puppet-certbot

Puppet module to manage the EFF's client for Let's Encrypt, Certbot

Why?

There are a few Puppet modules out there for Certbot/Letsencrypt. Why have we written our own one? Other than a lack of maintenance on some of the existing modules, ours differs in that:

• It installs Certbot from PyPI using pip in a virtualenv so that you can install the latest version
• It runs Certbot as a non-root user with limited privileges
• It automates more of the steps around enabling HTTPS for an Nginx server with Let's Encrypt certificates

Warning

We don't recommend you use this in production just yet for the following reasons:

• There are no real tests yet
• We've only used this on Debian 8 (Jessie)
• We've only used this for webroot-based (http-01) challenges with Nginx
• There are some complications around the way Certbot is installed as some Python modules must be installed from source, requiring a compiler and relevant development libraries
• We use some hacky Puppet features (virtual resources) to "auto-magically" set up SSL settings for Nginx servers
• The code is likely to change substantially

Usage

Set up the basics: install Python and Certbot.

class { 'python':
  dev        => present,
  virtualenv => present,
}
->
class { 'certbot':
  email => 'letsencrypt@example.com',
}

Set up an Nginx server and nginx_virtual_server resource:

@nginx::resource::server { 'myserver':
  server_name => ['foo.example.com'],
  proxy       => 'http://localhost:5000/',
}

certbot::nginx_virtual_server { 'myserver': }

After one Puppet run the certificates should be issued. Adjust the nginx_virtual_server resource parameter to enable SSL:

certbot::nginx_virtual_server { 'myserver': enable_certs => true }