deblan-mirror/lego
1
0
Fork 0
mirror of https://github.com/go-acme/lego synced 2026-03-14 14:35:48 +01:00
Code Issues Projects Releases Packages Wiki Activity

refactor: clean flag names (#2834)

Browse source
This commit is contained in:
Ludovic Fernandez 2026-01-30 19:27:06 +01:00 committed by GitHub
commit c74bcf02c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 417 additions and 286 deletions
Download patch file Download diff file Expand all files Collapse all files

407
cmd/flags.go
View file

@ -14,6 +14,18 @@ import (
"software.sslmate.com/src/go-pkcs12"
)
const (
categoryHTTP01Challenge = "Flags related to the HTTP-01 challenge:"
categoryTLSALPN01Challenge = "Flags related to the TLS-ALPN-01 challenge:"
categoryDNS01Challenge = "Flags related to the DNS-01 challenge:"
categoryStorage = "Flags related to the storage:"
categoryHooks = "Flags related to hooks:"
categoryEAB = "Flags related to External Account Binding:"
categoryACMEClient = "Flags related to the ACME client:"
categoryAdvanced = "Flags related to advanced options:"
categoryARI = "Flags related to ACME Renewal Information (ARI) Extension:"
)
// Flag names related to the account and domains.
const (
flgDomains = "domains"
@ -37,7 +49,7 @@ const (
flgAlwaysDeactivateAuthorizations = "always-deactivate-authorizations"
)
// Flag names related to the output.
// Flag names related to the storage.
const (
flgPath = "path"
flgPEM = "pem"
@ -53,11 +65,15 @@ const (
flgKeyType = "key-type"
flgHTTPTimeout = "http-timeout"
flgTLSSkipVerify = "tls-skip-verify"
flgCertTimeout = "cert.timeout"
flgOverallRequestLimit = "overall-request-limit"
flgUserAgent = "user-agent"
)
// Flag names related to certificates.
const (
flgCertTimeout = "cert.timeout"
)
// Flag names related to the network stack.
const (
flgIPv4Only = "ipv4only"
@ -141,7 +157,7 @@ const (
envServer = "LEGO_SERVER"
)
func CreateACMEClientFlags() []cli.Flag {
func createACMEClientFlags() []cli.Flag {
return []cli.Flag{
&cli.StringFlag{
Name: flgServer,
@ -152,8 +168,9 @@ func CreateACMEClientFlags() []cli.Flag {
Required: true,
},
&cli.BoolFlag{
Name: flgDisableCommonName,
Usage: "Disable the use of the common name in the CSR.",
Category: categoryAdvanced,
Name: flgDisableCommonName,
Usage: "Disable the use of the common name in the CSR.",
},
&cli.StringFlag{
Name: flgKeyType,
@ -162,183 +179,206 @@ func CreateACMEClientFlags() []cli.Flag {
Usage: "Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384.",
},
&cli.IntFlag{
Name: flgHTTPTimeout,
Usage: "Set the HTTP timeout value to a specific value in seconds.",
Category: categoryACMEClient,
Name: flgHTTPTimeout,
Usage: "Set the HTTP timeout value to a specific value in seconds.",
},
&cli.BoolFlag{
Name: flgTLSSkipVerify,
Usage: "Skip the TLS verification of the ACME server.",
Category: categoryACMEClient,
Name: flgTLSSkipVerify,
Usage: "Skip the TLS verification of the ACME server.",
},
&cli.IntFlag{
Name: flgCertTimeout,
Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.",
Value: 30,
Category: categoryAdvanced,
Name: flgCertTimeout,
Usage: "Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates.",
Value: 30,
},
&cli.IntFlag{
Name: flgOverallRequestLimit,
Usage: "ACME overall requests limit.",
Value: certificate.DefaultOverallRequestLimit,
Category: categoryACMEClient,
Name: flgOverallRequestLimit,
Usage: "ACME overall requests limit.",
Value: certificate.DefaultOverallRequestLimit,
},
&cli.StringFlag{
Name: flgUserAgent,
Usage: "Add to the user-agent sent to the CA to identify an application embedding lego-cli",
Category: categoryACMEClient,
Name: flgUserAgent,
Usage: "Add to the user-agent sent to the CA to identify an application embedding lego-cli",
},
}
}
func CreateChallengesFlags() []cli.Flag {
func createChallengesFlags() []cli.Flag {
var flags []cli.Flag
flags = append(flags, CreateHTTPChallengeFlags()...)
