tlsd is a TLS certificate daemon protocol. It allows multiple clients to request TLS certificates and private keys to serve TLS connections.
Because obtaining a certificate from ACME via the HTTP-01 or TLS-ALPN-01 challenge requires listening on port 80 or port 443, services like mail servers can't request one automatically (doing so would conflict with a web server on the same host). ACME also supports DNS challenges, but these aren't a viable general solution because the ACME client would need to support every DNS provider's API individually.
Right now there are two main solutions used by users when setting up a TLS service:
None of these solutions allow services to provide zero-configuration TLS support.
tlsd aims to fix this issue by establishing a standard certificate protocol. Services like mail servers connect to a certificate daemon (which can be either a standalone daemon or a web server like Caddy). They register a domain name, and get an event when a new certificate is available. The certificate daemon is responsible for keeping certificates up-to-date.
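The service-side half of that exchange is the part a practitioner has to get right: a certificate event arrives while connections are being served, and the service must validate it and swap it in without a restart. The following Go example is added here and is not part of tlsd; it does not speak Varlink, and the `CertEvent` shape, the `CertStore` type and the self-signed test certificate are all assumptions made for illustration. It shows a store that rejects an event whose certificate does not match the registered domain or is not currently valid, and that hands the live certificate to `crypto/tls` through `GetCertificate` so a renewal takes effect on the next handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CertEvent is a hypothetical "new certificate available" notification; the real
// tlsd Varlink messages are not reproduced here.
type CertEvent struct {
	Domain  string
	CertPEM []byte // leaf certificate (plus chain), PEM encoded
	KeyPEM  []byte // matching private key, PEM encoded
}

// CertStore holds the certificate currently served for one registered domain
// and lets it be replaced while a listener is running.
type CertStore struct {
	mu  sync.RWMutex
	cur *tls.Certificate
}

// Apply validates an event and, only if it is acceptable, swaps the live certificate.
// A bad event leaves the previously installed certificate untouched.
func (s *CertStore) Apply(ev CertEvent, now time.Time) error {
	c, err := tls.X509KeyPair(ev.CertPEM, ev.KeyPEM)
	if err != nil {
		return fmt.Errorf("certificate/key pair rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return fmt.Errorf("leaf certificate unparsable: %w", err)
	}
	// The daemon is trusted to fetch certificates, but a mismatched or stale
	// certificate must still never replace a good one.
	if err := leaf.VerifyHostname(ev.Domain); err != nil {
		return fmt.Errorf("certificate is not for %q: %w", ev.Domain, err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("certificate is not valid at the current time")
	}
	c.Leaf = leaf
	s.mu.Lock()
	s.cur = &c
	s.mu.Unlock()
	return nil
}

// GetCertificate plugs into tls.Config so every handshake sees the newest certificate.
func (s *CertStore) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.cur == nil {
		return nil, errors.New("no certificate installed yet")
	}
	return s.cur, nil
}

// TLSConfig returns a server config that consults the store on each handshake.
func (s *CertStore) TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: s.GetCertificate}
}

// selfSigned builds a constructed self-signed certificate for a domain, standing in
// for what a certificate daemon would deliver. Test data only.
func selfSigned(domain string, notBefore time.Time, ttl time.Duration) (CertEvent, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertEvent{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return CertEvent{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return CertEvent{}, err
	}
	return CertEvent{
		Domain:  domain,
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	store := &CertStore{}
	ev, err := selfSigned("mail.example.test", time.Now().Add(-time.Hour), 48*time.Hour)
	if err != nil {
		panic(err)
	}
	if err := store.Apply(ev, time.Now()); err != nil {
		panic(err)
	}
	c, _ := store.GetCertificate(nil)
	fmt.Println("serving", c.Leaf.DNSNames, "until", c.Leaf.NotAfter.UTC().Format(time.RFC3339))
	_ = store.TLSConfig() // pass to tls.NewListener / http.Server in a real service
}
```

A service would call `Apply` from whatever goroutine receives events from the daemon; because `GetCertificate` is consulted per handshake, in-flight connections keep the certificate they negotiated and new ones pick up the renewal immediately.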
tlsd uses Varlink. The interface definition is available at
tlsd-fs is a daemon that reads certificates from the filesystem. It can be used with existing tools like certbot or lego.
```shell
go build ./cmd/tlsd-fs
./tlsd-fs
```
tlsd-acme is a daemon that handles ACME negotiation (e.g. with Let's Encrypt) and maintains fresh certificates.
tlsd-caddy is a tlsd plugin for Caddy 2. Certificate retrieval and maintenance is offloaded to Caddy.