",
},
}
@ -300,17 +311,20 @@ func createTLSChallengeFlags() []cli.Flag {
&cli.BoolFlag{
Category: categoryTLSALPN01Challenge,
Name: flgTLS,
Sources: cli.EnvVars(toEnvName(flgTLS)),
Usage: "Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.",
},
&cli.StringFlag{
Category: categoryTLSALPN01Challenge,
Name: flgTLSPort,
Sources: cli.EnvVars(toEnvName(flgTLSPort)),
Usage: "Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":443",
},
&cli.DurationFlag{
Category: categoryTLSALPN01Challenge,
Name: flgTLSDelay,
Sources: cli.EnvVars(toEnvName(flgTLSDelay)),
Usage: "Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge.",
Value: 0,
},
@ -322,31 +336,38 @@ func createDNSChallengeFlags() []cli.Flag {
&cli.StringFlag{
Category: categoryDNS01Challenge,
Name: flgDNS,
Sources: cli.EnvVars(toEnvName(flgDNS)),
Usage: "Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.",
},
&cli.BoolFlag{
Category: categoryDNS01Challenge,
Name: flgDNSDisableCP,
Usage: fmt.Sprintf("(deprecated) use %s instead.", flgDNSPropagationDisableANS),
},
&cli.BoolFlag{
Category: categoryDNS01Challenge,
Name: flgDNSPropagationDisableANS,
Sources: cli.EnvVars(toEnvName(flgDNSPropagationDisableANS)),
Usage: "By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.",
},
&cli.BoolFlag{
Category: categoryDNS01Challenge,
Name: flgDNSPropagationRNS,
Usage: "By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.",
Name: flgDNSPropagationDisableRNS,
Sources: cli.EnvVars(toEnvName(flgDNSPropagationDisableRNS)),
Usage: "By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers).",
},
&cli.DurationFlag{
Category: categoryDNS01Challenge,
Name: flgDNSPropagationWait,
Sources: cli.EnvVars(toEnvName(flgDNSPropagationWait)),
Usage: "By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead.",
Validator: func(d time.Duration) error {
if d < 0 {
return errors.New("it cannot be negative")
}
return nil
},
},
&cli.StringSliceFlag{
Category: categoryDNS01Challenge,
Name: flgDNSResolvers,
Sources: cli.EnvVars(toEnvName(flgDNSResolvers)),
Usage: "Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination." +
" For DNS-01 challenge verification, the authoritative DNS server is queried directly." +
" Supported: host:port." +
@ -355,6 +376,7 @@ func createDNSChallengeFlags() []cli.Flag {
&cli.IntFlag{
Category: categoryDNS01Challenge,
Name: flgDNSTimeout,
Sources: cli.EnvVars(toEnvName(flgDNSTimeout)),
Usage: "Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.",
Value: 10,
},
@ -367,27 +389,28 @@ func createStorageFlags() []cli.Flag {
&cli.BoolFlag{
Category: categoryStorage,
Name: flgPEM,
Sources: cli.EnvVars(toEnvName(flgPEM)),
Usage: "Generate an additional .pem (base64) file by concatenating the .key and .crt files together.",
},
&cli.BoolFlag{
Category: categoryStorage,
Name: flgPFX,
Sources: cli.EnvVars(toEnvName(flgPFX)),
Usage: "Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.",
Sources: cli.EnvVars(envPFX),
},
&cli.StringFlag{
Category: categoryStorage,
Name: flgPFXPass,
Sources: cli.EnvVars(toEnvName(flgPFXPass)),
Usage: "The password used to encrypt the .pfx (PCKS#12) file.",
Value: pkcs12.DefaultPassword,
Sources: cli.EnvVars(envPFXPassword),
},
&cli.StringFlag{
Category: categoryStorage,
Name: flgPFXFormat,
Sources: cli.EnvVars(toEnvName(flgPFXFormat)),
