package module
v0.21.3 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2024 License: Apache-2.0 Imports: 47 Imported by: 419



Easy and Powerful TLS Automation

The same library used by the Caddy Web Server

Caddy's automagic TLS features—now for your own Go programs—in one powerful and easy-to-use library!

CertMagic is the most mature, robust, and powerful ACME client integration for Go... and perhaps ever.

With CertMagic, you can add one line to your Go application to serve securely over TLS, without ever having to touch certificates.

Instead of:

// plaintext HTTP, gross 🤢
http.ListenAndServe(":80", mux)

Use CertMagic:

// encrypted HTTPS with HTTP->HTTPS redirects - yay! 🔒😍
certmagic.HTTPS([]string{"example.com"}, mux)

That line of code will serve your HTTP router mux over HTTPS, complete with HTTP->HTTPS redirects. It obtains and renews the TLS certificates. It staples OCSP responses for greater privacy and security. As long as your domain name points to your server, CertMagic will keep its connections secure.

Compared to other ACME client libraries for Go, only CertMagic supports the full suite of ACME features, and no other library matches CertMagic's maturity and reliability.

CertMagic - Automatic HTTPS using Let's Encrypt



  • Fully automated certificate management including issuance and renewal
  • One-line, fully managed HTTPS servers
  • Full control over almost every aspect of the system
  • HTTP->HTTPS redirects
  • Multiple issuers supported: get certificates from multiple sources/CAs for redundancy and resiliency
  • Solves all 3 common ACME challenges: HTTP, TLS-ALPN, and DNS (and capable of others)
  • Most robust error handling of any ACME client
    • Challenges are randomized to avoid accidental dependence
    • Challenges are rotated to overcome certain network blockages
    • Robust retries for up to 30 days
    • Exponential backoff with carefully-tuned intervals
    • Retries with optional test/staging CA endpoint instead of production, to avoid rate limits
  • Written in Go, a language with memory-safety guarantees
  • Powered by ACMEz, the premier ACME client library for Go
  • All libdns DNS providers work out-of-the-box
  • Pluggable storage backends (default: file system)
  • Pluggable key sources
  • Wildcard certificates
  • Automatic OCSP stapling (done right) keeps your sites online!
  • Distributed solving of all challenges (works behind load balancers)
    • Highly efficient, coordinated management in a fleet
    • Active locking
    • Smart queueing
  • Supports "on-demand" issuance of certificates (during TLS handshakes!)
    • Caddy / CertMagic pioneered this technology
    • Custom decision functions to regulate and throttle on-demand behavior
  • Optional event hooks for observation
  • One-time private keys by default (new key for each cert) to discourage pinning and reduce scope of key compromise
  • Works with any certificate authority (CA) compliant with the ACME specification RFC 8555
  • Certificate revocation (please, only if private key is compromised)
  • Must-Staple (optional; not default)
  • Cross-platform support! Mac, Windows, Linux, BSD, Android...
  • Scales to hundreds of thousands of names/certificates per instance
  • Use in conjunction with your own certificates
  • Full support for draft-ietf-acme-ari (ACME Renewal Information; ARI) extension


  1. ACME server (can be a publicly-trusted CA, or your own)
  2. Public DNS name(s) you control
  3. Server reachable from public Internet
    • Or use the DNS challenge to waive this requirement
  4. Control over port 80 (HTTP) and/or 443 (HTTPS)
    • Or they can be forwarded to other ports you control
    • Or use the DNS challenge to waive this requirement
    • (This is a requirement of the ACME protocol, not a library limitation)
  5. Persistent storage
    • Typically the local file system (default)
    • Other integrations available/possible
  6. Go 1.21 or newer

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!


$ go get github.com/caddyserver/certmagic


Package Overview
Certificate authority

This library uses Let's Encrypt by default, but you can use any certificate authority that conforms to the ACME specification. Known/common CAs are provided as consts in the package, for example LetsEncryptStagingCA and LetsEncryptProductionCA.

The Config type

The certmagic.Config struct is how you can wield the power of this fully armed and operational battle station. However, an empty/uninitialized Config is not a valid one! In time, you will learn to use the force of certmagic.NewDefault() as I have.


The default Config value is called certmagic.Default. Change its fields to suit your needs, then call certmagic.NewDefault() when you need a valid Config value. In other words, certmagic.Default is a template and is not valid for use directly.

You can set the default values easily, for example: certmagic.Default.Issuer = ....

Similarly, to configure ACME-specific defaults, use certmagic.DefaultACME.

The high-level functions in this package (HTTPS(), Listen(), ManageSync(), and ManageAsync()) use the default config exclusively. This is how most of you will interact with the package. This is suitable when all your certificates are managed the same way. However, if you need to manage certificates differently depending on their name, you will need to make your own cache and configs (keep reading).

Providing an email address

Although not strictly required, this is highly recommended best practice. It allows you to receive expiration emails if your certificates are expiring for some reason, and also allows the CA's engineers to potentially get in touch with you if something is wrong. I recommend setting certmagic.DefaultACME.Email or always setting the Email field of a new Config struct.

Rate limiting

To avoid firehosing the CA's servers, CertMagic has built-in rate limiting. Currently, its default limit is up to 10 transactions (obtain or renew) every 1 minute (sliding window). This can be changed by setting the RateLimitEvents and RateLimitEventsWindow variables, if desired.

The CA may still enforce their own rate limits, and there's nothing (well, nothing ethical) CertMagic can do to bypass them for you.

Additionally, CertMagic will retry failed validations with exponential backoff for up to 30 days, with a reasonable maximum interval between attempts (an "attempt" means trying each enabled challenge type once).

Development and Testing

Note that Let's Encrypt imposes strict rate limits at its production endpoint, so using it while developing your application may lock you out for a few days if you aren't careful!

While developing your application and testing it, use their staging endpoint which has much higher rate limits. Even then, don't hammer it: but it's much safer for when you're testing. When deploying, though, use their production CA because their staging CA doesn't issue trusted certificates.

To use staging, set certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA or set CA of every ACMEIssuer struct.


There are many ways to use this library. We'll start with the highest-level (simplest) and work down (more control).

All these high-level examples use certmagic.Default and certmagic.DefaultACME for the config and the default cache and storage for serving up certificates.

First, we'll follow best practices and do the following:

// read and agree to your CA's legal documents
certmagic.DefaultACME.Agreed = true

// provide an email address
certmagic.DefaultACME.Email = "you@yours.com"

// use the staging endpoint while we're developing
certmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA

For fully-functional program examples, check out this Twitter thread (or read it unrolled into a single post). (Note that the package API has changed slightly since these posts.)

Serving HTTP handlers with HTTPS
err := certmagic.HTTPS([]string{"example.com", "www.example.com"}, mux)
if err != nil {
	return err

This starts HTTP and HTTPS listeners and redirects HTTP to HTTPS!

Starting a TLS listener
ln, err := certmagic.Listen([]string{"example.com"})
if err != nil {
	return err
Getting a tls.Config
tlsConfig, err := certmagic.TLS([]string{"example.com"})
if err != nil {
	return err
// be sure to customize NextProtos if serving a specific
// application protocol after the TLS handshake, for example:
tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
Advanced use

For more control (particularly, if you need a different way of managing each certificate), you'll make and use a Cache and a Config like so:

// First make a pointer to a Cache as we need to reference the same Cache in
// GetConfigForCert below.
var cache *certmagic.Cache
cache = certmagic.NewCache(certmagic.CacheOptions{
	GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
		// Here we use New to get a valid Config associated with the same cache.
		// The provided Config is used as a template and will be completed with
		// any defaults that are set in the Default config.
		return certmagic.New(cache, certmagic.Config{
			// ...
		}), nil

magic := certmagic.New(cache, certmagic.Config{
	// any customizations you need go here

myACME := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
	CA:     certmagic.LetsEncryptStagingCA,
	Email:  "you@yours.com",
	Agreed: true,
	// plus any other customizations you need

magic.Issuers = []certmagic.Issuer{myACME}

// this obtains certificates or renews them if necessary
err := magic.ManageSync(context.TODO(), []string{"example.com", "sub.example.com"})
if err != nil {
	return err

// to use its certificates and solve the TLS-ALPN challenge,
// you can get a TLS config to use in a TLS listener!
tlsConfig := magic.TLSConfig()

// be sure to customize NextProtos if serving a specific
// application protocol after the TLS handshake, for example:
tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)

//// OR ////

// if you already have a TLS config you don't want to replace,
// we can simply set its GetCertificate field and append the
// TLS-ALPN challenge protocol to the NextProtos
myTLSConfig.GetCertificate = magic.GetCertificate
myTLSConfig.NextProtos = append(myTLSConfig.NextProtos, acmez.ACMETLS1Protocol)

// the HTTP challenge has to be handled by your HTTP server;
// if you don't have one, you should have disabled it earlier
// when you made the certmagic.Config
httpMux = myACME.HTTPChallengeHandler(httpMux)

Great! This example grants you much more flexibility for advanced programs. However, the vast majority of you will only use the high-level functions described earlier, especially since you can still customize them by setting the package-level Default config.

Wildcard certificates

At time of writing (December 2018), Let's Encrypt only issues wildcard certificates with the DNS challenge. You can easily enable the DNS challenge with CertMagic for numerous providers (see the relevant section in the docs).

Behind a load balancer (or in a cluster)

CertMagic runs effectively behind load balancers and/or in cluster/fleet environments. In other words, you can have 10 or 1,000 servers all serving the same domain names, all sharing certificates and OCSP staples.

To do so, simply ensure that each instance is using the same Storage. That is the sole criteria for determining whether an instance is part of a cluster.

The default Storage is implemented using the file system, so mounting the same shared folder is sufficient (see Storage for more on that)! If you need an alternate Storage implementation, feel free to use one, provided that all the instances use the same one. :)

See Storage and the associated pkg.go.dev for more information!

The ACME Challenges

This section describes how to solve the ACME challenges. Challenges are how you demonstrate to the certificate authority some control over your domain name, thus authorizing them to grant you a certificate for that name. The great innovation of ACME is that verification by CAs can now be automated, rather than having to click links in emails (who ever thought that was a good idea??).

If you're using the high-level convenience functions like HTTPS(), Listen(), or TLS(), the HTTP and/or TLS-ALPN challenges are solved for you because they also start listeners. However, if you're making a Config and you start your own server manually, you'll need to be sure the ACME challenges can be solved so certificates can be renewed.

The HTTP and TLS-ALPN challenges are the defaults because they don't require configuration from you, but they require that your server is accessible from external IPs on low ports. If that is not possible in your situation, you can enable the DNS challenge, which will disable the HTTP and TLS-ALPN challenges and use the DNS challenge exclusively.

