CertDeliver: Automated SSL Certificate Distribution for Clusters
🔒 The HTTPS Headache
In a distributed system, you often have multiple servers (Nginx, Xray, Mail) that need the same wildcard certificate.
Standard Certbot logic works great for one server, but syncing that certificate to 10 other nodes securely? That’s messy. rsync with loose SSH keys? Manual copying?
Enter CertDeliver.
🛠️ How It Works
CertDeliver is a secure client-server system designed to sync Let’s Encrypt certificates automatically.
The Flow
[Sequence diagram: the client-server certificate sync flow]
Security First
- Token Auth: Uses constant-time string comparison (`secrets.compare_digest`) to prevent timing attacks.
- IP Whitelist: DNS-based verification ensures only your known nodes can fetch certificates.
- Minimal Privileges: The client runs as a standard user, only needing permission to write to the cert directory and reload services (`sudo` access restricted to specific commands).
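A minimal server-side version of the first two checks, written here as an added example rather than CertDeliver's own code: a constant-time token comparison with `secrets.compare_digest`, an IP whitelist resolved from DNS at request time, and a constructed resolver so it runs offline. The function names, token and hostnames are assumptions for illustration.

```python
import secrets
import socket

# Constructed values for the example: in a real deployment the token comes
# from a secret store and the hostnames are the cluster nodes' DNS names.
EXPECTED_TOKEN = "example-token-not-a-real-secret"
ALLOWED_NODE_HOSTNAMES = ["node1.example.internal", "node2.example.internal"]


def token_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison: run time does not depend on how many leading
    characters match, which a plain `presented == expected` would leak."""
    # compare_digest requires both operands to be the same type; use bytes.
    return secrets.compare_digest(presented.encode(), expected.encode())


def allowed_ips(hostnames, resolve=socket.gethostbyname_ex):
    """Resolve every whitelisted hostname to its current A records.
    `resolve` is injectable so the check can be exercised offline."""
    ips = set()
    for name in hostnames:
        try:
            _, _, addrs = resolve(name)
        except OSError:
            continue  # an unresolvable name drops out; it never fails open
        ips.update(addrs)
    return ips


def authorize_request(client_ip, presented_token,
                      hostnames=ALLOWED_NODE_HOSTNAMES,
                      expected_token=EXPECTED_TOKEN,
                      resolve=socket.gethostbyname_ex):
    """A node may fetch a certificate only if both checks pass. Both are
    evaluated unconditionally so response time does not reveal which one
    rejected the request."""
    ip_ok = client_ip in allowed_ips(hostnames, resolve)
    token_ok = token_matches(presented_token, expected_token)
    return ip_ok and token_ok


def fake_resolver(name):
    """Stand-in for gethostbyname_ex with a constructed DNS table, so the
    example runs without network access."""
    table = {"node1.example.internal": ["10.0.0.11"],
             "node2.example.internal": ["10.0.0.12"]}
    if name not in table:
        raise socket.gaierror("constructed: unknown host")
    return name, [], table[name]
```

Pass `resolve=fake_resolver` to `authorize_request` to try it without DNS; with the default resolver the whitelist is only as trustworthy as the resolver the server uses.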
🚀 Quick Start
1. Server Side (Central Authority)
Deploy with Docker Compose. This container will act as the source of truth.
```bash
git clone https://github.com/yuanweize/CertDeliver.git
```
2. Client Side (The Nodes)
Install the client on your edge nodes (VPS, Raspberry Pi, etc.).
```bash
pip install git+https://github.com/yuanweize/CertDeliver.git
```
3. Automation (Cron)
Add this to your crontab to check for updates every 6 hours:
```
0 */6 * * * /usr/local/bin/certdeliver-client >> /var/log/certdeliver.log 2>&1
```
Set it in crontab, and never worry about expired certs on your slave nodes again.