Scripts · June 2, 2026 · 1 minute read

Lego — ACME Client and Library for Automated TLS Certificates

A Go-based ACME client and library that automates obtaining, renewing, and managing TLS certificates from Let's Encrypt and other ACME-compatible certificate authorities. Supports 100+ DNS providers for wildcard certificate validation.

This asset is staged securely first. The copied command asks the Agent to read the staged files and to confirm before activating any script, MCP configuration, or global configuration.

Stage only · 17/100 policy: staging required
Agent entry point: any MCP/CLI Agent
Type: CLI Tool
Install: Stage only
Trust: trust level Established
Entry: Lego ACME Client
Secure staging command:
npx -y tokrepo@latest install 99a3da17-5ec1-11f1-9bc6-00163e2b0d79 --target codex

Stage the files first; read the staged README and the install plan before activating.

Introduction

Lego is an ACME client and Go library for automating TLS certificate issuance and renewal. It supports Let's Encrypt, ZeroSSL, and other ACME-compliant certificate authorities. With built-in support for over 100 DNS providers, lego handles DNS-01 challenges for wildcard certificates without manual intervention, making it a building block for automated infrastructure.

What Lego Does

  • Obtains TLS certificates from Let's Encrypt and other ACME certificate authorities automatically
  • Supports HTTP-01, TLS-ALPN-01, and DNS-01 challenge types for domain validation
  • Handles wildcard certificate issuance via DNS-01 challenges with 100+ DNS provider integrations
  • Renews certificates before expiration with a single command or as a library call
  • Provides both a CLI tool and a Go library for embedding certificate management in applications

Architecture Overview

Lego is written in Go and implements the ACME v2 protocol (RFC 8555). The CLI wraps the library to provide a command-line interface for common operations. The DNS provider system uses a plugin-like architecture where each provider implements a standard interface for creating and cleaning up TXT records. Certificates and account keys are stored in a local directory structure. When used as a library, developers can integrate certificate management directly into Go applications.

Self-Hosting & Configuration

  • Install via go install, download prebuilt binaries, or use the Docker image
  • Register an account with lego --email=you@example.com --accept-tos run
  • Configure DNS provider credentials via environment variables for DNS-01 challenges
  • Set up a cron job or systemd timer with lego renew for automatic certificate renewal
  • Store certificates in a custom directory with --path and hook into deployment scripts with --renew-hook

Key Features

  • Over 100 DNS providers supported including Cloudflare, AWS Route 53, Google Cloud DNS, and DigitalOcean
  • Wildcard certificate support via automated DNS-01 challenge resolution
  • Usable as both a standalone CLI and an importable Go library
  • OCSP stapling support for certificates that include OCSP responder URLs
  • Automatic retry and error handling for transient DNS propagation delays

Comparison with Similar Tools

  • Certbot — Python-based official Let's Encrypt client; lego is a single Go binary with broader DNS provider support
  • acme.sh — Shell-based ACME client; lego offers a typed Go library for programmatic integration
  • Caddy — Web server with built-in ACME; lego provides standalone certificate management without a web server
  • cert-manager — Kubernetes-native certificate manager; lego works outside Kubernetes as a general-purpose tool
  • step-ca — Private CA server; lego is a client for public ACME CAs, not a CA itself

FAQ

Q: Does lego support Let's Encrypt staging for testing? A: Yes. Pass --server=https://acme-staging-v02.api.letsencrypt.org/directory to use the staging environment.

Q: Can I use lego for wildcard certificates? A: Yes. Wildcard certificates require DNS-01 validation. Configure a supported DNS provider and use --domains="*.example.com".

Q: How do I automate renewals? A: Run lego renew --days 30 in a cron job or systemd timer. It only renews if the certificate expires within the specified number of days.
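The renewal threshold that `lego renew --days 30` applies, as an added example written against Go's standard library (not lego's own code): the certificate is a constructed self-signed fixture standing in for the `<domain>.crt` lego stores under `--path`, and the threshold logic is reimplemented here so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal mirrors the check behind "lego renew --days N": it reports whether
// the certificate's NotAfter falls within `days` of now (expired certs included).
func needsRenewal(pemData []byte, days int, now time.Time) (bool, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return !cert.NotAfter.After(now.Add(time.Duration(days) * 24 * time.Hour)), nil
}

// selfSignedPEM is a constructed fixture standing in for the <domain>.crt that lego
// writes under --path; it expires validDays from now (negative values mean expired).
func selfSignedPEM(validDays int, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now.AddDate(-1, 0, 0),
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	crt, _ := selfSignedPEM(10, time.Now()) // 10 days left: inside the 30-day window
	fmt.Println(needsRenewal(crt, 30, time.Now()))
}
```

The same check is what a monitoring job can run against the stored certificate to alert when a scheduled `lego renew` has silently stopped working.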

Q: Can I use lego as a Go library in my application? A: Yes. Import github.com/go-acme/lego/v4 and use the client API to request, renew, and revoke certificates programmatically.
