certmagic

packagemodule

v0.24.0Latest Latest

This package is not in the latest version of its module.

Go to latest Published: Aug 5, 2025 License:Apache-2.0Imports:50Imported by:600

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/caddyserver/certmagic

README ¶

Easy and Powerful TLS Automation

The same library used by theCaddy Web Server

Caddy'sautomagic TLS features—now for your own Go programs—in one powerful and easy-to-use library!

CertMagic is the most mature, robust, and powerful ACME client integration for Go... and perhaps ever.

With CertMagic, you can add one line to your Go application to serve securely over TLS, without ever having to touch certificates.

Instead of:

// plaintext HTTP, gross 🤢http.ListenAndServe(":80", mux)

Use CertMagic:

// encrypted HTTPS with HTTP->HTTPS redirects - yay! 🔒😍certmagic.HTTPS([]string{"example.com"}, mux)

That line of code will serve your HTTP routermux over HTTPS, complete with HTTP->HTTPS redirects. It obtains and renews the TLS certificates. It staples OCSP responses for greater privacy and security. As long as your domain name points to your server, CertMagic will keep its connections secure.

Compared to other ACME client libraries for Go, only CertMagic supports the full suite of ACME features, and no other library matches CertMagic's maturity and reliability.

CertMagic - Automatic HTTPS using Let's Encrypt

Features

Fully automated certificate management including issuance and renewal
One-line, fully managed HTTPS servers
Full control over almost every aspect of the system
HTTP->HTTPS redirects
Multiple issuers supported: get certificates from multiple sources/CAs for redundancy and resiliency
Solves all 3 common ACME challenges: HTTP, TLS-ALPN, and DNS (and capable of others)
Most robust error handling ofany ACME client
- Challenges are randomized to avoid accidental dependence
- Challenges are rotated to overcome certain network blockages
- Robust retries for up to 30 days
- Exponential backoff with carefully-tuned intervals
- Retries with optional test/staging CA endpoint instead of production, to avoid rate limits
Written in Go, a language with memory-safety guarantees
Powered byACMEz,the premier ACME client library for Go
Alllibdns DNS providers work out-of-the-box
Pluggable storage backends (default: file system)
Pluggable key sources
Wildcard certificates
Automatic OCSP stapling (done right)keeps your sites online!
- Willautomatically attempt to replacerevoked certificates!
- Staples stored to disk in case of responder outages
Distributed solving of all challenges (works behind load balancers)
- Highly efficient, coordinated management in a fleet
- Active locking
- Smart queueing
Supports "on-demand" issuance of certificates (during TLS handshakes!)
- Caddy / CertMagic pioneered this technology
- Custom decision functions to regulate and throttle on-demand behavior
Optional event hooks for observation
One-time private keys by default (new key for each cert) to discourage pinning and reduce scope of key compromise
Works with any certificate authority (CA) compliant with the ACME specification RFC 8555
Certificate revocation (please, only if private key is compromised)
Must-Staple (optional; not default)
Cross-platform support! Mac, Windows, Linux, BSD, Android...
Scales to hundreds of thousands of names/certificates per instance
Use in conjunction with your own certificates
Full support forRFC 9773 (ACME Renewal Information; ARI) extension

Requirements

ACME server (can be a publicly-trusted CA, or your own)
Public DNS name(s) you control
Server reachable from public Internet
- Or use the DNS challenge to waive this requirement
Control over port 80 (HTTP) and/or 443 (HTTPS)
- Or they can be forwarded to other ports you control
- Or use the DNS challenge to waive this requirement
- (This is a requirement of the ACME protocol, not a library limitation)
Persistent storage
- Typically the local file system (default)
- Other integrations available/possible
Go 1.21 or newer

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!

Installation

$ go get github.com/caddyserver/certmagic

Usage

Package Overview

Certificate authority

This library uses Let's Encrypt by default, but you can use any certificate authority that conforms to the ACME specification. Known/common CAs are provided as consts in the package, for exampleLetsEncryptStagingCA andLetsEncryptProductionCA.

The`Config` type

Thecertmagic.Config struct is how you can wield the power of this fully armed and operational battle station. However, an empty/uninitializedConfig isnot a valid one! In time, you will learn to use the force ofcertmagic.NewDefault() as I have.

Defaults

The defaultConfig value is calledcertmagic.Default. Change its fields to suit your needs, then callcertmagic.NewDefault() when you need a validConfig value. In other words,certmagic.Default is a template and is not valid for use directly.

You can set the default values easily, for example:certmagic.Default.Issuer = ....

Similarly, to configure ACME-specific defaults, usecertmagic.DefaultACME.

The high-level functions in this package (HTTPS(),Listen(),ManageSync(), andManageAsync()) use the default config exclusively. This is how most of you will interact with the package. This is suitable when all your certificates are managed the same way. However, if you need to manage certificates differently depending on their name, you will need to make your own cache and configs (keep reading).

Providing an email address

Although not strictly required, this is highly recommended best practice. It allows you to receive expiration emails if your certificates are expiring for some reason, and also allows the CA's engineers to potentially get in touch with you if something is wrong. I recommend settingcertmagic.DefaultACME.Email or always setting theEmail field of a newConfig struct.

Rate limiting

To avoid firehosing the CA's servers, CertMagic has built-in rate limiting. Currently, its default limit is up to 10 transactions (obtain or renew) every 1 minute (sliding window). This can be changed by setting theRateLimitEvents andRateLimitEventsWindow variables, if desired.

The CA may still enforce their own rate limits, and there's nothing (well, nothing ethical) CertMagic can do to bypass them for you.

Additionally, CertMagic will retry failed validations with exponential backoff for up to 30 days, with a reasonable maximum interval between attempts (an "attempt" means trying each enabled challenge type once).

Development and Testing

Note that Let's Encrypt imposesstrict rate limits at its production endpoint, so using it while developing your application may lock you out for a few days if you aren't careful!

While developing your application and testing it, usetheir staging endpoint which has much higher rate limits. Even then, don't hammer it: but it's much safer for when you're testing. When deploying, though, use their production CA because their staging CA doesn't issue trusted certificates.

To use staging, setcertmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA or setCA of everyACMEIssuer struct.

Examples

There are many ways to use this library. We'll start with the highest-level (simplest) and work down (more control).

All these high-level examples usecertmagic.Default andcertmagic.DefaultACME for the config and the default cache and storage for serving up certificates.

First, we'll follow best practices and do the following:

// read and agree to your CA's legal documentscertmagic.DefaultACME.Agreed = true// provide an email addresscertmagic.DefaultACME.Email = "you@yours.com"// use the staging endpoint while we're developingcertmagic.DefaultACME.CA = certmagic.LetsEncryptStagingCA

For fully-functional program examples, check outthis X thread (or read itunrolled into a single post). (Note that the package API has changed slightly since these posts.)

Serving HTTP handlers with HTTPS

err := certmagic.HTTPS([]string{"example.com", "www.example.com"}, mux)if err != nil {return err}

This starts HTTP and HTTPS listeners and redirects HTTP to HTTPS!

Starting a TLS listener

ln, err := certmagic.Listen([]string{"example.com"})if err != nil {return err}

Getting a tls.Config

tlsConfig, err := certmagic.TLS([]string{"example.com"})if err != nil {return err}// be sure to customize NextProtos if serving a specific// application protocol after the TLS handshake, for example:tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)

Advanced use

For more control (particularly, if you need a different way of managing each certificate), you'll make and use aCache and aConfig like so:

// First make a pointer to a Cache as we need to reference the same Cache in// GetConfigForCert below.var cache *certmagic.Cachecache = certmagic.NewCache(certmagic.CacheOptions{GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {// Here we use New to get a valid Config associated with the same cache.// The provided Config is used as a template and will be completed with// any defaults that are set in the Default config.return certmagic.New(cache, certmagic.Config{// ...}), nil},...})magic := certmagic.New(cache, certmagic.Config{// any customizations you need go here})myACME := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{CA:     certmagic.LetsEncryptStagingCA,Email:  "you@yours.com",Agreed: true,// plus any other customizations you need})magic.Issuers = []certmagic.Issuer{myACME}// this obtains certificates or renews them if necessaryerr := magic.ManageSync(context.TODO(), []string{"example.com", "sub.example.com"})if err != nil {return err}// to use its certificates and solve the TLS-ALPN challenge,// you can get a TLS config to use in a TLS listener!tlsConfig := magic.TLSConfig()// be sure to customize NextProtos if serving a specific// application protocol after the TLS handshake, for example:tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)//// OR ////// if you already have a TLS config you don't want to replace,// we can simply set its GetCertificate field and append the// TLS-ALPN challenge protocol to the NextProtosmyTLSConfig.GetCertificate = magic.GetCertificatemyTLSConfig.NextProtos = append(myTLSConfig.NextProtos, acmez.ACMETLS1Protocol)// the HTTP challenge has to be handled by your HTTP server;// if you don't have one, you should have disabled it earlier// when you made the certmagic.ConfighttpMux = myACME.HTTPChallengeHandler(httpMux)

Great! This example grants you much more flexibility for advanced programs. However,the vast majority of you will only use the high-level functions described earlier, especially since you can still customize them by setting the package-levelDefault config.

Wildcard certificates

At time of writing (December 2018), Let's Encrypt only issues wildcard certificates with the DNS challenge. You can easily enable the DNS challenge with CertMagic for numerous providers (see the relevant section in the docs).

Behind a load balancer (or in a cluster)

CertMagic runs effectively behind load balancers and/or in cluster/fleet environments. In other words, you can have 10 or 1,000 servers all serving the same domain names, all sharing certificates and OCSP staples.

To do so, simply ensure that each instance is using the same Storage. That is the sole criteria for determining whether an instance is part of a cluster.

The default Storage is implemented using the file system, so mounting the same shared folder is sufficient (seeStorage for more on that)! If you need an alternate Storage implementation, feel free to use one, provided that all the instances use thesame one. :)

SeeStorage and the associatedpkg.go.dev for more information!

The ACME Challenges

This section describes how to solve the ACME challenges. Challenges are how you demonstrate to the certificate authority some control over your domain name, thus authorizing them to grant you a certificate for that name.The great innovation of ACME is that verification by CAs can now be automated, rather than having to click links in emails (who ever thought that was a good idea??).

If you're using the high-level convenience functions likeHTTPS(),Listen(), orTLS(), the HTTP and/or TLS-ALPN challenges are solved for you because they also start listeners. However, if you're making aConfig and you start your own server manually, you'll need to be sure the ACME challenges can be solved so certificates can be renewed.

The HTTP and TLS-ALPN challenges are the defaults because they don't require configuration from you, but they require that your server is accessible from external IPs on low ports. If that is not possible in your situation, you can enable the DNS challenge, which will disable the HTTP and TLS-ALPN challenges and use the DNS challenge exclusively.

Technically, only one challenge needs to be enabled for things to work, but using multiple is good for reliability in case a challenge is discontinued by the CA. This happened to the TLS-SNI challenge in early 2018—many popular ACME clients such as Traefik and Autocert broke, resulting in downtime for some sites, until new releases were made and patches deployed, because they used only one challenge; Caddy, however—this library's forerunner—was unaffected because it also used the HTTP challenge. If multiple challenges are enabled, they are chosen randomly to help prevent false reliance on a single challenge type. And if one fails, any remaining enabled challenges are tried before giving up.

HTTP Challenge

Per the ACME spec, the HTTP challenge requires port 80, or at least packet forwarding from port 80. It works by serving a specific HTTP response that only the genuine server would have to a normal HTTP request at a special endpoint.

If you are running an HTTP server, solving this challenge is very easy: just wrap your handler inHTTPChallengeHandleror callSolveHTTPChallenge() inside your ownServeHTTP() method.

For example, if you're using the standard library:

mux := http.NewServeMux()mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {fmt.Fprintf(w, "Lookit my cool website over HTTPS!")})http.ListenAndServe(":80", myACME.HTTPChallengeHandler(mux))

If wrapping your handler is not a good solution, try this inside yourServeHTTP() instead:

magic := certmagic.NewDefault()myACME := certmagic.NewACMEIssuer(magic, certmagic.DefaultACME)func ServeHTTP(w http.ResponseWriter, req *http.Request) {if myACME.HandleHTTPChallenge(w, r) {return // challenge handled; nothing else to do}...}

If you are not running an HTTP server, you should disable the HTTP challengeor run an HTTP server whose sole job it is to solve the HTTP challenge.

TLS-ALPN Challenge

Per the ACME spec, the TLS-ALPN challenge requires port 443, or at least packet forwarding from port 443. It works by providing a special certificate using a standard TLS extension, Application Layer Protocol Negotiation (ALPN), having a special value. This is the most convenient challenge type because it usually requires no extra configuration and uses the standard TLS port which is where the certificates are used, also.

This challenge is easy to solve: just use the providedtls.Config when you make your TLS listener:

// use this to configure a TLS listenertlsConfig := magic.TLSConfig()

Or make two simple changes to an existingtls.Config:

myTLSConfig.GetCertificate = magic.GetCertificatemyTLSConfig.NextProtos = append(myTLSConfig.NextProtos, acmez.ACMETLS1Protocol}

Then just make sure your TLS listener is listening on port 443:

ln, err := tls.Listen("tcp", ":443", myTLSConfig)

DNS Challenge

The DNS challenge is perhaps the most useful challenge because it allows you to obtain certificates without your server needing to be publicly accessible on the Internet, and it's the only challenge by which Let's Encrypt will issue wildcard certificates.

This challenge works by setting a special record in the domain's zone. To do this automatically, your DNS provider needs to offer an API by which changes can be made to domain names, and the changes need to take effect immediately for best results. CertMagic supportsall DNS providers withlibdns implementations! It always cleans up the temporary record after the challenge completes.

To enable it, just set theDNS01Solver field on acertmagic.ACMEIssuer struct, or set the defaultcertmagic.ACMEIssuer.DNS01Solver variable. For example, if my domains' DNS was served by Cloudflare:

import "github.com/libdns/cloudflare"certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{DNSManager: certmagic.DNSManager{DNSProvider: &cloudflare.Provider{APIToken: "topsecret",},},}

Now the DNS challenge will be used by default, and I can obtain certificates for wildcard domains, too. Enabling the DNS challenge disables the other challenges for thatcertmagic.ACMEIssuer instance.

On-Demand TLS

Normally, certificates are obtained and renewed before a listener starts serving, and then those certificates are maintained throughout the lifetime of the program. In other words, the certificate names are static. But sometimes you don't know all the names ahead of time, or you don't want to manage all the certificates up front. This is where On-Demand TLS shines.

Originally invented for use in Caddy (which was the first program to use such technology), On-Demand TLS makes it possible and easy to serve certificates for arbitrary or specific names during the lifetime of the server. When a TLS handshake is received, CertMagic will read the Server Name Indication (SNI) value and either load and present that certificate in the ServerHello, or if one does not exist, it will obtain it from a CA right then-and-there.

Of course, this has some obvious security implications. You don't want to DoS a CA or allow arbitrary clients to fill your storage with spammy TLS handshakes. That's why, when you enable On-Demand issuance, you should set limits or policy to allow getting certificates. CertMagic has an implicit whitelist built-in which is sufficient for nearly everyone, but also has a more advanced way to control on-demand issuance.

The simplest way to enable on-demand issuance is to set the OnDemand field of a Config (or the default package-level value):

certmagic.Default.OnDemand = new(certmagic.OnDemandConfig)

By setting this to a non-nil value, on-demand TLS is enabled for that config. For convenient security, CertMagic's high-level abstraction functions such asHTTPS(),TLS(),ManageSync(),ManageAsync(), andListen() (which all accept a list of domain names) will whitelist those names automatically so only certificates for those names can be obtained when using the Default config. Usually this is sufficient for most users.

However, if you require advanced control over which domains can be issued certificates on-demand (for example, if you do not know which domain names you are managing, or just need to defer their operations until later), you should implement your own DecisionFunc:

// if the decision function returns an error, a certificate// may not be obtained for that name at that timecertmagic.Default.OnDemand = &certmagic.OnDemandConfig{DecisionFunc: func(name string) error {if name != "example.com" {return fmt.Errorf("not allowed")}return nil},}

Thepkg.go.dev describes how to use this in full detail, so please check it out!

Storage

CertMagic relies on storage to store certificates and other TLS assets (OCSP staple cache, coordinating locks, etc). Persistent storage is a requirement when using CertMagic: ephemeral storage will likely lead to rate limiting on the CA-side as CertMagic will always have to get new certificates.

By default, CertMagic stores assets on the local file system in$HOME/.local/share/certmagic (and honors$XDG_DATA_HOME if set). CertMagic will create the directory if it does not exist. If writes are denied, things will not be happy, so make sure CertMagic can write to it!

The notion of a "cluster" or "fleet" of instances that may be serving the same site and sharing certificates, etc, is tied to storage. Simply, any instances that use the same storage facilities are considered part of the cluster. So if you deploy 100 instances of CertMagic behind a load balancer, they are all part of the same cluster if they share the same storage configuration. Sharing storage could be mounting a shared folder, or implementing some other distributed storage system such as a database server or KV store.

The easiest way to change the storage being used is to setcertmagic.Default.Storage to a value that satisfies theStorage interface. Keep in mind that a validStorage must be able to implement some operations atomically in order to provide locking and synchronization.

If you write a Storage implementation, please add it to theproject wiki so people can find it!

Cache

All of the certificates in use are de-duplicated and cached in memory for optimal performance at handshake-time. This cache must be backed by persistent storage as described above.

Most applications will not need to interact with certificate caches directly. Usually, the closest you will come is to set the package-widecertmagic.Default.Storage variable (before attempting to create any Configs) which defines how the cache is persisted. However, if your use case requires using different storage facilities for different Configs (that's highly unlikely and NOT recommended! Even Caddy doesn't get that crazy), you will need to callcertmagic.NewCache() and pass in the storage you want to use, then get newConfig structs withcertmagic.NewWithCache() and pass in the cache.

Again, if you're needing to do this, you've probably over-complicated your application design.

Events

(Events are new and still experimental, so they may change.)

CertMagic emits events when possible things of interest happen. Set theOnEvent field of yourConfig to subscribe to events; ignore the ones you aren't interested in. Here are the events currently emitted along with their metadata you can use:

cached_unmanaged_cert An unmanaged certificate was cached
- sans: The subject names on the certificate
cert_obtaining A certificate is about to be obtained
- renewal: Whether this is a renewal
- identifier: The name on the certificate
- forced: Whether renewal is being forced (if renewal)
- remaining: Time left on the certificate (if renewal)
- issuer: The previous or current issuer
cert_obtained A certificate was successfully obtained
- renewal: Whether this is a renewal
- identifier: The name on the certificate
- remaining: Time left on the certificate (if renewal)
- issuer: The previous or current issuer
- storage_path: The path to the folder containing the cert resources within storage
- private_key_path: The path to the private key file in storage
- certificate_path: The path to the public key file in storage
- metadata_path: The path to the metadata file in storage
cert_failed An attempt to obtain a certificate failed
- renewal: Whether this is a renewal
- identifier: The name on the certificate
- remaining: Time left on the certificate (if renewal)
- issuers: The issuer(s) tried
- error: The (final) error message
tls_get_certificate The GetCertificate phase of a TLS handshake is under way
- client_hello: The tls.ClientHelloInfo struct
cert_ocsp_revoked A certificate's OCSP indicates it has been revoked
- subjects: The subject names on the certificate
- certificate: The Certificate struct
- reason: The OCSP revocation reason
- revoked_at: When the certificate was revoked

OnEvent can return an error. Some events may be aborted by returning an error. For example, returning an error fromcert_obtained can cancel obtaining the certificate. Only return an error fromOnEvent if you want to abort program flow.

ZeroSSL

ZeroSSL has both ACME and HTTP API services for getting certificates. CertMagic works with both of them.

To use ZeroSSL's ACME server, configure CertMagic with anACMEIssuer like you would with any other ACME CA (just adjust the directory URL). External Account Binding (EAB) is required for ZeroSSL. You can use theZeroSSL API to generate one, or your account dashboard.

To use ZeroSSL's API instead, use theZeroSSLIssuer. Here is a simple example:

magic := certmagic.NewDefault()magic.Issuers = []certmagic.Issuer{certmagic.ZeroSSLIssuer{APIKey: "<your ZeroSSL API key>",}),}err := magic.ManageSync(ctx, []string{"example.com"})

FAQ

Can I use some of my own certificates while using CertMagic?

Yes, just call the relevant method on theConfig to add your own certificate to the cache:

Keep in mind that unmanaged certificates are (obviously) not renewed for you, so you'll have to replace them when you do. However, OCSP stapling is performed even for unmanaged certificates that qualify.

Does CertMagic obtain SAN certificates?

Technically all certificates these days are SAN certificates because CommonName is deprecated. But if you're asking whether CertMagic issues and manages certificates with multiple SANs, the answer is no. But it does support serving them, if you provide your own.

How can I listen on ports 80 and 443? Do I have to run as root?

On Linux, you can usesetcap to grant your binary the permission to bind low ports:

$ sudo setcap cap_net_bind_service=+ep /path/to/your/binary

and then you will not need to run with root privileges.

Contributing

We welcome your contributions! Please see ourcontributing guidelines for instructions.

Project History

CertMagic is the core of Caddy's advanced TLS automation code, extracted into a library. The underlying ACME client implementation isACMEz. CertMagic's code was originally a central part of Caddy even before Let's Encrypt entered public beta in 2015.

In the years since then, Caddy's TLS automation techniques have been widely adopted, tried and tested in production, and served millions of sites and secured trillions of connections.

Now, CertMagic isthe actual library used by Caddy. It's incredibly powerful and feature-rich, but also easy to use for simple Go programs: one line of code can enable fully-automated HTTPS applications with HTTP->HTTPS redirects.

Caddy is known for its robust HTTPS+ACME features. When ACME certificate authorities have had outages, in some cases Caddy was the only major client that didn't experience any downtime. Caddy can weather OCSP outages lasting days, or CA outages lasting weeks, without taking your sites offline.

Caddy was also the first to sport "on-demand" issuance technology, which obtains certificates during the first TLS handshake for an allowed SNI name.

Consequently, CertMagic brings all these (and more) features and capabilities right into your own Go programs.

You canwatch a 2016 dotGo talk by the author of this library about using ACME to automate certificate management in Go programs:

Credits and License

CertMagic is a project byMatthew Holt, who is the author; and various contributors, who are credited in the commit history of either CertMagic or Caddy.

CertMagic is licensed under Apache 2.0, an open source license. For convenience, its main points are summarized as follows (but this is no replacement for the actual license text):

The author owns the copyright to this code
Use, distribute, and modify the software freely
Private and internal use is allowed
License text and copyright notices must stay intact and be included with distributions
Any and all changes to the code must be documented

Documentation¶

Overview¶

Package certmagic automates the obtaining and renewal of TLS certificates,including TLS & HTTPS best practices such as robust OCSP stapling, caching,HTTP->HTTPS redirects, and more.

Its high-level API serves your HTTP handlers over HTTPS if you simply givethe domain name(s) and the http.Handler; CertMagic will create and runthe HTTPS server for you, fully managing certificates during the lifetimeof the server. Similarly, it can be used to start TLS listeners or returna ready-to-use tls.Config -- whatever layer you need TLS for, CertMagicmakes it easy. See the HTTPS, Listen, and TLS functions for that.

If you need more control, create a Cache using NewCache() and then makea Config using New(). You can then call Manage() on the config. But ifyou use this lower-level API, you'll have to be sure to solve the HTTPand TLS-ALPN challenges yourself (unless you disabled them or use theDNS challenge) by using the provided Config.GetCertificate functionin your tls.Config and/or Config.HTTPChallengeHandler in your HTTPhandler.

See the package's README for more instruction.

Index¶

Examples¶

HTTPS

Constants¶

View Source

const (LetsEncryptStagingCA    = "https://acme-staging-v02.api.letsencrypt.org/directory"//https://letsencrypt.org/docs/staging-environment/LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory"//https://letsencrypt.org/getting-started/ZeroSSLProductionCA     = "https://acme.zerossl.com/v2/DV90"//https://zerossl.com/documentation/acme/GoogleTrustStagingCA    = "https://dv.acme-v02.test-api.pki.goog/directory"//https://cloud.google.com/certificate-manager/docs/public-ca-tutorialGoogleTrustProductionCA = "https://dv.acme-v02.api.pki.goog/directory"//https://cloud.google.com/certificate-manager/docs/public-ca-tutorial)

Some well-known CA endpoints available to use. Seethe documentation for each service; some may requireExternal Account Binding (EAB) and possibly payment.COMPATIBILITY NOTICE: These constants refer to externalresources and are thus subject to change or removalwithout a major version bump.

View Source

const (// UseFirstIssuer uses the first issuer that// successfully returns a certificate.UseFirstIssuer = "first"// UseFirstRandomIssuer shuffles the list of// configured issuers, then uses the first one// that successfully returns a certificate.UseFirstRandomIssuer = "first_random")

Supported issuer policies. These are subject to change.

View Source

const (// HTTPChallengePort is the officially-designated port for// the HTTP challenge according to the ACME spec.HTTPChallengePort = 80// TLSALPNChallengePort is the officially-designated port for// the TLS-ALPN challenge according to the ACME spec.TLSALPNChallengePort = 443)

View Source

const (ED25519 =KeyType("ed25519")P256    =KeyType("p256")P384    =KeyType("p384")RSA2048 =KeyType("rsa2048")RSA4096 =KeyType("rsa4096")RSA8192 =KeyType("rsa8192"))

Constants for all key types we support.

View Source

const (// DefaultRenewCheckInterval is how often to check certificates for expiration.// Scans are very lightweight, so this can be semi-frequent. This default should// be smaller than <Minimum Cert Lifetime>*DefaultRenewalWindowRatio/3, which// gives certificates plenty of chance to be renewed on time.DefaultRenewCheckInterval = 10 *time.Minute// DefaultRenewalWindowRatio is how much of a certificate's lifetime becomes the// renewal window. The renewal window is the span of time at the end of the// certificate's validity period in which it should be renewed. A default value// of ~1/3 is pretty safe and recommended for most certificates.DefaultRenewalWindowRatio = 1.0 / 3.0// DefaultOCSPCheckInterval is how often to check if OCSP stapling needs updating.DefaultOCSPCheckInterval = 1 *time.Hour)

View Source

const ClientHelloInfoCtxKey helloInfoCtxKey = "certmagic:ClientHelloInfo"

ClientHelloInfoCtxKey is the key by which the ClientHelloInfo can be extracted froma context.Context within a DecisionFunc. However, be advised that it is best practicethat the decision whether to obtain a certificate is be based solely on the name,not other properties of the specific connection/client requesting the connection.For example, it is not advisable to use a client's IP address to decide whether toallow a certificate. Instead, the ClientHello can be useful for logging, etc.

Variables¶

View Source

var (// RateLimitEvents is how many new events can be allowed// in RateLimitEventsWindow.RateLimitEvents = 10// RateLimitEventsWindow is the size of the sliding// window that throttles events.RateLimitEventsWindow = 10 *time.Second)

These internal rate limits are designed to prevent accidentallyfirehosing a CA's ACME endpoints. They are not intended toreplace or replicate the CA's actual rate limits.

Let's Encrypt's rate limits can be found here:https://letsencrypt.org/docs/rate-limits/

Currently (as of December 2019), Let's Encrypt's most relevantrate limit for large deployments is 300 new orders per accountper 3 hours (on average, or best case, that's about 1 every 36seconds, or 2 every 72 seconds, etc.); but it's not reasonableto try to assume that our internal state is the same as the CA's(due to process restarts, config changes, failed validations,etc.) and ultimately, only the CA's actual rate limiter is theauthority. Thus, our own rate limiters do not attempt to enforceexternal rate limits. Doing so causes problems when the domainsare not in our control (i.e. serving customer sites) and/or lotsof domains fail validation: they clog our internal rate limiterand nearly starve out (or at least slow down) the other domainsthat need certificates. Failed transactions are already retriedwith exponential backoff, so adding in rate limiting can slowthings down even more.

Instead, the point of our internal rate limiter is to avoidhammering the CA's endpoint when there are thousands or evenmillions of certificates under management. Our goal is toallow small bursts in a relatively short timeframe so as tonot block any one domain for too long, without unleashingthousands of requests to the CA at once.

View Source

var (UserAgentstringHTTPTimeout = 30 *time.Second)

Some default values passed down to the underlying ACME client.

View Source

var (// HTTPPort is the port on which to serve HTTP// and, as such, the HTTP challenge (unless// Default.AltHTTPPort is set).HTTPPort = 80// HTTPSPort is the port on which to serve HTTPS// and, as such, the TLS-ALPN challenge// (unless Default.AltTLSALPNPort is set).HTTPSPort = 443)

Port variables must remain their defaults unless youforward packets from the defaults to whatever theseare set to; otherwise ACME challenges will fail.

View Source

var AttemptsCtxKey retryStateCtxKey

AttemptsCtxKey is the context key for the valuethat holds the attempt counter. The value countshow many times the operation has been attempted.A value of 0 means first attempt.

View Source

var Default =Config{RenewalWindowRatio:DefaultRenewalWindowRatio,Storage:            defaultFileStorage,KeySource:DefaultKeyGenerator,Logger:             defaultLogger,}

Default contains the package defaults for thevarious Config fields. This is used as a templatewhen creating your own Configs with New() orNewDefault(), and it is also used as the Configby all the high-level functions in this packagethat abstract away most configuration (HTTPS(),TLS(), Listen(), etc).

The fields of this value will be used for Configfields which are unset. Feel free to modify thesedefaults, but do not use this Config by itself: itis only a template. Valid configurations can beobtained by calling New() (if you have your owncertificate cache) or NewDefault() (if you onlyneed a single config and want to use the defaultcache).

Even if the Issuers or Storage fields are not set,defaults will be applied in the call to New().

View Source

var DefaultACME =ACMEIssuer{CA:LetsEncryptProductionCA,TestCA:LetsEncryptStagingCA,Logger:    defaultLogger,HTTPProxy:http.ProxyFromEnvironment,}

DefaultACME specifies default settings to use for ACMEIssuers.Using this value is optional but can be convenient.

View Source

var DefaultKeyGenerator =StandardKeyGenerator{KeyType:P256}

DefaultKeyGenerator is the default key source.

View Source

var ErrNoOCSPServerSpecified =errors.New("no OCSP server specified in certificate")

ErrNoOCSPServerSpecified indicates that OCSP information could not bestapled because the certificate does not support OCSP.

Functions¶

funcCleanStorage ¶

func CleanStorage(ctxcontext.Context, storageStorage, optsCleanStorageOptions)error

CleanStorage removes assets which are no longer useful,according to opts.

funcCleanUpOwnLocks ¶

func CleanUpOwnLocks(ctxcontext.Context, logger *zap.Logger)

CleanUpOwnLocks immediately cleans up allcurrent locks obtained by this process. Sincethis does not cancel the operations thatthe locks are synchronizing, this should becalled only immediately before process exit.Errors are only reported if a logger is given.

funcFindZoneByFQDN ¶added inv0.22.0

func FindZoneByFQDN(ctxcontext.Context, logger *zap.Logger, fqdnstring, nameservers []string) (string,error)

FindZoneByFQDN determines the zone apex for the given fully-qualifieddomain name (FQDN) by recursing up the domain labels until the nameserverreturns a SOA record in the answer section. The logger must be non-nil.

EXPERIMENTAL: This API was previously unexported, and may be changed orunexported again in the future. Do not rely on it at this time.

funcHTTPS ¶

func HTTPS(domainNames []string, muxhttp.Handler)error

HTTPS serves mux for all domainNames using the HTTPand HTTPS ports, redirecting all HTTP requests to HTTPS.It uses the Default config and a background context.

This high-level convenience function is opinionated andapplies sane defaults for production use, includingtimeouts for HTTP requests and responses. To allow verylong-lived connections, you should make your ownhttp.Server values and use this package's Listen(), TLS(),or Config.TLSConfig() functions to customize to your needs.For example, servers which need to support large uploads ordownloads with slow clients may need to use longer timeouts,thus this function is not suitable.

Calling this function signifies your acceptance tothe CA's Subscriber Agreement and/or Terms of Service.

Example¶

This is the simplest way for HTTP servers to use this package.Call HTTPS() with your domain names and your handler (or nilfor the http.DefaultMux), and CertMagic will do the rest.

http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {fmt.Fprintf(w, "Hello, HTTPS visitor!")})err := HTTPS([]string{"example.com", "www.example.com"}, nil)if err != nil {log.Fatal(err)}

funcListen ¶

func Listen(domainNames []string) (net.Listener,error)

Listen manages certificates for domainName and returns aTLS listener. It uses the Default config.

Because this convenience function returns only a TLS-enabledlistener and does not presume HTTP is also being served,the HTTP challenge will be disabled. The package variableDefault is modified so that the HTTP challenge is disabled.

Calling this function signifies your acceptance tothe CA's Subscriber Agreement and/or Terms of Service.

funcLooksLikeHTTPChallenge ¶

func LooksLikeHTTPChallenge(r *http.Request)bool

LooksLikeHTTPChallenge returns true if r looks like an ACMEHTTP challenge request from an ACME server.

funcLooksLikeZeroSSLHTTPValidation ¶added inv0.21.0

func LooksLikeZeroSSLHTTPValidation(r *http.Request)bool

LooksLikeZeroSSLHTTPValidation returns true if the request appears to bedomain validation from a ZeroSSL/Sectigo CA. NOTE: This API isnon-standard and is subject to change.

funcManageAsync ¶

func ManageAsync(ctxcontext.Context, domainNames []string)error

ManageAsync is the same as ManageSync, except thatcertificates are managed asynchronously. This meansthat the function will return before certificatesare ready, and errors that occur during certificateobtain or renew operations are only logged. It isvital that you monitor the logs if using this method,which is only recommended for automated/non-interactiveenvironments.

funcManageSync ¶

func ManageSync(ctxcontext.Context, domainNames []string)error

ManageSync obtains certificates for domainNames and keeps themrenewed using the Default config.

This is a slightly lower-level function; you will need towire up support for the ACME challenges yourself. You canobtain a Config to help you do that by calling NewDefault().

You will need to ensure that you use a TLS config that getscertificates from this Config and that the HTTP and TLS-ALPNchallenges can be solved. The easiest way to do this is touse NewDefault().TLSConfig() as your TLS config and to wrapyour HTTP handler with NewDefault().HTTPChallengeHandler().If you don't have an HTTP server, you will need to disablethe HTTP challenge.

If you already have a TLS config you want to use, you cansimply set its GetCertificate field toNewDefault().GetCertificate.

Calling this function signifies your acceptance tothe CA's Subscriber Agreement and/or Terms of Service.

funcMatchWildcard ¶added inv0.10.5

func MatchWildcard(subject, wildcardstring)bool

MatchWildcard returns true if subject (a candidate DNS name)matches wildcard (a reference DNS name), mostly according toRFC 6125-compliant wildcard rules. See alsoRFC 2818 whichstates that IP addresses must match exactly, but this functiondoes not attempt to distinguish IP addresses from internal orexternal DNS names that happen to look like IP addresses.It uses DNS wildcard matching logic and is case-insensitive.https://tools.ietf.org/html/rfc2818#section-3.1

funcPEMDecodePrivateKey ¶added inv0.15.4

func PEMDecodePrivateKey(keyPEMBytes []byte) (crypto.Signer,error)

PEMDecodePrivateKey loads a PEM-encoded ECC/RSA private key from an array of bytes.Borrowed from Go standard library, to handle various private key and PEM block types.

funcPEMEncodePrivateKey ¶added inv0.15.4

func PEMEncodePrivateKey(keycrypto.PrivateKey) ([]byte,error)

PEMEncodePrivateKey marshals a private key into a PEM-encoded block.The private key must be one of *ecdsa.PrivateKey, *rsa.PrivateKey, or*ed25519.PrivateKey.

funcRecursiveNameservers ¶added inv0.22.0

func RecursiveNameservers(custom []string) []string

RecursiveNameservers are used to pre-check DNS propagation. Itpicks user-configured nameservers (custom) OR the defaultsobtained from resolv.conf and defaultNameservers if none isconfigured and ensures that all server addresses have a port value.

EXPERIMENTAL: This API was previously unexported, and may bebe unexported again in the future. Do not rely on it at this time.

funcSolveHTTPChallenge ¶added inv0.13.0

func SolveHTTPChallenge(logger *zap.Logger, whttp.ResponseWriter, r *http.Request, challengeacme.Challenge)bool

SolveHTTPChallenge solves the HTTP challenge. It should be used only on HTTP requests that arefrom ACME servers trying to validate an identifier (i.e. LooksLikeHTTPChallenge() == true). Itreturns true if the request criteria check out and it answered with key authentication, in whichcase no further handling of the request is necessary.

funcSubjectIsIP ¶added inv0.13.0

func SubjectIsIP(subjstring)bool

SubjectIsIP returns true if subj is an IP address.

funcSubjectIsInternal ¶added inv0.13.0

func SubjectIsInternal(subjstring)bool

SubjectIsInternal returns true if subj is an internal-facinghostname or address, including localhost/loopback hosts.Ports are ignored, if present.

funcSubjectQualifiesForCert ¶added inv0.10.2

func SubjectQualifiesForCert(subjstring)bool

SubjectQualifiesForCert returns true if subj is a name which,as a quick sanity check, looks like it could be the subjectof a certificate. Requirements are:- must not be empty- must not start or end with a dot (RFC 1034;RFC 6066 section 3)- must not contain common accidental special characters

funcSubjectQualifiesForPublicCert ¶added inv0.10.1

func SubjectQualifiesForPublicCert(subjstring)bool

SubjectQualifiesForPublicCert returns true if the subjectname appears eligible for automagic TLS with a publicCA such as Let's Encrypt. For example: internal IP addressesand localhost are not eligible because we cannot obtain certsfor those names with a public CA. Wildcard names areallowed, as long as they conform to CABF requirements (onlyone wildcard label, and it must be the left-most label).

funcTLS ¶

func TLS(domainNames []string) (*tls.Config,error)

TLS enables management of certificates for domainNamesand returns a valid tls.Config. It uses the Defaultconfig.

Because this is a convenience function that returnsonly a tls.Config, it does not assume HTTP is beingserved on the HTTP port, so the HTTP challenge isdisabled (no HTTPChallengeHandler is necessary). Thepackage variable Default is modified so that theHTTP challenge is disabled.

Calling this function signifies your acceptance tothe CA's Subscriber Agreement and/or Terms of Service.

Types¶

typeACMEIssuer ¶added inv0.16.0

type ACMEIssuer struct {// The endpoint of the directory for the ACME// CA we are to useCAstring// TestCA is the endpoint of the directory for// an ACME CA to use to test domain validation,// but any certs obtained from this CA are// discarded; it should perform real and valid// ACME verifications, but probably should not// issue real, publicly-trusted certificatesTestCAstring// The email address to use when creating or// selecting an existing ACME server accountEmailstring// The PEM-encoded private key of the ACME// account to use; only needed if the account// is already created on the server and// can be looked up with the ACME protocolAccountKeyPEMstring// Set to true if agreed to the CA's// subscriber agreementAgreedbool// An optional external account to associate// with this ACME accountExternalAccount *acme.EAB// Optionally select an ACME profile offered// by the ACME server. The list of supported// profile names can be obtained from the ACME// server's directory endpoint. For details://https://datatracker.ietf.org/doc/draft-aaron-acme-profiles///// (EXPERIMENTAL: Subject to change.)Profilestring// Optionally specify the validity period of// the certificate(s) here as offsets from the// approximate time of certificate issuance,// but note that not all CAs support this// (EXPERIMENTAL: Subject to change)NotBefore, NotAftertime.Duration// Disable all HTTP challengesDisableHTTPChallengebool// Disable all TLS-ALPN challengesDisableTLSALPNChallengebool// The host (ONLY the host, not port) to listen// on if necessary to start a listener to solve// an ACME challengeListenHoststring// The alternate port to use for the ACME HTTP// challenge; if non-empty, this port will be// used instead of HTTPChallengePort to spin up// a listener for the HTTP challengeAltHTTPPortint// The alternate port to use for the ACME// TLS-ALPN challenge; the system must forward// TLSALPNChallengePort to this port for// challenge to succeedAltTLSALPNPortint// The solver for the dns-01 challenge;// usually this is a DNS01Solver value// from this packageDNS01Solver acmez.Solver// TrustedRoots specifies a pool of root CA// certificates to trust when communicating// over a network to a peer.TrustedRoots *x509.CertPool// The maximum amount of time to allow for// obtaining a certificate. If empty, the// default from the underlying ACME lib is// used. If set, it must not be too low so// as to cancel challenges too early.CertObtainTimeouttime.Duration// Address of custom DNS resolver to be used// when communicating with ACME serverResolverstring// Callback function that is called before a// new ACME account is registered with the CA;// it allows for last-second config changes// of the ACMEIssuer and the Account.// (TODO: this feature is still EXPERIMENTAL and subject to change)NewAccountFunc func(context.Context, *ACMEIssuer,acme.Account) (acme.Account,error)// Preferences for selecting alternate// certificate chainsPreferredChainsChainPreference// Set a logger to configure logging; a default// logger must always be set; if no logging is// desired, set this to zap.NewNop().Logger *zap.Logger// Set a http proxy to use when issuing a certificate.// Default is http.ProxyFromEnvironmentHTTPProxy func(*http.Request) (*url.URL,error)// contains filtered or unexported fields}

ACMEIssuer gets certificates using ACME. It implements the PreChecker,Issuer, and Revoker interfaces.

It is NOT VALID to use an ACMEIssuer without calling NewACMEIssuer().It fills in any default values from DefaultACME as well as setting upinternal state that is necessary for valid use. Always callNewACMEIssuer() to get a valid ACMEIssuer value.

funcNewACMEIssuer ¶added inv0.16.0

func NewACMEIssuer(cfg *Config, templateACMEIssuer) *ACMEIssuer

NewACMEIssuer constructs a valid ACMEIssuer based on a templateconfiguration; any empty values will be filled in by defaults inDefaultACME, and if any required values are still empty, sensibledefaults will be used.

Typically, you'll create the Config first with New() or NewDefault(),then call NewACMEIssuer(), then assign the return value to the Issuersfield of the Config.

func (*ACMEIssuer)GetAccount ¶added inv0.16.0

func (am *ACMEIssuer) GetAccount(ctxcontext.Context, privateKeyPEM []byte) (acme.Account,error)

GetAccount first tries loading the account with the associated private key from storage.If it does not exist in storage, it will be retrieved from the ACME server and added to storage.The account must already exist; it does not create a new account.

func (*ACMEIssuer)GetRenewalInfo ¶added inv0.21.3

func (iss *ACMEIssuer) GetRenewalInfo(ctxcontext.Context, certCertificate) (acme.RenewalInfo,error)

GetRenewalInfo gets the ACME Renewal Information (ARI) for the certificate.

func (*ACMEIssuer)HTTPChallengeHandler ¶added inv0.16.0

func (am *ACMEIssuer) HTTPChallengeHandler(hhttp.Handler)http.Handler

HTTPChallengeHandler wraps h in a handler that can solve the ACMEHTTP challenge. cfg is required, and it must have a certificatecache backed by a functional storage facility, since that is wherethe challenge state is stored between initiation and solution.

If a request is not an ACME HTTP challenge, h will be invoked.

func (*ACMEIssuer)HandleHTTPChallenge ¶added inv0.16.0

func (am *ACMEIssuer) HandleHTTPChallenge(whttp.ResponseWriter, r *http.Request)bool

HandleHTTPChallenge uses am to solve challenge requests from an ACMEserver that were initiated by this instance or any other instance inthis cluster (being, any instances using the same storage am does).

If the HTTP challenge is disabled, this function is a no-op.

If am is nil or if am does not have a certificate cache backed byusable storage, solving the HTTP challenge will fail.

It returns true if it handled the request; if so, the response hasalready been written. If false is returned, this call was a no-op andthe request has not been handled.

func (*ACMEIssuer)Issue ¶added inv0.16.0

func (am *ACMEIssuer) Issue(ctxcontext.Context, csr *x509.CertificateRequest) (*IssuedCertificate,error)

Issue implements the Issuer interface. It obtains a certificate for the given csr usingthe ACME configuration am.

func (*ACMEIssuer)IssuerKey ¶added inv0.16.0

func (am *ACMEIssuer) IssuerKey()string

IssuerKey returns the unique issuer key for theconfigured CA endpoint.

func (*ACMEIssuer)PreCheck ¶added inv0.16.0

func (am *ACMEIssuer) PreCheck(ctxcontext.Context, names []string, interactivebool)error

PreCheck performs a few simple checks before obtaining orrenewing a certificate with ACME, and returns whether thisbatch is eligible for certificates. It also ensures that anemail address is available if possible.

IP certificates via ACME are defined inRFC 8738.

func (*ACMEIssuer)Revoke ¶added inv0.16.0

func (am *ACMEIssuer) Revoke(ctxcontext.Context, certCertificateResource, reasonint)error

Revoke implements the Revoker interface. It revokes the given certificate.

typeCache ¶

type Cache struct {// contains filtered or unexported fields}

Cache is a structure that stores certificates in memory.A Cache indexes certificates by name for quick accessduring TLS handshakes, and avoids duplicating certificatesin memory. Generally, there should only be one per process.However, that is not a strict requirement; but using morethan one is a code smell, and may indicate anover-engineered design.

An empty cache is INVALID and must not be used. Be sureto call NewCache to get a valid value.

These should be very long-lived values and must not becopied. Before all references leave scope to be garbagecollected, ensure you call Stop() to stop maintenance onthe certificates stored in this cache and release locks.

Caches are not usually manipulated directly; create aConfig value with a pointer to a Cache, and then usethe Config to interact with the cache. Caches areagnostic of any particular storage or ACME config,since each certificate may be managed and storeddifferently.

funcNewCache ¶

func NewCache(optsCacheOptions) *Cache

NewCache returns a new, valid Cache for efficientlyaccessing certificates in memory. It also begins amaintenance goroutine to tend to the certificatesin the cache. Call Stop() when you are done with thecache so it can clean up locks and stuff.

Most users of this package will not need to call thisbecause a default certificate cache is created for you.Only advanced use cases require creating a new cache.

This function panics if opts.GetConfigForCert is notset. The reason is that a cache absolutely needs tobe able to get a Config with which to manage TLSassets, and it is not safe to assume that the Defaultconfig is always the correct one, since you havecreated the cache yourself.

See the godoc for Cache to use it properly. Whenno longer needed, caches should be stopped withStop() to clean up resources even if the processis being terminated, so that it can clean upany locks for other processes to unblock!

func (*Cache)AllMatchingCertificates ¶

func (certCache *Cache) AllMatchingCertificates(namestring) []Certificate

AllMatchingCertificates returns a list of all certificates that couldbe used to serve the given SNI name, including exact SAN matches andwildcard matches.

func (*Cache)Remove ¶added inv0.19.0

func (certCache *Cache) Remove(hashes []string)

Remove removes certificates with the given hashes from the cache.This is effectively used to unload manually-loaded certificates.

func (*Cache)RemoveManaged ¶added inv0.19.0

func (certCache *Cache) RemoveManaged(subjects []SubjectIssuer)

RemoveManaged removes managed certificates for the given subjects from the cache.This effectively stops maintenance of those certificates. If an IssuerKey isspecified alongside the subject, only certificates for that subject from thespecified issuer will be removed.

func (*Cache)RenewManagedCertificates ¶

func (certCache *Cache) RenewManagedCertificates(ctxcontext.Context)error

RenewManagedCertificates renews managed certificates,including ones loaded on-demand. Note that this is doneautomatically on a regular basis; normally you will notneed to call this. This method assumes non-interactivemode (i.e. operating in the background).

func (*Cache)SetOptions ¶added inv0.19.0

func (certCache *Cache) SetOptions(optsCacheOptions)

func (*Cache)Stop ¶

func (certCache *Cache) Stop()

Stop stops the maintenance goroutine forcertificates in certCache. It blocks untilstopping is complete. Once a cache isstopped, it cannot be reused.

typeCacheOptions ¶

type CacheOptions struct {// REQUIRED. A function that returns a configuration// used for managing a certificate, or for accessing// that certificate's asset storage (e.g. for// OCSP staples, etc). The returned Config MUST// be associated with the same Cache as the caller,// use New to obtain a valid Config.//// The reason this is a callback function, dynamically// returning a Config (instead of attaching a static// pointer to a Config on each certificate) is because// the config for how to manage a domain's certificate// might change from maintenance to maintenance. The// cache is so long-lived, we cannot assume that the// host's situation will always be the same; e.g. the// certificate might switch DNS providers, so the DNS// challenge (if used) would need to be adjusted from// the last time it was run ~8 weeks ago.GetConfigForCertConfigGetter// How often to check certificates for renewal;// if unset, DefaultOCSPCheckInterval will be used.OCSPCheckIntervaltime.Duration// How often to check certificates for renewal;// if unset, DefaultRenewCheckInterval will be used.RenewCheckIntervaltime.Duration// Maximum number of certificates to allow in the cache.// If reached, certificates will be randomly evicted to// make room for new ones. 0 means unlimited.Capacityint// Set a logger to enable loggingLogger *zap.Logger}

CacheOptions is used to configure certificate caches.Once a cache has been created with certain options,those settings cannot be changed.

typeCertificate ¶

type Certificate struct {tls.Certificate// Names is the list of subject names this// certificate is signed for.Names []string// Optional; user-provided, and arbitrary.Tags []string// contains filtered or unexported fields}

Certificate is a tls.Certificate with associated metadata tacked on.Even if the metadata can be obtained by parsing the certificate,we are more efficient by extracting the metadata onto this struct,but at the cost of slightly higher memory use.

funcDefaultCertificateSelector ¶added inv0.10.7

func DefaultCertificateSelector(hello *tls.ClientHelloInfo, choices []Certificate) (Certificate,error)

DefaultCertificateSelector is the default certificate selection logicgiven a choice of certificates. If there is at least one certificate inchoices, it always returns a certificate without error. It chooses thefirst non-expired certificate that the client supports if possible,otherwise it returns an expired certificate that the client supports,otherwise it just returns the first certificate in the list of choices.

func (Certificate)Empty ¶added inv0.15.4

func (certCertificate) Empty()bool

Empty returns true if the certificate struct is not filled out; atleast the tls.Certificate.Certificate field is expected to be set.

func (Certificate)Expired ¶added inv0.12.0

func (certCertificate) Expired()bool

Expired returns true if the certificate has expired.

func (Certificate)HasTag ¶added inv0.10.7

func (certCertificate) HasTag(tagstring)bool

HasTag returns true if cert.Tags has tag.

func (Certificate)Hash ¶added inv0.19.0

func (certCertificate) Hash()string

Hash returns a checksum of the certificate chain's DER-encoded bytes.

func (Certificate)Lifetime ¶added inv0.21.5

func (certCertificate) Lifetime()time.Duration

Lifetime returns the duration of the certificate's validity.

func (Certificate)NeedsRenewal ¶

func (certCertificate) NeedsRenewal(cfg *Config)bool

NeedsRenewal returns true if the certificate is expiringsoon (according to ARI and/or cfg) or has expired.

typeCertificateResource ¶

type CertificateResource struct {// The list of names on the certificate;// for convenience only.SANs []string `json:"sans,omitempty"`// The PEM-encoding of DER-encoded ASN.1 data// for the cert or chain.CertificatePEM []byte `json:"-"`// The PEM-encoding of the certificate's private key.PrivateKeyPEM []byte `json:"-"`// Any extra information associated with the certificate,// usually provided by the issuer implementation.IssuerDatajson.RawMessage `json:"issuer_data,omitempty"`// contains filtered or unexported fields}

CertificateResource associates a certificate with its privatekey and other useful information, for use in maintaining thecertificate.

func (*CertificateResource)NamesKey ¶

func (cr *CertificateResource) NamesKey()string

NamesKey returns the list of SANs as a single string,truncated to some ridiculously long size limit. Itcan act as a key for the set of names on the resource.

typeCertificateSelector ¶

type CertificateSelector interface {SelectCertificate(*tls.ClientHelloInfo, []Certificate) (Certificate,error)}

CertificateSelector is a type which can select a certificate to use given multiple choices.

typeChainPreference ¶added inv0.13.0

type ChainPreference struct {// Prefer chains with the fewest number of bytes.Smallest *bool// Select first chain having a root with one of// these common names.RootCommonName []string// Select first chain that has any issuer with one// of these common names.AnyCommonName []string}

ChainPreference describes the client's preferred certificate chain,useful if the CA offers alternate chains. The first matching chainwill be selected.

typeChallenge ¶added inv0.13.0

type Challenge struct {acme.Challenge// contains filtered or unexported fields}

Challenge is an ACME challenge, but optionally paired withdata that can make it easier or more efficient to solve.

funcGetACMEChallenge ¶added inv0.13.0

func GetACMEChallenge(identifierstring) (Challenge,bool)

GetACMEChallenge returns an active ACME challenge for the given identifier,or false if no active challenge for that identifier is known.

typeCleanStorageOptions ¶

type CleanStorageOptions struct {// Optional custom logger.Logger *zap.Logger// Optional ID of the instance initiating the cleaning.InstanceIDstring// If set, cleaning will be skipped if it was performed// more recently than this interval.Intervaltime.Duration// Whether to clean cached OCSP staples.OCSPStaplesbool// Whether to cleanup expired certificates, and if so,// how long to let them stay after they've expired.ExpiredCertsboolExpiredCertGracePeriodtime.Duration}

CleanStorageOptions specifies how to clean up a storage unit.

typeConfig ¶

type Config struct {// How much of a certificate's lifetime becomes the// renewal window, which is the span of time at the// end of the certificate's validity period in which// it should be renewed; for most certificates, the// global default is good, but for extremely short-// lived certs, you may want to raise this to ~0.5.// Ratio is remaining:total lifetime.RenewalWindowRatiofloat64// An optional event callback clients can set// to subscribe to certain things happening// internally by this config; invocations are// synchronous, so make them return quickly!// Functions should honor context cancellation.//// An error should only be returned to advise// the emitter to abort or cancel an upcoming// event. Some events, especially those that have// already happened, cannot be aborted. For example,// cert_obtaining can be canceled, but// cert_obtained cannot. Emitters may choose to// ignore returned errors.OnEvent func(ctxcontext.Context, eventstring, data map[string]any)error// DefaultServerName specifies a server name// to use when choosing a certificate if the// ClientHello's ServerName field is empty.DefaultServerNamestring// FallbackServerName specifies a server name// to use when choosing a certificate if the// ClientHello's ServerName field doesn't match// any available certificate.// EXPERIMENTAL: Subject to change or removal.FallbackServerNamestring// The state needed to operate on-demand TLS;// if non-nil, on-demand TLS is enabled and// certificate operations are deferred to// TLS handshakes (or as-needed).// TODO: Can we call this feature "Reactive/Lazy/Passive TLS" instead?OnDemand *OnDemandConfig// Adds the must staple TLS extension to the CSR.MustStaplebool// Sources for getting new, managed certificates;// the default Issuer is ACMEIssuer. If multiple// issuers are specified, they will be tried in// turn until one succeeds.Issuers []Issuer// How to select which issuer to use.// Default: UseFirstIssuer (subject to change).IssuerPolicyIssuerPolicy// If true, private keys already existing in storage// will be reused. Otherwise, a new key will be// created for every new certificate to mitigate// pinning and reduce the scope of key compromise.// Default: false (do not reuse keys).ReusePrivateKeysbool// The source of new private keys for certificates;// the default KeySource is StandardKeyGenerator.KeySourceKeyGenerator// CertSelection chooses one of the certificates// with which the ClientHello will be completed;// if not set, DefaultCertificateSelector will// be used.CertSelectionCertificateSelector// OCSP configures how OCSP is handled. By default,// OCSP responses are fetched for every certificate// with a responder URL, and cached on disk. Changing// these defaults is STRONGLY discouraged unless you// have a compelling reason to put clients at greater// risk and reduce their privacy.OCSPOCSPConfig// The storage to access when storing or loading// TLS assets. Default is the local file system.StorageStorage// CertMagic will verify the storage configuration// is acceptable before obtaining a certificate// to avoid information loss after an expensive// operation. If you are absolutely 100% sure your// storage is properly configured and has sufficient// space, you can disable this check to reduce I/O// if that is expensive for you.// EXPERIMENTAL: Subject to change or removal.DisableStorageCheckbool// SubjectTransformer is a hook that can transform the// subject (SAN) of a certificate being loaded or issued.// For example, a common use case is to replace the// left-most label with an asterisk (*) to become a// wildcard certificate.// EXPERIMENTAL: Subject to change or removal.SubjectTransformer func(ctxcontext.Context, domainstring)string// Disables both ARI fetching and the use of ARI for renewal decisions.// TEMPORARY: Will likely be removed in the future.DisableARIbool// Set a logger to enable logging. If not set,// a default logger will be created.Logger *zap.Logger// contains filtered or unexported fields}

Config configures a certificate manager instance.An empty Config is not valid: use New() to obtaina valid Config.

funcNew ¶

func New(certCache *Cache, cfgConfig) *Config

New makes a new, valid config based on cfg anduses the provided certificate cache. certCacheMUST NOT be nil or this function will panic.

Use this method when you have an advanced use casethat requires a custom certificate cache and configthat may differ from the Default. For example, ifnot all certificates are managed/renewed the sameway, you need to make your own Cache value with aGetConfigForCert callback that returns the correctconfiguration for each certificate. However, forthe vast majority of cases, there will be only asingle Config, thus the default cache (which alwaysuses the default Config) and default config willsuffice, and you should use NewDefault() instead.

funcNewDefault ¶

func NewDefault() *Config

NewDefault makes a valid config based on the packageDefault config. Most users will call this functioninstead of New() since most use cases require only asingle config for any and all certificates.

If your requirements are more advanced (for example,multiple configs depending on the certificate), then useNew() instead. (You will need to make your own Cachefirst.) If you only need a single Config to manage yourcerts (even if that config changes, as long as it is theonly one), customize the Default package variable beforecalling NewDefault().

All calls to NewDefault() will return configs that use thesame, default certificate cache. All configs returnedby NewDefault() are based on the values of the fields ofDefault at the time it is called.

This is the only way to get a config that uses thedefault certificate cache.

func (*Config)CacheManagedCertificate ¶

func (cfg *Config) CacheManagedCertificate(ctxcontext.Context, domainstring) (Certificate,error)

CacheManagedCertificate loads the certificate for domain into thecache, from the TLS storage for managed certificates. It returns acopy of the Certificate that was put into the cache.

This is a lower-level method; normally you'll call Manage() instead.