Skip to content

Add TLS/HTTPS support with Let's Encrypt and BYO certificates#246

Open
patrickdappollonio wants to merge 4 commits intomasterfrom
feat/byo-tls-support
Open

Add TLS/HTTPS support with Let's Encrypt and BYO certificates#246
patrickdappollonio wants to merge 4 commits intomasterfrom
feat/byo-tls-support

Conversation

@patrickdappollonio
Copy link
Copy Markdown
Owner

@patrickdappollonio patrickdappollonio commented Mar 30, 2026
edited
Loading

Summary

Adds native HTTPS support to http-server in two modes:

Automatic certificates (Let's Encrypt): pass --hostname example.com and a free TLS certificate is provisioned automatically via certmagic. Handles HTTP-01 challenges, automatic renewal, and filesystem-based certificate storage.

Bring your own certificate: pass --tls-cert and --tls-key with your own cert and key files.

Both modes include:

  • Dual listeners: HTTPS serves content, HTTP redirects to HTTPS (and handles ACME challenges in auto mode)
  • Certificate reload: swap certs without downtime via SIGHUP (Unix) or POST /_/tls/reload
  • Certificate metadata: GET /_/tls returns JSON with subject, SANs, issuer, and expiry
  • File hiding: cert/key files and the certmagic cache directory are hidden from listings and blocked from direct access
  • Grouped --help: all CLI flags organized into logical sections

New flags

Flag Default Description
--hostname Domain name. Alone = auto-cert from Let's Encrypt. With --tls-cert/--tls-key = BYO cert.
--tls-cert Path to TLS certificate file (PEM, BYO mode)
--tls-key Path to TLS private key file (PEM, BYO mode)
--tls-email Email for Let's Encrypt notifications (auto mode)
--tls-cache-dir .certmagic/ in served dir Certificate storage directory (auto mode)
--https-port 443 HTTPS listener port
--http-port 80 HTTP listener port (use 0 to disable in BYO mode)

Usage

# Automatic certificate from Let's Encrypt
http-server --hostname example.com -d ./site

# With email notifications and custom cert storage
http-server --hostname example.com --tls-email you@example.com --tls-cache-dir /data/certs -d ./site

# BYO certificate
http-server --tls-cert cert.pem --tls-key key.pem --hostname example.com -d ./site

# Non-privileged ports
http-server --hostname example.com --https-port 8443 --http-port 8080 -d ./site

Multi-instance / Kubernetes

Certificates are stored on the filesystem (default .certmagic/ in the served directory). Multiple instances sharing the same volume reuse the same certificates. certmagic uses file locking to prevent ACME races. Use --tls-cache-dir to point at a shared persistent volume.

Cache directory hiding is scoped to the active auto-TLS cache path only. Users serving .certmagic directories without auto-TLS are not affected.

Closes

Test plan

  • 36 test cases covering TLS types, cert loading, expiry detection, validation rules (BYO + auto mode detection + port conflicts), reload behavior, endpoint responses, file hiding, and path prefix blocking
  • All existing tests pass unchanged
  • golangci-lint clean

@patrickdappollonio
Add BYO TLS certificate support (#145, #146)
644924b 
Serve content over HTTPS using your own certificate and key pair.
When TLS is active, the server runs dual listeners: HTTPS for content
and HTTP for automatic redirects. Certificates can be reloaded at
runtime via SIGHUP or the /_/tls/reload API endpoint.

New flags: --tls-cert, --tls-key, --hostname, --https-port, --http-port.
All CLI flags are now organized into logical groups in --help output.
@patrickdappollonio
Add automatic Let's Encrypt certificate support (#145)
be1d952 
Pass --hostname without --tls-cert/--tls-key and http-server
provisions a free TLS certificate from Let's Encrypt automatically.
Handles HTTP-01 challenges on port 80, automatic renewal, and
local certificate storage via certmagic.

New flag: --tls-email for Let's Encrypt account notifications.
@patrickdappollonio
Add automatic Let's Encrypt certificates and cert storage configuration
6eb29fd 
When --hostname is passed without --tls-cert/--tls-key, http-server
provisions a free TLS certificate from Let's Encrypt automatically
via certmagic. Handles HTTP-01 challenges, automatic renewal, and
filesystem-based cert storage for multi-instance safety.

New flags:
  --tls-email      Let's Encrypt account notifications
  --tls-cache-dir  certificate storage path (default: .certmagic/ in served dir)

The cache directory is hidden from listings and blocked from direct
access only when auto-TLS is active with that specific path. Users
serving .certmagic directories without auto-TLS are not affected.

The HTTP listener is mandatory in auto-TLS mode since it handles
ACME HTTP-01 challenges (--http-port 0 is rejected).
@patrickdappollonio
Replace flag-change tracking with default-value comparison
40931a6 
Config file and environment variable values were not detected by
cmd.Flags().Changed(), so port conflicts were silently ignored when
set via .http-server.yaml or env vars. Now compares against default
values (5000 for --port, 80/443 for --http-port/--https-port) which
works regardless of how the value was configured.
@patrickdappollonio patrickdappollonio changed the title Add BYO TLS certificate support Add TLS/HTTPS support with Let's Encrypt and BYO certificates Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support for BYO certificate + key Let's Encrypt HTTPS support

1 participant

@patrickdappollonio