salt.modules.acme module¶

ACME / Let's Encrypt module¶

This module currently uses letsencrypt-auto, which needs to be available in the path or in /opt/letsencrypt/.

Note

Currently only the webroot authentication is tested/implemented.

Note

Installation & configuration of the Let's Encrypt client can for example be done using https://github.com/saltstack-formulas/letsencrypt-formula

Warning

Be sure to set at least accept-tos = True in cli.ini!

Most parameters will fall back to cli.ini defaults if None is given.

salt.modules.acme.cert(name, aliases=None, email=None, webroot=None, test_cert=False, renew=None, keysize=None, server=None, owner='root', group='root')¶

Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.

Parameters:

Parameters:	name -- Common Name of the certificate (DNS name of certificate) aliases -- subjectAltNames (Additional DNS names on certificate) email -- e-mail address for interaction with ACME provider webroot -- True or full path to webroot used for authentication test_cert -- Request a certificate from the Happy Hacker Fake CA (mutually exclusive with 'server') renew -- True/'force' to force a renewal, or a window of renewal before expiry in days keysize -- RSA key bits server -- API endpoint to talk to owner -- owner of private key group -- group of private key
Returns:	dict with 'result' True/False/None, 'comment' and certificate's expiry date ('not_after')

name -- Common Name of the certificate (DNS name of certificate)
aliases -- subjectAltNames (Additional DNS names on certificate)
email -- e-mail address for interaction with ACME provider
webroot -- True or full path to webroot used for authentication
test_cert -- Request a certificate from the Happy Hacker Fake CA (mutually exclusive with 'server')
renew -- True/'force' to force a renewal, or a window of renewal before expiry in days
keysize -- RSA key bits
server -- API endpoint to talk to
owner -- owner of private key
group -- group of private key

Returns:

dict with 'result' True/False/None, 'comment' and certificate's expiry date ('not_after')

CLI example:

salt 'gitlab.example.com' acme.cert dev.example.com "[gitlab.example.com]" test_cert=True renew=14 webroot=/opt/gitlab/embedded/service/gitlab-rails/public

salt.modules.acme.certs()¶

Return a list of active certificates

CLI example:

salt 'vhost.example.com' acme.certs

salt.modules.acme.expires(name)¶

The expiry date of a certificate in ISO format

Parameters:	name -- CommonName of cert

CLI example:

salt 'gitlab.example.com' acme.expires dev.example.com

salt.modules.acme.has(name)¶

Test if a certificate is in the Let's Encrypt Live directory

Parameters:	name -- CommonName of cert

Code example:

if __salt__['acme.has']('dev.example.com'):
    log.info('That is one nice certificate you have there!')

salt.modules.acme.info(name)¶

Return information about a certificate

Note

Will output tls.cert_info if that's available, or OpenSSL text if not

Parameters:	name -- CommonName of cert

CLI example:

salt 'gitlab.example.com' acme.info dev.example.com

salt.modules.acme.needs_renewal(name, window=None)¶

Check if a certicate needs renewal

Parameters:	name -- CommonName of cert window -- Window in days to renew earlier or True/force to just return True

Code example:

if __salt__['acme.needs_renewal']('dev.example.com'):
    __salt__['acme.cert']('dev.example.com', **kwargs)
else:
    log.info('Your certificate is still good')

salt.modules.acme.renew_by(name, window=None)¶

Date in ISO format when a certificate should first be renewed

Parameters:	name -- CommonName of cert window -- number of days before expiry when renewal should take place