{"id":20015621,"url":"https://github.com/jen20/lambda-cert","last_synced_at":"2025-10-06T18:06:58.086Z","repository":{"id":57134022,"uuid":"132372173","full_name":"jen20/lambda-cert","owner":"jen20","description":"Obtain and renew Let's Encrypt certificates using AWS Lambda","archived":false,"fork":false,"pushed_at":"2018-10-24T00:16:27.000Z","size":979,"stargazers_count":17,"open_issues_count":1,"forks_count":2,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-06T18:06:33.804Z","etag":null,"topics":["acmev2","aws","lambda","letsencrypt"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jen20.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-06T20:09:35.000Z","updated_at":"2022-10-31T17:20:35.000Z","dependencies_parsed_at":"2022-09-04T07:31:21.810Z","dependency_job_id":null,"html_url":"https://github.com/jen20/lambda-cert","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/jen20/lambda-cert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jen20%2Flambda-cert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jen20%2Flambda-cert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jen20%2Flambda-cert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jen20%2Flambda-cert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jen20","download_url":"https://codeload.github.com/jen20/lambda-cert/tar.gz/refs/heads/master","sbom_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/jen20%2Flambda-cert/sbom","scorecard":{"id":514844,"data":{"date":"2025-08-11","repo":{"name":"github.com/jen20/lambda-cert","commit":"70fe11e766a2cc5f63333d32096b88b052c3008a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.5,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/6 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/jen20/lambda-cert/releases/11997129","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/jen20/lambda-cert/releases/10946225","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/jen20/lambda-cert/releases/11997129","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/jen20/lambda-cert/releases/10946225"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 8 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":0,"reason":"42 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-c6rq-rjc2-86v2","Warn: Project is vulnerable to: GHSA-pp75-xfpw-37g9","Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6","Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9","Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f","Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p","Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv","Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8","Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65","Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh","Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44","Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988","Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx","Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37","Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546","Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx","Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-xf5p-87ch-gxw2","Warn: Project is vulnerable to: GHSA-ch52-vgq2-943f","Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj","Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: 
GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6","Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj","Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9","Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw","Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc","Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh","Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T01:33:25.369Z","repository_id":57134022,"created_at":"2025-08-20T01:33:25.373Z","updated_at":"2025-08-20T01:33:25.373Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278655146,"owners_count":26022968,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acmev2","aws","lambda","letsencrypt"],"created_at":"2024-11-13T07:46:42.868Z","updated_at":"2025-10-06T18:06:58.045Z","avatar_url":"https://github.com/jen20.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## `lambda-cert`\n\n`lambda-cert` is a 
lambda function which can be used to obtain TLS certificates from a certificate\nauthority using the `acme` API (for example, [Let's Encrypt][le]). The private key is encrypted\nusing KMS, and stored along with the certificate (unencrypted) in an S3 bucket. Optionally, the\nprivate key can be re-encoded using PKCS8 and added to a Java KeyStore which is then uploaded to S3.\n\nA policy granting access to these files and the Decrypt operation for the KMS key can be assigned to\na role associated with an instance profile in order for servers to obtain the keys on startup.\n\n`lambda-cert` completes the [DNS-01][dns1] challenge using AWS Route 53 in order to verify control\nof a particular domain.\n\nAn accompanying utility `s3-get-secret` shares much of the same codebase, and can be used to\ndownload and decrypt certificates from S3 without needing additional dependencies.\n\nNote that this is only really intended to be used in circumstances where ACM certificates are\nunpalatable - that is, if TLS termination is being done inside an instance specifically, or where a\nself-signed CA cannot be used. It is especially useful for [HashiCorp Vault][vault] clusters, since\neach client need not be provisioned with an additional root certificate, provided they already trust\ncertificates issued by Let's Encrypt.\n\n### Rationale\n\nThe rate limits for ACME with Let's Encrypt mean that renewing a certificate for each member of a\nlarge cluster whenever a new image is deployed (say, a rolling upgrade of an auto-scaling group)\ncannot be achieved. In this model, Lambda manages the initial creation and subsequent renewal of the\ncertificate, and the instances making use of the certificates can simply obtain the files from S3,\nand update them on a regular basis.\n\nEven in smaller clusters which are not affected by the rate limit, it is preferable not to delegate\ncontrol over DNS records in an instance policy, given the limited granularity with which AWS IAM\nexposes controls over Route 53 hosted zones.\n\n### Building\n\nDuring development, `lambda-cert` and `s3-get-secret` can be built using `go build`. \n\nReleases are made using `goreleaser`. _You should likely build binaries yourself rather than\ntrusting these._\n\n### Contributing\n\nFeedback, issues and pull requests are welcome!\n\n### Pulumi Component\n\nA [Pulumi][pulumi] component is included in the `pulumi/` directory, and also published in the\n[npm][npm] registry as [`@operator-error/pulumi-lambda-cert`][npmmod]. See the\n[README][pulumireadme] in that directory for more documentation.\n\n### Terraform Module\n\nA [Terraform][terraform] module is included in the `terraform/` directory. See the\n[README][tfreadme] in that directory for more documentation.\n\n### Example lambda function policy\n\nSubstitute values as necessary for your certificates:\n\n```\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"logs:CreateLogGroup\",\n                \"logs:CreateLogStream\",\n                \"logs:PutLogEvents\"\n            ],\n            \"Resource\": \"arn:aws:logs:*:*:*\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"kms:Encrypt\",\n                \"kms:Decrypt\",\n                \"kms:GenerateDataKey\"\n            ],\n            \"Resource\": \"\u003cKMS KEY ARN\u003e\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"s3:PutObject\",\n                \"s3:GetObject\"\n            ],\n            \"Resource\": [\n                \"arn:aws:s3:::\u003cBUCKET NAME\u003e/\u003cBUCKET PREFIX\u003e/config/config.json.enc\",\n                \"arn:aws:s3:::\u003cBUCKET NAME\u003e/\u003cBUCKET PREFIX\u003e/\u003cNAME\u003e/cert.crt\",\n                \"arn:aws:s3:::\u003cBUCKET NAME\u003e/\u003cBUCKET PREFIX\u003e/\u003cNAME\u003e/cert.key.enc\",\n                \"arn:aws:s3:::\u003cBUCKET NAME\u003e/\u003cBUCKET PREFIX\u003e/\u003cNAME\u003e/keystore.jks\"\n            ]\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"route53:ChangeResourceRecordSets\"\n            ],\n            \"Resource\": [\n                \"arn:aws:route53:::hostedzone/\u003cHOSTED ZONE ID\u003e\"\n            ]\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"route53:GetChange\",\n                \"route53:ListHostedZonesByName\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\n```\n\n[le]: https://letsencrypt.org/\n[vault]: https://vaultproject.io\n[mage]: https://magefile.org\n[terraform]: https://terraform.io\n[tfreadme]: ./terraform/README.md\n[pulumi]: https://www.pulumi.io\n[npm]: https://www.npmjs.com\n[npmmod]: https://www.npmjs.com/package/@operator-error/pulumi-lambda-cert\n[pulumireadme]: ./pulumi/README.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjen20%2Flambda-cert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjen20%2Flambda-cert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjen20%2Flambda-cert/lists"}