Saltstack formula for letsencrypt service
Switch branches/tags
Nothing to show
Clone or download
Pull request Compare This branch is 76 commits ahead, 2 commits behind martinhoefling:master.
javierbertoli Merge pull request #56 from dmaphy/master
Re-add execution of letsencrypt.post_renew.cmds
Latest commit 96101bc Dec 2, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
letsencrypt Re-add execution of letsencrypt.post_renew.cmds Dec 2, 2018
test/integration Merge branch 'master' into master Oct 27, 2018
.gitignore Merge branch 'master' into master Oct 22, 2018
.kitchen.yml Merge branch 'master' into master Oct 27, 2018
.travis.yml solves issue #34 Oct 27, 2018
Gemfile solves issue #34 Oct 27, 2018
LICENSE Initial commit Nov 21, 2015
README.rst solves issue #34 Oct 27, 2018
pillar.example solves issue #34 Oct 27, 2018



Creates certificates and manages renewal using the letsencrypt service.

Available states


This is a shortcut for letsencrypt.install letsencrypt.config and

If use_package is True (the default), the formula will try to install the certbot package from your Distro's repo. Keep in mind that most distros don't have a package available by default: Ie, current Debian (Stretch) requires a backports repo installed. Centos 7 requires EPEL, etc. This formula DOES NOT manage these repositories. Use the apt-formula or the `epel-formula <`_ to manage them.

If use_package is False it installs and configures the letsencrypt cli from git, creates the requested certificates and installs renewal cron job.

** WARNING ** If you set use_package to True, it will:

  • Default to Python3's certbot package (where possible), with Apache as the default Webserver to manage.
  • Delete all certbot's crons if they exist from a previous git-based installation (as the package uses a systemd's timer unit to renew all the certs)
  • Delete git-based installation's scripts (usually installed under /usr/local/bin) if they still exist declared in letsencrypt's pillar.
  • As a safety meassure, if there's an /opt/letsencrypt directory from a git-based installation, it will be left untouched, but unused.

To check dependencies to use the package for your distro, check


Only installs the letsencrypt client (see above).


Manages /etc/letsencrypt/cli.ini config file.

Creates a certificate with the domains in each domain set (letsencrypt:domainsets in pillar). Letsencrypt uses a relatively short validity of 90 days. Therefore, a cron job for automatic renewal every 60 days is installed for each domain set as well.