
Thursday, 16 April 2020

lego, a Go-based Let's Encrypt client

On the local machine, first install the Go environment. Then:
cd $GOPATH
go get -u -v github.com/go-acme/lego/cmd/lego/

The lego executable will then be generated in $GOBIN/.

Usage

 CLI help
When using the standard --path option, all certificates and account configurations are saved to a folder .lego in the current working directory.

Let’s Encrypt ACME server

lego defaults to communicating with the production Let’s Encrypt ACME server. If you’d like to test something without issuing real certificates, consider using the staging endpoint instead:
lego --server=https://acme-staging-v02.api.letsencrypt.org/directory …

Sudo

The CLI does not require root permissions but needs to bind to port 80 and 443 for certain challenges. To run the CLI without sudo, you have four options:
  • Use setcap 'cap_net_bind_service=+ep' /path/to/program
  • Pass the --http.port and/or the --tls.port option and specify a custom port to bind to. In this case you have to forward port 80/443 to these custom ports (see Port Usage).
  • Pass the --http.webroot option and specify the path to your webroot folder. In this case the challenge will be written in a file in .well-known/acme-challenge/ inside your webroot.
  • Pass the --dns option and specify a DNS provider.

Port Usage

By default lego assumes it is able to bind to ports 80 and 443 to solve challenges. If this is not possible in your environment, you can use the --http.port and --tls.port options to instruct lego to listen on that interface:port for any incoming challenges.
If you are using this option, make sure you proxy all of the following traffic to these ports.
HTTP Port: All plaintext HTTP requests to port 80 which begin with a request path of /.well-known/acme-challenge/ for the HTTP challenge.[1]
TLS Port: All TLS handshakes on port 443 for the TLS-ALPN challenge.
This traffic redirection is only needed as long as lego solves challenges. As soon as you have received your certificates you can deactivate the forwarding.

  1. You must ensure that incoming validation requests contain the correct value for the HTTP Host header. If you operate lego behind a non-transparent reverse proxy (such as Apache or NGINX), you might need to alter the header field using --http.proxy-header X-Forwarded-Host.
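
An added example (not from the lego documentation or the original post) of the port-80 forwarding described under Port Usage: a Go front end that hands only challenge requests to lego and leaves the Host header intact. The address 127.0.0.1:5002, the function names and the token check are assumptions of this example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Request path prefix of the HTTP challenge, as given in the text above.
const challengePrefix = "/.well-known/acme-challenge/"

// isToken is added hardening, not a lego requirement: ACME tokens use only
// the base64url alphabet, so anything else is never handed to lego.
func isToken(s string) bool {
	for _, c := range s {
		if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
			c >= '0' && c <= '9' || c == '-' || c == '_') {
			return false
		}
	}
	return s != ""
}

// NewChallengeFrontend returns the handler for the public port-80 listener.
// Challenge requests go to legoAddr (the address given to --http.port);
// all other traffic goes to fallback.
func NewChallengeFrontend(legoAddr string, fallback http.Handler) http.Handler {
	proxy := &httputil.ReverseProxy{Director: func(r *http.Request) {
		// Change only the destination; r.Host is left alone so lego sees
		// the Host header the validation request arrived with.
		r.URL.Scheme, r.URL.Host = "http", legoAddr
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.URL.Path
		if strings.HasPrefix(p, challengePrefix) && isToken(p[len(challengePrefix):]) {
			proxy.ServeHTTP(w, r)
			return
		}
		fallback.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed setup: lego was started with --http.port 127.0.0.1:5002.
	site := http.NotFoundHandler() // stand-in for the regular site handler
	log.Fatal(http.ListenAndServe(":80", NewChallengeFrontend("127.0.0.1:5002", site)))
}
```

Because the Host header passes through unchanged, this setup does not need --http.proxy-header.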
---------------------------------


lego


Let's Encrypt client written in Go.


Features

  • Register with CA
  • Obtain certificates, either from scratch or with an existing CSR
  • Renew certificates
  • Revoke certificates
  • Robust implementation of all ACME challenges
    • HTTP (http-01)
    • DNS (dns-01)
    • TLS (tls-alpn-01)
  • SAN certificate support
  • Comes with multiple optional DNS providers
  • Custom challenge solvers
  • Certificate bundling
  • OCSP helper function
lego introduced support for ACME v2 in v1.0.0. If you still need to utilize ACME v1, you can do so by using the v0.5.0 version.

Installation

How to install.

Usage

Documentation

Documentation is hosted live at https://go-acme.github.io/lego/.

DNS providers

Detailed documentation is available here.
Alibaba Cloud DNS, Amazon Lightsail, Amazon Route 53, Aurora DNS
Autodns, Azure, Bindman, Bluecat
Checkdomain, Cloudflare, ClouDNS, CloudXNS
ConoHa, Constellix, Designate DNSaaS for Openstack, Digital Ocean
DNS Made Easy, DNSimple, DNSPod, Domain Offensive (do.de)
DreamHost, Duck DNS, Dyn, Dynu
EasyDNS, Exoscale, External program, FastDNS
Gandi Live DNS (v5), Gandi, Glesys, Go Daddy
Google Cloud, Hosting.de, HTTP request, Internet Initiative Japan
INWX, Joker, Joohoi's ACME-DNS, Linode (deprecated)
Linode (v4), Liquid Web, Manual, MyDNS.jp
Name.com, Namecheap, Namesilo, Netcup
NIFCloud, NS1, Open Telekom Cloud, Oracle Cloud
OVH, PowerDNS, Rackspace, reg.ru
RFC2136, RimuHosting, Sakura Cloud, Scaleway
Selectel, Servercow, Stackpath, TransIP
VegaDNS, Versio.[nl/eu/uk], Vscale, Vultr
Zone.ee, Zonomi

From https://github.com/go-acme/lego