Usage: "The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256.",
Value: "RC2",
Sources: cli.EnvVars(envPFXFormat),
},
}
}
@ -397,32 +420,33 @@ func createAccountFlags() []cli.Flag {
&cli.StringFlag{
Name: flgEmail,
Aliases: []string{"m"},
Sources: cli.EnvVars(envEmail),
Sources: cli.EnvVars(toEnvName(flgEmail)),
Usage: "Email used for registration and recovery contact.",
},
&cli.StringFlag{
Name: flgAccountID,
Aliases: []string{"a"},
Sources: cli.EnvVars(envAccountID),
Usage: "Account identifier (The email is used if there is account ID is undefined).",
Category: categoryStorage,
Name: flgAccountID,
Aliases: []string{"a"},
Sources: cli.EnvVars(toEnvName(flgAccountID)),
Usage: "Account identifier (The email is used if there is account ID is undefined).",
},
&cli.BoolFlag{
Category: categoryEAB,
Name: flgEAB,
Sources: cli.EnvVars(envEAB),
Usage: "Use External Account Binding for account registration. Requires --kid and --hmac.",
Sources: cli.EnvVars(toEnvName(flgEAB)),
Usage: fmt.Sprintf("Use External Account Binding for account registration. Requires %s and %s.", flgEABKID, flgEABHMAC),
},
&cli.StringFlag{
Category: categoryEAB,
Name: flgKID,
Sources: cli.EnvVars(envEABKID),
Usage: "Key identifier from External CA. Used for External Account Binding.",
Name: flgEABKID,
Sources: cli.EnvVars(toEnvName(flgEABKID)),
Usage: "Key identifier for External Account Binding.",
},
&cli.StringFlag{
Category: categoryEAB,
Name: flgHMAC,
Sources: cli.EnvVars(envEABHMAC),
Usage: "MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.",
Name: flgEABHMAC,
Sources: cli.EnvVars(toEnvName(flgEABHMAC)),
Usage: "MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format.",
},
}
}
@ -433,22 +457,26 @@ func createObtainFlags() []cli.Flag {
Category: categoryAdvanced,
Name: flgCSR,
Aliases: []string{"c"},
Sources: cli.EnvVars(toEnvName(flgCSR)),
Usage: "Certificate signing request filename, if an external CSR is to be used.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgNoBundle,
Sources: cli.EnvVars(toEnvName(flgNoBundle)),
Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgMustStaple,
Sources: cli.EnvVars(toEnvName(flgMustStaple)),
Usage: "Include the OCSP must staple TLS extension in the CSR and generated certificate." +
" Only works if the CSR is generated by lego.",
},
&cli.TimestampFlag{
Category: categoryAdvanced,
Name: flgNotBefore,
Sources: cli.EnvVars(toEnvName(flgNotBefore)),
Usage: "Set the notBefore field in the certificate (RFC3339 format)",
Config: cli.TimestampConfig{
Layouts: []string{time.RFC3339},
@ -457,6 +485,7 @@ func createObtainFlags() []cli.Flag {
&cli.TimestampFlag{
Category: categoryAdvanced,
Name: flgNotAfter,
Sources: cli.EnvVars(toEnvName(flgNotAfter)),
Usage: "Set the notAfter field in the certificate (RFC3339 format)",
Config: cli.TimestampConfig{
Layouts: []string{time.RFC3339},
@ -465,17 +494,20 @@ func createObtainFlags() []cli.Flag {
&cli.StringFlag{
Category: categoryAdvanced,
Name: flgPreferredChain,
Sources: cli.EnvVars(toEnvName(flgPreferredChain)),
Usage: "If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name." +
" If no match, the default offered chain will be used.",
},
&cli.StringFlag{
Category: categoryAdvanced,
Name: flgProfile,
Sources: cli.EnvVars(toEnvName(flgProfile)),
Usage: "If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.",