flags = append(flags, CreateTLSChallengeFlags()...)
flags = append(flags, CreateDNSChallengeFlags()...)
flags = append(flags, CreateNetworkStackFlags()...)
flags = append(flags, createHTTPChallengeFlags()...)
flags = append(flags, createTLSChallengeFlags()...)
flags = append(flags, createDNSChallengeFlags()...)
flags = append(flags, createNetworkStackFlags()...)
return flags
}
func CreateNetworkStackFlags() []cli.Flag {
func createNetworkStackFlags() []cli.Flag {
return []cli.Flag{
&cli.BoolFlag{
Name: flgIPv4Only,
Aliases: []string{"4"},
Usage: "Use IPv4 only.",
Category: categoryAdvanced,
Name: flgIPv4Only,
Aliases: []string{"4"},
Usage: "Use IPv4 only.",
},
&cli.BoolFlag{
Name: flgIPv6Only,
Aliases: []string{"6"},
Usage: "Use IPv6 only.",
Category: categoryAdvanced,
Name: flgIPv6Only,
Aliases: []string{"6"},
Usage: "Use IPv6 only.",
},
}
}
func CreateHTTPChallengeFlags() []cli.Flag {
func createHTTPChallengeFlags() []cli.Flag {
return []cli.Flag{
&cli.BoolFlag{
Name: flgHTTP,
Usage: "Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.",
Category: categoryHTTP01Challenge,
Name: flgHTTP,
Usage: "Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.",
},
&cli.StringFlag{
Name: flgHTTPPort,
Usage: "Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":80",
Category: categoryHTTP01Challenge,
Name: flgHTTPPort,
Usage: "Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":80",
},
&cli.DurationFlag{
Name: flgHTTPDelay,
Usage: "Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge.",
Value: 0,
Category: categoryHTTP01Challenge,
Name: flgHTTPDelay,
Usage: "Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge.",
Value: 0,
},
&cli.StringFlag{
Name: flgHTTPProxyHeader,
Usage: "Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.",
Value: "Host",
Category: categoryHTTP01Challenge,
Name: flgHTTPProxyHeader,
Usage: "Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy.",
Value: "Host",
},
&cli.StringFlag{
Name: flgHTTPWebroot,
Category: categoryHTTP01Challenge,
Name: flgHTTPWebroot,
Usage: "Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file." +
" This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge",
},
&cli.StringSliceFlag{
Name: flgHTTPMemcachedHost,
Usage: "Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.",
Category: categoryHTTP01Challenge,
Name: flgHTTPMemcachedHost,
Usage: "Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.",
},
&cli.StringFlag{
Name: flgHTTPS3Bucket,
Usage: "Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.",
Category: categoryHTTP01Challenge,
Name: flgHTTPS3Bucket,
Usage: "Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.",
},
}
}
func CreateTLSChallengeFlags() []cli.Flag {
func createTLSChallengeFlags() []cli.Flag {
return []cli.Flag{
&cli.BoolFlag{
Name: flgTLS,
Usage: "Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.",
Category: categoryTLSALPN01Challenge,
Name: flgTLS,
Usage: "Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.",
},
&cli.StringFlag{
Name: flgTLSPort,
Usage: "Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":443",
Category: categoryTLSALPN01Challenge,
Name: flgTLSPort,
Usage: "Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port.",
Value: ":443",
},
&cli.DurationFlag{
Name: flgTLSDelay,
Usage: "Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge.",
Value: 0,
Category: categoryTLSALPN01Challenge,
Name: flgTLSDelay,
Usage: "Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge.",
Value: 0,
},
}
}
func CreateDNSChallengeFlags() []cli.Flag {
func createDNSChallengeFlags() []cli.Flag {
return []cli.Flag{
&cli.StringFlag{
Name: flgDNS,
Usage: "Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.",
Category: categoryDNS01Challenge,
Name: flgDNS,
Usage: "Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.",
},
&cli.BoolFlag{
Name: flgDNSDisableCP,
Usage: fmt.Sprintf("(deprecated) use %s instead.", flgDNSPropagationDisableANS),
Category: categoryDNS01Challenge,
Name: flgDNSDisableCP,
Usage: fmt.Sprintf("(deprecated) use %s instead.", flgDNSPropagationDisableANS),
},
&cli.BoolFlag{
Name: flgDNSPropagationDisableANS,
Usage: "By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.",
Category: categoryDNS01Challenge,
