Configures SSL certificates and keys.
This module is a rename of the original broadinstitute/certs Forge module. All active development will happen in this module going forward.
This module provides SSL certificate files required by Apache or other services via the certificates::site define.
It can be used in conjunction with puppetlabs/apache's apache::vhost definitions to provide the ssl_cert and ssl_key files or any other service requiring SSL certificates.
It can also be used independent of any Puppet-defined service that requires the files to exist on a managed node.
The certificate files must come from an external store. Recommended stores are a site-specific (and private) module containing SSL files or a network-accessible filesystem, such as NFS, that the managed node can access.
Once a file store is determined, include at least one certificates::site define and specify the file store location as the source_path.
By default, this module places certificates and keys in the OS-specific default locations below and restarts the specified service, provided it is defined in the catalog.
- RedHat
  - certificates directory: /etc/pki/tls/certs
  - keys directory: /etc/pki/tls/private
  - service: httpd
- Debian & Suse
  - certificates directory: /etc/ssl/certs
  - keys directory: /etc/ssl/private
  - service: apache2
- FreeBSD
  - certificates directory: /usr/local/etc/apache24
  - keys directory: /usr/local/etc/apache24
  - service: apache24
- Gentoo
  - certificates directory: /etc/ssl/apache2
  - keys directory: /etc/ssl/apache2
  - service: apache2
No trailing slashes should be provided for any paths.
Puppet Forge:

    puppet module install broadinstitute-certificates

Puppetfile:

    mod 'broadinstitute/certificates'
manifest.pp

    include certificates
    $domain = 'www.example.com'
    certificates::site { $domain:
      source_path    => 'puppet:///site_certificates',
      ca_cert        => true,
      ca_name        => 'caname',
      ca_source_path => 'puppet:///ca_certs',
    }
node.yaml

    classes:
      - certificates
    certificates::sites:
      'www.example.com':
        source_path: 'puppet:///site_certificates'
        ca_cert: true
        ca_name: 'caname'
        ca_source_path: 'puppet:///ca_certs'
manifest.pp

    Certificates::Site<| |> -> Apache::Vhost<| |>
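A fuller version of the pairing described above, added here as an example and not taken from the module's own documentation: a certificates::site declaration feeding a puppetlabs/apache TLS vhost on a RedHat-family node, using the default directories listed earlier. The vhost title, the docroot and the `${domain}.crt` / `${domain}.key` file names are assumptions; check the file names against REFERENCE.md.

```puppet
# Added example, not the module's own code.
# Declaring the apache class puts the httpd service in the catalog, which is
# the condition under which the certificates module restarts it on a change.
include apache
include certificates

$domain = 'www.example.com'

# Same parameters as the usage example on this page.
certificates::site { $domain:
  source_path    => 'puppet:///site_certificates',
  ca_cert        => true,
  ca_name        => 'caname',
  ca_source_path => 'puppet:///ca_certs',
}

apache::vhost { "${domain}-ssl":
  servername => $domain,
  port       => 443,
  docroot    => '/var/www/html', # ASSUMPTION: hypothetical document root
  ssl        => true,
  # RedHat defaults from the list above, written without trailing slashes.
  # ASSUMPTION: files are named after the site title with .crt/.key suffixes.
  ssl_cert   => "/etc/pki/tls/certs/${domain}.crt",
  ssl_key    => "/etc/pki/tls/private/${domain}.key",
}

# Explicit per-site ordering: the key and certificate exist on disk before
# the vhost that references them is configured. The collector form shown
# above applies the same ordering to every site and vhost in the catalog.
Certificates::Site[$domain] -> Apache::Vhost["${domain}-ssl"]
```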
You can also reset some of the settings in params.pp globally via the certificates base class; the new values are inherited by every certificates::site define declared afterwards. In this example, we reset the default certificate and key paths for all instantiated sites so that we don't have to manually set the custom path in each site:

    $domain1 = 'www.example.com'
    $domain2 = 'foo.example.com'
    class { 'certificates':
      cert_path => '/path/to/certs',
      key_path  => '/path/to/keys',
    }
    certificates::site { $domain1:
      source_path    => 'puppet:///site_certificates',
      ca_cert        => true,
      ca_name        => 'caname',
      ca_source_path => 'puppet:///ca_certs',
    }
    certificates::site { $domain2:
      source_path    => 'puppet:///site_certificates',
      ca_cert        => true,
      ca_name        => 'caname',
      ca_source_path => 'puppet:///ca_certs',
    }

REFERENCE.md (generated with Puppet Strings)
This module is CI tested against open source Puppet on:
- CentOS 7, 8, 9
- RHEL 7, 8, 9
This module also provides functions for other distributions and operating systems, such as FreeBSD and Gentoo, but it is not formally tested on them and is subject to regressions there.
Riccardo Calixte (@rcalixte)
Andrew Teixeira (@coreone)