Technically, only one challenge needs to be enabled for things to work, but using multiple is good for reliability in case a challenge is discontinued by the CA. This happened to the TLS-SNI challenge in early 2018—many popular ACME clients such as Traefik and Autocert broke, resulting in downtime for some sites, until new releases were made and patches deployed, because they used only one challenge; Caddy, however—this library's forerunner—was unaffected because it also used the HTTP challenge. If multiple challenges are enabled, they are chosen randomly to help prevent false reliance on a single challenge type. And if one fails, any remaining enabled challenges are tried before giving up.

HTTP Challenge

Per the ACME spec, the HTTP challenge requires port 80, or at least packet forwarding from port 80. It works by serving a specific HTTP response that only the genuine server would have to a normal HTTP request at a special endpoint.

If you are running an HTTP server, solving this challenge is very easy: just wrap your handler in HTTPChallengeHandler or call SolveHTTPChallenge() inside your own ServeHTTP() method.

For example, if you're using the standard library:

mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "Lookit my cool website over HTTPS!")

http.ListenAndServe(":80", myACME.HTTPChallengeHandler(mux))

If wrapping your handler is not a good solution, try this inside your ServeHTTP() instead:

magic := certmagic.NewDefault()
myACME := certmagic.NewACMEIssuer(magic, certmagic.DefaultACME)

func ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if myACME.HandleHTTPChallenge(w, r) {
		return // challenge handled; nothing else to do

If you are not running an HTTP server, you should disable the HTTP challenge or run an HTTP server whose sole job it is to solve the HTTP challenge.

TLS-ALPN Challenge

Per the ACME spec, the TLS-ALPN challenge requires port 443, or at least packet forwarding from port 443. It works by providing a special certificate using a standard TLS extension, Application Layer Protocol Negotiation (ALPN), having a special value. This is the most convenient challenge type because it usually requires no extra configuration and uses the standard TLS port which is where the certificates are used, also.

This challenge is easy to solve: just use the provided tls.Config when you make your TLS listener:

// use this to configure a TLS listener
tlsConfig := magic.TLSConfig()

Or make two simple changes to an existing tls.Config:

myTLSConfig.GetCertificate = magic.GetCertificate
myTLSConfig.NextProtos = append(myTLSConfig.NextProtos, acmez.ACMETLS1Protocol}

Then just make sure your TLS listener is listening on port 443:

ln, err := tls.Listen("tcp", ":443", myTLSConfig)
DNS Challenge

The DNS challenge is perhaps the most useful challenge because it allows you to obtain certificates without your server needing to be publicly accessible on the Internet, and it's the only challenge by which Let's Encrypt will issue wildcard certificates.

This challenge works by setting a special record in the domain's zone. To do this automatically, your DNS provider needs to offer an API by which changes can be made to domain names, and the changes need to take effect immediately for best results. CertMagic supports all DNS providers with libdns implementations! It always cleans up the temporary record after the challenge completes.

To enable it, just set the DNS01Solver field on a certmagic.ACMEIssuer struct, or set the default certmagic.ACMEIssuer.DNS01Solver variable. For example, if my domains' DNS was served by Cloudflare:

import "github.com/libdns/cloudflare"

certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
	DNSManager: certmagic.DNSManager{
		DNSProvider: &cloudflare.Provider{
			APIToken: "topsecret",

Now the DNS challenge will be used by default, and I can obtain certificates for wildcard domains, too. Enabling the DNS challenge disables the other challenges for that certmagic.ACMEIssuer instance.

On-Demand TLS

Normally, certificates are obtained and renewed before a listener starts serving, and then those certificates are maintained throughout the lifetime of the program. In other words, the certificate names are static. But sometimes you don't know all the names ahead of time, or you don't want to manage all the certificates up front. This is where On-Demand TLS shines.

Originally invented for use in Caddy (which was the first program to use such technology), On-Demand TLS makes it possible and easy to serve certificates for arbitrary or specific names during the lifetime of the server. When a TLS handshake is received, CertMagic will read the Server Name Indication (SNI) value and either load and present that certificate in the ServerHello, or if one does not exist, it will obtain it from a CA right then-and-there.

Of course, this has some obvious security implications. You don't want to DoS a CA or allow arbitrary clients to fill your storage with spammy TLS handshakes. That's why, when you enable On-Demand issuance, you should set limits or policy to allow getting certificates. CertMagic has an implicit whitelist built-in which is sufficient for nearly everyone, but also has a more advanced way to control on-demand issuance.

The simplest way to enable on-demand issuance is to set the OnDemand field of a Config (or the default package-level value):

certmagic.Default.OnDemand = new(certmagic.OnDemandConfig)

By setting this to a non-nil value, on-demand TLS is enabled for that config. For convenient security, CertMagic's high-level abstraction functions such as HTTPS(), TLS(), ManageSync(), ManageAsync(), and Listen() (which all accept a list of domain names) will whitelist those names automatically so only certificates for those names can be obtained when using the Default config. Usually this is sufficient for most users.

However, if you require advanced control over which domains can be issued certificates on-demand (for example, if you do not know which domain names you are managing, or just need to defer their operations until later), you should implement your own DecisionFunc:

// if the decision function returns an error, a certificate
// may not be obtained for that name at that time
certmagic.Default.OnDemand = &certmagic.OnDemandConfig{
	DecisionFunc: func(name string) error {
		if name != "example.com" {
			return fmt.Errorf("not allowed")
		return nil

The pkg.go.dev describes how to use this in full detail, so please check it out!


CertMagic relies on storage to store certificates and other TLS assets (OCSP staple cache, coordinating locks, etc). Persistent storage is a requirement when using CertMagic: ephemeral storage will likely lead to rate limiting on the CA-side as CertMagic will always have to get new certificates.

By default, CertMagic stores assets on the local file system in $HOME/.local/share/certmagic (and honors $XDG_DATA_HOME if set). CertMagic will create the directory if it does not exist. If writes are denied, things will not be happy, so make sure CertMagic can write to it!

The notion of a "cluster" or "fleet" of instances that may be serving the same site and sharing certificates, etc, is tied to storage. Simply, any instances that use the same storage facilities are considered part of the cluster. So if you deploy 100 instances of CertMagic behind a load balancer, they are all part of the same cluster if they share the same storage configuration. Sharing storage could be mounting a shared folder, or implementing some other distributed storage system such as a database server or KV store.

The easiest way to change the storage being used is to set certmagic.Default.Storage to a value that satisfies the Storage interface. Keep in mind that a valid Storage must be able to implement some operations atomically in order to provide locking and synchronization.

If you write a Storage implementation, please add it to the project wiki so people can find it!


All of the certificates in use are de-duplicated and cached in memory for optimal performance at handshake-time. This cache must be backed by persistent storage as described above.

Most applications will not need to interact with certificate caches directly. Usually, the closest you will come is to set the package-wide certmagic.Default.Storage variable (before attempting to create any Configs) which defines how the cache is persisted. However, if your use case requires using different storage facilities for different Configs (that's highly unlikely and NOT recommended! Even Caddy doesn't get that crazy), you will need to call certmagic.NewCache() and pass in the storage you want to use, then get new Config structs with certmagic.NewWithCache() and pass in the cache.

Again, if you're needing to do this, you've probably over-complicated your application design.


(Events are new and still experimental, so they may change.)

CertMagic emits events when possible things of interest happen. Set the OnEvent field of your Config to subscribe to events; ignore the ones you aren't interested in. Here are the events currently emitted along with their metadata you can use:

  • cached_unmanaged_cert An unmanaged certificate was cached
    • sans: The subject names on the certificate
  • cert_obtaining A certificate is about to be obtained
    • renewal: Whether this is a renewal
    • identifier: The name on the certificate
    • forced: Whether renewal is being forced (if renewal)
    • remaining: Time left on the certificate (if renewal)
    • issuer: The previous or current issuer
  • cert_obtained A certificate was successfully obtained
    • renewal: Whether this is a renewal
    • identifier: The name on the certificate
    • remaining: Time left on the certificate (if renewal)
    • issuer: The previous or current issuer
    • storage_path: The path to the folder containing the cert resources within storage
    • private_key_path: The path to the private key file in storage
    • certificate_path: The path to the public key file in storage
    • metadata_path: The path to the metadata file in storage
  • cert_failed An attempt to obtain a certificate failed
    • renewal: Whether this is a renewal
    • identifier: The name on the certificate
    • remaining: Time left on the certificate (if renewal)
    • issuers: The issuer(s) tried
    • error: The (final) error message
  • tls_get_certificate The GetCertificate phase of a TLS handshake is under way
    • client_hello: The tls.ClientHelloInfo struct
  • cert_ocsp_revoked A certificate's OCSP indicates it has been revoked
    • subjects: The subject names on the certificate
    • certificate: The Certificate struct
    • reason: The OCSP revocation reason
    • revoked_at: When the certificate was revoked

OnEvent can return an error. Some events may be aborted by returning an error. For example, returning an error from cert_obtained can cancel obtaining the certificate. Only return an error from OnEvent if you want to abort program flow.


ZeroSSL has both ACME and HTTP API services for getting certificates. CertMagic works with both of them.

To use ZeroSSL's ACME server, configure CertMagic with an ACMEIssuer like you would with any other ACME CA (just adjust the directory URL). External Account Binding (EAB) is required for ZeroSSL. You can use the ZeroSSL API to generate one, or your account dashboard.

To use ZeroSSL's API instead, use the ZeroSSLIssuer. Here is a simple example:

magic := certmagic.NewDefault()

magic.Issuers = []certmagic.Issuer{
		APIKey: "<your ZeroSSL API key>",

err := magic.ManageSync(ctx, []string{"example.com"})


Can I use some of my own certificates while using CertMagic?

Yes, just call the relevant method on the Config to add your own certificate to the cache:

Keep in mind that unmanaged certificates are (obviously) not renewed for you, so you'll have to replace them when you do. However, OCSP stapling is performed even for unmanaged certificates that qualify.

Does CertMagic obtain SAN certificates?

Technically all certificates these days are SAN certificates because CommonName is deprecated. But if you're asking whether CertMagic issues and manages certificates with multiple SANs, the answer is no. But it does support serving them, if you provide your own.

How can I listen on ports 80 and 443? Do I have to run as root?

On Linux, you can use setcap to grant your binary the permission to bind low ports:

$ sudo setcap cap_net_bind_service=+ep /path/to/your/binary

and then you will not need to run with root privileges.


We welcome your contributions! Please see our contributing guidelines for instructions.

Project History

CertMagic is the core of Caddy's advanced TLS automation code, extracted into a library. The underlying ACME client implementation is ACMEz. CertMagic's code was originally a central part of Caddy even before Let's Encrypt entered public beta in 2015.

In the years since then, Caddy's TLS automation techniques have been widely adopted, tried and tested in production, and served millions of sites and secured trillions of connections.

Now, CertMagic is the actual library used by Caddy. It's incredibly powerful and feature-rich, but also easy to use for simple Go programs: one line of code can enable fully-automated HTTPS applications with HTTP->HTTPS redirects.

Caddy is known for its robust HTTPS+ACME features. When ACME certificate authorities have had outages, in some cases Caddy was the only major client that didn't experience any downtime. Caddy can weather OCSP outages lasting days, or CA outages lasting weeks, without taking your sites offline.

