{"id":20657727,"url":"https://github.com/boltops-tools/google-ssl-cert","last_synced_at":"2026-04-24T09:32:34.250Z","repository":{"id":46304623,"uuid":"417326657","full_name":"boltops-tools/google-ssl-cert","owner":"boltops-tools","description":"Google SSL Cert Rotation Tool","archived":false,"fork":false,"pushed_at":"2021-11-01T23:28:12.000Z","size":66,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-31T15:28:26.059Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boltops-tools.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-15T00:55:07.000Z","updated_at":"2021-11-01T23:28:10.000Z","dependencies_parsed_at":"2022-09-08T21:52:35.302Z","dependency_job_id":null,"html_url":"https://github.com/boltops-tools/google-ssl-cert","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/boltops-tools/google-ssl-cert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fgoogle-ssl-cert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fgoogle-ssl-cert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fgoogle-ssl-cert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fgoogle-ssl-cert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boltops-tools","download_url":"https://codeload.github.com/b
oltops-tools/google-ssl-cert/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boltops-tools%2Fgoogle-ssl-cert/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32216915,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T08:24:32.376Z","status":"ssl_error","status_checked_at":"2026-04-24T08:24:26.731Z","response_time":64,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T18:22:40.102Z","updated_at":"2026-04-24T09:32:29.239Z","avatar_url":"https://github.com/boltops-tools.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Google SSL Cert Rotation Tool\n\n[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)\n\nA Google SSL Cert rotation automation tool.\n\n## How Does It Work?\n\nYou should run this tool in the folder with your cert files. The cert files can be inferred conventionally or explicitly specified. The tool can be used in conjunction with [Kubes](https://kubes.guru/) and the [google_secret](https://kubes.guru/docs/helpers/google/secrets/) helper. It can be used to automate the SSL cert rotation process.\n\nThis is done by generating a new SSL cert and storing its name in Google Secrets.  
All the user needs to do is be in the folder with the cert private key and signed cert. These files are typically named: `private.key` and `certificate.crt`.  The key point is that the Google Secret name itself does not change, only its value.\n\n### Kubes Kubernetes YAML\n\nYour Kubernetes YAML files can be built with [Kubes](https://kubes.guru/) with the `google_secret` helper which references the cert name.\n\nExample `ingress.yaml` with an L7 external load balancer and global cert.\n\n.kubes/resources/web/ingress.yaml:\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: web\n  annotations:\n    ingress.gcp.kubernetes.io/pre-shared-cert: '\u003c%= google_secret(\"cert-app1\", base64: false) %\u003e'\nspec:\n  defaultBackend:\n    service:\n      name: web\n      port:\n        number: 80\n```\n\nThe `.kubes/resources/web/ingress.yaml` code remains the same, but the generated/compiled `.kubes/output/web/ingress.yaml` will have the new Google SSL Cert name.  This triggers Kubernetes to do a rolling deploy properly.\n\n## Summary of Steps\n\n1. Use the `google-ssl-cert create` command to create a new SSL cert and save the name to Google Secrets.  The value in the Google Secret can be later referenced.\n2. Deploy your application to Kubernetes using the Kubes `google_secret` helper, which references the new cert name.\n3. Prune the old cert names with the `google-ssl-cert prune` command.\n\n## Usage: Quick Start\n\nMake sure you have the cert files in your current folder:\n\n    $ ls\n    private.key  certificate.crt\n\nCommand synopsis:\n\n    google-ssl-cert create CERT_NAME\n\nNote: Google SSL cert names can only contain letters, numbers, and dashes. Underscores are not allowed.\n\nExample:\n\n    $ google-ssl-cert create cert-app1\n    Global cert created: cert-app1-global-20211021155725\n    Secret saved: name: cert-app1 value: cert-app1-global-20211021155725\n\nBy convention, the secret name is the same as the cert name. 
You can override it with `--secret-name`.\n\nCheck that the cert and secret were created on Google Cloud:\n\n    % gcloud compute ssl-certificates list\n    NAME                             TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS\n    cert-app1-global-20211021155725  SELF_MANAGED  2021-10-21T08:57:26.005-07:00  2022-01-12T15:59:59.000-08:00\n    ~/environment/cert-files git:master aws:tung:us-west-2 gke:default\n    %\n    $ gcloud secrets versions access latest --secret cert-app1\n    cert-app1-global-20211021155725\n\n## Usage: Region Cert\n\nIf you need to create a region cert instead, e.g. for internal load balancers, specify the `--no-global` flag. Example:\n\n    $ google-ssl-cert create cert-app1 --no-global\n    Region cert created: cert-app1-us-central1-20211021155852 in region: us-central1\n    Secret saved: name: cert-app1 value: cert-app1-us-central1-20211021155852\n\nCheck that the cert and secret were created on Google Cloud:\n\n    $ gcloud compute ssl-certificates list\n    NAME                                  TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS\n    cert-app1-us-central1-20211021155852  SELF_MANAGED  2021-10-21T08:58:53.514-07:00  2022-01-12T15:59:59.000-08:00\n\n## Required Env Vars\n\nThese env vars should be set:\n\nName | Description\n--- | ---\nGOOGLE\\_APPLICATION_CREDENTIALS | A service account must be set up. `GOOGLE_APPLICATION_CREDENTIALS` is set to the path of the file. Example: `export GOOGLE_APPLICATION_CREDENTIALS=~/.gcp/credentials.json`\nGOOGLE_PROJECT | The env var `GOOGLE_PROJECT` must be set.\nGOOGLE_REGION | The env var `GOOGLE_REGION` must be set when creating a region-based Google SSL cert, that is, when using the `--no-global` flag.\n\nTo check that `GOOGLE_APPLICATION_CREDENTIALS` is valid and working, you can use the [boltops-tools/google_check](https://github.com/boltops-tools/google_check) test script. 
Here are the summarized commands:\n\n    git clone https://github.com/boltops-tools/google_check\n    cd google_check\n    bundle\n    bundle exec ruby google_check.rb\n\n## Cert Files Conventions\n\nThe tool will look in your current folder for these private keys in the following order:\n\n    private.key\n    server.key\n    key.pem\n\nAnd look for these certs:\n\n    certificate.crt\n    server.crt\n    cert.pem\n\nSo, for example, if you name your cert files in your current folder conventionally like so:\n\n    private.key     # private key\n    certificate.crt # signed cert\n\nThe tool is able to detect it and automatically use those files to create the cert.\n\nYou can also specify the path to the certificate and private key explicitly:\n\n    google-ssl-cert create cert-app1 --private-key server.key --certificate server.crt\n\n## Prune\n\nTo prune or delete old google ssl certs after rotating:\n\n    google-ssl-cert prune CERT_NAME\n\n## Installation\n\n    gem install google-ssl-cert\n\n## Contributing\n\n1. Fork it\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Commit your changes (`git commit -am \"Add some feature\"`)\n4. Push to the branch (`git push origin my-new-feature`)\n5. Create new Pull Request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboltops-tools%2Fgoogle-ssl-cert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboltops-tools%2Fgoogle-ssl-cert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboltops-tools%2Fgoogle-ssl-cert/lists"}