A CommandBox module that wraps the Lego ACME client for easy SSL certificate generation
This module provides a convenient way to generate SSL certificates using Let's Encrypt directly from your CommandBox CLI. It integrates the Lego ACME client, allowing you to generate certificates using DNS challenges with support for multiple DNS providers.
Lego uses DNS-01 challenge for domain validation instead of the traditional HTTP-01 challenge (which uses the .well-known folder). This means:
- You must have your domain registered with a supported DNS provider (see list below)
- You need API credentials/tokens from your DNS provider
- Lego will automatically:
- Create required DNS records for verification
- Wait for DNS propagation
- Complete the Let's Encrypt challenge
- Clean up the temporary DNS records
- Issue your certificate
This method is more reliable than HTTP validation as it works even for internal/private domains and doesn't require public web server access.
- CommandBox 5.x+
- Lego binary installed and available in your system PATH
- Domain registered with a supported DNS provider
- API credentials for your DNS provider
- Using Scoop:
scoop install lego-
Using PowerShell Script (Recommended):
- Download and run the Install-Lego.ps1 script which:
- Finds your CommandBox installation
- Downloads the latest Lego binary
- Places it alongside your Box executable
- Adds the location to your PATH
- Download and run the Install-Lego.ps1 script which:
-
Manual Installation:
- Download the latest Windows binary from Lego Releases
- Extract the
lego.exeto a folder (e.g.,C:\Program Files\Lego\) - Add the folder to your PATH:
- Open System Properties → Advanced → Environment Variables
- Under System Variables, find and select "Path"
- Click Edit → New
- Add the folder path (e.g.,
C:\Program Files\Lego\) - Click OK to save
Using Homebrew:
brew install lego-
Using package managers:
For Ubuntu/Debian:
sudo snap install lego
For Arch Linux:
yay -S lego
-
Manual Installation:
# Download latest release curl -L "https://github.com/go-acme/lego/releases/download/v4.x.x/lego_v4.x.x_linux_amd64.tar.gz" -o lego.tar.gz # Extract tar xf lego.tar.gz # Move to system path sudo mv lego /usr/local/bin/ # Verify installation lego --version
After installation, verify Lego is available in your PATH:
lego --versionYou should see output like:
lego version x.x.x ...
If you get "command not found" or "lego is not recognized", either:
- Lego isn't installed
- It's not in your system PATH
# Check if lego exists in your current directory
dir lego.exe
# Check if lego exists in your PATH by seeing all locations
where lego# Check if lego exists in your PATH
which lego
# Check all folders in your PATH
echo $PATHIf Lego isn't found, ensure you've:
- Completed the installation steps above
- Added the installation directory to your PATH
- Restarted your terminal/command prompt after PATH changes
✓ Install Lego using your OS-specific method
✓ Verify Lego is in your PATH using lego --version
✓ Configure your DNS provider credentials
✓ Install the CommandBox module
Install this module by running the following command in CommandBox:
box install commandbox-cblegoThis module requires you to have:
- A domain registered with one of the supported DNS providers
- API credentials for your provider
- Proper environment variables set for authentication
You can find detailed information about required API keys, tokens, and environment variables for your specific DNS provider in the Lego DNS provider documentation.
This is a list of DNS providers supported by the lego ACME client{:target="_blank"}. Each provider link will open in a new tab.
