Cloudevelops The Official Cloudevelops Blog

Just another way to get Let's Encrypt certificate with puppet and hiera for Nginx

Let’s Encrypt is a new certificate authority (CA) offering free and automated SSL/TLS certificates. Certificates issued by Let’s Encrypt are trusted by most browsers in production. As Let’s Encrypt client does not yet officially support NGINX (nginx plugin is in beta) we will use webroot plugin for getting it’s certificates. This post show puppet snippets that ease process of getting them upto simple including puppet module and defining all needed parameters at puppet hiera.

Assume we have puppet wrapper module that adds some organization specific functionality to danzilio/puppet-letsencrypt module.

Call create_resources at init class of our wrapper module to create domains from $base_domains_list with specified parameters:

class letsencrypt_base (
  $base_domains_list   = undef,
  if $base_domains_list {
    create_resources('letsencrypt_base::domain', $base_domains_list, {require => Class['letsencrypt']})

Example of hiera parameters at base_domains_list in json:

"letsencrypt_base::email": "<email>",
  "letsencrypt_base::base_domains_list": {
    "<domain that will use Let's Encrypt certificates>": {
      "plugin": "webroot",
      "vhost_name": "<vhost_name>",
      "webroot_paths": "<path to webroot dir>"

Defined resource example:

define letsencrypt_base::domain (
  $base_domain          = $name,
  $webroot_paths        = '/var/www/letsencrypt',
  $plugin               = 'webroot',
  $additional_args      = undef,
  $manage_cron          = false,
  $letsencrypt_command  = $letsencrypt::command,
  $vhost_name           = $base_domain

# request letsencrypt for certificates (will be stored at :/etc/letsencrypt/live/<domain name>/)
  letsencrypt::certonly { $base_domain:
    domains         => [$base_domain],
    plugin          => $plugin,
    webroot_paths   => [$webroot_paths],
    require         => File[$webroot_paths],
    manage_cron     => $manage_cron,
    additional_args => $additional_args

# Location for our domain. needed for confirmation that you are owner of domain.
# The Let’s Encrypt client running on  host creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server makes an HTTP request to retrieve the file and validates the token, which serves to verify that the DNS record for your domain resolves to the server running the Let’s Encrypt client.
  nginx::resource::location { $base_domain:
    ensure     => present,
    www_root   => $webroot_paths,
    location   => '/.well-known/acme-challenge',
    vhost      => $vhost_name,
    auth_basic => 'off',
    require    => File[$webroot_paths],

#create folder that will be used by letsencrypt
  file { $webroot_paths:
    ensure => 'directory',
    owner  => 'www-data',
    group  => 'www-data',
    mode   => '0755',


Modules used:

Let’s Encrypt puppet module

Nginx puppet module that location defined resource use

Nginx article about Let’s Encrypt

Share this article: