acme.Certificate
Create Certificate Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
@overload
def Certificate(resource_name: str,
args: CertificateArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Certificate(resource_name: str,
opts: Optional[ResourceOptions] = None,
account_key_pem: Optional[str] = None,
cert_timeout: Optional[int] = None,
certificate_p12_password: Optional[str] = None,
certificate_request_pem: Optional[str] = None,
common_name: Optional[str] = None,
disable_complete_propagation: Optional[bool] = None,
dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
http_challenge: Optional[CertificateHttpChallengeArgs] = None,
http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
key_type: Optional[str] = None,
min_days_remaining: Optional[int] = None,
must_staple: Optional[bool] = None,
pre_check_delay: Optional[int] = None,
preferred_chain: Optional[str] = None,
profile: Optional[str] = None,
recursive_nameservers: Optional[Sequence[str]] = None,
renewal_info_ignore_retry_after: Optional[bool] = None,
renewal_info_max_sleep: Optional[int] = None,
revoke_certificate_on_destroy: Optional[bool] = None,
revoke_certificate_reason: Optional[str] = None,
subject_alternative_names: Optional[Sequence[str]] = None,
tls_challenge: Optional[CertificateTlsChallengeArgs] = None,
use_renewal_info: Optional[bool] = None)
func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: acme:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertificateArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every value below is a placeholder, not a working configuration.
var certificateResource = new Acme.Certificate("certificateResource", new()
{
    // Private key of the account requesting the certificate; forces replacement when changed.
    // Supply it from a secret configuration value rather than a plain literal in source.
    AccountKeyPem = "string",
    // Seconds allowed for the certificate request once all challenges are complete (default 30).
    CertTimeout = 0,
    // Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
    CertificateP12Password = "string",
    // Pre-created CSR in PEM form. Per the property docs it conflicts with CommonName and
    // SubjectAlternativeNames; a real deployment sets one or the other, not all three as shown here.
    CertificateRequestPem = "string",
    CommonName = "string",
    // Skips waiting for full propagation of the TXT challenge records (default false).
    DisableCompletePropagation = false,
    DnsChallenges = new[]
    {
        new Acme.Inputs.CertificateDnsChallengeArgs
        {
            Provider = "string",
            Config =
            {
                { "string", "string" },
            },
        },
    },
    // Only one of HttpChallenge, HttpWebrootChallenge, HttpS3Challenge and HttpMemcachedChallenge
    // may be defined at once; all four appear here only to show their shape.
    HttpChallenge = new Acme.Inputs.CertificateHttpChallengeArgs
    {
        Port = 0,
        ProxyHeader = "string",
    },
    HttpMemcachedChallenge = new Acme.Inputs.CertificateHttpMemcachedChallengeArgs
    {
        Hosts = new[]
        {
            "string",
        },
    },
    HttpS3Challenge = new Acme.Inputs.CertificateHttpS3ChallengeArgs
    {
        S3Bucket = "string",
    },
    HttpWebrootChallenge = new Acme.Inputs.CertificateHttpWebrootChallengeArgs
    {
        Directory = "string",
    },
    // One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
    KeyType = "string",
    // Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
    MinDaysRemaining = 0,
    // OCSP Stapling Required extension (default false); has no effect with an external CSR.
    MustStaple = false,
    // Delay in seconds after each DNS challenge record, applied per domain (default 0).
    PreCheckDelay = 0,
    // Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
    PreferredChain = "string",
    // ACME profile name; blank by default.
    Profile = "string",
    // Resolvers used for propagation checks; defaults to the system resolvers.
    RecursiveNameservers = new[]
    {
        "string",
    },
    // Testing only: ignores the ARI endpoint's retry interval (default false).
    RenewalInfoIgnoreRetryAfter = false,
    // Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
    RenewalInfoMaxSleep = 0,
    // Revokes the certificate on destroy, including replacement (default true).
    RevokeCertificateOnDestroy = false,
    // Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
    RevokeCertificateReason = "string",
    SubjectAlternativeNames = new[]
    {
        "string",
    },
    TlsChallenge = new Acme.Inputs.CertificateTlsChallengeArgs
    {
        Port = 0,
    },
    // Consult the CA's ARI endpoint for renewal timing (default false); MinDaysRemaining still applies.
    UseRenewalInfo = false,
});
// Reference example: every value below is a placeholder, not a working configuration.
example, err := acme.NewCertificate(ctx, "certificateResource", &acme.CertificateArgs{
	// Private key of the account requesting the certificate; forces replacement when changed.
	// Supply it from a secret configuration value rather than a plain literal in source.
	AccountKeyPem: pulumi.String("string"),
	// Seconds allowed for the certificate request once all challenges are complete (default 30).
	CertTimeout: pulumi.Int(0),
	// Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
	CertificateP12Password: pulumi.String("string"),
	// Pre-created CSR in PEM form. Per the property docs it conflicts with CommonName and
	// SubjectAlternativeNames; a real deployment sets one or the other, not all three as shown here.
	CertificateRequestPem: pulumi.String("string"),
	CommonName: pulumi.String("string"),
	// Skips waiting for full propagation of the TXT challenge records (default false).
	DisableCompletePropagation: pulumi.Bool(false),
	DnsChallenges: acme.CertificateDnsChallengeArray{
		&acme.CertificateDnsChallengeArgs{
			Provider: pulumi.String("string"),
			Config: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
		},
	},
	// Only one of HttpChallenge, HttpWebrootChallenge, HttpS3Challenge and HttpMemcachedChallenge
	// may be defined at once; all four appear here only to show their shape.
	HttpChallenge: &acme.CertificateHttpChallengeArgs{
		Port: pulumi.Int(0),
		ProxyHeader: pulumi.String("string"),
	},
	HttpMemcachedChallenge: &acme.CertificateHttpMemcachedChallengeArgs{
		Hosts: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	HttpS3Challenge: &acme.CertificateHttpS3ChallengeArgs{
		S3Bucket: pulumi.String("string"),
	},
	HttpWebrootChallenge: &acme.CertificateHttpWebrootChallengeArgs{
		Directory: pulumi.String("string"),
	},
	// One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
	KeyType: pulumi.String("string"),
	// Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
	MinDaysRemaining: pulumi.Int(0),
	// OCSP Stapling Required extension (default false); has no effect with an external CSR.
	MustStaple: pulumi.Bool(false),
	// Delay in seconds after each DNS challenge record, applied per domain (default 0).
	PreCheckDelay: pulumi.Int(0),
	// Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
	PreferredChain: pulumi.String("string"),
	// ACME profile name; blank by default.
	Profile: pulumi.String("string"),
	// Resolvers used for propagation checks; defaults to the system resolvers.
	RecursiveNameservers: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Testing only: ignores the ARI endpoint's retry interval (default false).
	RenewalInfoIgnoreRetryAfter: pulumi.Bool(false),
	// Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
	RenewalInfoMaxSleep: pulumi.Int(0),
	// Revokes the certificate on destroy, including replacement (default true).
	RevokeCertificateOnDestroy: pulumi.Bool(false),
	// Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
	RevokeCertificateReason: pulumi.String("string"),
	SubjectAlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	TlsChallenge: &acme.CertificateTlsChallengeArgs{
		Port: pulumi.Int(0),
	},
	// Consult the CA's ARI endpoint for renewal timing (default false); MinDaysRemaining still applies.
	UseRenewalInfo: pulumi.Bool(false),
})
// NewCertificate returns (*Certificate, error): check err before using example.