},
&cli.StringFlag{
Category: categoryAdvanced,
Name: flgAlwaysDeactivateAuthorizations,
Sources: cli.EnvVars(toEnvName(flgAlwaysDeactivateAuthorizations)),
Usage: "Force the authorizations to be relinquished even if the certificate request was successful.",
},
}
@ -486,11 +518,13 @@ func createHookFlags() []cli.Flag {
&cli.StringFlag{
Category: categoryHooks,
Name: flgDeployHook,
Sources: cli.EnvVars(toEnvName(flgDeployHook)),
Usage: "Define a hook. The hook is executed only when the certificates are effectively created/renewed.",
},
&cli.DurationFlag{
Category: categoryHooks,
Name: flgDeployHookTimeout,
Sources: cli.EnvVars(toEnvName(flgDeployHookTimeout)),
Usage: "Define the timeout for the hook execution.",
Value: 2 * time.Minute,
},
@ -514,6 +548,7 @@ func createRunFlags() []cli.Flag {
&cli.StringFlag{
Category: categoryAdvanced,
Name: flgPrivateKey,
Sources: cli.EnvVars(toEnvName(flgPrivateKey)),
Usage: "Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated.",
},
)
@ -535,40 +570,45 @@ func createRenewFlags() []cli.Flag {
flags = append(flags,
&cli.IntFlag{
Name: flgRenewDays,
Value: 30,
Usage: "The number of days left on a certificate to renew it.",
Name: flgRenewDays,
Sources: cli.EnvVars(toEnvName(flgRenewDays)),
Usage: "The number of days left on a certificate to renew it." +
"\n\tBy default, compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates).",
},
// TODO(ldez): in v5, remove this flag, use this behavior as default.
&cli.BoolFlag{
Name: flgRenewDynamic,
Value: false,
Usage: "Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5.",
Name: flgRenewForce,
Sources: cli.EnvVars(toEnvName(flgRenewForce)),
Usage: "Force the renewal of the certificate even if it is not due for renewal yet.",
},
&cli.BoolFlag{
Category: categoryARI,
Name: flgARIDisable,
Sources: cli.EnvVars(toEnvName(flgARIDisable)),
Usage: "Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.",
},
&cli.DurationFlag{
Category: categoryARI,
Name: flgARIWaitToRenewDuration,
Sources: cli.EnvVars(toEnvName(flgARIWaitToRenewDuration)),
Usage: "The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgReuseKey,
Sources: cli.EnvVars(toEnvName(flgReuseKey)),
Usage: "Used to indicate you want to reuse your current private key for the new certificate.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgNoRandomSleep,
Sources: cli.EnvVars(toEnvName(flgNoRandomSleep)),
Usage: "Do not add a random sleep before the renewal." +
" We do not recommend using this flag if you are doing your renewals in an automated way.",
},
&cli.BoolFlag{
Category: categoryAdvanced,
Name: flgForceCertDomains,
Sources: cli.EnvVars(toEnvName(flgForceCertDomains)),
Usage: "Check and ensure that the cert's domain list matches those passed in the domains argument.",
},
)
@ -582,10 +622,12 @@ func createRevokeFlags() []cli.Flag {
&cli.BoolFlag{
Name: flgKeep,
Aliases: []string{"k"},
Sources: cli.EnvVars(toEnvName(flgKeep)),
Usage: "Keep the certificates after the revocation instead of archiving them.",
},
&cli.UintFlag{
Name: flgReason,
Name: flgReason,
Sources: cli.EnvVars(toEnvName(flgReason)),
Usage: "Identifies the reason for the certificate revocation." +
" See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1." +
" Valid values are:" +
@ -635,6 +677,7 @@ func createAcceptFlag() cli.Flag {
