Atlas project production

CertManager

Automate certificate issuance and renewal via ACME with hooks for DNS/web validation and post-deploy workflows. Reads the dehydrated config and domains.txt to determine the target certificates, performs ACME challenges (HTTP-01 or DNS-01), issues or renews certificates as needed, and runs hook scripts for DNS integration or post-renewal deployment steps.

Type
System
Lifecycle
Deprecated
Last touched
2023-07-12
Visibility
Public

Purpose

Automate certificate issuance and renewal via ACME with hooks for DNS/web validation and post-deploy workflows.

Current state

Last touched: 2023-07-12. Functionality and completeness: Dehydrated client and docs are present; local ops runbooks are pending.

Next step

  • Add baseline automated tests to cover critical flows
  • Add a CI pipeline for build/test/lint
  • Document the deployment/runtime environment (or add a Dockerfile)
  • Document interfaces (CLI flags, API endpoints, file formats)
  • Add structured logging and basic health checks

Interfaces

Inputs
  • config file, domains.txt, hook scripts
Outputs
  • Certificate files, account key, renewal logs

Reality to Action trace

Reality Ingestion

Contributes in this stage.

Canonical Storage

Not in scope.

Automation Engines

Contributes in this stage.

Human Interfaces

Contributes in this stage.

Operational Adoption

Contributes in this stage.

Core workflow

TBD. Document the 5-10 steps that define the core workflow.

Artifacts

  • `config` and `domains.txt` file format used by dehydrated

Operational notes

Constraints and scars

  • Depends on DNS/web challenge configuration and provider TTL behavior; rate limits apply for production ACME endpoints.

Reliability posture

  • Failure modes and safe behavior: challenge failures abort issuance; existing certificates remain unchanged.
  • Idempotency / retries / batching: cron runs renew only when needed; there are no built-in retries.

Observability

  • Logs: stdout/stderr from dehydrated; hook scripts can emit additional logs.
  • Metrics/health checks: none documented.

Security and privacy

Protect the ACME account key and the certificate private keys; restrict filesystem access to the cert and account directories.

Dependencies

Upstream
  • ACME servers (e.g., Let's Encrypt), DNS/web servers for challenges

Ownership

Owners

Josh Barton

Users

Josh Barton (owner)

CertManager

Architecture & Major Components

  • High-level diagram (text):
    • Config + domains -> ACME challenge -> cert issuance -> hooks -> output files
  • Entry points: CertManager/dehydrated
  • Top-level folders: accounts, certs, docs, hooks
  • Key abstractions: dehydrated CLI, hooks for DNS/HTTP integration

Setup / Build / Run

  • Build system(s): None (bash script).
  • Provide config and domains.txt, then run dehydrated via cron with optional hooks.
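The hook scripts referenced above are where DNS/HTTP integration and post-renewal deployment happen. As an added example (not the project's own hook), the script below handles the HTTP-01 stages and installs the renewed key with owner-only permissions; the WEBROOT and CERT_DEPLOY_DIR paths are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the project's own hook: a minimal dehydrated hook for HTTP-01.
# dehydrated invokes it as: hook.sh <stage> <args...>; argument order per stage
# follows dehydrated's hook interface. WEBROOT and CERT_DEPLOY_DIR are assumed
# paths (not from the page), overridable via the environment for local testing.
WEBROOT="${WEBROOT:-/var/www/acme}"
CERT_DEPLOY_DIR="${CERT_DEPLOY_DIR:-/etc/ssl/atlas}"
log() { printf '%s hook: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }
# Token filenames are base64url; anything else (e.g. "../x") must never reach the
# filesystem, or a bad value could write or delete outside the challenge directory.
valid_token() { case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Publish the key authorization under /.well-known/acme-challenge/ for the ACME server.
deploy_challenge() {
    domain="$1"; token_file="$2"; token_value="$3"
    valid_token "$token_file" || { log "rejecting token filename for $domain"; return 1; }
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token_value" > "$dir/$token_file"
    chmod 0644 "$dir/$token_file"
    log "published challenge for $domain"
}
# clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    valid_token "$2" || return 1
    rm -f "$WEBROOT/.well-known/acme-challenge/$2"
    log "removed challenge for $1"
}
# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Install key and chain; the private key is owner-only, per the page's note that
# private keys must be protected.
deploy_cert() {
    domain="$1"; keyfile="$2"; fullchain="$4"
    dest="$CERT_DEPLOY_DIR/$domain"
    mkdir -p "$dest"
    cp "$keyfile" "$dest/privkey.pem" && chmod 0600 "$dest/privkey.pem"
    cp "$fullchain" "$dest/fullchain.pem" && chmod 0644 "$dest/fullchain.pem"
    log "deployed certificate for $domain (issued at $6)"
}

# Dispatch only the stages handled here; dehydrated's other stages are no-ops.
run_hook() {
    stage="$1"; shift
    case "$stage" in
        deploy_challenge|clean_challenge|deploy_cert) "$stage" "$@" ;;
        *) log "stage $stage: no-op" ;;
    esac
}
if [ "$#" -gt 0 ]; then run_hook "$@"; fi
```

Point dehydrated at the script with the HOOK setting in its config; a production hook would also reload the TLS-terminating service at the end of deploy_cert.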