The dehydrated module lets you use Puppet to manage the creation and renewal of Let's Encrypt certificates with the dehydrated ACME client.
Let's Encrypt requires a contact e-mail address, which must be passed to the `dehydrated` class:

```puppet
class { 'dehydrated':
  contact_email => 'user@example.com',
}
```

This is enough to get started and create certificates.
After including the required `dehydrated` class, each `dehydrated::certificate` resource produces a single certificate:

```puppet
class { 'dehydrated':
  contact_email => 'user@example.com',
}

dehydrated::certificate { 'example.com':
}
```
A `dehydrated::certificate` can use the `domains` parameter to request additional names as Subject Alternative Names (SANs):

```puppet
class { 'dehydrated':
  contact_email => 'user@example.com',
}

dehydrated::certificate { 'example.com':
  domains => [
    'www.example.com',
    'example.net',
    'www.example.net'
  ],
}
```
dns-01 challenges are handled by a `hook.sh` script that dehydrated calls to publish and remove the `_acme-challenge` TXT records.

The hook must block until the TXT records are actually visible on public DNS servers and only then return. Otherwise Let's Encrypt will not find the records from its side and the dehydrated run will fail.

The module is pointed at the hook with the `hook` parameter:

```puppet
class { 'dehydrated':
  contact_email => 'user@example.com',
  challengetype => 'dns-01',
  hook          => '/home/dehydrated/hook.sh',
  timeout       => 600,
}

dehydrated::certificate { 'example.com':
}
```
The `cron_integration` parameter of the `dehydrated` class configures cron to renew certificates before they expire:

```puppet
class { 'dehydrated':
  contact_email    => 'user@example.com',
  cron_integration => true,
}
```

Please note that the web server is not automatically restarted when certificates are renewed: it keeps serving the old certificate until it is reloaded, so arrange for that reload yourself (for instance from the `deploy_cert` stage of the dehydrated hook script).
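The following `hook.sh` is an added example, not code from this module or its README. It covers both the dns-01 hook described above and the reload caveat just mentioned: on `deploy_challenge` it publishes the TXT record and then polls public resolvers until every one of them returns the token before it returns, on `clean_challenge` it removes the record, and on `deploy_cert` it reloads the web server. The DNS backend (RFC 2136 dynamic updates through `nsupdate` with a TSIG key), the key path `/etc/dehydrated/tsig.key`, the resolver list and the `apache2` service name are all assumptions; swap the two `nsupdate` calls for your provider's API and keep the rest.

```shell
#!/usr/bin/env bash
# dehydrated dns-01 hook (added example, not the module's own code).
# Assumptions: nsupdate + TSIG at $TSIG_KEY for DNS updates, dig for
# lookups, a list of public resolvers in $RESOLVERS, Apache as the web
# server. Adjust all of these for your environment.
set -eu

TSIG_KEY="${TSIG_KEY:-/etc/dehydrated/tsig.key}"   # assumed key path
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8}"          # resolvers to poll
POLL_INTERVAL="${POLL_INTERVAL:-10}"                # seconds between polls
POLL_TIMEOUT="${POLL_TIMEOUT:-300}"                 # give up after this long

# Challenge record name for a domain. A wildcard "*.example.com" is
# validated through its base name, so a leading "*." is dropped.
challenge_name() {
    local domain="${1#\*.}"
    printf '_acme-challenge.%s' "$domain"
}

# TXT values one resolver currently returns for a name (nothing if absent).
# Kept as its own function so it can be replaced in tests.
lookup_txt() {
    local name="$1" resolver="$2"
    dig +short +time=3 +tries=1 "@${resolver}" "$name" TXT | tr -d '"'
}

# Poll every resolver until each returns the expected token, so that
# Let's Encrypt's own lookup does not race zone propagation.
# Returns 0 once all resolvers agree, 1 on timeout.
wait_for_txt() {
    local name="$1" expected="$2" waited=0 resolver missing
    while [ "$waited" -lt "$POLL_TIMEOUT" ]; do
        missing=0
        for resolver in $RESOLVERS; do
            if ! lookup_txt "$name" "$resolver" | grep -qxF "$expected"; then
                missing=1
            fi
        done
        [ "$missing" -eq 0 ] && return 0
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
    printf 'timed out waiting for %s TXT to propagate\n' "$name" >&2
    return 1
}

# nsupdate batch that adds or deletes the challenge record (assumed backend).
nsupdate_script() {
    local action="$1" name="$2" value="$3"
    printf 'update %s %s. 60 IN TXT "%s"\nsend\n' "$action" "$name" "$value"
}

# Stage arguments from dehydrated: DOMAIN TOKEN_FILENAME TOKEN_VALUE.
# For dns-01, TOKEN_VALUE is exactly what belongs in the TXT record.
deploy_challenge() {
    local domain="$1" token_value="$3" name
    name="$(challenge_name "$domain")"
    nsupdate_script add "$name" "$token_value" | nsupdate -k "$TSIG_KEY"
    wait_for_txt "$name" "$token_value"
}

clean_challenge() {
    local domain="$1" token_value="$3" name
    name="$(challenge_name "$domain")"
    nsupdate_script delete "$name" "$token_value" | nsupdate -k "$TSIG_KEY"
}

# dehydrated invokes the hook as: hook.sh <stage> <stage arguments...>
case "${1:-}" in
    deploy_challenge) shift; deploy_challenge "$@" ;;
    clean_challenge)  shift; clean_challenge "$@" ;;
    deploy_cert)      systemctl reload apache2 ;;   # assumed web server
    *) : ;;   # other stages (unchanged_cert, exit_hook, ...) need nothing here
esac
```

Polling several public resolvers rather than only your authoritative servers matters because Let's Encrypt validates from multiple vantage points; a record that has reached your primary but not the caches it will consult still fails. Keep `POLL_TIMEOUT` comfortably below whatever overall limit the dehydrated run is given, so a propagation problem surfaces as a clear hook error rather than a killed run.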
The `apache_integration` parameter of the `dehydrated` class configures Apache to serve the challenges used for domain validation.

The following example redirects all HTTP requests to HTTPS except those related to Let's Encrypt's validation:

```puppet
include ::apache
include ::apache::mod::rewrite

class { 'dehydrated':
  contact_email      => 'user@example.com',
  apache_integration => true,
}

apache::vhost { 'main':
  port           => 80,
  default_vhost  => true,
  docroot        => '/var/empty',
  manage_docroot => false,
  directories    => [
    {
      path     => '/var/empty',
      rewrites => [
        {
          rewrite_rule => '.* https://%{HTTP_HOST}%{REQUEST_URI} [R=301]',
        },
      ],
    },
  ],
}
```