return &cli.BoolFlag{
Name: flgAcceptTOS,
Aliases: []string{"a"},
Sources: cli.EnvVars(toEnvName(flgAcceptTOS)),
Usage: "By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.",
}
}
@ -643,6 +686,7 @@ func createDomainFlag() cli.Flag {
return &cli.StringSliceFlag{
Name: flgDomains,
Aliases: []string{"d"},
Sources: cli.EnvVars(toEnvName(flgDomains)),
Usage: "Add a domain. For multiple domains either repeat the option or provide a comma-separated list.",
}
}
@ -651,7 +695,7 @@ func createPathFlag(forceCreation bool) cli.Flag {
return &cli.StringFlag{
Category: categoryStorage,
Name: flgPath,
Sources: cli.NewValueSourceChain(cli.EnvVar(envPath), &defaultPathValueSource{}),
Sources: cli.NewValueSourceChain(cli.EnvVar(toEnvName(flgPath)), &defaultPathValueSource{}),
Usage: "Directory to use for storing the data.",
Validator: func(s string) error {
if !forceCreation {

46
cmd/flags_test.go Normal file
View file

@ -0,0 +1,46 @@
package cmd
import (
"testing"
"github.com/stretchr/testify/assert"
)
func Test_toEnvName(t *testing.T) {
testCases := []struct {
desc string
flag string
expected string
}{
{
desc: "only letters",
flag: flgServer,
expected: "LEGO_SERVER",
},
{
desc: "letters and digits",
flag: flgIPv6Only,
expected: "LEGO_IPV6ONLY",
},
{
desc: "hyphen",
flag: flgHTTPPort,
expected: "LEGO_HTTP_PORT",
},
{
desc: "dot, hyphen",
flag: flgDNSPropagationDisableRNS,
expected: "LEGO_DNS_PROPAGATION_DISABLE_RNS",
},
}
for _, test := range testCases {
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
envName := toEnvName(test.flag)
assert.Equal(t, test.expected, envName)
})
}
}

2
cmd/setup.go
View file

@ -43,7 +43,7 @@ func newClientConfig(cmd *cli.Command, account registration.User, keyType certcr
KeyType: keyType,
Timeout: time.Duration(cmd.Int(flgCertTimeout)) * time.Second,
OverallRequestLimit: cmd.Int(flgOverallRequestLimit),
EnableCommonName: !cmd.Bool(flgDisableCommonName),
EnableCommonName: cmd.Bool(flgEnableCommonName),
}
config.UserAgent = getUserAgent(cmd)

47
cmd/setup_challenges.go
View file

@ -164,16 +164,11 @@ func setupTLSProvider(cmd *cli.Command) challenge.Provider {
}
func setupDNS(cmd *cli.Command, client *lego.Client) error {
err := checkPropagationExclusiveOptions(cmd)
err := validatePropagationExclusiveOptions(cmd)
if err != nil {
return err
}
wait := cmd.Duration(flgDNSPropagationWait)
if wait < 0 {
return fmt.Errorf("'%s' cannot be negative", flgDNSPropagationWait)
}
provider, err := dns.NewDNSChallengeProviderByName(cmd.String(flgDNS))
if err != nil {
return err
@ -189,42 +184,38 @@ func setupDNS(cmd *cli.Command, client *lego.Client) error {
dns01.SetDefaultClient(dns01.NewClient(opts))
shouldWait := cmd.IsSet(flgDNSPropagationWait)
err = client.Challenge.SetDNS01Provider(provider,
dns01.CondOption(cmd.Bool(flgDNSDisableCP) || cmd.Bool(flgDNSPropagationDisableANS),
dns01.CondOption(shouldWait,
dns01.PropagationWait(cmd.Duration(flgDNSPropagationWait), true)),
dns01.CondOption(!shouldWait && cmd.Bool(flgDNSPropagationDisableANS),
dns01.DisableAuthoritativeNssPropagationRequirement()),
dns01.CondOption(cmd.Duration(flgDNSPropagationWait) > 0,
// TODO(ldez): inside the next major version we will use flgDNSDisableCP here.
// This will change the meaning of this flag to really disable all propagation checks.
