cdist-type__letsencrypt_cert - Man Page

Get an SSL certificate from Let's Encrypt

Description

Automatically obtain a Let's Encrypt SSL certificate using Certbot.

This type attempts to setup automatic renewals always. In many Linux distributions, that is the case out of the box, see: https://certbot.eff.org/docs/using.html#automated-renewals

For Alpine Linux and Arch Linux, we setup a system-wide cronjob that attempts to renew certificates daily.

If you are using FreeBSD, we configure periodic(8) as recommended by the port mantainer, so there will be a weekly attempt at renewal.

If your OS is not mentioned here or on Certbot's docs as having support for automated renewals, please make sure you check your OS and possibly patch this type so the system-wide cronjob is installed.

Required Parameters

object id

A cert name. If domain parameter is not specified then it is used as a domain to be included in the certificate.

admin-email

Where to send Let's Encrypt emails like "certificate needs renewal".

Optional Parameters

state

'present' or 'absent', defaults to 'present' where:

present

if the certificate does not exist, it will be obtained

absent

the certificate will be removed

webroot

The path to your webroot, as set up in your webserver config. If this parameter is not present, Certbot will be run in standalone mode.

Optional Multiple Parameters

domain

Domains to be included in the certificate. When specified then object id is not used as a domain.

deploy-hook

Command to be executed only when the certificate associated with this $__object_id is issued or renewed. You can specify it multiple times, but any failure will prevent further commands from being executed.

For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, /etc/letsencrypt/live/${__object_id}) containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, example.com www.example.com)

pre-hook

Command to be run in a shell before obtaining any certificates. You can specify it multiple times, but any failure will prevent further commands from being executed.

Note these run regardless of which certificate is attempted, you may want to manage these system-wide hooks with __file in /etc/letsencrypt/renewal-hooks/pre/.

Intended primarily for renewal, where it can be used to temporarily shut down a webserver that might conflict with the standalone plugin. This will only be called if a certificate is actually to be obtained/renewed.

post-hook

Command to be run in a shell after attempting to obtain/renew certificates. You can specify it multiple times, but any failure will prevent further commands from being executed.

Note these run regardless of which certificate was attempted, you may want to manage these system-wide hooks with __file in /etc/letsencrypt/renewal-hooks/post/.

Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate.

Boolean Parameters

staging

Obtain a test certificate from a staging server.

Messages

change

Certificate was changed.

create

Certificate was created.

remove

Certificate was removed.

Examples

# use object id as domain
__letsencrypt_cert example.com \
    --admin-email root@example.com \
    --deploy-hook "service nginx reload" \
    --webroot /data/letsencrypt/root
# domain parameter is specified so object id is not used as domain
# and example.com needs to be included again with domain parameter
__letsencrypt_cert example.com \
    --admin-email root@example.com \
    --domain example.com \
    --domain foo.example.com \
    --domain bar.example.com \
    --deploy-hook "service nginx reload" \
    --webroot /data/letsencrypt/root

Authors

Nico Schottelius <nico-cdist--@--schottelius.org>
Kamila Součková <kamila--@--ksp.sk>
Darko Poljak <darko.poljak--@--gmail.com>
Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
Evilham <contact@evilham.com>

Copying

Copyright (C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and Ľubomír Kučera. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Referenced By

cdist-type__openldap_server(7).

Apr 20, 2021 6.9.6 cdist