Yar Kravtsov's blog

Yar Kravtsov's blog

Published at

Why I Created Zero: A Lightweight SSL Certificate Manager

Table of Contents

Why I Created Zero: A Lightweight SSL Certificate Manager

In the world of web development, securing your applications with SSL/TLS certificates is non-negotiable. Whether you’re running a small personal project or a large-scale production application, ensuring that your users’ data is encrypted and secure is paramount. However, managing SSL certificates can be a daunting task, especially when you’re dealing with multiple domains, renewals, and the complexities of the ACME protocol.

This is why I created Zero, a lightweight SSL certificate manager designed to simplify the process of obtaining, renewing, and managing SSL/TLS certificates. In this blog post, I’ll walk you through the journey of why I built Zero, the challenges I faced, and why existing solutions didn’t quite meet my needs.

The Problem: SSL Management is Too Complex

When I first started deploying web applications, I quickly realized that managing SSL certificates was one of the most cumbersome parts of the process. Tools like Certbot are powerful and widely used, but they come with a lot of overhead. For simple setups, especially those involving single-domain certificates, Certbot felt like overkill. It required a deep understanding of its configuration files, and its dependency on Python made it heavy for lightweight environments.

Moreover, Certbot’s complexity often led to issues when integrating with containerized environments like Docker. I found myself spending hours debugging why Certbot wasn’t working as expected, or why it wasn’t renewing certificates automatically. This was time I could have spent building features or improving my application.

The Challenges I Faced

  1. Complexity in Simple Setups: For small projects, I didn’t need the full power of Certbot. I just wanted something that could handle a single domain and renew the certificate automatically.

  2. Integration with Docker: Running Certbot in a Dockerized environment was often a headache. It required additional configuration and sometimes even custom scripts to make it work seamlessly with Nginx or other web servers.

  3. Renewal Management: Certbot’s renewal process, while reliable, wasn’t always straightforward. I wanted a tool that would handle renewals silently in the background, without requiring manual intervention.

  4. Lightweight and Minimal Dependencies: I wanted a tool that was lightweight, with minimal dependencies, and could run efficiently in resource-constrained environments.

Why Existing Solutions Didn’t Fit My Needs

Before building Zero, I explored several alternatives, including Certbot, Traefik, and Caddy. While each of these tools has its strengths, none of them fully met my requirements for simplicity and ease of use.

Certbot

Certbot is the de facto standard for managing SSL certificates, but it comes with a steep learning curve. Its configuration files are complex, and it requires a deep understanding of how the ACME protocol works. For small projects, this level of complexity was unnecessary. Additionally, Certbot’s dependency on Python made it heavier than I wanted for my lightweight setups.

Traefik

Traefik is a fantastic reverse proxy and load balancer that can automatically manage SSL certificates. However, it’s designed for more complex setups involving multiple services and load balancing. For a simple single-domain setup, Traefik felt like overkill. It also requires you to adopt its entire ecosystem, which wasn’t ideal for my use case.

Caddy

Caddy is another excellent tool that automatically manages SSL certificates. It’s lightweight and easy to use, but it’s also a full-fledged web server. If you’re already using Nginx or another web server, switching to Caddy just for SSL management isn’t practical. I wanted a tool that could integrate seamlessly with existing setups, not replace them.

The Solution: Zero

After struggling with these tools, I decided to build Zero, a lightweight SSL certificate manager that focuses on simplicity and ease of use. Zero is designed to handle the most common use case: managing SSL certificates for a single domain with minimal configuration.

Key Features of Zero

  • Lightweight: Zero is written in Go, which makes it fast and efficient. It has minimal dependencies and can run in resource-constrained environments.

  • Automatic Renewals: Zero checks your certificates daily and automatically renews them 30 days before they expire. You don’t have to worry about manually renewing certificates or setting up cron jobs.

  • Built-in HTTP Server: Zero includes a built-in HTTP server that handles ACME challenges, making it easy to obtain and renew certificates.

  • Docker Integration: Zero is designed to work seamlessly with Docker. You can run it as a container, and it can execute post-renewal hooks in other containers (like Nginx) to reload configurations automatically.

  • Simple CLI: Zero has a straightforward command-line interface that makes it easy to get started. You can configure it with just a few flags, and it handles the rest.

How Zero Works

Zero operates as a background service that:

  1. Serves HTTP-01 Challenges: Zero runs a built-in HTTP server on port 80 to handle ACME challenges, which are required by the ACME protocol to verify domain ownership.

  2. Redirects HTTP Traffic: Any non-ACME HTTP traffic is automatically redirected to HTTPS, ensuring that your users always connect securely.

  3. Monitors Certificates: Zero checks your certificates daily at a configurable time (default is 2:00 AM) and renews them if they’re within 30 days of expiration.

  4. Executes Post-Renewal Hooks: After renewing a certificate, Zero can execute a command or reload a Docker container (like Nginx) to apply the new certificate.

