cookbook 'letsencrypt', '= 1.0.0'
The letsencrypt cookbook has been deprecated
Author provided reason for deprecation:
The letsencrypt cookbook has been deprecated and is no longer being maintained by its authors. Use of the letsencrypt cookbook is no longer recommended.
You may find that the acme cookbook is a suitable alternative.
letsencrypt (12) Versions 1.0.0 Follow11
Install free and trusted SSL/TLS certificates from Let's Encrypt
cookbook 'letsencrypt', '= 1.0.0', :supermarket
knife supermarket install letsencrypt
knife supermarket download letsencrypt
letsencrypt cookbook
Automatically get/renew free and trusted certificates from Let's Encrypt (letsencrypt.org).
Attributes
default
-
node['letsencrypt']['contact']
- Contact information, default empty. Set tomailto:your@email.com
. -
node['letsencrypt']['endpoint']
- ACME server endpoint, defaulthttps://acme-v01.api.letsencrypt.org
. Set tohttps://acme-staging.api.letsencrypt.org
if you want to use the letsencrypt staging environment and corresponding certificates. -
node['letsencrypt']['renew']
- Days before the certificate expires at which the certificate will be renewed, default30
. -
node['letsencrypt']['source_ips']
- IP addresses used by letsencrypt to verify the TLS certificates, it will change over time. This attribute is for firewall purposes. Allow these IPs for HTTP (tcp/80). -
node['letsencrypt']['private_key']
- Private key content of registered account.
Recipes
default
Installs the required acme-client rubygem.
Usage
Use the letsencrypt_certificate
provider to request a certificate. The webserver for the domain for which you are requesting a certificate must be running on the local server. Currently only the http validation method is supported. Provide the path to your wwwroot
for the specified domain.
letsencrypt_certificate 'test.example.com' do crt '/etc/ssl/test.example.com.crt' key '/etc/ssl/test.example.com.key' method 'http' wwwroot '/var/www' end
In case your webserver needs an already existing certificate when installing a new server you will have a bootstrap problem. Webserver cannot start without certificate, but the certificate cannot be requested without the running webserver. To overcome this a self-signed certificate can be generated with the letsencrypt_selfsigned
provider.
letsencrypt_selfsigned 'test.example.com' do crt '/etc/ssl/test.example.com.crt' key '/etc/ssl/test.example.com.key' end
A working example can be found in the included acme_client
test cookbook.
Providers
certificate
Property | Type | Default | Description |
---|---|---|---|
cn |
string | name | The common name for the certificate |
alt_names |
array | [] | The common name for the certificate |
crt |
string | nil | File path to place the certificate |
key |
string | nil | File path to place the private key |
chain |
string | nil | File path to place the certificate chain |
fullchain |
string | nil | File path to place the certificate including the chain |
owner |
string | root | Owner of the created files |
group |
string | root | Group of the created files |
method |
string | http | Validation method |
wwwroot |
string | /var/www | Path to the wwwroot of the domain |
ignore_failure |
boolean | false | Whether to continue chef run if issuance fails |
retries |
integer | 0 | Number of times to catch exceptions and retry |
retry_delay |
integer | 2 | Number of seconds to wait between retries |
selfsigned
Property | Type | Default | Description |
---|---|---|---|
cn |
string | name | The common name for the certificate |
crt |
string | nil | File path to place the certificate |
key |
string | nil | File path to place the private key |
chain |
string | nil | File path to place the certificate chain |
owner |
string | root | Owner of the created files |
group |
string | root | Group of the created files |
Example
To generate a certificate for an apache2 website you can use code like this:
# Set up contact information. Note the mailto: notation
node.set['letsencrypt']['contact'] = [ 'mailto:me@example.com' ]
# Real certificates please...
node.set['letsencrypt']['endpoint'] = 'https://acme-v01.api.letsencrypt.org'
site="example.com"
sans=Array[ "www.#{site}" ]
# Set up your server here...
# Let's letsencrypt
# Generate a self-signed if we don't have a cert to prevent bootstrap problems
letsencrypt_selfsigned "#{site}" do
crt "/etc/httpd/ssl/#{site}.crt"
key "/etc/httpd/ssl/#{site}.key"
chain "/etc/httpd/ssl/#{site}.pem"
owner "apache"
group "apache"
notifies :restart, "service[apache2]", :immediate
not_if do
# Only generate a self-signed cert if needed
::File.exists?("/etc/httpd/ssl/#{site}.crt")
end
end
# Get and auto-renew the certificate from letsencrypt
letsencrypt_certificate "#{site}" do
crt "/etc/httpd/ssl/#{site}.crt"
key "/etc/httpd/ssl/#{site}.key"
chain "/etc/httpd/ssl/#{site}.pem"
method "http"
wwwroot "/var/www/#{site}/htdocs/"
notifies :restart, "service[apache2]"
alt_names sans
end
Testing
The kitchen includes a boulder
server to run the integration tests with, so testing can run locally without interaction with the online API's.
Contributing
- Fork the repository on Github
- Create a named feature branch (like
add_component_x
) - Write your change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using Github
License and Authors
Authors: Thijs Houtenbos thoutenbos@schubergphilis.com
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
letsencrypt changelog
This file is used to list changes made in each version of the letsencrypt cookbook.
1.0.0
seccubus - Make production the default end-point
seccubus - Add apache2 example
thoutenbos - Fix for chef-client v11 compatibility
thoutenbos - Fix integration tests
0.1.7
- glaszig - Use chef api inside ruby_block
- arr-dev - Document
node['letsencrypt']['private_key']
0.1.6
- funzoneq - Add verification IP for firewalling purposes
- acoulton - fail chef run if certificate not issued, unless
ignore_failure
resource attribute set
0.1.5
- thoutenbos - fix selfsigned chain
0.1.4
- patcon - spin-off the boulder test cookbook
- patcon - add Ubuntu support
- thoutenbos - various improvements
0.1.3
- sawanoboly - Add SAN support
0.1.2
- obazoud - Improved logging
- thoutenbos - Add Kitchen CI
- thoutenbos - Fix key/cert creation order issue
0.1.1
- Thijs Houtenbos - Added
chain
andfullchain
properties
0.1.0
- Thijs Houtenbos - Initial release
Check the Markdown Syntax Guide for help with Markdown.
The Github Flavored Markdown page describes the differences between markdown on github and standard markdown.