Caddy was also the first to sport "on-demand" issuance technology, which obtains certificates during the first TLS handshake for an allowed SNI name.

Consequently, CertMagic brings all these (and more) features and capabilities right into your own Go programs.

You can watch a 2016 dotGo talk by the author of this library about using ACME to automate certificate management in Go programs:

Matthew Holt speaking at dotGo 2016 about ACME in Go

Credits and License

CertMagic is a project by Matthew Holt, who is the author; and various contributors, who are credited in the commit history of either CertMagic or Caddy.

CertMagic is licensed under Apache 2.0, an open source license. For convenience, its main points are summarized as follows (but this is no replacement for the actual license text):

  • The author owns the copyright to this code
  • Use, distribute, and modify the software freely
  • Private and internal use is allowed
  • License text and copyright notices must stay intact and be included with distributions
  • Any and all changes to the code must be documented



Package certmagic automates the obtaining and renewal of TLS certificates, including TLS & HTTPS best practices such as robust OCSP stapling, caching, HTTP->HTTPS redirects, and more.

Its high-level API serves your HTTP handlers over HTTPS if you simply give the domain name(s) and the http.Handler; CertMagic will create and run the HTTPS server for you, fully managing certificates during the lifetime of the server. Similarly, it can be used to start TLS listeners or return a ready-to-use tls.Config -- whatever layer you need TLS for, CertMagic makes it easy. See the HTTPS, Listen, and TLS functions for that.

If you need more control, create a Cache using NewCache() and then make a Config using New(). You can then call Manage() on the config. But if you use this lower-level API, you'll have to be sure to solve the HTTP and TLS-ALPN challenges yourself (unless you disabled them or use the DNS challenge) by using the provided Config.GetCertificate function in your tls.Config and/or Config.HTTPChallangeHandler in your HTTP handler.

See the package's README for more instruction.




View Source
const (
	LetsEncryptStagingCA    = "https://acme-staging-v02.api.letsencrypt.org/directory" // https://letsencrypt.org/docs/staging-environment/
	LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory"         // https://letsencrypt.org/getting-started/
	ZeroSSLProductionCA     = "https://acme.zerossl.com/v2/DV90"                       // https://zerossl.com/documentation/acme/
	GoogleTrustStagingCA    = "https://dv.acme-v02.test-api.pki.goog/directory"        // https://cloud.google.com/certificate-manager/docs/public-ca-tutorial
	GoogleTrustProductionCA = "https://dv.acme-v02.api.pki.goog/directory"             // https://cloud.google.com/certificate-manager/docs/public-ca-tutorial

Some well-known CA endpoints available to use. See the documentation for each service; some may require External Account Binding (EAB) and possibly payment. COMPATIBILITY NOTICE: These constants refer to external resources and are thus subject to change or removal without a major version bump.

View Source
const (
	// UseFirstIssuer uses the first issuer that
	// successfully returns a certificate.
	UseFirstIssuer = "first"

	// UseFirstRandomIssuer shuffles the list of
	// configured issuers, then uses the first one
	// that successfully returns a certificate.
	UseFirstRandomIssuer = "first_random"

Supported issuer policies. These are subject to change.

View Source
const (
	// HTTPChallengePort is the officially-designated port for
	// the HTTP challenge according to the ACME spec.
	HTTPChallengePort = 80

	// TLSALPNChallengePort is the officially-designated port for
	// the TLS-ALPN challenge according to the ACME spec.
	TLSALPNChallengePort = 443
View Source
const (
	ED25519 = KeyType("ed25519")
	P256    = KeyType("p256")
	P384    = KeyType("p384")
	RSA2048 = KeyType("rsa2048")
	RSA4096 = KeyType("rsa4096")
	RSA8192 = KeyType("rsa8192")

Constants for all key types we support.

View Source
const (
	// DefaultRenewCheckInterval is how often to check certificates for expiration.
	// Scans are very lightweight, so this can be semi-frequent. This default should
	// be smaller than <Minimum Cert Lifetime>*DefaultRenewalWindowRatio/3, which
	// gives certificates plenty of chance to be renewed on time.
	DefaultRenewCheckInterval = 10 * time.Minute

	// DefaultRenewalWindowRatio is how much of a certificate's lifetime becomes the
	// renewal window. The renewal window is the span of time at the end of the
	// certificate's validity period in which it should be renewed. A default value
	// of ~1/3 is pretty safe and recommended for most certificates.
	DefaultRenewalWindowRatio = 1.0 / 3.0

	// DefaultOCSPCheckInterval is how often to check if OCSP stapling needs updating.
	DefaultOCSPCheckInterval = 1 * time.Hour
View Source
const ClientHelloInfoCtxKey helloInfoCtxKey = "certmagic:ClientHelloInfo"

ClientHelloInfoCtxKey is the key by which the ClientHelloInfo can be extracted from a context.Context within a DecisionFunc. However, be advised that it is best practice that the decision whether to obtain a certificate is be based solely on the name, not other properties of the specific connection/client requesting the connection. For example, it is not adviseable to use a client's IP address to decide whether to allow a certificate. Instead, the ClientHello can be useful for logging, etc.


View Source
var (

	// RateLimitEvents is how many new events can be allowed
	// in RateLimitEventsWindow.
	RateLimitEvents = 10

	// RateLimitEventsWindow is the size of the sliding
	// window that throttles events.
	RateLimitEventsWindow = 10 * time.Second

These internal rate limits are designed to prevent accidentally firehosing a CA's ACME endpoints. They are not intended to replace or replicate the CA's actual rate limits.

Let's Encrypt's rate limits can be found here: https://letsencrypt.org/docs/rate-limits/

Currently (as of December 2019), Let's Encrypt's most relevant rate limit for large deployments is 300 new orders per account per 3 hours (on average, or best case, that's about 1 every 36 seconds, or 2 every 72 seconds, etc.); but it's not reasonable to try to assume that our internal state is the same as the CA's (due to process restarts, config changes, failed validations, etc.) and ultimately, only the CA's actual rate limiter is the authority. Thus, our own rate limiters do not attempt to enforce external rate limits. Doing so causes problems when the domains are not in our control (i.e. serving customer sites) and/or lots of domains fail validation: they clog our internal rate limiter and nearly starve out (or at least slow down) the other domains that need certificates. Failed transactions are already retried with exponential backoff, so adding in rate limiting can slow things down even more.

Instead, the point of our internal rate limiter is to avoid hammering the CA's endpoint when there are thousands or even millions of certificates under management. Our goal is to allow small bursts in a relatively short timeframe so as to not block any one domain for too long, without unleashing thousands of requests to the CA at once.

View Source
var (
	UserAgent   string
	HTTPTimeout = 30 * time.Second

Some default values passed down to the underlying ACME client.

View Source
var (
	// HTTPPort is the port on which to serve HTTP
	// and, as such, the HTTP challenge (unless
	// Default.AltHTTPPort is set).
	HTTPPort = 80

	// HTTPSPort is the port on which to serve HTTPS
	// and, as such, the TLS-ALPN challenge
	// (unless Default.AltTLSALPNPort is set).
	HTTPSPort = 443

Port variables must remain their defaults unless you forward packets from the defaults to whatever these are set to; otherwise ACME challenges will fail.

View Source
var AttemptsCtxKey retryStateCtxKey

AttemptsCtxKey is the context key for the value that holds the attempt counter. The value counts how many times the operation has been attempted. A value of 0 means first attempt.

View Source
var Default = Config{
	RenewalWindowRatio: DefaultRenewalWindowRatio,
	Storage:            defaultFileStorage,
	KeySource:          DefaultKeyGenerator,
	Logger:             defaultLogger,

Default contains the package defaults for the various Config fields. This is used as a template when creating your own Configs with New() or NewDefault(), and it is also used as the Config by all the high-level functions in this package that abstract away most configuration (HTTPS(), TLS(), Listen(), etc).

The fields of this value will be used for Config fields which are unset. Feel free to modify these defaults, but do not use this Config by itself: it is only a template. Valid configurations can be obtained by calling New() (if you have your own certificate cache) or NewDefault() (if you only need a single config and want to use the default cache).

Even if the Issuers or Storage fields are not set, defaults will be applied in the call to New().

View Source
var DefaultACME = ACMEIssuer{
	CA:        LetsEncryptProductionCA,
	TestCA:    LetsEncryptStagingCA,
	Logger:    defaultLogger,
	HTTPProxy: http.ProxyFromEnvironment,

DefaultACME specifies default settings to use for ACMEIssuers. Using this value is optional but can be convenient.

View Source
var DefaultKeyGenerator = StandardKeyGenerator{KeyType: P256}

DefaultKeyGenerator is the default key source.

View Source
var ErrNoOCSPServerSpecified = errors.New("no OCSP server specified in certificate")

ErrNoOCSPServerSpecified indicates that OCSP information could not be stapled because the certificate does not support OCSP.


func CleanStorage

func CleanStorage(ctx context.Context, storage Storage, opts CleanStorageOptions) error

CleanStorage removes assets which are no longer useful, according to opts.

func CleanUpOwnLocks

func CleanUpOwnLocks(ctx context.Context, logger *zap.Logger)

CleanUpOwnLocks immediately cleans up all current locks obtained by this process. Since this does not cancel the operations that the locks are synchronizing, this should be called only immediately before process exit. Errors are only reported if a logger is given.

func HTTPS

func HTTPS(domainNames []string, mux http.Handler) error

HTTPS serves mux for all domainNames using the HTTP and HTTPS ports, redirecting all HTTP requests to HTTPS. It uses the Default config and a background context.

This high-level convenience function is opinionated and applies sane defaults for production use, including timeouts for HTTP requests and responses. To allow very long-lived connections, you should make your own http.Server values and use this package's Listen(), TLS(), or Config.TLSConfig() functions to customize to your needs. For example, servers which need to support large uploads or downloads with slow clients may need to use longer timeouts, thus this function is not suitable.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.


This is the simplest way for HTTP servers to use this package. Call HTTPS() with your domain names and your handler (or nil for the http.DefaultMux), and CertMagic will do the rest.

http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "Hello, HTTPS visitor!")

err := HTTPS([]string{"example.com", "www.example.com"}, nil)
if err != nil {

func Listen

func Listen(domainNames []string) (net.Listener, error)

Listen manages certificates for domainName and returns a TLS listener. It uses the Default config.