| Provider | Website |
|---|---|
| Active24 | active24 |
| Akamai EdgeDNS | edgedns |
| Alibaba Cloud DNS | alidns |
| all-inkl | allinkl |
| Amazon Lightsail | lightsail |
| Amazon Route 53 | route53 |
| ArvanCloud | arvancloud |
| Aurora DNS | auroradns |
| Autodns | autodns |
| Axelname | axelname |
| Azure (deprecated) | azure |
| Azure DNS | azuredns |
| Baidu Cloud | baiducloud |
| Bindman | bindman |
| Bluecat | bluecat |
| BookMyName | bookmyname |
| Brandit (deprecated) | brandit |
| Bunny | bunny |
| Checkdomain | checkdomain |
| Civo | civo |
| Cloud.ru | cloudru |
| CloudDNS | clouddns |
| Cloudflare | cloudflare |
| ClouDNS | cloudns |
| CloudXNS (Deprecated) | cloudxns |
| ConoHa | conoha |
| Constellix | constellix |
| Core-Networks | corenetworks |
| CPanel/WHM | cpanel |
| Derak Cloud | derak |
| deSEC.io | desec |
| Designate DNSaaS for Openstack | designate |
| Digital Ocean | digitalocean |
| DirectAdmin | directadmin |
| DNS Made Easy | dnsmadeeasy |
| dnsHome.de | dnshomede |
| DNSimple | dnsimple |
| DNSPod (deprecated) | dnspod |
| Domain Offensive (do.de) | dode |
| Domeneshop | domeneshop |
| DreamHost | dreamhost |
| Duck DNS | duckdns |
| Dyn | dyn |
| Dynu | dynu |
| EasyDNS | easydns |
| Efficient IP | efficientip |
| Epik | epik |
| Exoscale | exoscale |
| External program | exec |
| F5 XC | f5xc |
| freemyip.com | freemyip |
| G-Core | gcore |
| Gandi | gandi |
| Gandi Live DNS (v5) | gandiv5 |
| Glesys | glesys |
| Go Daddy | godaddy |
| Google Cloud | gcloud |
| Google Domains | googledomains |
| Hetzner | hetzner |
| Hosting.de | hostingde |
| Hosttech | hosttech |
| HTTP request | httpreq |
| http.net | httpnet |
| Huawei Cloud | huaweicloud |
| Hurricane Electric DNS | hurricane |
| HyperOne | hyperone |
| IBM Cloud (SoftLayer) | ibmcloud |
| IIJ DNS Platform Service | iijdpf |
| Infoblox | infoblox |
| Infomaniak | infomaniak |
| Internet Initiative Japan | iij |
| Internet.bs | internetbs |
| INWX | inwx |
| Ionos | ionos |
| IPv64 | ipv64 |
| iwantmyname | iwantmyname |
| Joker | joker |
| Joohoi's ACME-DNS | acme-dns |
| Liara | liara |
| Lima-City | limacity |
| Linode (v4) | linode |
| Liquid Web | liquidweb |
| Loopia | loopia |
| LuaDNS | luadns |
| Mail-in-a-Box | mailinabox |
| ManageEngine CloudDNS | manageengine |
| Manual | manual |
| Metaname | metaname |
| Metaregistrar | metaregistrar |
| mijn.host | mijnhost |
| Mittwald | mittwald |
| myaddr.{tools,dev,io} | myaddr |
| MyDNS.jp | mydnsjp |
| MythicBeasts | mythicbeasts |
| Name.com | namedotcom |
| Namecheap | namecheap |
| Namesilo | namesilo |
| NearlyFreeSpeech.NET | nearlyfreespeech |
| Netcup | netcup |
| Netlify | netlify |
| Nicmanager | nicmanager |
| NIFCloud | nifcloud |
| Njalla | njalla |
| Nodion | nodion |
| NS1 | ns1 |
| Open Telekom Cloud | otc |
| Oracle Cloud | oraclecloud |
| OVH | ovh |
| plesk.com | plesk |
| Porkbun | porkbun |
| PowerDNS | pdns |
| Rackspace | rackspace |
| Rain Yun/雨云 | rainyun |
| RcodeZero | rcodezero |
| reg.ru | regru |
| Regfish | regfish |
| RFC2136 | rfc2136 |
| RimuHosting | rimuhosting |
| Sakura Cloud | sakuracloud |
| Scaleway | scaleway |
| Selectel | selectel |
| Selectel v2 | selectelv2 |
| SelfHost.(de|eu) | selfhostde |
| Servercow | servercow |
| Shellrent | shellrent |
| Simply.com | simply |
| Sonic | sonic |
| Spaceship | spaceship |
| Stackpath | stackpath |
| Technitium | technitium |
| Tencent Cloud DNS | tencentcloud |
| Timeweb Cloud | timewebcloud |
| TransIP | transip |
| UKFast SafeDNS | safedns |
| Ultradns | ultradns |
| Variomedia | variomedia |
| VegaDNS | vegadns |
| Vercel | vercel |
| Versio.[nl|eu|uk] | versio |
| VinylDNS | vinyldns |
| VK Cloud | vkcloud |
| Volcano Engine/火山引擎 | volcengine |
| Vscale | vscale |
| Vultr | vultr |
| Webnames | webnames |
| Websupport | websupport |
| WEDOS | wedos |
| West.cn/西部数码 | westcn |
| Yandex 360 | yandex360 |
| Yandex Cloud | yandexcloud |
| Yandex PDD | yandex |
| Zone.ee | zoneee |
| Zonomi | zonomi |
Here are examples for common DNS providers:
# Using Token Authentication (Recommended)
export CLOUDFLARE_DNS_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export CLOUDFLARE_ZONE_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Or using a single token with both permissions
export CLOUDFLARE_DNS_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Using Email+Key Authentication (Legacy)
export CLOUDFLARE_EMAIL=you@example.com
export CLOUDFLARE_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Optional: Specify Zone Name (useful for troubleshooting)
export CLOUDFLARE_ZONE_NAME=yourdomain.com
# Optional: Set propagation timeout (in seconds)
export CLOUDFLARE_PROPAGATION_TIMEOUT=300# Using direct values
export EASYDNS_TOKEN=XXXXXXXXXXXXXXXX
export EASYDNS_KEY=XXXXXXXXXXXXXXXX
# Or using files
export EASYDNS_TOKEN_FILE=/path/to/token/file
export EASYDNS_KEY_FILE=/path/to/key/filecblego --accept-tos \
--email you@example.com \
--dns easydns \
-d example.com \
runEASYDNS_TOKEN=XXXXXXXXXXXXXXXX \
EASYDNS_KEY=XXXXXXXXXXXXXXXX \
cblego --accept-tos \
--email you@example.com \
--dns easydns \
-d '*.example.com' \
runNote:
- The wildcard syntax MUST use single quotes: '*.example.com'
- A wildcard certificate (*.example.com) only covers first-level subdomains (like sub.example.com)
- Wildcards do NOT cover the root domain (example.com) or deeper subdomain levels (sub.sub.example.com)
- If you need both root and subdomains, use: -d 'example.com' -d '*.example.com'
- DNS validation is required for wildcard certificates
cblego --accept-tos \
--server https://acme-staging-v02.api.letsencrypt.org/directory \
--email you@example.com \
--dns easydns \
--domains dev.example.com \
--path ./dev-certs \
runIf you're experiencing DNS propagation issues, you can specify custom DNS resolvers:
cblego --accept-tos \
--email you@example.com \
--dns cloudflare \
--dns.resolvers="1.1.1.1:53" \
-d example.com \
runFor EasyDNS specifically, you might want to use their own nameservers:
cblego --accept-tos \
--email you@example.com \
--dns easydns \
--dns.resolvers="dns1.easydns.com:53,dns2.easydns.com:53" \
-d example.com \
runThis is particularly helpful when:
- Your DNS provider has propagation delays
- You're in a "hidden master" DNS setup
- You're behind a corporate firewall that affects DNS resolution
- Let's Encrypt can't resolve your domain properly
- You have multi-part TLDs (like .co.uk domains) with EasyDNS
If you encounter authentication issues, follow these steps:
- Verify Environment Variables
# For easyDNS
echo $EASYDNS_TOKEN
echo $EASYDNS_KEY
# For Cloudflare
echo $CLOUDFLARE_DNS_API_TOKEN
echo $CLOUDFLARE_EMAIL- Common Issues and Solutions:
- Double-check your API tokens/keys for typos
- Ensure you're using the correct credential type (some providers have multiple API key types)
- Verify the credentials have sufficient permissions for DNS management
- Check if your account has DNS zone management permissions
- Verify the domain is properly set up in your DNS provider
- Ensure your API tokens have access to the specific domain
- Generate new API credentials
- Check if your provider requires token renewal
- Verify your account is in good standing
- Use the staging environment for testing
- Implement a delay between requests
- Check if your provider has rate limit tiers
- Ensure the domain/zone is properly added to your Cloudflare account
- Create a new API token with explicit Zone:Read and DNS:Edit permissions
- Try adding
CLOUDFLARE_ZONE_NAME=yourdomain.comto your environment - Verify that your API token has access to the specific zone
- Provider-Specific Validation
For easyDNS:
# Test API access
curl -H "Authorization: Basic $(echo -n "XXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXX" | base64)" \
https://rest.easydns.net/domain/list
# Test with custom resolvers
EASYDNS_TOKEN=XXXXXXXXXXXXXXXX \
EASYDNS_KEY=XXXXXXXXXXXXXXXX \
cblego --accept-tos \
--email you@example.com \
--dns easydns \
--dns.resolvers="dns1.easydns.com:53,dns2.easydns.com:53" \
-d example.com \
runIf you have domains with multi-part TLDs (like .co.uk domains), using EasyDNS's own nameservers as resolvers can help avoid permission errors.
