Letsencrypt certonly does not seem to run in yaml

sheikhimmu · November 1, 2023, 11:05am

I am looking for some advice / help with an issue I am facing in yaml. But it is also puppet related.

I am using a control-repo for my puppet configuration. I am hosting a site of one of my puppet agent VM's. I can get letsencrypt::certonly to work in puppet i.e my letsencrypt.pp file. But, I would like the certonly configuration to be in my .yaml file for my agent VM. The issue is when I run puppet agent on my agent VM the code all runs without any errors. But my SSL certificate is not populated. This should appear in /etc/letsencrypt/live/. I also check if it exists by using a SSL checker online to see if it had been generated else where It had not. So, from what I can tell this code is not running. Like I said if I have this in my letsencrypt.pp file the SSL cert is generated and all works well.

So, I think I don't have the right code for letsencrypt::certonly for yaml. Any help to correct this for yaml would be really appreciated. My nodes yaml file looks like the following apart from a few redaction's.

---
classes:
   - roles::www

# UFW Rules
ufw::rules:
  'Allow HTTP':
    action: allow
    to_ports_app: 80
    proto: tcp
  'Allow HTTPS':
    action: allow
    to_ports_app: 443
    proto: tcp



# nginx rules
nginx::nginx_servers:
  'www.test.domain.com': 
    server_name: ['test.domain.com']
    ipv6_enable: true
    ssl: true
    http2: 'on'
    ipv6_listen_options: ''
    ssl_redirect: true
    ssl_cert: '/etc/letsencrypt/live/test.domain.com/cert.pem' 
    ssl_key: '/etc/letsencrypt/live/test.domain.com/privkey.pem' 
    www_root: '/www-data/www.test.domain.com/' 
    server_cfg_ssl_append:
    ssl_dhparam: '/usr/lib/python3/dist-packages/certbot/ssl-dhparams.pem'

# letsencryot certonly
letsencrypt::certonly:
    'test.domain.com':
      cert_name: 'test.domain.com'
      domains:
        - 'test.domain.com'
        - '*.test.domain.com'
      plugin: dns-cloudflare
      manage_cron: false
      require:
        classes:
          - profiles::nginx
    
# letsencrypt
letsencrypt::email: 'email@email.com'
letsencrypt::plugin::dns_cloudflare::email: 'email@email.com'

It is only the letsencrypt::certonly section of this file that does not seem to be correct / working.

I am using the puppet-letsencrypt module from the Puppet Forge, version 10.0.0, like so:

class profiles::letsencrypt {

  package { 'cron':
    ensure => installed,
  }

  class { 'letsencrypt':
    config  => {
      email  => 'email@email.com',
      server => 'https://acme-v02.api.letsencrypt.org/directory',
    },
    require => Package['cron'],
  }

  file { '/etc/letsencrypt/options-ssl-nginx.conf':
    ensure => file,
  }

  file { '/etc/letsencrypt/ssl-dhparams.pem':
    ensure => file,
  }
  include 'letsencrypt'
  include 'letsencrypt::plugin::dns_cloudflare'
}

Bruce5051 · November 1, 2023, 5:11pm

Hello @sheikhimmu, welcome to the Let's Encrypt community.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

webprofusion · November 2, 2023, 8:21am

Does your system have no log or do you not know where it is? You're going to need that to investigate what's happening (or not happening).