Because this convenience function returns only a TLS-enabled listener and does not presume HTTP is also being served, the HTTP challenge will be disabled. The package variable Default is modified so that the HTTP challenge is disabled.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func LooksLikeHTTPChallenge

func LooksLikeHTTPChallenge(r *http.Request) bool

LooksLikeHTTPChallenge returns true if r looks like an ACME HTTP challenge request from an ACME server.

func LooksLikeZeroSSLHTTPValidation added in v0.21.0

func LooksLikeZeroSSLHTTPValidation(r *http.Request) bool

LooksLikeZeroSSLHTTPValidation returns true if the request appears to be domain validation from a ZeroSSL/Sectigo CA. NOTE: This API is non-standard and is subject to change.

func ManageAsync

func ManageAsync(ctx context.Context, domainNames []string) error

ManageAsync is the same as ManageSync, except that certificates are managed asynchronously. This means that the function will return before certificates are ready, and errors that occur during certificate obtain or renew operations are only logged. It is vital that you monitor the logs if using this method, which is only recommended for automated/non-interactive environments.

func ManageSync

func ManageSync(ctx context.Context, domainNames []string) error

ManageSync obtains certificates for domainNames and keeps them renewed using the Default config.

This is a slightly lower-level function; you will need to wire up support for the ACME challenges yourself. You can obtain a Config to help you do that by calling NewDefault().

You will need to ensure that you use a TLS config that gets certificates from this Config and that the HTTP and TLS-ALPN challenges can be solved. The easiest way to do this is to use NewDefault().TLSConfig() as your TLS config and to wrap your HTTP handler with NewDefault().HTTPChallengeHandler(). If you don't have an HTTP server, you will need to disable the HTTP challenge.

If you already have a TLS config you want to use, you can simply set its GetCertificate field to NewDefault().GetCertificate.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func MatchWildcard added in v0.10.5

func MatchWildcard(subject, wildcard string) bool

MatchWildcard returns true if subject (a candidate DNS name) matches wildcard (a reference DNS name), mostly according to RFC 6125-compliant wildcard rules. See also RFC 2818 which states that IP addresses must match exactly, but this function does not attempt to distinguish IP addresses from internal or external DNS names that happen to look like IP addresses. It uses DNS wildcard matching logic and is case-insensitive. https://tools.ietf.org/html/rfc2818#section-3.1

func PEMDecodePrivateKey added in v0.15.4

func PEMDecodePrivateKey(keyPEMBytes []byte) (crypto.Signer, error)

PEMDecodePrivateKey loads a PEM-encoded ECC/RSA private key from an array of bytes. Borrowed from Go standard library, to handle various private key and PEM block types.

func PEMEncodePrivateKey added in v0.15.4

func PEMEncodePrivateKey(key crypto.PrivateKey) ([]byte, error)

PEMEncodePrivateKey marshals a private key into a PEM-encoded block. The private key must be one of *ecdsa.PrivateKey, *rsa.PrivateKey, or *ed25519.PrivateKey.

func SolveHTTPChallenge added in v0.13.0

func SolveHTTPChallenge(logger *zap.Logger, w http.ResponseWriter, r *http.Request, challenge acme.Challenge) bool

SolveHTTPChallenge solves the HTTP challenge. It should be used only on HTTP requests that are from ACME servers trying to validate an identifier (i.e. LooksLikeHTTPChallenge() == true). It returns true if the request criteria check out and it answered with key authentication, in which case no further handling of the request is necessary.

func SubjectIsIP added in v0.13.0

func SubjectIsIP(subj string) bool

SubjectIsIP returns true if subj is an IP address.

func SubjectIsInternal added in v0.13.0

func SubjectIsInternal(subj string) bool

SubjectIsInternal returns true if subj is an internal-facing hostname or address, including localhost/loopback hosts. Ports are ignored, if present.

func SubjectQualifiesForCert added in v0.10.2

func SubjectQualifiesForCert(subj string) bool

SubjectQualifiesForCert returns true if subj is a name which, as a quick sanity check, looks like it could be the subject of a certificate. Requirements are: - must not be empty - must not start or end with a dot (RFC 1034; RFC 6066 section 3) - must not contain common accidental special characters

func SubjectQualifiesForPublicCert added in v0.10.1

func SubjectQualifiesForPublicCert(subj string) bool

SubjectQualifiesForPublicCert returns true if the subject name appears eligible for automagic TLS with a public CA such as Let's Encrypt. For example: internal IP addresses and localhost are not eligible because we cannot obtain certs for those names with a public CA. Wildcard names are allowed, as long as they conform to CABF requirements (only one wildcard label, and it must be the left-most label).

func TLS

func TLS(domainNames []string) (*tls.Config, error)

TLS enables management of certificates for domainNames and returns a valid tls.Config. It uses the Default config.

Because this is a convenience function that returns only a tls.Config, it does not assume HTTP is being served on the HTTP port, so the HTTP challenge is disabled (no HTTPChallengeHandler is necessary). The package variable Default is modified so that the HTTP challenge is disabled.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.


type ACMEIssuer added in v0.16.0

type ACMEIssuer struct {
	// The endpoint of the directory for the ACME
	// CA we are to use
	CA string

	// TestCA is the endpoint of the directory for
	// an ACME CA to use to test domain validation,
	// but any certs obtained from this CA are
	// discarded
	TestCA string

	// The email address to use when creating or
	// selecting an existing ACME server account
	Email string

	// The PEM-encoded private key of the ACME
	// account to use; only needed if the account
	// is already created on the server and
	// can be looked up with the ACME protocol
	AccountKeyPEM string

	// Set to true if agreed to the CA's
	// subscriber agreement
	Agreed bool

	// An optional external account to associate
	// with this ACME account
	ExternalAccount *acme.EAB

	// Optionally specify the validity period of
	// the certificate(s) here as offsets from the
	// approximate time of certificate issuance,
	// but note that not all CAs support this
	// (EXPERIMENTAL: Subject to change)
	NotBefore, NotAfter time.Duration

	// Disable all HTTP challenges
	DisableHTTPChallenge bool

	// Disable all TLS-ALPN challenges
	DisableTLSALPNChallenge bool

	// The host (ONLY the host, not port) to listen
	// on if necessary to start a listener to solve
	// an ACME challenge
	ListenHost string

	// The alternate port to use for the ACME HTTP
	// challenge; if non-empty, this port will be
	// used instead of HTTPChallengePort to spin up
	// a listener for the HTTP challenge
	AltHTTPPort int

	// The alternate port to use for the ACME
	// TLS-ALPN challenge; the system must forward
	// TLSALPNChallengePort to this port for
	// challenge to succeed
	AltTLSALPNPort int

	// The solver for the dns-01 challenge;
	// usually this is a DNS01Solver value
	// from this package
	DNS01Solver acmez.Solver

	// TrustedRoots specifies a pool of root CA
	// certificates to trust when communicating
	// over a network to a peer.
	TrustedRoots *x509.CertPool

	// The maximum amount of time to allow for
	// obtaining a certificate. If empty, the
	// default from the underlying ACME lib is
	// used. If set, it must not be too low so
	// as to cancel challenges too early.
	CertObtainTimeout time.Duration

	// Address of custom DNS resolver to be used
	// when communicating with ACME server
	Resolver string

	// Callback function that is called before a
	// new ACME account is registered with the CA;
	// it allows for last-second config changes
	// of the ACMEIssuer and the Account.
	// (TODO: this feature is still EXPERIMENTAL and subject to change)
	NewAccountFunc func(context.Context, *ACMEIssuer, acme.Account) (acme.Account, error)

	// Preferences for selecting alternate
	// certificate chains
	PreferredChains ChainPreference

	// Set a logger to configure logging; a default
	// logger must always be set; if no logging is
	// desired, set this to zap.NewNop().
	Logger *zap.Logger

	// Set a http proxy to use when issuing a certificate.
	// Default is http.ProxyFromEnvironment
	HTTPProxy func(*http.Request) (*url.URL, error)
	// contains filtered or unexported fields

ACMEIssuer gets certificates using ACME. It implements the PreChecker, Issuer, and Revoker interfaces.

It is NOT VALID to use an ACMEIssuer without calling NewACMEIssuer(). It fills in any default values from DefaultACME as well as setting up internal state that is necessary for valid use. Always call NewACMEIssuer() to get a valid ACMEIssuer value.

func NewACMEIssuer added in v0.16.0

func NewACMEIssuer(cfg *Config, template ACMEIssuer) *ACMEIssuer

NewACMEIssuer constructs a valid ACMEIssuer based on a template configuration; any empty values will be filled in by defaults in DefaultACME, and if any required values are still empty, sensible defaults will be used.

Typically, you'll create the Config first with New() or NewDefault(), then call NewACMEIssuer(), then assign the return value to the Issuers field of the Config.

func (*ACMEIssuer) GetAccount added in v0.16.0

func (am *ACMEIssuer) GetAccount(ctx context.Context, privateKeyPEM []byte) (acme.Account, error)

GetAccount first tries loading the account with the associated private key from storage. If it does not exist in storage, it will be retrieved from the ACME server and added to storage. The account must already exist; it does not create a new account.

func (*ACMEIssuer) GetRenewalInfo added in v0.21.3

func (iss *ACMEIssuer) GetRenewalInfo(ctx context.Context, cert Certificate) (acme.RenewalInfo, error)

GetRenewalInfo gets the ACME Renewal Information (ARI) for the certificate.

func (*ACMEIssuer) HTTPChallengeHandler added in v0.16.0

func (am *ACMEIssuer) HTTPChallengeHandler(h http.Handler) http.Handler

HTTPChallengeHandler wraps h in a handler that can solve the ACME HTTP challenge. cfg is required, and it must have a certificate cache backed by a functional storage facility, since that is where the challenge state is stored between initiation and solution.

If a request is not an ACME HTTP challenge, h will be invoked.

func (*ACMEIssuer) HandleHTTPChallenge added in v0.16.0

func (am *ACMEIssuer) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool

HandleHTTPChallenge uses am to solve challenge requests from an ACME server that were initiated by this instance or any other instance in this cluster (being, any instances using the same storage am does).

If the HTTP challenge is disabled, this function is a no-op.

If am is nil or if am does not have a certificate cache backed by usable storage, solving the HTTP challenge will fail.

It returns true if it handled the request; if so, the response has already been written. If false is returned, this call was a no-op and the request has not been handled.

func (*ACMEIssuer) Issue added in v0.16.0

Issue implements the Issuer interface. It obtains a certificate for the given csr using the ACME configuration am.

func (*ACMEIssuer) IssuerKey added in v0.16.0

func (am *ACMEIssuer) IssuerKey() string

IssuerKey returns the unique issuer key for the confgured CA endpoint.

func (*ACMEIssuer) PreCheck added in v0.16.0

func (am *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error

PreCheck performs a few simple checks before obtaining or renewing a certificate with ACME, and returns whether this batch is eligible for certificates. It also ensures that an email address is available if possible.

IP certificates via ACME are defined in RFC 8738.

func (*ACMEIssuer) Revoke added in v0.16.0

func (am *ACMEIssuer) Revoke(ctx context.Context, cert CertificateResource, reason int) error

Revoke implements the Revoker interface. It revokes the given certificate.

type Cache

type Cache struct {
	// contains filtered or unexported fields

Cache is a structure that stores certificates in memory. A Cache indexes certificates by name for quick access during TLS handshakes, and avoids duplicating certificates in memory. Generally, there should only be one per process. However, that is not a strict requirement; but using more than one is a code smell, and may indicate an over-engineered design.

