Forge Home


This module has been moved to voxpupuli/letsencrypt


8,206 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 999.999.999 (latest)
  • 1.0.0
  • 0.4.0
  • 0.3.2
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Dec 20th 2016
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 3.4.0
  • , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'danzilio-letsencrypt', '999.999.999'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add danzilio-letsencrypt
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install danzilio-letsencrypt --version 999.999.999

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



danzilio/letsencrypt — version 999.999.999 Dec 20th 2016


This module has been donated to Vox Pupuli and can be found at

Puppet Forge Build Status Documentation Status

This module installs the Let's Encrypt client from source and allows you to request certificates.


This module requires Puppet >= 3.4. and is currently only written to work on Debian and RedHat based operating systems, although it may work on others.


On EL (Red Hat, CentOS etc.) systems, the EPEL repository needs to be enabled for the Let's Encrypt client package.

The module can integrate with stahnma/epel to set up the repo by setting the configure_epel parameter to true (the default for RedHat) and installing the module.


To install the Let's Encrypt client with the default configuration settings you must provide your email address to register with the Let's Encrypt servers:

class { ::letsencrypt:
  email => '',

If using EL7 without EPEL-preconfigured, add configure_epel:

class { ::letsencrypt:
  configure_epel => true,
  email          => '',

(If you manage epel some other way, disable it with configure_epel => false.)

This will install the Let's Encrypt client and its dependencies, agree to the Terms of Service, initialize the client, and install a configuration file for the client.

Alternatively, you can specify your email address in the $config hash:

class { ::letsencrypt:
  config => {
    email  => '',
    server => '',

During testing, you probably want to direct to the staging server instead with server => ''

If you don't wish to provide your email address, you can set the unsafe_registration parameter to true (this is not recommended):

class { ::letsencrypt:
  unsafe_registration => true,

To request a certificate for using the certonly installer and the standalone authenticator:

letsencrypt::certonly { '': }

To request a certificate for and with the certonly installer and the apache authenticator:

letsencrypt::certonly { 'foo':
  domains => ['', ''],
  plugin  => 'apache',

To request a certificate using the webroot plugin, the paths to the webroots for all domains must be given through webroot_paths. If domains and webroot_paths are not the same length, the last webroot_paths element will be used for all subsequent domains.

letsencrypt::certonly { 'foo':
  domains       => ['', ''],
  plugin        => 'webroot',
  webroot_paths => ['/var/www/foo', '/var/www/bar'],

If you need to pass a command line flag to the letsencrypt-auto command that is not supported natively by this module, you can use the additional_args parameter to pass those arguments:

letsencrypt::certonly { 'foo':
  domains         => ['', ''],
  plugin          => 'apache',
  additional_args => ['--foo bar', '--baz quuz'],

To automatically renew a certificate, you can pass the manage_cron parameter. You can optionally add a shell command to be run on success using the cron_success_command parameter.

letsencrypt::certonly { 'foo':
  domains => ['', ''],
  manage_cron => true,
  cron_success_command => '/bin/systemctl reload nginx.service',


  1. Fork it
  2. Create a feature branch
  3. Write a failing test
  4. Write the code to make that test pass
  5. Refactor the code
  6. Submit a pull request

We politely request (demand) tests for all new features. Pull requests that contain new features without a test will not be considered. If you need help, just ask!