explaingit

caddyserver/certmagic

5,557 · Go · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

CertMagic is a Go library that fully automates HTTPS certificate management: it requests, installs, and renews TLS certificates from Let's Encrypt with a single function call, leaving no certificate files to manage.

Mindmap

mindmap
  root((CertMagic))
    What it does
      Auto HTTPS setup
      Certificate renewal
      Domain validation
    Validation methods
      HTTP challenge
      TLS-ALPN challenge
      DNS challenge
    Features
      Wildcard certs
      On-demand issuance
      Load balancer support
    Audience
      Go developers
      Web server builders

Things people build with this

USE CASE 1

Add automatic HTTPS to any Go web server with a single function call, no certificate files to create or renew manually

USE CASE 2

Issue certificates on demand the first time someone visits a new domain, useful for multi-tenant SaaS apps

USE CASE 3

Manage HTTPS for hundreds of thousands of domains behind a load balancer with a shared certificate storage backend

USE CASE 4

Get TLS certificates for a server behind a firewall using DNS-based domain validation instead of HTTP

Tech stack

Go · ACME protocol · Let's Encrypt

Getting it running

Difficulty · easy · Time to first run · 30 min

Your domain must point to a publicly reachable server; use the staging environment during development to avoid Let's Encrypt rate limits.

In plain English

CertMagic is a Go library that handles automatic HTTPS certificate management for any Go program. Getting a website to run over HTTPS normally involves requesting a certificate from a certificate authority, verifying that you own the domain, downloading and installing the certificate file, and repeating the renewal process every 90 days. CertMagic takes care of all of that in the background.

The library works through a protocol called ACME, the same standard used by Let's Encrypt, the free certificate authority behind most of the web's HTTPS connections. You point your domain name at your server, call a single function in your Go code, and CertMagic contacts Let's Encrypt, proves domain ownership, retrieves a certificate, installs it, and renews it automatically before it ever expires. The whole process happens without you touching certificate files at all.

To prove you own a domain, the library supports three methods. The HTTP challenge makes a temporary token available at a well-known URL on your server, which Let's Encrypt fetches over port 80. The TLS-ALPN challenge works at the TLS connection level and does not need port 80 open. The DNS challenge has you add a record to your domain's DNS settings, which is useful when your server is behind a firewall and cannot be reached from the public internet.

Beyond the basics, CertMagic supports wildcard certificates (which cover all subdomains at once), on-demand issuance (certificates created the moment someone first connects to a new domain), distributed operation behind load balancers, and pluggable storage backends so certificates can be saved somewhere other than the local file system. Error handling includes automatic retries for up to 30 days with exponential backoff, and the library can be pointed at Let's Encrypt's staging environment during development to avoid hitting rate limits. This is the same library that powers the Caddy web server internally.

It scales to hundreds of thousands of certificates per instance and works on Mac, Windows, Linux, and other platforms. The project requires Go 1.21 or newer.
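To make the HTTP challenge concrete, here is an added example written for this page (it is not CertMagic's own code and uses only the Go standard library) that plays both sides of an ACME HTTP-01 validation as RFC 8555 and RFC 7638 describe it: the server publishes a key authorization (CA-issued token, a dot, and the SHA-256 thumbprint of its account key) at /.well-known/acme-challenge/<token>, and the validator fetches that URL and compares the body against the value it derives from the account key. All function names (jwkThumbprint, keyAuthorization, challengeHandler, validateHTTP01, runDemo) are assumptions of this example; the account key and token are generated locally, and the validator talks to a local httptest server instead of port 80 of a real domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Path prefix the CA fetches during an HTTP-01 challenge (RFC 8555, section 8.3).
const challengePath = "/.well-known/acme-challenge/"

// ACME uses unpadded base64url throughout.
var b64 = base64.RawURLEncoding

// jwkThumbprint returns the RFC 7638 thumbprint of a P-256 public key: SHA-256
// over the minimal JWK with its members in lexicographic order.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x, y := make([]byte, size), make([]byte, size)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		b64.EncodeToString(x), b64.EncodeToString(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64.EncodeToString(sum[:])
}

// keyAuthorization is what the server must publish for a challenge: the
// CA-issued token joined to the account key thumbprint with a dot.
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// challengeHandler answers only for tokens this server asked to prove, so the
// endpoint cannot be used to satisfy a challenge it never initiated.
func challengeHandler(auths map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, challengePath) {
			http.NotFound(w, r)
			return
		}
		keyAuth, ok := auths[strings.TrimPrefix(r.URL.Path, challengePath)]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, keyAuth)
	})
}

// validateHTTP01 plays the CA's side: fetch the challenge URL over plain HTTP
// and compare the body with the key authorization derived from the account key.
func validateHTTP01(baseURL, token string, pub *ecdsa.PublicKey) (bool, error) {
	resp, err := http.Get(baseURL + challengePath + token)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(body)) == keyAuthorization(token, pub), nil
}

// runDemo stands in for one issuance: a fresh account key, a random token as a
// CA would issue, the key authorization published on a constructed local test
// server, then validation of the right token and of one the server never saw.
func runDemo() (validated, unknownRejected bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return false, false, err
	}
	token := b64.EncodeToString(raw)
	pub := &key.PublicKey

	srv := httptest.NewServer(challengeHandler(map[string]string{token: keyAuthorization(token, pub)}))
	defer srv.Close()

	if validated, err = validateHTTP01(srv.URL, token, pub); err != nil {
		return false, false, err
	}
	stray, err := validateHTTP01(srv.URL, "token-the-server-never-requested", pub)
	return validated, !stray, err
}

func main() {
	validated, rejected, err := runDemo()
	fmt.Println("token validated:", validated, "| unknown token rejected:", rejected, "| err:", err)
}
```

The two things worth noticing are the per-token map in challengeHandler, which is why a challenge endpoint is not a general-purpose "answer anything" oracle, and the fact that the validator never trusts the server's claim of identity: it recomputes the key authorization from the account key it already holds, so only whoever controls both the account key and the HTTP endpoint of the domain can pass.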

Copy-paste prompts

Prompt 1
I am building a Go HTTP server. Show me the minimal code to use CertMagic to automatically get and renew a Let's Encrypt certificate for my domain example.com.
Prompt 2
I need CertMagic to use the DNS challenge instead of the HTTP challenge because my server is behind a firewall on port 80. How do I configure it with a DNS provider plugin?
Prompt 3
I want on-demand TLS with CertMagic so new customer domains get HTTPS the first time they connect. Show me how to enable it and add a callback that approves only known domains.
Prompt 4
How do I configure CertMagic to use a shared storage backend so multiple server instances behind a load balancer all have access to the same certificates?