An empty cache is INVALID and must not be used. Be sure to call NewCache to get a valid value.

These should be very long-lived values and must not be copied. Before all references leave scope to be garbage collected, ensure you call Stop() to stop maintenance on the certificates stored in this cache and release locks.

Caches are not usually manipulated directly; create a Config value with a pointer to a Cache, and then use the Config to interact with the cache. Caches are agnostic of any particular storage or ACME config, since each certificate may be managed and stored differently.

func NewCache

func NewCache(opts CacheOptions) *Cache

NewCache returns a new, valid Cache for efficiently accessing certificates in memory. It also begins a maintenance goroutine to tend to the certificates in the cache. Call Stop() when you are done with the cache so it can clean up locks and stuff.

Most users of this package will not need to call this because a default certificate cache is created for you. Only advanced use cases require creating a new cache.

This function panics if opts.GetConfigForCert is not set. The reason is that a cache absolutely needs to be able to get a Config with which to manage TLS assets, and it is not safe to assume that the Default config is always the correct one, since you have created the cache yourself.

See the godoc for Cache to use it properly. When no longer needed, caches should be stopped with Stop() to clean up resources even if the process is being terminated, so that it can clean up any locks for other processes to unblock!

func (*Cache) AllMatchingCertificates

func (certCache *Cache) AllMatchingCertificates(name string) []Certificate

AllMatchingCertificates returns a list of all certificates that could be used to serve the given SNI name, including exact SAN matches and wildcard matches.

func (*Cache) Remove added in v0.19.0

func (certCache *Cache) Remove(hashes []string)

Remove removes certificates with the given hashes from the cache. This is effectively used to unload manually-loaded certificates.

func (*Cache) RemoveManaged added in v0.19.0

func (certCache *Cache) RemoveManaged(subjects []SubjectIssuer)

RemoveManaged removes managed certificates for the given subjects from the cache. This effectively stops maintenance of those certificates. If an IssuerKey is specified alongside the subject, only certificates for that subject from the specified issuer will be removed.

func (*Cache) RenewManagedCertificates

func (certCache *Cache) RenewManagedCertificates(ctx context.Context) error

RenewManagedCertificates renews managed certificates, including ones loaded on-demand. Note that this is done automatically on a regular basis; normally you will not need to call this. This method assumes non-interactive mode (i.e. operating in the background).

func (*Cache) SetOptions added in v0.19.0

func (certCache *Cache) SetOptions(opts CacheOptions)

func (*Cache) Stop

func (certCache *Cache) Stop()

Stop stops the maintenance goroutine for certificates in certCache. It blocks until stopping is complete. Once a cache is stopped, it cannot be reused.

type CacheOptions

type CacheOptions struct {
	// REQUIRED. A function that returns a configuration
	// used for managing a certificate, or for accessing
	// that certificate's asset storage (e.g. for
	// OCSP staples, etc). The returned Config MUST
	// be associated with the same Cache as the caller,
	// use New to obtain a valid Config.
	// The reason this is a callback function, dynamically
	// returning a Config (instead of attaching a static
	// pointer to a Config on each certificate) is because
	// the config for how to manage a domain's certificate
	// might change from maintenance to maintenance. The
	// cache is so long-lived, we cannot assume that the
	// host's situation will always be the same; e.g. the
	// certificate might switch DNS providers, so the DNS
	// challenge (if used) would need to be adjusted from
	// the last time it was run ~8 weeks ago.
	GetConfigForCert ConfigGetter

	// How often to check certificates for renewal;
	// if unset, DefaultOCSPCheckInterval will be used.
	OCSPCheckInterval time.Duration

	// How often to check certificates for renewal;
	// if unset, DefaultRenewCheckInterval will be used.
	RenewCheckInterval time.Duration

	// Maximum number of certificates to allow in the cache.
	// If reached, certificates will be randomly evicted to
	// make room for new ones. 0 means unlimited.
	Capacity int

	// Set a logger to enable logging
	Logger *zap.Logger

CacheOptions is used to configure certificate caches. Once a cache has been created with certain options, those settings cannot be changed.

type Certificate

type Certificate struct {

	// Names is the list of subject names this
	// certificate is signed for.
	Names []string

	// Optional; user-provided, and arbitrary.
	Tags []string
	// contains filtered or unexported fields

Certificate is a tls.Certificate with associated metadata tacked on. Even if the metadata can be obtained by parsing the certificate, we are more efficient by extracting the metadata onto this struct, but at the cost of slightly higher memory use.

func DefaultCertificateSelector added in v0.10.7

func DefaultCertificateSelector(hello *tls.ClientHelloInfo, choices []Certificate) (Certificate, error)

DefaultCertificateSelector is the default certificate selection logic given a choice of certificates. If there is at least one certificate in choices, it always returns a certificate without error. It chooses the first non-expired certificate that the client supports if possible, otherwise it returns an expired certificate that the client supports, otherwise it just returns the first certificate in the list of choices.

func (Certificate) Empty added in v0.15.4

func (cert Certificate) Empty() bool

Empty returns true if the certificate struct is not filled out; at least the tls.Certificate.Certificate field is expected to be set.

func (Certificate) Expired added in v0.12.0

func (cert Certificate) Expired() bool

Expired returns true if the certificate has expired.

func (Certificate) HasTag added in v0.10.7

func (cert Certificate) HasTag(tag string) bool

HasTag returns true if cert.Tags has tag.

func (Certificate) Hash added in v0.19.0

func (cert Certificate) Hash() string

Hash returns a checksum of the certificate chain's DER-encoded bytes.

func (Certificate) NeedsRenewal

func (cert Certificate) NeedsRenewal(cfg *Config) bool

NeedsRenewal returns true if the certificate is expiring soon (according to ARI and/or cfg) or has expired.

type CertificateResource

type CertificateResource struct {
	// The list of names on the certificate;
	// for convenience only.
	SANs []string `json:"sans,omitempty"`

	// The PEM-encoding of DER-encoded ASN.1 data
	// for the cert or chain.
	CertificatePEM []byte `json:"-"`

	// The PEM-encoding of the certificate's private key.
	PrivateKeyPEM []byte `json:"-"`

	// Any extra information associated with the certificate,
	// usually provided by the issuer implementation.
	IssuerData json.RawMessage `json:"issuer_data,omitempty"`
	// contains filtered or unexported fields

CertificateResource associates a certificate with its private key and other useful information, for use in maintaining the certificate.

func (*CertificateResource) NamesKey

func (cr *CertificateResource) NamesKey() string

NamesKey returns the list of SANs as a single string, truncated to some ridiculously long size limit. It can act as a key for the set of names on the resource.

type CertificateSelector

type CertificateSelector interface {
	SelectCertificate(*tls.ClientHelloInfo, []Certificate) (Certificate, error)

CertificateSelector is a type which can select a certificate to use given multiple choices.

type ChainPreference added in v0.13.0

type ChainPreference struct {
	// Prefer chains with the fewest number of bytes.
	Smallest *bool

	// Select first chain having a root with one of
	// these common names.
	RootCommonName []string

	// Select first chain that has any issuer with one
	// of these common names.
	AnyCommonName []string

ChainPreference describes the client's preferred certificate chain, useful if the CA offers alternate chains. The first matching chain will be selected.

type Challenge added in v0.13.0

type Challenge struct {
	// contains filtered or unexported fields

Challenge is an ACME challenge, but optionally paired with data that can make it easier or more efficient to solve.

func GetACMEChallenge added in v0.13.0

func GetACMEChallenge(identifier string) (Challenge, bool)

GetACMEChallenge returns an active ACME challenge for the given identifier, or false if no active challenge for that identifier is known.

type CleanStorageOptions

type CleanStorageOptions struct {
	// Optional custom logger.
	Logger *zap.Logger

	// Optional ID of the instance initiating the cleaning.
	InstanceID string

	// If set, cleaning will be skipped if it was performed
	// more recently than this interval.
	Interval time.Duration

	// Whether to clean cached OCSP staples.
	OCSPStaples bool

	// Whether to cleanup expired certificates, and if so,
	// how long to let them stay after they've expired.
	ExpiredCerts           bool
	ExpiredCertGracePeriod time.Duration

CleanStorageOptions specifies how to clean up a storage unit.

type Config

type Config struct {
	// How much of a certificate's lifetime becomes the
	// renewal window, which is the span of time at the
	// end of the certificate's validity period in which
	// it should be renewed; for most certificates, the
	// global default is good, but for extremely short-
	// lived certs, you may want to raise this to ~0.5.
	// Ratio is remaining:total lifetime.
	RenewalWindowRatio float64

	// An optional event callback clients can set
	// to subscribe to certain things happening
	// internally by this config; invocations are
	// synchronous, so make them return quickly!
	// Functions should honor context cancellation.
	// An error should only be returned to advise
	// the emitter to abort or cancel an upcoming
	// event. Some events, especially those that have
	// already happened, cannot be aborted. For example,
	// cert_obtaining can be canceled, but
	// cert_obtained cannot. Emitters may choose to
	// ignore returned errors.
	OnEvent func(ctx context.Context, event string, data map[string]any) error

	// DefaultServerName specifies a server name
	// to use when choosing a certificate if the
	// ClientHello's ServerName field is empty.
	DefaultServerName string

	// FallbackServerName specifies a server name
	// to use when choosing a certificate if the
	// ClientHello's ServerName field doesn't match
	// any available certificate.
	// EXPERIMENTAL: Subject to change or removal.
	FallbackServerName string

	// The state needed to operate on-demand TLS;
	// if non-nil, on-demand TLS is enabled and
	// certificate operations are deferred to
	// TLS handshakes (or as-needed).
	// TODO: Can we call this feature "Reactive/Lazy/Passive TLS" instead?
	OnDemand *OnDemandConfig

	// Adds the must staple TLS extension to the CSR.
	MustStaple bool

	// Sources for getting new, managed certificates;
	// the default Issuer is ACMEIssuer. If multiple
	// issuers are specified, they will be tried in
	// turn until one succeeds.
	Issuers []Issuer

	// How to select which issuer to use.
	// Default: UseFirstIssuer (subject to change).
	IssuerPolicy IssuerPolicy

	// If true, private keys already existing in storage
	// will be reused. Otherwise, a new key will be
	// created for every new certificate to mitigate
	// pinning and reduce the scope of key compromise.
	// Default: false (do not reuse keys).
	ReusePrivateKeys bool

	// The source of new private keys for certificates;
	// the default KeySource is StandardKeyGenerator.
	KeySource KeyGenerator

	// CertSelection chooses one of the certificates
	// with which the ClientHello will be completed;
	// if not set, DefaultCertificateSelector will
	// be used.
	CertSelection CertificateSelector

	// OCSP configures how OCSP is handled. By default,
	// OCSP responses are fetched for every certificate
	// with a responder URL, and cached on disk. Changing
	// these defaults is STRONGLY discouraged unless you
	// have a compelling reason to put clients at greater
	// risk and reduce their privacy.

