puppet-acme's People

Contributors

aba-rechsteiner, dennispohlmann, fraenki, lightning-, oxc, philipfreude, to-kn, wwkimball


puppet-acme's Issues

[ Feature Request ] --toPkcs

Hello,

Would it be possible to add the functionality of '--toPkcs' to acme::certificate params?
https://github.com/acmesh-official/acme.sh/wiki#3-how-to-get-pkcs12pfx-format

Use case: A puppet managed java-based application that utilizes SSL certs but in keystore format. So the acme.sh cert issued must be exported to pkcs12 manually or with openssl puppet module each cert lifecycle.

EDIT: I noticed this module supports posthooks. Is it possible to issue/renew a certificate to pkcs12 using a posthook_cmd?

Thanks,
Brian
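The posthook approach asked about above, as an added example that is not part of puppet-acme or acme.sh: a small shell script that turns the PEM private key and full chain acme.sh leaves behind into a PKCS#12 keystore, which a Java application can load directly as a keystore of type PKCS12. The input paths, the "acme" alias and the P12_PASS environment variable are assumptions of this script, not module parameters; the self-signed test material is constructed so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from puppet-acme or acme.sh: a posthook that converts
# acme.sh's PEM output into a PKCS#12 keystore for a Java application. The paths,
# the "acme" alias and the P12_PASS variable are this script's own assumptions.
set -eu

# export_pkcs12 KEY FULLCHAIN OUT PASSWORD
# Bundles the private key and the chain into OUT, owner-readable only, writing
# to a temp file first so a reader never sees a half-written keystore, and
# reads the result back with the password before declaring success.
export_pkcs12() {
    key=$1; chain=$2; out=$3; pass=$4
    [ -r "$key" ] && [ -r "$chain" ] || { echo "export_pkcs12: cannot read $key or $chain" >&2; return 1; }
    tmp="$out.tmp.$$"
    ( umask 077
      openssl pkcs12 -export -inkey "$key" -in "$chain" -name acme \
          -out "$tmp" -passout "pass:$pass" ) || { rm -f "$tmp"; return 1; }
    # A bundle that cannot be re-opened with the same password is useless to
    # the application, so verify it here rather than in the service log.
    openssl pkcs12 -in "$tmp" -passin "pass:$pass" -noout || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# make_test_material DIR: constructed sample input (a throwaway self-signed key
# and certificate) so the example runs offline; in real use the inputs are the
# files acme.sh wrote (e.g. /etc/acme.sh/keys/<domain>/private.key and
# /etc/acme.sh/certs/<domain>/fullchain.pem in this module's layout).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=app.example.test" \
        -keyout "$1/private.key" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Entry point when invoked as a hook with KEY FULLCHAIN OUT as arguments;
# P12_PASS must be present in the hook's environment (assumption).
if [ "$#" -eq 3 ]; then
    export_pkcs12 "$1" "$2" "$3" "${P12_PASS:?P12_PASS must be set}"
fi
```

Two practical caveats: the `-in` file may contain the whole chain, and `openssl pkcs12 -export` packs every certificate it finds there into the bundle, which is what a Java truststore-less application wants; and OpenSSL 3 changed the default PKCS#12 encryption algorithms, so if an older JDK refuses the bundle, add `-legacy` (OpenSSL 3 only) or set `-keypbe`/`-certpbe`/`-macalg` explicitly.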

Switching CA does not regenerate certs

I would have opened a discussion if they were enabled in this git repo. I am not sure if I simply do something wrong or if I found a bug.

For the development I created the certificates with the CA letsencrypt_test. This worked quite well, it just needed some Puppet runs and the certificate was correctly there. After that I switched to the CA letsencrypt, but the certificates were still from the test CA. I wasn't able to force a regeneration of the cert.
So I tried to delete the complete acme folder from the client, but after the Puppet run I got wrong certs again. I also tried to delete the folder on server and client, which led me to an unusable system (not exactly in this order, I played around a bit) as "suddenly" the private key doesn't match the cert any more.

Jan 10 02:25:09 aio001 nginx[932050]: nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/acme.sh/keys/.../private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Jan 10 02:25:09 aio001 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

Am I doing something wrong? Should this module be able to switch CAs? How can I start over? How do I force regeneration?

acme.sh now defaults to zerossl

New versions of acme.sh now default to zerossl which fails, especially if you've been using LetsEncrypt for a while.

It would be good to add configuration to the module to allow selecting the different CAs. Right now the only option is 'production' or 'staging', and that assumes an LE CA. However, acme.sh now has support for several different servers other than just LE.

See: https://github.com/acmesh-official/acme.sh/wiki/Server

I had to go force my default ca on my account configs to get around this after doing an upgrade!

[ Feature Request ] Allow the same certificate on multiple nodes

I am in the process of migrating a service from one node to another. As part of this, I set up the same certificates on the second node, both with the respective hostname as a SAN:

The puppet run completes on the second node, but on the puppet master it now errors out with:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Acme::Request[myservice.myhost.tld] is already declared; cannot redeclare (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/csr.pp, line: 192) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/csr.pp, line: 192, column: 5) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/certificate.pp, line: 59) on node puppetmaster.myhost.tld

The certificates are set up in hiera like this:

on node1 (which is also the puppetmaster, in case that matters):

acme::certificates:
  'myservice.myhost.tld node1.myhost.tld':
    use_profile: my_profile

on node2:

acme::certificates:
  'myservice.myhost.tld node2.myhost.tld':
    use_profile: my_profile

Perhaps the acme::request resources that are exported "to" the puppetmaster should be canonicalized with the hostname?

versioncmp failing

I'm trying to get this module setup (I'm on CentOS 8) and I keep getting the following error during runs on the puppetmaster:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/request/handler.pp, line: 188, column: 25) on node REDACTED

Looking at the line in question I'm trying to puzzle out where $openssl_version is supposed to come from as the stated dependencies don't seem to be creating the fact.

Current configuration:
puppetserver 6.12.0
puppet-agent: 6.16
OS: CentOS 8

declared dependencies:
puppetlabs-stdlib: 6.3.0
puppetlabs-concat: 6.2.0
puppetlabs-vcsrepo: 3.1.0
camptocamp-openssl: 1.14.0

Dns-01 issues

Getting issues when I run Puppet to get a Let's Encrypt SSL cert. Below are the errors. How do I fix this issue?

[Mon Sep 18 15:59:29 EDT 2017] you must specify a path to the nsupdate key file
[Mon Sep 18 15:59:29 EDT 2017] Error add txt for domain:_acme-challenge.[domain_Name]

Automatic Renews Failing

Synopsis

On the Puppet 5 Server, I've just noticed that every manifest run now fails when your module attempts to renew any certificate that isn't yet near expiration. When I manually execute the failing command, I notice that the result is non-fatal; rather, the user is politely informed when the next renewal time should be. However, because the acme.sh script returns a non-zero exit state -- 2 rather than 0 -- your exec resource mistakes the result for a fatal error.

Possible Fix

To the "renew-certificate-${domain}" exec at https://github.com/fraenki/puppet-acme/blob/master/manifests/request.pp#L272, simply add this additional line:

    returns        => [ 0, 2, ],

This line will permit the exec to report a success when the certificate renewal either has actually succeeded (0) or has been deferred to a later date (2).

Steps To Reproduce

This error can be reproduced by:

  1. Build a fresh Puppet 5 Server
  2. Build any other Puppet 5 client node that requests certificates via your module using the DNS-01 mechanism.
  3. Check back the next day (may occur sooner for you, but I happened to notice the issue the next day).
  4. Manually run puppet agent -tv on the Puppet 5 Server to observe the error.

Error Messages

Error: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/[email protected]/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]
Error: /Stage[main]/Acme::Request::Handler/Acme::Request[host.domain.tld]/Exec[renew-certificate-host.domain.tld]/returns: change from 'notrun' to ['0'] failed: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/[email protected]/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]

Actual Command Output

[Sun Feb 25 03:00:09 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sun Feb 25 03:00:10 UTC 2018] Domains not changed.
[Sun Feb 25 03:00:10 UTC 2018] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018
[Sun Feb 25 03:00:10 UTC 2018] Add '--force' to force to renew.

Actual Command Exit State

echo $?
2
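The same distinction the proposed `returns => [ 0, 2, ]` change makes inside the Puppet exec, as an added shell example that is not puppet-acme or acme.sh code: a wrapper that runs acme.sh and reports "not yet due" (exit status 2, the status the captured output and `echo $?` above show) as success while still failing on any other non-zero status. It is useful for cron jobs or any caller that only understands zero versus non-zero. The `stub_acme` function is constructed to stand in for the acme.sh executable so the example runs offline; `acme_renew` takes the real `/opt/acme.sh/acme.sh` path in the same position.

```shell
#!/bin/sh
# Added example, not puppet-acme or acme.sh code: run acme.sh and treat exit
# status 2 ("Skip, Next renewal time is ...") as success, so a caller that wants
# a binary succeeded/failed answer does not alarm on a deferred renewal.
set -u

# acme_renew ACME_SH ARGS...
# Runs ACME_SH with ARGS. Status 0 and 2 both return 0 and the last stdout
# line says which it was; anything else returns 1 and shows the original status.
acme_renew() {
    acme=$1; shift
    # "cmd && rc=0 || rc=$?" keeps the status even when the caller uses set -e.
    "$acme" "$@" && rc=0 || rc=$?
    case $rc in
        0) echo "renewed" ;;
        2) echo "not-due" ;;
        *) echo "failed (acme.sh exit $rc)"; return 1 ;;
    esac
}

# stub_acme: constructed stand-in for the acme.sh executable. It prints what
# acme.sh prints when a certificate is not yet due and returns $STUB_RC, so the
# three outcomes can be exercised without a CA or a real acme.sh install.
stub_acme() {
    echo "[stub] Domains not changed."
    echo "[stub] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018"
    echo "[stub] Add '--force' to force to renew."
    return "${STUB_RC:-0}"
}

# Real use (paths and hook are placeholders taken from the error above):
#   acme_renew /opt/acme.sh/acme.sh --issue --domain host.domain.tld --dns dns_gd --days 30
```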

Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef

Hello,

I'm getting the following error message:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef (file: /etc/puppetlabs/code/environments/puppet7/modules/acme/manifests/request/handler.pp, line: 185, column: 18

The line:

$old_openssl = versioncmp($facts['openssl_version'], '1.1.0') < 0

Debug mode:

Debug: Facter: Executing command: /usr/bin/openssl version 2>&1
Debug: Facter: value for openssl_version is still nil

# /usr/bin/openssl version 2>&1
OpenSSL 1.1.1k  FIPS 25 Mar 2021

├─┬ fraenki-acme (v4.0.0)
│ ├── puppetlabs-stdlib (v8.5.0)
│ ├── puppetlabs-concat (v7.3.0)
│ ├── puppetlabs-vcsrepo (v5.4.0)
│ ├── puppetlabs-augeas_core (v1.2.0)
│ └── puppet-openssl (v2.0.1)

Puppet server - 7.11.0
Puppet agent - 7.24.0
RHEL 8 based OS.

I've already reviewed #27, but not seeing a clear solution.

Thank you.
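Both this report and "versioncmp failing" above come down to `$facts['openssl_version']` being undef when handler.pp compares it with '1.1.0'. As an added example, not code from puppet-acme or puppet-openssl, the following script extracts a version token from the `openssl version` banner (including the `OpenSSL 1.1.1k  FIPS 25 Mar 2021` line quoted above), compares it with 1.1.0 the way the manifest does, and can emit the fact in the `key=value` form Facter accepts from an executable placed under `/etc/facter/facts.d/`. Using it as an external fact is an assumption about your setup, not something the module documents.

```shell
#!/bin/sh
# Added example, not part of puppet-acme or puppet-openssl: parse the
# `openssl version` banner, compare against 1.1.0 (the threshold handler.pp
# feeds to versioncmp), and optionally emit openssl_version as an external fact.
set -u

# openssl_version_from_banner BANNER
# "OpenSSL 1.1.1k  FIPS 25 Mar 2021" -> "1.1.1k", "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2".
# Prints nothing and returns 1 for a banner it does not recognise (LibreSSL
# numbers its releases differently, so it is deliberately not accepted here).
openssl_version_from_banner() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[Oo]pen[Ss][Ss][Ll][[:space:]]*\([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# version_lt A B: true when dotted version A is numerically lower than B.
# A trailing letter suffix (1.0.2k) is ignored; missing components count as 0.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# old_openssl BANNER: the shell equivalent of handler.pp's $old_openssl.
# Returns 0 (older than 1.1.0), 1 (1.1.0 or newer) or 2 (banner not parsable,
# the case that surfaces in Puppet as "expects a String value, got Undef").
old_openssl() {
    v=$(openssl_version_from_banner "$1") || return 2
    version_lt "$v" 1.1.0
}

# emit_openssl_fact: print "openssl_version=<v>" for Facter. Prints nothing when
# openssl is absent or the banner is unrecognised, so the fact stays undef
# rather than carrying a wrong value.
emit_openssl_fact() {
    command -v openssl >/dev/null 2>&1 || return 0
    v=$(openssl_version_from_banner "$(openssl version 2>/dev/null)") || return 0
    printf 'openssl_version=%s\n' "$v"
}

emit_openssl_fact
```

Installed as `/etc/facter/facts.d/openssl_version.sh` (executable), the last line makes `facter openssl_version` return the parsed value; if it prints nothing on a given host, that host's banner is the thing to look at before touching the manifest.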

Error for new certificates after upgrade to 2.1.0

After upgrading to version 2.1.0 and issuing a new certificate I get an error on my puppet master.

Error: Could not retrieve catalog from remote server: 
Error 500 on SERVER: Server Error: 
Could not find resource 'File[/etc/acme.sh/configs/gitlab.example.com/params.dh]' in parameter 'require' 
(file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/deploy/crt.pp, line: 99) on node puppet.example.com

Not sure why this is happening..

After downgrading to 2.0.0 the error is gone.

Configurable exec timeout and dnssleep

First of all, thank you for this opportunity for central certificate management with puppet.

I use this module with ISPConfig dns plugin.
For issuing certificates, I noticed two problems with puppet-acme:

Configurable timeout for EXEC "issue-certificate-${domain}"
Publishing the dns record via ISPConfig and from there to an external slave DNS provider takes time.
The default timeout of 300 is not always enough.

Param dnssleep should be optional
If not provided or set to e.g. false/-1, do not prepend --dnssleep to the command. This way acme.sh can recheck the dns entry periodically and finish after success, or will be terminated when the EXEC timeout is exceeded.

At the moment I run the issuing command by hand on the puppet master. The last certificate took about 7 minutes to be issued. Too much for default exec runtime.

usage with standalone setup

Hi,

Is it possible to use this module without a puppet server (running 'puppet apply' for example)?

Thanks for your help

NSUPDATE_SERVER - Resource type not found

Hello,

I'm getting the following error message with below code and would appreciate your assistance.

Thank you.

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Resource type not found: NSUPDATE_SERVER (file: /etc/puppetlabs/code/environments/puppet/site-modules/profiles/manifests/puppetboard.pp, line: 31, column: 13) on node puppet

    class { 'acme':
      accounts => ['[email protected]'],
      profiles => {
        nsupdate_example => {
          challengetype => 'dns-01',
          hook          => 'nsupdate',
          env           => {
            NSUPDATE_SERVER => 'dns.example.com'
          },
          options       => {
            dnssleep      => 5,
            nsupdate_id   => 'acme-update',
            nsupdate_type => 'hmac-sha512',
            nsupdate_key  => '`123456',
          }
        }
      }
    }
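In the manifest above, `NSUPDATE_SERVER` is an unquoted capitalised bareword, which the Puppet parser reads as a resource type reference; that is what the "Resource type not found" error is about, and quoting the key (`'NSUPDATE_SERVER' => 'dns.example.com'`) is the fix at the manifest level. The other failure mode in this thread, "you must specify a path to the nsupdate key file" in the "Dns-01 issues" report, is acme.sh's dns_nsupdate hook finding no `NSUPDATE_KEY` in its environment. The script below is an added example, not puppet-acme or acme.sh code: it checks the environment the hook reads before an issue run starts, and it refuses a group- or world-readable TSIG key file, which is this script's own policy rather than anything acme.sh enforces. The key file it writes is constructed for the example and holds no working secret.

```shell
#!/bin/sh
# Added example, not puppet-acme or acme.sh code: preflight the environment
# that acme.sh's dns_nsupdate hook reads (NSUPDATE_SERVER, and NSUPDATE_KEY as
# the path to a BIND/TSIG key file) before starting an issue run.
set -u

# check_nsupdate_env: prints one problem per line, returns 0 only if none.
check_nsupdate_env() {
    ok=0
    if [ -z "${NSUPDATE_SERVER:-}" ]; then
        echo "NSUPDATE_SERVER is not set"; ok=1
    fi
    if [ -z "${NSUPDATE_KEY:-}" ]; then
        echo "NSUPDATE_KEY is not set (path to the TSIG key file)"; ok=1
    elif [ ! -f "$NSUPDATE_KEY" ] || [ ! -r "$NSUPDATE_KEY" ]; then
        echo "NSUPDATE_KEY=$NSUPDATE_KEY is not a readable file"; ok=1
    else
        # The key is a shared secret that can rewrite DNS records: insist on
        # owner-only access. POSIX find: -perm -040 = group-readable bit set,
        # -perm -004 = world-readable bit set.
        if [ -n "$(find "$NSUPDATE_KEY" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "NSUPDATE_KEY=$NSUPDATE_KEY is readable by group or others (chmod 600 it)"; ok=1
        fi
        # Minimal sanity check that it is a key file and not, say, a zone file.
        if ! grep -q 'secret' "$NSUPDATE_KEY"; then
            echo "NSUPDATE_KEY=$NSUPDATE_KEY has no 'secret' statement"; ok=1
        fi
    fi
    return $ok
}

# write_constructed_key FILE: a sample key file in the format `nsupdate -k`
# reads; the secret is made up for this example and is not a working key.
write_constructed_key() {
    cat >"$1" <<'EOF'
key "acme-update" {
    algorithm hmac-sha512;
    secret "bm90LWEtcmVhbC1rZXktanVzdC1hbi1leGFtcGxl";
};
EOF
    chmod 600 "$1"
}

# Typical use (server, path and domain are placeholders):
#   NSUPDATE_SERVER=dns.example.com NSUPDATE_KEY=/etc/acme.sh/nsupdate.key \
#   check_nsupdate_env && /opt/acme.sh/acme.sh --issue --dns dns_nsupdate -d host.example.com
```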

1.0.3 breaks puppet 5 support

When updating to 1.0.3 on puppet 5.5, I get the following error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown function: 'get'. (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/request/crt.pp, line: 24, column: 33) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/init.pp, line: 106) on node mynode

I believe this is caused by changeset 59144d6, which introduces usage of the $facts.get() function, which is not available before Puppet 6.0.

It would probably be better to use the fact() function from stdlib. Since the fact names don't use dot navigation, a simple $facts["..."] lookup might do as well.

"key values mismatch" when rebuilding nodes

Building a fresh node with your module using the DNS-01 mechanism with GoDaddy works mostly well. However, if we destroy a node that had already received its certificate, chain, and key files, we are unable to rebuild that node because we end up with a mismatched certificate/key pair. In my own testing, I was only able to rebuild an affected node by fully destroying both the affected node and the Puppet Server itself, then rebuilding them both! This is obviously not an ideal workaround.

Steps to reproduce:

  1. Build up a fresh Open-Source Puppet 5 Server with your module properly configured.
  2. Attach and build an Apache HTTPd node that also uses your module and requests a Let's Encrypt certificate via the DNS-01 mechanism for an SSL-enabled vhost.
  3. Note that after about 15 minutes and a few Puppet Agent runs on both the Puppet Server and the Apache HTTPd node, it works. [Aside: Please call this out in your README file; that it takes at least 15 minutes and a minimum of 3 sequential Puppet Agent runs on the Puppet Server itself to actually obtain a signed certificate. So, if an unattended Puppet Server runs its Agent only once per hour, it will take over 3 hours to obtain a signed certificate!]
  4. Destroy the Apache HTTPd node. We do this deliberately to simulate disaster and other dynamic cloud scaling scenarios.
  5. Rebuild the Apache HTTPd node.
  6. Encounter the intractable error, "key values mismatch" even after the 15 minute minimum delay and any number of Puppet Agent runs on the Puppet Server and Apache HTTPd node.

There is no readily-identifiable way to resolve this error. I manually compared the private key and certificate files on the affected node and indeed, they are mismatched. I tried destroying the old certificate files from /etc/acme.sh/* directories on the Puppet Server for the affected node and repeating the request sequence in hope that your module would re-request fresh copies of the files from GoDaddy, but this had no effect; in fact, the certificate files are never recreated on the Puppet Server. This leaves me to suspect that you're caching the certificates in PuppetDB, which is cool except this needs to be clear in your documentation along with a direct means of flushing affected resources.

Please advise.
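This report and "Switching CA does not regenerate certs" above both end in the same symptom: a private key and a certificate that no longer belong together, discovered only when nginx or httpd refuses to start. The script below is an added example, not puppet-acme code, for checking that before a service reload and for seeing which CA issued a certificate (a staging issuer is the tell-tale after a CA switch). The directory layout follows the paths quoted in these reports (`/etc/acme.sh/keys/<domain>/private.key` and `/etc/acme.sh/certs/<domain>/cert.pem`) but is passed in as a parameter, not taken as a fact about the module; the self-signed pairs are constructed so the example runs offline.

```shell
#!/bin/sh
# Added example, not puppet-acme code: detect a key/certificate mismatch from
# the shell, and show the issuer, before a web server fails on it.
set -u

# key_matches_cert KEY CERT
# Returns 0 if CERT carries the public key of KEY, 1 if it does not (the
# "key values mismatch" case), 2 if either file cannot be parsed.
# Both sides are rendered as PEM SubjectPublicKeyInfo by the same OpenSSL, so a
# plain string comparison is exact and works for RSA and EC keys alike. For a
# fullchain.pem, x509 reads the first certificate, which is the leaf.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_issuer CERT: print the issuer DN, which is where a certificate from a
# test/staging CA shows up after the configured CA has been switched.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# check_domain ROOT DOMAIN: apply both checks to one domain in the layout above.
check_domain() {
    key="$1/keys/$2/private.key"; crt="$1/certs/$2/cert.pem"
    if key_matches_cert "$key" "$crt"; then
        echo "$2: key and certificate match; $(cert_issuer "$crt")"
    else
        echo "$2: MISMATCH or unreadable ($key vs $crt)"; return 1
    fi
}

# make_pair DIR NAME: constructed sample input (a throwaway self-signed key and
# certificate) so the example runs offline.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Real use: check_domain /etc/acme.sh www.example.com && systemctl reload nginx
```

Two points worth pairing with this check. First, the output captured in "Automatic Renews Failing" shows acme.sh's own rule: a certificate that is not yet due is skipped unless `--force` is given, so deleting files alone does not make it reissue. Second, once a mismatch is found, the question is which side is stale; the issuer line tells you whether the certificate is the one you expect from the CA you now have configured.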

[ Feature Request ] Usage without email

letsencrypt/certbot allows usage without an email address, but this Puppet module has a hard requirement on accounts/email addresses. It would be awesome to allow the usage of this module without providing an email address.

Set timeout for Exec dynamically

When using DNS-01 and a high value for dnssleep the exec may terminate due to a timeout:

Error: /Stage[main]/Acme::Request::Handler/Acme::Request[foobar.example.com]/Exec[issue-certificate-foobar.example.com]/returns: change from 'notrun' to ['0'] failed: Command exceeded timeout

Maybe we should set the exec timeout dynamically, depending on the value of dnssleep.

Cert directory not created on master

I am getting this error on the first issue of a certificate:

Notice: /Stage[main]/Acme::Request::Handler/Acme::Request[www.example.com]/Exec[issue-certificate-www.example.com]/returns: /opt/acme.sh/acme.sh: 4678: /opt/acme.sh/acme.sh: cannot create /etc/acme.sh/certs/www.example.com/cert.pem: Directory nonexistent

I need to manually create the directory /etc/acme.sh/certs/www.example.com to make it work.

Add FreeBSD support

  • set search path for all Execs, remove full paths from all commands
  • use BSD-compatible date and stat syntax
  • small tweaks here and there (bashism, etc.)

multiple problems: params.dh, private.key, duplicate fullchain_with_key.pem.

Hello,

puppet6.example.com - puppet (ACME) master
reflect.example.com - puppet client

After our initial installation, we got the following error message on the master:

puppet6.example.com puppet-agent[13881]: Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find resource 'File[/etc/acme.sh/configs/reflect.example.com/params.dh]' in parameter 'require' (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 97) on node puppet6.example.com

puppet6.example.com puppet-agent[13881]: (/Stage[main]/Acme/Acme::Request::Crt[reflect.example.com]/Acme::Deploy::Crt[reflect.example.com]/Concat[/etc/acme.sh/keys/reflect.example.com/fullchain_with_key.pem]/Concat_file[/etc/acme.sh/keys/reflect.example.com/fullchain_with_key.pem]) Failed to generate additional resources using 'eval_generate': Could not retrieve source(s) /etc/acme.sh/keys/reflect.example.com/private.key

params.dh, as far as I understand, should only be on the node itself (not on the master). The same goes for private.key. With the way the source code is written right now, Puppet is expecting both files to be on both master and node, and is looking for /etc/acme.sh/keys/reflect.example.com/private.key, which of course doesn't exist on the master.

I added the following lines in deploy/crt.pp, which fixed that problem.

if $::hostname == 'puppet6' {
  $dh = "${cfg_dir}/puppet6.example.com/params.dh"
  $key = "${key_dir}/puppet6.example.com/private.key"
  $crt_full_chain_with_key = "${key_dir}/puppet.example.com/fullchain_with_key.pem"
} else {
  $dh = "${cfg_dir}/${domain}/params.dh"
  $key = "${key_dir}/${domain}/private.key"
  $crt_full_chain_with_key = "${key_dir}/${domain}/fullchain_with_key.pem"
}

At this point I am experiencing the following issue:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Concat[/etc/acme.sh/keys/puppet.example.com/fullchain_with_key.pem] is already declared at (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78); cannot redeclare (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78) (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78, column: 3) (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/request/crt.pp, line: 32) on node puppet6.example.com

I have tried a couple of things, but none of them work 100% as often times fullchain_with_key.pem doesn't get distributed at all.

I would really appreciate your help on this matter.

Thank you!

Duplicate declaration: Package[git] with ensure_packages

Using ensure_packages('git') for the puppetmaster setup creates a duplicate declaration error when the package 'git' is included in another module with something other than ensure_packages('git') or ensure => present.

A good explanation can be found in this issue for another module:
willdurand/puppet-composer#44

I propose changing the

ensure_packages('git')

to a

if !defined(Package['git']) {
  ensure_packages('git')
}

which will solve the issue.

[ Feature Request ] HTTP-01 challenge support

Hi, you've said that HTTP-01 challenge is untested, but I'd like to use it anyway.

The following hiera config warns me that my profile is incomplete and that it is missing either "challengetype" or "hook":

acme::acme_revision: 'master'
acme::acme_host: 'server.domain.com'
acme::accounts: [ '[email protected]' ]

acme::default_ca: 'letsencrypt_test'
acme::ca_whitelist:
  - 'letsencrypt_test'

acme::profiles:
  'http_config':
    challengetype: 'http-01'

acme::certificates:
  'sub.domain.com':
    use_profile: 'http_config'
    use_account: '[email protected]'
    ca: 'letsencrypt_test'

Will it be enough to adjust basic profiles validation section in handler.pp manifest?

Regards,
Mario