Name: flgDNSPropagationDisableANS,
Usage: "By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.",
},
&cli.BoolFlag{
Name: flgDNSPropagationRNS,
Usage: "By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.",
Category: categoryDNS01Challenge,
Name: flgDNSPropagationRNS,
Usage: "By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.",
},
&cli.DurationFlag{
Name: flgDNSPropagationWait,
Usage: "By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead.",
Category: categoryDNS01Challenge,
Name: flgDNSPropagationWait,
Usage: "By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead.",
},
&cli.StringSliceFlag{
Name: flgDNSResolvers,
Category: categoryDNS01Challenge,
Name: flgDNSResolvers,
Usage: "Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination." +
" For DNS-01 challenge verification, the authoritative DNS server is queried directly." +
" Supported: host:port." +
" The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.",
},
&cli.IntFlag{
Name: flgDNSTimeout,
Usage: "Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.",
Value: 10,
Category: categoryDNS01Challenge,
Name: flgDNSTimeout,
Usage: "Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.",
Value: 10,
},
}
}
func CreateOutputFlags() []cli.Flag {
func createStorageFlags() []cli.Flag {
return []cli.Flag{
CreatePathFlag(true),
createPathFlag(true),
&cli.BoolFlag{
Name: flgPEM,
Usage: "Generate an additional .pem (base64) file by concatenating the .key and .crt files together.",
Category: categoryStorage,
Name: flgPEM,
Usage: "Generate an additional .pem (base64) file by concatenating the .key and .crt files together.",
},
&cli.BoolFlag{
Name: flgPFX,
Usage: "Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.",
Sources: cli.EnvVars(envPFX),
Category: categoryStorage,
Name: flgPFX,
Usage: "Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together.",
Sources: cli.EnvVars(envPFX),
},
&cli.StringFlag{
Name: flgPFXPass,
Usage: "The password used to encrypt the .pfx (PCKS#12) file.",
Value: pkcs12.DefaultPassword,
Sources: cli.EnvVars(envPFXPassword),
Category: categoryStorage,
Name: flgPFXPass,
Usage: "The password used to encrypt the .pfx (PCKS#12) file.",
Value: pkcs12.DefaultPassword,
Sources: cli.EnvVars(envPFXPassword),
},
&cli.StringFlag{
Name: flgPFXFormat,
Usage: "The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256.",
Value: "RC2",
Sources: cli.EnvVars(envPFXFormat),
Category: categoryStorage,
Name: flgPFXFormat,
Usage: "The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256.",
Value: "RC2",
Sources: cli.EnvVars(envPFXFormat),
},
}
}
func CreateAccountFlags() []cli.Flag {
func createAccountFlags() []cli.Flag {
return []cli.Flag{
&cli.BoolFlag{
Name: flgAcceptTOS,
Aliases: []string{"a"},
Usage: "By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.",
},
&cli.StringFlag{
Name: flgEmail,
Aliases: []string{"m"},
@ -352,105 +392,114 @@ func CreateAccountFlags() []cli.Flag {
Usage: "Account identifier (The email is used if there is account ID is undefined).",
},
&cli.BoolFlag{
Name: flgEAB,
Sources: cli.EnvVars(envEAB),
Usage: "Use External Account Binding for account registration. Requires --kid and --hmac.",
Category: categoryEAB,
Name: flgEAB,
Sources: cli.EnvVars(envEAB),
Usage: "Use External Account Binding for account registration. Requires --kid and --hmac.",
},
&cli.StringFlag{
Name: flgKID,
Sources: cli.EnvVars(envEABKID),
Usage: "Key identifier from External CA. Used for External Account Binding.",
Category: categoryEAB,
Name: flgKID,
Sources: cli.EnvVars(envEABKID),
Usage: "Key identifier from External CA. Used for External Account Binding.",
},
&cli.StringFlag{
Name: flgHMAC,
Sources: cli.EnvVars(envEABHMAC),
Usage: "MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.",
Category: categoryEAB,
Name: flgHMAC,
Sources: cli.EnvVars(envEABHMAC),
Usage: "MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.",
},
}
}
func CreateObtainFlags() []cli.Flag {
func createObtainFlags() []cli.Flag {
return []cli.Flag{
&cli.StringFlag{
Name: flgCSR,
Aliases: []string{"c"},
Usage: "Certificate signing request filename, if an external CSR is to be used.",
Category: categoryAdvanced,
Name: flgCSR,
Aliases: []string{"c"},