	// The storage to access when storing or loading
	// TLS assets. Default is the local file system.
	Storage Storage

	// CertMagic will verify the storage configuration
	// is acceptable before obtaining a certificate
	// to avoid information loss after an expensive
	// operation. If you are absolutely 100% sure your
	// storage is properly configured and has sufficient
	// space, you can disable this check to reduce I/O
	// if that is expensive for you.
	// EXPERIMENTAL: Subject to change or removal.
	DisableStorageCheck bool

	// SubjectTransformer is a hook that can transform the
	// subject (SAN) of a certificate being loaded or issued.
	// For example, a common use case is to replace the
	// left-most label with an asterisk (*) to become a
	// wildcard certificate.
	// EXPERIMENTAL: Subject to change or removal.
	SubjectTransformer func(ctx context.Context, domain string) string

	// Set a logger to enable logging. If not set,
	// a default logger will be created.
	Logger *zap.Logger
	// contains filtered or unexported fields

Config configures a certificate manager instance. An empty Config is not valid: use New() to obtain a valid Config.

func New

func New(certCache *Cache, cfg Config) *Config

New makes a new, valid config based on cfg and uses the provided certificate cache. certCache MUST NOT be nil or this function will panic.

Use this method when you have an advanced use case that requires a custom certificate cache and config that may differ from the Default. For example, if not all certificates are managed/renewed the same way, you need to make your own Cache value with a GetConfigForCert callback that returns the correct configuration for each certificate. However, for the vast majority of cases, there will be only a single Config, thus the default cache (which always uses the default Config) and default config will suffice, and you should use NewDefault() instead.

func NewDefault

func NewDefault() *Config

NewDefault makes a valid config based on the package Default config. Most users will call this function instead of New() since most use cases require only a single config for any and all certificates.

If your requirements are more advanced (for example, multiple configs depending on the certificate), then use New() instead. (You will need to make your own Cache first.) If you only need a single Config to manage your certs (even if that config changes, as long as it is the only one), customize the Default package variable before calling NewDefault().

All calls to NewDefault() will return configs that use the same, default certificate cache. All configs returned by NewDefault() are based on the values of the fields of Default at the time it is called.

This is the only way to get a config that uses the default certificate cache.

func (*Config) CacheManagedCertificate

func (cfg *Config) CacheManagedCertificate(ctx context.Context, domain string) (Certificate, error)

CacheManagedCertificate loads the certificate for domain into the cache, from the TLS storage for managed certificates. It returns a copy of the Certificate that was put into the cache.

This is a lower-level method; normally you'll call Manage() instead.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMBytes

func (cfg *Config) CacheUnmanagedCertificatePEMBytes(ctx context.Context, certBytes, keyBytes []byte, tags []string) (string, error)

CacheUnmanagedCertificatePEMBytes makes a certificate out of the PEM bytes of the certificate and key, then caches it in memory, and returns the hash, which is useful for removing from the cache.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMFile

func (cfg *Config) CacheUnmanagedCertificatePEMFile(ctx context.Context, certFile, keyFile string, tags []string) (string, error)

CacheUnmanagedCertificatePEMFile loads a certificate for host using certFile and keyFile, which must be in PEM format. It stores the certificate in the in-memory cache and returns the hash, useful for removing from the cache.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedTLSCertificate

func (cfg *Config) CacheUnmanagedTLSCertificate(ctx context.Context, tlsCert tls.Certificate, tags []string) (string, error)

CacheUnmanagedTLSCertificate adds tlsCert to the certificate cache

and returns the hash, useful for removing from the cache.

It staples OCSP if possible.

This method is safe for concurrent use.

func (*Config) ClientCredentials added in v0.13.0

func (cfg *Config) ClientCredentials(ctx context.Context, identifiers []string) ([]tls.Certificate, error)

ClientCredentials returns a list of TLS client certificate chains for the given identifiers. The return value can be used in a tls.Config to enable client authentication using managed certificates. Any certificates that need to be obtained or renewed for these identifiers will be managed accordingly.

func (*Config) GetCertificate

func (cfg *Config) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate gets a certificate to satisfy clientHello. In getting the certificate, it abides the rules and settings defined in the Config that matches clientHello.ServerName. It tries to get certificates in this order:

1. Exact match in the in-memory cache 2. Wildcard match in the in-memory cache 3. Managers (if any) 4. Storage (if on-demand is enabled) 5. Issuers (if on-demand is enabled)

This method is safe for use as a tls.Config.GetCertificate callback.

GetCertificate will run in a new context, use GetCertificateWithContext to provide a context.

func (*Config) GetCertificateWithContext added in v0.18.0

func (cfg *Config) GetCertificateWithContext(ctx context.Context, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

func (*Config) ManageAsync

func (cfg *Config) ManageAsync(ctx context.Context, domainNames []string) error

ManageAsync is the same as ManageSync, except that ACME operations are performed asynchronously (in the background). This method returns before certificates are ready. It is crucial that the administrator monitors the logs and is notified of any errors so that corrective action can be taken as soon as possible. Any errors returned from this method occurred before ACME transactions started.

As long as logs are monitored, this method is typically recommended for non-interactive environments.

If there are failures loading, obtaining, or renewing a certificate, it will be retried with exponential backoff for up to about 30 days, with a maximum interval of about 24 hours. Cancelling ctx will cancel retries and shut down any goroutines spawned by ManageAsync.

func (*Config) ManageSync

func (cfg *Config) ManageSync(ctx context.Context, domainNames []string) error

ManageSync causes the certificates for domainNames to be managed according to cfg. If cfg.OnDemand is not nil, then this simply allowlists the domain names and defers the certificate operations to when they are needed. Otherwise, the certificates for each name are loaded from storage or obtained from the CA if not already in the cache associated with the Config. If loaded from storage, they are renewed if they are expiring or expired. It then caches the certificate in memory and is prepared to serve them up during TLS handshakes. To change how an already-loaded certificate is managed, update the cache options relating to getting a config for a cert.

Note that name allowlisting for on-demand management only takes effect if cfg.OnDemand.DecisionFunc is not set (is nil); it will not overwrite an existing DecisionFunc, nor will it overwrite its decision; i.e. the implicit allowlist is only used if no DecisionFunc is set.

This method is synchronous, meaning that certificates for all domainNames must be successfully obtained (or renewed) before it returns. It returns immediately on the first error for any of the given domainNames. This behavior is recommended for interactive use (i.e. when an administrator is present) so that errors can be reported and fixed immediately.

func (*Config) ObtainCertAsync added in v0.14.0

func (cfg *Config) ObtainCertAsync(ctx context.Context, name string) error

ObtainCertAsync is the same as ObtainCertSync(), except it runs in the background; i.e. non-interactively, and with retries if it fails.

func (*Config) ObtainCertSync added in v0.14.0

func (cfg *Config) ObtainCertSync(ctx context.Context, name string) error

ObtainCertSync generates a new private key and obtains a certificate for name using cfg in the foreground; i.e. interactively and without retries. It stows the renewed certificate and its assets in storage if successful. It DOES NOT load the certificate into the in-memory cache. This method is a no-op if storage already has a certificate for name.

func (*Config) RenewCertAsync added in v0.14.0

func (cfg *Config) RenewCertAsync(ctx context.Context, name string, force bool) error

RenewCertAsync is the same as RenewCertSync(), except it runs in the background; i.e. non-interactively, and with retries if it fails.

func (*Config) RenewCertSync added in v0.14.0

func (cfg *Config) RenewCertSync(ctx context.Context, name string, force bool) error

RenewCertSync renews the certificate for name using cfg in the foreground; i.e. interactively and without retries. It stows the renewed certificate and its assets in storage if successful. It DOES NOT update the in-memory cache with the new certificate. The certificate will not be renewed if it is not close to expiring unless force is true.

func (*Config) RevokeCert

func (cfg *Config) RevokeCert(ctx context.Context, domain string, reason int, interactive bool) error

RevokeCert revokes the certificate for domain via ACME protocol. It requires that cfg.Issuers is properly configured with the same issuer that issued the certificate being revoked. See RFC 5280 §5.3.1 for reason codes.

The certificate assets are deleted from storage after successful revocation to prevent reuse.

func (*Config) TLSConfig

func (cfg *Config) TLSConfig() *tls.Config

TLSConfig is an opinionated method that returns a recommended, modern TLS configuration that can be used to configure TLS listeners. Aside from safe, modern defaults, this method sets two critical fields on the TLS config which are required to enable automatic certificate management: GetCertificate and NextProtos.

The GetCertificate field is necessary to get certificates from memory or storage, including both manual and automated certificates. You should only change this field if you know what you are doing.

The NextProtos field is pre-populated with a special value to enable solving the TLS-ALPN ACME challenge. Because this method does not assume any particular protocols after the TLS handshake is completed, you will likely need to customize the NextProtos field by prepending your application's protocols to the slice. For example, to serve HTTP, you will need to prepend "h2" and "http/1.1" values. Be sure to leave the acmez.ACMETLS1Protocol value intact, however, or TLS-ALPN challenges will fail (which may be acceptable if you are not using ACME, or specifically, the TLS-ALPN challenge).

Unlike the package TLS() function, this method does not, by itself, enable certificate management for any domain names.

type ConfigGetter

type ConfigGetter func(Certificate) (*Config, error)

ConfigGetter is a function that returns a prepared, valid config that should be used when managing the given certificate or its assets.

type DNS01Solver added in v0.12.0

type DNS01Solver struct {

DNS01Solver is a type that makes libdns providers usable as ACME dns-01 challenge solvers. See https://github.com/libdns/libdns

Note that challenges may be solved concurrently by some clients (such as acmez, which CertMagic uses), meaning that multiple TXT records may be created in a DNS zone simultaneously, and in some cases distinct TXT records may have the same name. For example, solving challenges for both example.com and *.example.com create a TXT record named _acme_challenge.example.com, but with different tokens as their values. This solver distinguishes between different records with the same name by looking at their values. DNS provider APIs and implementations of the libdns interfaces must also support multiple same-named TXT records.

func (*DNS01Solver) CleanUp added in v0.12.0

func (s *DNS01Solver) CleanUp(ctx context.Context, challenge acme.Challenge) error

CleanUp deletes the DNS TXT record created in Present().