// Reference example: every value below is a placeholder, not a working configuration.
var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
    // Private key of the account requesting the certificate; forces replacement when changed.
    // Supply it from a secret configuration value rather than a plain literal in source.
    .accountKeyPem("string")
    // Seconds allowed for the certificate request once all challenges are complete (default 30).
    .certTimeout(0)
    // Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
    .certificateP12Password("string")
    // Pre-created CSR in PEM form. Per the property docs it conflicts with commonName and
    // subjectAlternativeNames; a real deployment sets one or the other, not all three as shown here.
    .certificateRequestPem("string")
    .commonName("string")
    // Skips waiting for full propagation of the TXT challenge records (default false).
    .disableCompletePropagation(false)
    .dnsChallenges(CertificateDnsChallengeArgs.builder()
        .provider("string")
        .config(Map.of("string", "string"))
        .build())
    // Only one of httpChallenge, httpWebrootChallenge, httpS3Challenge and httpMemcachedChallenge
    // may be defined at once; all four appear here only to show their shape.
    .httpChallenge(CertificateHttpChallengeArgs.builder()
        .port(0)
        .proxyHeader("string")
        .build())
    .httpMemcachedChallenge(CertificateHttpMemcachedChallengeArgs.builder()
        .hosts("string")
        .build())
    .httpS3Challenge(CertificateHttpS3ChallengeArgs.builder()
        .s3Bucket("string")
        .build())
    .httpWebrootChallenge(CertificateHttpWebrootChallengeArgs.builder()
        .directory("string")
        .build())
    // One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
    .keyType("string")
    // Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
    .minDaysRemaining(0)
    // OCSP Stapling Required extension (default false); has no effect with an external CSR.
    .mustStaple(false)
    // Delay in seconds after each DNS challenge record, applied per domain (default 0).
    .preCheckDelay(0)
    // Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
    .preferredChain("string")
    // ACME profile name; blank by default.
    .profile("string")
    // Resolvers used for propagation checks; defaults to the system resolvers.
    .recursiveNameservers("string")
    // Testing only: ignores the ARI endpoint's retry interval (default false).
    .renewalInfoIgnoreRetryAfter(false)
    // Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
    .renewalInfoMaxSleep(0)
    // Revokes the certificate on destroy, including replacement (default true).
    .revokeCertificateOnDestroy(false)
    // Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
    .revokeCertificateReason("string")
    .subjectAlternativeNames("string")
    .tlsChallenge(CertificateTlsChallengeArgs.builder()
        .port(0)
        .build())
    // Consult the CA's ARI endpoint for renewal timing (default false); minDaysRemaining still applies.
    .useRenewalInfo(false)
    .build());
# Reference example: every value below is a placeholder, not a working configuration.
certificate_resource = acme.Certificate("certificateResource",
    # Private key of the account requesting the certificate; forces replacement when changed.
    # Supply it from a secret configuration value rather than a plain literal in source.
    account_key_pem="string",
    # Seconds allowed for the certificate request once all challenges are complete (default 30).
    cert_timeout=0,
    # Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
    certificate_p12_password="string",
    # Pre-created CSR in PEM form. Per the property docs it conflicts with common_name and
    # subject_alternative_names; a real deployment sets one or the other, not all three as shown here.
    certificate_request_pem="string",
    common_name="string",
    # Skips waiting for full propagation of the TXT challenge records (default False).
    disable_complete_propagation=False,
    # Nested inputs may be given as dict literals (shown) or as the *Args classes.
    dns_challenges=[{
        "provider": "string",
        "config": {
            "string": "string",
        },
    }],
    # Only one of http_challenge, http_webroot_challenge, http_s3_challenge and
    # http_memcached_challenge may be defined at once; all four appear here only to show their shape.
    http_challenge={
        "port": 0,
        "proxy_header": "string",
    },
    http_memcached_challenge={
        "hosts": ["string"],
    },
    http_s3_challenge={
        "s3_bucket": "string",
    },
    http_webroot_challenge={
        "directory": "string",
    },
    # One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
    key_type="string",
    # Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
    min_days_remaining=0,
    # OCSP Stapling Required extension (default False); has no effect with an external CSR.
    must_staple=False,
    # Delay in seconds after each DNS challenge record, applied per domain (default 0).
    pre_check_delay=0,
    # Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
    preferred_chain="string",
    # ACME profile name; blank by default.
    profile="string",
    # Resolvers used for propagation checks; defaults to the system resolvers.
    recursive_nameservers=["string"],
    # Testing only: ignores the ARI endpoint's retry interval (default False).
    renewal_info_ignore_retry_after=False,
    # Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
    renewal_info_max_sleep=0,
    # Revokes the certificate on destroy, including replacement (default True).
    revoke_certificate_on_destroy=False,
    # Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
    revoke_certificate_reason="string",
    subject_alternative_names=["string"],
    tls_challenge={
        "port": 0,
    },
    # Consult the CA's ARI endpoint for renewal timing (default False); min_days_remaining still applies.
    use_renewal_info=False)
// Reference example: every value below is a placeholder, not a working configuration.
const certificateResource = new acme.Certificate("certificateResource", {
    // Private key of the account requesting the certificate; forces replacement when changed.
    // Supply it from a secret configuration value rather than a plain literal in source.
    accountKeyPem: "string",
    // Seconds allowed for the certificate request once all challenges are complete (default 30).
    certTimeout: 0,
    // Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
    certificateP12Password: "string",
    // Pre-created CSR in PEM form. Per the property docs it conflicts with commonName and
    // subjectAlternativeNames; a real deployment sets one or the other, not all three as shown here.
    certificateRequestPem: "string",
    commonName: "string",
    // Skips waiting for full propagation of the TXT challenge records (default false).
    disableCompletePropagation: false,
    dnsChallenges: [{
        provider: "string",
        config: {
            string: "string",
        },
    }],
    // Only one of httpChallenge, httpWebrootChallenge, httpS3Challenge and httpMemcachedChallenge
    // may be defined at once; all four appear here only to show their shape.
    httpChallenge: {
        port: 0,
        proxyHeader: "string",
    },
    httpMemcachedChallenge: {
        hosts: ["string"],
    },
    httpS3Challenge: {
        s3Bucket: "string",
    },
    httpWebrootChallenge: {
        directory: "string",
    },
    // One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
    keyType: "string",
    // Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
    minDaysRemaining: 0,
    // OCSP Stapling Required extension (default false); has no effect with an external CSR.
    mustStaple: false,
    // Delay in seconds after each DNS challenge record, applied per domain (default 0).
    preCheckDelay: 0,
    // Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
    preferredChain: "string",
    // ACME profile name; blank by default.
    profile: "string",
    // Resolvers used for propagation checks; defaults to the system resolvers.
    recursiveNameservers: ["string"],
    // Testing only: ignores the ARI endpoint's retry interval (default false).
    renewalInfoIgnoreRetryAfter: false,
    // Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
    renewalInfoMaxSleep: 0,
    // Revokes the certificate on destroy, including replacement (default true).
    revokeCertificateOnDestroy: false,
    // Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
    revokeCertificateReason: "string",
    subjectAlternativeNames: ["string"],
    tlsChallenge: {
        port: 0,
    },
    // Consult the CA's ARI endpoint for renewal timing (default false); minDaysRemaining still applies.
    useRenewalInfo: false,
});
# Reference example: every value below is a placeholder, not a working configuration.
type: acme:Certificate
properties:
  # Private key of the account requesting the certificate; forces replacement when changed.
  # Supply it from a secret configuration value rather than a plain literal in source.
  accountKeyPem: string
  # Seconds allowed for the certificate request once all challenges are complete (default 30).
  certTimeout: 0
  # Password for the generated PFX (certificate_p12); defaults to an empty string. Also a secret.
  certificateP12Password: string
  # Pre-created CSR in PEM form. Per the property docs it conflicts with commonName and
  # subjectAlternativeNames; a real deployment sets one or the other, not all three as shown here.
  certificateRequestPem: string
  commonName: string
  # Skips waiting for full propagation of the TXT challenge records (default false).
  disableCompletePropagation: false
  dnsChallenges:
    - config:
        string: string
      provider: string
  # Only one of httpChallenge, httpWebrootChallenge, httpS3Challenge and httpMemcachedChallenge
  # may be defined at once; all four appear here only to show their shape.
  httpChallenge:
    port: 0
    proxyHeader: string
  httpMemcachedChallenge:
    hosts:
      - string
  httpS3Challenge:
    s3Bucket: string
  httpWebrootChallenge:
    directory: string
  # One of P256, P384, 2048, 4096 or 8192; default 2048. Forces replacement when changed.
  keyType: string
  # Days before expiry at which renewal is attempted (default 30); below 0 means never renew.
  minDaysRemaining: 0
  # OCSP Stapling Required extension (default false); has no effect with an external CSR.
  mustStaple: false
  # Delay in seconds after each DNS challenge record, applied per domain (default 0).
  preCheckDelay: 0
  # Common name of the root of an alternate chain offered by the CA, e.g. "ISRG Root X1".
  preferredChain: string
  # ACME profile name; blank by default.
  profile: string
  # Resolvers used for propagation checks; defaults to the system resolvers.
  recursiveNameservers:
    - string
  # Testing only: ignores the ARI endpoint's retry interval (default false).
  renewalInfoIgnoreRetryAfter: false
  # Seconds to sleep during apply to reach the ARI renewal window; capped at 900 (default 0).
  renewalInfoMaxSleep: 0
  # Revokes the certificate on destroy, including replacement (default true).
  revokeCertificateOnDestroy: false
  # Optional RFC 5280 revocation reason such as "key-compromise"; none is sent by default.
  revokeCertificateReason: string
  subjectAlternativeNames:
    - string
  tlsChallenge:
    port: 0
  # Consult the CA's ARI endpoint for renewal timing (default false); minDaysRemaining still applies.
  useRenewalInfo: false
Certificate Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Certificate resource accepts the following input properties:
- AccountKeyPem string - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- CertTimeout int - Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds. As mentioned, `cert_timeout` does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.
- CertificateP12Password string - Password to be used when generating the PFX file stored in `certificate_p12`. Defaults to an empty string.
- CertificateRequestPem string - A pre-created certificate request, such as one from [`tls_cert_request`][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of `common_name`, `subject_alternative_names`, or `certificate_request_pem` must be specified. `certificate_request_pem` conflicts with `common_name` and `subject_alternative_names`; you cannot have `certificate_request_pem` defined at the same time as `common_name` or `subject_alternative_names`, and vice versa. Finally, `common_name` can be blank while `subject_alternative_names` is defined, and vice versa; in this case, with the `classic` Let's Encrypt profile, the first domain defined in `subject_alternative_names` becomes the common name.
- CommonName string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- DisableCompletePropagation bool - Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to `false`. See About DNS propagation checks for details on the `recursive_nameservers` and `disable_complete_propagation` settings.
- DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge> - The DNS challenges to use in fulfilling the request.
- HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge - Defines an HTTP challenge to use in fulfilling the request.
- HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- KeyType string - The key type for the certificate's private key. Can be one of: `P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and `8192` (for RSA keys of respective length). Required when not specifying a CSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when changed.
- MinDaysRemaining int - The minimum number of days remaining on the expiration of a certificate before a renewal is attempted. The default is `30`. A value of less than `0` means that the certificate will never be renewed.
- MustStaple bool - Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to `false`. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using `must_staple`, and only enable it if you are sure your webserver or service provider can be configured correctly.
- PreCheckDelay int - Insert a delay after every DNS challenge record to allow extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay). Be careful with `pre_check_delay`, since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (`common_name` + `subject_alternative_names`).
- PreferredChain string - The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in `issuer_pem` will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. `preferred_chain` can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put into the `preferred_chain` field would be `ISRG Root X1`. The equivalent in the staging environment is `(STAGING) Pretend Pear X1`.
- Profile string - The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed. Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- RecursiveNameservers List<string> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- RenewalInfoIgnoreRetryAfter bool - Ignores the retry interval supplied by the ARI endpoint for re-fetching renewal window data. Should only be used for testing. Default: `false`.
- RenewalInfoMaxSleep int - The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when `use_renewal_info` is set to `true`. Default: `0`. It is recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- RevokeCertificateOnDestroy bool - Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is `true`.
- RevokeCertificateReason string - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
  - unspecified
  - key-compromise
  - ca-compromise
  - affiliation-changed
  - superseded
  - cessation-of-operation
  - certificate-hold
  - remove-from-crl
  - privilege-withdrawn
  - aa-compromise
- SubjectAlternativeNames List<string> - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge - Defines a TLS challenge to use in fulfilling the request. Only one of `http_challenge`, `http_webroot_challenge`, `http_s3_challenge` and `http_memcached_challenge` can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and `tls_challenge`.
- UseRenewalInfo bool - When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default: `false`. More detail on ARI can be found in RFC 9773. Note that `use_renewal_info` does not disable `min_days_remaining`! If the selected time within an ARI renewal window cannot be reached at plan time (based on the current time plus the value of `renewal_info_max_sleep`), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in `min_days_remaining`. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
- AccountKeyPem string - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- CertTimeout int - Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds. As mentioned, `cert_timeout` does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.
- CertificateP12Password string - Password to be used when generating the PFX file stored in `certificate_p12`. Defaults to an empty string.
- CertificateRequestPem string - A pre-created certificate request, such as one from [`tls_cert_request`][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of `common_name`, `subject_alternative_names`, or `certificate_request_pem` must be specified. `certificate_request_pem` conflicts with `common_name` and `subject_alternative_names`; you cannot have `certificate_request_pem` defined at the same time as `common_name` or `subject_alternative_names`, and vice versa. Finally, `common_name` can be blank while `subject_alternative_names` is defined, and vice versa; in this case, with the `classic` Let's Encrypt profile, the first domain defined in `subject_alternative_names` becomes the common name.
- CommonName string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- DisableCompletePropagation bool - Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to `false`. See About DNS propagation checks for details on the `recursive_nameservers` and `disable_complete_propagation` settings.
- DnsChallenges []CertificateDnsChallengeArgs - The DNS challenges to use in fulfilling the request.
- HttpChallenge CertificateHttpChallengeArgs - Defines an HTTP challenge to use in fulfilling the request.
- HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- HttpS3Challenge CertificateHttpS3ChallengeArgs - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- HttpWebrootChallenge CertificateHttpWebrootChallengeArgs - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- KeyType string - The key type for the certificate's private key. Can be one of: `P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and `8192` (for RSA keys of respective length). Required when not specifying a CSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when changed.
- MinDaysRemaining int - The minimum number of days remaining on the expiration of a certificate before a renewal is attempted. The default is `30`. A value of less than `0` means that the certificate will never be renewed.
- MustStaple bool - Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to `false`. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using `must_staple`, and only enable it if you are sure your webserver or service provider can be configured correctly.
