Puppet Class: letsencrypt

Defined in:
manifests/init.pp

Summary

Install and configure Certbot, the LetsEncrypt client

Overview

Install and configure Certbot, the LetsEncrypt client

Examples:

class { 'letsencrypt' :
  email  => 'letsregister@example.com',
  config => {
    'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory',
  },
}

Parameters:

  • email (Optional[String]) (defaults to: undef)

    The email address to use to register with Let’s Encrypt. This takes precedence over an ‘email’ setting defined in $config.

  • environment (Array) (defaults to: [])

    An optional array of environment variables

  • package_name (String) (defaults to: 'certbot')

    Name of package and command to use when installing the client package.

  • package_ensure (String[1]) (defaults to: 'installed')

    The value passed to ‘ensure’ when installing the client package.

  • package_command (String) (defaults to: 'certbot')

    Path or name for letsencrypt executable.

  • config_file (String) (defaults to: "${config_dir}/cli.ini")

    The path to the configuration file for the letsencrypt cli.

  • config (Hash) (defaults to: { 'server' => 'https://acme-v02.api.letsencrypt.org/directory' })

    A hash representation of the letsencrypt configuration file.

  • cron_scripts_path (String) (defaults to: "${facts['puppet_vardir']}/letsencrypt")

    The path for renewal scripts called by cron

  • cron_owner_group (String) (defaults to: 'root')

    Group owner of cron renew scripts.

  • manage_config (Boolean) (defaults to: true)

    A feature flag to toggle the management of the letsencrypt configuration file.

  • manage_install (Boolean) (defaults to: true)

    A feature flag to toggle the management of the letsencrypt client installation.

  • configure_epel (Boolean)

    A feature flag to include the ‘epel’ class and depend on it for package installation.

  • agree_tos (Boolean) (defaults to: true)

    A flag to agree to the Let’s Encrypt Terms of Service.

  • unsafe_registration (Boolean) (defaults to: false)

    A flag to allow using the ‘register-unsafely-without-email’ flag.

  • config_dir (Stdlib::Unixpath) (defaults to: '/etc/letsencrypt')

    The path to the configuration directory.

  • key_size (Integer[2048]) (defaults to: 4096)

    Size in bits of the RSA key pair generated for each certificate. The type enforces a minimum of 2048.

  • certificates (Hash[String[1],Hash]) (defaults to: {})

    A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly.

  • renew_pre_hook_commands (Variant[String[1], Array[String[1]]]) (defaults to: [])

    A command, or array of commands, to run in a shell before obtaining/renewing any certificates.

  • renew_post_hook_commands (Variant[String[1], Array[String[1]]]) (defaults to: [])

    A command, or array of commands, to run in a shell after attempting to obtain/renew certificates.

  • renew_deploy_hook_commands (Variant[String[1], Array[String[1]]]) (defaults to: [])

    A command, or array of commands, to run in a shell once for each successfully issued/renewed certificate. Two environment variables are supplied by certbot:

    • $RENEWED_LINEAGE: Points to the live directory with the cert files and key.

      Example: /etc/letsencrypt/live/example.com
      
    • $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.

      Example: "example.com www.example.com"
      
  • renew_additional_args (Variant[String[1], Array[String[1]]]) (defaults to: [])

    An argument, or array of additional command line arguments, to pass to ‘certbot renew’.

  • renew_cron_ensure (String[1]) (defaults to: 'absent')

    Intended state of the cron resource running certbot renew. The default is 'absent', so no renewal job is created unless this is set to 'present'; certificates obtained via this class will then expire unless renewed by other means.

  • renew_cron_hour (Letsencrypt::Cron::Hour) (defaults to: fqdn_rand(24))

    Optional string, integer or array of hour(s) the renewal command should run. E.g. ‘[0,12]’ to execute at midnight and midday.

  • renew_cron_minute (Letsencrypt::Cron::Minute) (defaults to: fqdn_rand(60))

    Optional string, integer or array of minute(s) the renewal command should run. E.g. 0 or ‘00’ or [0,30].

  • renew_cron_monthday (Letsencrypt::Cron::Monthday) (defaults to: '*')

    Optional string, integer or array of monthday(s) the renewal command should run. E.g. ‘2-30/2’ to run on even days.

  • certonly_pre_hook_commands (Array[String[1]]) (defaults to: [])

    Array of commands to run in a shell before obtaining/renewing any certificates.

  • certonly_post_hook_commands (Array[String[1]]) (defaults to: [])

    Array of commands to run in a shell after attempting to obtain/renew certificates.

  • certonly_deploy_hook_commands (Array[String[1]]) (defaults to: [])

    Array of commands to run in a shell once for each successfully issued/renewed certificate. Two environment variables are supplied by certbot:

    • $RENEWED_LINEAGE: Points to the live directory with the cert files and key.

      Example: /etc/letsencrypt/live/example.com
      
    • $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.

      Example: "example.com www.example.com"
      


# File 'manifests/init.pp', line 63

class letsencrypt (
  Boolean $configure_epel,
  Optional[String] $email            = undef,
  Array $environment                 = [],
  String $package_name               = 'certbot',
  String[1] $package_ensure          = 'installed',
  String $package_command            = 'certbot',
  Stdlib::Unixpath $config_dir       = '/etc/letsencrypt',
  String $config_file                = "${config_dir}/cli.ini",
  Hash $config                       = { 'server' => 'https://acme-v02.api.letsencrypt.org/directory' },
  String $cron_scripts_path          = "${facts['puppet_vardir']}/letsencrypt",
  String $cron_owner_group           = 'root',
  Boolean $manage_config             = true,
  Boolean $manage_install            = true,
  Boolean $agree_tos                 = true,
  Boolean $unsafe_registration       = false,
  Integer[2048] $key_size            = 4096,
  Hash[String[1],Hash] $certificates = {},
  # $renew_* should only be used in letsencrypt::renew (blame rspec)
  Variant[String[1], Array[String[1]]] $renew_pre_hook_commands = [],
  Variant[String[1], Array[String[1]]] $renew_post_hook_commands = [],
  Variant[String[1], Array[String[1]]] $renew_deploy_hook_commands = [],
  Variant[String[1], Array[String[1]]] $renew_additional_args = [],
  String[1] $renew_cron_ensure                 = 'absent',
  Letsencrypt::Cron::Hour $renew_cron_hour = fqdn_rand(24),
  Letsencrypt::Cron::Minute $renew_cron_minute = fqdn_rand(60),
  Letsencrypt::Cron::Monthday $renew_cron_monthday = '*',
  # define default hooks for all certonly defined resources
  Array[String[1]] $certonly_pre_hook_commands = [],
  Array[String[1]] $certonly_post_hook_commands = [],
  Array[String[1]] $certonly_deploy_hook_commands = [],
) {
  if $manage_install {
    contain letsencrypt::install # lint:ignore:relative_classname_inclusion
    Class['letsencrypt::install'] -> Class['letsencrypt::renew']
  }

  $command = $package_command

  if $manage_config {
    contain letsencrypt::config # lint:ignore:relative_classname_inclusion
  }

  contain letsencrypt::renew

  $certificates.each |$certificate, $properties| {
    letsencrypt::certonly { $certificate: * => $properties }
  }
}