Real-World Example: Using Zero with Docker Compose

Here’s an example of how I use Zero in a real-world Docker Compose setup:

volumes:
  certs:

services:
  zero:
    image: yarlson/zero:latest
    ports:
      - "80:80"
    volumes:
      - certs:/certs
    command:
      - -d
      - example.com
      - -e
      - [email protected]
      - -c
      - /certs
      - --hook
      - nginx -s reload
      - --hook-container
      - nginx
    restart: unless-stopped

  nginx:
    image: nginx:alpine
    ports:
      - "443:443"
    volumes:
      - certs:/etc/nginx/certs:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - zero
    restart: unless-stopped

In this setup, Zero manages the SSL certificates and automatically reloads Nginx when a new certificate is issued. The certificates are stored in a Docker volume, making them persistent across container restarts.

Why Zero is Perfect for Small VPS Instances

One of the biggest advantages of Zero is its minimal resource usage. In a real-world deployment, Zero and Nginx together consume very little memory, making it an ideal solution for small VPS instances where resources are limited.

Here’s a snapshot of memory usage in one of my deployments:

aerie@pdg:~$ docker stats --no-stream
CONTAINER ID   NAME                       CPU %     MEM USAGE / LIMIT     MEM %     NET I/O           BLOCK I/O         PIDS
4d533325bc1d   ftl-flask-demo-zero        0.00%     1.238MiB / 961.6MiB   0.13%     3.44kB / 2.03kB   0B / 0B           5
279fae42a9a6   ftl-flask-demo-proxy       0.00%     4.691MiB / 961.6MiB   0.49%     985kB / 1.06MB    2.86MB / 24.6kB   2
2472f07ebcd4   ftl-flask-demo-flask-app   0.01%     101.7MiB / 961.6MiB   10.57%    3.44MB / 4.21MB   26.3MB / 0B       4
c4ba57ee6afb   ftl-flask-demo-postgres    0.01%     25.14MiB / 961.6MiB   2.61%     3.62MB / 2.87MB   15MB / 287kB      9

As you can see, Zero uses just 1.238MiB of memory, and the Nginx proxy uses 4.691MiB. This is incredibly efficient, especially when compared to other SSL management tools that can consume significantly more resources. For small VPS instances with limited RAM, this makes Zero an excellent choice.

Zero: The Essential Part of FTL

Zero isn’t just a standalone tool—it’s also a core component of FTL (Faster Than Light), my lightweight deployment tool designed to simplify cloud deployments. FTL provides automated, zero-downtime deployments through a single YAML configuration file, and Zero plays a crucial role in managing SSL/TLS certificates seamlessly within the FTL ecosystem.

How Zero Integrates with FTL

In FTL, Zero is responsible for:

  1. Automatic SSL/TLS Certificate Management: FTL uses Zero to automatically obtain and renew SSL certificates for your deployed applications. This ensures that your applications are always secure without requiring manual intervention.

  2. Built-in Nginx Reverse Proxy: FTL includes a built-in Nginx reverse proxy that works hand-in-hand with Zero to handle HTTPS traffic. When Zero renews a certificate, it automatically reloads the Nginx configuration to apply the new certificate, ensuring zero downtime.

  3. Lightweight and Efficient: Just like in standalone deployments, Zero’s minimal resource usage makes it perfect for FTL’s lightweight architecture. Whether you’re deploying a small personal project or a production application, FTL and Zero together ensure that your deployments are secure and efficient.

Here’s an example of how Zero is integrated into an FTL configuration:

project:
  name: my-project
  domain: my-project.example.com
  email: [email protected]

server:
  host: my-project.example.com
  user: my-project
  ssh_key: ~/.ssh/id_rsa

services:
  - name: web
    path: ./src
    port: 80
    health_check:
      path: /
    routes:
      - path: /

dependencies:
  - "postgres:16"

In this setup, FTL uses Zero to manage SSL certificates for the my-project.example.com domain. The certificates are automatically renewed, and the Nginx reverse proxy is reloaded to apply the new certificates without any downtime.

Why I Love Zero

Zero has become an essential tool in my development workflow. It’s simple, lightweight, and just works. I no longer have to worry about managing SSL certificates or debugging complex configurations. Zero handles everything for me, allowing me to focus on building my applications.

If you’re looking for a lightweight SSL certificate manager that’s easy to use and integrates seamlessly with Docker and FTL, give Zero a try. You can find it on GitHub at yarlson/zero.

Final Thoughts

Building Zero was a rewarding experience. It solved a real problem I faced and has made my life as a developer much easier. If you’re struggling with SSL certificate management, I hope Zero can do the same for you.

Feel free to contribute to the project or suggest new features. I’m always looking for ways to improve Zero and make it even more useful for the community.

Happy coding!

  • Yar Kravtsov
    Name
    Yar Kravtsov
    About
    Senior Software Engineer
    Twitter
    @yarlson