- PreCheckDelay int - Insert a delay after every DNS challenge record to allow extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay). Be careful with `pre_check_delay`, since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (`common_name` + `subject_alternative_names`).
- PreferredChain string - The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in `issuer_pem` will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. `preferred_chain` can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put into the `preferred_chain` field would be `ISRG Root X1`. The equivalent in the staging environment is `(STAGING) Pretend Pear X1`.
- Profile string - The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed. Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- RecursiveNameservers []string - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- RenewalInfoIgnoreRetryAfter bool - Ignores the retry interval supplied by the ARI endpoint for re-fetching renewal window data. Should only be used for testing. Default: `false`.
- RenewalInfoMaxSleep int - The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when `use_renewal_info` is set to `true`. Default: `0`. It is recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- RevokeCertificateOnDestroy bool - Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is `true`.
- RevokeCertificateReason string - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
  - unspecified
  - key-compromise
  - ca-compromise
  - affiliation-changed
  - superseded
  - cessation-of-operation
  - certificate-hold
  - remove-from-crl
  - privilege-withdrawn
  - aa-compromise
- SubjectAlternativeNames []string - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- TlsChallenge CertificateTlsChallengeArgs - Defines a TLS challenge to use in fulfilling the request. Only one of `http_challenge`, `http_webroot_challenge`, `http_s3_challenge` and `http_memcached_challenge` can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and `tls_challenge`.
- UseRenewalInfo bool - When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default: `false`. More detail on ARI can be found in RFC 9773. Note that `use_renewal_info` does not disable `min_days_remaining`! If the selected time within an ARI renewal window cannot be reached at plan time (based on the current time plus the value of `renewal_info_max_sleep`), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in `min_days_remaining`. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
- accountKeyPem String - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- certTimeout Integer - Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds. As mentioned, `cert_timeout` does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.
- certificateP12Password String - Password to be used when generating the PFX file stored in `certificate_p12`. Defaults to an empty string.
- certificateRequestPem String - A pre-created certificate request, such as one from [`tls_cert_request`][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of `common_name`, `subject_alternative_names`, or `certificate_request_pem` must be specified. `certificate_request_pem` conflicts with `common_name` and `subject_alternative_names`; you cannot have `certificate_request_pem` defined at the same time as `common_name` or `subject_alternative_names`, and vice versa. Finally, `common_name` can be blank while `subject_alternative_names` is defined, and vice versa; in this case, with the `classic` Let's Encrypt profile, the first domain defined in `subject_alternative_names` becomes the common name.
- commonName String - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disableCompletePropagation Boolean - Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to `false`. See About DNS propagation checks for details on the `recursive_nameservers` and `disable_complete_propagation` settings.
- dnsChallenges List<CertificateDnsChallenge> - The DNS challenges to use in fulfilling the request.
- httpChallenge CertificateHttpChallenge - Defines an HTTP challenge to use in fulfilling the request.
- httpMemcachedChallenge CertificateHttpMemcachedChallenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- httpS3Challenge CertificateHttpS3Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- httpWebrootChallenge CertificateHttpWebrootChallenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- keyType String - The key type for the certificate's private key. Can be one of: `P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and `8192` (for RSA keys of respective length). Required when not specifying a CSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when changed.
- minDaysRemaining Integer - The minimum number of days remaining on the expiration of a certificate before a renewal is attempted. The default is `30`. A value of less than `0` means that the certificate will never be renewed.
- mustStaple Boolean - Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to `false`. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using `must_staple`, and only enable it if you are sure your webserver or service provider can be configured correctly.
- preCheckDelay Integer - Insert a delay after every DNS challenge record to allow extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay). Be careful with `pre_check_delay`, since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (`common_name` + `subject_alternative_names`).
- preferredChain String - The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in `issuer_pem` will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. `preferred_chain` can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put into the `preferred_chain` field would be `ISRG Root X1`. The equivalent in the staging environment is `(STAGING) Pretend Pear X1`.
- profile String - The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed. Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursiveNameservers List<String> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewalInfoIgnoreRetryAfter Boolean - Ignores the retry interval supplied by the ARI endpoint for re-fetching renewal window data. Should only be used for testing. Default: `false`.
- renewalInfoMaxSleep Integer - The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when `use_renewal_info` is set to `true`. Default: `0`. It is recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- revoke
Certificate BooleanOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke
Certificate StringReason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject
Alternative List<String>Names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls
Challenge CertificateTls Challenge Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use
Renewal BooleanInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within an ARI renewal window value cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
- account
Key stringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert
Timeout number Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate
P12Password string - Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Note that certificate_p12 also contains the private key, so an empty password provides no meaningful protection for that archive.
- certificate
Request stringPem A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.
- common
Name string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable
Complete booleanPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns
Challenges CertificateDns Challenge[] - The DNS challenges to use in fulfilling the request.
- http
Challenge CertificateHttp Challenge - Defines an HTTP challenge to use in fulfilling the request.
- http
Memcached CertificateChallenge Http Memcached Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http
S3Challenge CertificateHttp S3Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http
Webroot CertificateChallenge Http Webroot Challenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- key
Type string - The key type for the certificate's private key. Can be one of:
P256
andP384
(for ECDSA keys of respective length) or2048
,4096
, and8192
(for RSA keys of respective length). Required when not specifying a CSR. The default is2048
(RSA key of 2048 bits). Forces a new resource when changed. - min
Days numberRemaining - The minimum number of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - must
Staple boolean Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly.- pre
Check numberDelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
- preferred
Chain string The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to thepreferred_chain
field would beISRG Root X1
. The equivalent in the staging environment is(STAGING) Pretend Pear X1
.- profile string
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive
Nameservers string[] - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal
Info booleanIgnore Retry After - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - renewal
Info numberMax Sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set totrue
. Default:0
.It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- revoke
Certificate booleanOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke
Certificate stringReason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject
Alternative string[]Names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls
Challenge CertificateTls Challenge Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use
Renewal booleanInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within an ARI renewal window value cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
- account_
key_ strpem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert_
timeout int Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate_
p12_ strpassword - Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Note that certificate_p12 also contains the private key, so an empty password provides no meaningful protection for that archive.
- certificate_
request_ strpem A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.
- common_
name str - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable_
complete_ boolpropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns_
challenges Sequence[CertificateDns Challenge Args] - The DNS challenges to use in fulfilling the request.
- http_
challenge CertificateHttp Challenge Args - Defines an HTTP challenge to use in fulfilling the request.
- http_
memcached_ Certificatechallenge Http Memcached Challenge Args - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http_
s3_ Certificatechallenge Http S3Challenge Args - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http_
webroot_ Certificatechallenge Http Webroot Challenge Args - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- key_
type str - The key type for the certificate's private key. Can be one of:
P256
andP384
(for ECDSA keys of respective length) or2048
,4096
, and8192
(for RSA keys of respective length). Required when not specifying a CSR. The default is2048
(RSA key of 2048 bits). Forces a new resource when changed. - min_
days_ intremaining - The minimum number of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - must_
staple bool Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly.- pre_
check_ intdelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
- preferred_
chain str The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to thepreferred_chain
field would beISRG Root X1
. The equivalent in the staging environment is(STAGING) Pretend Pear X1
.- profile str
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive_
nameservers Sequence[str] - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal_
info_ boolignore_ retry_ after - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - renewal_
info_ intmax_ sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set totrue
. Default:0
.It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- revoke_
certificate_ boolon_ destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke_
certificate_ strreason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject_
alternative_ Sequence[str]names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls_
challenge CertificateTls Challenge Args Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use_
renewal_ boolinfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within an ARI renewal window value cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
- account
Key StringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert
Timeout Number Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate
P12Password String - Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Note that certificate_p12 also contains the private key, so an empty password provides no meaningful protection for that archive.
