SSL Certificates

Shyp automatically provisions and manages SSL certificates using Let's Encrypt.

How It Works

When you run shyp sync, Shyp checks each app with a domain:

  1. If no certificate exists, Shyp runs certbot to obtain one
  2. Nginx configuration is generated with SSL settings
  3. HTTP traffic is automatically redirected to HTTPS

Certificates are stored in /etc/letsencrypt/live/ and are automatically renewed by certbot's systemd timer.

Checking Certificate Status

The shyp status command shows SSL certificate expiry for each app:

$ shyp status

Apps
──────────────────────────────────────────────────────────────────────
NAME           STATUS       PORT     MEMORY     UPTIME       SSL      DOMAIN
my-app         ● online     3001     156MB      2d 4h        89d      my-app.com
api-server     ● online     3002     89MB       5d 12h       45d      api.example.com
new-site       ● online     3003     45MB       1h           no cert  new-site.com

Green (30+ days): Certificate is healthy

Yellow (8-30 days): Certificate expiring soon

Red (0-7 days or no cert): Immediate attention needed
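To apply the same three bands to the certificate files certbot actually writes, here is an added shell script (not part of Shyp or certbot) that reads each domain's live certificate and reports its band, exiting non-zero when any domain is red. It assumes the openssl CLI is installed, the layout /etc/letsencrypt/live/<domain>/cert.pem, and read access to that directory (normally root).

```shell
#!/bin/sh
# Added example, not Shyp's own code: reproduce the SSL column of `shyp status`
# from the files certbot keeps under /etc/letsencrypt/live/<domain>/cert.pem.
# Assumes the openssl CLI and read access to the live/ directory.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Print days until the certificate at $1 expires, or "nocert" if it is missing
# or cannot be parsed (the same case `shyp status` shows as "no cert").
cert_days_left() {
  pem="$1"
  [ -r "$pem" ] || { echo nocert; return 0; }
  not_after=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$not_after" ] || { echo nocert; return 0; }
  # GNU date first, BSD/macOS date as fallback.
  exp_epoch=$(date -u -d "$not_after" +%s 2>/dev/null) \
    || exp_epoch=$(date -u -j -f '%b %e %H:%M:%S %Y %Z' "$not_after" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Map days remaining to the bands used by `shyp status`:
# green 30+, yellow 8-30, red 0-7 or no certificate (negative = already expired).
ssl_band() {
  case "$1" in
    nocert) echo red ;;
    *) if [ "$1" -ge 30 ]; then echo green
       elif [ "$1" -ge 8 ]; then echo yellow
       else echo red; fi ;;
  esac
}

# One line per domain; return 1 if any domain needs immediate attention.
check_domains() {
  rc=0
  for d in "$@"; do
    days=$(cert_days_left "$LE_LIVE/$d/cert.pem")
    band=$(ssl_band "$days")
    [ "$band" = red ] && rc=1
    printf '%-30s %-8s %s\n' "$d" "$days" "$band"
  done
  return $rc
}
```

Run it as `check_domains my-app.com api.example.com` from a cron job or monitoring check to catch a stuck renewal before the 7-day mark.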

Provisioning Certificates

Certificates are provisioned automatically when you run shyp sync:

$ shyp sync

Syncing configurations...
✓ Generated nginx config for my-app
✓ Generated nginx config for api-server
✓ Obtaining certificate for new-site.com...
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Successfully received certificate.
✓ Certificate obtained for new-site.com
✓ Nginx reloaded

Email Configuration

Let's Encrypt sends expiry warnings to the email associated with each certificate.

Default Behavior

By default, Shyp registers each certificate with contact@yourdomain.com (contact@ at the app's own domain). Make sure mail to that address is forwarded somewhere it is read, or expiry warnings will be lost.

Custom Email Per App

Override the email in your app config:

name: my-app
domain: my-app.com
ssl:
  email: alerts@your-company.com

Global Default Email

Set a global default in /etc/shyp/config.yaml:

ssl:
  email: devops@your-company.com

Automatic Renewal

Let's Encrypt certificates are valid for 90 days. Certbot automatically renews them via a systemd timer.

# Check renewal timer status
sudo systemctl status certbot.timer

# Manually test renewal (dry run)
sudo certbot renew --dry-run

# Force renewal of a specific domain (counts against Let's Encrypt rate limits; use --dry-run to test first)
sudo certbot certonly --force-renewal -d example.com

Manual Certificate Management

View All Certificates

sudo certbot certificates

Revoke a Certificate

sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

Delete a Certificate

sudo certbot delete --cert-name example.com

Troubleshooting

Certificate not obtained

Make sure your DNS is properly configured and pointing to your server. Let's Encrypt verifies domain ownership over plain HTTP (the HTTP-01 challenge), so the domain must resolve to this server and port 80 must be reachable from the internet.

# Check if domain resolves to your server
dig +short yourdomain.com

# Check if port 80 is accessible
curl -I http://yourdomain.com

Rate limited

Let's Encrypt has rate limits (50 certificates per domain per week). If you hit the limit, wait before retrying. Use --dry-run for testing: it runs against the staging environment and does not count toward the limit.

Wildcard certificates

Shyp doesn't currently support wildcard certificates automatically. You can obtain them manually with certbot using the DNS-01 challenge and configure Nginx by hand.