LEGO
LEGO is a Let's Encrypt ACME client written in go.
API Keys
If you haven't already, setup an API key for your subdomain in the console. Save your subdomain information and credentials to a JSON file like this:
{
"username": "<yourApiKeyId>",
"password": "<yourApiKeySecret>",
"fulldomain": "<yourSubdomain>.localhostcert.net",
"subdomain": "<yourSubdomain>",
"server_url": "https://api.getlocalcert.net/api/v1/acme-dns-compat",
"allowfrom": []
}
LEGO uses a slightly different format to manage these keys:
{
"<yourSubdomain>.localhostcert.net": {
"username": "<yourApiKeyId>",
"password": "<yourApiKeySecret>",
"fulldomain": "<yourSubdomain>.localhostcert.net",
"subdomain": "<yourSubdomain>",
"server_url": "https://api.getlocalcert.net/api/v1/acme-dns-compat",
"allowfrom": []
}
}
You can convert from a credentials.json
file to a lego-creds.json
file using:
This instructs LEGO to use your subdomain as the verification domain.
Protect these files as they contain secrets.
Register a subdomain and issue a certificate
As you begin, start with Let's Encrypt's staging environment as the --server
.
Let's Encrypt's production environment has rate limits, so it's best to avoid using it until you've tested in the staging environment.
The following command issues a certificate that's valid for both your subdomain and all child subdomains (I.E. a wildcard certificate).
export ACME_DNS_API_BASE=https://api.getlocalcert.net/api/v1/acme-dns-compat
export ACMEDNS_FULLDOMAIN=subdomain.localhostcert.net
export ACMEDNS_EMAIL=[email protected]
export ACME_DNS_STORAGE_PATH=creds.json
./lego \
--accept-tos \
--email ${ACMEDNS_EMAIL} \
--dns acme-dns \
--domains ${ACMEDNS_FULLDOMAIN} \
--domains *.${ACMEDNS_FULLDOMAIN} \
--server https://acme-staging-v02.api.letsencrypt.org/directory \
run
If everything succeeded, you'll see that a certificate was issued.
You can now run again without the --server
argument to use the Let's Encrypt production environment.
Check out the LEGO docs for more information about copying these certificates to your web server and automating certificate renewals.
You can see our integration test example here.