signercli -letsencrypt
Let’s Encrypt SSL/TLS Certificate Management
1. Overview
The signercli -letsencrypt command provides full lifecycle management of Let’s Encrypt certificates inside the Signer platform.
It supports:
- Issuing new certificates (HTTP-01 and DNS-01 challenges)
- Wildcard certificates (*.example.com) via DNS-01
- Automatic DNS provider integration (Cloudflare, Route 53, GoDaddy, Custom Script)
- Manual DNS-01 challenge flow
- Certificate download in multiple formats
- Certificate renewal (automatic or manual)
- Auto-renewal configuration
- Activating a certificate for the Signer server’s HTTPS endpoint
This command is intended for platform operators and system administrators.
2. Basic Syntax
signercli -letsencrypt <command> [options]
3. Command Summary
| Command | Purpose |
|---|---|
| list | List issued Let’s Encrypt certificates |
| get <id> | View detailed information for a certificate |
| download <id> | Download certificate files |
| request | Request a new certificate |
| dns-request | Start manual DNS-01 challenge |
| dns-complete | Complete manual DNS-01 challenge |
| dns-providers | List configured DNS providers |
| renew <id> | Renew a certificate automatically |
| renew-dns <id> | Renew using manual DNS-01 |
| auto-renewal <id> | Enable or disable auto-renewal |
| activate <id> | Activate certificate for Signer HTTPS |
| delete <id> | Delete a certificate |
| help | Show help |
4. Authentication Methods
You can authenticate in two ways.
4.1 Login Token (Interactive Use)
Best for operators working manually.
signercli -login <username>
signercli -letsencrypt list
- The login token is stored locally
- No API key is required afterward
4.2 API Key (Automation / CI / Cron)
Best for scripts and unattended jobs.
signercli -letsencrypt list -api-key cdk_xxx -host https://server:7443
Requirements
- API key must include one of:
  - SYSTEM_ADMIN role, or
  - Explicit LETSENCRYPT permission
5. Environments: Staging vs Production
Understanding environments is critical.
5.1 Staging (Default)
- ❌ Not trusted by browsers
- ✅ No strict rate limits
- ✅ Ideal for testing
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos
Use staging when
- Testing DNS / HTTP routing
- Validating automation pipelines
- Debugging challenge failures
5.2 Production
- ✅ Trusted by all browsers
- ⚠ Strict rate limits
- 🚨 Cannot convert from staging
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos \
-env production
Important
- Staging and production certificates are issued by different CAs
- You must re-issue for production
6. Listing and Searching Certificates
6.1 List All Certificates
signercli -letsencrypt list
6.2 JSON Output (Automation)
signercli -letsencrypt list -format json
Useful for:
- Expiration monitoring
- Alerting systems
- CI/CD pipelines
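Added example (not part of the signercli documentation): a cron-friendly Python monitor built on the JSON list output, which reports production certificates expiring within a window and lists those without auto-renewal first. The output being a top-level list and the field names id, domain, environment, expires_at and auto_renewal are assumptions about the JSON schema; adjust them to the real output.

```python
"""Expiry monitor driven by `signercli -letsencrypt list -format json`."""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone


def parse_time(value):
    """Parse an ISO-8601 timestamp such as 2025-01-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fetch_certificates(extra_args=()):
    """Run the CLI and parse its JSON output (assumed to be a list of objects)."""
    cmd = ["signercli", "-letsencrypt", "list", "-format", "json", *extra_args]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def expiring_certs(certs, now, warn_days=30):
    """Return (days_left, cert) for production certs expiring within warn_days.

    Staging certs are skipped (browsers never trust them). Certs without
    auto-renewal sort first: they need a manual `renew <id>`.
    """
    threshold = now + timedelta(days=warn_days)
    hits = []
    for cert in certs:
        if cert.get("environment") != "production":
            continue
        expires = parse_time(cert["expires_at"])  # assumed field name
        if expires <= threshold:
            hits.append(((expires - now).days, cert))
    hits.sort(key=lambda item: (bool(item[1].get("auto_renewal")), item[0]))
    return hits


# Constructed sample, not real server output; field names are assumptions.
SAMPLE_CERTS = [
    {"id": "6789abc", "domain": "example.com", "environment": "production",
     "expires_at": "2025-02-10T00:00:00Z", "auto_renewal": True},
    {"id": "1111aaa", "domain": "*.example.com", "environment": "production",
     "expires_at": "2025-01-20T00:00:00Z", "auto_renewal": False},
    {"id": "2222bbb", "domain": "test.example.com", "environment": "staging",
     "expires_at": "2025-01-15T00:00:00Z", "auto_renewal": False},
]

if __name__ == "__main__":
    # Live run; exit non-zero so cron or CI treats expiring certs as a failure.
    found = expiring_certs(fetch_certificates(), datetime.now(timezone.utc))
    for days, cert in found:
        state = "auto-renewal on" if cert.get("auto_renewal") else "MANUAL RENEWAL NEEDED"
        print(f"{cert['id']} {cert['domain']} expires in {days}d ({state})")
    sys.exit(1 if found else 0)
```

Pass `-api-key` and `-host` through `extra_args` when running it unattended, as in section 4.2.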
6.3 Filter by Environment
signercli -letsencrypt list -env staging
signercli -letsencrypt list -env production
6.4 Filter by Domain Pattern
signercli -letsencrypt list -domain example.com
signercli -letsencrypt list -domain "*.example.com"
- Partial matching is supported
- Useful in multi-tenant environments
7. Viewing Certificate Details
signercli -letsencrypt get 6789abc
Check the following fields carefully:
- Environment (staging / production)
- Expiration date
- Challenge type (HTTP-01 / DNS-01)
- Subject Alternative Names (SAN)
- Auto-renewal status
- Activation status
8. Downloading Certificate Files
8.1 Download Fullchain Only
signercli -letsencrypt download 6789abc \
-type fullchain \
-o /etc/ssl
Used when:
- Web server requires fullchain.pem
8.2 Download All Files
signercli -letsencrypt download 6789abc \
-type all \
-o /etc/ssl
Includes:
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
⚠ Ensure strict file permissions for private keys.
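Added example (not part of the signercli documentation): a Python post-download check for a `-type all` directory that verifies all four files are present, that fullchain.pem is cert.pem followed by chain.pem, and that privkey.pem is readable by its owner only. It assumes the default Let’s Encrypt file names (`-naming letsencrypt`) and that fullchain.pem contains the leaf and chain certificate blocks in that order.

```python
"""Sanity-check and lock down a `download -type all` directory."""
import os
import re
import tempfile
from pathlib import Path

PUBLIC_FILES = ("cert.pem", "chain.pem", "fullchain.pem")
PRIVATE_KEY = "privkey.pem"
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(data):
    """Return the CERTIFICATE blocks in a PEM file, in order."""
    return PEM_CERT.findall(data)


def harden_cert_dir(directory):
    """Check the set is complete and consistent, then fix permissions.

    Returns {file name: octal mode string}. Raises on a missing file, a
    fullchain.pem that is not leaf + chain, or a privkey.pem without a PEM key.
    """
    d = Path(directory)
    for name in PUBLIC_FILES + (PRIVATE_KEY,):
        if not (d / name).is_file():
            raise FileNotFoundError(f"{name} missing from {d}")
    leaf = pem_blocks((d / "cert.pem").read_bytes())
    chain = pem_blocks((d / "chain.pem").read_bytes())
    full = pem_blocks((d / "fullchain.pem").read_bytes())
    if len(leaf) != 1 or full != leaf + chain:
        raise ValueError("fullchain.pem is not cert.pem followed by chain.pem")
    if b"PRIVATE KEY-----" not in (d / PRIVATE_KEY).read_bytes():
        raise ValueError("privkey.pem does not contain a PEM private key")
    # Private key: owner read/write only. Public material may stay world-readable.
    os.chmod(d / PRIVATE_KEY, 0o600)
    for name in PUBLIC_FILES:
        os.chmod(d / name, 0o644)
    return {p.name: oct(p.stat().st_mode & 0o777)[2:] for p in d.iterdir()}


def make_sample_dir():
    """Write a constructed (not real) download set to a temp dir and return it."""
    d = Path(tempfile.mkdtemp())
    leaf = b"-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    inter = b"-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
    (d / "cert.pem").write_bytes(leaf)
    (d / "chain.pem").write_bytes(inter)
    (d / "fullchain.pem").write_bytes(leaf + inter)
    (d / "privkey.pem").write_bytes(b"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n")
    os.chmod(d / "privkey.pem", 0o644)  # deliberately too permissive
    return d
```

Run `harden_cert_dir("/etc/ssl")` right after the download command; a raised error means the files should not be deployed to the web server.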
8.3 Filename Styles
# Default Let’s Encrypt naming
signercli -letsencrypt download 6789abc -type all -naming letsencrypt
# Domain-based naming
signercli -letsencrypt download 6789abc -type all -naming domain
When to use domain naming
- Multiple domains in the same directory
- Easier manual identification
9. Requesting Certificates
9.1 HTTP-01 Challenge (Default)
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos
Requirements
- Port 80 must be reachable from the internet
- HTTP traffic must reach the Signer challenge endpoint
Best for
- Public web services
- Simple single-domain setups
9.2 Production HTTP-01
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos \
-env production
9.3 SAN (Multiple Domains)
signercli -letsencrypt request \
-domain example.com \
-san "www.example.com,api.example.com" \
-email admin@example.com \
-agree-tos \
-env production
Reduces certificate sprawl.
9.4 DNS-01 (Automatic Provider)
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos \
-challenge dns-01
Advantages
- No need for port 80
- Works behind firewalls
- Required for wildcard certificates
9.5 DNS-01 with Specific Provider
signercli -letsencrypt request \
-domain example.com \
-email admin@example.com \
-agree-tos \
-challenge dns-01 \
-provider-id 6789abc
Used when multiple DNS providers are configured.
9.6 Wildcard Certificates
signercli -letsencrypt request \
-domain "*.example.com" \
-email admin@example.com \
-agree-tos \
-challenge dns-01 \
-env production
Notes
- HTTP-01 is not allowed for wildcards
- DNS-01 is mandatory
10. Manual DNS-01 Flow
10.1 Two-Step Mode
# Step 1
signercli -letsencrypt dns-request \
-domain example.com \
-email admin@example.com \
-agree-tos
Output includes:
- TXT record name/value
- challenge-id
After adding TXT record:
# Step 2
signercli -letsencrypt dns-complete -challenge-id <challenge-id>
10.2 Interactive Mode
signercli -letsencrypt dns-request \
-domain example.com \
-email admin@example.com \
-agree-tos \
-interactive
The CLI waits until you confirm DNS propagation.
11. DNS Providers
signercli -letsencrypt dns-providers
Lists:
- Provider IDs
- Provider type
- Integration status
12. Certificate Renewal
12.1 Automatic Renewal
signercli -letsencrypt renew 6789abc
Works for:
- HTTP-01 certificates
- DNS-01 certificates with provider integration
12.2 Manual DNS Renewal
signercli -letsencrypt renew-dns 6789abc
signercli -letsencrypt dns-complete -challenge-id <id>
Or interactive:
signercli -letsencrypt renew-dns 6789abc -interactive
13. Auto-Renewal Configuration
signercli -letsencrypt auto-renewal 6789abc -enable
signercli -letsencrypt auto-renewal 6789abc -disable
Best practice
- Enable auto-renewal for DNS-01 with provider integration
- Monitor renewals via alerts
14. Activating Certificate for Signer HTTPS
signercli -letsencrypt activate 6789abc
Important Notes
- This does not enable or disable the certificate itself
- It selects which certificate the Signer server uses for HTTPS
- All certificates remain valid
- A Signer server restart is required
Recommendation
- Always activate a production certificate for public HTTPS access
15. Deleting Certificates
signercli -letsencrypt delete 6789abc
⚠ Deletion is permanent.
Ensure a replacement certificate exists before deleting production certificates.
16. Recommended Operational Workflow
First-Time Setup
- Issue staging certificate
- Verify challenge success
- Issue production certificate
- Enable auto-renewal
- Activate for Signer HTTPS (if needed)
- Configure monitoring
Multi-Tenant SaaS Best Practice
- Use wildcard certificates
- DNS-01 with provider auto-integration
- Auto-renewal enabled
- Domain-based naming for downloads
17. Quick Reference Examples
# Staging test
signercli -letsencrypt request -domain example.com -email admin@example.com -agree-tos
# Production wildcard
signercli -letsencrypt request -domain "*.example.com" -email admin@example.com -agree-tos -challenge dns-01 -env production
# Enable auto-renewal
signercli -letsencrypt auto-renewal 6789abc -enable
# Download
signercli -letsencrypt download 6789abc -type all -o /etc/ssl