We ignore the context because cleanup is often/likely performed after a context cancellation, and properly-implemented DNS providers should honor cancellation, which would result in cleanup being aborted. Cleanup must always occur.

func (*DNS01Solver) Present added in v0.12.0

func (s *DNS01Solver) Present(ctx context.Context, challenge acme.Challenge) error

Present creates the DNS TXT record for the given ACME challenge.

func (*DNS01Solver) Wait added in v0.12.0

func (s *DNS01Solver) Wait(ctx context.Context, challenge acme.Challenge) error

Wait blocks until the TXT record created in Present() appears in authoritative lookups, i.e. until it has propagated, or until timeout, whichever is first.

type DNSManager added in v0.21.0

type DNSManager struct {
	// The implementation that interacts with the DNS
	// provider to set or delete records. (REQUIRED)
	DNSProvider DNSProvider

	// The TTL for the temporary challenge records.
	TTL time.Duration

	// How long to wait before starting propagation checks.
	// Default: 0 (no wait).
	PropagationDelay time.Duration

	// Maximum time to wait for temporary DNS record to appear.
	// Set to -1 to disable propagation checks.
	// Default: 2 minutes.
	PropagationTimeout time.Duration

	// Preferred DNS resolver(s) to use when doing DNS lookups.
	Resolvers []string

	// Override the domain to set the TXT record on. This is
	// to delegate the challenge to a different domain. Note
	// that the solver doesn't follow CNAME/NS record.
	OverrideDomain string

	// An optional logger.
	Logger *zap.Logger
	// contains filtered or unexported fields

DNSManager is a type that makes libdns providers usable for performing DNS verification. See https://github.com/libdns/libdns

Note that records may be manipulated concurrently by some clients (such as acmez, which CertMagic uses), meaning that multiple records may be created in a DNS zone simultaneously, and in some cases distinct records of the same type may have the same name. For example, solving ACME challenges for both example.com and *.example.com create a TXT record named _acme_challenge.example.com, but with different tokens as their values. This solver distinguishes between different records with the same type and name by looking at their values.

type DNSProvider added in v0.21.0

type DNSProvider interface {

DNSProvider defines the set of operations required for ACME challenges or other sorts of domain verification. A DNS provider must be able to append and delete records in order to solve ACME challenges. Find one you can use at https://github.com/libdns. If your provider isn't implemented yet, feel free to contribute!

type ErrNoRetry

type ErrNoRetry struct{ Err error }

ErrNoRetry is an error type which signals to stop retries early.

func (ErrNoRetry) Error

func (e ErrNoRetry) Error() string

func (ErrNoRetry) Unwrap

func (e ErrNoRetry) Unwrap() error

Unwrap makes it so that e wraps e.Err.

type FileStorage

type FileStorage struct {
	Path string

FileStorage facilitates forming file paths derived from a root directory. It is used to get file paths in a consistent, cross-platform way or persisting ACME assets on the file system. The presence of a lock file for a given key indicates a lock is held and is thus unavailable.

Locks are created atomically by relying on the file system to enforce the O_EXCL flag. Acquirers that are forcefully terminated will not have a chance to clean up their locks before they exit, so locks may become stale. That is why, while a lock is actively held, the contents of the lockfile are updated with the current timestamp periodically. If another instance tries to acquire the lock but fails, it can see if the timestamp within is still fresh. If so, it patiently waits by polling occasionally. Otherwise, the stale lockfile is deleted, essentially forcing an unlock.

While locking is atomic, unlocking is not perfectly atomic. File systems offer native atomic operations when creating files, but not necessarily when deleting them. It is theoretically possible for two instances to discover the same stale lock and both proceed to delete it, but if one instance is able to delete the lockfile and create a new one before the other one calls delete, then the new lock file created by the first instance will get deleted by mistake. This does mean that mutual exclusion is not guaranteed to be perfectly enforced in the presence of stale locks. One alternative is to lock the unlock operation by using ".unlock" files; and we did this for some time, but those files themselves may become stale, leading applications into infinite loops if they always expect the unlock file to be deleted by the instance that created it. We instead prefer the simpler solution that implies imperfect mutual exclusion if locks become stale, but that is probably less severe a consequence than infinite loops.

See https://github.com/caddyserver/caddy/issues/4448 for discussion. See commit 468bfd25e452196b140148928cdd1f1a2285ae4b for where we switched away from using .unlock files.

func (*FileStorage) Delete

func (s *FileStorage) Delete(_ context.Context, key string) error

Delete deletes the value at key.

func (*FileStorage) Exists

func (s *FileStorage) Exists(_ context.Context, key string) bool

Exists returns true if key exists in s.

func (*FileStorage) Filename

func (s *FileStorage) Filename(key string) string

Filename returns the key as a path on the file system prefixed by s.Path.

func (*FileStorage) List

func (s *FileStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error)

List returns all keys that match prefix.

func (*FileStorage) Load

func (s *FileStorage) Load(_ context.Context, key string) ([]byte, error)

Load retrieves the value at key.

func (*FileStorage) Lock

func (s *FileStorage) Lock(ctx context.Context, name string) error

Lock obtains a lock named by the given name. It blocks until the lock can be obtained or an error is returned.

func (*FileStorage) Stat

func (s *FileStorage) Stat(_ context.Context, key string) (KeyInfo, error)

Stat returns information about key.

func (*FileStorage) Store

func (s *FileStorage) Store(_ context.Context, key string, value []byte) error

Store saves value at key.

func (*FileStorage) String

func (s *FileStorage) String() string

func (*FileStorage) Unlock

func (s *FileStorage) Unlock(_ context.Context, name string) error

Unlock releases the lock for name.

type IssuedCertificate

type IssuedCertificate struct {
	// The PEM-encoding of DER-encoded ASN.1 data.
	Certificate []byte

	// Any extra information to serialize alongside the
	// certificate in storage. It MUST be serializable
	// as JSON in order to be preserved.
	Metadata any

IssuedCertificate represents a certificate that was just issued.

type Issuer

type Issuer interface {
	// Issue obtains a certificate for the given CSR. It
	// must honor context cancellation if it is long-running.
	// It can also use the context to find out if the current
	// call is part of a retry, via AttemptsCtxKey.
	Issue(ctx context.Context, request *x509.CertificateRequest) (*IssuedCertificate, error)

	// IssuerKey must return a string that uniquely identifies
	// this particular configuration of the Issuer such that
	// any certificates obtained by this Issuer will be treated
	// as identical if they have the same SANs.
	// Certificates obtained from Issuers with the same IssuerKey
	// will overwrite others with the same SANs. For example, an
	// Issuer might be able to obtain certificates from different
	// CAs, say A and B. It is likely that the CAs have different
	// use cases and purposes (e.g. testing and production), so
	// their respective certificates should not overwrite eaach
	// other.
	IssuerKey() string

Issuer is a type that can issue certificates.

type IssuerPolicy added in v0.18.1

type IssuerPolicy string

IssuerPolicy is a type that enumerates how to choose which issuer to use. EXPERIMENTAL and subject to change.

type KeyBuilder

type KeyBuilder struct{}

KeyBuilder provides a namespace for methods that build keys and key prefixes, for addressing items in a Storage implementation.

var StorageKeys KeyBuilder

StorageKeys provides methods for accessing keys and key prefixes for items in a Storage. Typically, you will not need to use this because accessing storage is abstracted away for most cases. Only use this if you need to directly access TLS assets in your application.

func (KeyBuilder) CertsPrefix

func (keys KeyBuilder) CertsPrefix(issuerKey string) string

CertsPrefix returns the storage key prefix for the given certificate issuer.

func (KeyBuilder) CertsSitePrefix

func (keys KeyBuilder) CertsSitePrefix(issuerKey, domain string) string

CertsSitePrefix returns a key prefix for items associated with the site given by domain using the given issuer key.

func (KeyBuilder) OCSPStaple

func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string

OCSPStaple returns a key for the OCSP staple associated with the given certificate. If you have the PEM bundle handy, pass that in to save an extra encoding step.

func (KeyBuilder) Safe

func (keys KeyBuilder) Safe(str string) string

Safe standardizes and sanitizes str for use as a single component of a storage key. This method is idempotent.

func (KeyBuilder) SiteCert

func (keys KeyBuilder) SiteCert(issuerKey, domain string) string

SiteCert returns the path to the certificate file for domain that is associated with the issuer with the given issuerKey.

func (KeyBuilder) SiteMeta

func (keys KeyBuilder) SiteMeta(issuerKey, domain string) string

SiteMeta returns the path to the metadata file for domain that is associated with the certificate from the given issuer with the given issuerKey.

func (KeyBuilder) SitePrivateKey

func (keys KeyBuilder) SitePrivateKey(issuerKey, domain string) string

SitePrivateKey returns the path to the private key file for domain that is associated with the certificate from the given issuer with the given issuerKey.

type KeyGenerator

type KeyGenerator interface {
	// GenerateKey generates a private key. The returned
	// PrivateKey must be able to expose its associated
	// public key.
	GenerateKey() (crypto.PrivateKey, error)

KeyGenerator can generate a private key.

type KeyInfo

type KeyInfo struct {
	Key        string
	Modified   time.Time
	Size       int64
	IsTerminal bool // false for directories (keys that act as prefix for other keys)

KeyInfo holds information about a key in storage. Key and IsTerminal are required; Modified and Size are optional if the storage implementation is not able to get that information. Setting them will make certain operations more consistent or predictable, but it is not crucial to basic functionality.

type KeyType

type KeyType string

KeyType enumerates the known/supported key types.

type Locker

type Locker interface {
	// Lock acquires the lock for name, blocking until the lock
	// can be obtained or an error is returned. Only one lock
	// for the given name can exist at a time. A call to Lock for
	// a name which already exists blocks until the named lock
	// is released or becomes stale.
	// If the named lock represents an idempotent operation, callers
	// should always check to make sure the work still needs to be
	// completed after acquiring the lock. You never know if another
	// process already completed the task while you were waiting to
	// acquire it.
	// Implementations should honor context cancellation.
	Lock(ctx context.Context, name string) error

	// Unlock releases named lock. This method must ONLY be called
	// after a successful call to Lock, and only after the critical
	// section is finished, even if it errored or timed out. Unlock
	// cleans up any resources allocated during Lock. Unlock should
	// only return an error if the lock was unable to be released.
	Unlock(ctx context.Context, name string) error

Locker facilitates synchronization across machines and networks. It essentially provides a distributed named-mutex service so that multiple consumers can coordinate tasks and share resources.

If possible, a Locker should implement a coordinated distributed locking mechanism by generating fencing tokens (see https://martin.kleppmann.com/2016/02/08/how-to-do-distributed-locking.html). This typically requires a central server or consensus algorithm However, if that is not feasible, Lockers may implement an alternative mechanism that uses timeouts to detect node or network failures and avoid deadlocks. For example, the default FileStorage writes a timestamp to the lock file every few seconds, and if another node acquiring the lock sees that timestamp is too old, it may assume the lock is stale.

As not all Locker implementations use fencing tokens, code relying upon Locker must be tolerant of some mis-synchronizations but can expect them to be rare.

This interface should only be used for coordinating expensive operations across nodes in a cluster; not for internal, extremely short-lived, or high-contention locks.

type Manager added in v0.16.0

type Manager interface {
	// GetCertificate returns the certificate to use to complete the handshake.
	// Since this is called during every TLS handshake, it must be very fast and not block.
	// Returning any non-nil value indicates that this Manager manages a certificate
	// for the described handshake. Returning (nil, nil) is valid and is simply treated as
	// a no-op Return (nil, nil) when the Manager has no certificate for this handshake.
	// Return an error or a certificate only if the Manager is supposed to get a certificate
	// for this handshake. Returning (nil, nil) other Managers or Issuers to try to get
	// a certificate for the handshake.
	GetCertificate(context.Context, *tls.ClientHelloInfo) (*tls.Certificate, error)

Manager is a type that manages certificates (keeps them renewed) such that we can get certificates during TLS handshakes to immediately serve to clients.

