Description
letsencrypt::certonly - the exec that issues your cert ("letsencrypt certonly ${title}") has no ability to adjust its timeout from the default 300s.
Now, for everyone using boring ol' HTTP-01 "slap a file in /.well-known/ on the webserver", this isn't a concern. But if you're using DNS-01 and have to push out a DNS change, it takes longer. The DNS plugins in letsencrypt::plugin::dns_* have a propagation_seconds parameter that the plugin uses, but in the case of certain front-end providers who are slow to respond to NOTIFYs, blowing out 5-10 minutes isn't unheard-of, so the plugin can have a longer expected run than the exec calling it.
This isn't the end of the world, it just means you have to run /opt/puppetlabs/puppet/cache/letsencrypt/renew-YOURCERT.sh manually instead of Puppet doing the right thing, but it does mean manual intervention on initial deploys.
Minimum thought, being able to set the exec timeout should be feasible. More complexly: propagation_seconds should probably be part of letsencrypt::certonly rather than letsencrypt::certonly::plugin::dns_*, because you might create not-part-of-the-module plugins-or-processes. Perhaps have certonly use a calculated exec timeout, like max($propagation_seconds+30, 300).
Not sure which way to go with this so filing an issue rather than offering code, sorry.
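As an added illustration (not code from the puppet-letsencrypt module and not from the issue author), the following hypothetical `example::certonly` define sketches both suggestions from the report: an explicit `exec_timeout` parameter on the certonly resource, and an effective timeout computed as `max($propagation_seconds + 30, $exec_timeout)` so the exec can never expire before the DNS plugin's own propagation wait does. The define name, the `exec_timeout` parameter, the `dns-example` plugin name and the filesystem paths are assumptions; `max`, `join` and `map` are core Puppet functions in Puppet 6+ (from stdlib on older releases).

```puppet
# Added example, not the puppet-letsencrypt module's own code.
# Hypothetical define: issues a cert with an exec whose timeout is
# derived from the DNS propagation wait instead of being fixed at 300s.
define example::certonly (
  Array[String] $domains             = [$title],
  String        $plugin              = 'standalone',   # e.g. 'dns-example' (assumed name)
  Integer       $propagation_seconds = 0,              # only meaningful for dns-* plugins
  Integer       $exec_timeout        = 300,            # Puppet's exec default, now overridable
) {
  # Effective timeout: the exec must outlive the plugin's propagation wait,
  # with 30s of headroom for the ACME exchange itself; otherwise keep the
  # configured exec_timeout (default 300s, matching the current behaviour).
  $computed_timeout = max($propagation_seconds + 30, $exec_timeout)

  $domain_args = join($domains.map |$d| { "-d ${d}" }, ' ')

  # Pass the propagation wait through to the plugin only when one was set;
  # the real certbot dns-* plugins take it as --<plugin>-propagation-seconds.
  $propagation_args = $propagation_seconds ? {
    0       => '',
    default => " --${plugin}-propagation-seconds ${propagation_seconds}",
  }

  exec { "letsencrypt certonly ${title}":
    command   => "letsencrypt certonly --non-interactive --agree-tos --${plugin}${propagation_args} ${domain_args}",
    path      => ['/usr/local/bin', '/usr/bin', '/bin'],
    timeout   => $computed_timeout,
    # Idempotence guard (assumed layout): skip once the live cert exists.
    creates   => "/etc/letsencrypt/live/${domains[0]}/cert.pem",
    logoutput => true,
  }
}

# Usage with a slow-to-NOTIFY DNS provider: 600s propagation gives a
# 630s exec timeout instead of the 300s that would abort the run.
example::certonly { 'example.com':
  domains             => ['example.com', 'www.example.com'],
  plugin              => 'dns-example',
  propagation_seconds => 600,
}
```

With `propagation_seconds` left at 0 the exec keeps the 300s default, so existing HTTP-01 users see no change; only DNS-01 users who set a propagation wait get the longer timeout, which is the failure mode the report describes.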