dns01.PropagationWait(wait, true)),
dns01.CondOption(cmd.Bool(flgDNSPropagationRNS),
dns01.RecursiveNSsPropagationRequirement()),
dns01.CondOption(!shouldWait && cmd.Bool(flgDNSPropagationDisableRNS),
dns01.DisableRecursiveNSsPropagationRequirement()),
)
return err
}
func checkPropagationExclusiveOptions(cmd *cli.Command) error {
if cmd.IsSet(flgDNSDisableCP) {
log.Warnf(log.LazySprintf("The flag '%s' is deprecated use '%s' instead.", flgDNSDisableCP, flgDNSPropagationDisableANS))
func validatePropagationExclusiveOptions(cmd *cli.Command) error {
if !cmd.IsSet(flgDNSPropagationWait) {
return nil
}
if (isSetBool(cmd, flgDNSDisableCP) || isSetBool(cmd, flgDNSPropagationDisableANS)) && cmd.IsSet(flgDNSPropagationWait) {
return fmt.Errorf("'%s' and '%s' are mutually exclusive", flgDNSPropagationDisableANS, flgDNSPropagationWait)
if isSetBool(cmd, flgDNSPropagationDisableANS) {
return fmt.Errorf("'%s' and '%s' are mutually exclusive",
flgDNSPropagationWait, flgDNSPropagationDisableANS)
}
if isSetBool(cmd, flgDNSPropagationRNS) && cmd.IsSet(flgDNSPropagationWait) {
return fmt.Errorf("'%s' and '%s' are mutually exclusive", flgDNSPropagationRNS, flgDNSPropagationWait)
if isSetBool(cmd, flgDNSPropagationDisableRNS) {
return fmt.Errorf("'%s' and '%s' are mutually exclusive",
flgDNSPropagationWait, flgDNSPropagationDisableRNS)
}
return nil
}
func isSetBool(cmd *cli.Command, name string) bool {
return cmd.IsSet(name) && cmd.Bool(name)
}
func getNetworkStack(cmd *cli.Command) challenge.NetworkStack {
switch {
case cmd.Bool(flgIPv4Only):
@ -237,3 +228,7 @@ func getNetworkStack(cmd *cli.Command) challenge.NetworkStack {
return challenge.DualStack
}
}
func isSetBool(cmd *cli.Command, name string) bool {
return cmd.IsSet(name) && cmd.Bool(name)
}

231
docs/data/zz_cli_help.toml generated
View file

@ -33,82 +33,81 @@ USAGE:
lego run
OPTIONS:
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service. [$LEGO_ACCEPT_TOS]
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS]
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE]
--server string, -s string CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
--eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
--eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--disable-cn Disable the use of the common name in the CSR.
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--private-key string Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. [$LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS]
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
--csr string, -c string Certificate signing request filename, if an external CSR is to be used. [$LEGO_CSR]
--enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]
--ipv4only, -4 Use IPv4 only. [$LEGO_IPV4ONLY]
--ipv6only, -6 Use IPv6 only. [$LEGO_IPV6ONLY]
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. [$LEGO_MUST_STAPLE]
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. [$LEGO_NO_BUNDLE]
--not-after time Set the notAfter field in the certificate (RFC3339 format) [$LEGO_NOT_AFTER]
--not-before time Set the notBefore field in the certificate (RFC3339 format) [$LEGO_NOT_BEFORE]
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. [$LEGO_PREFERRED_CHAIN]
--private-key string Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated. [$LEGO_PRIVATE_KEY]
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. [$LEGO_PROFILE]
Flags related to hooks:
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. [$LEGO_DEPLOY_HOOK]
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) [$LEGO_DEPLOY_HOOK_TIMEOUT]
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
--overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
--tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]
Flags related to the DNS-01 challenge:
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. [$LEGO_DNS]
--dns.propagation.disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PROPAGATION_DISABLE_ANS]
--dns.propagation.disable-rns By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PROPAGATION_DISABLE_RNS]
--dns.propagation.wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PROPAGATION_WAIT]
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. [$LEGO_DNS_RESOLVERS]
--dns.timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) [$LEGO_DNS_TIMEOUT]
Flags related to the HTTP-01 challenge:
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s)
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_HTTP]
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_HTTP_DELAY]
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. [$LEGO_HTTP_MEMCACHED_HOST]
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") [$LEGO_HTTP_PORT]
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") [$LEGO_HTTP_PROXY_HEADER]
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. [$LEGO_HTTP_S3_BUCKET]
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge [$LEGO_HTTP_WEBROOT]
Flags related to the TLS-ALPN-01 challenge:
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_TLS]
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_TLS_DELAY]
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") [$LEGO_TLS_PORT]
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. [$LEGO_PEM]
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASS]
"""
[[command]]
@ -121,90 +120,90 @@ USAGE:
lego renew
OPTIONS:
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--days int The number of days left on a certificate to renew it. (default: 30)
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5.
