Command lencr generates certificates from ACME-based CAs, such
as Let's Encrypt.
Usage
Install the command:

    go install go.growl.space/lencr@latest

Run lencr -h for details on usage. The output of lencr -h from the time of
writing is below.
    usage: lencr [optional flags] [-a dir] [-d domain ...]

    Required flags:
      -a dir     directory to write ACME HTTP-01 challenge files
      -d domain  domain to make certificate for (can be repeated)

    Optional flags:
      -c         delete ACME challenge files on exit (default true)
      -k file    CA account key, PEM-encoded RSA (defaults to an ephemeral key)
      -o dir     output directory for cert.pem and key.pem files (default ".")
      -u url     CA directory endpoint (defaults to Let's Encrypt production)
      -v         log verbosely
The -a flag specifies the directory to which the command should write ACME
HTTP-01 challenge files. An external HTTP server must already be serving that
directory at the /.well-known/acme-challenge/ path of each specified domain, so
that the CA's HTTP-01 validation requests are answered while lencr runs.
The -d flag specifies the domain to generate the certificate for. Multiple
domains can be specified by repeating the flag (see example below).

The order of domains specified on the command line effectively should not
matter for most use cases, because all specified domains will be included in
the certificate's SAN field; however, note that the first domain specified on
the command line will be listed in the certificate's CN field.
The command generates an ephemeral account key to use with the certificate
authority (CA) on each invocation. The optional -k flag can be used to specify
an existing account key. The key file, if specified, must contain a
PEM-encoded RSA private key.
The generated full-chain certificate file (cert.pem) and key file (key.pem)
are written to the current directory by default. The output directory can be
controlled using the optional -o flag. The names of the output files cannot be
configured.
The certificates generated by the command are signed using the Let's Encrypt
production service. The optional -u flag can be used to specify an alternate
ACME-based CA directory endpoint; this CA's service will be used to sign the
certificate instead. For reference, the Let's Encrypt production URL is
https://acme-v02.api.letsencrypt.org/directory and the Let's Encrypt staging
URL is https://acme-staging-v02.api.letsencrypt.org/directory. The staging
service should be used when testing your configuration; it also has more
lenient rate limits.
Example
The following example generates a certificate and key pair for three domains,
namely littleroot.org, growl.space, and blog.growl.space.

    $ lencr -v -a $HOME/http/well-known/acme-challenge \
        -d littleroot.org \
        -d growl.space \
        -d blog.growl.space