Usage: "Certificate signing request filename, if an external CSR is to be used.",
},
&cli.BoolFlag{
Name: flgNoBundle,
Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
Category: categoryAdvanced,
Name: flgNoBundle,
Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
},
&cli.BoolFlag{
Name: flgMustStaple,
Category: categoryAdvanced,
Name: flgMustStaple,
Usage: "Include the OCSP must staple TLS extension in the CSR and generated certificate." +
" Only works if the CSR is generated by lego.",
},
&cli.TimestampFlag{
Name: flgNotBefore,
Usage: "Set the notBefore field in the certificate (RFC3339 format)",
Category: categoryAdvanced,
Name: flgNotBefore,
Usage: "Set the notBefore field in the certificate (RFC3339 format)",
Config: cli.TimestampConfig{
Layouts: []string{time.RFC3339},
},
},
&cli.TimestampFlag{
Name: flgNotAfter,
Usage: "Set the notAfter field in the certificate (RFC3339 format)",
Category: categoryAdvanced,
Name: flgNotAfter,
Usage: "Set the notAfter field in the certificate (RFC3339 format)",
Config: cli.TimestampConfig{
Layouts: []string{time.RFC3339},
},
},
&cli.StringFlag{
Name: flgPreferredChain,
Category: categoryAdvanced,
Name: flgPreferredChain,
Usage: "If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name." +
" If no match, the default offered chain will be used.",
},
&cli.StringFlag{
Name: flgProfile,
Usage: "If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.",
Category: categoryAdvanced,
Name: flgProfile,
Usage: "If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.",
},
&cli.StringFlag{
Name: flgAlwaysDeactivateAuthorizations,
Usage: "Force the authorizations to be relinquished even if the certificate request was successful.",
Category: categoryAdvanced,
Name: flgAlwaysDeactivateAuthorizations,
Usage: "Force the authorizations to be relinquished even if the certificate request was successful.",
},
}
}
func CreateHookFlags() []cli.Flag {
func createHookFlags() []cli.Flag {
return []cli.Flag{
&cli.StringFlag{
Name: flgDeployHook,
Usage: "Define a hook. The hook is executed only when the certificates are effectively created/renewed.",
Category: categoryHooks,
Name: flgDeployHook,
Usage: "Define a hook. The hook is executed only when the certificates are effectively created/renewed.",
},
&cli.DurationFlag{
Name: flgDeployHookTimeout,
Usage: "Define the timeout for the hook execution.",
Value: 2 * time.Minute,
Category: categoryHooks,
Name: flgDeployHookTimeout,
Usage: "Define the timeout for the hook execution.",
Value: 2 * time.Minute,
},
}
}
func CreateBaseFlags() []cli.Flag {
var flags []cli.Flag
flags = append(flags, CreateDomainFlag())
flags = append(flags, CreateAccountFlags()...)
flags = append(flags, CreateACMEClientFlags()...)
flags = append(flags, CreateOutputFlags()...)
return flags
}
func createRunFlags() []cli.Flag {
flags := CreateBaseFlags()
flags := []cli.Flag{
createDomainFlag(),
}
flags = append(flags, CreateChallengesFlags()...)
flags = append(flags, CreateObtainFlags()...)
flags = append(flags, CreateHookFlags()...)
flags = append(flags, createAccountFlags()...)
flags = append(flags, createACMEClientFlags()...)
flags = append(flags, createStorageFlags()...)
flags = append(flags, createAcceptFlag())
flags = append(flags, createChallengesFlags()...)
flags = append(flags, createObtainFlags()...)
flags = append(flags, createHookFlags()...)
flags = append(flags,
&cli.StringFlag{
Name: flgPrivateKey,
Usage: "Path to private key (in PEM encoding) for the certificate. By default, the private key is generated.",
Category: categoryAdvanced,
Name: flgPrivateKey,
Usage: "Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated.",
},
)
@ -458,11 +507,16 @@ func createRunFlags() []cli.Flag {
}
func createRenewFlags() []cli.Flag {
flags := CreateBaseFlags()
flags := []cli.Flag{
createDomainFlag(),
}
flags = append(flags, CreateChallengesFlags()...)
flags = append(flags, CreateObtainFlags()...)
flags = append(flags, CreateHookFlags()...)
flags = append(flags, createAccountFlags()...)
flags = append(flags, createACMEClientFlags()...)
flags = append(flags, createStorageFlags()...)
flags = append(flags, createChallengesFlags()...)
flags = append(flags, createObtainFlags()...)
flags = append(flags, createHookFlags()...)
