Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

The letsencrypt cookbook has been deprecated

The letsencrypt cookbook has been deprecated and is no longer being maintained by its authors. Use of the letsencrypt cookbook is no longer recommended. You may find that the acme cookbook is a suitable alternative.


letsencrypt (12) Versions 0.1.6

Install free and trusted SSL/TLS certificates from Let's Encrypt

cookbook 'letsencrypt', '= 0.1.6'
cookbook 'letsencrypt', '= 0.1.6', :supermarket
knife supermarket install letsencrypt
knife supermarket download letsencrypt
Quality -%

letsencrypt cookbook

Build Status Cookbook Version

Automatically get/renew free and trusted certificates from Let's Encrypt (



  • node['letsencrypt']['contact'] - Contact information, default empty. Set to
  • node['letsencrypt']['endpoint'] - ACME server endpoint, default Set to for real certificates.
  • node['letsencrypt']['renew'] - Days before the certificate expires at which the certificate will be renewed, default 30.
  • node['letsencrypt']['source_ips'] - IP addresses used by letsencrypt to verify the TLS certificates, it will change over time. This attribute is for firewall purposes. Allow these IPs for HTTP (tcp/80).



Installs the required acme-client rubygem.


Use the letsencrypt_certificate provider to request a certificate. The webserver for the domain for which you are requesting a certificate must be running on the local server. Currently only the http validation method is supported. Provide the path to your wwwroot for the specified domain.

letsencrypt_certificate '' do
  crt      '/etc/ssl/'
  key      '/etc/ssl/'
  method   'http'
  wwwroot  '/var/www'

In case your webserver needs an already existing certificate when installing a new server you will have a bootstrap problem. Webserver cannot start without certificate, but the certificate cannot be requested without the running webserver. To overcome this a self-signed certificate can be generated with the letsencrypt_selfsigned provider.

letsencrypt_selfsigned '' do
  crt     '/etc/ssl/'
  key     '/etc/ssl/'

A working example can be found in the included acme_client test cookbook.



<table> <tr> <th>Property</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> <tr> <td><tt>cn</tt></td> <td>String</td> <td>The common name for the certificate</td> <td><tt>Name of the resource block</tt></td> </tr> <tr> <td><tt>alt_names</tt></td> <td>Array</td> <td>The SAN names for the certificate</td> <td><tt>[]</tt></td> </tr> <tr> <td><tt>crt</tt></td> <td>String</td> <td>File path to place the certificate</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>key</tt></td> <td>String</td> <td>File path to place the private key</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>chain</tt></td> <td>String</td> <td>File path to place the certificate chain</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>fullchain</tt></td> <td>String</td> <td>File path to place the certificate including the chain</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>owner</tt></td> <td>String</td> <td>Owner of the created files</td> <td><tt>root</tt></td> </tr> <tr> <td><tt>group</tt></td> <td>String</td> <td>Group of the created files</td> <td><tt>root</tt></td> </tr> <tr> <td><tt>method</tt></td> <td>String</td> <td>Validation method</td> <td><tt>http</tt></td> </tr> <tr> <td><tt>wwwroot</tt></td> <td>String</td> <td>Path to the wwwroot of the domain</td> <td><tt>/var/www</tt></td> </tr> <tr> <td><tt>ignore_failure</tt></td> <td>Boolean</td> <td>Whether to continue chef run if issuance fails</td> <td><tt>false</tt></td> </tr> <tr> <td><tt>retries</tt></td> <td>Integer</td> <td>Number of times to catch exceptions and retry</td> <td><tt>0</tt></td> </tr> <tr> <td><tt>retry_delay</tt></td> <td>Integer</td> <td>Number of seconds to wait between retries</td> <td><tt>2</tt></td> </tr> </table>


<table> <tr> <th>Property</th> <th>Type</th> <th>Description</th> <th>Default</th> </tr> <tr> <td><tt>cn</tt></td> <td>String</td> <td>The common name for the certificate</td> <td><tt>Name of the resource block</tt></td> </tr> <tr> <td><tt>crt</tt></td> <td>String</td> <td>File path to place the certificate</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>chain</tt></td> <td>String</td> <td>File path to place the certificate chain</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>key</tt></td> <td>String</td> <td>File path to place the private key</td> <td><tt>nil</tt></td> </tr> <tr> <td><tt>owner</tt></td> <td>String</td> <td>Owner of the created files</td> <td><tt>root</tt></td> </tr> <tr> <td><tt>group</tt></td> <td>String</td> <td>Group of the created files</td> <td><tt>root</tt></td> </tr> </table>


The kitchen includes a boulder server to run the integration tests with, so testing can run locally without interaction with the online API's.


  1. Fork the repository on Github
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

License and Authors

Authors: Thijs Houtenbos

letsencrypt changelog

This file is used to list changes made in each version of the letsencrypt cookbook.


  • funzoneq - Add verification IP for firewalling purposes
  • acoulton - fail chef run if certificate not issued, unless ignore_failure resource attribute set


  • thoutenbos - fix selfsigned chain


  • patcon - spin-off the boulder test cookbook
  • patcon - add Ubuntu support
  • thoutenbos - various improvements


  • sawanoboly - Add SAN support


  • obazoud - Improved logging
  • thoutenbos - Add Kitchen CI
  • thoutenbos - Fix key/cert creation order issue


  • Thijs Houtenbos - Added chain and fullchain properties


  • Thijs Houtenbos - Initial release

Check the Markdown Syntax Guide for help with Markdown.

The Github Flavored Markdown page describes the differences between markdown on github and standard markdown.

No quality metric results found