# Lego — ACME Client and Library for Automated TLS Certificates

> A Go-based ACME client and library that automates obtaining, renewing, and managing TLS certificates from Let's Encrypt and other ACME-compatible certificate authorities. Supports 100+ DNS providers for DNS-01 validation, which is what wildcard certificates require.

## Quick Use

```bash
# Install via Go
go install github.com/go-acme/lego/v4/cmd/lego@latest

# Obtain a certificate using the HTTP-01 challenge. The first run also creates
# the ACME account; --accept-tos accepts the CA's terms non-interactively.
# HTTP-01 needs lego to answer on port 80 (or point --http.webroot at an
# existing web server's document root).
lego --email="you@example.com" --domains="example.com" --http --accept-tos run

# Obtain a wildcard certificate using the DNS-01 challenge (Cloudflare example).
# Provider credentials are read from environment variables; lego has no flag for them.
CLOUDFLARE_DNS_API_TOKEN=xxx lego --email="you@example.com" --domains="*.example.com" --dns cloudflare --accept-tos run
```

## Introduction

Lego is an ACME client and Go library for automating TLS certificate issuance and renewal. It supports Let's Encrypt, ZeroSSL, and any other ACME-compliant certificate authority. With built-in support for over 100 DNS providers, lego completes DNS-01 challenges for wildcard certificates without manual intervention, making it a building block for automated infrastructure.

## What Lego Does

- Obtains TLS certificates from Let's Encrypt and other ACME certificate authorities automatically
- Supports the HTTP-01, TLS-ALPN-01, and DNS-01 challenge types for domain validation
- Handles wildcard certificate issuance via DNS-01 challenges with 100+ DNS provider integrations
- Renews certificates before expiration with a single command or as a library call
- Provides both a CLI tool and a Go library for embedding certificate management in applications

## Architecture Overview

Lego is written in Go and implements the ACME v2 protocol (RFC 8555). The CLI wraps the library to provide a command-line interface for common operations. The DNS provider system uses a plugin-like architecture: each provider implements a small interface with a `Present` method that creates the `_acme-challenge` TXT record and a `CleanUp` method that removes it after validation. Lego computes the record name and value from the challenge token and the account key, so a provider only needs to know how to talk to its own DNS API.
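What a provider actually has to publish is easy to show without lego itself. The following is an added example, not lego's own code: it derives the HTTP-01 key authorization and the DNS-01 TXT record from a constructed token and a freshly generated P-256 account key using only the Go standard library, and wraps them in an in-memory provider with the same `Present`/`CleanUp` signatures as lego's `challenge.Provider` interface. The token string, the `*.example.com` domain and the `MemoryProvider` type are illustrative assumptions.

```go
// Added example, not lego's own code: the challenge material a lego challenge
// provider receives, derived with the standard library per RFC 8555 §8.1, §8.3
// and §8.4, plus an in-memory provider with the method set of lego's
// challenge.Provider interface. Token and domain in main are constructed samples.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url alphabet ACME uses throughout.
var b64 = base64.RawURLEncoding

// Thumbprint computes the RFC 7638 JWK thumbprint of a P-256 account key:
// SHA-256 over {"crv","kty","x","y"} in lexicographic member order, no
// whitespace, with fixed-width (32-byte) big-endian coordinates.
func Thumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("only P-256 keys are handled in this example")
	}
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{"P-256", "EC",
		b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
	raw, err := json.Marshal(jwk) // struct field order is the required order
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:]), nil
}

// KeyAuthorization is the exact body HTTP-01 serves at
// http://<domain>/.well-known/acme-challenge/<token>: token "." thumbprint.
func KeyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	tp, err := Thumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// DNS01Record returns the TXT record a DNS-01 provider must publish. The
// wildcard label is dropped, so "*.example.com" and "example.com" are both
// validated at _acme-challenge.example.com; the value is
// base64url(SHA-256(keyAuth)), so the key authorization never reaches DNS.
func DNS01Record(domain, keyAuth string) (fqdn, value string) {
	fqdn = "_acme-challenge." + strings.TrimPrefix(domain, "*.") + "."
	sum := sha256.Sum256([]byte(keyAuth))
	return fqdn, b64.EncodeToString(sum[:])
}

// MemoryProvider stands in for a DNS API. Present and CleanUp have the
// signatures of lego's challenge.Provider; a real provider looks the same with
// the map replaced by API calls (and is not safe for concurrent use as written).
type MemoryProvider struct {
	Records map[string]string // fqdn -> TXT value
}

// Present publishes the record before lego asks the CA to validate.
func (p *MemoryProvider) Present(domain, token, keyAuth string) error {
	fqdn, value := DNS01Record(domain, keyAuth)
	p.Records[fqdn] = value
	return nil
}

// CleanUp removes it afterwards. Stale _acme-challenge records are a common
// cause of later validation failures, so never skip this step.
func (p *MemoryProvider) CleanUp(domain, token, keyAuth string) error {
	fqdn, _ := DNS01Record(domain, keyAuth)
	delete(p.Records, fqdn)
	return nil
}

func main() {
	accountKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed sample token
	keyAuth, _ := KeyAuthorization(token, &accountKey.PublicKey)
	p := &MemoryProvider{Records: map[string]string{}}
	_ = p.Present("*.example.com", token, keyAuth)
	fqdn, _ := DNS01Record("*.example.com", keyAuth)
	fmt.Printf("HTTP-01 body: %s\nDNS-01: %s TXT %q\n", keyAuth, fqdn, p.Records[fqdn])
	_ = p.CleanUp("*.example.com", token, keyAuth)
}
```

Run it with `go run .`; the printed TXT value is what `dig TXT _acme-challenge.example.com` should return before the CA is asked to validate. The same record name serves both `*.example.com` and the apex, which is why a provider that forgets `CleanUp` leaves stale records that accumulate with every issuance.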
Certificates and account keys are stored in a local directory structure: `.lego/` in the working directory by default, or the directory given by `--path` (or `LEGO_PATH`), with the account key and registration under `accounts/` and each certificate, its private key and the issuer chain under `certificates/`. Treat that directory as secret material: the account key alone is enough to request, renew, and revoke certificates for every name the account has validated. When used as a library, developers can integrate certificate management directly into Go applications.

## Self-Hosting & Configuration

- Install via `go install`, download a prebuilt release binary, or use the `goacme/lego` Docker image
- The ACME account is created automatically on the first `run` for the given `--email`; pass `--accept-tos` to accept the CA's terms of service without an interactive prompt
- Configure DNS provider credentials via environment variables for DNS-01 challenges (for example `CLOUDFLARE_DNS_API_TOKEN`); each provider documents its own variable names
- Set up a cron job or systemd timer that runs `lego renew` with the same global flags as the original `run` for automatic certificate renewal
- Store certificates in a custom directory with `--path` and hook into deployment scripts with `--renew-hook` (run after a successful renewal) or `--run-hook` (run after an initial issuance), for example to reload the web server that serves the certificate

## Key Features

- Over 100 DNS providers supported including Cloudflare, AWS Route 53, Google Cloud DNS, and DigitalOcean
- Wildcard certificate support via automated DNS-01 challenge resolution
- Usable as both a standalone CLI and an importable Go library
- OCSP status lookup for certificates whose chain includes an OCSP responder URL (lego does not staple; the server that serves the certificate does)
- Tolerance for DNS propagation delay: before asking the CA to validate a DNS-01 challenge, lego polls the zone's nameservers until the TXT record is visible rather than failing immediately (the resolvers used are tunable with `--dns.resolvers`)

## Comparison with Similar Tools

- **Certbot** — The EFF's Python-based ACME client recommended by Let's Encrypt; lego is a single static Go binary with broader DNS provider support
- **acme.sh** — Shell-based ACME client; lego offers a typed Go library for programmatic integration
- **Caddy** — Web server with built-in ACME; lego provides standalone certificate management without a web server
- **cert-manager** — Kubernetes-native certificate manager; lego works outside Kubernetes as a general-purpose tool
- **step-ca** — Private CA server with its own ACME endpoint; lego is a client, not a CA, and can be pointed at step-ca or any other ACME server with `--server`

## FAQ

**Q: Does lego support Let's Encrypt staging for testing?**
A: Yes. Pass `--server=https://acme-staging-v02.api.letsencrypt.org/directory` to use the staging environment. Staging certificates chain to an untrusted test root, so browsers will reject them; use staging to debug challenge setup without consuming production rate limits.

**Q: Can I use lego for wildcard certificates?**
A: Yes. Wildcard certificates require DNS-01 validation. Configure a supported DNS provider and use `--domains="*.example.com"`. The challenge TXT record is published at `_acme-challenge.example.com`, with the wildcard label removed. Note that `*.example.com` does not cover the apex `example.com`; pass `--domains` twice to get both names in one certificate.
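The Self-Hosting & Configuration steps above rely on `lego renew` deciding for itself whether a certificate is due. As an added example (not lego's code), the following Go program reproduces that `--days` threshold against the PEM bundle lego writes under `--path`, and adds the SAN check a deployment script should make before installing a wildcard certificate. `SelfSignedPEM`, the 20-day validity window and the `*.example.com` names are constructed stand-ins, not something lego produces.

```go
// Added example, not lego's own code: the decision behind `lego renew --days N`,
// reproduced with the Go standard library so it can be run against the bundle
// lego writes to <path>/certificates/<domain>.crt, plus a SAN coverage check
// that catches a wildcard/apex mix-up. SelfSignedPEM is a constructed stand-in.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// LeafFromPEM returns the first CERTIFICATE block of a bundle; in lego's
// <domain>.crt the leaf comes first, followed by the issuer chain.
func LeafFromPEM(bundle []byte) (*x509.Certificate, error) {
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return nil, errors.New("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
}

// NeedsRenewal applies lego's threshold: renew when the certificate expires
// within `days` of `now`, or has already expired.
func NeedsRenewal(cert *x509.Certificate, days int, now time.Time) bool {
	return !now.Add(time.Duration(days) * 24 * time.Hour).Before(cert.NotAfter)
}

// Covers returns the requested names the certificate's SANs do not match.
// A wildcard matches exactly one label, so "*.example.com" covers
// "sub.example.com" but neither "example.com" nor "a.b.example.com".
func Covers(cert *x509.Certificate, domains []string) (missing []string) {
	for _, d := range domains {
		if cert.VerifyHostname(d) != nil {
			missing = append(missing, d)
		}
	}
	return missing
}

// SelfSignedPEM builds a throwaway certificate with the given SANs and
// validity window (constructed test input, not something lego produces).
func SelfSignedPEM(domains []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     domains,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Usage: go run . [.lego/certificates/example.com.crt]; with no argument a
	// 20-day certificate for *.example.com is generated instead.
	var bundle []byte
	var err error
	if len(os.Args) > 1 {
		bundle, err = os.ReadFile(os.Args[1])
	} else {
		now := time.Now()
		bundle, err = SelfSignedPEM([]string{"*.example.com"}, now, now.Add(20*24*time.Hour))
	}
	var cert *x509.Certificate
	if err == nil {
		cert, err = LeafFromPEM(bundle)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("expires %s; renew at --days 30: %v\n",
		cert.NotAfter.Format(time.RFC3339), NeedsRenewal(cert, 30, time.Now()))
	if missing := Covers(cert, []string{"*.example.com", "example.com"}); len(missing) > 0 {
		fmt.Println("not covered by SANs:", missing)
	}
}
```

Point it at a real bundle (`go run . .lego/certificates/example.com.crt`) to confirm what a daily `lego renew --days 30` job will do on its next run; the SAN report is the reason the wildcard FAQ above tells you to request the apex name explicitly.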
**Q: How do I automate renewals?**
A: Run `lego renew --days 30` with the same global flags as the original `run`, for example `lego --email="you@example.com" --domains="example.com" --http renew --days 30`, from a cron job or systemd timer. It only re-issues if the certificate expires within the specified number of days, so the job can safely run daily; add `--renew-hook` to reload whatever serves the certificate after a renewal. Lego reads the existing certificate from its `--path` directory to make that decision, so the job must use the same `--path` as the original `run`.

**Q: Can I use lego as a Go library in my application?**
A: Yes. Import the packages under `github.com/go-acme/lego/v4` and use the client API to request, renew, and revoke certificates programmatically. The caller supplies an account type implementing `registration.User` (`GetEmail`, `GetRegistration`, `GetPrivateKey`), builds a config with `lego.NewConfig(user)` (setting `CADirURL` to the CA's directory URL; `lego.LEDirectoryStaging` and `lego.LEDirectoryProduction` are provided), creates the client with `lego.NewClient(config)`, attaches a challenge solver such as `client.Challenge.SetHTTP01Provider(...)` or `client.Challenge.SetDNS01Provider(...)`, registers with `client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})`, and finally calls `client.Certificate.Obtain(certificate.ObtainRequest{Domains: ..., Bundle: true})`. Persist the account key and the returned registration resource yourself; the library does not store them.

## Sources

- https://github.com/go-acme/lego
- https://go-acme.github.io/lego/

---
Source: https://tokrepo.com/en/workflows/asset-99a3da17
Author: Script Depot