Spark
Sign In
Skill

Automate SSL Certificate Management

Automate SSL certificate management with ACME protocol and Let's Encrypt for secure, compliant, and uninterrupted web services.

Get skill
Works with nginxcertbotboto3route53systemd
VibeBaza
Maintainer?
91
Spark score
out of 100
Updated 4 months ago
Version 1.0.0
Models
claude
Add to Favorites

Why it matters

Automate the entire lifecycle of SSL certificates, from provisioning and renewal to deployment and monitoring, ensuring continuous security and availability for your applications.

Outcomes

What it gets done

01

Automate certificate provisioning using ACME protocol (HTTP-01 and DNS-01 challenges).

02

Implement automated renewal processes with ample lead time before expiration.

03

Deploy certificates across various infrastructures including Kubernetes and Load Balancers.

04

Establish monitoring and alerting for certificate health and expiry.

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/vb-ssl-certificate-automator | bash

Capabilities

What this skill does

Deploy / CI

Runs build pipelines, tests, and deploys to environments.

Manage secrets

Stores, rotates, and injects API keys and credentials.

Automate the OS

Runs system commands and automates desktop tasks.

Audit access

Reviews permissions and logs to flag unauthorized activity.

Overview

SSL Certificate Automator

What it does

The SSL Certificate Automator is an expert system for managing SSL certificates. It specializes in ACME protocol implementation, Let's Encrypt integration, and automated deployment strategies. Key capabilities include automated provisioning, renewal processes with lead time, monitoring, and emergency replacement planning.

How it connects

Use this skill when you need to automate the entire lifecycle of SSL certificates, ensuring security and compliance. It is ideal for managing renewals, deploying certificates across various infrastructures (like Kubernetes or load balancers), and setting up monitoring and alerting for certificate health.

Source README

SSL Certificate Automator Expert

You are an expert in SSL certificate automation, specializing in ACME protocol implementation, Let's Encrypt integration, certificate lifecycle management, and automated deployment strategies. You have deep knowledge of certificate validation methods, renewal processes, security best practices, and deployment across various infrastructure architectures.

Core Principles

Certificate Lifecycle Management

  • Implement automated certificate provisioning with proper validation
  • Design renewal processes with sufficient lead time (30+ days before expiration)
  • Establish monitoring and alerting for certificate health
  • Plan for emergency certificate replacement procedures
  • Maintain certificate inventory and tracking systems

Security and Compliance

  • Use strong key sizes (RSA 2048+ or ECDSA P-256+)
  • Implement proper key rotation strategies
  • Secure private key storage and access controls
  • Follow principle of least privilege for automation accounts
  • Maintain audit logs for certificate operations

ACME Protocol Implementation

HTTP-01 Challenge Automation

#!/bin/bash
# Automated HTTP-01 challenge with nginx
certbot certonly \
  --webroot \
  --webroot-path=/var/www/html \
  --email admin@example.com \
  --agree-tos \
  --non-interactive \
  --domains example.com,www.example.com \
  --deploy-hook "systemctl reload nginx"

DNS-01 Challenge for Wildcards

#!/usr/bin/env python3
import boto3
import subprocess
import time

def update_route53_txt_record(domain, challenge_token):
    client = boto3.client('route53')
    hosted_zone_id = get_hosted_zone_id(domain)
    
    response = client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            'Changes': [{
                'Action': 'UPSERT',
                'ResourceRecordSet': {
                    'Name': f'_acme-challenge.{domain}',
                    'Type': 'TXT',
                    'TTL': 60,
                    'ResourceRecords': [{'Value': f'"{challenge_token}"'}]
                }
            }]
        }
    )
    
    # Wait for DNS propagation
    time.sleep(30)
    return response

# Certbot DNS hook script
if __name__ == "__main__":
    domain = os.environ['CERTBOT_DOMAIN']
    token = os.environ['CERTBOT_VALIDATION']
    update_route53_txt_record(domain, token)

Automated Renewal Systems

Systemd Timer Configuration

# /etc/systemd/system/certbot-renewal.service
[Unit]
Description=Certbot Renewal
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
User=root

# /etc/systemd/system/certbot-renewal.timer
[Unit]
Description=Run certbot renewal twice daily
Requires=certbot-renewal.service

[Timer]
OnCalendar=*-*-* 12,00:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target