For Cloudflare:
# Test API token validity
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
-H "Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" \
-H "Content-Type:application/json"
# Test zone access
curl -X GET "https://api.cloudflare.com/client/v4/zones?name=yourdomain.com" \
-H "Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" \
-H "Content-Type:application/json"- Debug Mode If you're still having issues, run with debug output:
LEGO_DEBUG=1 cblego --accept-tos \
--email you@example.com \
--dns easydns \
--domains example.com \
run- Common Resolution Steps:
- Clear any existing environment variables and reset them
- Generate new API credentials from your provider's dashboard
- Verify DNS propagation tools can see your domain
- Check provider's API status page for service issues
- Ensure your system time is accurately synchronized
- Verify your account has no outstanding billing issues
The module supports over 80 DNS providers that Lego supports, including:
- Amazon Route 53
- Cloudflare
- DigitalOcean
- Google Cloud DNS
- Azure DNS
- And many more...
Check if your DNS provider is supported by visiting the Lego DNS provider documentation
After successful certificate generation, you'll find the following files in your .lego directory:
certificates/domain.com.crt- Server certificate (including CA certificate)certificates/domain.com.key- Private keycertificates/domain.com.issuer.crt- CA certificatecertificates/domain.com.json- Certificate metadata
Install this module by running the following command in CommandBox:
box install commandbox-cblegoFor cloudflare
cblego run envfile=cloudflare.env staging=staging|prod path=Optinal|Path To Store Lego certificateExample cloudflare.env file:
# Cloudflare API Configuration
CLOUDFLARE_DNS_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CLOUDFLARE_EMAIL=your_email@example.com
CLOUDFLARE_ZONE_NAME=yourdomain.com
CLOUDFLARE_PROPAGATION_TIMEOUT=300
DNS_PROVIDER=cloudflare
# For wildcard certificates, use the wildcard domain
# A wildcard covers only first-level subdomains (e.g., *.example.com covers sub.example.com but NOT sub.sub.example.com)
# Note: Wildcards do NOT cover the root domain (example.com)
DOMAINS=*.yourdomain.com
# If you need both root domain and subdomains:
# DOMAINS=yourdomain.com,*.yourdomain.com
# For specific domains without wildcards, list each required domain
# DOMAINS=yourdomain.com,www.yourdomain.com,api.yourdomain.com
LEGO_EMAIL=your_email@example.com
For easydns
cblego run envfile=easydns.env staging=staging|prod path=Optinal|Path To Store Lego certificateExample easydns.env file:
# EasyDNS API Configuration
EASYDNS_TOKEN=XXXXXXXXXXXXXXXX
EASYDNS_KEY=XXXXXXXXXXXXXXXX
# Optional: Increase propagation timeout for multi-part TLDs
EASYDNS_PROPAGATION_TIMEOUT=300
# Optional: Use EasyDNS endpoint (sandbox for testing)
EASYDNS_ENDPOINT=https://sandbox.rest.easydns.net
DNS_PROVIDER=easydns
# For wildcard certificates, use the wildcard domain
# A wildcard covers only first-level subdomains (e.g., *.example.com covers sub.example.com but NOT sub.sub.example.com)
# Note: Wildcards do NOT cover the root domain (example.com)
DOMAINS=*.yourdomain.com
# If you need both root domain and subdomains:
# DOMAINS=yourdomain.com,*.yourdomain.com
# For specific domains without wildcards, list each required domain
# DOMAINS=yourdomain.com,www.yourdomain.com,admin.yourdomain.com
LEGO_EMAIL=your_email@example.com
We welcome contributions! Please see our Contributing Guide for details.
This project is licensed under the MIT License - see the LICENSE file for details.