ACME v0.9.0 published on Friday, Mar 28, 2025 by Pulumiverse

acme.Certificate


Create Certificate Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Certificate(name: string, args: CertificateArgs, opts?: CustomResourceOptions);
@overload
def Certificate(resource_name: str,
                args: CertificateArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                account_key_pem: Optional[str] = None,
                cert_timeout: Optional[int] = None,
                certificate_p12_password: Optional[str] = None,
                certificate_request_pem: Optional[str] = None,
                common_name: Optional[str] = None,
                disable_complete_propagation: Optional[bool] = None,
                dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
                http_challenge: Optional[CertificateHttpChallengeArgs] = None,
                http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
                http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
                http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
                key_type: Optional[str] = None,
                min_days_remaining: Optional[int] = None,
                must_staple: Optional[bool] = None,
                pre_check_delay: Optional[int] = None,
                preferred_chain: Optional[str] = None,
                profile: Optional[str] = None,
                recursive_nameservers: Optional[Sequence[str]] = None,
                revoke_certificate_on_destroy: Optional[bool] = None,
                revoke_certificate_reason: Optional[str] = None,
                subject_alternative_names: Optional[Sequence[str]] = None,
                tls_challenge: Optional[CertificateTlsChallengeArgs] = None)
func NewCertificate(ctx *Context, name string, args CertificateArgs, opts ...ResourceOption) (*Certificate, error)
public Certificate(string name, CertificateArgs args, CustomResourceOptions? opts = null)
public Certificate(String name, CertificateArgs args)
public Certificate(String name, CertificateArgs args, CustomResourceOptions options)
type: acme:Certificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. CertificateArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. CertificateArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. CertificateArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference example: every input is set to a placeholder, so this is not deployable
// as written. Per the property reference on this page, CertificateRequestPem
// conflicts with CommonName/SubjectAlternativeNames, and only one of the HTTP
// challenge variants may be defined at once.
var certificateResource = new Acme.Certificate("certificateResource", new()
{
    // ACME account private key (PEM). Supply it as a secret value rather than a
    // plaintext literal kept alongside the program.
    AccountKeyPem = "string",
    CertTimeout = 0,
    // Password for the generated PFX (certificate_p12). The documented default is an
    // empty string, so set one explicitly if the bundle leaves the deployment.
    CertificateP12Password = "string",
    // Externally created CSR; mutually exclusive with CommonName and
    // SubjectAlternativeNames.
    CertificateRequestPem = "string",
    CommonName = "string",
    // true skips the requirement for full propagation of the TXT challenge records.
    DisableCompletePropagation = false,
    DnsChallenges = new[]
    {
        new Acme.Inputs.CertificateDnsChallengeArgs
        {
            Provider = "string",
            // Provider configuration map. NOTE(review): presumably carries DNS
            // provider credentials - confirm and handle as secrets.
            Config = 
            {
                { "string", "string" },
            },
        },
    },
    HttpChallenge = new Acme.Inputs.CertificateHttpChallengeArgs
    {
        Port = 0,
        ProxyHeader = "string",
    },
    HttpMemcachedChallenge = new Acme.Inputs.CertificateHttpMemcachedChallengeArgs
    {
        Hosts = new[]
        {
            "string",
        },
    },
    HttpS3Challenge = new Acme.Inputs.CertificateHttpS3ChallengeArgs
    {
        S3Bucket = "string",
    },
    HttpWebrootChallenge = new Acme.Inputs.CertificateHttpWebrootChallengeArgs
    {
        Directory = "string",
    },
    // One of P256, P384, 2048, 4096 or 8192; the documented default is 2048 (RSA).
    KeyType = "string",
    // Documented default is 30; a value below 0 means the certificate is never renewed.
    MinDaysRemaining = 0,
    // Has no effect with an external CSR; the extension must then be set in the CSR.
    MustStaple = false,
    PreCheckDelay = 0,
    PreferredChain = "string",
    Profile = "string",
    RecursiveNameservers = new[]
    {
        "string",
    },
    // Documented default is true; false leaves the certificate unrevoked when the
    // resource is destroyed or re-created.
    RevokeCertificateOnDestroy = false,
    // When set, one of the RFC 5280 reason strings listed on this page
    // (for example key-compromise or superseded).
    RevokeCertificateReason = "string",
    SubjectAlternativeNames = new[]
    {
        "string",
    },
    TlsChallenge = new Acme.Inputs.CertificateTlsChallengeArgs
    {
        Port = 0,
    },
});
// Reference example: every input is set to a placeholder, so this is not deployable
// as written. Per the property reference on this page, CertificateRequestPem
// conflicts with CommonName/SubjectAlternativeNames, and only one of the HTTP
// challenge variants may be defined at once.
// NOTE(review): err is not checked in this excerpt; the enclosing function is not shown.
example, err := acme.NewCertificate(ctx, "certificateResource", &acme.CertificateArgs{
	// ACME account private key (PEM). Supply it as a secret value rather than a
	// plaintext literal kept alongside the program.
	AccountKeyPem:              pulumi.String("string"),
	CertTimeout:                pulumi.Int(0),
	// Password for the generated PFX (certificate_p12). The documented default is an
	// empty string, so set one explicitly if the bundle leaves the deployment.
	CertificateP12Password:     pulumi.String("string"),
	// Externally created CSR; mutually exclusive with CommonName and
	// SubjectAlternativeNames.
	CertificateRequestPem:      pulumi.String("string"),
	CommonName:                 pulumi.String("string"),
	// true skips the requirement for full propagation of the TXT challenge records.
	DisableCompletePropagation: pulumi.Bool(false),
	DnsChallenges: acme.CertificateDnsChallengeArray{
		&acme.CertificateDnsChallengeArgs{
			Provider: pulumi.String("string"),
			// Provider configuration map. NOTE(review): presumably carries DNS
			// provider credentials - confirm and handle as secrets.
			Config: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
		},
	},
	HttpChallenge: &acme.CertificateHttpChallengeArgs{
		Port:        pulumi.Int(0),
		ProxyHeader: pulumi.String("string"),
	},
	HttpMemcachedChallenge: &acme.CertificateHttpMemcachedChallengeArgs{
		Hosts: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	HttpS3Challenge: &acme.CertificateHttpS3ChallengeArgs{
		S3Bucket: pulumi.String("string"),
	},
	HttpWebrootChallenge: &acme.CertificateHttpWebrootChallengeArgs{
		Directory: pulumi.String("string"),
	},
	// KeyType: one of P256, P384, 2048, 4096 or 8192; documented default is 2048 (RSA).
	// MinDaysRemaining: documented default is 30; below 0 means never renewed.
	// MustStaple: no effect with an external CSR; the extension must then be set in the CSR.
	KeyType:          pulumi.String("string"),
	MinDaysRemaining: pulumi.Int(0),
	MustStaple:       pulumi.Bool(false),
	PreCheckDelay:    pulumi.Int(0),
	PreferredChain:   pulumi.String("string"),
	Profile:          pulumi.String("string"),
	RecursiveNameservers: pulumi.StringArray{
		pulumi.String("string"),
	},
	// RevokeCertificateOnDestroy: documented default is true; false leaves the
	// certificate unrevoked when the resource is destroyed or re-created.
	// RevokeCertificateReason: when set, one of the RFC 5280 reason strings listed
	// on this page (for example key-compromise or superseded).
	RevokeCertificateOnDestroy: pulumi.Bool(false),
	RevokeCertificateReason:    pulumi.String("string"),
	SubjectAlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	TlsChallenge: &acme.CertificateTlsChallengeArgs{
		Port: pulumi.Int(0),
	},
})
// Reference example: every input is set to a placeholder, so this is not deployable
// as written. Per the property reference on this page, certificateRequestPem
// conflicts with commonName/subjectAlternativeNames, and only one of the HTTP
// challenge variants may be defined at once.
var certificateResource = new Certificate("certificateResource", CertificateArgs.builder()
    // ACME account private key (PEM). Supply it as a secret value rather than a
    // plaintext literal kept alongside the program.
    .accountKeyPem("string")
    .certTimeout(0)
    // Password for the generated PFX (certificate_p12). The documented default is an
    // empty string, so set one explicitly if the bundle leaves the deployment.
    .certificateP12Password("string")
    // Externally created CSR; mutually exclusive with commonName and
    // subjectAlternativeNames.
    .certificateRequestPem("string")
    .commonName("string")
    // true skips the requirement for full propagation of the TXT challenge records.
    .disableCompletePropagation(false)
    .dnsChallenges(CertificateDnsChallengeArgs.builder()
        .provider("string")
        // Provider configuration map. NOTE(review): presumably carries DNS
        // provider credentials - confirm and handle as secrets.
        .config(Map.of("string", "string"))
        .build())
    .httpChallenge(CertificateHttpChallengeArgs.builder()
        .port(0)
        .proxyHeader("string")
        .build())
    .httpMemcachedChallenge(CertificateHttpMemcachedChallengeArgs.builder()
        .hosts("string")
        .build())
    .httpS3Challenge(CertificateHttpS3ChallengeArgs.builder()
        .s3Bucket("string")
        .build())
    .httpWebrootChallenge(CertificateHttpWebrootChallengeArgs.builder()
        .directory("string")
        .build())
    // One of P256, P384, 2048, 4096 or 8192; the documented default is 2048 (RSA).
    .keyType("string")
    // Documented default is 30; a value below 0 means the certificate is never renewed.
    .minDaysRemaining(0)
    // Has no effect with an external CSR; the extension must then be set in the CSR.
    .mustStaple(false)
    .preCheckDelay(0)
    .preferredChain("string")
    .profile("string")
    .recursiveNameservers("string")
    // Documented default is true; false leaves the certificate unrevoked when the
    // resource is destroyed or re-created.
    .revokeCertificateOnDestroy(false)
    // When set, one of the RFC 5280 reason strings listed on this page
    // (for example key-compromise or superseded).
    .revokeCertificateReason("string")
    .subjectAlternativeNames("string")
    .tlsChallenge(CertificateTlsChallengeArgs.builder()
        .port(0)
        .build())
    .build());
# Reference example: every input is set to a placeholder, so this is not deployable
# as written. Per the property reference on this page, certificate_request_pem
# conflicts with common_name/subject_alternative_names, and only one of the HTTP
# challenge variants may be defined at once.
certificate_resource = acme.Certificate("certificateResource",
    # ACME account private key (PEM). Supply it as a secret value rather than a
    # plaintext literal kept alongside the program.
    account_key_pem="string",
    cert_timeout=0,
    # Password for the generated PFX (certificate_p12). The documented default is an
    # empty string, so set one explicitly if the bundle leaves the deployment.
    certificate_p12_password="string",
    # Externally created CSR; mutually exclusive with common_name and
    # subject_alternative_names.
    certificate_request_pem="string",
    common_name="string",
    # True skips the requirement for full propagation of the TXT challenge records.
    disable_complete_propagation=False,
    dns_challenges=[{
        "provider": "string",
        # Provider configuration map. NOTE(review): presumably carries DNS
        # provider credentials - confirm and handle as secrets.
        "config": {
            "string": "string",
        },
    }],
    http_challenge={
        "port": 0,
        "proxy_header": "string",
    },
    http_memcached_challenge={
        "hosts": ["string"],
    },
    http_s3_challenge={
        "s3_bucket": "string",
    },
    http_webroot_challenge={
        "directory": "string",
    },
    # One of P256, P384, 2048, 4096 or 8192; the documented default is 2048 (RSA).
    key_type="string",
    # Documented default is 30; a value below 0 means the certificate is never renewed.
    min_days_remaining=0,
    # Has no effect with an external CSR; the extension must then be set in the CSR.
    must_staple=False,
    pre_check_delay=0,
    preferred_chain="string",
    profile="string",
    recursive_nameservers=["string"],
    # Documented default is true; False leaves the certificate unrevoked when the
    # resource is destroyed or re-created.
    revoke_certificate_on_destroy=False,
    # When set, one of the RFC 5280 reason strings listed on this page
    # (for example key-compromise or superseded).
    revoke_certificate_reason="string",
    subject_alternative_names=["string"],
    tls_challenge={
        "port": 0,
    })
// Reference example: every input is set to a placeholder, so this is not deployable
// as written. Per the property reference on this page, certificateRequestPem
// conflicts with commonName/subjectAlternativeNames, and only one of the HTTP
// challenge variants may be defined at once.
const certificateResource = new acme.Certificate("certificateResource", {
    // ACME account private key (PEM). Supply it as a secret value rather than a
    // plaintext literal kept alongside the program.
    accountKeyPem: "string",
    certTimeout: 0,
    // Password for the generated PFX (certificate_p12). The documented default is an
    // empty string, so set one explicitly if the bundle leaves the deployment.
    certificateP12Password: "string",
    // Externally created CSR; mutually exclusive with commonName and
    // subjectAlternativeNames.
    certificateRequestPem: "string",
    commonName: "string",
    // true skips the requirement for full propagation of the TXT challenge records.
    disableCompletePropagation: false,
    dnsChallenges: [{
        provider: "string",
        // Provider configuration map. NOTE(review): presumably carries DNS
        // provider credentials - confirm and handle as secrets.
        config: {
            string: "string",
        },
    }],
    httpChallenge: {
        port: 0,
        proxyHeader: "string",
    },
    httpMemcachedChallenge: {
        hosts: ["string"],
    },
    httpS3Challenge: {
        s3Bucket: "string",
    },
    httpWebrootChallenge: {
        directory: "string",
    },
    // One of P256, P384, 2048, 4096 or 8192; the documented default is 2048 (RSA).
    keyType: "string",
    // Documented default is 30; a value below 0 means the certificate is never renewed.
    minDaysRemaining: 0,
    // Has no effect with an external CSR; the extension must then be set in the CSR.
    mustStaple: false,
    preCheckDelay: 0,
    preferredChain: "string",
    profile: "string",
    recursiveNameservers: ["string"],
    // Documented default is true; false leaves the certificate unrevoked when the
    // resource is destroyed or re-created.
    revokeCertificateOnDestroy: false,
    // When set, one of the RFC 5280 reason strings listed on this page
    // (for example key-compromise or superseded).
    revokeCertificateReason: "string",
    subjectAlternativeNames: ["string"],
    tlsChallenge: {
        port: 0,
    },
});
# Reference example: every input is set to a placeholder, so this is not deployable
# as written. Per the property reference on this page, certificateRequestPem
# conflicts with commonName/subjectAlternativeNames, and only one of the HTTP
# challenge variants may be defined at once.
type: acme:Certificate
properties:
    # ACME account private key (PEM). Supply it as a secret value rather than a
    # plaintext literal kept alongside the program.
    accountKeyPem: string
    certTimeout: 0
    # Password for the generated PFX (certificate_p12). The documented default is an
    # empty string, so set one explicitly if the bundle leaves the deployment.
    certificateP12Password: string
    # Externally created CSR; mutually exclusive with commonName and
    # subjectAlternativeNames.
    certificateRequestPem: string
    commonName: string
    # true skips the requirement for full propagation of the TXT challenge records.
    disableCompletePropagation: false
    dnsChallenges:
        # Provider configuration map. NOTE(review): presumably carries DNS
        # provider credentials - confirm and handle as secrets.
        - config:
            string: string
          provider: string
    httpChallenge:
        port: 0
        proxyHeader: string
    httpMemcachedChallenge:
        hosts:
            - string
    httpS3Challenge:
        s3Bucket: string
    httpWebrootChallenge:
        directory: string
    # One of P256, P384, 2048, 4096 or 8192; the documented default is 2048 (RSA).
    keyType: string
    # Documented default is 30; a value below 0 means the certificate is never renewed.
    minDaysRemaining: 0
    # Has no effect with an external CSR; the extension must then be set in the CSR.
    mustStaple: false
    preCheckDelay: 0
    preferredChain: string
    profile: string
    recursiveNameservers:
        - string
    # Documented default is true; false leaves the certificate unrevoked when the
    # resource is destroyed or re-created.
    revokeCertificateOnDestroy: false
    # When set, one of the RFC 5280 reason strings listed on this page
    # (for example key-compromise or superseded).
    revokeCertificateReason: string
    subjectAlternativeNames:
        - string
    tlsChallenge:
        port: 0

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Certificate resource accepts the following input properties:

AccountKeyPem
This property is required.
Changes to this property will trigger replacement.
string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateP12Password string
Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names: you cannot define certificate_request_pem at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

CommonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>
The DNS challenges to use in fulfilling the request.
HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
KeyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

Profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

RecursiveNameservers List<string>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
RevokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this property to set the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
SubjectAlternativeNames Changes to this property will trigger replacement. List<string>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem
This property is required.
Changes to this property will trigger replacement.
string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateP12Password string
Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
CertificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names: you cannot define certificate_request_pem at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

CommonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges []CertificateDnsChallengeArgs
The DNS challenges to use in fulfilling the request.
HttpChallenge CertificateHttpChallengeArgs
Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge CertificateHttpS3ChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge CertificateHttpWebrootChallengeArgs
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
KeyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

Profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

RecursiveNameservers []string
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
RevokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this property to set the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
SubjectAlternativeNames Changes to this property will trigger replacement. []string
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
TlsChallenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem
This property is required.
Changes to this property will trigger replacement.
String
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout Integer

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password String
Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string.
certificateRequestPem Changes to this property will trigger replacement. String

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names: you cannot define certificate_request_pem at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case, with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

commonName Changes to this property will trigger replacement. String
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<CertificateDnsChallenge>
The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType Changes to this property will trigger replacement. String
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Integer
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. Boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Integer

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. String

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

profile Changes to this property will trigger replacement. String

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers List<String>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason String
Some CAs require a reason for revocation to be provided. Use this property to set the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. List<String>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem
This property is required.
Changes to this property will trigger replacement.
string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password string
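Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Because certificate_p12 bundles the certificate's private key, an empty password leaves that key without password protection inside the archive.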
certificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request, such as one from tls_cert_request, or one from an external source, in PEM format. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

commonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges CertificateDnsChallenge[]
The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining number
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay number

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers string[]
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this property to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. string[]
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem
This property is required.
Changes to this property will trigger replacement.
str
The private key of the account that is requesting the certificate. Forces a new resource when changed.
cert_timeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificate_p12_password str
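Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Because certificate_p12 bundles the certificate's private key, an empty password leaves that key without password protection inside the archive.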
certificate_request_pem Changes to this property will trigger replacement. str

A pre-created certificate request, such as one from tls_cert_request, or one from an external source, in PEM format. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

common_name Changes to this property will trigger replacement. str
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disable_complete_propagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dns_challenges Sequence[CertificateDnsChallengeArgs]
The DNS challenges to use in fulfilling the request.
http_challenge CertificateHttpChallengeArgs
Defines an HTTP challenge to use in fulfilling the request.
http_memcached_challenge CertificateHttpMemcachedChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
http_s3_challenge CertificateHttpS3ChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
http_webroot_challenge CertificateHttpWebrootChallengeArgs
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
key_type Changes to this property will trigger replacement. str
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
min_days_remaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
must_staple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

pre_check_delay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferred_chain Changes to this property will trigger replacement. str

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

profile Changes to this property will trigger replacement. str

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursive_nameservers Sequence[str]
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revoke_certificate_on_destroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revoke_certificate_reason str
Some CAs require a reason for revocation to be provided. Use this property to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subject_alternative_names Changes to this property will trigger replacement. Sequence[str]
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tls_challenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem
This property is required.
Changes to this property will trigger replacement.
String
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout Number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateP12Password String
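Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. Because certificate_p12 bundles the certificate's private key, an empty password leaves that key without password protection inside the archive.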
certificateRequestPem Changes to this property will trigger replacement. String

A pre-created certificate request, such as one from tls_cert_request, or one from an external source, in PEM format. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

commonName Changes to this property will trigger replacement. String
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<Property Map>
The DNS challenges to use in fulfilling the request.
httpChallenge Property Map
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge Property Map
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge Property Map
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge Property Map
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
keyType Changes to this property will trigger replacement. String
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Number
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. Boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Number

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. String

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

profile Changes to this property will trigger replacement. String

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers List<String>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason String
Some CAs require a reason for revocation to be provided. Use this property to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. List<String>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge Property Map

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

CertificateDomain string
The common name of the certificate.
CertificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateSerial string
The serial number, in string format, as reported by the CA.
CertificateUrl string
The full URL of the certificate within the ACME CA.
Id string
The provider-assigned unique ID for this managed resource.
IssuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
CertificateDomain string
The common name of the certificate.
CertificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateSerial string
The serial number, in string format, as reported by the CA.
CertificateUrl string
The full URL of the certificate within the ACME CA.
Id string
The provider-assigned unique ID for this managed resource.
IssuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
PrivateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
certificateDomain String
The common name of the certificate.
certificateNotAfter String
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial String
The serial number, in string format, as reported by the CA.
certificateUrl String
The full URL of the certificate within the ACME CA.
id String
The provider-assigned unique ID for this managed resource.
issuerPem String
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
certificateDomain string
The common name of the certificate.
certificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial string
The serial number, in string format, as reported by the CA.
certificateUrl string
The full URL of the certificate within the ACME CA.
id string
The provider-assigned unique ID for this managed resource.
issuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
certificate_domain str
The common name of the certificate.
certificate_not_after str
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificate_p12 str
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificate_pem str
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificate_serial str
The serial number, in string format, as reported by the CA.
certificate_url str
The full URL of the certificate within the ACME CA.
id str
The provider-assigned unique ID for this managed resource.
issuer_pem str
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
private_key_pem str
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
certificateDomain String
The common name of the certificate.
certificateNotAfter String
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificatePem String
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateSerial String
The serial number, in string format, as reported by the CA.
certificateUrl String
The full URL of the certificate within the ACME CA.
id String
The provider-assigned unique ID for this managed resource.
issuerPem String
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
privateKeyPem String
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.

Look up Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_key_pem: Optional[str] = None,
        cert_timeout: Optional[int] = None,
        certificate_domain: Optional[str] = None,
        certificate_not_after: Optional[str] = None,
        certificate_p12: Optional[str] = None,
        certificate_p12_password: Optional[str] = None,
        certificate_pem: Optional[str] = None,
        certificate_request_pem: Optional[str] = None,
        certificate_serial: Optional[str] = None,
        certificate_url: Optional[str] = None,
        common_name: Optional[str] = None,
        disable_complete_propagation: Optional[bool] = None,
        dns_challenges: Optional[Sequence[CertificateDnsChallengeArgs]] = None,
        http_challenge: Optional[CertificateHttpChallengeArgs] = None,
        http_memcached_challenge: Optional[CertificateHttpMemcachedChallengeArgs] = None,
        http_s3_challenge: Optional[CertificateHttpS3ChallengeArgs] = None,
        http_webroot_challenge: Optional[CertificateHttpWebrootChallengeArgs] = None,
        issuer_pem: Optional[str] = None,
        key_type: Optional[str] = None,
        min_days_remaining: Optional[int] = None,
        must_staple: Optional[bool] = None,
        pre_check_delay: Optional[int] = None,
        preferred_chain: Optional[str] = None,
        private_key_pem: Optional[str] = None,
        profile: Optional[str] = None,
        recursive_nameservers: Optional[Sequence[str]] = None,
        revoke_certificate_on_destroy: Optional[bool] = None,
        revoke_certificate_reason: Optional[str] = None,
        subject_alternative_names: Optional[Sequence[str]] = None,
        tls_challenge: Optional[CertificateTlsChallengeArgs] = None) -> Certificate
func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
public static Certificate get(String name, Output<String> id, CertificateState state, CustomResourceOptions options)
resources:
  _:
    type: acme:Certificate
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountKeyPem Changes to this property will trigger replacement. string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateDomain string
The common name of the certificate.
CertificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificateP12Password string
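Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. With the default empty password the archive, which contains the private key, has no passphrase protection, so set a password or handle certificate_p12 as carefully as the private key itself.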
CertificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

CertificateSerial string
The serial number, in string format, as reported by the CA.
CertificateUrl string
The full URL of the certificate within the ACME CA.
CommonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges List<Pulumiverse.Acme.Inputs.CertificateDnsChallenge>
The DNS challenges to use in fulfilling the request.
HttpChallenge Pulumiverse.Acme.Inputs.CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge Pulumiverse.Acme.Inputs.CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge Pulumiverse.Acme.Inputs.CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge Pulumiverse.Acme.Inputs.CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
IssuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
KeyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

PrivateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
Profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

RecursiveNameservers List<string>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
RevokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this argument to set that reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
SubjectAlternativeNames Changes to this property will trigger replacement. List<string>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
TlsChallenge Pulumiverse.Acme.Inputs.CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

AccountKeyPem Changes to this property will trigger replacement. string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
CertTimeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

CertificateDomain string
The common name of the certificate.
CertificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
CertificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
CertificateP12Password string
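Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. With the default empty password the archive, which contains the private key, has no passphrase protection, so set a password or handle certificate_p12 as carefully as the private key itself.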
CertificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
CertificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

CertificateSerial string
The serial number, in string format, as reported by the CA.
CertificateUrl string
The full URL of the certificate within the ACME CA.
CommonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
DisableCompletePropagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

DnsChallenges []CertificateDnsChallengeArgs
The DNS challenges to use in fulfilling the request.
HttpChallenge CertificateHttpChallengeArgs
Defines an HTTP challenge to use in fulfilling the request.
HttpMemcachedChallenge CertificateHttpMemcachedChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
HttpS3Challenge CertificateHttpS3ChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
HttpWebrootChallenge CertificateHttpWebrootChallengeArgs
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
IssuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
KeyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
MinDaysRemaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
MustStaple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

PreCheckDelay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

PreferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

PrivateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
Profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

RecursiveNameservers []string
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
RevokeCertificateOnDestroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
RevokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this argument to set that reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
SubjectAlternativeNames Changes to this property will trigger replacement. []string
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
TlsChallenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem Changes to this property will trigger replacement. String
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout Integer

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain String
The common name of the certificate.
certificateNotAfter String
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password String
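Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. With the default empty password the archive, which contains the private key, has no passphrase protection, so set a password or handle certificate_p12 as carefully as the private key itself.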
certificatePem String
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem Changes to this property will trigger replacement. String

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

certificateSerial String
The serial number, in string format, as reported by the CA.
certificateUrl String
The full URL of the certificate within the ACME CA.
commonName Changes to this property will trigger replacement. String
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<CertificateDnsChallenge>
The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem String
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType Changes to this property will trigger replacement. String
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Integer
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. Boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Integer

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. String

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem String
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
profile Changes to this property will trigger replacement. String

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers List<String>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason String
Some CAs require a reason for revocation to be provided. Use this argument to set that reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. When provided, the reason is a string and should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. List<String>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem Changes to this property will trigger replacement. string
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain string
The common name of the certificate.
certificateNotAfter string
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 string
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password string
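Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string. With the default empty password the archive, which contains the private key, has no passphrase protection, so set a password or handle certificate_p12 as carefully as the private key itself.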
certificatePem string
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem Changes to this property will trigger replacement. string

A pre-created certificate request in PEM format, such as one from tls_cert_request or one from an external source. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; You cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; in this case with the classic Let's Encrypt profile, the first domain defined in subject_alternative_names becomes the common name.

certificateSerial string
The serial number, in string format, as reported by the CA.
certificateUrl string
The full URL of the certificate within the ACME CA.
commonName Changes to this property will trigger replacement. string
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges CertificateDnsChallenge[]
The DNS challenges to use in fulfilling the request.
httpChallenge CertificateHttpChallenge
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge CertificateHttpMemcachedChallenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge CertificateHttpS3Challenge
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a S3 bucket.
httpWebrootChallenge CertificateHttpWebrootChallenge
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem string
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType Changes to this property will trigger replacement. string
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining number
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay number

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. string

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem string
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
profile Changes to this property will trigger replacement. string

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers string[]
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason string
Some CAs require a reason for revocation to be provided. Use this to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. string[]
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge CertificateTlsChallenge

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

account_key_pem Changes to this property will trigger replacement. str
The private key of the account that is requesting the certificate. Forces a new resource when changed.
cert_timeout int

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificate_domain str
The common name of the certificate.
certificate_not_after str
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificate_p12 str
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificate_p12_password str
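Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string; because the PFX file contains the certificate's private key, leaving the default means the archive is protected only by an empty password.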
certificate_pem str
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificate_request_pem Changes to this property will trigger replacement. str

A pre-created certificate request, such as one from tls_cert_request, or one from an external source, in PEM format. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; when common_name is blank and the classic Let's Encrypt profile is used, the first domain defined in subject_alternative_names becomes the common name.

certificate_serial str
The serial number, in string format, as reported by the CA.
certificate_url str
The full URL of the certificate within the ACME CA.
common_name Changes to this property will trigger replacement. str
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disable_complete_propagation bool

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dns_challenges Sequence[CertificateDnsChallengeArgs]
The DNS challenges to use in fulfilling the request.
http_challenge CertificateHttpChallengeArgs
Defines an HTTP challenge to use in fulfilling the request.
http_memcached_challenge CertificateHttpMemcachedChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
http_s3_challenge CertificateHttpS3ChallengeArgs
Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
http_webroot_challenge CertificateHttpWebrootChallengeArgs
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuer_pem str
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
key_type Changes to this property will trigger replacement. str
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
min_days_remaining int
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
must_staple Changes to this property will trigger replacement. bool

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

pre_check_delay int

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferred_chain Changes to this property will trigger replacement. str

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

private_key_pem str
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
profile Changes to this property will trigger replacement. str

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursive_nameservers Sequence[str]
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revoke_certificate_on_destroy bool
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revoke_certificate_reason str
Some CAs require a reason for revocation to be provided. Use this to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subject_alternative_names Changes to this property will trigger replacement. Sequence[str]
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tls_challenge CertificateTlsChallengeArgs

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

accountKeyPem Changes to this property will trigger replacement. String
The private key of the account that is requesting the certificate. Forces a new resource when changed.
certTimeout Number

Controls the timeout in seconds for certificate requests that are made after challenges are complete. Defaults to 30 seconds.

As mentioned, cert_timeout does nothing until all challenges are complete. If you are looking to control timeouts related to a particular challenge (such as a DNS challenge), see that challenge provider's specific options.

certificateDomain String
The common name of the certificate.
certificateNotAfter String
The expiry date of the certificate, laid out in RFC3339 format (2006-01-02T15:04:05Z07:00).
certificateP12 String
The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the certificate_p12_password argument. This field is empty if creating a certificate from a CSR.
certificateP12Password String
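Password to be used when generating the PFX file stored in certificate_p12. Defaults to an empty string; because the PFX file contains the certificate's private key, leaving the default means the archive is protected only by an empty password.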
certificatePem String
The certificate in PEM format. This does not include the issuer_pem. This certificate can be concatenated with issuer_pem to form a full chain, e.g. "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
certificateRequestPem Changes to this property will trigger replacement. String

A pre-created certificate request, such as one from tls_cert_request, or one from an external source, in PEM format. Forces a new resource when changed.

One of common_name, subject_alternative_names, or certificate_request_pem must be specified. certificate_request_pem conflicts with common_name and subject_alternative_names; you cannot have certificate_request_pem defined at the same time as common_name or subject_alternative_names, and vice versa. Finally, common_name can be blank while subject_alternative_names is defined, and vice versa; when common_name is blank and the classic Let's Encrypt profile is used, the first domain defined in subject_alternative_names becomes the common name.

certificateSerial String
The serial number, in string format, as reported by the CA.
certificateUrl String
The full URL of the certificate within the ACME CA.
commonName Changes to this property will trigger replacement. String
The certificate's common name, the primary domain that the certificate will be recognized for. Forces a new resource when changed.
disableCompletePropagation Boolean

Disable the requirement for full propagation of the TXT challenge records before proceeding with validation. Defaults to false.

See About DNS propagation checks for details on the recursive_nameservers and disable_complete_propagation settings.

dnsChallenges List<Property Map>
The DNS challenges to use in fulfilling the request.
httpChallenge Property Map
Defines an HTTP challenge to use in fulfilling the request.
httpMemcachedChallenge Property Map
Defines an alternate type of HTTP challenge that can be used to serve up challenges to a Memcached cluster.
httpS3Challenge Property Map
Defines an alternate type of HTTP challenge that can be used to serve up challenges to an S3 bucket.
httpWebrootChallenge Property Map
Defines an alternate type of HTTP challenge that can be used to place a file at a location that can be served by an out-of-band webserver.
issuerPem String
The intermediate certificates of the issuer. Multiple certificates are concatenated in this field when there is more than one intermediate certificate in the chain.
keyType Changes to this property will trigger replacement. String
The key type for the certificate's private key. Can be one of: P256 and P384 (for ECDSA keys of respective length) or 2048, 4096, and 8192 (for RSA keys of respective length). Required when not specifying a CSR. The default is 2048 (RSA key of 2048 bits). Forces a new resource when changed.
minDaysRemaining Number
The minimum amount of days remaining on the expiration of a certificate before a renewal is attempted. The default is 30. A value of less than 0 means that the certificate will never be renewed.
mustStaple Changes to this property will trigger replacement. Boolean

Enables the OCSP Stapling Required TLS Security Policy extension. Certificates with this extension must include a valid OCSP Staple in the TLS handshake for the connection to succeed. Defaults to false. Note that this option has no effect when using an external CSR - it must be enabled in the CSR itself. Forces a new resource when changed.

OCSP stapling requires specific webserver configuration to support the downloading of the staple from the CA's OCSP endpoints, and should be configured to tolerate prolonged outages of the OCSP service. Consider this when using must_staple, and only enable it if you are sure your webserver or service provider can be configured correctly.

preCheckDelay Number

Insert a delay after every DNS challenge record to allow for extra time for DNS propagation before the certificate is requested. Use this option if you observe issues with requesting certificates even when DNS challenge records get added successfully. Units are in seconds. Defaults to 0 (no delay).

Be careful with pre_check_delay since the delay is executed per-domain. Take your expected delay and divide it by the number of domains you have configured (common_name + subject_alternative_names).

preferredChain Changes to this property will trigger replacement. String

The common name of the root of a preferred alternate certificate chain offered by the CA. The certificates in issuer_pem will reflect the chain requested, if available, otherwise the default chain will be provided. Forces a new resource when changed.

preferred_chain can be used to request alternate chains on Let's Encrypt during the transition away from their old cross-signed intermediates. See this article for more details. In their example titled "What about the alternate chain?", the root you would put in to the preferred_chain field would be ISRG Root X1. The equivalent in the staging environment is (STAGING) Pretend Pear X1.

privateKeyPem String
The certificate's private key, in PEM format, if the certificate was generated from scratch and not with certificate_request_pem. If certificate_request_pem was used, this will be blank.
profile Changes to this property will trigger replacement. String

The ACME profile to use when requesting the certificate. This can be used to control generation parameters according to the specific CA. The default is blank (no profile); forces a new resource when changed.

Let's Encrypt publishes details on their profiles at https://letsencrypt.org/docs/profiles/.

recursiveNameservers List<String>
The recursive nameservers that will be used to check for propagation of DNS challenge records, in addition to some in-provider checks such as zone detection. Defaults to your system-configured DNS resolvers.
revokeCertificateOnDestroy Boolean
Enables revocation of a certificate upon destroy, which includes when a resource is re-created. Default is true.
revokeCertificateReason String
Some CAs require a reason for revocation to be provided. Use this to supply the reason (from RFC 5280, section 5.3.1). By default, no reason is provided in revocation requests. The reason is a string and, when provided, should be one of:

  • unspecified
  • key-compromise
  • ca-compromise
  • affiliation-changed
  • superseded
  • cessation-of-operation
  • certificate-hold
  • remove-from-crl
  • privilege-withdrawn
  • aa-compromise
subjectAlternativeNames Changes to this property will trigger replacement. List<String>
The certificate's subject alternative names; domains that this certificate will also be recognized for. Forces a new resource when changed.
tlsChallenge Property Map

Defines a TLS challenge to use in fulfilling the request.

Only one of http_challenge, http_webroot_challenge, http_s3_challenge and http_memcached_challenge can be defined at once. See the section on Using HTTP and TLS challenges for more details on using these and tls_challenge.

Supporting Types

CertificateDnsChallenge, CertificateDnsChallengeArgs

Provider This property is required. string
Config Dictionary<string, string>
Provider This property is required. string
Config map[string]string
provider This property is required. String
config Map<String,String>
provider This property is required. string
config {[key: string]: string}
provider This property is required. str
config Mapping[str, str]
provider This property is required. String
config Map<String>

CertificateHttpChallenge, CertificateHttpChallengeArgs

Port int
The port that the challenge server listens on. Default: 80.
ProxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
Port int
The port that the challenge server listens on. Default: 80.
ProxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
port Integer
The port that the challenge server listens on. Default: 80.
proxyHeader String

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
port number
The port that the challenge server listens on. Default: 80.
proxyHeader string

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
port int
The port that the challenge server listens on. Default: 80.
proxy_header str

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.
port Number
The port that the challenge server listens on. Default: 80.
proxyHeader String

The proxy header to match against. Default: Host.

The proxy_header option behaves differently depending on its definition:

  • When set to Host, standard host header validation is used.
  • When set to Forwarded, the server looks in the Forwarded header for a section matching host=DOMAIN where DOMAIN is the domain currently being resolved by the challenge. See RFC 7239 for more details.
  • When set to an arbitrary header (example: X-Forwarded-Host), that header is checked for the host entry in the same way the host header would normally be checked.

CertificateHttpMemcachedChallenge, CertificateHttpMemcachedChallengeArgs

Hosts This property is required. List<string>
Hosts This property is required. []string
hosts This property is required. List<String>
hosts This property is required. string[]
hosts This property is required. Sequence[str]
hosts This property is required. List<String>

CertificateHttpS3Challenge, CertificateHttpS3ChallengeArgs

S3Bucket This property is required. string
The s3_bucket to publish the record to.
S3Bucket This property is required. string
The s3_bucket to publish the record to.
s3Bucket This property is required. String
The s3_bucket to publish the record to.
s3Bucket This property is required. string
The s3_bucket to publish the record to.
s3_bucket This property is required. str
The s3_bucket to publish the record to.
s3Bucket This property is required. String
The s3_bucket to publish the record to.

CertificateHttpWebrootChallenge, CertificateHttpWebrootChallengeArgs

Directory This property is required. string
The directory to publish the record to.
Directory This property is required. string
The directory to publish the record to.
directory This property is required. String
The directory to publish the record to.
directory This property is required. string
The directory to publish the record to.
directory This property is required. str
The directory to publish the record to.
directory This property is required. String
The directory to publish the record to.

CertificateTlsChallenge, CertificateTlsChallengeArgs

Port int
The port that the challenge server listens on. Default: 443.
Port int
The port that the challenge server listens on. Default: 443.
port Integer
The port that the challenge server listens on. Default: 443.
port number
The port that the challenge server listens on. Default: 443.
port int
The port that the challenge server listens on. Default: 443.
port Number
The port that the challenge server listens on. Default: 443.

Package Details

Repository
acme pulumiverse/pulumi-acme
License
Apache-2.0
Notes
This Pulumi package is based on the acme Terraform Provider.