CDIST-TYPE__LETSENCRYPT_CERT(7)      cdist     CDIST-TYPE__LETSENCRYPT_CERT(7)

NAME

       cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt

DESCRIPTION

       Automatically obtain a Let's Encrypt SSL certificate using Certbot.

       This type always attempts to set up automatic renewals. In many Linux
       distributions, that is the case out of the box, see:
       https://certbot.eff.org/docs/using.html#automated-renewals

       For Alpine Linux and Arch Linux, we set up a system-wide cronjob that
       attempts to renew certificates daily.

       If you are using FreeBSD, we configure periodic(8) as recommended by
       the port maintainer, so there will be a weekly attempt at renewal.

       If your OS is not mentioned here or on Certbot's docs as having support
       for automated renewals, please make sure you check your OS and possibly
       patch this type so the system-wide cronjob is installed.

REQUIRED PARAMETERS

       object id
              A cert name. If domain parameter is not specified then it is
              used as a domain to be included in the certificate.

       admin-email
              Where to send Let's Encrypt emails like "certificate needs
              renewal".

OPTIONAL PARAMETERS

       state  'present' or 'absent', defaults to 'present' where:

              present
                     if the certificate does not exist, it will be obtained

              absent the certificate will be removed

       webroot
              The path to your webroot, as set up in your webserver config. If
              this parameter is not present, Certbot will be run in standalone
              mode.

OPTIONAL MULTIPLE PARAMETERS

       domain Domains to be included in the certificate. When specified, the
              object id is not used as a domain.

       deploy-hook
              Command to be executed only when the certificate associated with
              this $__object_id is issued or renewed. You can specify it
              multiple times, but any failure will prevent further commands
              from being executed.

              For this command, the shell variable $RENEWED_LINEAGE will point
              to the config live subdirectory (for example,
              /etc/letsencrypt/live/${__object_id}) containing the new
              certificates and keys; the shell variable $RENEWED_DOMAINS will
              contain a space-delimited list of renewed certificate domains
              (for example, example.com www.example.com).

       pre-hook
              Command to be run in a shell before obtaining any certificates.
              You can specify it multiple times, but any failure will prevent
              further commands from being executed.

              Note that these run regardless of which certificate is
              attempted; you may want to manage these system-wide hooks with
              __file in /etc/letsencrypt/renewal-hooks/pre/.

              Intended primarily for renewal, where it can be used to
              temporarily shut down a webserver that might conflict with the
              standalone plugin. This will only be called if a certificate is
              actually to be obtained/renewed.

       post-hook
              Command to be run in a shell after attempting to obtain/renew
              certificates. You can specify it multiple times, but any failure
              will prevent further commands from being executed.

              Note that these run regardless of which certificate was
              attempted; you may want to manage these system-wide hooks with
              __file in /etc/letsencrypt/renewal-hooks/post/.

              Can be used to deploy renewed certificates, or to restart any
              servers that were stopped by --pre-hook. This is only run if an
              attempt was made to obtain/renew a certificate.

BOOLEAN PARAMETERS

       staging
              Obtain a test certificate from a staging server.

MESSAGES

       change Certificate was changed.

       create Certificate was created.

       remove Certificate was removed.

EXAMPLES

          # use object id as domain
          __letsencrypt_cert example.com \
              --admin-email root@example.com \
              --deploy-hook "service nginx reload" \
              --webroot /data/letsencrypt/root

          # domain parameter is specified so object id is not used as domain
          # and example.com needs to be included again with domain parameter
          __letsencrypt_cert example.com \
              --admin-email root@example.com \
              --domain example.com \
              --domain foo.example.com \
              --domain bar.example.com \
              --deploy-hook "service nginx reload" \
              --webroot /data/letsencrypt/root
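
       The deploy-hook contract described under OPTIONAL MULTIPLE PARAMETERS,
       as an added example that is not part of cdist or Certbot: a hook script
       that checks $RENEWED_DOMAINS and copies the renewed chain and key from
       $RENEWED_LINEAGE into a service directory with restrictive modes.
       DEST_DIR, WANT_DOMAIN, the function names and the script path in the
       comment are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Hypothetical use from a cdist manifest:
#   --deploy-hook "WANT_DOMAIN=example.com DEST_DIR=/etc/nginx/tls /usr/local/sbin/cert-deploy.sh"
# Certbot provides RENEWED_LINEAGE and RENEWED_DOMAINS; WANT_DOMAIN and
# DEST_DIR are names made up for this example.

# Return 0 if domain $1 is a whole word in the space-delimited list $2,
# so "example.com" does not match inside "www.example.com".
domain_renewed() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy chain and key from lineage $1 into directory $2.
# Each file is written under a temporary name and then renamed, so the
# service never reads a half-written key; the key ends up mode 0600.
install_renewed() {
    lineage=$1
    dest=$2
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    umask 077
    mkdir -p "$dest" || return 1
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem.new" || return 1
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem.new" || return 1
    mv -f "$dest/fullchain.pem.new" "$dest/fullchain.pem" || return 1
    mv -f "$dest/privkey.pem.new" "$dest/privkey.pem"
}

# Hook entry point: do nothing unless certbot and the caller set the variables.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${DEST_DIR:-}" ]; then
    # Not our certificate: succeed without touching anything.
    domain_renewed "${WANT_DOMAIN:-}" "${RENEWED_DOMAINS:-}" || exit 0
    # A non-zero exit here stops any later deploy-hook (such as a reload)
    # from running against an incomplete install.
    install_renewed "$RENEWED_LINEAGE" "$DEST_DIR" || exit 1
fi
```

       Listing this script before "service nginx reload" in the deploy-hook
       parameters means the reload is skipped whenever the copy fails.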

AUTHORS

       Nico Schottelius <nico-cdist--@--schottelius.org>
       Kamila Součková <kamila--@--ksp.sk>
       Darko Poljak <darko.poljak--@--gmail.com>
       Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
       Evilham <contact@evilham.com>

COPYING

       Copyright (C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak
       and Ľubomír Kučera. You can redistribute it and/or modify it under the
       terms of the GNU General Public License as published by the Free
       Software Foundation, either version 3 of the License, or (at your
       option) any later version.

       ungleich GmbH 2020

6.9.6                            Apr 20, 2021  CDIST-TYPE__LETSENCRYPT_CERT(7)