- certificate
Request StringPem A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed. One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.
- common
Name String - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable
Complete BooleanPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns
Challenges List<Property Map> - The DNS challenges to use in fulfilling the request.
- http
Challenge Property Map - Defines an HTTP challenge to use in fulfilling the request.
- http
Memcached Property MapChallenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http
S3Challenge Property Map - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http
Webroot Property MapChallenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- key
Type String - The key type for the certificate's private key. Can be one of:
P256
andP384
(for ECDSA keys of respective length) or2048
,4096
, and8192
(for RSA keys of respective length). Required when not specifying a CSR. The default is2048
(RSA key of 2048 bits). Forces a new resource when changed. - min
Days NumberRemaining - The minimum number of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - must
Staple Boolean Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly.- pre
Check NumberDelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
- preferred
Chain String The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to thepreferred_chain
field would beISRG Root X1
. The equivalent in the staging environment is(STAGING) Pretend Pear X1
.- profile String
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive
Nameservers List<String> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal
Info BooleanIgnore Retry After - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - renewal
Info NumberMax Sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set totrue
. Default:0
.It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- revoke
Certificate BooleanOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke
Certificate StringReason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject
Alternative List<String>Names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls
Challenge Property Map Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use
Renewal BooleanInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within an ARI renewal window value cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
Outputs
All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:
- Certificate
Domain string - The common name of the certificate.
- Certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - Certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - Certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- Certificate
Serial string - The serial number, in string format, as reported by the CA.
- Certificate
Url string - The full URL of the certificate within the ACME CA.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- Private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. Ifcertificate_request_pem
was used, this will be blank. - Renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - Renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - Renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - Renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - Renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
- Certificate
Domain string - The common name of the certificate.
- Certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - Certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - Certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- Certificate
Serial string - The serial number, in string format, as reported by the CA.
- Certificate
Url string - The full URL of the certificate within the ACME CA.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- Private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. Ifcertificate_request_pem
was used, this will be blank. - Renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - Renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - Renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - Renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - Renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
- certificate
Domain String - The common name of the certificate.
- certificate
Not StringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 String - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
Pem String - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate
Serial String - The serial number, in string format, as reported by the CA.
- certificate
Url String - The full URL of the certificate within the ACME CA.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Pem String - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- private
Key StringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - renewal
Info StringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal
Info StringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal
Info StringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal
Info StringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal
Info StringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
- certificate
Domain string - The common name of the certificate.
- certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated with issuer_pem
to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate
Serial string - The serial number, in string format, as reported by the CA.
- certificate
Url string - The full URL of the certificate within the ACME CA.
- id string
- The provider-assigned unique ID for this managed resource.
- issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
- certificate_
domain str - The common name of the certificate.
- certificate_
not_ strafter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate_
p12 str - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate_
pem str - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated with issuer_pem
to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate_
serial str - The serial number, in string format, as reported by the CA.
- certificate_
url str - The full URL of the certificate within the ACME CA.
- id str
- The provider-assigned unique ID for this managed resource.
- issuer_
pem str - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- private_
key_ strpem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - renewal_
info_ strexplanation_ url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal_
info_ strretry_ after - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal_
info_ strwindow_ end - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal_
info_ strwindow_ selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal_
info_ strwindow_ start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
- certificate
Domain String - The common name of the certificate.
- certificate
Not StringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 String - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
Pem String - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated with issuer_pem
to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate
Serial String - The serial number, in string format, as reported by the CA.
- certificate
Url String - The full URL of the certificate within the ACME CA.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Pem String - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- private
Key StringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - renewal
Info StringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal
Info StringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal
Info StringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal
Info StringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal
Info StringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
).
Look up Existing Certificate Resource
Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_key_pem: Optional[str] = None,
cert_timeout: Optional[int] = None,
certificate_domain: Optional[str] = None,
certificate_not_after: Optional[str] = None,
certificate_p12: Optional[str] = None,
certificate_p12_password: Optional[str] = None,
certificate_pem: Optional[str] = None,
certificate_request_pem: Optional[str] = None,
certificate_serial: Optional[str] = None,
certificate_url: Optional[str] = None,
common_name: Optional[str] = None,
disable_complete_propagation: Optional[bool] = None,
dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
http_challenge: Optional[CertificateHttpChallengeArgs] = None,
http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
issuer_pem: Optional[str] = None,
key_type: Optional[str] = None,
min_days_remaining: Optional[int] = None,
must_staple: Optional[bool] = None,
pre_check_delay: Optional[int] = None,
preferred_chain: Optional[str] = None,
private_key_pem: Optional[str] = None,
profile: Optional[str] = None,
recursive_nameservers: Optional[Sequence[str]] = None,
renewal_info_explanation_url: Optional[str] = None,
renewal_info_ignore_retry_after: Optional[bool] = None,
renewal_info_max_sleep: Optional[int] = None,
renewal_info_retry_after: Optional[str] = None,
renewal_info_window_end: Optional[str] = None,
renewal_info_window_selected: Optional[str] = None,
renewal_info_window_start: Optional[str] = None,
revoke_certificate_on_destroy: Optional[bool] = None,
revoke_certificate_reason: Optional[str] = None,
subject_alternative_names: Optional[Sequence[str]] = None,
tls_challenge: Optional[CertificateTlsChallengeArgs] = None,
use_renewal_info: Optional[bool] = None) -> Certificate
func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
resources: _: type: acme:Certificate get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Account
Key stringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- Cert
Timeout int Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options. - Certificate
Domain string - The common name of the certificate.
- Certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - Certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - Certificate
P12Password string - Password to be used when generating
the PFX file stored in
certificate_p12
. Defaults to an empty string. - Certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated with issuer_pem
to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- Certificate
Request stringPem A pre-created certificate request, such as one from
tls_cert_request
, or one from an external source, in PEM format. Forces a new resource when changed. One of
common_name
, subject_alternative_names
, or certificate_request_pem
must be specified. certificate_request_pem
conflicts with common_name
and subject_alternative_names
; you cannot have certificate_request_pem
defined at the same time as common_name
or subject_alternative_names
, and vice versa. Finally, common_name
can be blank while subject_alternative_names
is defined, and vice versa; in this case with the classic
Let's Encrypt profile, the first domain defined in subject_alternative_names
becomes the common name. - Certificate
Serial string - The serial number, in string format, as reported by the CA.
- Certificate
Url string - The full URL of the certificate within the ACME CA.
- Common
Name string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- Disable
Complete boolPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
. See About DNS propagation checks for details on the
recursive_nameservers
and disable_complete_propagation
settings. - Dns
Challenges List<Pulumiverse.Acme. Inputs. Certificate Dns Challenge> - The DNS challenges to use in fulfilling the request.
- Http
Challenge Pulumiverse.Acme. Inputs. Certificate Http Challenge - Defines an HTTP challenge to use in fulfilling the request.
