acme

Manage X.509 certificates statefully using Certbot.

Hint

Also see the execution module documentation.

Example

reload-gitlab:
  cmd.run:
    - name: gitlab-ctl hup

dev.example.com:
  acme.cert:
    - aliases:
      - gitlab.example.com
    - email: acmemaster@example.com
    - webroot: /opt/gitlab/embedded/service/gitlab-rails/public
    - renew: 14
    - fire_event: acme/dev.example.com
    - onchanges_in:
      - cmd: reload-gitlab
saltext.acme.states.acme.cert(name, aliases=None, email=None, webroot=None, test_cert=False, renew=None, keysize=None, server=None, owner='root', group='root', mode='0640', certname=None, preferred_challenges=None, tls_sni_01_port=None, tls_sni_01_address=None, http_01_port=None, http_01_address=None, dns_plugin=None, dns_plugin_credentials=None, manual_auth_hook=None, manual_cleanup_hook=None)

Obtain/renew a certificate from an ACME CA, probably Let’s Encrypt.

Parameters:
  • name – Common Name of the certificate (DNS name of certificate)

  • aliases – subjectAltNames (Additional DNS names on certificate)

  • email – e-mail address for interaction with ACME provider

  • webroot – True (use Certbot's webroot authenticator with its configured default path) or the full path of the webroot that is served over HTTP on port 80, where Certbot writes the /.well-known/acme-challenge/ files. If unset, Certbot runs in standalone mode and binds the challenge port itself, so nothing else may be listening on it.

  • test_cert – Request a certificate from the Happy Hacker Fake CA (Let’s Encrypt’s staging environment, which is not trusted by browsers and is meant for rehearsing the state without hitting production rate limits). Mutually exclusive with ‘server’.

  • renew – True or ’force’ to force a renewal now, or an integer number of days: the certificate is renewed when it expires within that many days, otherwise the state reports no change

  • keysize – RSA key bits

  • server – API endpoint to talk to

  • owner – owner of the private key file

  • group – group of the private key file

  • mode – mode of the private key file

  • certname – Name of the certificate to save

  • preferred_challenges – A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first.

  • tls_sni_01_port – Port used during the tls-sni-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 443. Note that Let’s Encrypt retired the tls-sni-01 challenge in 2019 and current Certbot releases no longer implement it; prefer http-01 or dns-01.

  • tls_sni_01_address – The address the server listens on during the tls-sni-01 challenge (same deprecation caveat as above).

  • http_01_port – Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80.

  • http_01_address – The address the server listens on during the http-01 challenge.

  • dns_plugin – Name of a DNS plugin to use (currently only ‘cloudflare’)

  • dns_plugin_credentials – Path to the credentials file if required by the specified DNS plugin

  • manual_auth_hook – Path to the authentication hook script.

  • manual_cleanup_hook – Path to the cleanup or post-authentication hook script.
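The page's own example uses webroot mode on a reachable web server. The following is an added example, not part of the saltext.acme documentation, that combines the remaining authenticator options in one SLS: a staging rehearsal using test_cert, a host with no web server that relies on standalone mode with a non-default http_01_port, and a host that is not reachable on port 80 at all and therefore validates with the cloudflare DNS plugin. Every hostname, path, group name and the e-mail address are assumptions; the credentials file is managed with mode 0600 because the Cloudflare plugin reads an API token from it and certbot warns when it is world-readable.

```yaml
# Added example for saltext.acme.states.acme.cert; hostnames, paths and
# the e-mail address are placeholders chosen for illustration.

# 1. Rehearse against the staging CA first. test_cert and server are
#    mutually exclusive, so neither server nor the production endpoint
#    is given here. The resulting certificate is not browser-trusted.
staging.example.com:
  acme.cert:
    - email: acmemaster@example.com
    - test_cert: True
    - renew: 14

# 2. A host with no web server: omit webroot so Certbot runs standalone.
#    http_01_port only changes the local listener; Let's Encrypt still
#    connects to port 80, so something (e.g. a firewall DNAT rule, assumed
#    to exist) must forward 80 -> 8080 on this host.
vpn.example.com:
  acme.cert:
    - email: acmemaster@example.com
    - preferred_challenges: http-01
    - http_01_port: 8080
    - http_01_address: 0.0.0.0
    - renew: 30
    - keysize: 4096

# 3. A host that is not reachable on port 80/443 from the Internet:
#    validate over DNS with the cloudflare plugin. The credentials file
#    holds an API token and is therefore kept root-only.
/etc/letsencrypt/cloudflare.ini:
  file.managed:
    - user: root
    - group: root
    - mode: "0600"
    - contents_pillar: acme:cloudflare_ini   # assumed pillar key

internal.example.com:
  acme.cert:
    - aliases:
      - internal-alt.example.com
    - email: acmemaster@example.com
    - preferred_challenges: dns-01
    - dns_plugin: cloudflare
    - dns_plugin_credentials: /etc/letsencrypt/cloudflare.ini
    - server: https://acme-v02.api.letsencrypt.org/directory
    - renew: 30
    - owner: root
    - group: ssl-cert   # assumed group that the consuming service runs as
    - mode: "0640"
    - require:
      - file: /etc/letsencrypt/cloudflare.ini
```

Two points worth checking after a first run: `mode` governs only the private key file, so any service that needs to read the key must be in the group given there (ssl-cert above is an assumption), and `renew` is a window in days, so the state stays idempotent across highstate runs until the certificate is within that window of expiry.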