flags = append(flags,
&cli.IntFlag{
@ -477,25 +531,30 @@ func createRenewFlags() []cli.Flag {
Usage: "Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5.",
},
&cli.BoolFlag{
Name: flgARIDisable,
Usage: "Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.",
Category: categoryARI,
Name: flgARIDisable,
Usage: "Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.",
},
&cli.DurationFlag{
Name: flgARIWaitToRenewDuration,
Usage: "The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.",
Category: categoryARI,
Name: flgARIWaitToRenewDuration,
Usage: "The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint.",
},
&cli.BoolFlag{
Name: flgReuseKey,
Usage: "Used to indicate you want to reuse your current private key for the new certificate.",
Category: categoryAdvanced,
Name: flgReuseKey,
Usage: "Used to indicate you want to reuse your current private key for the new certificate.",
},
&cli.BoolFlag{
Name: flgNoRandomSleep,
Category: categoryAdvanced,
Name: flgNoRandomSleep,
Usage: "Do not add a random sleep before the renewal." +
" We do not recommend using this flag if you are doing your renewals in an automated way.",
},
&cli.BoolFlag{
Name: flgForceCertDomains,
Usage: "Check and ensure that the cert's domain list matches those passed in the domains argument.",
Category: categoryAdvanced,
Name: flgForceCertDomains,
Usage: "Check and ensure that the cert's domain list matches those passed in the domains argument.",
},
)
@ -504,7 +563,7 @@ func createRenewFlags() []cli.Flag {
func createRevokeFlags() []cli.Flag {
flags := []cli.Flag{
CreatePathFlag(false),
createPathFlag(false),
&cli.BoolFlag{
Name: flgKeep,
Aliases: []string{"k"},
@ -522,9 +581,9 @@ func createRevokeFlags() []cli.Flag {
},
}
flags = append(flags, CreateDomainFlag())
flags = append(flags, CreateAccountFlags()...)
flags = append(flags, CreateACMEClientFlags()...)
flags = append(flags, createDomainFlag())
flags = append(flags, createAccountFlags()...)
flags = append(flags, createACMEClientFlags()...)
return flags
}
@ -541,34 +600,44 @@ func createListFlags() []cli.Flag {
Aliases: []string{"n"},
Usage: "Display certificate names only.",
},
CreatePathFlag(false),
createPathFlag(false),
}
}
func createRegisterFlags() []cli.Flag {
flags := []cli.Flag{
CreatePathFlag(true),
createPathFlag(true),
createAcceptFlag(),
}
flags = append(flags, CreateACMEClientFlags()...)
flags = append(flags, CreateAccountFlags()...)
flags = append(flags, createACMEClientFlags()...)
flags = append(flags, createAccountFlags()...)
return flags
}
func CreateDomainFlag() cli.Flag {
return &cli.StringSliceFlag{
Name: flgDomains,
Aliases: []string{"d"},
Usage: "Add a domain to the process. Can be specified multiple times or use comma as a separator.",
func createAcceptFlag() cli.Flag {
return &cli.BoolFlag{
Name: flgAcceptTOS,
Aliases: []string{"a"},
Usage: "By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.",
}
}
func CreatePathFlag(forceCreation bool) cli.Flag {
func createDomainFlag() cli.Flag {
return &cli.StringSliceFlag{
Name: flgDomains,
Aliases: []string{"d"},
Usage: "Add a domain. For multiple domains either repeat the option or provide a comma-separated list.",
}
}
func createPathFlag(forceCreation bool) cli.Flag {
return &cli.StringFlag{
Name: flgPath,
Sources: cli.NewValueSourceChain(cli.EnvVar(envPath), &defaultPathValueSource{}),
Usage: "Directory to use for storing the data.",
Category: categoryStorage,
Name: flgPath,
Sources: cli.NewValueSourceChain(cli.EnvVar(envPath), &defaultPathValueSource{}),
Usage: "Directory to use for storing the data.",
Validator: func(s string) error {
if !forceCreation {
return nil

302
docs/data/zz_cli_help.toml generated
View file

@ -33,57 +33,81 @@ USAGE:
lego run
OPTIONS:
--domains string, -d string [ --domains string, -d string ] Add a domain to the process. Can be specified multiple times or use comma as a separator.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
--disable-cn Disable the use of the common name in the CSR.
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--tls-skip-verify Skip the TLS verification of the ACME server.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--overall-request-limit int ACME overall requests limit. (default: 18)
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--disable-cn Disable the use of the common name in the CSR.
