{"id":29301457,"url":"https://github.com/fabriziosalmi/certmate","last_synced_at":"2026-05-25T14:01:24.484Z","repository":{"id":300909819,"uuid":"1007555070","full_name":"fabriziosalmi/certmate","owner":"fabriziosalmi","description":"SSL Certificate Management System (API + UI)","archived":false,"fork":false,"pushed_at":"2026-05-22T21:12:30.000Z","size":9824,"stargazers_count":1188,"open_issues_count":4,"forks_count":89,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-05-22T22:28:42.649Z","etag":null,"topics":["automation","certificate-generation","certificate-management","certificate-renewal","certificate-revocation-lists","certification-authority","private-ca","ssl-api","ssl-certificates","ssl-management","tls-certificate","tls-certificates"],"latest_commit_sha":null,"homepage":"https://www.certmate.org/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fabriziosalmi.png","metadata":{"files":{"readme":"README.dockerhub.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"fabriziosalmi"}},"created_at":"2025-06-24T07:16:05.000Z","updated_at":"2026-05-22T21:12:34.000Z","dependencies_parsed_at":"2025-07-11T21:17:05.795Z","dependency_job_id":"7fbf499e-873e-44db-a888-7881c3e36569","html_url":"https://github.com/fabriziosalmi/certmate","commit_stats":null,"previous_names":["fabriziosalmi/certmate"],"tags_count":113,"template":false,"template_full_name":null,"purl":"pkg:github/fabriziosalmi/certmate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fcertmate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fcertmate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fcertmate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fcertmate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fabriziosalmi","download_url":"https://codeload.github.com/fabriziosalmi/certmate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabriziosalmi%2Fcertmate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33477951,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-25T06:32:55.349Z","status":"ssl_error","status_checked_at":"2026-05-25T06:32:35.322Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","certificate-generation","certificate-management","certificate-renewal","certificate-revocation-lists","certification-authority","private-ca","ssl-api","ssl-certificates","ssl-management","tls-certificate","tls-certificates"],"created_at":"2025-07-06T22:13:10.694Z","updated_at":"2026-05-25T14:01:24.472Z","avatar_url":"https://github.com/fabriziosalmi.png","language":"Python","funding_links":["https://github.com/sponsors/fabriziosalmi"],"categories":["Python","automation"],"sub_categories":[],"readme":"# CertMate - SSL Certificate Management System\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/fabriziosalmi/certmate/main/certmate_logo.png\" alt=\"CertMate Logo\" width=\"180\"\u003e\n\n\u003c/div\u003e\n\n**CertMate** is an SSL certificate management system for modern infrastructure. Multi-DNS provider support, Docker-ready, comprehensive REST API.\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)\n[![Docker](https://img.shields.io/badge/docker-ready-blue)](https://hub.docker.com/)\n\n **Full Documentation**: https://github.com/fabriziosalmi/certmate\n\n---\n\n## Key Features\n\n- **Zero-Downtime Automation** - Auto-renewal 30 days before expiry\n- **22 DNS Providers** - Cloudflare, AWS, Azure, GCP, Hetzner, and more\n- **Multiple CA Support** - Let's Encrypt, DigiCert ACME, Private CAs\n- **Unified Backups** - Atomic snapshots of settings and certificates\n- **Multiple Storage Backends** - Local, Azure Key Vault, AWS Secrets Manager, Vault, Infisical\n- **Enterprise Ready** - Multi-account support, REST API, monitoring\n- **Simple Integration** - One-URL certificate downloads\n\n## Quick Start\n\n### Docker Compose (Recommended)\n\n```bash\n# 1. Create docker-compose.yml\nversion: '3.8'\nservices:\n certmate:\n image: fabriziosalmi/certmate:latest\n container_name: certmate\n ports:\n - \"8000:8000\"\n environment:\n - API_BEARER_TOKEN=your_secure_token_here\n - CLOUDFLARE_TOKEN=your_cloudflare_token # Or other DNS provider\n volumes:\n - ./data:/app/data\n - ./certificates:/app/certificates\n - ./letsencrypt:/app/letsencrypt\n restart: unless-stopped\n\n# 2. Start the service\ndocker-compose up -d\n\n# 3. Access the dashboard\nopen http://localhost:8000\n```\n\n### Standalone Docker\n\n```bash\ndocker run -d \\\n --name certmate \\\n -p 8000:8000 \\\n -e API_BEARER_TOKEN=your_secure_token_here \\\n -e CLOUDFLARE_TOKEN=your_token \\\n -v $(pwd)/data:/app/data \\\n -v $(pwd)/certificates:/app/certificates \\\n -v $(pwd)/letsencrypt:/app/letsencrypt \\\n fabriziosalmi/certmate:latest\n```\n\n## Supported DNS Providers\n\n| Provider           | Multi-Account | Status |\n| ------------------ | ------------- | ------ |\n| Cloudflare         |               | Stable |\n| AWS Route53        |               | Stable |\n| Azure DNS          |               | Stable |\n| Google Cloud DNS   |               | Stable |\n| DigitalOcean       |               | Stable |\n| PowerDNS           |               | Stable |\n| RFC2136            |               | Stable |\n| Linode             |               | Stable |\n| Gandi              |               | Stable |\n| OVH                |               | Stable |\n| Namecheap          |               | Stable |\n| Vultr              |               | Stable |\n| DNS Made Easy      |               | Stable |\n| NS1                |               | Stable |\n| Hetzner            |               | Stable |\n| Porkbun            |               | Stable |\n| GoDaddy            |               | Stable |\n| Hurricane Electric |               | Stable |\n| Dynu               |               | Stable |\n| ArvanCloud         |               | Stable |\n| Infomaniak         |               | Stable |\n| ACME-DNS           |               | Stable |\n\n## Certificate Authority Providers\n\n- **Let's Encrypt** - Free, automated certificates (default)\n- **DigiCert ACME** - Enterprise-grade with EAB support\n- **Private CA** - Internal/corporate CAs with ACME\n\n## Storage Backends\n\n- **Local Filesystem** - Default, secure file storage\n- **Azure Key Vault** - Enterprise secret management\n- **AWS Secrets Manager** - Scalable AWS integration\n- **HashiCorp Vault** - Industry-standard secrets\n- **Infisical** - Modern open-source platform\n\n## API Usage\n\n```bash\n# Create certificate\ncurl -X POST \"http://localhost:8000/api/certificates/create\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"domain\": \"example.com\",\n \"email\": \"admin@example.com\"\n }'\n\n# Download certificate (ZIP)\ncurl \"http://localhost:8000/api/certificates/example.com/download\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\" \\\n -o certificate.zip\n\n# Renew certificate\ncurl -X POST \"http://localhost:8000/api/certificates/example.com/renew\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\"\n\n# List certificates\ncurl \"http://localhost:8000/api/certificates\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\"\n```\n\n## Environment Variables\n\n### DNS Provider (choose one)\n- **Cloudflare**: `CLOUDFLARE_TOKEN`\n- **AWS Route53**: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`\n- **Azure**: `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`\n- **GCP**: `GOOGLE_PROJECT_ID`, `GOOGLE_APPLICATION_CREDENTIALS`\n- **DigitalOcean**: `DIGITALOCEAN_TOKEN`\n- **Hetzner**: `HETZNER_API_TOKEN`\n- See [documentation](https://github.com/fabriziosalmi/certmate/blob/main/docs/dns-providers.md) for all providers\n\n### Optional\n- `API_BEARER_TOKEN` - Bearer token for API authentication (auto-generated if unset)\n- `API_BEARER_TOKEN_FILE` - Path to a file containing the bearer token; takes precedence over `API_BEARER_TOKEN` when set\n- `SECRET_KEY` - Flask