{"id":39207597,"url":"https://github.com/aptise/peter_sslers","last_synced_at":"2026-01-17T23:00:58.484Z","repository":{"id":5995508,"uuid":"54431432","full_name":"aptise/peter_sslers","owner":"aptise","description":"or how i stopped worrying and learned to love the ssl certificate","archived":false,"fork":false,"pushed_at":"2025-10-17T20:21:27.000Z","size":7090,"stargazers_count":64,"open_issues_count":4,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-18T21:42:14.493Z","etag":null,"topics":["acme","acme-client","letencrypt","nginx","openresty","pyramid","python","ssl-certificate"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aptise.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-03-21T23:57:01.000Z","updated_at":"2025-10-17T20:21:32.000Z","dependencies_parsed_at":"2024-06-29T01:43:24.592Z","dependency_job_id":"da11c94e-394c-4376-bad8-4a98c15e4d3e","html_url":"https://github.com/aptise/peter_sslers","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/aptise/peter_sslers","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aptise%2Fpeter_sslers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aptise%2Fpeter_sslers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aptise%2Fpe
ter_sslers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aptise%2Fpeter_sslers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aptise","download_url":"https://codeload.github.com/aptise/peter_sslers/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aptise%2Fpeter_sslers/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28521292,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T22:11:28.393Z","status":"ssl_error","status_checked_at":"2026-01-17T22:11:27.841Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","acme-client","letencrypt","nginx","openresty","pyramid","python","ssl-certificate"],"created_at":"2026-01-17T23:00:39.584Z","updated_at":"2026-01-17T23:00:58.201Z","avatar_url":"https://github.com/aptise.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"If you'd like, jump to the [QuickStart](https://github.com/aptise/peter_sslers/blob/main/docs/QuickStart.md); otherwise keep reading.\n\nProject History\n===============\n\nPeterSSLers is a bundled ACME Client, Certificate Manager, OpenResty/Nginx Plugin\nand Python-based framework designed for programmatically managing SSL Certificates.\n\nThis 
project started at Aptise Media as an internal tool for obtaining and managing\nSSL Certificates for whitelabeled systems (e.g. partner and customer domains).\nThe project integrated an ACME(v1) Client, a SQL based Certificate Manager, and\nan OpenResty plugin for dynamic certificate loading.\n\nACME-V2 support involved a large rewrite of the Client and the Certificate\nManager's design. The central object changed from a `X509Certificate` to the\n`AcmeOrder`, which caused a ripple effect.  The V1 release again changed the\ncentral object to a new `RenewalConfiguration` concept and streamlined operations.\n\nAside from offering scalable and programmatic management, the project also\nsupports Backup Certificates procured against a secondary CA and can be\nconfigured to support Backup Challenges (failing over to DNS-01 if HTTP-01 is\nunavailable, and vice-versa).\n\npeter_sslers README\n===================\n\nPeter SSLers *or how i stopped worrying and learned to LOVE the SSL Certificate*.\n\n`peter_sslers` is a framework designed to help *experienced* Admins and DevOps\npersons manage SSL Certificates and deploy them on larger systems (e.g. you have\nlots of Domains and/or Nodes and/or Networks).  
This system is NOT designed for\ncasual usage; it was designed for the needs of cloud deployed PAAS/SAAS systems\nthat host domains for scalable numbers of customers over scalable nodes.\n\nWhat's in the \"box\" ?\n\n* This project is a Python/[Pyramid](https://github.com/pylons/pyramid) based\n  robust SSL Certificate Client, Manager and Explorer, complete with:\n  * an Admin Dashboard,\n  * a fully programmatic API,\n  * commandline tools\n  * cron job \"routines\"\n  * an integrated ACME V2 Client optimized for the\n    [LetsEncrypt](https://LetsEncrypt.org) CertificateAuthority.\n* The paired project\n  [Lua-Resty Peter_SSLers](https://github.com/aptise/lua-resty-peter_sslers)\n  is an [OpenResty](https://github.com/openresty/openresty) Lua module to enable\n  Dynamic SSL Certificate Handling on the `Nginx` webserver.\n\n**This library contains everything you need to ssl-erate an infinitely scalable\nmulti-server or multi-domain setup!!!**\n\nAmazing, right?\n\nThis project is *not* aimed at casual users or people concerned with a handful of\nwebsites or servers.\n\nThis project is designed for people who have lots of Domains and/or Servers,\nall of which need to be coordinated and centrally managed. The target audience\nis companies that offer whitelabel services, such as: SAAS, PAAS, hosting user\ndomains, and other infrastructure oriented systems.\n\nIf you can use Certbot or another consumer friendly simple client to solve your\nneeds, YOU ALMOST ABSOLUTELY WANT TO USE THAT CLIENT INSTEAD.\n\nPeter, as we fondly call this package, offers lightweight tools to centrally manage\nSSL Certificate data in a centralized SQL database of your choice. 
PostgreSQL is\nrecommended; sqlite3 is supported and the primary testing environment.\n\nPeter combines an integrated ACME V2 Client designed to primarily operate against\nthe LetsEncrypt service, alongside tools designed to manage, deploy and troubleshoot\nSSL Certificates.\n\nIt is highly likely that PeterSSLers will work with most, if not all, ACME Servers.\nHowever, **only LetsEncrypt's Boulder and Pebble are target ACME Servers at this time**.\nLetsEncrypt's implementation of the ACME RFC,\n[Boulder](https://github.com/letsencrypt/boulder), has made some unique decisions\nregarding RFC spec-compliant implementation details, and this system was written\nto support those first and foremost.  Widespread compatibility is hopefully achieved\nby using the [Pebble](https://github.com/letsencrypt/pebble) ACME Server for\ntesting.\n\nPeter's core tool is a lightweight database-backed\n[Pyramid](https://github.com/pylons/pyramid) application that can:\n\n* Act as a client for the entire ACME Certificate provisioning process,\n  operating behind a proxied webserver for HTTP-01 challenges or integrating\n  with an [acme-dns](https://github.com/joohoi/acme-dns) server.\n* Offer a unified API for creating and managing the ACME process. 
Your client\n  software will only talk to Peter, never LetsEncrypt/ACME.\n* Import existing ACME Account Credentials for various CA Operations.\n* Import existing SSL Certificates for management and exploration\n* Ease provisioning Certificates onto various servers across your systems\n* Browse Certificate data and easily see what needs to be renewed\n* Interact with the upstream ACME Servers to deal with accounts, pending\n  AcmeAuthorizations, and all that mess.\n* Communicate with a properly configured\n  [OpenResty](https://github.com/openresty/openresty) enabled `Nginx` web server\n  (see next section)\n* Prime a Redis cache with Certificate data\n* Translate Certificates into different formats\n* Be the source of lots of puns!\n\nPeter ships alongside a `Lua` `opm` module for the\n[OpenResty](https://github.com/openresty/openresty) framework on the `Nginx`\nserver which will:\n\n* Dynamically request Certificates from a primed `Redis` cache\n* Store data in `Nginx`'s shared worker and main memories\n* Expose routes to flush the worker shared memory or expire select keys.\n\nThe [Peter_SSLers OpenResty Module](https://github.com/aptise/lua-resty-peter_sslers)\nis available in a separate project,\n[lua-resty-peter_sslers](https://github.com/aptise/lua-resty-peter_sslers), and can\nbe installed into your [OpenResty](https://github.com/openresty/openresty) / `Nginx`\nserver via the `opm` package installer. It has been used in production for several\nyears.\n\nThe [Pyramid](https://github.com/pylons/pyramid) based application can function\nas a daemon for Admin or API access, or even a commandline script. Most web pages\noffer `.json` endpoints, so you can easily issue commands via `curl` and have\nhuman-readable data in a terminal window. Don't want to do things manually? Ok -\neverything was built to be readable on commandline browsers... yes, this is\nactually developed-for and tested-with Lynx.  
I sh*t you not, Lynx.\n\nDo you like book-keeping and logging?  Peter's ACME Client can log everything into\nSQL so you can easily find the answers to burning questions like:\n\n* What AcmeAuthorizations are still pending?\n* What AcmeChallenges are active?\n* Which external IPs are triggering my AcmeChallenges?\n* Where did this PrivateKey come from?\n* How many requests have I been making to upstream servers?\n\nAll communication to the upstream ACME server is logged using Python's standard\n`logging` module.\n\nmodule: `peter_sslers.lib.acme_v2`\n* log level: `logging.info` will show the raw data received\n* log level: `logging.debug` will show the response parsed to json, when applicable\n\n**THIS PACKAGE IS EXTREME TO THE MAX!!!**\n\nDo you like cross-referencing?  Your certs are broken down into fields that are\ncross-referenced or searchable within Peter as well.\n\n*Peter has absolutely no security measures and should only be used by people who\nunderstand that.* This should be a self-selecting group, because many people will\nnot want this tool. Peter is a honeybadger, he don't care. He does what he wants.\n\nPeter offers several commandline tools -- so spinning up a tool \"webserver\" mode\nmay not be necessary at all -- or might only be needed for brief periods of time.\n\nSQLAlchemy is the underlying database library, so virtually any database can be used\n(SQLite, PostgreSQL, MySQL, Oracle, mssql, etc). `SQLite` is the default, but\nthe package has been deployed against PostgreSQL. 
