Concert is a console-based certificate generation tool for Let’s Encrypt. Let’s Encrypt is a free (as in free beer), automated, and open certificate authority.


  • A valid domain name purchased from any domain registrar.
  • Root access to the server that the domain name points to.
  • Working email address for the domain.


We STRONGLY RECOMMEND installing concert from source, because it requires root access. Download pre-built binaries from here.

Compile from Source (RECOMMENDED)

We assume that you have already installed Go. Run the following command to download and install concert from source.

go get -u

How to generate a certificate?

To generate a certificate and key for, run the following command on the server as root. The files are saved under the my-certs directory.

sudo concert gen --dir my-certs
sudo ls my-certs
certs.json public.crt private.key

NOTE: Generated certificates are valid only for a maximum of 90 days. Please visit the following link for more details -

How to generate a certificate bundle for various sub domains?

To generate certificates for and its sub domains ‘www’, ‘ftp’ and ‘mail’, use the --sub-domains command line option. You need to run this command as root on the server.

sudo concert gen --sub-domains www,ftp,mail

Successfully generated bundled certs for sub domains ‘www’, ‘ftp’ and ‘mail’.

sudo ls certs
certs.json public.crt private.key

How to renew a certificate?

To renew a certificate for under the ‘certs’ directory, run the following command. New certs are generated and saved in the same directory as before.

sudo concert renew

How to automatically renew certificates?

You can run concert in server mode to automatically renew certificates once every 45 days.

sudo concert server --dir my-certs
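
A monitoring check for the renewal schedule above, added here as an example and not part of concert: certificates last 90 days and server mode renews every 45, so a public.crt with less than 45 days left means a renewal was missed. The names renewalDue and sampleCert and the self-signed sample certificate are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// renewalDue reports whether the PEM certificate (e.g. the contents of
// public.crt) has less than window of validity left at time now.
func renewalDue(pemData []byte, now time.Time, window time.Duration) (bool, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.NotAfter.Sub(now) < window, nil
}

// sampleCert returns a constructed self-signed 90-day certificate (not a real
// Let's Encrypt one) standing in for public.crt so the example runs offline.
func sampleCert(issued time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: issued, NotAfter: issued.Add(90 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	crt, _ := sampleCert(issued)
	for _, day := range []int{30, 60} { // by day 60 the 45-day renewal was missed
		due, err := renewalDue(crt, issued.AddDate(0, 0, day), 45*24*time.Hour)
		fmt.Printf("day %d: renewal due=%v err=%v\n", day, due, err)
	}
}
```

To use it against a real deployment, read public.crt from the certificate directory with os.ReadFile and pass time.Now() as the reference time.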

How to automatically renew certificates for various sub domains?

To automatically renew certificates for and its sub domains ‘www’, ‘ftp’ and ‘mail’, use the --sub-domains command line option.

sudo concert server --sub-domains www,ftp,mail


  • Why does concert require root access?

Concert needs root access for the ACME protocol’s verification of domain ownership. During the certificate generation phase, concert temporarily listens on port 80 or 443 to allow the service to connect and verify the ownership. Only root is allowed to bind to any port below 1024.

  • Can I run concert as non-root?

On GNU/Linux, it is possible to run as non-root by granting concert bind-only access to privileged ports.

sudo setcap cap_net_bind_service=+ep `which concert`