

The certbot-cdh cookbook integrates certbot with config-driven-helper sites, automatically obtaining Let's Encrypt certificates and linking them to each site.

By default it creates a single certificate shared by all sites, adding every site's ['server_name'] and ['server_aliases'] to the certificate as SAN entries.

Optionally, it can split the certificates up per site, based on each site's ['ssl']['use_sni'] and ['ssl']['san_group'] settings.


Add "recipe[certbot-cdh]" to the run list to enable it.

Include the following in attributes:

"default_attributes": {
  "certbot": {
    "cert-owner": {
      "email": "[email protected]"
  "nginx": {
    "shared_config": {
      "<project-name>": {
        "protocols": ["http", "https"],
        "includes_first": [

Add the following cookbooks to the Berksfile:

cookbook 'config-driven-helper', '~> 2.5'
cookbook 'certbot-cdh', '~> 0.1.0'

Given nginx or apache sites defined, for example, as:

"default_attributes": {
  "nginx": {
    "sites": {
      "mysite1": {
        "server_name": "",
        "docroot": "/var/www/mysite1/public",
        "inherits": "<project name>"
      },
      "mysite2": {
        "server_name": "",
        "server_aliases": [""],
        "docroot": "/var/www/mysite2/public",
        "inherits": "<project name>"
      }
    }
  }
}

This will create the Let's Encrypt cert/chain/fullchain/privkey pem files in:


The certificate will have SAN domains:

Certbot names the folder it stores a certificate in after the first domain on that certificate, so the first ['server_name'] determines the path.

Node attributes for the sites will automatically be set to point ['ssl']['certfile'], ['ssl']['certchainfile'] and ['ssl']['keyfile'] at the correct pem files for each site.

Where apache will use:

  ['ssl']['certfile'] = /etc/letsencrypt/live/
  ['ssl']['certchainfile'] = /etc/letsencrypt/live/
  ['ssl']['keyfile'] = /etc/letsencrypt/live/

And nginx will use:

  ['ssl']['certfile'] = /etc/letsencrypt/live/
  ['ssl']['keyfile'] = /etc/letsencrypt/live/

config-driven-helper::apache-sites and config-driven-helper::nginx-sites use these attributes to set up each vhost's SSL configuration.

See the spec for examples of using ['ssl']['use_sni'] and ['ssl']['san_group'] to split the certificates up per config-driven-helper site.
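The attribute wiring described above, as an added example in Ruby (the cookbook's language). This is not code from certbot-cdh; it models the README's description: collect every site's server_name and server_aliases into one shared certificate, derive certbot's live directory from the first domain, and point each site's ['ssl'] attributes at the pem files. Assumptions, labelled in the code: the node is a plain nested Hash rather than a Chef node object; the pem file names are certbot's standard cert.pem, chain.pem, fullchain.pem and privkey.pem, with apache given cert and chain separately and nginx given the fullchain; and a site's ['ssl']['san_group'] places it on a separate certificate shared with other sites naming the same group (assumed semantics; the cookbook's spec is the authority). The sample node is constructed for the example.

```ruby
# Added example, not code from the certbot-cdh cookbook. Models the README's
# attribute wiring for config-driven-helper sites.
# Assumptions: the node is a plain nested Hash; pem names are certbot's
# standard cert.pem/chain.pem/fullchain.pem/privkey.pem; a site's
# ['ssl']['san_group'] puts it on a separate certificate shared with other
# sites naming the same group (assumed semantics, see the cookbook's spec).

LIVE_DIR = '/etc/letsencrypt/live'.freeze

# Domains for one site, server_name first so it becomes the certbot folder name.
def site_domains(site)
  names = [site['server_name'], *(site['server_aliases'] || [])]
  names.compact.map(&:strip).reject(&:empty?).uniq
end

# Group sites into certificates: { group => [domain, ...] } in site order.
# Sites without ['ssl']['san_group'] share the default 'shared' certificate.
def certificate_groups(sites)
  groups = Hash.new { |h, k| h[k] = [] }
  sites.each_value do |site|
    group = site.dig('ssl', 'san_group') || 'shared'
    groups[group].concat(site_domains(site))
  end
  groups.transform_values(&:uniq)
end

# Certbot stores a certificate under the first domain it was requested for.
def live_path(domains)
  raise ArgumentError, 'certificate needs at least one domain' if domains.empty?
  File.join(LIVE_DIR, domains.first)
end

# Per-site ssl attributes. Apache takes the leaf cert and the chain separately;
# nginx takes the fullchain. Both use privkey.pem. (Assumed file mapping.)
def ssl_attributes(domains, server)
  dir = live_path(domains)
  case server
  when 'apache'
    { 'certfile'      => File.join(dir, 'cert.pem'),
      'certchainfile' => File.join(dir, 'chain.pem'),
      'keyfile'       => File.join(dir, 'privkey.pem') }
  when 'nginx'
    { 'certfile' => File.join(dir, 'fullchain.pem'),
      'keyfile'  => File.join(dir, 'privkey.pem') }
  else
    raise ArgumentError, "unsupported server: #{server}"
  end
end

# Return a deep copy of the node with every site's ['ssl'] pointed at its pem
# files; existing ['ssl'] keys such as san_group are preserved.
def wire_sites(node, server)
  wired = Marshal.load(Marshal.dump(node))
  sites = wired.fetch(server).fetch('sites')
  groups = certificate_groups(sites)
  sites.each_value do |site|
    group = site.dig('ssl', 'san_group') || 'shared'
    site['ssl'] = (site['ssl'] || {}).merge(ssl_attributes(groups[group], server))
  end
  wired
end

# Constructed sample node (not from the README); mysite3 opts out of the shared cert.
SAMPLE_NODE = {
  'nginx' => {
    'sites' => {
      'mysite1' => { 'server_name' => 'www.example.org',
                     'docroot' => '/var/www/mysite1/public' },
      'mysite2' => { 'server_name' => 'shop.example.org',
                     'server_aliases' => ['example.org', 'www.example.org'],
                     'docroot' => '/var/www/mysite2/public' },
      'mysite3' => { 'server_name' => 'blog.example.net',
                     'ssl' => { 'san_group' => 'blog' },
                     'docroot' => '/var/www/mysite3/public' }
    }
  }
}.freeze

if $PROGRAM_NAME == __FILE__
  wire_sites(SAMPLE_NODE, 'nginx')['nginx']['sites'].each do |name, site|
    puts "#{name}: #{site['ssl']['certfile']}"
  end
end
```

Note that the folder name depends on site ordering: whichever site's server_name comes first in the shared group names the live directory, so reordering sites in attributes moves the pem paths for every site on that certificate.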


Contributing

  1. Fork the repository on Github
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

Supermarket share

stove is used to create git tags and publish the cookbook on

To tag and publish you need to be a contributor to the cookbook on Supermarket, then run:

$ stove login --username <your username> --key ~/.chef/<your username>.pem
$ rake publish

It will take the version defined in metadata.rb, create a tag, and push the cookbook to

License and Authors

  • Author:: Andy Thompson
  • Author:: Felicity Ratcliffe
Copyright:: 2016 The Inviqa Group Ltd

See LICENSE file