Standalone deployment
Single-binary install for one Linux host. Bundles nginx, sets up a local MongoDB, and bootstraps secrets. The fastest path to a production-shaped instance for a single project.
01 Supported distros
- Ubuntu 22.04, 24.04 LTS
- Debian 12 (bookworm) and 13 (trixie)
- RHEL / Oracle / Rocky / Alma 9 and 10
- Amazon Linux 2023
Older distros may work but are not tested. The installer is glibc-only — Alpine is supported via the Docker path.
02 Install
curl -fsSL https://raw.githubusercontent.com/CloudNativeWorks/certautopilot-archive/main/get.sh \
| sudo bash -s -- \
--version=1.4.0 \
--mongo=local \
--tls=self-signed \
--port=443
Flags are positional-style; everything has a sensible default.
| Flag | Default | Effect |
|---|---|---|
| --version | latest | Pinned semver. Required for repeatable installs. |
| --mongo | local | local installs Mongo. external uses --mongo-uri. |
| --tls | self-signed | self-signed, provided, letsencrypt. |
| --cert / --key | — | Required for --tls=provided. |
| --port | 443 | Public HTTPS port. |
| --data-dir | /var/lib/certautopilot | Mongo data + KEK + uploads. |
03 Filesystem layout
/etc/certautopilot/ config.yaml, secrets.env, kek.bin
/usr/lib/certautopilot/ binary, migrations, web bundle
/var/lib/certautopilot/ mongo data, uploaded files
/var/log/certautopilot/ application logs (rotated)
/etc/nginx/conf.d/certautopilot.conf
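A post-install audit of the secret files named in the layout above, as an added example that is not part of the original page or the CertAutoPilot project. It assumes secrets.env and kek.bin should be regular files with no group/other permission bits (the page does not state the modes the installer sets); CAP_ETC and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not project code.
# Assumption: secrets.env and kek.bin should be regular files closed to
# group/other. The page does not document the modes the installer applies.

# CAP_ETC is a hypothetical override for pointing the audit at a test tree.
CAP_ETC="${CAP_ETC:-/etc/certautopilot}"

# perm_bits PATH MASK -> prints the mode bits of PATH selected by octal MASK.
perm_bits() {
  pb_mode="$(stat -c '%a' "$1")" || return 1   # GNU stat: 600, 640, 4755...
  echo $(( 0$pb_mode & $2 ))                    # leading 0 parses as octal
}

# check_secret FILE -> 0 only if FILE is a real file closed to group/other.
check_secret() {
  if [ -L "$1" ] || [ ! -f "$1" ]; then
    echo "FAIL $1: missing, symlink, or not a regular file" >&2; return 1
  fi
  if [ "$(perm_bits "$1" 077)" != "0" ]; then
    echo "FAIL $1: accessible beyond its owner" >&2; return 1
  fi
  echo "ok   $1"
}

# audit_secrets -> checks both secret files, and that the directory is not
# writable by group/other (which would let another account swap the files).
audit_secrets() {
  as_rc=0
  if [ "$(perm_bits "$CAP_ETC" 022)" != "0" ]; then
    echo "FAIL $CAP_ETC: directory writable by group/other" >&2; as_rc=1
  fi
  for as_f in secrets.env kek.bin; do
    check_secret "$CAP_ETC/$as_f" || as_rc=1
  done
  return "$as_rc"
}
```

Source the file and run audit_secrets as root after an install or upgrade; a non-zero exit status means at least one check failed.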
04 systemd services
- certautopilot.service: the all-mode application.
- certautopilot-mongo.service: only when --mongo=local.
- nginx.service: TLS terminator.
sudo systemctl status certautopilot
sudo journalctl -u certautopilot -f
05 Upgrade
Re-run the installer with the new --version. The script stops the service, runs schema migrations against MongoDB, swaps the binary, and starts again. Migrations are forward-only and idempotent.
For any upgrade that crosses a minor version (1.3.x → 1.4.x), mongodump the data directory before running the installer. Migrations are safe but irreversible.
06 TLS
Three options:
- --tls=self-signed: generated locally. Useful for setup; replace before exposing to users.
- --tls=provided --cert=<pem> --key=<pem>: your own material. The installer copies the files into nginx's path and reloads.
- --tls=letsencrypt --acme-email=<you@example.com>: bootstraps a Let's Encrypt cert via HTTP-01. Requires the host to be reachable on port 80.
Once installed and running, CertAutoPilot can also manage its own TLS — issue a cert from any configured CA and distribute it to its own nginx via the SSH module. Eat your own dog food.
07 Uninstall
sudo /usr/lib/certautopilot/uninstall.sh --purge-data
Without --purge-data, MongoDB and uploaded files are preserved at /var/lib/certautopilot/ for future reinstall.