diff --git a/cmd/cmd_list.go b/cmd/cmd_list.go
index 3d1de2588..5b1c015e0 100644
--- a/cmd/cmd_list.go
+++ b/cmd/cmd_list.go
@@ -119,7 +119,7 @@ func listAccount(_ context.Context, cmd *cli.Command) error {
 }
 if len(matches) == 0 {
- fmt.Println("No accounts found.")
+ fmt.Println("No accounts were found.")
 return nil
 }
diff --git a/cmd/flags.go b/cmd/flags.go
index 77ca4faef..de8e7f6a7 100644
--- a/cmd/flags.go
+++ b/cmd/flags.go
@@ -2,6 +2,8 @@ package cmd
 import (
 "fmt"
+ "os"
+ "path/filepath"
 "github.com/go-acme/lego/v5/certificate"
 "github.com/go-acme/lego/v5/lego"
@@ -64,6 +66,13 @@ const (
 )
 func CreateFlags(defaultPath string) []cli.Flag {
+ if defaultPath == "" {
+ cwd, err := os.Getwd()
+ if err == nil {
+ defaultPath = filepath.Join(cwd, ".lego")
+ }
+ }
+
 return []cli.Flag{
 &cli.StringSliceFlag{
 Name: flgDomains,
diff --git a/cmd/lego/main.go b/cmd/lego/main.go
index b5e719706..4ebcc2df4 100644
--- a/cmd/lego/main.go
+++ b/cmd/lego/main.go
@@ -6,7 +6,6 @@ import (
 "context"
 "fmt"
 "os"
- "path/filepath"
 "runtime"
 "github.com/go-acme/lego/v5/cmd"
@@ -15,19 +14,12 @@ import (
 )
 func main() {
- var defaultPath string
-
- cwd, err := os.Getwd()
- if err == nil {
- defaultPath = filepath.Join(cwd, ".lego")
- }
-
 app := &cli.Command{
 Name: "lego",
 Usage: "Let's Encrypt client written in Go",
 Version: getVersion(),
 EnableShellCompletion: true,
- Flags: cmd.CreateFlags(defaultPath),
+ Flags: cmd.CreateFlags(""),
 Before: cmd.Before,
 Commands: cmd.CreateCommands(),
 }
@@ -38,9 +30,7 @@ func main() {
 app.Commands = cmd.CreateCommands()
- ctx := context.Background()
-
- err = app.Run(ctx, os.Args)
+ err := app.Run(context.Background(), os.Args)
 if err != nil {
 log.Fatal("Error", "error", err)
 }
diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml
index 3d3043690..ac124e891 100644
--- a/docs/data/zz_cli_help.toml
+++ b/docs/data/zz_cli_help.toml
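Review bot: The `os.Getwd()` error in the new prologue of `CreateFlags` (cmd/flags.go) is dropped silently, so when the working directory cannot be resolved `defaultPath` stays empty and nothing tells the operator where lego's data directory (presumably holding account and certificate keys — confirm) will end up. The empty string also becomes an undocumented sentinel on an exported function, and the only visible caller, `cmd.CreateFlags("")` in cmd/lego/main.go, now depends on it. I would add a doc comment such as `// CreateFlags returns the global flags; an empty defaultPath is replaced by <cwd>/.lego, and is left empty if the working directory cannot be determined.` and either log the `Getwd` failure or fall back to the relative `".lego"` that the generated help already advertises as `./.lego`. The rest of `CreateFlags` lies outside the hunk, so how the `--path` flag consumes an empty default is not visible here.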
@@ -8,7 +8,7 @@ NAME: lego - Let's Encrypt client written in Go USAGE: - lego [global options] command [command options] + lego [global options] [command [command options]] COMMANDS: run Register an account, then create and install a certificate 
@@ -19,45 +19,45 @@ COMMANDS: help, h Shows a list of commands or help for one command GLOBAL OPTIONS: - --domains value, -d value [ --domains value, -d value ] Add a domain to the process. Can be specified multiple times. - --server value, -s value CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER] - --accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service. (default: false) - --email value, -m value Email used for registration and recovery contact. [$LEGO_EMAIL] - --disable-cn Disable the use of the common name in the CSR. (default: false) - --csr value, -c value Certificate signing request filename, if an external CSR is to be used. - --eab Use External Account Binding for account registration. Requires --kid and --hmac. (default: false) [$LEGO_EAB] - --kid value Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID] - --hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC] - --key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") - --filename value (deprecated) Filename of the generated certificate. - --path value Directory to use for storing the data. (default: "./.lego") [$LEGO_PATH] - --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. (default: false) - --http.port value Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") - --http.delay value Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. 
(default: 0s) - --http.proxy-header value Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") - --http.webroot value Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge - --http.memcached-host value [ --http.memcached-host value ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. - --http.s3-bucket value Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. - --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. (default: false) - --tls.port value Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") - --tls.delay value Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) - --dns value Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. - --dns.disable-cp (deprecated) use dns.propagation-disable-ans instead. (default: false) - --dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. (default: false) - --dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record. (default: false) - --dns.propagation-wait value By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. 
(default: 0s) - --dns.resolvers value [ --dns.resolvers value ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. - --http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0) - --tls-skip-verify Skip the TLS verification of the ACME server. (default: false) - --dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) - --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. (default: false) - --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. (default: false) [$LEGO_PFX] - --pfx.pass value The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD] - --pfx.format value The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] - --cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) - --overall-request-limit value ACME overall requests limit. (default: 18) - --user-agent value Add to the user-agent sent to the CA to identify an application embedding lego-cli - --help, -h show help + --domains string, -d string [ --domains string, -d string ] Add a domain to the process. Can be specified multiple times. + --server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. 
(default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER] + --accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service. + --email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL] + --disable-cn Disable the use of the common name in the CSR. + --csr string, -c string Certificate signing request filename, if an external CSR is to be used. + --eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB] + --kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID] + --hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC] + --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") + --filename string (deprecated) Filename of the generated certificate. + --path string Directory to use for storing the data. (default: "./.lego") [$LEGO_PATH] + --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. + --http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") + --http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) + --http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") + --http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. 
This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge + --http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. + --http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. + --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. + --tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") + --tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) + --dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. + --dns.disable-cp (deprecated) use dns.propagation-disable-ans instead. + --dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. + --dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record. + --dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) + --dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. + --http-timeout int Set the HTTP timeout value to a specific value in seconds. 
(default: 0) + --tls-skip-verify Skip the TLS verification of the ACME server. + --dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) + --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. + --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX] + --pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD] + --pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] + --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) + --overall-request-limit int ACME overall requests limit. (default: 18) + --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli + --help, -h show help """ [[command]] 
@@ -67,20 +67,20 @@ NAME: lego run - Register an account, then create and install a certificate USAGE: - lego run [command options] + lego run OPTIONS: - --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false) - --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. (default: false) - --not-before value Set the notBefore field in the certificate (RFC3339 format) - --not-after value Set the notAfter field in the certificate (RFC3339 format) - --private-key value Path to private key (in PEM encoding) for the certificate. By default, the private key is generated. - --preferred-chain value If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. - --profile value If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. - --always-deactivate-authorizations value Force the authorizations to be relinquished even if the certificate request was successful. - --run-hook value Define a hook. The hook is executed when the certificates are effectively created. - --run-hook-timeout value Define the timeout for the hook execution. (default: 2m0s) - --help, -h show help + --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. + --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. + --not-before time Set the notBefore field in the certificate (RFC3339 format) + --not-after time Set the notAfter field in the certificate (RFC3339 format) + --private-key string Path to private key (in PEM encoding) for the certificate. By default, the private key is generated. 
+ --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. + --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. + --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. + --run-hook string Define a hook. The hook is executed when the certificates are effectively created. + --run-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) + --help, -h show help """ [[command]] 
@@ -90,26 +90,26 @@ NAME: lego renew - Renew a certificate USAGE: - lego renew [command options] + lego renew OPTIONS: - --days value The number of days left on a certificate to renew it. (default: 30) - --dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. (default: false) - --ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. (default: false) - --ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) - --reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false) - --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false) - --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. (default: false) - --not-before value Set the notBefore field in the certificate (RFC3339 format) - --not-after value Set the notAfter field in the certificate (RFC3339 format) - --preferred-chain value If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. - --profile value If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. - --always-deactivate-authorizations value Force the authorizations to be relinquished even if the certificate request was successful. - --renew-hook value Define a hook. The hook is executed only when the certificates are effectively renewed. - --renew-hook-timeout value Define the timeout for the hook execution. 
(default: 2m0s) - --no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. (default: false) - --force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. (default: false) - --help, -h show help + --days int The number of days left on a certificate to renew it. (default: 30) + --dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. + --ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. + --ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) + --reuse-key Used to indicate you want to reuse your current private key for the new certificate. + --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. + --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. + --not-before time Set the notBefore field in the certificate (RFC3339 format) + --not-after time Set the notAfter field in the certificate (RFC3339 format) + --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. + --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. + --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. + --renew-hook string Define a hook. The hook is executed only when the certificates are effectively renewed. 
+ --renew-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) + --no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. + --force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. + --help, -h show help """ [[command]] @@ -119,12 +119,12 @@ NAME: lego revoke - Revoke a certificate USAGE: - lego revoke [command options] + lego revoke OPTIONS: - --keep, -k Keep the certificates after the revocation instead of archiving them. (default: false) - --reason value Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) - --help, -h show help + --keep, -k Keep the certificates after the revocation instead of archiving them. + --reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) + --help, -h show help """ [[command]] @@ -134,11 +134,11 @@ NAME: lego list - Display certificates and accounts information. USAGE: - lego list [command options] + lego list OPTIONS: - --accounts, -a Display accounts. (default: false) - --names, -n Display certificate common names only. (default: false) + --accounts, -a Display accounts. + --names, -n Display certificate common names only. --help, -h show help """