diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml index fe4dee42e..fff70d894 100644 --- a/docs/data/zz_cli_help.toml +++ b/docs/data/zz_cli_help.toml 
@@ -33,82 +33,81 @@ USAGE: lego run OPTIONS: - --accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service. - --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] - --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. + --accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service. [$LEGO_ACCEPT_TOS] + --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS] --email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL] --help, -h show help - --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") + --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE] --server string, -s string CA (ACME server). It can be either a URL or a shortcode. (available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER] Flags related to External Account Binding: - --eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB] - --hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC] - --kid string Key identifier from External CA. Used for External Account Binding. 
[$LEGO_EAB_KID] + --eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB] + --eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC] + --eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID] Flags related to advanced options: - --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. - --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) - --csr string, -c string Certificate signing request filename, if an external CSR is to be used. - --disable-cn Disable the use of the common name in the CSR. - --ipv4only, -4 Use IPv4 only. - --ipv6only, -6 Use IPv6 only. - --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. - --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. - --not-after time Set the notAfter field in the certificate (RFC3339 format) - --not-before time Set the notBefore field in the certificate (RFC3339 format) - --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. - --private-key string Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated. - --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. + --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. [$LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS] + --cert.timeout int Set the certificate timeout value to a specific value in seconds. 
Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT] + --csr string, -c string Certificate signing request filename, if an external CSR is to be used. [$LEGO_CSR] + --enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN] + --ipv4only, -4 Use IPv4 only. [$LEGO_IPV4ONLY] + --ipv6only, -6 Use IPv6 only. [$LEGO_IPV6ONLY] + --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. [$LEGO_MUST_STAPLE] + --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. [$LEGO_NO_BUNDLE] + --not-after time Set the notAfter field in the certificate (RFC3339 format) [$LEGO_NOT_AFTER] + --not-before time Set the notBefore field in the certificate (RFC3339 format) [$LEGO_NOT_BEFORE] + --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. [$LEGO_PREFERRED_CHAIN] + --private-key string Path to a private key (in PEM encoding) for the certificate. By default, a private key is generated. [$LEGO_PRIVATE_KEY] + --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. [$LEGO_PROFILE] Flags related to hooks: - --deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. - --deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) + --deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. [$LEGO_DEPLOY_HOOK] + --deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) [$LEGO_DEPLOY_HOOK_TIMEOUT] Flags related to the ACME client: - --http-timeout int Set the HTTP timeout value to a specific value in seconds. 
(default: 0) - --overall-request-limit int ACME overall requests limit. (default: 18) - --tls-skip-verify Skip the TLS verification of the ACME server. - --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli + --http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT] + --overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT] + --tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY] + --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT] Flags related to the DNS-01 challenge: - --dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. - --dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) - --dns.disable-cp (deprecated) use dns.propagation-disable-ans instead. - --dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. - --dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record. - --dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) - --dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. + --dns string Solve a DNS-01 challenge using the specified provider. 
Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. [$LEGO_DNS] + --dns.propagation.disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PROPAGATION_DISABLE_ANS] + --dns.propagation.disable-rns By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PROPAGATION_DISABLE_RNS] + --dns.propagation.wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PROPAGATION_WAIT] + --dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. [$LEGO_DNS_RESOLVERS] + --dns.timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) [$LEGO_DNS_TIMEOUT] Flags related to the HTTP-01 challenge: - --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. - --http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) - --http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. - --http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") - --http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. 
(default: "Host") - --http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. - --http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge + --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_HTTP] + --http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_HTTP_DELAY] + --http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. [$LEGO_HTTP_MEMCACHED_HOST] + --http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") [$LEGO_HTTP_PORT] + --http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") [$LEGO_HTTP_PROXY_HEADER] + --http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. [$LEGO_HTTP_S3_BUCKET] + --http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge [$LEGO_HTTP_WEBROOT] Flags related to the TLS-ALPN-01 challenge: - --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. - --tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. 
(default: 0s) - --tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") + --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_TLS] + --tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_TLS_DELAY] + --tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") [$LEGO_TLS_PORT] Flags related to the storage: - --path string Directory to use for storing the data. [$LEGO_PATH] - --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. - --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX] - --pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] - --pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD] + --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] + --path string Directory to use for storing the data. [$LEGO_PATH] + --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. [$LEGO_PEM] + --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX] + --pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] + --pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASS] """ [[command]] 
@@ -121,90 +120,90 @@ USAGE: lego renew OPTIONS: - --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] - --days int The number of days left on a certificate to renew it. (default: 30) - --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. - --dynamic Compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). This supersedes --days and will be the default behavior in Lego v5. + --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS] --email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL] --help, -h show help - --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") + --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE] + --renew-days int The number of days left on a certificate to renew it. + By default, compute dynamically, based on the lifetime of the certificate(s), when to renew: use 1/3rd of the lifetime left, or 1/2 of the lifetime for short-lived certificates). (default: 0) [$LEGO_RENEW_DAYS] + --renew-force Force the renewal of the certificate even if it is not due for renewal yet. [$LEGO_RENEW_FORCE] --server string, -s string CA (ACME server). It can be either a URL or a shortcode. 
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER] Flags related to ACME Renewal Information (ARI) Extension: - --ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. - --ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) + --ari-disable Do not use the renewalInfo endpoint (RFC9773) to check if a certificate should be renewed. [$LEGO_ARI_DISABLE] + --ari-wait-to-renew-duration duration The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) [$LEGO_ARI_WAIT_TO_RENEW_DURATION] Flags related to External Account Binding: - --eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB] - --hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC] - --kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID] + --eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB] + --eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC] + --eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID] Flags related to advanced options: - --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. - --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. 
(default: 30) - --csr string, -c string Certificate signing request filename, if an external CSR is to be used. - --disable-cn Disable the use of the common name in the CSR. - --force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. - --ipv4only, -4 Use IPv4 only. - --ipv6only, -6 Use IPv6 only. - --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. - --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. - --no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. - --not-after time Set the notAfter field in the certificate (RFC3339 format) - --not-before time Set the notBefore field in the certificate (RFC3339 format) - --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. - --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. - --reuse-key Used to indicate you want to reuse your current private key for the new certificate. + --always-deactivate-authorizations string Force the authorizations to be relinquished even if the certificate request was successful. [$LEGO_ALWAYS_DEACTIVATE_AUTHORIZATIONS] + --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT] + --csr string, -c string Certificate signing request filename, if an external CSR is to be used. [$LEGO_CSR] + --enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN] + --force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. 
[$LEGO_FORCE_CERT_DOMAINS] + --ipv4only, -4 Use IPv4 only. [$LEGO_IPV4ONLY] + --ipv6only, -6 Use IPv6 only. [$LEGO_IPV6ONLY] + --must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego. [$LEGO_MUST_STAPLE] + --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. [$LEGO_NO_BUNDLE] + --no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. [$LEGO_NO_RANDOM_SLEEP] + --not-after time Set the notAfter field in the certificate (RFC3339 format) [$LEGO_NOT_AFTER] + --not-before time Set the notBefore field in the certificate (RFC3339 format) [$LEGO_NOT_BEFORE] + --preferred-chain string If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. [$LEGO_PREFERRED_CHAIN] + --profile string If the CA offers multiple certificate profiles (draft-ietf-acme-profiles), choose this one. [$LEGO_PROFILE] + --reuse-key Used to indicate you want to reuse your current private key for the new certificate. [$LEGO_REUSE_KEY] Flags related to hooks: - --deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. - --deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) + --deploy-hook string Define a hook. The hook is executed only when the certificates are effectively created/renewed. [$LEGO_DEPLOY_HOOK] + --deploy-hook-timeout duration Define the timeout for the hook execution. (default: 2m0s) [$LEGO_DEPLOY_HOOK_TIMEOUT] Flags related to the ACME client: - --http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) - --overall-request-limit int ACME overall requests limit. 
(default: 18) - --tls-skip-verify Skip the TLS verification of the ACME server. - --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli + --http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) [$LEGO_HTTP_TIMEOUT] + --overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT] + --tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY] + --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT] Flags related to the DNS-01 challenge: - --dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. - --dns-timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) - --dns.disable-cp (deprecated) use dns.propagation-disable-ans instead. - --dns.propagation-disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. - --dns.propagation-rns By setting this flag to true, use all the recursive nameservers to check the propagation of the TXT record. - --dns.propagation-wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) - --dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. + --dns string Solve a DNS-01 challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage. 
[$LEGO_DNS] + --dns.propagation.disable-ans By setting this flag to true, disables the need to await propagation of the TXT record to all authoritative name servers. [$LEGO_DNS_PROPAGATION_DISABLE_ANS] + --dns.propagation.disable-rns By setting this flag to true, disables the need to await propagation of the TXT record to all recursive name servers (aka resolvers). [$LEGO_DNS_PROPAGATION_DISABLE_RNS] + --dns.propagation.wait duration By setting this flag, disables all the propagation checks of the TXT record and uses a wait duration instead. (default: 0s) [$LEGO_DNS_PROPAGATION_WAIT] + --dns.resolvers string [ --dns.resolvers string ] Set the resolvers to use for performing (recursive) CNAME resolving and apex domain determination. For DNS-01 challenge verification, the authoritative DNS server is queried directly. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined. [$LEGO_DNS_RESOLVERS] + --dns.timeout int Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries. (default: 10) [$LEGO_DNS_TIMEOUT] Flags related to the HTTP-01 challenge: - --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. - --http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) - --http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. - --http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") - --http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. 
(default: "Host") - --http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. - --http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge + --http Use the HTTP-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_HTTP] + --http.delay duration Delay between the starts of the HTTP server (use for HTTP-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_HTTP_DELAY] + --http.memcached-host string [ --http.memcached-host string ] Set the memcached host(s) to use for HTTP-01 based challenges. Challenges will be written to all specified hosts. [$LEGO_HTTP_MEMCACHED_HOST] + --http.port string Set the port and interface to use for HTTP-01 based challenges to listen on. Supported: interface:port or :port. (default: ":80") [$LEGO_HTTP_PORT] + --http.proxy-header string Validate against this HTTP header when solving HTTP-01 based challenges behind a reverse proxy. (default: "Host") [$LEGO_HTTP_PROXY_HEADER] + --http.s3-bucket string Set the S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket. [$LEGO_HTTP_S3_BUCKET] + --http.webroot string Set the webroot folder to use for HTTP-01 based challenges to write directly to the .well-known/acme-challenge file. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge [$LEGO_HTTP_WEBROOT] Flags related to the TLS-ALPN-01 challenge: - --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. - --tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. 
(default: 0s) - --tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") + --tls Use the TLS-ALPN-01 challenge to solve challenges. Can be mixed with other types of challenges. [$LEGO_TLS] + --tls.delay duration Delay between the start of the TLS listener (use for TLSALPN-01 based challenges) and the validation of the challenge. (default: 0s) [$LEGO_TLS_DELAY] + --tls.port string Set the port and interface to use for TLS-ALPN-01 based challenges to listen on. Supported: interface:port or :port. (default: ":443") [$LEGO_TLS_PORT] Flags related to the storage: - --path string Directory to use for storing the data. [$LEGO_PATH] - --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. - --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX] - --pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] - --pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASSWORD] + --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] + --path string Directory to use for storing the data. [$LEGO_PATH] + --pem Generate an additional .pem (base64) file by concatenating the .key and .crt files together. [$LEGO_PEM] + --pfx Generate an additional .pfx (PKCS#12) file by concatenating the .key and .crt and issuer .crt files together. [$LEGO_PFX] + --pfx.format string The encoding format to use when encrypting the .pfx (PCKS#12) file. Supported: RC2, DES, SHA256. (default: "RC2") [$LEGO_PFX_FORMAT] + --pfx.pass string The password used to encrypt the .pfx (PCKS#12) file. (default: "changeit") [$LEGO_PFX_PASS] """ [[command]] 
@@ -217,37 +216,37 @@ USAGE: lego revoke OPTIONS: - --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] - --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. + --domains string, -d string [ --domains string, -d string ] Add a domain. For multiple domains either repeat the option or provide a comma-separated list. [$LEGO_DOMAINS] --email string, -m string Email used for registration and recovery contact. [$LEGO_EMAIL] --help, -h show help - --keep, -k Keep the certificates after the revocation instead of archiving them. - --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") - --reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) + --keep, -k Keep the certificates after the revocation instead of archiving them. [$LEGO_KEEP] + --key-type string, -k string Key type to use for private keys. Supported: rsa2048, rsa3072, rsa4096, rsa8192, ec256, ec384. (default: "ec256") [$LEGO_KEY_TYPE] + --reason uint Identifies the reason for the certificate revocation. See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1. Valid values are: 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), or 10 (aACompromise). (default: 0) [$LEGO_REASON] --server string, -s string CA (ACME server). It can be either a URL or a shortcode. 
(available shortcodes: actalis, digicert, freessl, globalsign, googletrust, googletrust-staging, letsencrypt, letsencrypt-staging, litessl, peeringhub, sslcomecc, sslcomrsa, sectigo, sectigoev, sectigoov, zerossl) (default: "https://acme-v02.api.letsencrypt.org/directory") [$LEGO_SERVER] Flags related to External Account Binding: - --eab Use External Account Binding for account registration. Requires --kid and --hmac. [$LEGO_EAB] - --hmac string MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding. [$LEGO_EAB_HMAC] - --kid string Key identifier from External CA. Used for External Account Binding. [$LEGO_EAB_KID] + --eab Use External Account Binding for account registration. Requires eab.kid and eab.hmac. [$LEGO_EAB] + --eab.hmac string MAC key for External Account Binding. Should be in Base64 URL Encoding without padding format. [$LEGO_EAB_HMAC] + --eab.kid string Key identifier for External Account Binding. [$LEGO_EAB_KID] Flags related to advanced options: - --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) - --disable-cn Disable the use of the common name in the CSR. + --cert.timeout int Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30) [$LEGO_CERT_TIMEOUT] + --enable-cn Enable the use of the common name. (Not recommended) [$LEGO_ENABLE_CN] Flags related to the ACME client: - --http-timeout int Set the HTTP timeout value to a specific value in seconds. (default: 0) - --overall-request-limit int ACME overall requests limit. (default: 18) - --tls-skip-verify Skip the TLS verification of the ACME server. - --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli + --http-timeout int Set the HTTP timeout value to a specific value in seconds. 
(default: 0) [$LEGO_HTTP_TIMEOUT] + --overall-request-limit int ACME overall requests limit. (default: 18) [$LEGO_OVERALL_REQUEST_LIMIT] + --tls-skip-verify Skip the TLS verification of the ACME server. [$LEGO_TLS_SKIP_VERIFY] + --user-agent string Add to the user-agent sent to the CA to identify an application embedding lego-cli [$LEGO_USER_AGENT] Flags related to the storage: - --path string Directory to use for storing the data. [$LEGO_PATH] + --account-id string, -a string Account identifier (The email is used if there is account ID is undefined). [$LEGO_ACCOUNT_ID] + --path string Directory to use for storing the data. [$LEGO_PATH] """ [[command]]
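Review bot: In the storage flags of the `lego run` hunk, the variable documented for `--pfx.pass` changes from `$LEGO_PFX_PASSWORD` to `$LEGO_PFX_PASS` with no mention of the old name. If the old variable is no longer read, an environment that still exports it would encrypt the .pfx with the documented default "changeit". Suggest keeping the old name as a deprecated alias or calling out the rename in the help text. The same lines spell the format "PCKS#12" in `--pfx.format` and `--pfx.pass` while `--pfx` says "PKCS#12". Separately, `--accept-tos, -a` and `--account-id string, -a string` are both listed with the short alias `-a` in this command; moving `--account-id` to the storage group does not resolve that, so one of the two should lose the alias.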
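Review bot: In the `lego renew` hunk, the new `--renew-days` help never states that the default value 0 is what selects the dynamic computation, and its second line ends with an unmatched ")" after "short-lived certificates". Suggest saying explicitly that 0 means "compute dynamically" and fixing the parenthesis. Since `--days` and `--dynamic` are removed here, scripts that pass either will stop working, which deserves a migration note. In the DNS-01 group, the removed `--dns.propagation-rns` was an opt-in ("use all the recursive nameservers to check the propagation") while the added `--dns.propagation.disable-rns` is an opt-out, so the default behaviour appears to be inverted; the help should say that the recursive check is now on unless disabled.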
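Review bot: In the `lego revoke` options, `--keep, -k` and `--key-type string, -k string` are both documented with the short alias `-k`, so `-k` is ambiguous in this command; one of them should drop or change the alias. In the ACME client group, `--tls-skip-verify` gaining `[$LEGO_TLS_SKIP_VERIFY]` means verification of the ACME server certificate can be switched off from the environment with nothing visible on the command line. Suggest that the help text mark it as a testing-only setting, as `--enable-cn` does with "(Not recommended)".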