Tags: nginx, proxy, lets-encrypt, salt-project, certbot

certbot installation via salt and a proxy


I have a salt state which starts a letsencrypt acme challenge and installs certbot, but the whole challenge has to go via a proxy which I also set in the salt state. Could you please confirm that this salt state is working and the acme challenges are done via the proxy?

{# proxy URL used for both http_proxy and https_proxy below #}
{% set proxy_url = 'http://' %}

# Export the proxy variables into the minion's own environment so that
# states run later in this same minion process (pkg, acme) inherit them.
set-proxy:
  environ.setenv:
    - name: set-proxy
    - value:
        http_proxy: {{ proxy_url }}
        https_proxy: {{ proxy_url }}
    - update_minion: True

# Install certbot only after the proxy variables are in place.
certbot:
  pkg.installed:
    - name: certbot
    - require:
      - environ: set-proxy

# Reload nginx so it picks up a newly issued or renewed certificate.
reload-nginx:
  cmd.run:
    - name: systemctl reload nginx.service
    - require:
      - pkg: certbot

# Request the certificate with certbot's webroot challenge; the proxy
# variables must be set before this state runs.
<domain>:
  acme.cert:
    - aliases:
      - <domain>
    - email: <mail>
    - webroot: <webroot path>
    - renew: 14
    - fire_event: acme/<domain>
    - onchanges:
      - cmd: reload-nginx
    - require:
      - environ: set-proxy


I tried it and it didn't work. Now I'm not sure if it's the firewall or the wrong salt state.


Solution

  • The salt state you provided appears to be correctly setting the proxy and installing Certbot before performing the ACME challenge and obtaining the SSL certificate. However, there is an issue with the way you are setting the proxy_url variable.

    Currently, you have set proxy_url as 'http://'. This will not specify a valid proxy address. You need to provide the complete proxy URL, including the hostname or IP address and the port number if applicable. For example, it should be something like 'http://proxy.example.com:8080'.

    Assuming you provide the correct proxy URL, the state seems to be properly configured to execute the ACME challenge via the proxy. The environ.setenv state sets the proxy environment variables, and the subsequent pkg.installed state installs Certbot, which depends on the proxy being set correctly.

    The acme.cert state for your <domain> appears to be correctly configured as well. It specifies the necessary parameters for the ACME challenge, such as aliases, email, webroot path, renewal period, and event triggering for certificate changes. It also has a require statement to ensure that the proxy environment variables are set before executing the ACME challenge.

    The reload-nginx state uses the cmd.run state to trigger a command for reloading the Nginx service, and it depends on the successful installation of Certbot (pkg: certbot).

    To confirm if the ACME challenges are being done via the proxy, you can check the logs or debug output of Certbot during the certificate issuance process. Additionally, you can monitor the network traffic on the proxy server to see if there are requests to the Let's Encrypt ACME servers.
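Two things the answer leaves implicit are worth checking with code before blaming the firewall. First, certbot's ACME client talks to Let's Encrypt through the Python requests library, which picks its proxy from the same http_proxy/https_proxy/no_proxy variables that urllib reads, so you can predict offline which proxy (if any) the minion-spawned certbot will use for the HTTPS directory URL. Second, the proxy only carries certbot's outbound API calls; the webroot (HTTP-01) validation is an inbound connection from Let's Encrypt's validation servers to port 80 on the domain, which no proxy setting affects, so a blocked inbound port 80 fails the challenge regardless of the proxy. The script below is an added example, not code from the question or the answer: it rejects a bare 'http://' proxy URL, resolves which proxy applies to the ACME directory under given environment settings, and pulls Let's Encrypt requests out of a proxy access log. The proxy address proxy.example.com:8080, the Squid-style log lines in SAMPLE_PROXY_LOG and the helper names are constructed for illustration.

```python
"""Added example (not part of the question or the answer): predict how certbot's
outbound ACME traffic is proxied by the variables the Salt state exports, and
find Let's Encrypt requests in a proxy access log.

Assumptions, not from the page: the proxy address 'http://proxy.example.com:8080',
the constructed Squid-style log lines below and the helper names used here.
"""
import os
from typing import List, Optional, Tuple
from urllib.parse import urlparse
from urllib.request import getproxies, proxy_bypass

# Let's Encrypt's production ACME directory. certbot fetches it over HTTPS,
# so https_proxy (not http_proxy) decides whether it goes through the proxy.
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"

_PROXY_VARS = ("http_proxy", "https_proxy", "no_proxy",
               "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")


def is_valid_proxy_url(proxy_url: str) -> bool:
    """A usable proxy URL has a scheme, a host and a port. The bare 'http://'
    from the Salt state fails this check, which is the fault the answer names."""
    try:
        parsed = urlparse(proxy_url)
        return (parsed.scheme in ("http", "https")
                and bool(parsed.hostname)
                and parsed.port is not None)
    except ValueError:  # e.g. a non-numeric port
        return False


def proxy_for(proxy_url: str, target_url: str = ACME_DIRECTORY,
              no_proxy: str = "") -> Optional[str]:
    """Export http_proxy/https_proxy (and optionally no_proxy) the way the
    environ.setenv state does, then ask urllib which proxy applies to
    target_url. requests, and therefore certbot, resolves proxies from the
    environment with these same calls. Returns the proxy URL, or None when
    the target host would be contacted directly."""
    saved = {name: os.environ.pop(name, None) for name in _PROXY_VARS}
    os.environ["http_proxy"] = proxy_url
    os.environ["https_proxy"] = proxy_url
    if no_proxy:
        os.environ["no_proxy"] = no_proxy
    try:
        target = urlparse(target_url)
        if proxy_bypass(target.hostname):
            return None
        return getproxies().get(target.scheme)
    finally:  # restore the caller's environment exactly
        for name, value in saved.items():
            os.environ.pop(name, None)
            if value is not None:
                os.environ[name] = value


# Constructed Squid-style access.log lines (timestamp, elapsed ms, client,
# result, bytes, method, URL, ident, hierarchy/peer, type). The ACME API
# shows up as CONNECT tunnels because certbot speaks HTTPS to it.
SAMPLE_PROXY_LOG = """\
1700000000.101    312 192.0.2.20 TCP_TUNNEL/200 8920 CONNECT acme-v02.api.letsencrypt.org:443 - HIER_DIRECT/198.51.100.7 -
1700000000.205     40 192.0.2.20 TCP_MISS/200 1822 GET http://deb.debian.org/debian/dists/bookworm/InRelease - HIER_DIRECT/198.51.100.9 -
1700000001.318    298 192.0.2.20 TCP_TUNNEL/200 4410 CONNECT acme-v02.api.letsencrypt.org:443 - HIER_DIRECT/198.51.100.7 -
1700000002.044     25 192.0.2.31 TCP_MISS/200  640 GET http://example.net/ - HIER_DIRECT/198.51.100.11 -
"""

ACME_HOST_SUFFIX = "letsencrypt.org"


def acme_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, method, host) for every proxy log line whose
    destination is a Let's Encrypt host; an empty list means the proxy never
    saw the minion's ACME traffic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        # CONNECT lines carry host:port, other methods a full URL.
        host = url.split(":")[0] if method == "CONNECT" else urlparse(url).hostname
        if host and (host == ACME_HOST_SUFFIX or host.endswith("." + ACME_HOST_SUFFIX)):
            hits.append((client, method, host))
    return hits


if __name__ == "__main__":
    for candidate in ("http://", "http://proxy.example.com:8080"):
        print(f"{candidate!r:35} valid={is_valid_proxy_url(candidate)}")
    print("ACME proxy:", proxy_for("http://proxy.example.com:8080"))
    print("ACME proxy with no_proxy=letsencrypt.org:",
          proxy_for("http://proxy.example.com:8080", no_proxy="letsencrypt.org"))
    for hit in acme_requests(SAMPLE_PROXY_LOG):
        print("proxy saw ACME request:", hit)
```

Run it on the minion with the real proxy URL substituted; if proxy_for returns None because of a no_proxy entry, certbot will also bypass the proxy, and if the proxy's access log contains no CONNECT lines to acme-v02.api.letsencrypt.org from the minion while certbot is running, the variables never reached the certbot process (for example because update_minion was not applied before the acme state ran).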