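# Create a certificate using certbot and optionally "install" copies of the
# resulting certificate/chain/key files at the given paths.
#
# The certbot invocation is assembled as a single command string, so the values
# interpolated into it must not be able to break out of that string: `$domain`
# and `$email` are rejected if they contain shell metacharacters.
#
# @param email
#   email address to provide to letsencrypt
# @param preferred_challanges
#   value for the --preferred-challenges parameter to certbot
#   (the parameter name keeps its historical spelling because callers depend on it)
# @param auth_hook
#   Script to use as an auth hook to certbot. To use hooks provided by the puppet
#   subclasses in this module, set it to the subclass name (for example "loopia"
#   to use the loopia auth hook)
# @param clean_hook
#   Script to use as a clean hook to certbot. See auth_hook.
# @param domain
#   Domain to get certificate for
# @param create_timeout
#   Timeout for certbot when fetching the certificate for the first time.
# @param cert_path
#   Path where the certificate will be "installed" when fetched.
# @param fullchain_path
#   Path where the file containing the full certificate chain will be "installed" when fetched.
# @param chain_path
#   Path where the pki chain file will be "installed" when fetched.
# @param key_path
#   Path where the key file will be "installed" when fetched.
# @param file_owner
#   User that should own the "installed" certificate/key files.
# @param file_group
#   Group that should own the "installed" certificate/key files.
# @param public_files_perm
#   Permissions mode for the public certificate files.
# @param private_files_perm
#   Permissions mode for the private key file.
#
define certbot::cert (
  String[1] $email,
  Optional[String[1]] $preferred_challanges = undef,
  Optional[String[1]] $auth_hook = undef,
  Optional[String[1]] $clean_hook = undef,
  String[1] $domain = $title,
  Integer $create_timeout = 900,
  Optional[String[1]] $cert_path = undef,
  Optional[String[1]] $fullchain_path = undef,
  Optional[String[1]] $chain_path = undef,
  Optional[String[1]] $key_path = undef,
  Variant[String[1], Integer] $file_owner = 0,
  Variant[String[1], Integer] $file_group = 0,
  String[1] $public_files_perm = '0644',
  String[1] $private_files_perm = '0400',
) {
  # The exec below receives one command string; a string containing shell
  # metacharacters can end up interpreted by a shell. Neither a domain name nor
  # an account email legitimately contains any of these, so refuse them early
  # with a clear catalog failure instead of producing a mangled command.
  if $domain =~ /[\s;&|`$()<>'"\\]/ {
    fail("certbot::cert[${title}]: domain '${domain}' contains characters that are not allowed in a command argument")
  }
  if $email =~ /[\s;&|`$()<>'"\\]/ {
    fail("certbot::cert[${title}]: email '${email}' contains characters that are not allowed in a command argument")
  }

  # Every $exec_* fragment is always assigned (possibly to ''), so the command
  # string below never references an undefined variable under strict_variables.
  # NOTE(review): confirm the installed certbot still accepts
  # --manual-public-ip-logging-ok; it was only ever needed together with --manual.
  $exec_manual = if $auth_hook or $clean_hook {
    '--manual --manual-public-ip-logging-ok'
  } else {
    ''
  }

  # NOTE(review): certbot::cert is a defined type, so $certbot::cert::bin_dir
  # resolves to a variable of a class named certbot::cert that this define does
  # not declare; confirm which class provides bin_dir.
  $exec_auth_hook = $auth_hook ? {
    'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-auth-loopia.py",
    undef    => '',
    default  => "--manual-auth-hook ${auth_hook}",
  }

  # The cleanup selector keys on $clean_hook and emits --manual-cleanup-hook;
  # it previously keyed on $auth_hook and emitted a second --manual-auth-hook,
  # so the cleanup script was never handed to certbot.
  $exec_clean_hook = $clean_hook ? {
    'loopia' => "--manual-cleanup-hook ${certbot::cert::bin_dir}/acme-cleanup-loopia.py",
    undef    => '',
    default  => "--manual-cleanup-hook ${clean_hook}",
  }

  $exec_challanges = $preferred_challanges ? {
    undef   => '',
    default => "--preferred-challenges=${preferred_challanges}",
  }

  $exec_cmd = "${certbot::params::certbot_bin} certonly --agree-tos -n -d ${domain} -m ${email} ${exec_challanges} ${exec_manual} ${exec_auth_hook} ${exec_clean_hook}" # lint:ignore:140chars

  # Only the initial issuance is driven from here: once certbot has written the
  # renewal config for this domain the exec is considered satisfied.
  exec { "certbot::cert::${title}":
    command => $exec_cmd,
    timeout => $create_timeout,
    creates => "${certbot::params::etc_dir}/letsencrypt/renewal/${domain}.conf";
  }

  # "Install" each requested file from certbot's live directory. The private
  # key is the only entry that gets the restrictive mode.
  $live_dir = "${certbot::params::etc_dir}/letsencrypt/live/${domain}"
  [
    [$cert_path,      'cert.pem',      $public_files_perm],
    [$fullchain_path, 'fullchain.pem', $public_files_perm],
    [$chain_path,     'chain.pem',     $public_files_perm],
    [$key_path,       'privkey.pem',   $private_files_perm],
  ].each |$entry| {
    $target = $entry[0]
    if $target {
      file { $target:
        source  => "${live_dir}/${entry[1]}",
        owner   => $file_owner,
        group   => $file_group,
        mode    => $entry[2],
        require => Exec["certbot::cert::${title}"];
      }
    }
  }
}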