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS]
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE]
--renew-days int The number of days left on a certificate to renew it.
By default, compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). (default: 0) [$LEGO_RENEW_DAYS]
--renew-force Force the renewal of the certificate even if it is not due for renewal yet. [$LEGO_RENEW_FORCE]
--server string, -s string CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]
Flags related to ACME Renewal Information (ARI) Extension:
--ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.
--ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
--ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. [$LEGO_ARI_DISABLE]
--ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) [$LEGO_ARI_WAIT_TO_RENEW_DURATION]
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
--eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
--eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--disable-cn Disable the use of the common name in the CSR.
--force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument.
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way.
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
--reuse-key Used to indicate you want to reuse your current private key for the new certificate.
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. [$LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS]
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
--csr string, -c string Certificate signing request filename, if an external CSR is to be used. [$LEGO_CSR]
--enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]
--force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. [$LEGO_FORCE_CERT_DOMAINS]
--ipv4only, -4 Use IPv4 only. [$LEGO_IPV4ONLY]
--ipv6only, -6 Use IPv6 only. [$LEGO_IPV6ONLY]
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. [$LEGO_MUST_STAPLE]
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. [$LEGO_NO_BUNDLE]
--no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. [$LEGO_NO_RANDOM_SLEEP]
--not-after time Set the notAfter field in the certificate (RFC3339 format) [$LEGO_NOT_AFTER]
--not-before time Set the notBefore field in the certificate (RFC3339 format) [$LEGO_NOT_BEFORE]
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. [$LEGO_PREFERRED_CHAIN]
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. [$LEGO_PROFILE]
--reuse-key Used to indicate you want to reuse your current private key for the new certificate. [$LEGO_REUSE_KEY]
Flags related to hooks:
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. [$LEGO_DEPLOY_HOOK]
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) [$LEGO_DEPLOY_HOOK_TIMEOUT]
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
--overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
--tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]
Flags related to the DNS-01 challenge:
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. [$LEGO_DNS]
--dns.propagation.disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PROPAGATION_DISABLE_ANS]
--dns.propagation.disable-rns By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PROPAGATION_DISABLE_RNS]
--dns.propagation.wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PROPAGATION_WAIT]
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. [$LEGO_DNS_RESOLVERS]
--dns.timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) [$LEGO_DNS_TIMEOUT]
Flags related to the HTTP-01 challenge:
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s)
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_HTTP]
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_HTTP_DELAY]
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. [$LEGO_HTTP_MEMCACHED_HOST]
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") [$LEGO_HTTP_PORT]
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") [$LEGO_HTTP_PROXY_HEADER]
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. [$LEGO_HTTP_S3_BUCKET]
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge [$LEGO_HTTP_WEBROOT]
Flags related to the TLS-ALPN-01 challenge:
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_TLS]
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_TLS_DELAY]
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") [$LEGO_TLS_PORT]
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. [$LEGO_PEM]
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASS]
"""
[[command]]
@ -217,37 +216,37 @@ USAGE:
lego revoke
OPTIONS:
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS]
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--keep, -k Keep the certificates after the revocation instead of archiving them.
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0)
--keep, -k Keep the certificates after the revocation instead of archiving them. [$LEGO_KEEP]
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE]
--reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) [$LEGO_REASON]
--server string, -s string CA (ACME server). It can be either a URL or a shortcode.
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER]
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB]
--eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC]
--eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--disable-cn Disable the use of the common name in the CSR.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT]
--enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN]
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT]
--overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT]
--tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY]
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT]
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--path string Directory to use for storing the data. [$LEGO_PATH]
"""
[[command]]

2
e2e/dnschallenge/dns_challenges_test.go
View file

@ -63,7 +63,7 @@ func TestChallengeDNS_Run(t *testing.T) {
"--accept-tos",
"--dns", "exec",
"--dns.resolvers", ":8053",
"--dns.disable-cp",
"--dns.propagation.wait", "0",
"-s", "https://localhost:15000/dir",
"-d", testDomain2,
"-d", testDomain1,