secret key (auto-generated if not set)\n- `SECRET_KEY_FILE` - Path to a file containing the Flask secret key (takes precedence over `SECRET_KEY`)\n- `FLASK_ENV` - Environment mode (default: production)\n- `HOST` - Bind address (default: 0.0.0.0)\n- `PORT` - Listen port (default: 8000)\n\n## Security Best Practices\n\n1. **Strong API Token**: Use 32+ character random token\n2. **File Permissions**: Automatic secure permissions (600/700)\n3. **Secrets Management**: Use environment variables or storage backends\n4. **HTTPS**: Use reverse proxy (nginx/traefik) for production\n5. **Network Isolation**: Deploy in private network when possible\n\n## Volume Mounts\n\n```yaml\nvolumes:\n - ./data:/app/data # Settings, cache, audit logs\n - ./certificates:/app/certificates # SSL certificates\n - ./letsencrypt:/app/letsencrypt # Let's Encrypt config\n - ./backups:/app/backups # Backup files (optional)\n - ./logs:/app/logs # Application logs (optional)\n```\n\n## Multi-Platform Support\n\nImages available for:\n- `linux/amd64` - x86_64 systems\n- `linux/arm64` - ARM64/Apple Silicon\n\nDocker automatically pulls the correct architecture.\n\n## Backup \u0026 Recovery\n\nCertMate includes unified atomic backups:\n\n```bash\n# Create backup via API\ncurl -X POST \"http://localhost:8000/api/backups/create\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\" \\\n -d '{\"type\": \"unified\"}'\n\n# List backups\ncurl \"http://localhost:8000/api/backups\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\"\n\n# Restore from backup\ncurl -X POST \"http://localhost:8000/api/backups/restore/unified\" \\\n -H \"Authorization: Bearer YOUR_TOKEN\" \\\n -d '{\"filename\": \"backup_20240101_120000.tar.gz\"}'\n```\n\n## Health Monitoring\n\n```bash\n# Health check endpoint\ncurl http://localhost:8000/health\n\n# Response\n{\n \"status\": \"healthy\",\n \"version\": \"2.1.0\",\n \"uptime\": \"24h 15m\",\n \"certificates\": 42,\n \"storage\": \"local_filesystem\"\n}\n```\n\n## Troubleshooting\n\n### Container won't start\n```bash\n# Check logs\ndocker logs certmate\n\n# Verify permissions\nls -la data/ certificates/ letsencrypt/\n```\n\n### DNS validation fails\n- Verify DNS provider credentials\n- Check DNS propagation: `dig _acme-challenge.example.com TXT`\n- Review logs for specific errors\n\n### Certificate not renewing\n- Check auto-renew is enabled in settings\n- Verify renewal threshold (default: 30 days)\n- Manual renewal: API POST `/api/certificates/{domain}/renew`\n\n## Documentation\n\n- **GitHub Repository**: https://github.com/fabriziosalmi/certmate\n- **Full README**: https://github.com/fabriziosalmi/certmate/blob/main/README.md\n- **Installation Guide**: https://github.com/fabriziosalmi/certmate/blob/main/docs/installation.md\n- **DNS Providers**: https://github.com/fabriziosalmi/certmate/blob/main/docs/dns-providers.md\n- **CA Providers**: https://github.com/fabriziosalmi/certmate/blob/main/docs/ca-providers.md\n- **Multi-Account Setup**: https://github.com/fabriziosalmi/certmate/blob/main/docs/dns-providers.md#multi-account-support\n- **API Documentation**: http://localhost:8000/docs/\n\n## Contributing\n\nContributions welcome! See [CONTRIBUTING.md](https://github.com/fabriziosalmi/certmate/blob/main/CONTRIBUTING.md)\n\n## License\n\nMIT License - see [LICENSE](https://github.com/fabriziosalmi/certmate/blob/main/LICENSE)\n\n## Links\n\n- **Source Code**: https://github.com/fabriziosalmi/certmate\n- **Docker Hub**: https://hub.docker.com/r/fabriziosalmi/certmate\n- **Issue Tracker**: https://github.com/fabriziosalmi/certmate/issues\n- **Discussions**: https://github.com/fabriziosalmi/certmate/discussions\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabriziosalmi%2Fcertmate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffabriziosalmi%2Fcertmate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabriziosalmi%2Fcertmate/lists"}