lego/docs/content/usage/cli/examples.md

---
title: "Examples"
date: 2019-11-15T23:25:46+01:00
draft: false
---

## CLI Examples

Assumes the `lego` binary has permission to bind to ports 80 and 443.
You can get a pre-built binary from the [releases](https://github.com/go-acme/lego/releases) page.
If your environment does not allow you to bind to these ports, please read [Port Usage](usage/cli#port-usage).

### Obtain a certificate

```bash
lego --email="foo@bar.com" --domains="example.com" --http run
```

(Find your certificate in the `.lego` folder of current working directory.)

### To renew the certificate

```bash
lego --email="foo@bar.com" --domains="example.com" --http renew
```

### To renew the certificate only if it expires within 45 days

```bash
lego --email="foo@bar.com" --domains="example.com" --http renew --days 45
```

### To renew the certificate (and hook)

The hook is executed only when the certificates are effectively renewed.

```bash
lego --email="foo@bar.com" --domains="example.com" --http renew --renew-hook="./myscript.sh"
```

### Obtain a certificate using the DNS challenge

```bash
AWS_REGION=us-east-1 \
AWS_ACCESS_KEY_ID=my_id \
AWS_SECRET_ACCESS_KEY=my_key \
lego --email="foo@bar.com" --domains="example.com" --dns="route53" run
```

### Obtain a certificate given a certificate signing request (CSR) generated by something else

```bash
lego --email="foo@bar.com" --http --csr=/path/to/csr.pem run
```

(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR's Common Name and optional SubjectAltNames are set correctly.)

## Misc HTTP-01 CLI Examples

### Write HTTP-01 token to already "served" directory

If you have an existing server running on port 80 the `--http` option needs to also use the `--http.webroot` option.
This just writes the token to the given directory in the folder `.well-known/acme-challenge` and does not start a server.

The given directory **should** be publicly served as `/` on the domain(s) for the validation to complete. 

If the given directory is not publicly served you will have to support rewriting the request to the directory;

You could also implement a rewrite to rewrite `.well-known/acme-challenge` to the given directory `.well-known/acme-challenge`.

You should be able to run an existing webserver on port 80 and have lego write the token file with the HTTP-01 challenge key authorization to `<webroot dir>/.well-known/acme-challenge/` by running something like:

```bash
lego --accept-tos -m foo@bar.com --http --http.webroot /path/to/webroot -d example.com run
```
Automatic generation of documentation (#818) * generate a detailed CLI help * generate a documentation site * new readme 2019-03-08 18:47:06 +00:00			`---`
			`title: "Examples"`
Update examples to explain http.webroot (#1012) 2019-11-19 00:43:07 +00:00			`date: 2019-11-15T23:25:46+01:00`
Automatic generation of documentation (#818) * generate a detailed CLI help * generate a documentation site * new readme 2019-03-08 18:47:06 +00:00			`draft: false`
			`---`

			`## CLI Examples`

			Assumes the `lego` binary has permission to bind to ports 80 and 443.
chore: migrate to new org. (#824) 2019-03-11 16:56:48 +00:00			`You can get a pre-built binary from the [releases](https://github.com/go-acme/lego/releases) page.`
Automatic generation of documentation (#818) * generate a detailed CLI help * generate a documentation site * new readme 2019-03-08 18:47:06 +00:00			`If your environment does not allow you to bind to these ports, please read [Port Usage](usage/cli#port-usage).`

			`### Obtain a certificate`

			```bash
			`lego --email="foo@bar.com" --domains="example.com" --http run`
			```

			(Find your certificate in the `.lego` folder of current working directory.)

			`### To renew the certificate`

			```bash
			`lego --email="foo@bar.com" --domains="example.com" --http renew`
			```

			`### To renew the certificate only if it expires within 45 days`

			```bash
			`lego --email="foo@bar.com" --domains="example.com" --http renew --days 45`
			```

Adds renew hook (#845) * chore: update golangci-lint. * feat: support renew-hook. 2019-04-02 16:38:23 +00:00			`### To renew the certificate (and hook)`

			`The hook is executed only when the certificates are effectively renewed.`

			```bash
			`lego --email="foo@bar.com" --domains="example.com" --http renew --renew-hook="./myscript.sh"`
			```

Automatic generation of documentation (#818) * generate a detailed CLI help * generate a documentation site * new readme 2019-03-08 18:47:06 +00:00			`### Obtain a certificate using the DNS challenge`

			```bash
			`AWS_REGION=us-east-1 \`
			`AWS_ACCESS_KEY_ID=my_id \`
			`AWS_SECRET_ACCESS_KEY=my_key \`
			`lego --email="foo@bar.com" --domains="example.com" --dns="route53" run`
			```

			`### Obtain a certificate given a certificate signing request (CSR) generated by something else`

			```bash
			`lego --email="foo@bar.com" --http --csr=/path/to/csr.pem run`
			```

			`(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR's Common Name and optional SubjectAltNames are set correctly.)`
Update examples to explain http.webroot (#1012) 2019-11-19 00:43:07 +00:00
			`## Misc HTTP-01 CLI Examples`

			`### Write HTTP-01 token to already "served" directory`

			If you have an existing server running on port 80 the `--http` option needs to also use the `--http.webroot` option.
			This just writes the token to the given directory in the folder `.well-known/acme-challenge` and does not start a server.

			The given directory should be publicly served as `/` on the domain(s) for the validation to complete.

			`If the given directory is not publicly served you will have to support rewriting the request to the directory;`

			You could also implement a rewrite to rewrite `.well-known/acme-challenge` to the given directory `.well-known/acme-challenge`.

			You should be able to run an existing webserver on port 80 and have lego write the token file with the HTTP-01 challenge key authorization to `<webroot dir>/.well-known/acme-challenge/` by running something like:

			```bash
			`lego --accept-tos -m foo@bar.com --http --http.webroot /path/to/webroot -d example.com run`
			```