CDIST-TYPE__LETSENCRYPT_CERT(7) cdist CDIST-TYPE__LETSENCRYPT_CERT(7)

cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt

Automatically obtain a Let's Encrypt SSL certificate using Certbot.

This type attempts to setup automatic renewals always. In many Linux distributions, that is the case out of the box, see: https://certbot.eff.org/docs/using.html#automated-renewals

For Alpine Linux and Arch Linux, we setup a system-wide cronjob that attempts to renew certificates daily.

If you are using FreeBSD, we configure periodic(8) as recommended by the port mantainer, so there will be a weekly attempt at renewal.

If your OS is not mentioned here or on Certbot's docs as having support for automated renewals, please make sure you check your OS and possibly patch this type so the system-wide cronjob is installed.

A cert name. If domain parameter is not specified then it is used as a domain to be included in the certificate.
Where to send Let's Encrypt emails like "certificate needs renewal".

'present' or 'absent', defaults to 'present' where:
if the certificate does not exist, it will be obtained
the certificate will be removed

The path to your webroot, as set up in your webserver config. If this parameter is not present, Certbot will be run in standalone mode.

Domains to be included in the certificate. When specified then object id is not used as a domain.
Command to be executed only when the certificate associated with this $__object_id is issued or renewed. You can specify it multiple times, but any failure will prevent further commands from being executed.

For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, /etc/letsencrypt/live/${__object_id}) containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, example.com www.example.com)

Command to be run in a shell before obtaining any certificates. You can specify it multiple times, but any failure will prevent further commands from being executed.

Note these run regardless of which certificate is attempted, you may want to manage these system-wide hooks with __file in /etc/letsencrypt/renewal-hooks/pre/.

Intended primarily for renewal, where it can be used to temporarily shut down a webserver that might conflict with the standalone plugin. This will only be called if a certificate is actually to be obtained/renewed.

Command to be run in a shell after attempting to obtain/renew certificates. You can specify it multiple times, but any failure will prevent further commands from being executed.

Note these run regardless of which certificate was attempted, you may want to manage these system-wide hooks with __file in /etc/letsencrypt/renewal-hooks/post/.

Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate.


Obtain a test certificate from a staging server.

Certificate was changed.
Certificate was created.
Certificate was removed.

# use object id as domain
__letsencrypt_cert example.com \
    --admin-email root@example.com \
    --deploy-hook "service nginx reload" \
    --webroot /data/letsencrypt/root



# domain parameter is specified so object id is not used as domain
# and example.com needs to be included again with domain parameter
__letsencrypt_cert example.com \
    --admin-email root@example.com \
    --domain example.com \
    --domain foo.example.com \
    --domain bar.example.com \
    --deploy-hook "service nginx reload" \
    --webroot /data/letsencrypt/root



Nico Schottelius <nico-cdist--@--schottelius.org>
Kamila Součková <kamila--@--ksp.sk>
Darko Poljak <darko.poljak--@--gmail.com>
Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
Evilham <contact@evilham.com>

Copyright (C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and Ľubomír Kučera. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

ungleich GmbH 2021

September 26, 2023 7.0.0