CertMagex

Automatic SSL certs from Let's Encrypt for your Phoenix applications. This is based on the ZeroSSL library which is used for the ACME handshake. Plugging into the sni_fun and the name is inspired by similar functionality of the golang certmagic library.

This is used in the real world for example on https://tcpbin.net.

Installation

For Cowboy add to your prod.exs:

config <your_app>, <your_endpoint>,
https: [port: 443, sni_fun: &CertMagex.sni_fun/1],
# ATTENTION: Ensure you comment http: out and port 80 is free!
...

For Bandit add to your prod.exs:

config <your_app>, <your_endpoint>,
https: [port: 443, thousand_island_options: [transport_options: [sni_fun: &CertMagex.sni_fun/1]]],
# ATTENTION: Ensure you comment http: out and port 80 is free!
...

And add this to your deps:

def deps do
[
{:certmagex, "~> 1.0"}
]
end

You're done!

Optional Configuration values

The following configuration values are optional and can be set in your config.exs file.

Custom storage backend

A backend implements the CertMagex.Storage.Backend behaviour:

defmodule MyApp.CertStorage do
@behaviour CertMagex.Storage.Backend
@impl true
def child, do: :ignore
@impl true
def insert(_key, _value), do: :ok
@impl true
def delete(_key), do: :ok
@impl true
def lookup(_key), do: nil
end

Return a supervisor child spec from child/0 when the backend needs its own process (as CertMagex.Storage.Dets does with DetsPlus); return :ignore if it does not.

IP address certificates

When using Let's Encrypt (provider: :letsencrypt or :letsencrypt_test), certmagex can issue certificates for IP addresses (IPv4 and IPv6). IP certificates are short-lived (~6 days) and require reliable automated renewal. They are not supported with the :zerossl provider. If the SNI callback receives an IP and the provider does not support IP certs, no certificate is generated (and a warning is logged).

Example config.exs

config :certmagex,
provider: :zerossl,
account_key: System.get_env("ZEROSSL_ACCOUNT_KEY"),
addr: "0.0.0.0",
user_email: "your@email.com",
storage_module: CertMagex.Storage.Acmev2Adapter

Notes

Generated certificates are by default stored in $HOME/.local/share/certmagex but the XDG_DATA_HOME variable is respected.

This wouldn't be possible without the Acmev2 module from zerossl https://hex.pm/packages/zerossl