<!--
Thank you for contributing to this project!
-->
On FreeBSD and OpenBSD gid 0 is 'wheel', not 'root' and it will fail.
Using gid 0 corrects this simply.
I didn't find an issue for this, but the PR #231 is similar.
Some Operating Systems (a current OpenBSD release) don't have group 'root' - this PR allows setting the group to something else.
Default of group:root has not changed
N/A
Allow specifying which key type to generate. Certbot changed it's default from rsa to elliptic curve, but I kept the default to rsa for backwards compatibility.
<!--
Thank you for contributing to this project!
-->
I added support to configure environments for the letsencrypt renew cron job. This way it possible to add for example an email address to send the output from the cronjob.
<!--
Thank you for contributing to this project!
-->
Add dns-ovh support based on dns_rfc2136 implementation
I added automatic installation of the ...-certbot-nginx-...
package when 'plugin' => 'nginx'
is given to define letsencrypt::certonly
. And i provided an example in Readme.
On Centos for example, when a Nginx web server is running, simply asking Certbot to create or renew certificates is not enough. It requires an additional package or plugin,
Fixes #63.
We rename the environment
to venv_vars
in order to ensure that hiera calls do not break, as soon as a puppet execution flow enters our module. For consistency's sake, we change environment
not only in the main class (where it's definitely needed: rodjek/puppet-lint#574), but also in the certonly
define.
This also adds support for naming services to restart with systemd instead of long-handing it all.
It also adds support for managing firewalls using firewalld for systems that are not meant to be http/https accessible at all times.
These three are essentially the same support and it is difficult to break it up
Again, I would love help knowing quite how to create the CI acceptances for this.
Change the random seed per hour for letsencrypt::certonly
cronjob resource.
Fixes #47
This PR aims at removing the system cron or systemd timer when the renew cron is managed by puppet (this doesn't handle certonly cron). If we don't do that on certains distro (for exemple Debian), a cron will be automaticaly added by the package and might renew the certificate before the puppet cron, and thus the puppet renew hooks won't be executed.
Fixes #164
<!--
Thank you for contributing to this project!
-->
Use the first domain for $cert_name
instead of the $title
.
This doesn't change anything if $domains
is undefined
, or if the $title
is already the same as the first argument of the list passed to $domains
.
certbot CLI by default will use the first domain as the cert-name and path to store the certificate files.
This puppet module should do the same.
(I separated this PR from #219 to allow merging separately, as this could potentially breaks things as it did when the --cert-name $title
was introduced in 8f8e4f98)
I needed one more change to make this running in my environment.
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, deprecation. merge. This function is deprecated, please use stdlib::merge instead. at ["/etc/puppetlabs/code/environments/production/forge/letsencrypt/manifests/config.pp", 27]
We still need to fix the CI tests.
<!--
Thank you for contributing to this project!
-->
Adding feature support for the certbot-plugin-gandi created by @obynio
The plugin use the Production API key.
<!--
Replace this comment with the list of issues or n/a.
Use format:
Fixes #123
Fixes #124
-->
N/A
This PR add an option for adding environment to the global renew cron, this is useful for example with the nginx certbot plugin which somehow can't find nginx if the PATH in the cron doesn't include /usr/sbin.
This PR is similar to #189 which doesn't seem really active.
Fixes: #250 (well kind of, it doesn't directly fix this, but it allows to add the PATH in the cron which will fix the problem).
My apologies on missing this. In testing https://github.com/voxpupuli/puppet-letsencrypt/pull/254 I had manually enable the python36 module stream at some point before hand, but after running on a fresh install I realized certbot requires this module stream to be enabled per:
Error: Execution of '/bin/dnf -d 0 -e 1 -y install certbot' returned 1: Error:
Problem: package certbot-1.20.0-1.el8.noarch requires python3-certbot = 1.20.0-1.el8, but none of the providers can be installed
- package python3-certbot-1.20.0-1.el8.noarch requires /usr/bin/python3.6, but none of the providers can be installed
- conflicting requests
- package python36-3.6.8-2.module_el8.3.0+6191+6b4b10ec.x86_64 is filtered out by modular filtering
Error: /Stage[main]/Letsencrypt::Install/Package[letsencrypt]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/dnf -d 0 -e 1 -y install certbot' returned 1: Error:
Problem: package certbot-1.20.0-1.el8.noarch requires python3-certbot = 1.20.0-1.el8, but none of the providers can be installed
- package python3-certbot-1.20.0-1.el8.noarch requires /usr/bin/python3.6, but none of the providers can be installed
- conflicting requests
- package python36-3.6.8-2.module_el8.3.0+6191+6b4b10ec.x86_64 is filtered out by modular filtering
Fixes #236
modulesync 5.4.0
Add dns-azure to list of allowed plugins.
This is one of the 3rd party plugins listed at https://eff-certbot.readthedocs.io/en/stable/using.html#third-party-plugins
I'm currently using this module on my branch on a RHEL 9 host, but the only caveat is the fastest way I found to get the plugin working was via the snap package:
```puppet
include snap
package { 'certbot':
ensure => installed,
provider => 'snap',
install_options => ['classic'],
}
file { '/usr/bin/certbot':
ensure => link,
source => '/snap/bin/certbot',
require => Package['certbot'],
}
package { 'certbot-dns-azure':
ensure => installed,
provider => 'snap',
install_options => ['channel=edge'],
require => Package['certbot'],
}
```
And also had to run snap set certbot trust-plugin-with-root=ok
before the last package resource, but didn't take the time yet to examine what changed on disk in order to create an exec resource to do that.
<!--
Thank you for contributing to this project!
-->
This PR makes sure that only single certificate can be processed at the same time. Make sure to obtain exclusive lock before executing renewal command.
flock
command is used to obtain exclusive lock (with 30 seconds timeout).
Resolve errors like this, when randomized cron job time is not enough:
Another instance of Certbot is already running.