whatisgithub

What is certmagic?

caddyserver/certmagic — explained in plain English

Analysis updated 2026-06-26

5,557GoAudience · developerComplexity · 2/5Setup · easy

In one sentence

CertMagic is a Go library that fully automates HTTPS certificate management, requesting, installing, and renewing TLS certificates from Let's Encrypt with a single function call, no certificate files to manage.

Mindmap

mindmap
  root((CertMagic))
    What it does
      Auto HTTPS setup
      Certificate renewal
      Domain validation
    Validation methods
      HTTP challenge
      TLS-ALPN challenge
      DNS challenge
    Features
      Wildcard certs
      On-demand issuance
      Load balancer support
    Audience
      Go developers
      Web server builders
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Add automatic HTTPS to any Go web server with a single function call, no certificate files to create or renew manually

USE CASE 2

Issue certificates on demand the first time someone visits a new domain, useful for multi-tenant SaaS apps

USE CASE 3

Manage HTTPS for hundreds of thousands of domains behind a load balancer with a shared certificate storage backend

USE CASE 4

Get TLS certificates for a server behind a firewall using DNS-based domain validation instead of HTTP

What is it built with?

GoACME protocolLet's Encrypt

How does it compare?

caddyserver/certmagicvolcano-sh/volcanocubefs/cubefs
Stars5,5575,5575,559
LanguageGoGoGo
Setup difficultyeasyhardhard
Complexity2/54/55/5
Audiencedeveloperops devopsops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 30min

Domain must point to a publicly reachable server, use the staging environment during development to avoid Let's Encrypt rate limits.

So what is it?

CertMagic is a Go library that handles automatic HTTPS certificate management for any Go program. Getting a website to run over HTTPS normally involves requesting a certificate from a certificate authority, verifying that you own the domain, downloading and installing the certificate file, and repeating the renewal process every 90 days. CertMagic takes care of all of that in the background. The library works through a protocol called ACME, which is the same standard used by Let's Encrypt, the free certificate authority behind most of the web's HTTPS connections. You point your domain name at your server, call a single function in your Go code, and CertMagic contacts Let's Encrypt, proves domain ownership, retrieves a certificate, installs it, and renews it automatically before it ever expires. The whole process happens without you touching certificate files at all. To prove you own a domain, the library supports three methods. The HTTP challenge places a temporary file on your server that Let's Encrypt fetches. The TLS-ALPN challenge works at the connection level without needing port 80 open. The DNS challenge lets you add a record to your domain's DNS settings, which is useful when your server is behind a firewall and cannot be reached from the public internet. Beyond the basics, CertMagic supports wildcard certificates (which cover all subdomains at once), on-demand issuance (certificates created the moment someone first connects to a new domain), distributed operation behind load balancers, and pluggable storage backends so certificates can be saved somewhere other than the local file system. Error handling includes automatic retries for up to 30 days with exponential backoff, and the library can switch to a test environment during development to avoid hitting Let's Encrypt rate limits. This is the same library that powers the Caddy web server internally. It scales to hundreds of thousands of certificates per instance and works on Mac, Windows, Linux, and other platforms. The project requires Go 1.21 or newer. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
I am building a Go HTTP server. Show me the minimal code to use CertMagic to automatically get and renew a Let's Encrypt certificate for my domain example.com.
Prompt 2
I need CertMagic to use the DNS challenge instead of the HTTP challenge because my server is behind a firewall on port 80. How do I configure it with a DNS provider plugin?
Prompt 3
I want on-demand TLS with CertMagic so new customer domains get HTTPS the first time they connect. Show me how to enable it and add a callback that approves only known domains.
Prompt 4
How do I configure CertMagic to use a shared storage backend so multiple server instances behind a load balancer all have access to the same certificates?

Frequently asked questions

What is certmagic?

CertMagic is a Go library that fully automates HTTPS certificate management, requesting, installing, and renewing TLS certificates from Let's Encrypt with a single function call, no certificate files to manage.

What language is certmagic written in?

Mainly Go. The stack also includes Go, ACME protocol, Let's Encrypt.

How hard is certmagic to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is certmagic for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.