Automated TLS certificate routing for proxies
TL;DR
Reverse proxy plugin for backend developers managing 5+ domains that maps the SNI in each incoming TLS handshake to the matching Let’s Encrypt certificate, so they can eliminate manual certificate configuration and cut certificate-related HTTPS downtime to zero
Target Audience
Go developers building multi‑tenant HTTPS reverse proxies
The Problem
Problem Context
You run multiple websites on one server, each with its own domain. A reverse proxy routes the traffic, but HTTPS breaks because the proxy cannot pick the right TLS certificate for the hostname the client asked for while the handshake is in progress. Visitors get certificate errors or another site’s certificate, and the site is effectively down.
Pain Points
Your current code can find the backend for a hostname but cannot load the matching certificate on the fly during the TLS handshake. Workarounds such as preloading every certificate at startup fail because the set of domains keeps changing: each new one needs a config change and a reload. New sites stay broken until someone fixes them by hand, wasting hours per week.
Impact
Downtime means lost revenue, frustrated users, and wasted time fixing broken HTTPS. Every new site requires manual certificate setup, slowing down growth. Without a fix, scaling your proxy becomes impossible—each new domain is a manual headache.
Urgency
This isn’t a ‘nice-to-have’—it’s a showstopper. Without dynamic certificate selection, your multi-site setup won’t work. The problem grows with each new domain, making it harder to ignore. Fixing it manually each time is unsustainable as your infrastructure scales.
Target Audience
Backend developers, DevOps engineers, and sysadmins running reverse proxies (Nginx, HAProxy, custom Go proxies) for multiple domains. Also affects hosting providers, SaaS teams, and anyone managing shared server infrastructure with dynamic TLS needs.
Proposed AI Solution
Solution Approach
CertFlow is a lightweight Go service that sits alongside your reverse proxy. It reads the SNI (Server Name Indication) from each incoming ClientHello and serves the matching Let’s Encrypt certificate for that hostname during the handshake. No manual setup: point your proxy at CertFlow, and it handles the rest.
Key Features
- Let’s Encrypt Integration: Automatically obtains and renews certificates via DNS-01 challenges (using lego), which needs API credentials for your DNS provider.
- Proxy Agnostic: Works with any reverse proxy (Nginx, HAProxy, custom Go proxies) that can forward the raw TLS stream over a plain TCP proxy pass; CertFlow terminates TLS.
- Zero-Downtime Updates: Certificates refresh without restarting your proxy or disrupting traffic.
User Experience
You install CertFlow once, configure it with your domains, and forget it. Your proxy passes the raw TLS stream to CertFlow, which picks the certificate from the SNI in each handshake. New domains? Add them to CertFlow’s config and it obtains the certificate itself. Because only configured domains are served, a stray or forged SNI never triggers an issuance or receives another tenant’s certificate. Your sites stay secure and fast, with no downtime.
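The following is an added example, not code from the CertFlow project or the page’s author, showing how the SNI-to-certificate mapping described above looks in Go’s crypto/tls: a `CertStore` whose `GetCertificate` method is handed to `tls.Config` and called by the TLS stack mid-handshake, an allowlist behaviour (unknown SNI fails the handshake rather than serving a default certificate), and a `Put` that hot-swaps a renewed certificate without a restart. The names `CertStore`, `Put`, `SelfSigned` and `ServedName` are assumptions of this example; `SelfSigned` produces constructed self-signed test certificates in place of what lego would fetch from Let’s Encrypt, and `ServedName` runs a real handshake over loopback in place of the proxy’s TCP pass.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// CertStore serves one certificate per configured host from tls.Config.GetCertificate,
// which crypto/tls calls mid-handshake with the parsed ClientHello. The map is also the
// allowlist: SNI is client-controlled, so an unknown name is refused outright rather
// than answered with another tenant's certificate. The zero value is ready to use.
type CertStore struct {
	mu    sync.RWMutex
	certs map[string]*tls.Certificate
}

// Put installs or replaces the certificate for host. The next handshake gets the new
// one with no restart; handshakes already running keep the pointer they fetched.
func (s *CertStore) Put(host string, cert *tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.certs == nil {
		s.certs = make(map[string]*tls.Certificate)
	}
	s.certs[strings.ToLower(host)] = cert
}

// GetCertificate maps hello.ServerName (lower-cased, trailing dot stripped) to a cert.
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if name == "" {
		return nil, fmt.Errorf("certflow: ClientHello carries no SNI")
	}
	s.mu.RLock()
	defer s.mu.RUnlock()
	if cert, ok := s.certs[name]; ok {
		return cert, nil
	}
	return nil, fmt.Errorf("certflow: no certificate configured for %q", name)
}

// SelfSigned mints a throwaway certificate for names: constructed test data standing in
// for what lego fetches from Let's Encrypt, marked as a CA only so a client can pin it.
func SelfSigned(names ...string) (*tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: names[0]},
		DNSNames:              names,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// ServedName stands in for the proxy's TCP pass: a real handshake over loopback, the
// client sending sni and trusting roots. Server-side handshake errors surface on the
// client as a failed Dial, so a refused selection never falls back to a wrong cert.
func ServedName(store *CertStore, sni string, roots *x509.CertPool) (*x509.Certificate, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tls.Server(conn, &tls.Config{GetCertificate: store.GetCertificate}).Handshake()
		}
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, RootCAs: roots})
	if err != nil {
		return nil, err
	}
	defer client.Close()
	return client.ConnectionState().PeerCertificates[0], nil
}
```

In a deployment, the proxy’s TCP pass (an Nginx `stream` block or an HAProxy `mode tcp` frontend) hands the unterminated TLS connection to the port on which `tls.Server` with this `GetCertificate` listens; lego’s issued certificate replaces `SelfSigned`, and each renewal becomes a `Put`, which is what lets certificates refresh without restarting the proxy. Refusing empty or unknown SNI is deliberate: a client that omits SNI or guesses hostnames gets a handshake failure instead of a certificate that reveals which other tenants live on the box.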
Differentiation
Unlike stock Nginx/HAProxy (which expect every certificate file to exist on disk and be wired into their config before a handshake can succeed) or manual scripts (which break under load), CertFlow is designed *specifically* for dynamic SNI-based TLS. It’s lighter than full proxy solutions, faster than manual workarounds, and more reliable than homegrown scripts.
Scalability
CertFlow scales with your needs. Start with a single instance for solo devs, then add team seats for shared certificate management. Supports high-traffic sites with low latency, and integrates with monitoring tools for uptime alerts.
Expected Impact
Your multi-site setup works out of the box—no more broken HTTPS or manual certificate juggling. Add new domains in seconds, not hours. Downtime drops to zero, and your infrastructure scales effortlessly. CertFlow pays for itself in the time you save.