Provided by: letsencrypt_0.4.1-1_all


       letsencrypt - letsencrypt script documentation

            letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

          The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
          default, it will attempt to use a webserver both for obtaining and installing
          the cert. Major SUBCOMMANDS are:

            (default) run        Obtain & install a cert in your current webserver
            certonly             Obtain cert, but do not install it (aka "auth")
            install              Install a previously obtained cert in a server
            renew                Renew previously obtained certs that are near expiry
            revoke               Revoke a previously obtained certificate
            rollback             Rollback server configuration changes made during install
            config_changes       Show changes made to server config during installation
            plugins              Display information about installed plugins

          optional arguments:
            -h, --help            show this help message and exit
            -c CONFIG_FILE, --config CONFIG_FILE
                                  config file path (default: None)
            -v, --verbose         This flag can be used multiple times to incrementally
                                  increase the verbosity of output, e.g. -vvv. (default:
            -t, --text            Use the text output instead of the curses UI.
                                  (default: False)
            -n, --non-interactive, --noninteractive
                                  Run without ever asking for user input. This may
                                  require additional command line flags; the client will
                                  try to explain which ones are required if it finds one
                                  missing (default: False)
            --dry-run             Perform a test run of the client, obtaining test
                                  (invalid) certs but not saving them to disk. This can
                                  currently only be used with the 'certonly' subcommand.
                                  (default: False)
                                  Specifying this flag enables registering an account
                                  with no email address. This is strongly discouraged,
                                  because in the event of key loss or account compromise
                                  you will irrevocably lose access to your account. You
                                  will also be unable to receive notice about impending
                                  expiration or revocation of your certificates. Updates
                                  to the Subscriber Agreement will still affect you, and
                                  will be effective 14 days after posting an update to
                                  the web site. (default: False)
            -m EMAIL, --email EMAIL
                                  Email used for registration and recovery contact.
                                  (default: None)
            -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                                  Domain names to apply. For multiple domains you can
                                  use multiple -d flags or enter a comma separated list
                                  of domains as a parameter. (default: [])
            --user-agent USER_AGENT
                                  Set a custom user agent string for the client. User
                                  agent strings allow the CA to collect high level
                                  statistics about success rates by OS and plugin. If
                                  you wish to hide your server OS version from the Let's
                                  Encrypt server, set this to "". (default: None)

            Arguments for automating execution & other tweaks

            --keep-until-expiring, --keep, --reinstall
                                  If the requested cert matches an existing cert, always
                                  keep the existing one until it is due for renewal (for
                                  the 'run' subcommand this means reinstall the existing
                                  cert) (default: False)
            --expand              If an existing cert covers some subset of the
                                  requested names, always expand and replace it with the
                                  additional names. (default: False)
            --version             show program's version number and exit
            --force-renewal, --renew-by-default
                                  If a certificate already exists for the requested
                                  domains, renew it now, regardless of whether it is
                                  near expiry. (Often --keep-until-expiring is more
                                  appropriate). Also implies --expand. (default: False)
            --agree-tos           Agree to the Let's Encrypt Subscriber Agreement
                                  (default: False)
            --account ACCOUNT_ID  Account ID to use (default: None)
            --duplicate           Allow making a certificate lineage that duplicates an
                                  existing one (both can be renewed in parallel)
                                  (default: False)
            --os-packages-only    (letsencrypt-auto only) install OS package
                                  dependencies and then stop (default: False)
            --no-self-upgrade     (letsencrypt-auto only) prevent the letsencrypt-auto
                                  script from upgrading itself to newer released
                                  versions (default: False)

            The following flags are meant for testing purposes only! Do NOT change
            them, unless you really know what you're doing!

            --debug               Show tracebacks in case of errors, and allow
                                  letsencrypt-auto execution on experimental platforms
                                  (default: False)
            --no-verify-ssl       Disable SSL certificate verification. (default: False)
            --tls-sni-01-port TLS_SNI_01_PORT
                                  Port number to perform tls-sni-01 challenge. Boulder
                                  in testing mode defaults to 5001. (default: 443)
            --http-01-port HTTP01_PORT
                                  Port used in the SimpleHttp challenge. (default: 80)
            --break-my-certs      Be willing to replace or renew valid certs with
                                  invalid (testing/staging) certs (default: False)
            --test-cert, --staging
                                  Use the staging server to obtain test (invalid) certs;
                                  equivalent to --server https://acme-
                         (default: False)

            Security parameters & server settings

            --rsa-key-size N      Size of the RSA key. (default: 2048)
            --redirect            Automatically redirect all HTTP traffic to HTTPS for
                                  the newly authenticated vhost. (default: None)
            --no-redirect         Do not automatically redirect all HTTP traffic to
                                  HTTPS for the newly authenticated vhost. (default:
            --hsts                Add the Strict-Transport-Security header to every HTTP
                                  response, forcing the browser to always use SSL for
                                  the domain. Defends against SSL stripping. (default:
            --no-hsts             Do not automatically add the Strict-Transport-Security
                                  header to every HTTP response. (default: False)
            --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                                  requests" header to every HTTP response. Forcing the
                                  browser to use https:// for every http:// resource.
                                  (default: None)
            --no-uir              Do not automatically set the "Content-Security-Policy:
                                  upgrade-insecure-requests" header to every HTTP
                                  response. (default: None)
            --strict-permissions  Require that all configuration files are owned by the
                                  current user; only needed if your config is somewhere
                                  unsafe like /tmp/ (default: False)

            The 'renew' subcommand will attempt to renew all certificates (or more
            precisely, certificate lineages) you have previously obtained if they are
            close to expiry, and print a summary of the results. By default, 'renew'
            will reuse the options used to obtain or most recently successfully
            renew each certificate lineage. You can try it with `--dry-run` first. For
            more fine-grained control, you can renew individual lineages with the
            `certonly` subcommand.

            Options for modifying how a cert is obtained

            --csr CSR             Path to a Certificate Signing Request (CSR) in DER
                                  format; note that the .csr file *must* contain a
                                  Subject Alternative Name field for each domain you
                                  want certified. Currently --csr only works with the
                                  'certonly' subcommand. (default: None)

            Options for modifying how a cert is deployed

            Options for revocation of certs

            Options for reverting config changes

            --checkpoints N       Revert configuration N number of checkpoints.
                                  (default: 1)

            Plugin options

            --init                Initialize plugins. (default: False)
            --prepare             Initialize and prepare plugins. (default: False)
            --authenticators      Limit to authenticator plugins only. (default: None)
            --installers          Limit to installer plugins only. (default: None)

            Arguments changing execution paths & servers

            --cert-path CERT_PATH
                                  Path to where cert is saved (with auth --csr),
                                  installed from or revoked. (default: None)
            --key-path KEY_PATH   Path to private key for cert installation or
                                  revocation (if account key is missing) (default: None)
            --fullchain-path FULLCHAIN_PATH
                                  Accompanying path to a full certificate chain (cert
                                  plus chain). (default: None)
            --chain-path CHAIN_PATH
                                  Accompanying path to a certificate chain. (default:
            --config-dir CONFIG_DIR
                                  Configuration directory. (default: /etc/letsencrypt)
            --work-dir WORK_DIR   Working directory. (default: /var/lib/letsencrypt)
            --logs-dir LOGS_DIR   Logs directory. (default: /var/log/letsencrypt)
            --server SERVER       ACME Directory Resource URI. (default:

            Let's Encrypt client supports an extensible plugins architecture. See
            'letsencrypt plugins' for a list of all installed plugins and their names.
            You can force a particular plugin by setting options provided below.
            Running --help <plugin_name> will list flags specific to that plugin.

            -a AUTHENTICATOR, --authenticator AUTHENTICATOR
                                  Authenticator plugin name. (default: None)
            -i INSTALLER, --installer INSTALLER
                                  Installer plugin name (also used to find domains).
                                  (default: None)
            --configurator CONFIGURATOR
                                  Name of the plugin that is both an authenticator and
                                  an installer. Should not be used together with
                                  --authenticator or --installer. (default: None)
            --apache              Obtain and install certs using Apache (default: False)
            --nginx               Obtain and install certs using Nginx (default: False)
            --standalone          Obtain certs using a "standalone" webserver. (default:
            --manual              Provide laborious manual instructions for obtaining a
                                  cert (default: False)
            --webroot             Obtain certs by placing files in a webroot directory.
                                  (default: False)

            Webroot Authenticator

            -w WEBROOT_PATH, --webroot-path WEBROOT_PATH
                                  public_html / webroot path. This can be specified
                                  multiple times to handle different domains; each
                                  domain will have the webroot path that preceded it.
                                  For instance: `-w /var/www/example -d -d
                         -w /var/www/thing -d -d
                        ` (default: [])
            --webroot-map WEBROOT_MAP
                                  JSON dictionary mapping domains to webroot paths; this
                                  implies -d for each entry. You may need to escape this
                                  from your shell. E.g.: --webroot-map
                                  '{",":"/www/eg1/", "":"/www/eg2"}'
                                  This option is merged with, but takes precedence over,
                                  -w / -d entries. At present, if you put webroot-map in
                                  a config file, it needs to be on a single line, like:
                                  webroot-map = {"":"/var/www"}. (default:
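
The following is an added example, not code from the letsencrypt client: a small Python model of the rules stated above (each -d takes the -w that preceded it, and --webroot-map entries are merged in and win on conflict). The function name, the sample domains and paths, and the choice to raise an error for a domain with no webroot are assumptions of this sketch.

```python
import json

def resolve_webroots(argv):
    """Return {domain: webroot} for a letsencrypt-style argument list.

    Models only the rules stated in the help text; not the client's parser.
    """
    positional = {}   # domain -> webroot taken from -w / -d ordering
    mapped = {}       # domain -> webroot taken from --webroot-map
    current = None    # most recent -w value seen so far
    args = iter(argv)
    for flag in args:
        if flag in ("-w", "--webroot-path"):
            current = next(args)
        elif flag in ("-d", "--domain", "--domains"):
            # -d takes one name or a comma separated list of names
            for name in next(args).split(","):
                if name.strip():
                    positional[name.strip()] = current
        elif flag == "--webroot-map":
            # Keys may hold several comma separated domains (as in the
            # help text's example); each of them gets the same path.
            for key, path in json.loads(next(args)).items():
                for name in key.split(","):
                    if name.strip():
                        mapped[name.strip()] = path
    merged = {**positional, **mapped}   # the map wins on conflicts
    missing = sorted(d for d, p in merged.items() if p is None)
    if missing:
        # Assumption of this sketch: refuse rather than guess a webroot.
        raise ValueError("no webroot for: " + ", ".join(missing))
    return merged

# Constructed sample command line (domains and paths are placeholders).
SAMPLE_ARGV = [
    "certonly", "--webroot",
    "-w", "/var/www/example", "-d", "example.com", "-d", "www.example.com",
    "-w", "/var/www/thing", "-d", "thing.example.net,m.thing.example.net",
    "--webroot-map", '{"www.example.com": "/srv/www-override"}',
]

if __name__ == "__main__":
    for domain, path in sorted(resolve_webroots(SAMPLE_ARGV).items()):
        print(f"{domain:24} -> {path}")
```

Running it on the sample shows www.example.com resolved to the --webroot-map path rather than the -w path that preceded its -d flag, which is the precedence worth checking before a renewal writes challenge files into the wrong document root.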

            Null Installer

            Manually configure an HTTP server

            --manual-test-mode    Test mode. Executes the manual command in subprocess.
                                  (default: False)
                                  Automatically allows public IP logging. (default:

            Automatically use a temporary webserver

            --standalone-supported-challenges STANDALONE_SUPPORTED_CHALLENGES
                                  Supported challenges. Preferred in the order they are
                                  listed. (default: tls-sni-01,http-01)


       Let's Encrypt


       2014-2015, Let's Encrypt Project