Nginx servers need SSL/TLS certificates for secure connections. Existing solutions like Certbot are often too large and complex for simple setups.
Zero is a lightweight service that manages SSL/TLS certificates using ZeroSSL. It automatically handles certificate obtainment, renewal, and HTTP challenges while running as a background service.
Core Features:
- Automatic SSL/TLS certificate management via ZeroSSL
- Daily certificate monitoring and renewal (30 days before expiration)
- Built-in HTTP server for ACME challenges
- HTTP to HTTPS traffic redirection
- Post-renewal hooks with Docker container support
Deployment:
- Available as a Docker image (AMD64/ARM64)
- Minimal dependencies
- Simple command-line interface
- Configurable certificate storage
- Configurable renewal schedule
Integration:
- Works seamlessly with Nginx
- Easy to use with Docker Compose
- Automatic ZeroSSL account management
- Go 1.23 or later
Download the latest release from the releases page.
-
Download the appropriate archive for your system architecture:
- For AMD64 (Intel):
zero_*_darwin_amd64.tar.gz - For ARM64 (Apple Silicon):
zero_*_darwin_arm64.tar.gz
- For AMD64 (Intel):
-
Extract the binary:
tar xzf zero_*.tar.gz -
Make the binary executable and move it to your local bin directory:
chmod +x ./zero sudo mv ./zero /usr/local/bin/
-
Remove the macOS security quarantine attribute:
sudo xattr -d com.apple.quarantine /usr/local/bin/zero
-
Download the appropriate archive for your system architecture:
- For AMD64:
zero_*_linux_amd64.tar.gz - For ARM64:
zero_*_linux_arm64.tar.gz
- For AMD64:
-
Extract the binary:
tar xzf zero_*.tar.gz -
Make the binary executable and move it to your local bin directory:
chmod +x ./zero sudo mv ./zero /usr/local/bin/
-
Download the appropriate archive for your system architecture:
- For Windows AMD64:
zero_*_windows_amd64.tar.gz - For Windows ARM64:
zero_*_windows_arm64.tar.gz
- For Windows AMD64:
-
Extract the archive using your preferred archive tool
-
Add the extracted binary location to your system's PATH environment variable
If you have Go 1.23 or later installed:
go install github.com/yarlson/zero@latestPull and run the latest image:
docker pull yarlson/zero:latestSee the Docker section for detailed usage instructions.
To verify the installation:
zero --helpBasic usage:
zero -d example.com -e [email protected]With all options:
zero -d example.com -e [email protected] [-c /path/to/certs] [-p port] [-t HH:mm]Options:
-d, --domain: Domain name for the certificate (required)-e, --email: Email address for credential retrieval and account registration (required)-c, --cert-dir: Directory to store certificates (default: "./certs")-p, --port: HTTP port for ACME challenges (default: 80)-t, --time: Time for daily renewal checks in HH:mm format (default: "02:00")--hook: Command to execute after certificate renewal--hook-container: Container name or network alias to execute hook in
For more information, run:
zero --helpZero operates as a daemon that:
- Serves HTTP-01 challenges on port 80 (required by ACME protocol)
- Redirects all other HTTP traffic to HTTPS
- Checks certificates daily at the specified time
- Automatically obtains or renews certificates when needed
- Executes configured hooks after certificate renewal
- Handles graceful shutdown on SIGINT/SIGTERM
Certificates are stored in the ./certs directory by default. Use the --cert-dir flag to specify a custom directory for certificate storage.
The daemon will check certificates daily at 02:00 by default. Use the --time flag to specify a different time in 24-hour format.
You can configure commands to be executed after certificate renewal using hooks:
# Execute local command after renewal
zero -d example.com -e [email protected] --hook "systemctl reload nginx"
# Execute command in Docker container after renewal
zero -d example.com -e [email protected] \
--hook "nginx -s reload" \
--hook-container "nginx-container"When using --hook-container, Zero will:
- Find the container by name or network alias
- Execute the specified command inside that container
- Wait for command completion
This is particularly useful for reloading Nginx configuration after certificate renewal.
- Only supports HTTP-01 challenge
- Designed for single-domain certificates
- No support for wildcard certificates
Contributions are welcome. Please submit pull requests with clear descriptions of changes and updates to tests if applicable.
This project is licensed under the MIT License - see the LICENSE file for details.
Zero is available as a Docker image supporting both AMD64 and ARM64 architectures.
Basic usage:
docker run -d \
--name zero \
-p 80:80 \
-v /path/to/certs:/certs \
yarlson/zero:latest \
-d example.com \
-e [email protected] \
-c /certsOptions:
-d: Run container in background-p 80:80: Map container's port 80 to host's port 80 (required for ACME challenges)-v /path/to/certs:/certs: Mount local directory for certificate storageyarlson/zero:latest: Use latest version (or specify a version likeyarlson/zero:0.3.7)
The certificates will be stored in the mounted volume at /path/to/certs on the host.
Example docker-compose.yml:
volumes:
certs: # Named volume for certificates
services:
zero:
image: yarlson/zero:latest
ports:
- "80:80"
volumes:
- certs:/certs
command:
- -d
- example.com
- -e
- [email protected]
- -c
- /certs
restart: unless-stoppedExample docker-compose.yml with Nginx:
volumes:
certs: # Named volume for certificates
services:
zero:
image: yarlson/zero:latest
ports:
- "80:80"
volumes:
- certs:/certs
command:
- -d
- example.com
- -e
- [email protected]
- -c
- /certs
- --hook
- nginx -s reload
- --hook-container
- nginx
restart: unless-stopped
nginx:
image: nginx:alpine
ports:
- "443:443"
volumes:
- certs:/etc/nginx/certs:ro # Mount the same volume as read-only
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
depends_on:
- zero
restart: unless-stoppedExample nginx.conf:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/certs/example.com.crt;
ssl_certificate_key /etc/nginx/certs/example.com.key;
# ... rest of your configuration ...
}