SQLite is actually kind of great,\nbecause a single `.sqlite` file can be sftp'd on-to and off-of different machines\nfor distribution and local viewings.\n\nPeter only uses the Cryptography package; support for PyOpenSSL was dropped.\n\n\nHow?\n-----\n\nThere are 2 main libraries:\n\n* The paired\n  [Lua-Resty Peter_SSLers](https://github.com/aptise/lua-resty-peter_sslers)\n  project, an [OpenResty](https://github.com/openresty/openresty) Lua module\n  that enables Dynamic SSL Certificate Handling on the `Nginx` webserver.\n\n* This Python library, [Peter_SSLers](https://github.com/aptise/peter_sslers),\n  which provides:\n  * Commandline Tools\n  * A webserver application for obtaining and managing certificates\n    * designed for JSON/API programmatic usage\n    * usable by humans with simplified html\n  * An isolated library and model for building custom applications\n\nProvisioning Certificates and initial orders can be done through the web\ninterface or through commandline tools.\n\nRenewing Certificates can be done via two methods:\n\n* If the web application is running, it can renew certificates\n* A commandline routine will spin up a webserver to answer challenges if needed\n\nCurrent support for ACME Challenge Types:\n\n* HTTP-01: answered by the native webserver\n* DNS-01: domains will be registered with a global acme-dns server\n* TLS-ALPN-01: support is not currently planned\n\nAll data is stored in a per-environment directory.  You can run multiple deployments with a single installation, and easily migrate entire installations across machines.\n\nWhy?\n-----\n\nMost of us hate having to spend time on DevOps tasks. Personally, I would rather\nspend time working on the core product or consumer products. This tool was designed\nas a swiss-army-knife to streamline some tasks and troubleshoot a handful of issues\nwith https hosting. 
This also allows for programmatic control of most ACME\noperations that can be difficult to accomplish with Certbot and other popular clients.\n\nPeter sits in between your machines and LetsEncrypt. It is designed to let your\napplications programmatically interact with ACME servers, allowing you to\nprovision new Certificates and load them into webservers.\n\nPeter is originally designed for systems that offer whitelabel services in the cloud.\n\nPRs are absolutely welcome, even if just fixes or additions to the test-suite.\n\n\nStatus\n------\n\nPeter SSLers is fully functional and deployed in production environments for:\n\n* Certificate Management\n* Certificate Procurement\n* Manual Renewal\n* Programmatic Renewal\n* Interrogating and syncing against ACME Servers\n* Queuing new Domains for Certificate Provisioning\n* Automatic Renewal\n* Backup Certificates\n* ARI Monitoring\n\nWARNING (Important)\n===================\n\n* This package DOES NOT USE/KNOW/CARE ABOUT SECURITY.\n* This package manages PRIVATE SSL KEYS and makes them readable.\n* If you do not know / are not really awesome with basic network security PLEASE\n  DO NOT USE THIS.\n\n\nACME2 Features\n==============\n\n| Feature | Supported? |\n| --- | --- |\n| New Certificate | Yes |\n| Renew Certificate | Yes |\n| Deactivate Account | Yes |\n| Account Key Rollover | Yes |\n| Automatic Renewal Information | Yes |\n| EAB | No [1] |\n| IP Address Certificates | No [2] |\n\n[1] EAB is not implemented due to the lack of need. This may one day change.\n\n[2] The foundation for IP Address Certificates has been completed, but the support\nis not feature complete.\n\n\nThe Components\n==============\n\n\"Peter SSLers\" - a `Pyramid` Application\n----------------------------------------\n\n\"Peter SSLers\" is the core toolkit. It is a\n[Pyramid](https://github.com/pylons/pyramid) application that can be spun up as a\nwebserver or used via a commandline interface. 
Peter is your friend and handles all\nof the Certificate Management and translation functions for you.  He's a bit\neccentric, but basically a good guy.\n\n\"SSL Minnow\" - The Datastore\n----------------------------------------\n\nBy default, the \"SSL Minnow\" is a SQLite database `ssl_minnow.sqlite`. It is the\nbacking datastore for SSL Certificates and the operations log. Your data is ONLY\nsaved to the SSL Minnow - not to the filesystem like other LE clients - so you\nshould be careful with it. If the Minnow is lost, it cannot be recovered.\nBe a good skipper, or your three hour tour could end up taking many years and might\ninvolve the Harlem Globetrotters, who are great to watch but do you want to be stuck\non a remote desert island with them?!?! No.\n\n\"SSLX\" - The `OpenResty` package\n----------------------------------------\n\n[OpenResty](https://github.com/openresty/openresty) is a fork of the nginx\nwebserver which offers a lot of programmatic hooks (similar to Apache's mod_perl).\nOne of the many hooks allows for programmatic determination and loading of SSL\nCertificates based on the hostname.\n\nA tiered waterfall approach is used to aggressively cache Certificates:\n\n* initial attempt: `nginx` worker memory\n* failover 1:  `nginx` shared memory\n* failover 2: centralized `redis` server\n* failover 3: querying the `Peter SSLers` `Pyramid` application\n\nThe [Pyramid](https://github.com/pylons/pyramid) application can be used to prime\nand clear each cache level.\n\nSSLX, I'm your only friend. 
SSLX, Your love will sing for you.\n\nAvailable via the opm package manager:\n\n    opm get lua-resty-peter_sslers\n\nThe source and docs are available on a separate github repository:\n\n* https://github.com/aptise/lua-resty-peter_sslers\n\n\n\"Routines\" and Scripts\n----------------------------------------\n\nSeveral \"routines\" and scripts are provided for commandline invocation:\n\nRoutines for cron:\n\n* periodic_tasks\n  This routine runs all the other routines on a schedule\n  * on first run:\n    * it generates a line to enter into your crontab, using a random minute\n    * a json file is created that lists which hours the other routines will be run\n  * on subsequent runs:\n    * the json file is loaded and tasks are dispatched\n\n  The crontab should be installed to run every hour on a set minute, said set minute\n  recommended by the periodic_tasks script.  The scheduler will figure out what to run\n  on a given hour.\n\n  If certs need to be ordered, a WSGI server running on :config.ini:`http_port.renewals`\n  will be spun up to answer AcmeChallenges in a subprocess. Whatever server is\n  listening to port 80 should proxy to this server.  
This server only responds to\n  public URLs.\n  \n  `periodic_tasks` is designed to run every core routine on an hourly basis.\n\n  If alternate invocation strategies are required, there is a specific commandline\n  routine for each task which can be used instead.\n\nPlease read the\n[Automation Guide](https://github.com/aptise/peter_sslers/blob/main/docs/Automation.md)\nfor more details and additional routines.\n\n\nToDo\n=====\n\nSee `TODO.txt`\n\n\nGetting Started\n===============\n\nPlease read the\n[Full Installation Instructions](https://github.com/aptise/peter_sslers/blob/main/docs/Installation.md)\n\nThere is also a\n[QuickStart](https://github.com/aptise/peter_sslers/blob/main/docs/QuickStart.md)\n\nThe abridged version:\n\n```\nmkdir certificate_admin\ncd certificate_admin\nvirtualenv peter_sslers-venv\nsource peter_sslers-venv/bin/activate\ngit clone https://github.com/aptise/peter_sslers.git\ncd peter_sslers\n$VENV/bin/pip3 install -e .\nmkdir data_development\ncp example_configs/development.ini data_development/config.ini\nvi data_development/config.ini\n$VENV/bin/initialize_peter_sslers_db data_development\n$VENV/bin/import_certbot data_development dir=/etc/letsencrypt\n$VENV/bin/pserve data_development/config.ini\n```\n\n\nFull Documentation\n==================\n\n* [QuickStart](https://github.com/aptise/peter_sslers/blob/main/docs/QuickStart.md)\n* [Installation](https://github.com/aptise/peter_sslers/blob/main/docs/Installation.md)\n* [Configuration Options](https://github.com/aptise/peter_sslers/blob/main/docs/Configuration_Options.md)\n* [General_Management_Concepts](https://github.com/aptise/peter_sslers/blob/main/docs/General_Management_Concepts.md)\n* [Implementation_Details](https://github.com/aptise/peter_sslers/blob/main/docs/Implementation_Details.md)\n* [Automation](https://github.com/aptise/peter_sslers/blob/main/docs/Automation.md)\n* [Frequently Asked 
Questions](https://github.com/aptise/peter_sslers/blob/main/docs/Frequently_Asked_Questions.md)\n* [Misc](https://github.com/aptise/peter_sslers/blob/main/docs/Misc.md)\n* [Tools](https://github.com/aptise/peter_sslers/blob/main/docs/Tools.md)\n* [Tests](https://github.com/aptise/peter_sslers/blob/main/docs/Tests.md)\n* [Versioning](https://github.com/aptise/peter_sslers/blob/main/docs/Versioning.md)\n\n\nRelated Projects\n==================\n* [aptise/lua-resty_peter_sslers](https://github.com/aptise/lua-resty-peter_sslers)\n* [aptise/cert_utils](https://github.com/aptise/cert_utils)\n* OpenResty\n  * [Github Source](https://github.com/openresty/openresty)\n  * [Project Homepage](https://openresty.org)\n* Pyramid\n  * [Github Source](https://github.com/pylons/pyramid)\n  * [Project Homepage](https://trypyramid.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faptise%2Fpeter_sslers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faptise%2Fpeter_sslers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faptise%2Fpeter_sslers/lists"}