gitmyhub

certmagic

Go ★ 5.6k updated 5d ago

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

CertMagic is a Go library that fully automates HTTPS certificate management, requesting, installing, and renewing TLS certificates from Let's Encrypt with a single function call, no certificate files to manage.

GoACME protocolLet's Encryptsetup: easycomplexity 2/5

CertMagic is a Go library that handles automatic HTTPS certificate management for any Go program. Getting a website to run over HTTPS normally involves requesting a certificate from a certificate authority, verifying that you own the domain, downloading and installing the certificate file, and repeating the renewal process every 90 days. CertMagic takes care of all of that in the background.

The library works through a protocol called ACME, which is the same standard used by Let's Encrypt, the free certificate authority behind most of the web's HTTPS connections. You point your domain name at your server, call a single function in your Go code, and CertMagic contacts Let's Encrypt, proves domain ownership, retrieves a certificate, installs it, and renews it automatically before it ever expires. The whole process happens without you touching certificate files at all.

To prove you own a domain, the library supports three methods. The HTTP challenge places a temporary file on your server that Let's Encrypt fetches. The TLS-ALPN challenge works at the connection level without needing port 80 open. The DNS challenge lets you add a record to your domain's DNS settings, which is useful when your server is behind a firewall and cannot be reached from the public internet.

Beyond the basics, CertMagic supports wildcard certificates (which cover all subdomains at once), on-demand issuance (certificates created the moment someone first connects to a new domain), distributed operation behind load balancers, and pluggable storage backends so certificates can be saved somewhere other than the local file system. Error handling includes automatic retries for up to 30 days with exponential backoff, and the library can switch to a test environment during development to avoid hitting Let's Encrypt rate limits.

This is the same library that powers the Caddy web server internally. It scales to hundreds of thousands of certificates per instance and works on Mac, Windows, Linux, and other platforms. The project requires Go 1.21 or newer. The full README is longer than what was shown.

Where it fits