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--private-key string Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
Flags related to hooks:
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flags related to the DNS-01 challenge:
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
Flags related to the HTTP-01 challenge:
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s)
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
--private-key string Path to private key (in PEM encoding) for the certificate. By default, the private key is generated.
--help, -h show help
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
Flags related to the TLS-ALPN-01 challenge:
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
"""
[[command]]
@ -96,63 +120,89 @@ USAGE:
lego renew
OPTIONS:
--domains string, -d string [ --domains string, -d string ] Add a domain to the process. Can be specified multiple times or use comma as a separator.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
--disable-cn Disable the use of the common name in the CSR.
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--tls-skip-verify Skip the TLS verification of the ACME server.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--overall-request-limit int ACME overall requests limit. (default: 18)
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--days int The number of days left on a certificate to renew it. (default: 30)
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
Flags related to ACME Renewal Information (ARI) Extension:
--ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.
--ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--disable-cn Disable the use of the common name in the CSR.
--force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument.
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way.
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
--reuse-key Used to indicate you want to reuse your current private key for the new certificate.
Flags related to hooks:
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flags related to the DNS-01 challenge:
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
Flags related to the HTTP-01 challenge:
--http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s)
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
--http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts.
--http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80")
--http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host")
--http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns.disable-cp (deprecated) use dns.propagation-disable-ans instead.
--dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers.
--dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record.
--dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s)
--dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10)
--ipv4only, -4 Use IPv4 only.
--ipv6only, -6 Use IPv6 only.
--csr string, -c string Certificate signing request filename, if an external CSR is to be used.
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
--must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.
--not-before time Set the notBefore field in the certificate (RFC3339 format)
--not-after time Set the notAfter field in the certificate (RFC3339 format)
--preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one.
--always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful.
--deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed.
--deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s)
--days int The number of days left on a certificate to renew it. (default: 30)
--dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5.
--ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed.
--ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
--reuse-key Used to indicate you want to reuse your current private key for the new certificate.
--no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way.
--force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument.
--help, -h show help
--http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
Flags related to the TLS-ALPN-01 challenge:
--tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges.
--tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s)
--tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443")
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
--pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together.
--pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX]
--pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT]
--pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD]
"""
[[command]]
@ -165,25 +215,36 @@ USAGE:
lego revoke
OPTIONS:
--path string Directory to use for storing the data. [$LEGO_PATH]
--keep, -k Keep the certificates after the revocation instead of archiving them.
--reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0)
--domains string, -d string [ --domains string, -d string ] Add a domain to the process. Can be specified multiple times or use comma as a separator.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID]
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
--disable-cn Disable the use of the common name in the CSR.
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--tls-skip-verify Skip the TLS verification of the ACME server.
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--overall-request-limit int ACME overall requests limit. (default: 18)
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
--domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list.
--email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL]
--help, -h show help
--keep, -k Keep the certificates after the revocation instead of archiving them.
--key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0)
--server string, -s string CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. [$LEGO_SERVER]
Flags related to External Account Binding:
--eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB]
--hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC]
--kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID]
Flags related to advanced options:
--cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--disable-cn Disable the use of the common name in the CSR.
Flags related to the ACME client:
--http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0)
--overall-request-limit int ACME overall requests limit. (default: 18)
--tls-skip-verify Skip the TLS verification of the ACME server.
--user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
"""
[[command]]
@ -197,9 +258,12 @@ USAGE:
OPTIONS:
--accounts, -a Display accounts.
--names, -n Display certificate names only.
--path string Directory to use for storing the data. [$LEGO_PATH]
--help, -h show help
--names, -n Display certificate names only.
Flags related to the storage:
--path string Directory to use for storing the data. [$LEGO_PATH]
"""
[[command]]

2
e2e/challenges_test.go
View file

@ -171,7 +171,6 @@ func TestChallengeTLS_Run_Revoke(t *testing.T) {
err = load.RunLego(t.Context(),
"revoke",
"-m", testEmail1,
"--accept-tos",
"-s", "https://localhost:14000/dir",
"-d", testDomain2,
)
@ -199,7 +198,6 @@ func TestChallengeTLS_Run_Revoke_Non_ASCII(t *testing.T) {
err = load.RunLego(t.Context(),
"revoke",
"-m", testEmail1,
"--accept-tos",
"-s", "https://localhost:14000/dir",
"-d", testDomain4,
)