Let's Encrypt certificate manager with DNS-01 via Cloudflare and API access
Project description
certpost
Let's Encrypt certificate manager with DNS-01 challenges, web admin panel, and TLS termination proxy. Supports Cloudflare and Technitium DNS Server.
Features
- Automatic certificate issuance — Let's Encrypt via ACME v2, DNS-01 challenges
- Multiple DNS providers — Cloudflare and Technitium DNS Server, with split provider support (e.g. Cloudflare for ACME, Technitium for records)
- Web admin panel — manage domains, view status, download certs, view logs (protected by admin key login)
- DNS management — automatically creates and manages A/CNAME records for your subdomains
- Background renewal — proactively renews the 2 oldest certs daily, with a 30-day expiry safety net
- Per-domain API tokens — each domain gets its own bearer token for certificate retrieval
- TLS termination proxy — built-in proxy with SNI routing and automatic cert refresh
- Certificate fetching — download
.crtand.keyfiles via CLI or admin panel - Interactive setup —
certpost-server setupandcertpost initwizards for easy configuration - Zero dependencies — stdlib only, shells out to system
opensslfor crypto - Modular DNS — protocol-based design makes it easy to add new providers
Requirements
- Python 3.12+
- System
opensslbinary (available on macOS and Linux) - A supported DNS provider: Cloudflare (API token + zone ID) or Technitium DNS Server (server URL + API token)
Installation
pip install certpost
Or install from source:
uv pip install .
Server
Initial setup
certpost-server setup -d /path/to/data
This walks you through creating a config.json with your DNS provider settings, base domain, and port. An admin key is generated automatically.
Starting the server
certpost-server run -d /path/to/data
The admin panel is available at http://localhost:8443. Log in with the admin key (printed on startup). From the panel you can:
- Add subdomains — enter an IP address or CNAME target, creates the DNS record via the configured provider, and issues a Let's Encrypt certificate
- View certificate status and expiry dates
- Copy or rotate per-domain API tokens
- Download certificate files
- View server logs
Configuration
The config.json in your data directory. Use a single dns key when one provider handles everything:
{
"base_domain": "example.com",
"admin_key": "auto-generated-admin-key",
"bind": "0.0.0.0",
"port": 8443,
"dns": {
"provider": "cloudflare",
"api_token": "your-cloudflare-api-token",
"zone_id": "your-zone-id"
}
}
For split configurations, use dns_acme and dns_records:
{
"base_domain": "example.com",
"admin_key": "auto-generated-admin-key",
"bind": "0.0.0.0",
"port": 8443,
"dns_acme": {
"provider": "cloudflare",
"api_token": "your-cloudflare-api-token",
"zone_id": "your-zone-id"
},
"dns_records": {
"provider": "technitium",
"server_url": "https://dns.example.com",
"api_token": "your-technitium-api-token",
"zone": "example.com"
}
}
API
Public endpoints (no auth):
| Endpoint | Description |
|---|---|
GET /api/version |
Product name, API version, server version |
GET /api/spec |
OpenAPI 3.0 specification |
GET /api/help |
Human-readable API documentation |
Certificate retrieval (per-domain bearer token):
| Endpoint | Description |
|---|---|
GET /api/cert/<domain> |
Certificate, chain, and private key |
GET /api/token-info |
Resolve token to domain |
Example:
curl -H "Authorization: Bearer <token>" http://certpost:8443/api/cert/app.example.com
Client
Fetch certificates
One-shot download:
certpost fetch -s http://certpost:8443 -t <token> -d app.example.com -o /etc/ssl/certs
With automatic refresh every 24 hours:
certpost fetch -s http://certpost:8443 -t <token> -d app.example.com --refresh 24
Or use a config file:
certpost fetch -c fetch.json
Output files: app.example.com.crt (full chain) and app.example.com.key (private key, mode 0600).
TLS termination proxy
Run a proxy that terminates TLS, routes by SNI, and auto-refreshes certs:
certpost proxy -c proxy.json
Proxy config:
{
"server": "http://certpost:8443",
"listen": "0.0.0.0:443",
"refresh_hours": 24,
"routes": {
"app.example.com": {
"token": "per-domain-api-token",
"backend": "127.0.0.1:8080"
},
"api.example.com": {
"token": "another-api-token",
"backend": "127.0.0.1:9090"
}
}
}
Generate a config interactively
certpost init
Walks you through creating either a fetch or proxy config. Auto-resolves domains from tokens and validates against the server.
Security
- Admin panel is protected by an admin key with cookie-based auth
- Certificate API uses per-domain bearer tokens (not shared)
- Private keys are stored in JSON files — protect the data directory with filesystem permissions
- TLS proxy loads certs into memory and immediately deletes temp files
Licence
Released under the Unlicense — public domain.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file certpost-1.0.0b7-py3-none-any.whl.
File metadata
- Download URL: certpost-1.0.0b7-py3-none-any.whl
- Upload date:
- Size: 56.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
69622250125f67d05c058c79164fc5378b79c55a97d0ae0517abfe14dc668502
|
|
| MD5 |
ebac76850558bc1e560a8f6c4af12b76
|
|
| BLAKE2b-256 |
4b091beae08ca880b9ae06f81cd8f1a2975b1aa986a4b68bddf9808e85d17748
|