- Http
Memcached Challenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- Http
S3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- Http
Webroot Challenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- Issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- Key
Type string - The key type for the certificate's private key. Can be one of:
P256
and P384
(for ECDSA keys on the respective curve) or 2048
, 4096
, and 8192
(for RSA keys of the respective bit length). Required when not specifying a CSR. The default is 2048
(RSA key of 2048 bits). Forces a new resource when changed. - Min
Days intRemaining - The minimum amount of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - Must
Staple bool Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support downloading the staple from the CA's OCSP endpoints, and the webserver should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly. - Pre
Check intDelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with
pre_check_delay
since the delay is executed per domain. Take your expected delay and divide it by the number of domains you have configured (common_name
+ subject_alternative_names
). - Preferred
Chain string The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put into the preferred_chain
field would be ISRG Root X1
. The equivalent in the staging environment is (STAGING) Pretend Pear X1
. - Private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - Profile string
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- Recursive
Nameservers List<string> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- Renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - Renewal
Info boolIgnore Retry After - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - Renewal
Info intMax Sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set to true
. Default: 0
. It's recommended to use only small values here (a few minutes at most). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- Renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - Renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - Renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - Renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
). - Revoke
Certificate boolOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - Revoke
Certificate stringReason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- Subject
Alternative List<string>Names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- Tls
Challenge Pulumiverse.Acme. Inputs. Certificate Tls Challenge Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
, http_webroot_challenge
, http_s3_challenge
and http_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge
. - Use
Renewal boolInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that
use_renewal_info
does not disable min_days_remaining
! If the selected time within the ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep
), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining
. This means that for short-lived certificates you may wish to lower min_days_remaining so that the two settings do not conflict; however, don't disable it altogether (a value below 0), as this may prevent the certificate from being renewed!
- Account
Key stringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- Cert
Timeout int Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options. - Certificate
Domain string - The common name of the certificate.
- Certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - Certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - Certificate
P12Password string - Password to be used when generating
the PFX file stored in
certificate_p12
. Defaults to an empty string. - Certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated with issuer_pem
to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- Certificate
Request stringPem A pre-created certificate request, such as one from
tls_cert_request
, or one from an external source, in PEM format. Forces a new resource when changed. One of
common_name
, subject_alternative_names
, or certificate_request_pem
must be specified. certificate_request_pem
conflicts with common_name
and subject_alternative_names
; you cannot have certificate_request_pem
defined at the same time as common_name
or subject_alternative_names
, and vice versa. Finally, common_name
can be blank while subject_alternative_names
is defined, and vice versa; in this case with the classic
Let's Encrypt profile, the first domain defined in subject_alternative_names
becomes the common name. - Certificate
Serial string - The serial number, in string format, as reported by the CA.
- Certificate
Url string - The full URL of the certificate within the ACME CA.
- Common
Name string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- Disable
Complete boolPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
. See About DNS propagation checks for details on the
recursive_nameservers
and disable_complete_propagation
settings. - Dns
Challenges []CertificateDns Challenge Args - The DNS challenges to use in fulfilling the request.
- Http
Challenge CertificateHttp Challenge Args - Defines an HTTP challenge to use in fulfilling the request.
- Http
Memcached Challenge CertificateHttpMemcachedChallengeArgs - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- Http
S3Challenge CertificateHttpS3ChallengeArgs - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- Http
Webroot Challenge CertificateHttpWebrootChallengeArgs - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- Issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- Key
Type string - The key type for the certificate's private key. Can be one of:
P256
and P384
(for ECDSA keys on the respective curve) or 2048
, 4096
, and 8192
(for RSA keys of the respective bit length). Required when not specifying a CSR. The default is 2048
(RSA key of 2048 bits). Forces a new resource when changed. - Min
Days intRemaining - The minimum amount of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - Must
Staple bool Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support downloading the staple from the CA's OCSP endpoints, and the webserver should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly. - Pre
Check intDelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with
pre_check_delay
since the delay is executed per domain. Take your expected delay and divide it by the number of domains you have configured (common_name
+ subject_alternative_names
). - Preferred
Chain string The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put into the preferred_chain
field would be ISRG Root X1
. The equivalent in the staging environment is (STAGING) Pretend Pear X1
. - Private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. If certificate_request_pem
was used, this will be blank. - Profile string
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- Recursive
Nameservers []string - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- Renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - Renewal
Info boolIgnore Retry After - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - Renewal
Info intMax Sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set to true
. Default: 0
. It's recommended to use only small values here (a few minutes at most). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- Renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - Renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - Renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - Renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
). - Revoke
Certificate boolOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - Revoke
Certificate stringReason - Some CAs require a reason for revocation to be provided.
Use this reason (from RFC 5280, section 5.3.1).
By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- Subject
Alternative []stringNames - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- Tls
Challenge CertificateTls Challenge Args Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
, http_webroot_challenge
, http_s3_challenge
and http_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge
. - Use
Renewal boolInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that
use_renewal_info
does not disable min_days_remaining
! If the selected time within the ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep
), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining
. This means that for short-lived certificates you may wish to lower min_days_remaining so that the two settings do not conflict; however, don't disable it altogether (a value below 0), as this may prevent the certificate from being renewed!
- account
Key StringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert
Timeout Integer Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options. - certificate
Domain String - The common name of the certificate.
- certificate
Not StringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 String - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
P12 Password String - Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
- certificate
Pem String - The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}".
- certificate Request Pem String - A pre-created certificate request, such as one from [tls_cert_request][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed.
One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.
- certificate
Serial String - The serial number, in string format, as reported by the CA.
- certificate
Url String - The full URL of the certificate within the ACME CA.
- common
Name String - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable Complete Propagation Boolean - Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.
See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.
- dns
Challenges List<CertificateDns Challenge> - The DNS challenges to use in fulfilling the request.
- http
Challenge CertificateHttp Challenge - Defines an HTTP challenge to use in fulfilling the request.
- http Memcached Challenge CertificateHttp Memcached Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http S3 Challenge CertificateHttp S3 Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http Webroot Challenge CertificateHttp Webroot Challenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- issuer
Pem String - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- key Type String - The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
- min Days Remaining Integer - The minimum number of days remaining before the expiration of a certificate at which a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
- must
Staple Boolean - Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.
OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
- pre
Check Delay Integer - Insert a delay after every DNS challenge record to allow extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with pre_check_delay, since the delay is executed per-domain. Take your expected total delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
- preferred
Chain String - The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed.
preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
- private
Key Pem String - The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
- profile String - The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile). Forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive
Nameservers List<String> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal Info Explanation Url String - A URL that can be optionally supplied by an ARI endpoint explaining the renewal window policy (see use_renewal_info).
- renewal Info Ignore Retry After Boolean - Ignores the retry interval supplied by the ARI endpoint for re-fetching renewal window data. Should only be used for testing. Default: false.
- renewal Info Max Sleep Integer - The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when use_renewal_info is set to true. Default: 0.
It is recommended to use only small values here (a few minutes at most). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- renewal Info Retry After String - A timestamp describing when ARI details will be refreshed if already fetched (see use_renewal_info).
- renewal Info Window End String - The end of the discovered ARI renewal window (see use_renewal_info).
- renewal Info Window Selected String - The selected time within the ARI renewal window at which a certificate will be renewed, if use_renewal_info is enabled.
- renewal Info Window Start String - The start of the discovered ARI renewal window (see use_renewal_info).
- revoke
Certificate On Destroy Boolean - Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
- revoke Certificate Reason String - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject Alternative Names List<String> - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls Challenge CertificateTls Challenge - Defines a TLS challenge to use in fulfilling the request.
Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.
- use Renewal Info Boolean - When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default: false. More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within the ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior falls back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to lower min_days_remaining so that the two settings do not conflict; however, do not disable it altogether, as this may prevent the certificate from being renewed!
- account
Key stringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert
Timeout number Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate
Domain string - The common name of the certificate.
- certificate
Not stringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 string - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
P12Password string - Password to be used when generating
the PFX file stored in
certificate_p12
. Defaults to an empty string. - certificate
Pem string - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate
Request stringPem A pre-created certificate request, such as one from [
tls_cert_request
][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed.One of
common_name
,subject_alternative_names
, orcertificate_request_pem
must be specified.certificate_request_pem
conflicts withcommon_name
andsubject_alternative_names
; You cannot havecertificate_request_pem
defined at the same time ascommon_name
orsubject_alternative_names
, and vice versa. Finally,common_name
can be blank whilesubject_alternative_names
is defined, and vice versa; in this case with theclassic
Let's Encrypt profile, the first domain defined insubject_alternative_names
becomes the common name.- certificate
Serial string - The serial number, in string format, as reported by the CA.
- certificate
Url string - The full URL of the certificate within the ACME CA.
- common
Name string - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable
Complete booleanPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns
Challenges CertificateDns Challenge[] - The DNS challenges to use in fulfilling the request.
- http
Challenge CertificateHttp Challenge - Defines an HTTP challenge to use in fulfilling the request.
- http
Memcached CertificateChallenge Http Memcached Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http
S3 Challenge CertificateHttp S3 Challenge - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http
Webroot CertificateChallenge Http Webroot Challenge - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- issuer
Pem string - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- key
Type string - The key type for the certificate's private key. Can be one of:
P256
andP384
(for ECDSA keys of respective length) or2048
,4096
, and8192
(for RSA keys of respective length). Required when not specifying a CSR. The default is2048
(RSA key of 2048 bits). Forces a new resource when changed. - min
Days numberRemaining - The minimum amount of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - must
Staple boolean Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly.- pre
Check numberDelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with
pre_check_delay
since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name
+subject_alternative_names
).- preferred
Chain string The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to thepreferred_chain
field would beISRG Root X1
. The equivalent in the staging environment is(STAGING) Pretend Pear X1
.- private
Key stringPem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. Ifcertificate_request_pem
was used, this will be blank. - profile string
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive
Nameservers string[] - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal
Info stringExplanation Url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal
Info booleanIgnore Retry After - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - renewal
Info numberMax Sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set totrue
. Default:0
.It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- renewal
Info stringRetry After - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal
Info stringWindow End - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal
Info stringWindow Selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal
Info stringWindow Start - The start of the discovered ARI renewal window
(see
use_renewal_info
). - revoke
Certificate booleanOn Destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke
Certificate Reason string - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject
Alternative string[]Names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls
Challenge CertificateTls Challenge Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use
Renewal booleanInfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within the ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior falls back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to lower min_days_remaining so that the two settings do not conflict; however, do not disable it altogether, as this may prevent the certificate from being renewed!
- account_
key_ strpem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert_
timeout int Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate_
domain str - The common name of the certificate.
- certificate_
not_ strafter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate_
p12 str - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate_
p12_ strpassword - Password to be used when generating
the PFX file stored in
certificate_p12
. Defaults to an empty string. - certificate_
pem str - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate_
request_ strpem A pre-created certificate request, such as one from [
tls_cert_request
][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed.One of
common_name
,subject_alternative_names
, orcertificate_request_pem
must be specified.certificate_request_pem
conflicts withcommon_name
andsubject_alternative_names
; You cannot havecertificate_request_pem
defined at the same time ascommon_name
orsubject_alternative_names
, and vice versa. Finally,common_name
can be blank whilesubject_alternative_names
is defined, and vice versa; in this case with theclassic
Let's Encrypt profile, the first domain defined insubject_alternative_names
becomes the common name.- certificate_
serial str - The serial number, in string format, as reported by the CA.
- certificate_
url str - The full URL of the certificate within the ACME CA.
- common_
name str - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable_
complete_ boolpropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns_
challenges Sequence[CertificateDns Challenge Args] - The DNS challenges to use in fulfilling the request.
- http_
challenge CertificateHttp Challenge Args - Defines an HTTP challenge to use in fulfilling the request.
- http_
memcached_ Certificatechallenge Http Memcached Challenge Args - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http_
s3_ challenge CertificateHttp S3 Challenge Args - Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
- http_
webroot_ Certificatechallenge Http Webroot Challenge Args - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- issuer_
pem str - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- key_
type str - The key type for the certificate's private key. Can be one of:
P256
andP384
(for ECDSA keys of respective length) or2048
,4096
, and8192
(for RSA keys of respective length). Required when not specifying a CSR. The default is2048
(RSA key of 2048 bits). Forces a new resource when changed. - min_
days_ intremaining - The minimum amount of days remaining on the
expiration of a certificate before a renewal is attempted. The default is
30
. A value of less than0
means that the certificate will never be renewed. - must_
staple bool Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to
false
. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using
must_staple
, and only enable it if you are sure your webserver or service provider can be configured correctly.- pre_
check_ intdelay Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).
Be careful with
pre_check_delay
since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name
+subject_alternative_names
).- preferred_
chain str The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in
issuer_pem
will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.preferred_chain
can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to thepreferred_chain
field would beISRG Root X1
. The equivalent in the staging environment is(STAGING) Pretend Pear X1
.- private_
key_ strpem - The certificate's private key, in PEM format, if the
certificate was generated from scratch and not with
certificate_request_pem
. Ifcertificate_request_pem
was used, this will be blank. - profile str
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive_
nameservers Sequence[str] - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal_
info_ strexplanation_ url - A URL that can be optionally supplied by an
ARI endpoint explaining the renewal window policy (see
use_renewal_info
). - renewal_
info_ boolignore_ retry_ after - Ignores the retry interval
supplied by the ARI endpoint for re-fetching renewal window data. Should only
be used for testing. Default:
false
. - renewal_
info_ intmax_ sleep The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when
use_renewal_info
is set totrue
. Default:0
.It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- renewal_
info_ strretry_ after - A timestamp describing when ARI details will be
refreshed if already fetched (see
use_renewal_info
). - renewal_
info_ strwindow_ end - The end of the discovered ARI renewal window (see
use_renewal_info
). - renewal_
info_ strwindow_ selected - The selected time within the ARI renewal
window that a certificate will be renewed, if
use_renewal_info
is enabled. - renewal_
info_ strwindow_ start - The start of the discovered ARI renewal window
(see
use_renewal_info
). - revoke_
certificate_ boolon_ destroy - Enables revocation of a certificate upon destroy,
which includes when a resource is re-created. Default is
true
. - revoke_
certificate_ reason str - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string which, when provided, should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject_
alternative_ Sequence[str]names - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls_
challenge CertificateTls Challenge Args Defines a TLS challenge to use in fulfilling the request.
Only one of
http_challenge
,http_webroot_challenge
,http_s3_challenge
andhttp_memcached_challenge
can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these andtls_challenge
.- use_
renewal_ boolinfo When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default:
false
.More detail on ARI can be found in RFC 9773.
Note that use_renewal_info does not disable min_days_remaining! If the selected time within the ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior falls back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to lower min_days_remaining so that the two settings do not conflict; however, do not disable it altogether, as this may prevent the certificate from being renewed!