TODO: This is an EXPERIMENTAL API. It is subject to change/removal.

type OCSPConfig added in v0.13.0

type OCSPConfig struct {
	// Disable automatic OCSP stapling; strongly
	// discouraged unless you have a good reason.
	// Disabling this puts clients at greater risk
	// and reduces their privacy.
	DisableStapling bool

	// A map of OCSP responder domains to replacement
	// domains for querying OCSP servers. Used for
	// overriding the OCSP responder URL that is
	// embedded in certificates. Mapping to an empty
	// URL will disable OCSP from that responder.
	ResponderOverrides map[string]string

	// Optionally specify a function that can return the URL
	// for an HTTP proxy to use for OCSP-related HTTP requests.
	HTTPProxy func(*http.Request) (*url.URL, error)

OCSPConfig configures how OCSP is handled.

type OnDemandConfig

type OnDemandConfig struct {
	// If set, this function will be called to determine
	// whether a certificate can be obtained or renewed
	// for the given name. If an error is returned, the
	// request will be denied.
	DecisionFunc func(ctx context.Context, name string) error

	// Sources for getting new, unmanaged certificates.
	// They will be invoked only during TLS handshakes
	// before on-demand certificate management occurs,
	// for certificates that are not already loaded into
	// the in-memory cache.
	// TODO: EXPERIMENTAL: subject to change and/or removal.
	Managers []Manager
	// contains filtered or unexported fields

OnDemandConfig configures on-demand TLS (certificate operations as-needed, like during TLS handshakes, rather than immediately).

When this package's high-level convenience functions are used (HTTPS, Manage, etc., where the Default config is used as a template), this struct regulates certificate operations using an implicit whitelist containing the names passed into those functions if no DecisionFunc is set. This ensures some degree of control by default to avoid certificate operations for aribtrary domain names. To override this whitelist, manually specify a DecisionFunc. To impose rate limits, specify your own DecisionFunc.

type PreChecker

type PreChecker interface {
	PreCheck(ctx context.Context, names []string, interactive bool) error

PreChecker is an interface that can be optionally implemented by Issuers. Pre-checks are performed before each call (or batch of identical calls) to Issue(), giving the issuer the option to ensure it has all the necessary information/state.

type RenewalInfoGetter added in v0.21.3

type RenewalInfoGetter interface {
	GetRenewalInfo(context.Context, Certificate) (acme.RenewalInfo, error)

RenewalInfoGetter is a type that can get ACME Renewal Information (ARI). Users of this package that wrap the ACMEIssuer or use any other issuer that supports ARI will need to implement this so that CertMagic can update ARI which happens outside the normal issuance flow and is thus not required by the Issuer interface (a type assertion is performed).

type Revoker

type Revoker interface {
	Revoke(ctx context.Context, cert CertificateResource, reason int) error

Revoker can revoke certificates. Reason codes are defined by RFC 5280 §5.3.1: https://tools.ietf.org/html/rfc5280#section-5.3.1 and are available as constants in our ACME library.

type RingBufferRateLimiter

type RingBufferRateLimiter struct {
	// contains filtered or unexported fields

RingBufferRateLimiter uses a ring to enforce rate limits consisting of a maximum number of events within a single sliding window of a given duration. An empty value is not valid; use NewRateLimiter to get one.

func NewRateLimiter

func NewRateLimiter(maxEvents int, window time.Duration) *RingBufferRateLimiter

NewRateLimiter returns a rate limiter that allows up to maxEvents in a sliding window of size window. If maxEvents and window are both 0, or if maxEvents is non-zero and window is 0, rate limiting is disabled. This function panics if maxEvents is less than 0 or if maxEvents is 0 and window is non-zero, which is considered to be an invalid configuration, as it would never allow events.

func (*RingBufferRateLimiter) Allow

func (r *RingBufferRateLimiter) Allow() bool

Allow returns true if the event is allowed to happen right now. It does not wait. If the event is allowed, a ticket is claimed.

func (*RingBufferRateLimiter) MaxEvents

func (r *RingBufferRateLimiter) MaxEvents() int

MaxEvents returns the maximum number of events that are allowed within the sliding window.

func (*RingBufferRateLimiter) SetMaxEvents

func (r *RingBufferRateLimiter) SetMaxEvents(maxEvents int)

SetMaxEvents changes the maximum number of events that are allowed in the sliding window. If the new limit is lower, the oldest events will be forgotten. If the new limit is higher, the window will suddenly have capacity for new reservations. It panics if maxEvents is 0 and window size is not zero; if setting both the events limit and the window size to 0, call SetWindow() first.

func (*RingBufferRateLimiter) SetWindow

func (r *RingBufferRateLimiter) SetWindow(window time.Duration)

SetWindow changes r's sliding window duration to window. Goroutines that are already blocked on a call to Wait() will not be affected. It panics if window is non-zero but the max event limit is 0.

func (*RingBufferRateLimiter) Stop

func (r *RingBufferRateLimiter) Stop()

Stop cleans up r's scheduling goroutine.

func (*RingBufferRateLimiter) Wait

Wait blocks until the event is allowed to occur. It returns an error if the context is cancelled.

func (*RingBufferRateLimiter) Window

func (r *RingBufferRateLimiter) Window() time.Duration

Window returns the size of the sliding window.

type StandardKeyGenerator

type StandardKeyGenerator struct {
	// The type of keys to generate.
	KeyType KeyType

StandardKeyGenerator is the standard, in-memory key source that uses crypto/rand.

func (StandardKeyGenerator) GenerateKey

func (kg StandardKeyGenerator) GenerateKey() (crypto.PrivateKey, error)

GenerateKey generates a new private key according to kg.KeyType.

type Storage

type Storage interface {
	// Locker enables the storage backend to synchronize
	// operational units of work.
	// The use of Locker is NOT employed around every
	// Storage method call (Store, Load, etc), as these
	// should already be thread-safe. Locker is used for
	// high-level jobs or transactions that need
	// synchronization across a cluster; it's a simple
	// distributed lock. For example, CertMagic uses the
	// Locker interface to coordinate the obtaining of
	// certificates.

	// Store puts value at key. It creates the key if it does
	// not exist and overwrites any existing value at this key.
	Store(ctx context.Context, key string, value []byte) error

	// Load retrieves the value at key.
	Load(ctx context.Context, key string) ([]byte, error)

	// Delete deletes the named key. If the name is a
	// directory (i.e. prefix of other keys), all keys
	// prefixed by this key should be deleted. An error
	// should be returned only if the key still exists
	// when the method returns.
	Delete(ctx context.Context, key string) error

	// Exists returns true if the key exists either as
	// a directory (prefix to other keys) or a file,
	// and there was no error checking.
	Exists(ctx context.Context, key string) bool

	// List returns all keys in the given path.
	// If recursive is true, non-terminal keys
	// will be enumerated (i.e. "directories"
	// should be walked); otherwise, only keys
	// prefixed exactly by prefix will be listed.
	List(ctx context.Context, path string, recursive bool) ([]string, error)

	// Stat returns information about key.
	Stat(ctx context.Context, key string) (KeyInfo, error)

Storage is a type that implements a key-value store with basic file system (folder path) semantics. Keys use the forward slash '/' to separate path components and have no leading or trailing slashes.

A "prefix" of a key is defined on a component basis, e.g. "a" is a prefix of "a/b" but not "ab/c".

A "file" is a key with a value associated with it.

A "directory" is a key with no value, but which may be the prefix of other keys.

Keys passed into Load and Store always have "file" semantics, whereas "directories" are only implicit by leading up to the file.

The Load, Delete, List, and Stat methods should return fs.ErrNotExist if the key does not exist.

Processes running in a cluster should use the same Storage value (with the same configuration) in order to share certificates and other TLS resources with the cluster.

Implementations of Storage MUST be safe for concurrent use and honor context cancellations. Methods should block until their operation is complete; that is, Load() should always return the value from the last call to Store() for a given key, and concurrent calls to Store() should not corrupt a file.

For simplicity, this is not a streaming API and is not suitable for very large files.

type SubjectIssuer added in v0.21.0

type SubjectIssuer struct {
	Subject, IssuerKey string

SubjectIssuer pairs a subject name with an issuer ID/key.

type ZeroSSLIssuer added in v0.21.0

type ZeroSSLIssuer struct {
	// The API key (or "access key") for using the ZeroSSL API.
	APIKey string

	// Where to store verification material temporarily.
	// All instances in a cluster should have the same
	// Storage value to enable distributed verification.
	// REQUIRED. (TODO: Make it optional for those not
	// operating in a cluster. For now, it's simpler to
	// put info in storage whether distributed or not.)
	Storage Storage

	// How many days the certificate should be valid for.
	ValidityDays int

	// The host to bind to when opening a listener for
	// verifying domain names (or IPs).
	ListenHost string

	// If HTTP is forwarded from port 80, specify the
	// forwarded port here.
	AltHTTPPort int

	// To use CNAME validation instead of HTTP
	// validation, set this field.
	CNAMEValidation *DNSManager

	// An optional (but highly recommended) logger.
	Logger *zap.Logger

ZeroSSLIssuer can get certificates from ZeroSSL's API. (To use ZeroSSL's ACME endpoint, use the ACMEIssuer instead.) Note that use of the API is restricted by payment tier.

func (*ZeroSSLIssuer) HTTPValidationHandler added in v0.21.0

func (iss *ZeroSSLIssuer) HTTPValidationHandler(h http.Handler) http.Handler

HTTPValidationHandler wraps the ZeroSSL HTTP validation handler such that it can pass verification checks from ZeroSSL's API.

If a request is not a ZeroSSL HTTP validation request, h will be invoked.

func (*ZeroSSLIssuer) HandleZeroSSLHTTPValidation added in v0.21.0

func (iss *ZeroSSLIssuer) HandleZeroSSLHTTPValidation(w http.ResponseWriter, r *http.Request) bool

HandleZeroSSLHTTPValidation is to ZeroSSL API HTTP validation requests like HandleHTTPChallenge is to ACME HTTP challenge requests.

func (*ZeroSSLIssuer) Issue added in v0.21.0

Issue obtains a certificate for the given csr.

func (*ZeroSSLIssuer) IssuerKey added in v0.21.0

func (iss *ZeroSSLIssuer) IssuerKey() string

IssuerKey returns the unique issuer key for ZeroSSL.

func (*ZeroSSLIssuer) Revoke added in v0.21.0

func (iss *ZeroSSLIssuer) Revoke(ctx context.Context, cert CertificateResource, reason int) error

Revoke revokes the given certificate. Only do this if there is a security or trust concern with the certificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL