Go Library · Let's Encrypt · Auto-Renewal

Let's Encrypt certs, the Go way

Certy is a Go library for managing Let's Encrypt SSL/TLS certificates with automatic renewal, HTTP-01 challenge support, custom certificates, and thread-safe operations.

main.go
package main

import (
    "log"

    "github.com/kintsdev/certy"
)

func main() {
    // Create a new certificate manager
    manager := certy.NewManager(
        "[email protected]", // Your email for Let's Encrypt
        "./certs",                // Directory to store certificates
        true,                     // Use staging environment first
    )

    // Issue a certificate for a domain
    err := manager.IssueCert("example.com")
    if err != nil {
        log.Fatalf("Failed to issue certificate: %v", err)
    }
}
Features

Certificate management built for Go developers

Everything you need for automated Let's Encrypt certificate lifecycle — from issuing to renewal.

Automatic Let's Encrypt

Issue and renew SSL certificates automatically via Let's Encrypt. Production and staging environment support out of the box.

HTTP-01 Challenge

Built-in ACME challenge handler for domain verification. Just wrap your HTTP handler and Let's Encrypt validates automatically.

Custom Certificates

Add your own PEM certificates alongside Let's Encrypt ones. Use AddCustomCert() with cert and key data.

Thread-Safe Operations

Concurrent certificate issuance with proper mutex locking. Safe to use across multiple goroutines without data races.

Automatic Renewal

Certificates are renewed 30 days before expiry automatically. ECDSA P-256 keys, RSA 4096-bit account keys, 88-day cert lifetime.

Staging Environment

Test with Let's Encrypt staging servers first. 300 new orders per 3 hours — switch to production when you're ready.
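
A check you can run independently of the library to confirm the renewal and key claims above, as an added example that is not Certy's code: it parses a stored certificate, verifies that the leaf key is ECDSA P-256, and reports whether the 30-day renewal window has opened. The sample certificate is constructed in memory, and auditPEM, sampleCert and renewLead are names chosen for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// renewLead is the 30-day renewal lead time stated on this page.
const renewLead = 30 * 24 * time.Hour

// auditPEM reports whether the first cert is ECDSA P-256 and due for renewal at now.
func auditPEM(pemBytes []byte, now time.Time) (p256, due bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, false, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	p256 = ok && pub.Curve == elliptic.P256()
	return p256, !now.Before(cert.NotAfter.Add(-renewLead)), nil
}

// sampleCert builds a constructed self-signed P-256 cert valid 88 days from notBefore.
func sampleCert(notBefore time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.com"},
		NotBefore: notBefore, NotAfter: notBefore.Add(88 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(auditPEM(sampleCert(start), start.AddDate(0, 0, 58)))
}
```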

Three steps to production TLS

01 Install the Library

Run go get github.com/kintsdev/certy to add Certy to your Go project.

02 Create Manager & Issue

Call NewManager(email, path, staging) then IssueCert(domain).

03 Serve with Auto-TLS

Use GetCert in your TLS config and wrap with HTTPHandler for challenges.

Full Example

HTTP server with automatic certificates

Drop Certy into any Go HTTP server. Use GetCert for automatic certificate selection and HTTPHandler for ACME challenge handling.

  • TLS config with GetCertificate callback
  • ACME challenge handler wraps your existing routes
  • Custom certs via AddCustomCert(domain, cert, key)
  • Certs stored in organized directory structure
server.go
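package main

import (
    "crypto/tls"
    "fmt"
    "log"
    "net/http"

    "github.com/kintsdev/certy"
)

func main() {
    // false selects the Let's Encrypt production environment
    manager := certy.NewManager(
        "[email protected]", "./certs", false,
    )

    server := &http.Server{
        Addr: ":8443",
        TLSConfig: &tls.Config{
            // Select the certificate for each TLS handshake
            GetCertificate: manager.GetCert,
        },
        Handler: http.HandlerFunc(
            func(w http.ResponseWriter, r *http.Request) {
                fmt.Fprintf(w, "Hello from %s!", r.Host)
            },
        ),
    }

    // Wrap with ACME challenge handler. Let's Encrypt sends HTTP-01
    // validation requests to port 80, so that port must reach this handler.
    server.Handler = manager.HTTPHandler(server.Handler)
    log.Fatal(server.ListenAndServeTLS("", ""))
}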
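
What an HTTP-01 wrapper of this kind does, as an added example using only the standard library; it is not Certy's implementation. The challengeStore type, the wrap and probe functions, and the token values are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

const acmePrefix = "/.well-known/acme-challenge/"

// challengeStore (hypothetical type) maps pending tokens to key authorizations.
type challengeStore struct {
	mu      sync.RWMutex
	pending map[string]string
}

// wrap answers HTTP-01 validation requests and passes all other traffic to next.
func (s *challengeStore) wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, acmePrefix) {
			next.ServeHTTP(w, r)
			return
		}
		// Exact-match map lookup: the token never becomes a file path, so "../" selects nothing.
		s.mu.RLock()
		keyAuth, ok := s.pending[strings.TrimPrefix(r.URL.Path, acmePrefix)]
		s.mu.RUnlock()
		if !ok || r.Method != http.MethodGet {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, keyAuth)
	})
}

// probe sends one in-memory GET through h and returns status code and body.
func probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	s := &challengeStore{pending: map[string]string{"tok123": "tok123.thumb"}} // constructed values
	h := s.wrap(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "app") }))
	fmt.Println(probe(h, acmePrefix+"tok123"))
	fmt.Println(probe(h, acmePrefix+"../tok123"))
}
```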
Use Cases

TLS for every Go service you ship

From single-server microservices to multi-domain platforms, Certy handles the certificate lifecycle so you don't have to.

Go Microservices

Embed Certy in each service to handle its own TLS certificate. No sidecar, no external agent — just your binary and a Let's Encrypt endpoint.

Zero Dependencies · Embedded

Internal & Self-Hosted Tools

Deploy internal dashboards or admin panels with valid TLS on a custom domain, renewed automatically — no manual certbot cron jobs needed.

Internal DNS · Auto-Renew

Multi-Tenant SaaS Platforms

Issue and renew certificates for customer-provided custom domains at scale. Programmatically manage hundreds of certs through the Go API.

Custom Domains · Programmatic

Regulated & Compliance Environments

Never let a TLS certificate expire in a compliance-sensitive environment again. Certy tracks expiry and renews with configurable lead time.

Expiry Alerts · Compliance

CI/CD & Ephemeral Environments

Provision valid TLS for short-lived preview environments in your deployment pipeline, then let Certy clean up automatically on teardown.

Ephemeral · CI/CD

Edge & IoT Deployments

A tiny, zero-dependency binary is ideal for edge nodes and IoT gateways that need TLS but can't run heavy certificate management agents.

Lightweight · Edge

0 External Dependencies

Auto Certificate Renewal

ACME HTTP-01 Challenge

Ready to automate your certificates?

Automatic Let's Encrypt certificates with HTTP-01 challenges, auto-renewal, and thread-safe design. Open source, production ready.

Frequently asked questions

What is Certy?

Certy is a Go library that automates Let's Encrypt SSL/TLS certificate management. It handles certificate issuance, storage, and renewal so your services stay secure without manual intervention.

How do I add Certy to my Go project?

Install with go get github.com/kintsdev/certy, then call certy.New() with your domain and email. Certy handles the ACME HTTP-01 challenge and renews certificates before expiry automatically.

Does Certy support automatic certificate renewal?

Yes. Certy monitors certificate expiry and renews before the deadline, ensuring your services are never caught with an expired certificate.

What ACME challenge types does Certy support?

Certy currently supports the HTTP-01 challenge, which works with any standard web server configuration and does not require DNS access.

Can I use Certy alongside custom or internal certificates?

Yes. Certy supports custom certificate injection alongside Let's Encrypt certificates, letting you manage internal PKI and public-facing certs from one place.