debaditya-mohankudo/ACME_Cert_Life_Cycle_Agent_By_Claude_Cowork
An agentic TLS certificate lifecycle manager built on LangGraph and LLM planning. Automates ACME RFC 8555 issuance, renewal, and revocation across multiple CAs (DigiCert, Let’s Encrypt, ZeroSSL, Sectigo) with deterministic state management, atomic storage, and protocol-safe sequential execution.
ACME Certificate Lifecycle Agent
An intelligent, agentic TLS certificate manager built on LangGraph and Claude. It monitors certificate expiry across multiple domains, uses an LLM to plan and prioritize renewals, executes the full ACME RFC 8555 flow against any RFC 8555-compliant CA (DigiCert, Let's Encrypt, or custom), and stores issued certificates as PEM files on the local filesystem — all on a configurable daily schedule.
Deterministic mode (LLM_DISABLED=true): No LLM API calls; fully auditable renewal logic for air-gapped installations and cost optimization.
Designed for the coming 47-day TLS mandate (2029), where automated renewal is not optional.
Quality & Testing
| Metric | Value |
|---|---|
| Line coverage | 92% — 6,338 / 6,884 statements |
| Unit tests (CI) | 527 · parallel via xdist · ~9 s |
| Integration tests | 9 against Pebble ACME mock server |
| Total | 536 tests |
| Modules at 100% | router · planner · registry · state · graph · crypto · prompts · revocation_graph |
Coverage lifts from targeted tests: router 60%→100% · storage 23%→96% · error_handler 26%→98% · finalizer 22%→88%
See CI_TEST_COVERAGE.md for the full per-file breakdown.
Documentation
| Topic | Link |
|---|---|
| Docs wiki home | WIKI_HOME.md |
| How it works | HOW_IT_WORKS.md |
| Project structure | PROJECT_STRUCTURE.md |
| Setup (includes prerequisites) | SETUP.md |
| Running with Docker | DOCKER.md |
| Usage | USAGE.md |
| MCP server usage | MCP_SERVER.md |
| Pebble testing server | PEBBLE_TESTING_SERVER.md |
| Configuration reference | CONFIGURATION.md |
| Certificate revocation | REVOCATION_IMPLEMENTATION.md |
| Certificate storage layout | CERTIFICATE_STORAGE.md |
| HTTP-01 challenge modes | HTTP_CHALLENGE_MODES.md |
| HTTP-01 validation explained | HTTP_01_VALIDATION_EXPLAINED.md |
| LLM nodes and provider support | LLM_NODES.md |
| Let's Encrypt | LETS_ENCRYPT.md |
| Observability | OBSERVABILITY.md |
| Security considerations | SECURITY.md |
| Dependencies | DEPENDENCIES.md |
Quick CLI examples
python main.py --once
python main.py --schedule
python main.py --expiring-in-30-days
python main.py --domain-status my.local api.example.com
python main.py --generate-test-cert example.com --days 90
python main.py --revoke-cert example.com --reason 4
# Deterministic mode (no LLM API calls)
LLM_DISABLED=true python main.py --once
python mcp_server.pyLicense
This project is licensed under the MIT License – see the LICENSE file for details.