letsencrypt
: Install and configure Certbot, the LetsEncrypt client
letsencrypt::install
: Installs the Let's Encrypt client.
letsencrypt::plugin::dns_cloudflare
: Installs and configures the dns-cloudflare plugin
letsencrypt::plugin::dns_rfc2136
: Installs and configures the dns-rfc2136 plugin
letsencrypt::plugin::dns_route53
: Installs and configures the dns-route53 plugin
letsencrypt::plugin::nginx
: Install and configure the Let's Encrypt nginx plugin
letsencrypt::renew
: Configures renewal of Let's Encrypt certificates using Certbot
letsencrypt::config
: Configures the Let's Encrypt client.
letsencrypt::scripts
: Deploy helper scripts
letsencrypt::certonly
: Request a certificate using the certonly installer
letsencrypt::hook
: Creates hook scripts.
Letsencrypt::Cron::Hour
: mimic hour setting in cron as defined in man 5 crontab
Letsencrypt::Cron::Minute
: mimic minute setting in cron as defined in man 5 crontab
Letsencrypt::Cron::Monthday
: mimic monthday setting in cron as defined in man 5 crontab
Letsencrypt::Plugin
: List of accepted plugins
Install and configure Certbot, the LetsEncrypt client
class { 'letsencrypt':
  email  => '[email protected]',
  config => {
    'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory',
  },
}
The following parameters are available in the letsencrypt class:
email
environment
package_name
package_ensure
package_command
config_file
config
cron_scripts_path
cron_owner_group
manage_config
manage_install
configure_epel
agree_tos
unsafe_registration
config_dir
key_size
certificates
renew_pre_hook_commands
renew_post_hook_commands
renew_deploy_hook_commands
renew_additional_args
renew_disable_distro_cron
renew_cron_ensure
renew_cron_hour
renew_cron_minute
renew_cron_monthday
renew_cron_environment
email
Data type: Optional[String]
The email address to use to register with Let's Encrypt. This takes precedence over an 'email' setting defined in $config.
Default value: undef

environment
Data type: Array
An optional array of environment variables
Default value: []

package_name
Data type: String
Name of package and command to use when installing the client package.
Default value: 'certbot'

package_ensure
Data type: Any
The value passed to ensure when installing the client package.
Default value: 'installed'

package_command
Data type: String
Path or name for letsencrypt executable.
Default value: 'certbot'

config_file
Data type: String
The path to the configuration file for the letsencrypt cli.
Default value: "${config_dir}/cli.ini"

config
Data type: Hash
A hash representation of the letsencrypt configuration file.
Default value: { 'server' => 'https://acme-v02.api.letsencrypt.org/directory' }

cron_scripts_path
Data type: String
The path for renewal scripts called by cron
Default value: "${facts['puppet_vardir']}/letsencrypt"

cron_owner_group
Data type: String
Group owner of cron renew scripts.
Default value: 'root'

manage_config
Data type: Boolean
A feature flag to toggle the management of the letsencrypt configuration file.
Default value: true

manage_install
Data type: Boolean
A feature flag to toggle the management of the letsencrypt client installation.
Default value: true

configure_epel
Data type: Boolean
A feature flag to include the 'epel' class and depend on it for package installation.

agree_tos
Data type: Boolean
A flag to agree to the Let's Encrypt Terms of Service.
Default value: true

unsafe_registration
Data type: Boolean
A flag to allow using the 'register-unsafely-without-email' flag.
Default value: false

config_dir
Data type: Stdlib::Unixpath
The path to the configuration directory.
Default value: '/etc/letsencrypt'

key_size
Data type: Integer[2048]
Size for the RSA public key
Default value: 4096

certificates
Data type: Hash[String[1],Hash]
A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly.
Default value: {}

renew_pre_hook_commands
Data type: Any
Array of commands to run in a shell before obtaining/renewing any certificates.
Default value: []

renew_post_hook_commands
Data type: Any
Array of commands to run in a shell after attempting to obtain/renew certificates.
Default value: []

renew_deploy_hook_commands
Data type: Any
Array of commands to run in a shell once for each successfully issued/renewed certificate. Two environment variables are supplied by certbot:
- $RENEWED_LINEAGE: Points to the live directory with the cert files and key. Example: /etc/letsencrypt/live/example.com
- $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com"
Default value: []

renew_additional_args
Data type: Any
Array of additional command line arguments to pass to 'certbot renew'.
Default value: []

renew_disable_distro_cron
Data type: Any
Boolean, set to true to disable the cron created by the distro package
Default value: true

renew_cron_ensure
Data type: Any
Intended state of the cron resource running certbot renew.
Default value: 'absent'

renew_cron_hour
Data type: Any
Optional string, integer or array of hour(s) the renewal command should run. E.g. '[0,12]' to execute at midnight and midday.
Default value: fqdn_rand(24)

renew_cron_minute
Data type: Any
Optional string, integer or array of minute(s) the renewal command should run. E.g. 0 or '00' or [0,30].
Default value: fqdn_rand(60, fqdn_rand_string(10))

renew_cron_monthday
Data type: Any
Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days.
Default value: '*'

renew_cron_environment
Data type: Any
Optional string or array of environment variable(s) the renewal command should have. E.g. PATH=/sbin:/usr/sbin:/bin:/usr/bin
Default value: undef
Installs the Let's Encrypt client.
The following parameters are available in the letsencrypt::install class:

configure_epel
Data type: Boolean
A feature flag to include the 'epel' class and depend on it for package installation.
Default value: $letsencrypt::configure_epel

package_ensure
Data type: String
The value passed to ensure when installing the client package.
Default value: $letsencrypt::package_ensure

package_name
Data type: String
Name of package to use when installing the client package.
Default value: $letsencrypt::package_name
This class installs and configures the Let's Encrypt dns-cloudflare plugin. https://certbot-dns-cloudflare.readthedocs.io
The following parameters are available in the letsencrypt::plugin::dns_cloudflare class:
Data type: Optional[String[1]]
The name of the package to install when $manage_package is true.
Default value: undef
Data type: Optional[String[1]]
Optional string, cloudflare api key value for authentication.
Default value: undef
Data type: Optional[String[1]]
Optional string, cloudflare api token value for authentication.
Default value: undef
Data type: Optional[String[1]]
Optional string, cloudflare account email address, used in conjunction with api_key.
Default value: undef
The path to the configuration directory.
Data type: Boolean
Manage the plugin package.
Default value: true
Data type: Integer
Number of seconds to wait for the DNS server to propagate the DNS-01 challenge.
Default value: 10
Data type: Stdlib::Absolutepath
Default value: "${letsencrypt::config_dir}/dns-cloudflare.ini"
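The manifest below is an added example and is not taken from the module's own documentation. It pairs the dns-cloudflare plugin with a letsencrypt::certonly request validated over DNS-01, which is the only challenge type that can issue a wildcard name. The parameter name api_token is assumed to be the one carrying the "cloudflare api token value" described above; the Hiera key, the e-mail address and the hook command are constructed placeholders. Keep the token in an encrypted Hiera backend (eyaml) and scope it to edit only the zone being validated, for the same reason the dns-rfc2136 example later on this page recommends limiting the TSIG key to the records certbot needs.

```puppet
# Added example: wildcard issuance through the dns-cloudflare plugin.
# Staging endpoint first, so a misconfigured token or zone does not burn
# production rate limits; switch the server to acme-v02 once it works.
class { 'letsencrypt':
  email  => 'hostmaster@example.com',   # constructed example address
  config => {
    'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory',
  },
}

# `api_token` is assumed to be the parameter for the Cloudflare API token;
# the Hiera key is a placeholder. The token must only be able to edit DNS
# records in the zone that carries the _acme-challenge TXT record.
class { 'letsencrypt::plugin::dns_cloudflare':
  api_token           => lookup('profile::letsencrypt::cloudflare_token'),
  propagation_seconds => 30,  # let the edge serve the TXT record before validation
}

# A wildcard can only be validated with a dns-* authenticator. The explicit
# require keeps the plugin package and its .ini file ahead of the request.
letsencrypt::certonly { 'example.com':
  domains              => ['example.com', '*.example.com'],
  plugin               => 'dns-cloudflare',
  deploy_hook_commands => ['systemctl reload nginx'],  # constructed hook
  require              => Class['letsencrypt::plugin::dns_cloudflare'],
}
```

The deploy hook runs only when certbot actually issues or renews this lineage, so a reload is not triggered on the daily no-op runs of certbot renew.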
This class installs and configures the Let's Encrypt dns-rfc2136 plugin. https://certbot-dns-rfc2136.readthedocs.io
The following parameters are available in the letsencrypt::plugin::dns_rfc2136 class:
server
key_name
key_secret
key_algorithm
port
propagation_seconds
manage_package
package_name
config_dir

server
Data type: Stdlib::Host
Target DNS server.

key_name
Data type: String[1]
TSIG key name.

key_secret
Data type: String[1]
TSIG key secret.

key_algorithm
Data type: String[1]
TSIG key algorithm.
Default value: 'HMAC-SHA512'

port
Data type: Stdlib::Port
Target DNS port.
Default value: 53

propagation_seconds
Data type: Integer
Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. (the plugin defaults to 60)
Default value: 10

manage_package
Data type: Boolean
Manage the plugin package.
Default value: true

package_name
Data type: String[1]
The name of the package to install when $manage_package is true.

config_dir
Data type: Stdlib::Absolutepath
The path to the configuration directory.
Default value: $letsencrypt::config_dir
This class installs and configures the Let's Encrypt dns-route53 plugin. https://certbot-dns-route53.readthedocs.io
The following parameters are available in the letsencrypt::plugin::dns_route53 class:

propagation_seconds
Data type: Integer
Number of seconds to wait for the DNS server to propagate the DNS-01 challenge.
Default value: 10

manage_package
Data type: Boolean
Manage the plugin package.
Default value: true

package_name
Data type: String[1]
The name of the package to install when $manage_package is true.
install and configure the Let's Encrypt nginx plugin
The following parameters are available in the letsencrypt::plugin::nginx class:

manage_package
Data type: Boolean
Manage the plugin package.
Default value: true

package_name
Data type: String[1]
The name of the package to install when $manage_package is true.
Default value: 'python3-certbot-nginx'
Configures renewal of Let's Encrypt certificates using the certbot renew command.
Note: Hooks set here will run before/after/for ALL certificates, including any not managed by Puppet. If you want to create hooks for specific certificates only, create them using letsencrypt::certonly.
The following parameters are available in the letsencrypt::renew class:
pre_hook_commands
post_hook_commands
deploy_hook_commands
additional_args
disable_distro_cron
distro_renew_cron_file
distro_renew_timer
cron_ensure
cron_hour
cron_minute
cron_monthday
cron_environment

pre_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of commands to run in a shell before obtaining/renewing any certificates.
Default value: $letsencrypt::renew_pre_hook_commands

post_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of commands to run in a shell after attempting to obtain/renew certificates.
Default value: $letsencrypt::renew_post_hook_commands

deploy_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of commands to run in a shell once for each successfully issued/renewed certificate. Two environment variables are supplied by certbot:
- $RENEWED_LINEAGE: Points to the live directory with the cert files and key. Example: /etc/letsencrypt/live/example.com
- $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com"
Default value: $letsencrypt::renew_deploy_hook_commands

additional_args
Data type: Array[String[1]]
Array of additional command line arguments to pass to 'certbot renew'.
Default value: $letsencrypt::renew_additional_args

disable_distro_cron
Data type: Boolean
Boolean, set to true to disable the cron created by the distro package
Default value: $letsencrypt::renew_disable_distro_cron

distro_renew_cron_file
Data type: Optional[Stdlib::Unixpath]
Optional Unixpath, if set and if disable_distro_cron is true this file will be deleted (unless systemd is used)
Default value: undef

distro_renew_timer
Data type: Optional[String]
Optional String, name of the systemd timer to disable if disable_distro_cron is true
Default value: undef

cron_ensure
Data type: Enum['present', 'absent']
Intended state of the cron resource running certbot renew
Default value: $letsencrypt::renew_cron_ensure

cron_hour
Data type: Letsencrypt::Cron::Hour
Optional string, integer or array of hour(s) the renewal command should run. E.g. '[0,12]' to execute at midnight and midday. Default: fqdn-seeded random hour.
Default value: $letsencrypt::renew_cron_hour

cron_minute
Data type: Letsencrypt::Cron::Minute
Optional string, integer or array of minute(s) the renewal command should run. E.g. 0 or '00' or [0,30]. Default: fqdn-seeded random minute.
Default value: $letsencrypt::renew_cron_minute

cron_monthday
Data type: Letsencrypt::Cron::Monthday
Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days. Default: Every day.
Default value: $letsencrypt::renew_cron_monthday

cron_environment
Data type: Variant[String, Array[String], Undef]
Optional string or array of environment variable(s) the renewal command should have. E.g. PATH=/sbin:/usr/sbin:/bin:/usr/bin
Default value: $letsencrypt::renew_cron_environment
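As an added example, not from the module's own documentation, the main class below turns on the module-managed renewal cron with global pre, post and deploy hooks. It only uses the renew_* parameters documented above; the e-mail address and the hook commands are constructed. Because renewal hooks set here apply to every lineage on the host, the deploy hook is kept to a reload and a log line rather than anything certificate-specific.

```puppet
# Added example: global renewal schedule and hooks on the main class.
class { 'letsencrypt':
  email                     => 'hostmaster@example.com',  # constructed example address
  renew_cron_ensure         => 'present',
  # Two off-peak runs a day; certbot renew itself only acts on lineages
  # that are close to expiry, so the extra run is cheap.
  renew_cron_hour           => [3, 15],
  renew_cron_minute         => fqdn_rand(60, 'letsencrypt-renew'),
  renew_cron_monthday       => '*',
  renew_cron_environment    => 'PATH=/sbin:/usr/sbin:/bin:/usr/bin',
  # Keep only one renewal job on the host: the distro package's own cron
  # entry or timer is disabled so renewals are not attempted twice.
  renew_disable_distro_cron => true,
  renew_additional_args     => ['--quiet'],
  # Pre/post hooks are only needed when the standalone authenticator has
  # to bind port 80; the post hook runs whether or not renewal succeeded,
  # so the web server always comes back.
  renew_pre_hook_commands   => ['systemctl stop nginx'],
  renew_post_hook_commands  => ['systemctl start nginx'],
  # Runs once per renewed lineage. Single quotes keep ${...} out of Puppet
  # interpolation; certbot exports these variables to the hook's shell.
  renew_deploy_hook_commands => [
    'logger -t certbot "renewed ${RENEWED_DOMAINS} from ${RENEWED_LINEAGE}"',
    'systemctl reload nginx',
  ],
}
```

If certificates are validated with the webroot or nginx plugin instead of standalone, drop the pre and post hooks: the web server never has to release port 80, and stopping it would only create an outage on every run.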
This type can be used to request a certificate using the certonly installer.
# Request a certificate for `foo.example.com` using the `certonly`
# installer and the `standalone` authenticator.
letsencrypt::certonly { 'foo.example.com': }

# Request a certificate for `foo.example.com` and `bar.example.com` using
# the `certonly` installer and the `standalone` authenticator.
letsencrypt::certonly { 'foo':
  domains => ['foo.example.com', 'bar.example.com'],
}

# Request a certificate for `foo.example.com` with the `certonly` installer
# and the `apache` authenticator.
letsencrypt::certonly { 'foo.example.com':
  plugin => 'apache',
}

# Request a certificate for `foo.example.com` with the `certonly` installer
# and the `nginx` authenticator.
letsencrypt::certonly { 'foo.example.com':
  plugin => 'nginx',
}

# Request a certificate using the `webroot` authenticator. The paths to the
# webroots for all domains must be given through `webroot_paths`. If
# `domains` and `webroot_paths` are not the same length, the last
# `webroot_paths` element will be used for all subsequent domains.
letsencrypt::certonly { 'foo':
  domains       => ['foo.example.com', 'bar.example.com'],
  plugin        => 'webroot',
  webroot_paths => ['/var/www/foo', '/var/www/bar'],
}

# Request a certificate using the `dns-rfc2136` authenticator. Ideally the
# key `secret` should be encrypted, eg. with eyaml if using Hiera. It's
# also recommended to only enable access to the specific DNS records needed
# by the Let's Encrypt client.
#
# [Plugin documentation](https://certbot-dns-rfc2136.readthedocs.io)
class { 'letsencrypt::plugin::dns_rfc2136':
  server     => '192.0.2.1',
  key_name   => 'certbot',
  key_secret => '[...]==',
}
letsencrypt::certonly { 'foo.example.com':
  plugin => 'dns-rfc2136',
}

# Request a certificate for `foo.example.com` with the `certonly` installer
# and the `dns-route53` authenticator.
letsencrypt::certonly { 'foo.example.com':
  plugin => 'dns-route53',
}

# If you need to pass a command line flag to the `certbot` command that
# is not supported natively by this module, you can use the
# `additional_args` parameter to pass those arguments.
letsencrypt::certonly { 'foo.example.com':
  additional_args => ['--foo bar', '--baz quuz'],
}
The following parameters are available in the letsencrypt::certonly defined type:
ensure
domains
custom_plugin
plugin
webroot_paths
letsencrypt_command
additional_args
environment
key_size
manage_cron
suppress_cron_output
cron_before_command
cron_success_command
cron_hour
cron_minute
cron_monthday
config_dir
pre_hook_commands
post_hook_commands
deploy_hook_commands
cert_name

ensure
Data type: Enum['present','absent']
Intended state of the resource. Will remove certificates for specified domains if set to 'absent'. Will also remove cronjobs and renewal scripts if manage_cron is set to 'true'.
Default value: 'present'

domains
Data type: Array[String[1]]
An array of domains to include in the CSR.
Default value: [$title]

custom_plugin
Data type: Boolean
Whether to use a custom plugin passed via additional_args and disable the -a flag.
Default value: false

plugin
Data type: Letsencrypt::Plugin
The authenticator plugin to use when requesting the certificate.
Default value: 'standalone'

webroot_paths
Data type: Array[Stdlib::Unixpath]
An array of webroot paths for the domains in domains. Required if using plugin => 'webroot'. If domains and webroot_paths are not the same length, the last webroot_paths element will be used for all subsequent domains.
Default value: []

letsencrypt_command
Data type: String[1]
Command to run letsencrypt
Default value: $letsencrypt::command

additional_args
Data type: Array[String[1]]
An array of additional command line arguments to pass to the letsencrypt command.
Default value: []

environment
Data type: Array[String[1]]
An optional array of environment variables
Default value: []

key_size
Data type: Integer[2048]
Size for the RSA public key
Default value: $letsencrypt::key_size

manage_cron
Data type: Boolean
Whether to schedule a cron job for renewal. Runs daily but only renews if near expiration, e.g. within 10 days.
Default value: false

suppress_cron_output
Data type: Boolean
Redirect cron output to devnull
Default value: false

cron_before_command
Data type: Optional[String[1]]
Representation of a command that should be run before the renewal command
Default value: undef

cron_success_command
Data type: Optional[String[1]]
Representation of a command that should be run if the renewal command succeeds.
Default value: undef

cron_hour
Data type: Variant[Integer[0,23], String, Array]
Optional hour(s) that the renewal command should execute. E.g. '[0,12]' to execute at midnight and midday. Default: seeded random hour.
Default value: fqdn_rand(24, $title)

cron_minute
Data type: Variant[Integer[0,59], String, Array]
Optional minute(s) that the renewal command should execute. E.g. 0 or '00' or [0,30]. Default: seeded random minute.
Default value: fqdn_rand(60, fqdn_rand_string(10, $title))

cron_monthday
Data type: Array[Variant[Integer[0, 59], String[1]]]
Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days. Default: Every day.
Default value: ['*']

config_dir
Data type: Stdlib::Unixpath
The path to the configuration directory.
Default value: $letsencrypt::config_dir

pre_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of commands to run in a shell before attempting to obtain/renew the certificate.
Default value: []

post_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of command(s) to run in a shell after attempting to obtain/renew the certificate.
Default value: []

deploy_hook_commands
Data type: Variant[String[1], Array[String[1]]]
Array of command(s) to run in a shell once if the certificate is successfully issued. Two environment variables are supplied by certbot:
- $RENEWED_LINEAGE: Points to the live directory with the cert files and key. Example: /etc/letsencrypt/live/example.com
- $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com"
Default value: []

cert_name
Data type: String[1]
Default value: $title
This type is used by letsencrypt::renew and letsencrypt::certonly to create hook scripts.
The following parameters are available in the letsencrypt::hook defined type:
Data type: Enum['pre', 'post', 'deploy']
Hook type.
Data type: String[1]
Path to deploy hook script.
Data type: Variant[String[1],Array[String[1]]]
Bash commands to execute when the hook is run by certbot.
Type: Ruby 4.x API
The letsencrypt::letsencrypt_lookup function.
Returns: Any
Data type: Any
Letsencrypt::Cron::Hour
mimic hour setting in cron as defined in man 5 crontab
Alias of
Variant[Integer[0,23], String[1], Array[
  Variant[
    Integer[0,23],
    String[1],
  ]
]]

Letsencrypt::Cron::Minute
mimic minute setting in cron as defined in man 5 crontab
Alias of
Variant[Integer[0,59], String[1], Array[
  Variant[
    Integer[0,59],
    String[1],
  ]
]]

Letsencrypt::Cron::Monthday
mimic monthday setting in cron as defined in man 5 crontab
Alias of
Variant[Integer[0,31], String[1], Array[
  Variant[
    Integer[0,31],
    String[1],
  ]
]]

Letsencrypt::Plugin
List of accepted plugins
Alias of
Enum['apache', 'standalone', 'webroot', 'nginx', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-rfc2136']