Open source · Self-hosted · DNS-01 validation

Free SSL certificates, automated, on your terms.

CertMate issues and renews Let's Encrypt certificates using DNS-01 validation across 23 DNS providers, then ships the renewed bundle to your edge via deploy hooks. Wildcards, multi-SAN, CNAME delegation, role-scoped API keys — handled.

Looks like Caddy or Traefik already handle this for you? They do, until they don't. CertMate is the answer when you need wildcards, cross-cluster cert sync, audited renewals, or DNS-01 on providers the reverse proxy doesn't speak.

23 DNS providers

Cloudflare, Route 53, Azure, Google, Hetzner, OVH, PowerDNS, Linode, Vultr, Gandi, deSEC via ACME-DNS — and more. First-class plugins, not generic wrappers.

Wildcards by default

DNS-01 means *.example.com works without HTTP redirects or port-80 gymnastics. CNAME delegation lets you validate domains whose DNS lives elsewhere.

Deploy hooks

On each renewal, CertMate runs your hook: push the new cert to S3, reload nginx, sync to a sibling cluster, page on failure. One contract, run anywhere.

Scoped API keys

role=operator + allowed_domains per token. Audit log captures every issue, renew, and deploy with caller identity. Self-hosted, so the keys never leave your network.

What this site is for

Hand-written explainers covering the parts of certificate management that are easy to get wrong: ACME protocol mechanics, DNS-01 validation chains, wildcard issuance, CNAME delegation across providers, deploy-hook contracts. Each piece cites the CertMate source it's grounded in. No LLM-generated filler.

A public chat companion grounded in the same docs is on the way; it will live at api.agent.certmate.org once deployed next sprint. The full conversational layer is already available as a sidecar for self-hosters today.

Run it on your infrastructure.

Docker Compose, single binary, or Python install. Sensible defaults, no telemetry, no SaaS dependency. The conversational sidecar is a separate, optional add-on.