- account
Key StringPem - The private key of the account that is requesting the certificate. Forces a new resource when changed.
- cert
Timeout Number Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.
As mentioned,
cert_timeout
does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.- certificate
Domain String - The common name of the certificate.
- certificate
Not StringAfter - The expiry date of the certificate, laid out in
RFC3339 format (
2006-01-02T15:04:05Z07:00
). - certificate
P12 String - The certificate, any intermediates, and the private key
archived as a PFX file (PKCS12 format, generally used by Microsoft products).
The data is base64 encoded (including padding), and its password is
configurable via the
certificate_p12_password
argument. This field is empty if creating a certificate from a CSR. - certificate
P12Password String - Password to be used when generating
the PFX file stored in
certificate_p12
. Defaults to an empty string. - certificate
Pem String - The certificate in PEM format. This does not include the
issuer_pem
. This certificate can be concatenated withissuer_pem
to form a full chain, e.g."${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
- certificate
Request StringPem A pre-created certificate request, such as one from [
tls_cert_request
][tls-cert-request], or one from an external source, in PEM format. Forces a new resource when changed.One of
common_name
,subject_alternative_names
, orcertificate_request_pem
must be specified.certificate_request_pem
conflicts withcommon_name
andsubject_alternative_names
; You cannot havecertificate_request_pem
defined at the same time ascommon_name
orsubject_alternative_names
, and vice versa. Finally,common_name
can be blank whilesubject_alternative_names
is defined, and vice versa; in this case with theclassic
Let's Encrypt profile, the first domain defined insubject_alternative_names
becomes the common name.- certificate
Serial String - The serial number, in string format, as reported by the CA.
- certificate
Url String - The full URL of the certificate within the ACME CA.
- common
Name String - The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
- disable
Complete BooleanPropagation Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to
false
.See About DNS propagation checks for details on the
recursive_nameservers
anddisable_complete_propagation
settings.- dns
Challenges List<Property Map> - The DNS challenges to use in fulfilling the request.
- http
Challenge Property Map - Defines an HTTP challenge to use in fulfilling the request.
- http
Memcached Challenge Property Map - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
- http
S3Challenge Property Map - Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
- http
Webroot Challenge Property Map - Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
- issuer
Pem String - The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
- key
Type String - The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of the respective length) or 2048, 4096, and 8192 (for RSA keys of the respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
- min
Days Remaining Number - The minimum number of days remaining until the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
- must
Staple Boolean - Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed. OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.
- pre
Check Delay Number - Insert a delay after every DNS challenge record to allow extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay). Be careful with pre_check_delay, since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).
- preferred
Chain String - The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available; otherwise the default chain will be provided. Forces a new resource when changed. preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.
- private
Key Pem String - The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
- profile String
The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.
Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.
- recursive
Nameservers List<String> - The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
- renewal
Info Explanation Url String - A URL that can optionally be supplied by an ARI endpoint explaining the renewal window policy (see use_renewal_info).
- renewal
Info Ignore Retry After Boolean - Ignores the retry interval supplied by the ARI endpoint for re-fetching renewal window data. Should only be used for testing. Default: false.
- renewal
Info Max Sleep Number - The maximum amount of time, in seconds, that the resource is willing to sleep during apply to reach a selected renewal window time when use_renewal_info is set to true. Default: 0. It's recommended to only use small values here (a few minutes maximum). Using extremely high values increases the risk of resource timeouts. To prevent hard resource timeouts, the maximum value allowed here is 900 seconds, or 15 minutes.
- renewal
Info Retry After String - A timestamp describing when ARI details will be refreshed if already fetched (see use_renewal_info).
- renewal
Info Window End String - The end of the discovered ARI renewal window (see use_renewal_info).
- renewal
Info Window Selected String - The selected time within the ARI renewal window at which a certificate will be renewed, if use_renewal_info is enabled.
- renewal
Info Window Start String - The start of the discovered ARI renewal window (see use_renewal_info).
- revoke
Certificate On Destroy Boolean - Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
- revoke
Certificate Reason String - Some CAs require a reason for revocation to be provided. Use this reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string; when provided, it should be one of:
- unspecified
- key-compromise
- ca-compromise
- affiliation-changed
- superseded
- cessation-of-operation
- certificate-hold
- remove-from-crl
- privilege-withdrawn
- aa-compromise
- subject
Alternative Names List<String> - The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
- tls
Challenge Property Map - Defines a TLS challenge to use in fulfilling the request. Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.
- use
Renewal Info Boolean - When enabled, use information available from the CA's ACME Renewal Information (ARI) endpoint for renewing certificates. Default: false. More detail on ARI can be found in RFC 9773. Note that use_renewal_info does not disable min_days_remaining! If the selected time within an ARI renewal window cannot be reached at plan time (based on the current time plus the value of renewal_info_max_sleep), or if the CA has no ARI endpoint, renewal behavior will fall back to comparing the certificate expiry time with the value in min_days_remaining. This means that for short-lived certificates you may wish to turn this value down so that the settings do not conflict; however, don't disable it altogether, as this may prevent the certificate from being renewed!
Supporting Types
CertificateDnsChallenge, CertificateDnsChallengeArgs
CertificateHttpChallenge, CertificateHttpChallengeArgs
- Port int
- The port that the challenge server listens on. Default:
80
. - Proxy
Header string - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
- Port int
- The port that the challenge server listens on. Default:
80
. - Proxy
Header string - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
- port Integer
- The port that the challenge server listens on. Default:
80
. - proxy
Header String - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
- port number
- The port that the challenge server listens on. Default:
80
. - proxy
Header string - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
- port int
- The port that the challenge server listens on. Default:
80
. - proxy_
header str - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
- port Number
- The port that the challenge server listens on. Default:
80
. - proxy
Header String - The proxy header to match against. Default: Host. The proxy_header option behaves differently depending on its definition:
- When set to Host, standard host header validation is used.
- When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN, where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
- When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
- When set to
CertificateHttpMemcachedChallenge, CertificateHttpMemcachedChallengeArgs
- Hosts List<string>
- Hosts []string
- hosts List<String>
- hosts string[]
- hosts Sequence[str]
- hosts List<String>
CertificateHttpS3Challenge, CertificateHttpS3ChallengeArgs
- S3Bucket string
- The s3_bucket to publish the record to.
- S3Bucket string
- The s3_bucket to publish the record to.
- s3Bucket String
- The s3_bucket to publish the record to.
- s3Bucket string
- The s3_bucket to publish the record to.
- s3_
bucket str - The s3_bucket to publish the record to.
- s3Bucket String
- The s3_bucket to publish the record to.
CertificateHttpWebrootChallenge, CertificateHttpWebrootChallengeArgs
- Directory string
- The directory to publish the record to.
- Directory string
- The directory to publish the record to.
- directory String
- The directory to publish the record to.
- directory string
- The directory to publish the record to.
- directory str
- The directory to publish the record to.
- directory String
- The directory to publish the record to.
CertificateTlsChallenge, CertificateTlsChallengeArgs
- Port int
- The port that the challenge server listens on. Default:
443
.
- Port int
- The port that the challenge server listens on. Default:
443
.
- port Integer
- The port that the challenge server listens on. Default:
443
.
- port number
- The port that the challenge server listens on. Default:
443
.
- port int
- The port that the challenge server listens on. Default:
443
.
- port Number
- The port that the challenge server listens on. Default:
443
.
Package Details
- Repository
- acme pulumiverse/pulumi-acme
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
acme
Terraform Provider.