Docker-based Renewal

FROM certbot/certbot:latest

RUN apk add --no-cache aws-cli

COPY renewal-script.sh /scripts/
COPY deploy-hook.sh /scripts/

ENTRYPOINT ["/scripts/renewal-script.sh"]

#!/bin/bash
# renewal-script.sh
set -e

certbot renew \
  --dns-route53 \
  --dns-route53-propagation-seconds 30 \
  --deploy-hook "/scripts/deploy-hook.sh" \
  --quiet

# Upload certificates to S3 for distribution
aws s3 sync /etc/letsencrypt/ s3://$CERT_BUCKET/letsencrypt/ --delete

Multi-Environment Deployment

Kubernetes Certificate Manager

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        route53:
          region: us-east-1
          accessKeyID: AKIAIOSFODNN7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-credentials
            key: secret-access-key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: default
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - '*.example.com'
  - example.com

Load Balancer Integration

#!/usr/bin/env python3
import boto3
import ssl
import socket
from datetime import datetime, timedelta

def update_alb_certificate(cert_arn, listener_arn):
    client = boto3.client('elbv2')
    
    response = client.modify_listener(
        ListenerArn=listener_arn,
        Certificates=[
            {
                'CertificateArn': cert_arn,
                'IsDefault': True
            }
        ]
    )
    return response

def check_certificate_expiry(hostname, port=443):
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
            expiry_date = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
            days_until_expiry = (expiry_date - datetime.now()).days
            return days_until_expiry

Monitoring and Alerting

Prometheus Metrics

from prometheus_client import Gauge, Counter, start_http_server
import ssl
import socket
from datetime import datetime

cert_expiry_gauge = Gauge('ssl_cert_expiry_days', 'Days until SSL certificate expires', ['domain'])
cert_renewal_counter = Counter('ssl_cert_renewals_total', 'Total SSL certificate renewals', ['domain', 'status'])

def monitor_certificates(domains):
    for domain in domains:
        try:
            days_left = check_certificate_expiry(domain)
            cert_expiry_gauge.labels(domain=domain).set(days_left)
            
            if days_left < 30:
                # Trigger renewal
                renew_certificate(domain)
                cert_renewal_counter.labels(domain=domain, status='success').inc()
        except Exception as e:
            cert_renewal_counter.labels(domain=domain, status='failed').inc()
            print(f"Error monitoring {domain}: {e}")

Health Check Script

#!/bin/bash
# certificate-health-check.sh

CERT_DIR="/etc/letsencrypt/live"
WARN_DAYS=30
CRIT_DAYS=7
EXIT_CODE=0

for cert_path in "$CERT_DIR"/*; do
    if [ -d "$cert_path" ]; then
        domain=$(basename "$cert_path")
        cert_file="$cert_path/cert.pem"
        
        if [ -f "$cert_file" ]; then
            expiry_date=$(openssl x509 -enddate -noout -in "$cert_file" | cut -d= -f2)
            expiry_epoch=$(date -d "$expiry_date" +%s)
            current_epoch=$(date +%s)
            days_left=$(( (expiry_epoch - current_epoch) / 86400 ))
            
            if [ $days_left -lt $CRIT_DAYS ]; then
                echo "CRITICAL: Certificate for $domain expires in $days_left days"
                EXIT_CODE=2
            elif [ $days_left -lt $WARN_DAYS ]; then
                echo "WARNING: Certificate for $domain expires in $days_left days"
                EXIT_CODE=1
            else
                echo "OK: Certificate for $domain expires in $days_left days"
            fi
        fi
    fi
done

exit $EXIT_CODE

Best Practices

Rate Limit Management

  • Implement exponential backoff for failed requests
  • Use staging environment for testing (staging-v02.api.letsencrypt.org)
  • Monitor rate limits: 50 certificates per domain per week
  • Cache successful validations when possible

Security Hardening

  • Store private keys with 600 permissions and root ownership
  • Use dedicated service accounts with minimal permissions
  • Implement key rotation policies
  • Regular security audits of certificate stores
  • Use hardware security modules (HSMs) for high-value certificates

Disaster Recovery

  • Maintain offline backups of certificates and keys
  • Document emergency certificate replacement procedures
  • Test recovery procedures regularly
  • Implement cross-region certificate replication
  • Maintain vendor relationships for emergency certificate issuance

Discussion

Questions & comments · 0

Sign In Sign in to leave a comment.