CA servers - Lego — ContextQMD

This page describes the usage of CA servers (ACME servers).

{{% notice note %}} Any CA server that follow RFC 8555 can be used with lego. {{% /notice %}}

Let's Encrypt ACME server

lego defaults to communicating with the production Let's Encrypt ACME server.

If you'd like to test something without issuing real certificates, consider using the staging endpoint instead:

bash

lego run --server='letsencrypt-staging' …

To ease the usage of the CA server in most of cases, we provide a short-code for each already known CA server.

Name	Code	Directory URL
Actalis	`actalis`	https://acme-api.actalis.com/acme/directory
Digicert	`digicert`	https://one.digicert.com/mpki/api/v1/acme/v2/directory
FreeSSL	`freessl`	https://acmepro.freessl.cn/v2/DV
GlobalSign	`globalsign`	https://emea.acme.atlas.globalsign.com/directory
Google Trust	`googletrust`	https://dv.acme-v02.api.pki.goog/directory
Google Trust staging	`googletrust-staging`	https://dv.acme-v02.test-api.pki.goog/directory
Let's Encrypt	`letsencrypt`	https://acme-v02.api.letsencrypt.org/directory
Let's Encrypt staging	`letsencrypt-staging`	https://acme-staging-v02.api.letsencrypt.org/directory
LiteSSL	`litessl`	https://acme.litessl.com/acme/v2/directory
PeeringHub	`peeringhub`	https://stica.peeringhub.io/acme
SSL.com ECDSA	`sslcomecc`	https://acme.ssl.com/sslcom-dv-ecc
SSL.com RSA	`sslcomrsa`	https://acme.ssl.com/sslcom-dv-rsa
Sectigo DV (Domain Validation)	`sectigo`	https://acme.sectigo.com/v2/DV
Sectigo EV (Extended Validation)	`sectigoev`	https://acme.sectigo.com/v2/EV
Sectigo OV (Organization Validation)	`sectigoov`	https://acme.sectigo.com/v2/OV
ZeroSSL	`zerossl`	https://acme.zerossl.com/v2/DV90

lego supports three different ways to authenticate with ZeroSSL.

Access key: if the environment variable ZERO_SSL_ACCESS_KEY is set.
Email: if the email address is set and the environment variable ZERO_SSL_ACCESS_KEY is not set.
External Account Binding (EAB): if none of the above elements are defined.