New in version 2016.3.0.
This module currently looks for certbot script in the $PATH as - certbot, - lestsencrypt, - certbot-auto, - letsencrypt-auto eventually falls back to /opt/letsencrypt/letsencrypt-auto
Installation & configuration of the Let's Encrypt client can for example be done using https://github.com/saltstack-formulas/letsencrypt-formula
Be sure to set at least accept-tos = True in cli.ini!
Most parameters will fall back to cli.ini defaults if None is given.
This module currently supports the CloudFlare certbot DNS plugin. The DNS
plugin credentials file needs to be passed in using the
Make sure the appropriate certbot plugin for the wanted DNS provider is installed before using this module.
Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
name -- Common Name of the certificate (DNS name of certificate)
aliases -- subjectAltNames (Additional DNS names on certificate)
email -- e-mail address for interaction with ACME provider
webroot -- True or a full path to use to use webroot. Otherwise use standalone mode
test_cert -- Request a certificate from the Happy Hacker Fake CA (mutually exclusive with 'server')
renew -- True/'force' to force a renewal, or a window of renewal before expiry in days
keysize -- RSA key bits
server -- API endpoint to talk to
owner -- owner of the private key file
group -- group of the private key file
mode -- mode of the private key file
certname -- Name of the certificate to save
preferred_challenges -- A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first.
tls_sni_01_port -- Port used during tls-sni-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 443.
tls_sni_01_address -- The address the server listens to during tls-sni-01 challenge.
http_01_port -- Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80.
https_01_address -- The address the server listens to during http-01 challenge.
dns_plugin -- Name of a DNS plugin to use (currently only 'cloudflare' or 'digitalocean')
dns_plugin_credentials -- Path to the credentials file if required by the specified DNS plugin
dns_plugin_propagate_seconds -- Number of seconds to wait for DNS propogations before asking ACME servers to verify the DNS record. (default 10)
manual_auth_hook -- Path to the manual authentication hook script.
manual_cleanup_hook -- Path to the manual cleanup or post-authentication hook script.
Dictionary with 'result' True/False/None, 'comment' and certificate's expiry date ('not_after')
salt 'gitlab.example.com' acme.cert dev.example.com "[gitlab.example.com]" test_cert=True renew=14 webroot=/opt/gitlab/embedded/service/gitlab-rails/public
Return a list of active certificates
salt 'vhost.example.com' acme.certs
The expiry date of a certificate in ISO format
salt 'gitlab.example.com' acme.expires dev.example.com
Test if a certificate is in the Let's Encrypt Live directory
log.info('That is one nice certificate you have there!')
Return information about a certificate
name (str) -- Name of certificate
Dictionary with information about the certificate.
If neither the
tls nor the
x509 module can be used to determine
the certificate information, the information will be retrieved as one
big text block under the key
text using the openssl cli.
salt 'gitlab.example.com' acme.info dev.example.com
Check if a certificate needs renewal
name (str) -- Name of certificate
window (bool/str/int) -- Window in days to renew earlier or True/force to just return True
Whether or not the certificate needs to be renewed.
log.info('Your certificate is still good')