# Command line arguments

Here are all the command line arguments the program accepts.

## Notes

- Make sure that you are familiar with the basics of renewal management before proceeding with unattended use.
- Arguments documented as `--foo [--bar baz|qux]` mean that `--foo` is only applicable when `--bar` is set to `baz` or `qux`.
- Arguments that start with a `-` should be double escaped to be properly parsed. For example, if your literal value for `--key` needs to be `-foo`, then typing `--key "-foo"` will fail. Instead you need to type `--key "\"-foo\""`.
## Main

These are the main arguments used to control the program's unattended operation.

| Argument | Description |
|---|---|
| `--baseuri` | Address of the ACME server to use. The default endpoint can be modified in settings.json. |
| `--test` | Enables testing behaviours in the program which may help with troubleshooting. By default this also switches the `--baseuri` to the ACME test endpoint. The default endpoint for test mode can be modified in settings.json. |
| `--verbose` | Print additional log messages to the console for troubleshooting and bug reports. |
| `--help` | Show information about all available command line options. |
| `--version` | Show version information. |
| `--config` | Output configuration information in JSON format. |
| `--renew` | Renew any certificates that are due. This argument is used by the scheduled task. Note that it is not possible to change certificate properties and renew at the same time. |
| `--force [--renew]` | Always execute the renewal, disregarding the validity of the current certificates and the preferred schedule. |
| `--nocache` | Bypass the cache on certificate requests. Applies to both new requests and renewals. |
| `--register` | Create an ACME service account without creating a certificate. |
| `--cancel` | Cancel the renewal specified by the `--friendlyname` or `--id` arguments. |
| `--revoke` | Revoke the most recently issued certificate for the renewal specified by the `--friendlyname` or `--id` arguments. |
| `--list` | List all created renewals in unattended mode. |
| `--encrypt` | Rewrite all renewal information using the current EncryptConfig setting. |
| `--id [--source\|--cancel\|--renew\|--revoke]` | Id of a new or existing renewal. Can be used to override the default when creating a new renewal or to specify a specific renewal for other commands. |
| `--friendlyname [--source\|--cancel\|--renew\|--revoke]` | Friendly name of a new or existing renewal. Can be used to override the default when creating a new renewal or to specify a specific renewal for other commands. In the latter case a pattern may be used: `*` matches a range of any characters and `?` matches any single character. For example, the pattern `example.*` will match `example.net` and `example.com` (but not `my.example.com`), and the pattern `?.example.com` will match `a.example.com` and `b.example.com` (but not `www.example.com`). Note that multiple patterns can be combined by separating them with commas. |
| `--source` | Specify which source plugin to run, bypassing the main menu and triggering unattended mode. |
| `--validation` | Specify which validation plugin to run. If none is specified, SelfHosting validation will be chosen as the default. |
| `--validationmode` | Specify which validation mode to use. HTTP-01 is the default. |
| `--order` | Specify which order plugin to use. Single is the default. |
| `--csr` | Specify which CSR plugin to use. RSA is the default. |
| `--store` | Specify which store plugin to use. CertificateStore is the default. This may be a comma-separated list. |
| `--installation` | Specify which installation plugins to use (if any). This may be a comma-separated list. |
| `--closeonfinish [--test]` | Close the application when complete, which usually does not happen when test mode is active. Useful to test unattended operation. |
| `--hidehttps` | Hide sites that have existing HTTPS bindings from interactive mode. |
| `--notaskscheduler` | Do not create (or offer to update) the scheduled task. |
| `--setuptaskscheduler` | Create or update the scheduled task according to the current settings. |
## Account

These arguments are used to create a new account for the ACME client during an initial automated run.

| Argument | Description |
|---|---|
| `--accepttos` | Accept the ACME terms of service. |
| `--emailaddress` | Email address to link to your ACME account. |
| `--eab-key-identifier` | Key identifier to use for external account binding. |
| `--eab-key` | Key to use for external account binding. Must be base64url encoded. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--eab-algorithm` | Algorithm to use for external account binding. Valid values are HS256 (default), HS384, and HS512. |
| `--account` | Optionally provide a name for the account. Using different names for different renewals enables you to manage multiple accounts for a single ACME endpoint. Unless you have a specific need to do this, we recommend not using it. |
## Source

### Custom CSR

`--source csr`

| Argument | Description |
|---|---|
| `--csrfile` | Specify the location of a CSR file to make a certificate for. |
| `--pkfile` | Specify the location of the private key corresponding to the CSR. |

### IIS bindings

`--source iis`

| Argument | Description |
|---|---|
| `--siteid` | Identifiers of one or more sites to include. This may be a comma-separated list. |
| `--host` | Host name to filter. This parameter may be used to target specific bindings. This may be a comma-separated list. |
| `--host-pattern` | Pattern filter for host names. Can be used to dynamically include bindings based on their match with the pattern. `*` matches a range of any characters and `?` matches any single character. For example, the pattern `example.*` will match `example.net` and `example.com` (but not `my.example.com`), and the pattern `?.example.com` will match `a.example.com` and `b.example.com` (but not `www.example.com`). Note that multiple patterns can be combined by separating them with commas. |
| `--host-regex` | Regex pattern filter for host names. Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. |
| `--commonname` | Specify the common name of the certificate that should be requested for the source. By default this will be the first binding that is enumerated. |
| `--excludebindings` | Exclude host names from the certificate. This may be a comma-separated list. |
| `--host-type` | Specify which types of bindings to consider. May be set to `http`, `ftp` or both (comma separated). |

### Manual input

`--source manual`

| Argument | Description |
|---|---|
| `--commonname` | Specify the common name of the certificate. If not provided, the first host name will be used. |
| `--host` | A host name to get a certificate for. This may be a comma-separated list. |
## HTTP validation

### Filesystem

`--validation filesystem`

| Argument | Description |
|---|---|
| `--validationsiteid` | Specify the IIS site to use for handling validation requests. This will be used to choose the web root path. |
| `--webroot` | Root path of the site that will serve the HTTP validation requests. |
| `--manualtargetisiis` | Copy the default web.config to the .well-known directory. |

### FTP(S)

`--validation ftp`

| Argument | Description |
|---|---|
| `--username` | Username for the remote server. |
| `--password` | Password for the remote server. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--webroot` | Root path of the site that will serve the HTTP validation requests. |
| `--manualtargetisiis` | Copy the default web.config to the .well-known directory. |

### REST request

These arguments are for a plugin that requires an additional download.

`--validation rest`

| Argument | Description |
|---|---|
| `--rest-securitytoken` | The bearer token needed to authenticate with the REST API on the server for PUT / DELETE requests. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--rest-usehttps` | Whether HTTPS should be used instead of HTTP. Must be `true` if the server has HTTP to HTTPS redirection configured, as the redirected request always uses the GET method. |

### Self-hosting

`--validation selfhosting`

| Argument | Description |
|---|---|
| `--validationport` | Port to use for listening to validation requests. Note that the ACME server will always send requests to port 80. This option is only useful in combination with port forwarding. |
| `--validationprotocol` | Protocol to use to handle validation requests. Defaults to `http` but may be set to `https` if you have automatic redirects set up in your infrastructure before requests hit the web server. |

### SFTP

`--validation sftp`

| Argument | Description |
|---|---|
| `--username` | Username for the remote server. |
| `--password` | Password for the remote server. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--webroot` | Root path of the site that will serve the HTTP validation requests. |
| `--manualtargetisiis` | Copy the default web.config to the .well-known directory. |

### WebDav

`--validation webdav`

| Argument | Description |
|---|---|
| `--username` | Username for the remote server. |
| `--password` | Password for the remote server. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--webroot` | Root path of the site that will serve the HTTP validation requests. |
| `--manualtargetisiis` | Copy the default web.config to the .well-known directory. |
## DNS validation

### acme-dns

`--validation acme-dns`

| Argument | Description |
|---|---|
| `--acmednsserver` | Root URI of the acme-dns service. |

### Aliyun

These arguments are for a plugin that requires an additional download.

`--validation aliyun`

| Argument | Description |
|---|---|
| `--aliyunserver` | DNS server domain name. Refer to https://api.aliyun.com/product/Alidns. |
| `--aliyunapiid` | API ID for Aliyun. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--aliyunapisecret` | API secret for Aliyun. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Azure DNS

These arguments are for a plugin that requires an additional download.

`--validation azure`

| Argument | Description |
|---|---|
| `--azuresubscriptionid` | Subscription ID to log in to Microsoft Azure DNS (blank to use the default). |
| `--azurehostedzone` | Hosted zone (blank to find the best match). |
| `--azureenvironment` | This can be used to specify a specific Azure endpoint. Valid inputs are AzureCloud (default), AzureChinaCloud, AzureGermanCloud, AzureUSGovernment or a specific URI for an Azure Stack implementation. |
| `--azureusemsi` | Use Managed Service Identity for authentication. |
| `--azuretenantid` | Directory/tenant identifier. Found in Entra ID > Properties. |
| `--azureclientid` | Application/client identifier. Found/created in Entra ID > App registrations. |
| `--azuresecret` | Client secret. Found/created under Entra ID > App registrations. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Cloud DNS

These arguments are for a plugin that requires an additional download.

`--validation gcpdns`

| Argument | Description |
|---|---|
| `--serviceaccountkey` | Path to the service account key to authenticate with GCP. |
| `--projectid` | Project ID that is hosting Cloud DNS. |

### Cloudflare

These arguments are for a plugin that requires an additional download.

`--validation cloudflare`

| Argument | Description |
|---|---|
| `--cloudflareapitoken` | API token for Cloudflare. You may pass the secret in plain text, but can also use a reference to the secret vault. |
### Custom script

`--validation script`

| Argument | Description |
|---|---|
| `--dnsscript` | Path to a script that creates and deletes validation records, depending on its parameters. If this parameter is provided then `--dnscreatescript` and `--dnsdeletescript` are ignored. |
| `--dnscreatescript` | Path to a script that creates the validation TXT record. |
| `--dnscreatescriptarguments` | Default parameters passed to the script are `create {Identifier} {RecordName} {Token}`, but that can be customized using this argument. |
| `--dnsdeletescript` | Path to a script that removes the TXT record. |
| `--dnsdeletescriptarguments` | Default parameters passed to the script are `delete {Identifier} {RecordName} {Token}`, but that can be customized using this argument. |
| `--dnsscriptparallelism` | Configure the parallelism mode. `0` is fully serial (default), `1` allows multiple records to be created simultaneously, `2` allows multiple records to be validated simultaneously and `3` is a combination of both forms of parallelism. |
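As an added example (not the project's own code), a PowerShell `--dnsscript` that implements the create/delete contract above against a zone hosted on a Windows DNS Server, using the DnsServer module; the zone name, server name and script path are assumptions, and the input checks show the kind of validation a practitioner would want before a renewal job is allowed to write DNS records.

```powershell
# Added example of a --dnsscript for the custom script validation plugin; not part of simple-acme.
# With the default --dnscreatescriptarguments / --dnsdeletescriptarguments the plugin calls it as:
#   <script> create {Identifier} {RecordName} {Token}
#   <script> delete {Identifier} {RecordName} {Token}
# Assumptions for this example: the zone lives on a Windows DNS Server managed through the
# DnsServer PowerShell module, and $ZoneName / $DnsServer are placeholder values.
param(
    [Parameter(Mandatory, Position = 0)][ValidateSet('create', 'delete')][string]$Action,
    [Parameter(Mandatory, Position = 1)][string]$Identifier,
    [Parameter(Mandatory, Position = 2)][string]$RecordName,
    [Parameter(Mandatory, Position = 3)][string]$Token,
    [string]$ZoneName  = 'example.com',             # assumption: zone that holds the record
    [string]$DnsServer = 'dns01.example.internal'   # assumption: authoritative DNS server
)
$ErrorActionPreference = 'Stop'

# The plugin only ever asks for _acme-challenge TXT records inside the configured zone.
# Refuse anything else so a misconfigured renewal cannot write arbitrary records.
if ($RecordName -notlike '_acme-challenge.*') {
    throw "Refusing unexpected record name '$RecordName'"
}
if (-not $RecordName.EndsWith(".$ZoneName", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Record '$RecordName' is not inside zone '$ZoneName'"
}
# ACME challenge values are base64url; anything else is not a token and should not reach DNS.
if ($Token -notmatch '^[A-Za-z0-9_-]+$') {
    throw 'Token contains characters that are not base64url'
}

# Name relative to the zone, as the DnsServer cmdlets expect it (e.g. "_acme-challenge.www").
$Relative = $RecordName.Substring(0, $RecordName.Length - $ZoneName.Length - 1)

switch ($Action) {
    'create' {
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $Relative -Txt -DescriptiveText $Token
        Write-Host "Created TXT $RecordName for $Identifier"
    }
    'delete' {
        # Match on the token as well as the name: with --dnsscriptparallelism other than 0,
        # sibling identifiers (e.g. a name and its wildcard) can share the same record name,
        # and only the record carrying this token should be removed.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $Relative -RRType Txt -RecordData $Token -Force
        Write-Host "Removed TXT $RecordName for $Identifier"
    }
}
```

The script is registered with `--validation script --dnsscript <path to the .ps1>`; because the four parameters are positional in the documented order, the default create/delete argument templates bind to them without any custom `--dnscreatescriptarguments` or `--dnsdeletescriptarguments`.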
### DigitalOcean

These arguments are for a plugin that requires an additional download.

`--validation digitalocean`

| Argument | Description |
|---|---|
| `--digitaloceanapitoken` | The API token to authenticate against the DigitalOcean API. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### DNS Made Easy

These arguments are for a plugin that requires an additional download.

`--validation dnsmadeeasy`

| Argument | Description |
|---|---|
| `--apikey` | DnsMadeEasy API key. |
| `--apisecret` | DnsMadeEasy API secret. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### DNSExit

These arguments are for a plugin that requires an additional download.

`--validation dnsexit`

| Argument | Description |
|---|---|
| `--apikey` | DnsExit API key. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Domeneshop

These arguments are for a plugin that requires an additional download.

`--validation domeneshop`

| Argument | Description |
|---|---|
| `--clientid` | Domeneshop ClientID (token). |
| `--clientsecret` | Domeneshop client secret. |

### DreamHost

These arguments are for a plugin that requires an additional download.

`--validation dreamhost`

| Argument | Description |
|---|---|
| `--apikey` | Dreamhost API key. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### GoDaddy

These arguments are for a plugin that requires an additional download.

`--validation godaddy`

| Argument | Description |
|---|---|
| `--apikey` | GoDaddy API key. |
| `--apisecret` | GoDaddy API secret. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Hetzner

These arguments are for a plugin that requires an additional download.

`--validation hetzner`

| Argument | Description |
|---|---|
| `--hetznerapitoken` | API token for Hetzner. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--hetznerzoneid` | OPTIONAL: ID of the zone the record is associated with. |

### Infomaniak

These arguments are for a plugin that requires an additional download.

`--validation infomaniak`

| Argument | Description |
|---|---|
| `--apitoken` | Infomaniak API token. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Linode

These arguments are for a plugin that requires an additional download.

`--validation linode`

| Argument | Description |
|---|---|
| `--apitoken` | Linode personal access token. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### LuaDNS

These arguments are for a plugin that requires an additional download.

`--validation luadns`

| Argument | Description |
|---|---|
| `--luadnsusername` | LuaDNS account username (email address). |
| `--luadnsapikey` | LuaDNS API key. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### NS1/NSONE

These arguments are for a plugin that requires an additional download.

`--validation ns1`

| Argument | Description |
|---|---|
| `--apikey` | NS1 API key. |

### RFC2136

These arguments are for a plugin that requires an additional download.

`--validation rfc2136`

| Argument | Description |
|---|---|
| `--serverhost` | DNS server host name or IP address. |
| `--serverport` | DNS server port. |
| `--tsigkeyname` | TSIG key name. |
| `--tsigkeysecret` | TSIG key secret (Base64 encoded). You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--tsigkeyalgorithm` | TSIG key algorithm. |

### Route 53

These arguments are for a plugin that requires an additional download.

`--validation route53`

| Argument | Description |
|---|---|
| `--route53iamrole` | AWS IAM role for the current EC2 instance to log in to Amazon Route 53. Note that you should provide the IAM name instead of the ARN. |
| `--route53accesskeyid` | Access key ID to log in to Amazon Route 53. |
| `--route53secretaccesskey` | Secret access key to log in to Amazon Route 53. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Simply.com

These arguments are for a plugin that requires an additional download.

`--validation simply`

| Argument | Description |
|---|---|
| `--account` | Simply account. |
| `--apikey` | Simply API key. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Tencent Cloud

These arguments are for a plugin that requires an additional download.

`--validation tencent`

| Argument | Description |
|---|---|
| `--tencentapiid` | API ID for Tencent. You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--tencentapikey` | API key for Tencent. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### TransIP

These arguments are for a plugin that requires an additional download.

`--validation transip`

| Argument | Description |
|---|---|
| `--transip-login` | Login name at TransIP. |
| `--transip-privatekey` | Private key generated in the control panel (replace line breaks with spaces and use quotes). You may pass the secret in plain text, but can also use a reference to the secret vault. |
| `--transip-privatekeyfile` | Private key generated in the control panel (saved to a file on disk). |
## TLS validation

### Self-hosting

`--validationmode tls-alpn-01 --validation selfhosting`

| Argument | Description |
|---|---|
| `--validationport` | Port to use for listening to validation requests. Note that the ACME server will always send requests to port 443. This option is only useful in combination with port forwarding. |
## CSR

### Elliptic Curve

`--csr ec`

| Argument | Description |
|---|---|
| `--ocsp-must-staple` | Enable the OCSP Must Staple extension on the certificate. |
| `--reuse-privatekey` | Reuse the same private key for each renewal. |

### RSA

`--csr rsa`

| Argument | Description |
|---|---|
| `--ocsp-must-staple` | Enable the OCSP Must Staple extension on the certificate. |
| `--reuse-privatekey` | Reuse the same private key for each renewal. |
## Store

### Azure Key Vault

These arguments are for a plugin that requires an additional download.

`--store keyvault`

| Argument | Description |
|---|---|
| `--vaultname` | The name of the vault. |
| `--certificatename` | The name of the certificate. |
| `--azureenvironment` | This can be used to specify a specific Azure endpoint. Valid inputs are AzureCloud (default), AzureChinaCloud, AzureGermanCloud, AzureUSGovernment or a specific URI for an Azure Stack implementation. |
| `--azureusemsi` | Use Managed Service Identity for authentication. |
| `--azuretenantid` | Directory/tenant identifier. Found in Entra ID > Properties. |
| `--azureclientid` | Application/client identifier. Found/created in Entra ID > App registrations. |
| `--azuresecret` | Client secret. Found/created under Entra ID > App registrations. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### Central Certificate Store

`--store centralssl`

| Argument | Description |
|---|---|
| `--centralsslstore` | Location of the IIS Central Certificate Store. |
| `--pfxpassword` | Password to set for .pfx files exported to the IIS Central Certificate Store. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### P7B file

`--store p7bfile`

| Argument | Description |
|---|---|
| `--p7bfilepath` | Path to write the .p7b file to. |
| `--p7bfilename` | Prefix to use for the .p7b file; defaults to the common name. |

### PEM files

`--store pemfiles`

| Argument | Description |
|---|---|
| `--pemfilespath` | .pem files are exported to this folder. |
| `--pemfilesname` | Prefix to use for the .pem files; defaults to the common name. |
| `--pempassword` | Password to set for the private key .pem file. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### PFX file

`--store pfxfile`

| Argument | Description |
|---|---|
| `--pfxfilepath` | Path to write the .pfx file to. |
| `--pfxfilename` | Prefix to use for the .pfx file; defaults to the common name. |
| `--pfxpassword` | Password to set for the .pfx file exported to the folder. You may pass the secret in plain text, but can also use a reference to the secret vault. |

### User Store

These arguments are for a plugin that requires an additional download.

`--store userstore`

| Argument | Description |
|---|---|
| `--keepexisting` | While renewing, do not remove the previous certificate. |

### Windows Certificate Store

`--store certificatestore`

| Argument | Description |
|---|---|
| `--certificatestore` | This setting can be used to save the certificate in a specific store. By default it will go to the 'WebHosting' store on modern versions of Windows. |
| `--keepexisting` | While renewing, do not remove the previous certificate. |
| `--acl-fullcontrol` | List of additional principals (besides the owners of the store) that should get full control permissions on the private key of the certificate. Will not work when UseNextGenerationCryptoApi is set to `true`. |
| `--acl-read` | List of additional principals (besides the owners of the store) that should get read permissions on the private key of the certificate. Will not work when UseNextGenerationCryptoApi is set to `true`. |
## Installation

### Custom script

`--installation script`

| Argument | Description |
|---|---|
| `--script` | Path to the script file to run after retrieving the certificate. This may be any executable file or a PowerShell (.ps1) script. |
| `--scriptparameters` | Parameters for the script to run after retrieving the certificate. Refer to /reference/plugins/installation/script for further instructions. |

### Manage IIS bindings

`--installation iis`

| Argument | Description |
|---|---|
| `--installationsiteid` | Specify the site to install new bindings to. Defaults to the source if that is an IIS site. |
| `--sslport` | Port number to use for newly created HTTPS bindings. Defaults to 443. |
| `--sslipaddress` | IP address to use for newly created HTTPS bindings. Defaults to `*`. |
## Looking for win-acme?

simple-acme is a backwards-compatible, drop-in replacement built by the same person. Project history.