pe_console_letsencrypt
Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 8.0.0
- , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'albatrossflavour-pe_console_letsencrypt', '0.1.0'
Learn more about managing modules with a Puppetfile
pe_console_letsencrypt
Table of Contents
- Description
- Setup - The basics of getting started with pe_console_letsencrypt
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
Managing the Puppet console's SSL certificates can be automated, but it's not straightforward if you want them to be managed by Let's Encrypt.
This module allows you to request, install, and manage valid SSL certs for your console via Let's Encrypt.
It requires that port 80 on your Puppet server is accessible from the internet, and that your Puppet server has a publicly resolvable DNS name.
Setup
What pe_console_letsencrypt affects
The module will replace the autogenerated, self-signed SSL certificates used by default. These certs are usually found in /etc/puppetlabs/puppet/ssl.
It uses the letsencrypt module from Vox Pupuli to do the heavy lifting.
Setup Requirements
You MUST disable the default http_redirect vhost which is created as part of a PE install. This can be done by setting the following value in the puppet server's hiera:
puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
The value can also be set in the Puppet console by adding it as "Configuration data" against the PE Console node group.
The module will check that it is disabled and will cause a catalog compilation failure if it isn't.
You should also ensure you're not specifying any certificates in hiera. Check the key puppet_enterprise::profile::console for any values matching browser_ssl_cert and browser_ssl_private_key.
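A preflight check for the two Hiera prerequisites above, as an added example that is not part of the module. The function names hiera_value and pe_le_preflight are hypothetical, the certificate settings are assumed to appear as flat, fully qualified keys, and the sample files are constructed.

```shell
#!/bin/sh
# Preflight for the two Hiera prerequisites in the README (added example).
# Line-based: understands flat "key: value" entries only, not nested YAML.
REDIRECT_KEY='puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect'
# Assumption: cert settings are written as fully qualified class parameters.
CERT_KEYS='puppet_enterprise::profile::console::browser_ssl_cert
puppet_enterprise::profile::console::browser_ssl_private_key'

# Print the value of flat key $1 in file $2, with trailing comments removed.
hiera_value() {
  sed -n "s/^[[:space:]]*['\"]\{0,1\}$1['\"]\{0,1\}[[:space:]]*:[[:space:]]*//p" "$2" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tail -n 1
}

# Scan the given data files (lowest priority first, so the last value wins).
# Prints one finding per line; returns 0 only when both prerequisites hold.
pe_le_preflight() {
  rc=0
  redirect=''
  for f in "$@"; do
    if [ ! -r "$f" ]; then echo "SKIP  $f (not readable)"; continue; fi
    v=$(hiera_value "$REDIRECT_KEY" "$f")
    if [ -n "$v" ]; then redirect=$v; fi
    for k in $CERT_KEYS; do
      if [ -n "$(hiera_value "$k" "$f")" ]; then
        echo "FAIL  $f sets $k"
        rc=1
      fi
    done
  done
  case $redirect in
    false) echo "OK    enable_http_redirect is false" ;;
    '')    echo "FAIL  enable_http_redirect is not set in these files"; rc=1 ;;
    *)     echo "FAIL  enable_http_redirect is $redirect, expected false"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample data (not from a real server): a good file and a bad one.
demo=$(mktemp -d)
printf '%s: false\n' "$REDIRECT_KEY" > "$demo/common.yaml"
printf '%s: /constructed/console.pem\n' \
  'puppet_enterprise::profile::console::browser_ssl_cert' > "$demo/node.yaml"
pe_le_preflight "$demo/common.yaml" || true
pe_le_preflight "$demo/common.yaml" "$demo/node.yaml" || true
rm -rf "$demo"
```

The script only reads Hiera data files, so a value set as "Configuration data" on the PE Console node group is invisible to it and is reported as not set.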
Beginning with pe_console_letsencrypt
Usage
At the most basic level, you can simply:
- Add the module and dependencies to your Puppetfile
- Add the following hiera to common.yaml:
  puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
- Classify your puppet server with: pe_console_letsencrypt
Limitations
Only works with Puppet Enterprise
Development
Fork, develop, submit a pull request
Please make sure all pull requests include testing and that the tests pass
Reference
Table of Contents
Classes
pe_console_letsencrypt: Manage SSL certs for NGINX on PE using letsencrypt
Classes
pe_console_letsencrypt
Manage SSL certs for NGINX on PE using letsencrypt
Examples
Basic usage
include pe_console_letsencrypt
Parameters
The following parameters are available in the pe_console_letsencrypt class:
nginx_conf_dir
Data type: Stdlib::Absolutepath
The directory containing the nginx config for the console
Default value: '/etc/puppetlabs/nginx/conf.d'
letsencrypt_conf_dir
Data type: Stdlib::Absolutepath
The directory containing the letsencrypt config
Default value: '/etc/letsencrypt'
docroot
Data type: Stdlib::Absolutepath
The directory we should use as the docroot
Default value: '/var/www'
mode
Data type: Stdlib::Filemode
Octal value for the file permissions
Default value: '0640'
email
Data type: Stdlib::Email
Email address to use when requesting the certificates
Default value: "puppet@${facts['puppet_server']}"
port
Data type: Stdlib::Port
Port to use for the nginx server
Default value: 80
owner
Data type: String
User running the puppet console services
Default value: 'pe-puppet'
group
Data type: String
Group running the puppet console services
Default value: 'pe-puppet'
manage_letsencrypt
Data type: Boolean
Should we manage the letsencrypt install?
Default value: true
cert_dir
Data type: Stdlib::Absolutepath
Where are the PE console certs?
Default value: '/etc/puppetlabs/puppet/ssl'
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v0.1.0 (2023-03-29)
Added
- 4 check for existing browser certs and keys in hiera #5 (albatrossflavour)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs-stdlib (>= 4.13.1 < 9.0.0)
- puppet-letsencrypt (>= 9.0.0 < 10.0.0)